WIN32:TROJAN-GEN. {UPX!} || HELP ME!

I have the WIN32:TROJAN-GEN. {UPX!} virus and I tried to delete it and it says I can’t.I tried to repair ti and ti says I cant.Hoe do I get it off?

Give us the exact name and folder where avast finds it. Noramally it is enough to start windows in safe mode, delete the file there and clean in the registry the references to the file.

ok yesterday it said it found it in my rundll.exe then it found it in winrun~1.exe and this morning it found it in trz20.tmp.help!

There is no filename rundll.exe existing under Windows(systemfiles) so maybe a Hijackthis log or an onlinescanner maybe usefull here:

Posting a hijackthis log: http://www.tomcoyote.org/hjt/
Download then unzip the file and double click on the “HijackThis” icon.
When finished loading click on the “Scan button”.
Next click on the “Save Log” button. Save the log somewhere you will remember and open the log file with notepad. Then copy the contents and paste them in a reply to be checked.

A good Onlinescanner: http://www.rav.ro/scan/indexie.php

Logfile of HijackThis v1.97.7
Scan saved at 12:37:52 PM, on 12/14/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ResChanger XP\ResChangerXP.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\WINNT\mwsvm.exe
C:\WINNT\dnjjnepj.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\System32\qbefdvis.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE
C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE
C:\program files\steam\steam.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\hix\mirc.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Acceleration Software\Anti-Virus\defscangui.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\0JO7Y1QX\hijackthis[1]\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=F838C34A-295C-4D15-862F-2F0E76A7E3EA&version_id=18
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.sqwire.com/homepage.php?aid=975
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINNT\ieasst.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:“Keyboard Preload Check”
O4 - HKLM..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM..\Run: [AdaptecDirectCD] “C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 - HKLM..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM..\Run: [MoneyStartUp10.0] “C:\Program Files\Microsoft Money\System\Activation.exe”
O4 - HKLM..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM..\Run: [Shell32] WinRundll.exe
O4 - HKLM..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM..\Run: [WinampAgent] “C:\Program Files\Winamp3\winampa.exe”
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [ResChangerXP] C:\Program Files\ResChanger XP\ResChangerXP.exe
O4 - HKLM..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
O4 - HKLM..\Run: [absr] C:\WINNT\mwsvm.exe
O4 - HKLM..\Run: [ldvkpjby] C:\WINNT\dnjjnepj.exe
O4 - HKLM..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM..\Run: [POINTER] point32.exe
O4 - HKLM..\Run: [qbefdvis] C:\WINNT\System32\qbefdvis.exe
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
O4 - HKLM..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKCU..\Run: [Shell32] WinRundll.exe
O4 - HKCU..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU..\Run: [Steam] “c:\program files\steam\steam.exe” -silent
O4 - HKCU..\Run: [MoneyAgent] “C:\Program Files\Microsoft Money\System\Money Express.exe”
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra ‘Tools’ menuitem: &FlashGet (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} (AxOOdlz Class) - http://www.stop-sign.com/pub/download/stop-sign_scn.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37412.8417824074
O16 - DPF: {A4509D9F-B2A1-4AB4-A410-7520F1C79C4E} (ClientYahoo Control) - http://kr.chat.yahoo.com/ECCHAT/ClientYahoo.cab
O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatearena.com/UAClientControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

also this morning i woke up and it says the virus was now detecting in my trz20.tmp file

Puh! Your Log contains many Spy and Adware, okay we will see what will happen after fixen all these with Hijackthis:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=F838C34A-295C-4D15-862F-2F0E76A7E3EA&version_id=18
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.sqwire.com/homepage.php?aid=975
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINNT\ieasst.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM..\Run: [Shell32] WinRundll.exe
O4 - HKLM..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
O4 - HKLM..\Run: [absr] C:\WINNT\mwsvm.exe
O4 - HKLM..\Run: [ldvkpjby] C:\WINNT\dnjjnepj.exe
O4 - HKLM..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM..\Run: [qbefdvis] C:\WINNT\System32\qbefdvis.exe
O4 - HKLM..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
O4 - HKLM..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKCU..\Run: [Shell32] WinRundll.exe
O4 - HKCU..\Run: [Steam] “c:\program files\steam\steam.exe” -silent
O4 - HKCU..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} (AxOOdlz Class) - http://www.stop-sign.com/pub/download/stop-sign_scn.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37412.8417824074
O16 - DPF: {A4509D9F-B2A1-4AB4-A410-7520F1C79C4E} (ClientYahoo Control) - http://kr.chat.yahoo.com/ECCHAT/ClientYahoo.cab
O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatearena.com/UAClientControl.ocx
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

Make a restart after fixing it.

