Cannot install Malwarebytes


I'm having similar issues to others with installing Malwarebytes. It will never run no matter how I rename the file, and I also cannot go to any website that references Malwarebytes. I have looked in Device Manager for hidden devices and none of the suggested ones show up. I have also run ComboFix and below are the results. This was originally brought to my attention when a program called Alpha Antivirus was somehow installed on the machine. As far as I can tell I have removed it, and I can find no references to that program causing this.

ComboFix 09-10-27.07 - kdenbeste 10/28/2009 9:07.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1541 [GMT -4:00]

Running from: c:\documents and settings\Kim Den Beste\Desktop\Combo-Fix.exe

AV: avast! antivirus 4.8.1356 [VPS 091027-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\_000005_.tmp.dll

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\_000007_.tmp.dll

c:\windows\system32\_000008_.tmp.dll

c:\windows\system32\_000009_.tmp.dll

c:\windows\system32\_000010_.tmp.dll

c:\windows\system32\_000011_.tmp.dll

c:\windows\system32\_000012_.tmp.dll

c:\windows\system32\_000019_.tmp.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACrnjnwyquva.dll

c:\windows\system32\UACymxnuuykds.dll

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NWCWORKSTATION

-------\Legacy_UACD.SYS

-------\Service_NWCWorkstation

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))

.

2009-10-28 02:51 . 2009-10-28 02:51 -------- d-sh--w- c:\documents and settings\Administrator.KIM\IETldCache

2009-10-27 21:21 . 2009-10-27 21:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-27 15:14 . 2009-10-27 15:14 193040 ----a-w- c:\windows\system32\lastmon.dll

2009-10-27 15:10 . 2009-10-27 15:10 277007 ----a-w- c:\windows\system32\addefcebbeefeaaec.dll

2009-10-27 13:07 . 2009-10-27 13:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-10-24 20:17 . 2009-10-24 20:17 350208 ----a-w- c:\windows\system32\IEaddonscontrol.dll

2009-10-15 07:00 . 2009-10-15 07:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

2009-10-09 12:14 . 2009-10-09 12:14 -------- d-----w- c:\documents and settings\Kim Den Beste\Application Data\Office Genuine Advantage

2009-10-06 19:28 . 2009-10-06 18:10 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-10-06 18:21 . 2009-10-06 18:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-10-06 18:10 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-10-06 18:09 . 2009-10-06 18:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

2009-10-06 18:09 . 2009-10-06 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-10-06 18:09 . 2009-10-06 18:09 -------- d-----w- c:\program files\Lavasoft

2009-10-06 18:00 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2009-10-06 18:00 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2009-10-06 18:00 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys

2009-10-06 18:00 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2009-10-06 18:00 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2009-10-06 18:00 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2009-10-06 18:00 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr

2009-10-06 17:59 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe

2009-10-06 17:59 . 2009-10-06 17:59 -------- d-----w- c:\program files\Alwil Software

2009-10-06 17:48 . 2009-10-06 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-10-06 17:48 . 2009-10-06 17:49 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-10-02 21:39 . 2009-10-02 21:39 45 ----a-w- c:\documents and settings\Kim Den Beste\jagex_runescape_preferences2.dat

2009-10-02 21:38 . 2009-10-02 22:22 38 ----a-w- c:\documents and settings\Kim Den Beste\jagex_runescape_preferences.dat

2009-10-02 21:37 . 2009-10-02 21:38 -------- d-----w- c:\windows\.jagex_cache_32

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-23 22:00 . 2006-08-07 12:19 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-10-15 07:03 . 2007-08-21 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-25 22:34 . 2009-07-31 14:46 84432 ---ha-w- c:\windows\system32\mlfcache.dat

2009-09-22 21:15 . 2009-09-22 21:09 -------- d-----w- c:\program files\Google

2009-09-22 13:27 . 2009-09-22 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-20 17:55 . 2009-09-16 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-09-20 13:27 . 2009-09-20 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2009-09-17 22:22 . 2009-09-17 22:22 -------- d-----w- c:\program files\MapPuzzles

2009-09-16 21:40 . 2009-09-16 21:40 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-09-16 21:40 . 2009-09-16 21:39 -------- d-----w- c:\program files\Common Files\Adobe

2009-09-11 14:18 . 2008-12-13 19:35 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2008-12-13 19:35 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-30 18:20 . 2006-08-07 12:12 106608 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-29 08:08 . 2004-08-04 21:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-04 21:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL

2009-08-06 23:24 . 2004-08-04 21:00 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-06 23:24 . 2004-08-04 21:00 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-06 23:24 . 2007-08-22 15:34 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-06 23:24 . 2004-08-04 21:00 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-06 23:24 . 2004-08-04 21:00 53472 ----a-w- c:\windows\system32\wuauclt.exe

2009-08-06 23:24 . 2004-08-04 21:00 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-06 23:23 . 2004-08-04 21:00 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-06 23:23 . 2007-08-24 13:00 274288 ----a-w- c:\windows\system32\mucltui.dll

2009-08-06 23:23 . 2007-04-17 02:43 215920 ----a-w- c:\windows\system32\muweb.dll

2009-08-06 23:23 . 2004-08-04 21:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 09:01 . 2008-12-13 19:35 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 15:13 . 2008-12-13 19:35 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-08-04 14:20 . 2008-12-13 19:35 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll

2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll

2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator.KIM\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\aserrano\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\__sbs_netsetup__\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\addefcebbeefeaaec]

2009-10-27 15:10 277007 ----a-w- c:\windows\system32\addefcebbeefeaaec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kim Den Beste^Start Menu^Programs^StartUp^Vongo Tray.lnk]

path=c:\documents and settings\Kim Den Beste\Start Menu\Programs\StartUp\Vongo Tray.lnk

backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\HP\\HPNetworkAssistant\\HPNetworkAssistant.exe"=

"c:\\Program Files\\HP Rhapsody\\rhapsody.exe"=

"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/6/2009 2:10 PM 64160]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/6/2009 2:00 PM 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/6/2009 2:00 PM 20560]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/27/2008 1:00 PM 24652]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/22/2009 5:09 PM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 18:10]

2009-10-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-22 21:09]

2009-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-22 21:09]

2009-10-25 c:\windows\Tasks\Norton Security Scan for kdenbeste.job

- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-08-27 23:58]

2009-10-28 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.aol.com/?src=toolbar

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop

uInternet Settings,ProxyOverride = *.local

IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

Trusted Zone: trinityprep.org\webportal

Trusted Zone: yahoo.com\www

TCP: {6FF4182C-6FD6-41B3-98B8-E05C36184816} = 208.67.222.222,208.67.220.220

FF - ProfilePath - c:\documents and settings\Kim Den Beste\Application Data\Mozilla\Firefox\Profiles\6apdhr4j.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50fftrie7

FF - prefs.js: browser.search.selectedEngine - AIM Search

FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50fftrab&query=

FF - component: c:\documents and settings\Kim Den Beste\Application Data\Mozilla\Firefox\Profiles\6apdhr4j.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

- - - - ORPHANS REMOVED - - - -

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-28 09:18

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)

c:\windows\system32\addefcebbeefeaaec.dll

c:\windows\system32\WININET.dll

c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3540)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\hnetcfg.dll

c:\program files\Bonjour\mdnsNSP.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\windows\system32\msdtc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\windows\system32\mqsvc.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\system32\mqtgsvc.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\combo-fix\CF3203.exe

c:\combo-fix\PEV.cfxxe

.

**************************************************************************

.

Completion time: 2009-10-28 9:23 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-28 13:23

Pre-Run: 82,383,810,560 bytes free

Post-Run: 82,340,265,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 26075FD5B19638F27C6B8EC656AF7523

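Added example, not part of the original post and not a ComboFix feature: a small Python triage script that reads the ComboFix log format above and correlates three things the log already shows in separate sections: the Winlogon\Notify registry load point, the DLLs mapped into winlogon.exe, and the file-creation dates in the "Files Created" window. The sample input is excerpted from the log in this post and is constructed for the example (it is not a complete log); the "machine-generated name" check is a heuristic of this example only.

```python
"""Triage helper for ComboFix logs.

Correlates Winlogon Notify load points with DLLs mapped into winlogon.exe and
with files created during the log's reporting window. Added example for this
thread; the sample below is excerpted from the posted log and is constructed.
"""
import re
from datetime import datetime

SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.
2009-10-27 15:14 . 2009-10-27 15:14 193040 ----a-w- c:\windows\system32\lastmon.dll
2009-10-27 15:10 . 2009-10-27 15:10 277007 ----a-w- c:\windows\system32\addefcebbeefeaaec.dll
2009-10-06 18:10 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\addefcebbeefeaaec]
2009-10-27 15:10 277007 ----a-w- c:\windows\system32\addefcebbeefeaaec.dll
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\addefcebbeefeaaec.dll
c:\windows\system32\WININET.dll
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\WININET.dll
.
------------------------ Other Running Processes ------------------------
"""

# "Files Created" rows: created . modified size attrs path (size is -------- for dirs)
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
                       r"(\d+|-{8}) (\S{8}) (.+)$")
# Row printed under a Winlogon\Notify key: modified size attrs path
NOTIFY_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
# Process banner in the "DLLs Loaded Under Running Processes" section
PROC_LINE = re.compile(r"^- - - - - - - > '(.+?)'\((\d+)\)$")
# Heuristic only: long, all-lowercase, digit-free subkey names like the one in this log
RANDOM_NAME = re.compile(r"^[a-z]{12,}$")


def parse_combofix(text):
    """Return {'created': {path: datetime}, 'notify': {subkey: dll}, 'loaded': {proc: [dll]}}."""
    created, notify, loaded = {}, {}, {}
    section = current_proc = pending_notify = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("(((") and "Files Created" in line:
            section = "created"
            continue
        if line.startswith("(((") and "Reg Loading Points" in line:
            section = "reg"
            continue
        if line.startswith("---") and "DLLs Loaded Under Running Processes" in line:
            section = "loaded"
            continue
        if line.startswith("(((") or line.startswith("-----"):
            section = current_proc = None  # any other ComboFix banner ends the section
            continue
        if section == "created":
            m = FILE_LINE.match(line)
            if m:
                created[m.group(5).lower()] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        elif section == "reg":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
                pending_notify = key.rsplit("\\", 1)[1] if "\\winlogon\\notify\\" in key.lower() else None
            elif pending_notify:
                m = NOTIFY_LINE.match(line)
                if m:
                    notify[pending_notify] = m.group(4)
                pending_notify = None
        elif section == "loaded":
            m = PROC_LINE.match(line)
            if m:
                current_proc = m.group(1)
                loaded[current_proc] = []
            elif current_proc:
                loaded[current_proc].append(line)
    return {"created": created, "notify": notify, "loaded": loaded}


def triage(text):
    """Return [(subkey, dll_path, [reasons])] for every Winlogon Notify entry in the log."""
    data = parse_combofix(text)
    in_winlogon = {p.lower() for p in data["loaded"].get("winlogon.exe", [])}
    findings = []
    for subkey, dll in data["notify"].items():
        reasons = []
        if dll.lower() in in_winlogon:
            reasons.append("DLL is mapped into winlogon.exe")
        if dll.lower() in data["created"]:
            when = data["created"][dll.lower()].strftime("%Y-%m-%d %H:%M")
            reasons.append("DLL created %s, inside the log's file-creation window" % when)
        if RANDOM_NAME.match(subkey):
            reasons.append("subkey name looks machine-generated (heuristic)")
        findings.append((subkey, dll, reasons))
    return findings


if __name__ == "__main__":
    for subkey, dll, reasons in triage(SAMPLE_LOG):
        print("%s: %s" % (subkey, dll))
        for r in reasons:
            print("   -", r)
```

Run against the sample, the single finding is the addefcebbeefeaaec entry with all three reasons. A Winlogon Notify package is loaded by winlogon.exe at boot, before any user logs on or any scanner's GUI starts, and a DLL that is mapped into a running process cannot be deleted from within that Windows session; that is the pattern a practitioner would look for first in a log like this one, and it fits the offline removal described later in the thread.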

I have been scouring Google to find some solutions. I tried the following programs, which were suggested by different reputable sites, and still no luck.

System Repair Engineer

OTL by OldTimer

drweb-cureit

ATF_cleaner

I also tried CounterSpy, since it has a 15-day trial version, and it did find Backdoor.bifrost, but this still didn't fix the problem.


I'm still getting blocked from anything referencing Malwarebytes. As soon as I click on a link it shuts down the browser. It does it in IE, Firefox, and Chrome. I also found that it will prevent Autoruns (autoruns.exe) from starting. I tried SUPERAntiSpyware and it found a couple of things (Trojan.Dropper), but I'm still having the issue.


I was finally able to fix the problem. I tried using Sophos Anti-Rootkit and the malware was able to see it and stop it from running. I then ran it from the command prompt and that did the trick. While running the scan it found a file:

windows\system32\addefcebbeefeaaec.dll

The only way I was able to remove it was to pull the drive out and install it in my portable USB drive. Once I deleted it and put the hard drive back, I was able to install Malwarebytes and surf websites.

Whoever designed this malware must have been brilliant.

Hopefully this will help others.
