Analconda Posted January 14, 2009 ID:47609 Share Posted January 14, 2009 Hey guys,I'm writing here because I am quite desperate. Today, the malware Real Antivirus installed on my PC, despite using Sophos Antivirus and Spybot Search and Destroy. Now, I have a "new" desktop, with a blinking ad in the middle and a balloon popup in the taskbar advising me to download anti-spyware and leading me to a realAV-website. Haha.I tried several things suggested on the internet, like deleting RealAV files and registry entries manually, but my PC won't even find them. The often described RealAV-task is not in my task manager. I asssume this is because I have quite a severe case. :-/When I downloaded Malwarebytes (my last hope) and tried to install ist, it was cancelled and like 16 windows opened, saying "invalid floating point operation".I would appreciate help of ANY kind very much!Thanks a lot in advance.Analconda Link to post Share on other sites More sharing options...
Analconda Posted January 14, 2009 Author ID:47611 Share Posted January 14, 2009 Forgot the logfile, sorry:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 15:23:26, on 14.01.2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\userinit.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exeC:\WINDOWS\system32\RunDLL32.exeC:\Programme\Visagesoft\eXPert PDF\vspdfprsrv.exeC:\WINDOWS\SOUNDMAN.EXEC:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\WINDOWS\system32\frmwrk32.exeC:\Programme\Creative\MediaSource\Detector\CTDetect.exeC:\Programme\Sophos\AutoUpdate\ALMon.exeC:\WINDOWS\system32\CTsvcCDA.exeC:\Programme\Cisco Systems\VPN Client\cvpnd.exeC:\Programme\CDBurnerXP\NMSAccessU.exeC:\WINDOWS\System32\nvsvc32.exeC:\WINDOWS\system32\PnkBstrA.exeC:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exeC:\Programme\Sophos\AutoUpdate\ALsvc.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\ntdll64.exeC:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\WINDOWS\system32\ntdll64.exeC:\Dokumente und Einstellungen\Andreas Keller\Desktop\mbam-setup.exeC:\DOKUME~1\ANDREA~1\LOKALE~1\Temp\is-AM40R.tmp\mbam-setup.tmpC:\Dokumente und Einstellungen\Andreas Keller\Desktop\mbam-setup.exeC:\DOKUME~1\ANDREA~1\LOKALE~1\Temp\is-NHLSS.tmp\mbam-setup.tmpC:\Programme\Trend Micro\HijackThis\HijackThis.exeO2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Programme\Sophos\Sophos Anti-Virus\SophosBHO.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [EPSON Stylus DX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE /P26 "EPSON Stylus DX4200 Series" /O6 "USB001" /M "Stylus DX4200"O4 - HKLM\..\Run: [REGSHAVE] C:\Programme\REGSHAVE\REGSHAVE.EXE /AUTORUNO4 - HKLM\..\Run: [vspdfprsrv.exe] C:\Programme\Visagesoft\eXPert PDF\vspdfprsrv.exe --backgroundO4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXEO4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKLM\..\Run: [Framework Windows] frmwrk32.exeO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKCU\..\Run: [Creative Detector] C:\Programme\Creative\MediaSource\Detector\CTDetect.exe /RO4 - HKCU\..\Run: [sparVoip] "C:\Programme\SparVoip\SparVoip.exe" -nosplash -minimizedO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exeO4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\Stardock\ObjectDock\ObjectDock.exeO4 - Global Startup: AutoUpdate Monitor.lnk = C:\Programme\Sophos\AutoUpdate\ALMon.exeO4 - Global Startup: VPN Client.lnk = ?O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exeO9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exeO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dllO10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLLO20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLLO23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exeO23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: Sophos Anti-Virus Statusreporter (SAVAdminService) - Sophos Plc - C:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exeO23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Programme\Sophos\Sophos Anti-Virus\SavService.exeO23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Programme\Sophos\AutoUpdate\ALsvc.exe--End of file - 6608 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 14, 2009 Root Admin ID:47688 Share Posted January 14, 2009 Hello and Welcome to Malwarebytes.org Please read and follow the instructions provided here: I'm infected - What do I do now?Someone will be happy to assist you further with cleaning your system if requiredDuring this scan and cleanup process you should not install any other software unless requested to do so.Please do not post logs here in the PC Help forum. In the other forum please also include your MBAM log. Link to post Share on other sites More sharing options...
Recommended Posts