what is this: "The modul could not be found!"

You have the Troj/Crypter-C trojan, amongst others.

Open Task Manager & end process on the following:
de32gen.exe
Mra.EXE

Go to C:\windows\system32 and delete de32gen.exe and Mra.EXE.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

F3 - REG:win.ini: run=c:\windows\system32\de32gen.exe

O4 - HKLM\..\Run: [fxhilc] C:\WINDOWS\System32\fxhilc.exe
O4 - HKLM\..\Run: [DQMXFKBM] c:\windows\system32\dqmxfkbm.exe /install
O4 - HKLM\..\Run: [Hot_Tarts_il] C:\Program Files\Video1\Dialers\Hot_Tarts_il\Hot_Tarts_il.exe /dontdial
O4 - HKLM\..\Run: [HDOFAEVY] c:\windows\system32\hdofaevy.exe /install
O4 - HKLM\..\Run: [WCBRCLZV] c:\windows\system32\wcbrclzv.exe /install
O4 - HKLM\..\Run: [Cmx32] c:\windows\system32\cmx32.exe
O4 - HKCU\..\Run: [Mra] C:\Documents and Settings\Æåíÿ\Application Data\Mra\Mra.EXE
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1022.dll,InstantAccess
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
O4 - HKCU\..\Run: [Advmon32] c:\windows\system32\advmon32.exe
O4 - HKCU\..\Run: [Sysint16] c:\windows\system32\sysint16.exe
O4 - HKCU\..\Run: [Videocntl] c:\windows\system32\videocntl.exe
O4 - HKCU\..\Run: [De32gen] c:\windows\system32\de32gen.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binari...UTH_1022_EN.cab
Electronic-Group Dialer
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binari...thv32_EN_XP.cab
Electronic-Group Dialer
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
SearchBarCash

Reboot into safe mode following the instructions here and navigate to and delete the following if found:

C:\WINDOWS\System32\fxhilc.exe<----file
c:\windows\system32\dqmxfkbm.exe<----file
c:\windows\system32\hdofaevy.exe<----file
c:\windows\system32\wcbrclzv.exe<----file
c:\windows\system32\cmx32.exe<----file
p2esocks_1022.dll<----file
C:\WINDOWS\mslagent\mslagent.exe<----file
c:\windows\system32\advmon32.exe<----file
c:\windows\system32\sysint16.exe<----file
c:\windows\system32\videocntl.exe<----file

C:\Program Files\Video1<----folder
C:\Documents and Settings\Æåíÿ\Application Data\Mra<----folder
C:\Program Files\VBouncer<----folder

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Reboot normally after doing the above, rescan with hijackthis, then post that log here please.

Go here to TrendMicro for an on-line scan & set it to autoclean for you.

Try this scan at Panda as well.

Crunchie!
Thanks a lot for a quick answer!

Hi!
I did all that you adviced me.
This is the result:

Logfile of HijackThis v1.98.2
Scan saved at 15:45:51, on 08.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\SYSTEM\Mra.EXE
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\system32\qttask.exe
C:\windows\system32\sysflg32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Paltalk\pnetaware.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nana.co.il/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Mra] C:\WINDOWS\SYSTEM\Mra.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [Sysflg32] c:\windows\system32\sysflg32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Mail.Ru Agent - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\WINDOWS\SYSTEM\Mra.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5B132B38-9E37-4D05-B8D6-A274C32D5234} - http://mnb.validbox.com/ActiveX_DownloadAndRun_0.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {E9790C6C-DCAA-4E4F-8048-FFEC3B62DFED} (VOGWeb2 Class) - http://engine.vogclub.com/activex/vogweb29.cab

Thanks!

You need to update hijackthis to version 1.99. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by opening the program, going to config\misc tools, then uninstall & exit. You then have to delete the file manually. Unzip the new version into the hijackthis folder.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

O4 - HKLM\..\Run: [Mra] C:\WINDOWS\SYSTEM\Mra.EXE
O4 - HKLM\..\Run: [Sysflg32] c:\windows\system32\sysflg32.exe

Download the Pocket KillBox
Unzip the file to your desktop.
Open TheKillbox.

Select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\SYSTEM\Mra.EXE

It will prompt you to reboot, press the NO button. Instead, copy and paste the following and click the 'Delete File' button again:

c:\windows\system32\sysflg32.exe

On the next prompt to reboot, do so. Post another log when back in your system.

Hi!
In hijackthis scan wasn't the following line:

O4 - HKLM\..\Run: [Sysflg32] c:\windows\system32\sysflg32.exe

I rebooted after C:\WINDOWS\SYSTEM\Mra.EXE ,as it was inpossible to do so after pasting "c:\windows\system32\sysflg32.exe".

This is the last logfile:

Logfile of HijackThis v1.99.0
Scan saved at 22:52:16, on 11.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system32\scopedll.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Paltalk\pnetaware.exe
C:\WINDOWS\System32\svchost.exe
E:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nana.co.il
F3 - REG:win.ini: run=c:\windows\system32\scopedll.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [Scopedll] c:\windows\system32\scopedll.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Scopedll] c:\windows\system32\scopedll.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Mail.Ru Agent - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\WINDOWS\SYSTEM\Mra.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5B132B38-9E37-4D05-B8D6-A274C32D5234} - http://mnb.validbox.com/ActiveX_DownloadAndRun_0.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {E9790C6C-DCAA-4E4F-8048-FFEC3B62DFED} (VOGWeb2 Class) - http://engine.vogclub.com/activex/vogweb29.cab
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Thank you!!! :)

In another trial I found the "...sysflsg32.exe...". Killbox can't delete it!
After verifying registry, instead of rebooting, appeared following message:
"PendingFileRenameOperations Registry Data has been removed by External Process".

What do you think about?

Thanks again!!! :)

Open Task Manager & end process on the following:
scopedll.exe

Go to C:\windows\system32 and delete the file manually.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

F3 - REG:win.ini: run=c:\windows\system32\scopedll.exe

O4 - HKLM\..\Run: [Scopedll] c:\windows\system32\scopedll.exe
O4 - HKCU\..\Run: [Scopedll] c:\windows\system32\scopedll.exe

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab
VirTool.Win32.Collector

Download, install and keep updated, Spywareblaster from www.javacoolsoftware.com to help keep your system clean.

Reboot after doing the above, rescan with hijackthis, then post that log here please.