I see that you made a “housecall” and a “Pandascan”. Please use the mentioned RAV Onlinescan too, it is more reliable than the other two(IMO) Please post after this a new fresh log.

I see that you made a "housecall" and a "Pandascan". Please use the mentioned RAV Onlinescan too, it is more reliable than the other two(IMO) Please post after this a new fresh log.]I see that you made a "housecall" and a "Pandascan". Please use the mentioned RAV Onlinescan too, it is more reliable than the other two(IMO) Please post after this a new fresh log.

RAV is quitting the antivirus business and trend has scored better in virus builiten test than RAV!!! >:(

on those things do I delete those or what?what exactly do you mean by fix?

i MIGHT ALSO ADD THAT THE WAY i GOT TEH TROJAN WAS I WAS TRYING TO DOWNLAOD LORD OF THE RINGS 3 OFF IRC AND i’M 99.9% SURE THATS WHERE I GOT IT FROM!

Hijackthis offers the optio to fix the things it finds by mark the objects and press “fix”. “fix checked” is located next to te scan button.

Trend is not bad, but you will see that RAV is better in finding these Malware. Trend is week in finding Trojans and Packed(upx/aspack and so on) Malware.

…and yes i wanted to provoke you a bit! :wink:

i MIGHT ALSO ADD THAT THE WAY i GOT TEH TROJAN WAS I WAS TRYING TO DOWNLAOD LORD OF THE RINGS 3 OFF IRC AND i'M 99.9% SURE THATS WHERE I GOT IT FROM!

So instead of ‘Return of the King’ it was rather ‘Return of the Trojan’, right? :o

.....and yes i wanted to provoke you a bit!
Grrrrrrr.... Oh well. Ill get over it. 8)

after i have dleted those things what do I do next?

Make a restart and post a new log.

:-[ HELLO, IM KIZZY! FROM VENEZUELA, IVE GOT THE SAME Win32:Trojan-gen WORM ON MY COMPUTER, AND I THINK I GOT IT FROM THAT LORD OF THE RING 3 (TRAILER) TOO!! :‘( :’( :cry: I HAVE NO IDEA WHAT TO DO??? !!! I TRIED TO READ WHAT YOU SAID TO THE OTHER PERSON THAT HAD IT, BUT THIS IS THE 1ST TIME THIS HAPPENS TO ME… AND ITS A LITTLE BIT COMPLICATED :-[ :-[ :-[ COULD YOU GUYS HELP ME??? ??? ??? ???

Please do that what was written on page 1 on this thread, make an onlinescan and/or post a hijackthis log.

Logfile of HijackThis v1.97.7
Scan saved at 10:33:22 a.m., on 16/12/2001
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\Archivos de programa\Archivos comunes\CMEII\CMESys.exe
C:\Archivos de programa\Música\Winamp\winampa.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\program files\Webdialer\od-shma33.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\Archivos comunes\GMT\GMT.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\ARCHIV~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\Kizzy\Escritorio\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=69362
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=69362
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=69362
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\ARCHIV~1\ARCHIV~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Archivos de programa\ISTbar\istbar.dll (file missing)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\ARCHIV~1\ARCHIV~1\Real\Toolbar\realbar.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [Disc Detector] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM..\Run: [AHQInit] C:\Archivos de programa\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM..\Run: [AudioHQ] C:\Archivos de programa\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM..\Run: [QuickTime Task] “C:\Archivos de programa\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [CMESys] “C:\Archivos de programa\Archivos comunes\CMEII\CMESys.exe”
O4 - HKLM..\Run: [IST Service] C:\Archivos de programa\ISTsvc\istsvc.exe
O4 - HKLM..\Run: [Power Scan] C:\Archivos de programa\Power Scan\powerscan.exe
O4 - HKLM..\Run: [AttuneClientEngine] C:\ARCHIV~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM..\Run: [CorelCorelDRAW10 Reminder] “C:\Archivos de programa\Corel\Graphics10\Register\NAVBrowser.exe” /r /i “C:\Archivos de programa\Corel\Graphics10\Register\NavLoad.ini”
O4 - HKLM..\Run: [WinampAgent] “C:\Archivos de programa\Música\Winamp\winampa.exe”
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [avast!] C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU..\Run: [od-shma33] c:\program files\Webdialer\od-shma33.exe -m
O4 - HKLM..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://start.online-dialer.com/MaConnect.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} (Installer2 Class) - http://download.mediacharger.com/swimsuitnetwork.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/es/SysWebTelecom.cab
O17 - HKLM\System\CCS\Services\Tcpip..{06E44AF3-7F44-4A5E-A634-3CDD4F73F593}: NameServer = 200.35.65.3 200.35.65.4
O17 - HKLM\System\CS1\Services\Tcpip..{06E44AF3-7F44-4A5E-A634-3CDD4F73F593}: NameServer = 200.35.65.3 200.35.65.4

