Cannot install Malwarebytes

3 replies to this topic

#1 Ruzzian (New Member, 4 posts)
I'm having similar issues as others with installing Malwarebytes. It will never run no matter how I rename the file, and I also cannot go to any website that references Malwarebytes. I have looked in Device Manager for hidden devices and none of the suggestions show up. I have also run ComboFix, and below are the results. This originally was brought to my attention when a program called Alpha Antivirus was somehow installed on the machine. As far as I can tell I have removed it, and I can find no references to that program causing this.

ComboFix 09-10-27.07 - kdenbeste 10/28/2009 9:07.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1541 [GMT -4:00]
Running from: c:\documents and settings\Kim Den Beste\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1356 [VPS 091027-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\_000019_.tmp.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACrnjnwyquva.dll
c:\windows\system32\UACymxnuuykds.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWCWORKSTATION
-------\Legacy_UACD.SYS
-------\Service_NWCWorkstation
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-28 02:51 . 2009-10-28 02:51 -------- d-sh--w- c:\documents and settings\Administrator.KIM\IETldCache
2009-10-27 21:21 . 2009-10-27 21:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-27 15:14 . 2009-10-27 15:14 193040 ----a-w- c:\windows\system32\lastmon.dll
2009-10-27 15:10 . 2009-10-27 15:10 277007 ----a-w- c:\windows\system32\addefcebbeefeaaec.dll
2009-10-27 13:07 . 2009-10-27 13:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-24 20:17 . 2009-10-24 20:17 350208 ----a-w- c:\windows\system32\IEaddonscontrol.dll
2009-10-15 07:00 . 2009-10-15 07:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-10-09 12:14 . 2009-10-09 12:14 -------- d-----w- c:\documents and settings\Kim Den Beste\Application Data\Office Genuine Advantage
2009-10-06 19:28 . 2009-10-06 18:10 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-06 18:21 . 2009-10-06 18:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-06 18:10 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-06 18:09 . 2009-10-06 18:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-10-06 18:09 . 2009-10-06 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-06 18:09 . 2009-10-06 18:09 -------- d-----w- c:\program files\Lavasoft
2009-10-06 18:00 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-06 18:00 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-06 18:00 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-10-06 18:00 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-10-06 18:00 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-06 18:00 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-06 18:00 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-06 17:59 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-06 17:59 . 2009-10-06 17:59 -------- d-----w- c:\program files\Alwil Software
2009-10-06 17:48 . 2009-10-06 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-06 17:48 . 2009-10-06 17:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-02 21:39 . 2009-10-02 21:39 45 ----a-w- c:\documents and settings\Kim Den Beste\jagex_runescape_preferences2.dat
2009-10-02 21:38 . 2009-10-02 22:22 38 ----a-w- c:\documents and settings\Kim Den Beste\jagex_runescape_preferences.dat
2009-10-02 21:37 . 2009-10-02 21:38 -------- d-----w- c:\windows\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 22:00 . 2006-08-07 12:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-15 07:03 . 2007-08-21 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-25 22:34 . 2009-07-31 14:46 84432 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-22 21:15 . 2009-09-22 21:09 -------- d-----w- c:\program files\Google
2009-09-22 13:27 . 2009-09-22 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-20 17:55 . 2009-09-16 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-20 13:27 . 2009-09-20 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-17 22:22 . 2009-09-17 22:22 -------- d-----w- c:\program files\MapPuzzles
2009-09-16 21:40 . 2009-09-16 21:40 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-16 21:40 . 2009-09-16 21:39 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-11 14:18 . 2008-12-13 19:35 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-12-13 19:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 18:20 . 2006-08-07 12:12 106608 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 08:08 . 2004-08-04 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 21:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 23:24 . 2004-08-04 21:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-04 21:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2007-08-22 15:34 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-04 21:00 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-04 21:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 21:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-04 21:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2007-08-24 13:00 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2007-04-17 02:43 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2004-08-04 21:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2008-12-13 19:35 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2008-12-13 19:35 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2008-12-13 19:35 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator.KIM\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\aserrano\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\__sbs_netsetup__\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\addefcebbeefeaaec]
2009-10-27 15:10 277007 ----a-w- c:\windows\system32\addefcebbeefeaaec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kim Den Beste^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Kim Den Beste\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\HPNetworkAssistant\\HPNetworkAssistant.exe"=
"c:\\Program Files\\HP Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/6/2009 2:10 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/6/2009 2:00 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/6/2009 2:00 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/27/2008 1:00 PM 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/22/2009 5:09 PM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 18:10]

2009-10-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-22 21:09]

2009-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-22 21:09]

2009-10-25 c:\windows\Tasks\Norton Security Scan for kdenbeste.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-08-27 23:58]

2009-10-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=toolbar
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: trinityprep.org\webportal
Trusted Zone: yahoo.com\www
TCP: {6FF4182C-6FD6-41B3-98B8-E05C36184816} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Kim Den Beste\Application Data\Mozilla\Firefox\Profiles\6apdhr4j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50fftrie7
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50fftrab&query=
FF - component: c:\documents and settings\Kim Den Beste\Application Data\Mozilla\Firefox\Profiles\6apdhr4j.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 09:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\addefcebbeefeaaec.dll
c:\windows\system32\WININET.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\hnetcfg.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\combo-fix\CF3203.exe
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-28 9:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-28 13:23

Pre-Run: 82,383,810,560 bytes free
Post-Run: 82,340,265,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 26075FD5B19638F27C6B8EC656AF7523

#2 Ruzzian (New Member, 4 posts)
I have been scouring Google to find some solutions. I tried the following programs that were suggested by different reputable sites, and still no luck.

System Repair Engineer
OTL by OldTimer
drweb-cureit
ATF_cleaner

I also tried CounterSpy since it has a 15-day trial version, and it did find Backdoor.bifrost, but this still didn't fix the problem.

#3 Ruzzian (New Member, 4 posts)
I'm still getting blocked from anything referencing Malwarebytes. As soon as I click on a link it shuts down the browser. It does it in IE, Firefox, and Chrome. I also found that it will prevent Autoruns (autoruns.exe) from starting. I tried SUPERAntiSpyware and it found a couple of things (Trojan.Dropper), but I'm still having the issue.

#4 Ruzzian (New Member, 4 posts)
I was finally able to fix the problem. I tried using Sophos Anti-Rootkit, and the malware was able to see it and stop it from running. I then ran it from the command prompt, and that did the trick. While running the scan it found a file:
windows\system32\addefcebbeefeaaec.dll

The only way I was able to remove it was to pull the drive out and install it in my portable USB drive. Once I deleted it and installed the hard drive back, I was able to install Malwarebytes and surf websites.

Whoever designed this malware must have been brilliant.

Hopefully this will help others.
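As an added example (not from the original poster, ComboFix or Malwarebytes), a small Python triage script that reads a constructed excerpt of the log in post #1: it pairs the Winlogon Notify registration under "Reg Loading Points" with the DLL list for winlogon.exe, which is exactly where the file named in post #4 appears. The "letters a-f only" name heuristic is my own assumption, not a ComboFix rule.

```python
import re
# Constructed excerpt modelled on the ComboFix log posted above (sample input, not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\addefcebbeefeaaec]
2009-10-27 15:10 277007 ----a-w- c:\windows\system32\addefcebbeefeaaec.dll
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\addefcebbeefeaaec.dll
c:\windows\system32\WININET.dll
c:\program files\Bonjour\mdnsNSP.dll
"""
NOTIFY_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\([^\]]+)\]$", re.I)
PROC_HEADER = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)$")
PATH_TAIL = re.compile(r"([a-z]:\\.+\.dll)$", re.I)

def random_looking(name):
    # Heuristic (my assumption): a long name spelled only with the letters a-f is a lead, not proof.
    return len(name) >= 12 and re.fullmatch(r"[a-f]+", name) is not None

def notify_packages(log):
    # Map each Winlogon Notify subkey to the DLL path ComboFix prints on the line below it.
    packages, current = {}, None
    for line in log.splitlines():
        if m := NOTIFY_KEY.match(line.strip()):
            current = m.group(1).lower()
        elif current:
            if hit := PATH_TAIL.search(line):
                packages[current] = hit.group(1).lower()
            current = None
    return packages

def loaded_dlls(log):
    # Map each process in 'DLLs Loaded Under Running Processes' to the DLL paths listed under it.
    by_proc, current = {}, None
    for line in (raw.strip() for raw in log.splitlines()):
        if m := PROC_HEADER.match(line):
            current = m.group(1).lower()
        elif current and PATH_TAIL.fullmatch(line):
            by_proc.setdefault(current, []).append(line.lower())
    return by_proc

def triage(log):
    # Flag random-looking Notify packages and anything in winlogon.exe (runs as SYSTEM) that is one or looks random.
    findings, packages = [], notify_packages(log)
    for subkey, path in packages.items():
        if random_looking(subkey):
            findings.append(f"notify package with random-looking name: {subkey} -> {path}")
    for path in loaded_dlls(log).get("winlogon.exe", []):
        base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if path in packages.values() or random_looking(base):
            findings.append(f"suspicious dll loaded in winlogon.exe: {path}")
    return findings

print(*triage(SAMPLE_LOG), sep="\n")
```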




