Please help

I cannot run my machine smoothly for more than ten minutes after I restart it!!

here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:28:08, on 03/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\AVG\AVG9\avgchsvx.exe
C:\Archivos de programa\AVG\AVG9\avgrsx.exe
C:\Archivos de programa\AVG\AVG9\avgcsrvx.exe
C:\Archivos de programa\a-squared Free\a2service.exe
C:\Archivos de programa\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\TeamViewer\Version4\TeamViewer_Service.exe
C:\Archivos de programa\TeamViewer\Version4\TeamViewer.exe
C:\Archivos de programa\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ccdrive32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Archivos de programa\HP\HP Software Update\HPWuSchd.exe
C:\ARCHIV~1\AVG\AVG9\avgtray.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Archivos de programa\AVG\AVG9\avgcsrvx.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.252:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Archivos de programa\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Archivos de programa\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Archivos de programa\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Archivos de programa\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\ARCHIV~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\ccdrive32.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B428EEF-A3E9-4D50-8FF1-CD1253B32BC4}: NameServer = 200.3.250.1,200.3.250.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{6B428EEF-A3E9-4D50-8FF1-CD1253B32BC4}: NameServer = 200.3.250.1,200.3.250.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{6B428EEF-A3E9-4D50-8FF1-CD1253B32BC4}: NameServer = 200.3.250.1,200.3.250.2
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Archivos de programa\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Archivos de programa\a-squared Free\a2service.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Archivos de programa\AVG\AVG9\avgwdsvc.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Archivos de programa\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\dev6i\BIN\ONRSD80.EXE (file missing)
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Archivos de programa\TeamViewer\Version4\TeamViewer_Service.exe

--
End of file - 6208 bytes


Have you tried to run Malwarebytes on your system?

I will try that, then I'll post back.

Thanks a lot

I ran Malwarebytes without positive results.
I didn't find any threats. The win32 problem keeps popping up.
It disables my shared documents on my network.

thanks

You need to post the MBA-M log here. That is always requested.

C:\WINDOWS\ccdrive32.exe

This is dangerous malware. Check your temp folder to find a bundle of exe files.
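
The reply above picks C:\WINDOWS\ccdrive32.exe out of the HijackThis log by eye. As an added example, not code from the original thread or from HijackThis, the script below applies the same judgement to HJT lines automatically: it flags O4 autostarts under the rarely used Policies\Explorer\Run key, executables sitting directly in C:\WINDOWS instead of System32, O23 services whose binary is gone ("(file missing)"), and remote-access tools that start with Windows. The sample lines are copied from the logs posted in this thread; which patterns count as suspicious, and which two executables are accepted in the Windows root, are this example's own assumptions.

```python
r"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread; not code from the original posts or from
HijackThis. The sample lines below are copied from the logs posted in the
thread. Which patterns count as suspicious, and which two executables are
accepted in the Windows root, are this example's own assumptions.
"""
import re

# Autostart locations legitimate installers almost never use (lower-case).
RARE_RUN_KEYS = ("policies\\explorer\\run",)

# Remote-access tools the replies name as a likely spreading path.
REMOTE_ACCESS = ("teamviewer", "winvnc", "tightvnc")

# An exe placed directly in C:\WINDOWS rather than System32, with a
# system-sounding name, is a common worm disguise. These two are legitimately
# there in the posted logs (assumption: treat only them as known-good).
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)
KNOWN_WINDOWS_ROOT = {"explorer.exe", "rthdcpl.exe"}

O4_RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def exe_from_command(cmd):
    """Return the executable path from a Run command line, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def triage_line(line):
    """Findings (strings) for one HJT line; an empty list if nothing stands out."""
    findings = []
    m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
    if m:
        hive = m.groupdict().get("hive") or "Global Startup"
        cmd = m.group("cmd")
        exe = exe_from_command(cmd)
        if any(k in hive.lower() for k in RARE_RUN_KEYS):
            findings.append(f"rare autostart key {hive} launches {exe}")
        if WINDOWS_ROOT_EXE.match(exe) and exe.rsplit("\\", 1)[-1].lower() not in KNOWN_WINDOWS_ROOT:
            findings.append(f"exe in Windows root, not System32: {exe}")
        if any(t in cmd.lower() for t in REMOTE_ACCESS):
            findings.append(f"remote-access tool autostarts: {exe}")
        return findings
    m = O23_RE.match(line)
    if m:
        svc, path = m.group("svc"), m.group("path")
        if "(file missing)" in path:
            findings.append(f"orphaned service entry, binary gone: {svc}")
        if any(t in path.lower() for t in REMOTE_ACCESS):
            findings.append(f"remote-access service installed: {svc}")
    return findings


def triage_log(text):
    """Map each flagged log line to its findings, in log order."""
    report = {}
    for line in text.splitlines():
        found = triage_line(line)
        if found:
            report[line] = found
    return report


# Lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\ccdrive32.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Launch TightVNC Server.lnk = C:\Archivos de programa\TightVNC\WinVNC.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Archivos de programa\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Archivos de programa\TeamViewer\Version4\TeamViewer_Service.exe
"""

if __name__ == "__main__":
    for line, found in triage_log(SAMPLE_LOG).items():
        print(line)
        for f in found:
            print("   ->", f)
```

On the sample, only four lines are reported: the ccdrive32.exe entry twice over (rare key and Windows-root location), the TightVNC startup link, the orphaned Norton service, and the TeamViewer service. A heuristic hit is a reason to look closer, not proof of infection; TeamViewer and TightVNC are flagged here only because the replies treat the remote connections as the spreading path.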

Here's the log you've requested.

thanks a lot


Malwarebytes' Anti-Malware 1.42
Database version: 3292
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

07/12/2009 16:12:53
mbam-log-2009-12-07 (16-12-49).txt

Scan type: Full Scan (C:\|D:\|H:\|)
Objects scanned: 192656
Time elapsed: 35 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\45.exe (Worm.Rimecud) -> No action taken.
H:\RECYCLER\autorun.exe (Worm.Rimecud) -> No action taken.

I ran Malwarebytes without positive results.
I didn't find any threats. The win32 problem keeps popping up.
It disables my shared documents on my network.

thanks

This is obviously not true. Your MBA-M log DOES show infections which were NOT cleaned by you.

Files Infected:
C:\WINDOWS\system32\45.exe (Worm.Rimecud) -> No action taken.
H:\RECYCLER\autorun.exe (Worm.Rimecud) -> No action taken.

You have to tell the program to clean things up and you did not.
Plus you DID NOT update the program prior to running it, as your database is out of date by several days at the very least. Current database is 3311.
You also have SpyBot TeaTimer running which can prevent fixes. You must turn this off by doing the following:

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts
* Restart your computer

After doing that UPDATE Malwarebytes' Anti-Malware. Run a Full Scan with it and have it REMOVE EVERYTHING found.
Reboot the computer. Run a new HJT scan and save the log. Then post back here with the MBA-M scan log and the HJT log.
Judy

I did all of the above.
Apparently I can't remove the infection. It tells me it will remove it after reboot, but then the same win32 problem pops up again.


here are the logs:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:37, on 09/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\a-squared Free\a2service.exe
C:\WINDOWS\system32\dllhost.exe
C:\Archivos de programa\Archivos comunes\Doctor Web\Scanning Engine\dwengine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\ARCHIV~1\DrWeb\spidernt.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\TeamViewer\Version4\TeamViewer_Service.exe
C:\Archivos de programa\TeamViewer\Version4\TeamViewer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Archivos de programa\HP\HP Software Update\HPWuSchd.exe
C:\Archivos de programa\DrWeb\SpIDerAgent.exe
C:\Archivos de programa\DrWeb\spiderml.exe
C:\ARCHIV~1\DrWeb\spiderui.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\TightVNC\WinVNC.exe
C:\dev6i\BIN\ifrun60.EXE
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.252:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpIDerAgent] "C:\Archivos de programa\DrWeb\SpIDerAgent.exe"
O4 - HKLM\..\Run: [SpIDerMail] "C:\Archivos de programa\DrWeb\spiderml.exe"
O4 - HKLM\..\Run: [SpIDerNT] C:\ARCHIV~1\DrWeb\spiderui.exe /agent
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Launch TightVNC Server.lnk = C:\Archivos de programa\TightVNC\WinVNC.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B428EEF-A3E9-4D50-8FF1-CD1253B32BC4}: NameServer = 200.3.250.1,200.3.250.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{6B428EEF-A3E9-4D50-8FF1-CD1253B32BC4}: NameServer = 200.3.250.1,200.3.250.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{6B428EEF-A3E9-4D50-8FF1-CD1253B32BC4}: NameServer = 200.3.250.1,200.3.250.2
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Archivos de programa\a-squared Free\a2service.exe
O23 - Service: Dr.Web Scanning Engine (DrWebEngine) (DrWebEngine) - Doctor Web, Ltd. - C:\Archivos de programa\Archivos comunes\Doctor Web\Scanning Engine\dwengine.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Archivos de programa\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\dev6i\BIN\ONRSD80.EXE (file missing)
O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - C:\ARCHIV~1\DrWeb\spidernt.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Archivos de programa\TeamViewer\Version4\TeamViewer_Service.exe

--
End of file - 5283 bytes


Malwarebytes' Anti-Malware 1.42
Database version: 3311
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

07/12/2009 17:54:14
mbam-log-2009-12-07 (17-54-14).txt

Scan type: Full Scan (C:\|D:\|H:\|)
Objects scanned: 193619
Time elapsed: 35 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
H:\RECYCLER\autorun.exe (Worm.Rimecud) -> Delete on reboot.
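
Both MBA-M logs above flag H:\RECYCLER\autorun.exe, the classic layout of a worm that spreads on removable drives: the payload is parked in a folder Explorer hides by default and an autorun.inf at the drive root points at it. As an added example that is not part of the original thread, the parser below reads such an autorun.inf and lists every command it could launch, flagging targets inside hidden system folders and the "Open folder to view files" disguise that makes the AutoPlay entry look like Windows' own. The autorun.inf content is constructed for illustration; the thread shows only the detected executable, not the launcher file, so its exact contents are an assumption.

```python
r"""Parse a removable drive's autorun.inf and list what it would launch.

Added example for this thread; not code from the original posts or from any
product named in them. MBA-M flagged H:\RECYCLER\autorun.exe; the
autorun.inf below is constructed to show how such a payload gets launched
and is an assumption, not a file recovered from the infected machine.
"""

# Keys whose value is executed directly when AutoRun/AutoPlay processes the file.
LAUNCH_KEYS = ("open", "shellexecute")

# Folders Explorer hides by default; autorun worms commonly park payloads there.
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")


def parse_autorun(text):
    """INI-style parse that tolerates the junk real autorun.inf files carry.

    Returns {section: {key: value}} with section and key names lower-cased.
    Lines outside a section or without '=' are skipped rather than rejected,
    because worms pad the file with garbage to trip strict parsers.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    r"""Commands the [autorun] section can execute, in file order.

    open= / shellexecute= are the AutoRun commands; shell\<verb>\command=
    runs when the user picks that verb from the drive's context menu, or
    double-clicks the drive if it is the default verb (shell=<verb>).
    """
    auto = parse_autorun(text).get("autorun", {})
    return [
        value for key, value in auto.items()
        if key in LAUNCH_KEYS
        or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def suspicious_targets(text):
    """Launch commands that point into a hidden system folder."""
    return [t for t in launch_targets(text)
            if any(d in t.lower() for d in HIDDEN_DIRS)]


def fakes_folder_entry(text):
    """True if the file dresses itself up as Windows' own 'Open folder' action.

    Worms set action= to the text Windows shows for a plain folder and borrow
    the folder icon from shell32.dll so the AutoPlay dialog looks harmless.
    """
    auto = parse_autorun(text).get("autorun", {})
    return ("folder" in auto.get("action", "").lower()
            or "shell32.dll" in auto.get("icon", "").lower())


# Constructed sample; not recovered from the machine in this thread.
SAMPLE_AUTORUN = (
    "[AutoRun]\r\n"
    "; constructed for this example\r\n"
    "open=RECYCLER\\autorun.exe\r\n"
    "shell\\open\\command=RECYCLER\\autorun.exe\r\n"
    "shell\\explore\\command=RECYCLER\\autorun.exe\r\n"
    "shell=open\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "action=Open folder to view files\r\n"
)

if __name__ == "__main__":
    print("launch targets:", launch_targets(SAMPLE_AUTORUN))
    print("in hidden folders:", suspicious_targets(SAMPLE_AUTORUN))
    print("fakes 'Open folder':", fakes_folder_entry(SAMPLE_AUTORUN))
```

Point it at the root of the suspect drive (the file would be H:\autorun.inf here) and remove the .inf together with its targets; MBA-M reported only the executable. Three launch keys pointing at one file under RECYCLER, plus a borrowed folder icon and folder-style action text, is the combination a practitioner should recognise on sight.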

It looks to me like you are connected to other computers by using the program TeamViewer, is this true? The worm you are showing spreads via P2P sharing and possibly also remotely shared computers. As long as you are connected via remote sharing you may continue to be infected.

You were first showing AVG 9 on the system; you have obviously removed it because it doesn't show on the latest log. Now you have a program on the computer called Dr.Web, but this is just a stand-alone AV program and does not provide any real-time protection. What happened to the AVG 9? You also have no firewall on the computer.

Your internet domain showing is from Paraguay. Where ARE you located?
You have to get this computer OFF this remote connection with other computers and connect only this computer. You need an anti-virus program which is known to work well.

I'm located in Paraguay and yes, there are at least 3 computers connected to mine.
Which antivirus will you recommend me to download?
Do I have to disconnect myself from those computers?

Thanks a lot for the help

José


Hello Jose, my brother lived in Paraguay for three years, many years ago.

If you are connected to other computers then Yes, you need to remove yourself from that network. But, ALL of those computers may very well also be infected so they all will have to be cleaned also.
I would recommend that you use Avira Free. It is well respected and does a good job.

The programs which gave the indication of remote sharing on the log are these:
TeamViewer
TightVNC
I mentioned in my other post Dr.Web, which IS a stand-alone anti-virus program but offers NO protection at all. You also are showing an entry for an old Norton 360 program. It appears that it has been removed but very likely has remaining files on there, since they are still listed in your log, but with the (file missing) notation.
You should run the Norton Removal Tool which applies to the specific product you had on the machine to be sure these are definitely all removed.
My advice is remove yourself from the computer sharing network, add the Avira Anti-Virus program, update it and do a Full Scan with it and have it remove and/or quarantine anything it finds. Then follow the steps given earlier again, be certain that Malwarebytes' Anti-Malware (MBA-M) is Updated again BEFORE you run it and again have it clean/remove everything found. Of course Reboot after each scan.
Then do a new HJT scan, save the log and then post back here with the new MBA-M log and the HJT log.
These steps would have to be completed on each and every computer on that remote sharing network BEFORE reconnecting again to each other. This is the only way you can be certain that none of the computers are infected and able to again pass the infections back and forth.
Judy
