Thread: Can't install anti virus programs.

  1. #1
    Junior Member
    Join Date
    Dec 2007
    Posts
    4

    Can't install anti virus programs.

    I tried installing AVG, but I get this error:
    Local machine: prepared for the installation
    Initialization:
    Warning: Windows Firewall activity checking failed.
    There are no more endpoints available from the endpoint
    mapper. (1753)
    Actions plan:
    Error: Evaluating of the short file name failed for "C:
    \Program Files\Grisoft\AVG7\avgrssvc.exe".
    Creating of the temporary folder "C:\Program Files\Grisoft
    \AVG7\avgrssvc.exe" failed.
    The system cannot find the file specified. (2) %PATH%
    = "C:\Program Files\Grisoft\AVG7\avgrssvc.exe"

    The last statement is correct: there is no avgrssvc.exe.

    I tried to install AVAST!,
    but had a similar problem. I also tried Kaspersky and it didn't
    install either. I did its online scan and it stalled at 5% then at
    4%. I tried to install Sophos Anti-Virus, but got these error
    messages:
    Cannot create savxp\program files\Sophos\Sophos Anti-Virus
    \sav32cli.exe
    Cannot create savxp\program files\Sophos\Sophos Anti-Virus
    \SAVAdminService.exe
    Cannot create savxp\program files\Sophos\Sophos Anti-Virus\Module
    Retargetable Folder\SavMain.exe
    Cannot create savxp\program files\Sophos\Sophos Anti-Virus\Module
    Retargetable Folder\SavProgress.exe

    I think something is preventing an anti virus install program from
    creating the main executable. I was able to install AdAware. I ran it,
    and it didn't flag anything important. Also, I can't start Windows
    Defender. Anybody have any idea what's going on?

    Here is the HJT log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:41:56 PM, on 12/29/2007
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16575)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\s3trayp.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\Kleptomania\k-mania.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\System32\notepad.exe
    C:\FF_Downloads\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.everex.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.everex.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [lxdjmon.exe] "C:\Program Files\Lexmark 1400 Series\lxdjmon.exe"
    O4 - HKLM\..\Run: [lxdjamon] "C:\Program Files\Lexmark 1400 Series\lxdjamon.exe"
    O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
    O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxdcmon.exe] "C:\Program Files\Lexmark 1300 Series\lxdcmon.exe"
    O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [StandardKeyboard] C:\Windows\Wireless\Wireless.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
    O4 - HKCU\..\Run: [drvsyskit] C:\Windows\system32\drivers\hldrrr.exe
    O4 - HKCU\..\Run: [Kleptomania] C:\Program Files\Kleptomania\k-mania.exe
    O4 - HKCU\..\Run: [german.exe] C:\Windows\system32\wintems.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
    O23 - Service: lxdc_device - - C:\Windows\system32\lxdccoms.exe
    O23 - Service: lxdj_device - - C:\Windows\system32\lxdjcoms.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

    --
    End of file - 6758 bytes

  2. #2
    Junior Member
    Join Date
    Dec 2007
    Posts
    4

    removed one item

    I ran an analysis at http://hjt.networktechs.com/parse.php?log=417476
    I checked this item and had HJT remove it. I looked up wintems.exe and it was bad.

    O4 - HKCU\..\Run: [german.exe] C:\Windows\system32\wintems.exe
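
An added example, not part of the original posts: a Python script that triages the O4 Run entries of a HijackThis log like the one in post #1 and flags the kind of entry removed in post #2. The three heuristics and the names `triage` and `target_of` are assumptions made for illustration; a flag means "look this file up", not a verdict.

```python
import ntpath
import re

# Lines copied from the HijackThis log in the first post (subset, for brevity).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [drvsyskit] C:\Windows\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\Windows\system32\wintems.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

O4_RUN = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\(?:[^\\]+\\)?\.\.\\Run: '
                    r'\[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
EXE = re.compile(r'"([^"]+)"|(.+?\.exe)\b', re.I)

def target_of(cmd):
    """Return the executable part of a Run command line (quoted or bare)."""
    m = EXE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd.split()[0]

def triage(log_text):
    """Return [(value_name, target, [reasons])] for Run entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        name, target = m["name"], target_of(m["cmd"])
        low, reasons = target.lower(), []
        # Heuristic 1 (assumption): per-user autoruns rarely launch from system32.
        if m["hive"] in ("HKCU", "HKUS") and "\\windows\\system32\\" in low:
            reasons.append("per-user Run entry launches from system32")
        # Heuristic 2 (assumption): the drivers directory should hold .sys files, not .exe.
        if "\\system32\\drivers\\" in low and low.endswith(".exe"):
            reasons.append(".exe inside system32\\drivers")
        # Heuristic 3 (assumption): a value named like a file should match its target.
        if name.lower().endswith(".exe") and name.lower() != ntpath.basename(low):
            reasons.append("value name and target file name differ")
        if reasons:
            findings.append((name, target, reasons))
    return findings

if __name__ == "__main__":
    for name, target, reasons in triage(SAMPLE_LOG):
        print(f"[{name}] {target}: " + "; ".join(reasons))
```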

  3. #3
    Junior Member
    Join Date
    Dec 2007
    Posts
    4

    Infection over

    The malware stops processes that have to do with anti-malware programs. None would install and Windows Defender wouldn't start. I kept trying to install different anti-spyware programs and found that Spybot installed. It flagged several registry entries for three Trojans, but wouldn't delete them because I was using the free version, which doesn't delete. I manually deleted them. Then, I was able to install Bitdefender. It found two more bad files in the emule incoming folder. The infection occurred when I was using emule to get a copy of Kleptomania.

    Everything is OK now, and I even have a working copy of Kleptomania.

    --
    Nehmo

  4. #4
    Junior Member
    Join Date
    Dec 2007
    Posts
    4

    Spywarebot vs. Spybot S&D

    I should add that I was fooled by Google’s search results into thinking that SpywareBot was the evolved version of SpyBot Search and Destroy http://www.safer-networking.org/en/index.html .
    SpywareBot doesn’t make the situation clear on its site. The site says over and over that the “download” is free. That’s technically true, but you also need to get a better version (one that costs) to delete the detected malware files.
    Spywarebot does indeed identify the malware files (including registry entries), but it doesn’t delete them for free. You have to pay for an upgraded version to do that. Or you can manually delete the malware files, which is what I did.
    In fact, Spybot S&D flags Spywarebot as a program that should be removed.
    Spybot S&D is free and is the older program with the excellent reputation. The other program, Spywarebot, is basically stealing the reputation of Spybot S&D. It pays Google for a sponsored-link position that tricks people.
    Spywarebot probably makes plenty of money with this scam. I suppose you have to give them a certain kind of credit for coming up with a scam that works and doesn’t really hurt people. However, if you have the skills needed to make the webpage and write the program, you should apply those skills to some vocation that has a better moral standing.
    --
    Nehmo