WAITING FOR YOUR HELP… THIS IS SO NEW FOR ME :stuck_out_tongue: ;D :wink:

First of all yyour windows is not up to date, update it by using www.windowsupdate.com.
Second you are “infected” with coolwebsearch Hijacker Infos and a Fix can be found here: http://www.merijn.org/cwschronicles.html

Let the following things “fix” using Hijackthis:
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\ARCHIV~1\ARCHIV~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Archivos de programa\ISTbar\istbar.dll (file missing)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\ARCHIV~1\ARCHIV~1\Real\Toolbar\realbar.dll
O4 - HKLM..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM..\Run: [CMESys] “C:\Archivos de programa\Archivos comunes\CMEII\CMESys.exe”
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU..\Run: [od-shma33] c:\program files\Webdialer\od-shma33.exe -m
O4 - Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://start.online-dialer.com/MaConnect.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} (Installer2 Class) - http://download.mediacharger.com/swimsuitnetwork.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/es/SysWebTelecom.cab

Post a new log after you have done all of these.

Please turn of your Shift/caps lock. You do not need to shout here! :wink:

1st. About updating my windows, i went to the windownsupdate website but when i clik on: look for updates (in spanish: buscar actualizaciones) it says that windowns update found an error so, i cant update it… :-
2nd. About what you said: about being infected with coolwebsearch Hijacker Info, is this mean that i have to do a whole other process in this other website you refer me to:
http://www.merijn.org/cwschronicles.html What exactly do you mean when you say that I can find the Fix there?
3rd. Here is the new Log after i fixed the files you indicated:

Logfile of HijackThis v1.97.7
Scan saved at 11:43:45 a.m., on 16/12/2001
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\Archivos de programa\Archivos comunes\CMEII\CMESys.exe
C:\Archivos de programa\Música\Winamp\winampa.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\program files\Webdialer\od-shma33.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\Archivos comunes\GMT\GMT.exe
C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\ARCHIV~1\WINZIP\wzqkpick.exe
C:\ARCHIV~1\ICQ\Icq.exe
C:\Documents and Settings\Kizzy\Escritorio\hijackthis\HijackThis.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Windows NT\Accesorios\wordpad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=69362
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=69362
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=69362
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [Disc Detector] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM..\Run: [AHQInit] C:\Archivos de programa\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM..\Run: [AudioHQ] C:\Archivos de programa\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM..\Run: [QuickTime Task] “C:\Archivos de programa\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [IST Service] C:\Archivos de programa\ISTsvc\istsvc.exe
O4 - HKLM..\Run: [Power Scan] C:\Archivos de programa\Power Scan\powerscan.exe
O4 - HKLM..\Run: [AttuneClientEngine] C:\ARCHIV~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM..\Run: [CorelCorelDRAW10 Reminder] “C:\Archivos de programa\Corel\Graphics10\Register\NAVBrowser.exe” /r /i “C:\Archivos de programa\Corel\Graphics10\Register\NavLoad.ini”
O4 - HKLM..\Run: [WinampAgent] “C:\Archivos de programa\Música\Winamp\winampa.exe”
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [avast!] C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [Mirabilis ICQ] C:\ARCHIV~1\ICQ\ICQNet.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra ‘Tools’ menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{06E44AF3-7F44-4A5E-A634-3CDD4F73F593}: NameServer = 200.35.65.3 200.35.65.4
O17 - HKLM\System\CS1\Services\Tcpip..{06E44AF3-7F44-4A5E-A634-3CDD4F73F593}: NameServer = 200.35.65.3 200.35.65.4

Sorry about the caps… :smiley: