Trojano-213

Hi! New here & looking for advice - avast shows an infection of Win32:Trojano-213, located in C:\WINNT\UnstaSA2. I have read the advice at the top of this forum :slight_smile: and have run Ad-aware, Spybot, Trend Micro, Kaspersky, Symantec - none report the infection.

My system is Win2k, SP4, with all updates. Sygate firewall, all updates applied. I found the file and ran avast specifically on that file - avast again reports the trojan. This file's properties page has nothing on it except a version #, file name, and creation date of May 25, 2004.

Here is my HiJackThis file:

Logfile of HijackThis v1.97.2
Scan saved at 3:05:31 PM, on 7/4/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\system32\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINNT\system32\gtablet.exe
C:\WINNT\system32\gtab.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\program files\quicktime\qttask.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Palm\AlarmApp.exe
C:\Program Files\AT&T Wireless\AT&T Wireless Sync\Voxsync.exe
C:\Program Files\Palm\HOTSYNC.EXE
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Documents\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [Gtablet] C:\WINNT\system32\gtablet.exe
O4 - HKLM..\Run: [tabscr] C:\WINNT\system32\gtab.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU..\Run: [Reminder] C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: AT&T Wireless Sync.lnk = C:\Program Files\AT&T Wireless\AT&T Wireless Sync\Voxsync.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38074.6488541667
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

Hello-
By chance, do you have a Yamaha sound card?
-max

O4 - HKLM..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
-ViewMgr (VIEWMGR.EXE)

this seems to be bad…

O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O4 - HKLM..\Run: [Gtablet] C:\WINNT\system32\gtablet.exe
O4 - HKLM..\Run: [tabscr] C:\WINNT\system32\gtab.exe

→ Is this stuff known/wanted?

I didn't find anything about "UnstaSA2" via Google, which is not an indication that it's useful/needed…
What software do you have running/installed apart from the usual stuff?

→ You might want to send the file to virus@avast.com and ask for analysis…

:wink:

madmax - I don't believe that the sound card is a Yamaha - it is embedded on the MB, and named VIA AC'97 Audio Controller (WDM).

whocares -

  1. gtablet.exe is for a drawing tablet (hardware), so that is OK.

  2. Viewpoint is a search bar from yahoo.com (it only shows up in IE, which I only use when I have to, as for Windows Update).

  3. When I typed "UnstaSA2" into Google, my computer shut down! I assume that happened because I have the file?? Maybe not??

  4. As far as software, here is a list of startup programs:

System Information report written at: 07/04/2004 07:05:10 PM
[Startup Programs]

Program Command
HotSync Manager c:\progra~1\palm\hotsync.exe Startup
msnmsgr "c:\program files\msn messenger\msnmsgr.exe" /background HKU\S-1-5-21-73586283-1677128483-1343024091-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Reminder c:\program files\microsoft money\system\reminder.exe HKU\S-1-5-21-73586283-1677128483-1343024091-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Yahoo! Pager c:\program files\yahoo!\messenger\ypager.exe -quiet HKU\S-1-5-21-73586283-1677128483-1343024091-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AIM c:\progra~1\aim\aim.exe -cnetwait.odl HKU\S-1-5-21-73586283-1677128483-1343024091-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Alarm Manager c:\progra~1\palm\alarmapp.exe Common Startup
Synchronization Manager mobsync.exe /logon HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon rundll32.exe c:\winnt\system32\nvcpl.dll,nvstartup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
POINTER c:\program files\microsoft hardware\mouse\point32.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AtiPTA atiptaxx.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz nwiz.exe /install HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
blspcloader "c:\program files\bellsouth internet tools\blsloader.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avast! c:\progra~1\alwils~1\avast4\ashdisp.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ashMaiSv c:\progra~1\alwils~1\avast4\ashmaisv.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Gtablet c:\winnt\system32\gtablet.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
tabscr c:\winnt\system32\gtab.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched c:\program files\java\j2re1.4.2_04\bin\jusched.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinampAgent "c:\program files\winamp3\winampa.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adaptec DirectCD c:\progra~1\adaptec\directcd\directcd.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BellSouthSyn c:\program files\bellsouth\application center\bsnappcenter.exe /synchronize HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BellSouthScheduler c:\program files\bellsouth\application center\bsnappcenter.exe /scheduler HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ViewMgr c:\program files\viewpoint\viewpoint manager\viewmgr.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SmcService c:\progra~1\sygate\spf\smc.exe -startgui HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task "c:\program files\quicktime\qttask.exe" -atboottime HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CreateCD c:\progra~1\adaptec\easycd~1\createcd\createcd.exe -r HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

:slight_smile:

Found more info about the file:

http://www.a2zhelp.com/products/pcspy/

Looks like spyware to me

:slight_smile:

Sandra-
Have you tried to just delete it to the Recycle Bin?
To stop the shutdown, type shutdown -a in Start/Run.
If that doesn't work, create a file on your desktop called stayon.bat
using Notepad:

@echo off
:loop
shutdown -a
goto loop

-max

madmax, thank you! I took your advice and deleted the file with no problems. I did not want to delete a file that was important to the OS, so thanks again for helping me to work through this.

I am rescanning with avast, just to make sure.

:slight_smile: Sandra

Hi All,
We are the ones at Kalptaru Infotech Ltd. http://www.a2zhelp.com.
Lately we have been receiving a lot of heat because somebody is using our name in their software, distributing it and annoying users all across the internet.
We have finally compiled a list of methods by which you can remove all these files from your PC. Please have a look at the article at http://www.a2zhelp.com/removeapp.asp

Secondly, this is for Sandra2613 and others who mentioned PC Spy:
PC Spy is key-logging software that the user installs on their PC to monitor keystrokes and watch screenshots. This product has not yet been released, hence this software cannot be present on a user's PC.

Regards

Thank you for your response to my problem. Hope you have good luck in tracking down the person(s) responsible.

Sandra

Help, I have the Win32:Trojano-123 virus in my C:\temp files. I don't know what to do and am not computer smart. I have tried to clean, delete, repair, but it says it is unable to do this. I have already tried going into Disk Cleanup but it still remains. What should I do?
Thanks
Cindy

Hi Cindy,

welcome on board… :slight_smile:

please read the link "VirusRemoval" below, and then come back with more info:

  • which Windows version you use
  • exact location/folder/name of the trojan file
  • maybe results of online scanners
  • HijackThis log

What happens if you move/delete the file after booting in Safe Mode, or via a boot-time scan with avast?
:wink:

Okay, I have something of the same problem here… I keep getting, at least once a day, this stupid Trojano-213 virus, something to the extent that Cindy does… where it puts a temp folder in my C drive… I usually delete it, then restart with a boot scan… I have installed a firewall, thinking that might help stop the problem, but the virus just keeps on coming back…

Giving more details like what Windows version and what avast version would be very nice :smiley: That way we can give better/more specific help. In the meantime, click on the link in my signature and read how pros deal with infected systems. Big mouth, me? Perhaps, but after working with comps for over 24 years and being the owner of two companies (both comp related) I believe I am entitled to say so ;D

Good luck, and post any problems you encounter here.

Info from the HijackThis program…

Logfile of HijackThis v1.98.0
Scan saved at 3:37:02 AM, on 1/13/2002
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS3\System32\smss.exe
C:\WINDOWS3\system32\winlogon.exe
C:\WINDOWS3\system32\services.exe
C:\WINDOWS3\system32\lsass.exe
C:\WINDOWS3\system32\svchost.exe
C:\WINDOWS3\System32\svchost.exe
C:\WINDOWS3\system32\spoolsv.exe
C:\WINDOWS3\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\WindUpdates\WinKA.exe
C:\WINDOWS3\system32\AvidSDMService.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS3\System32\nvsvc32.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\WINDOWS3\System32\ctfmon.exe
C:\WINDOWS3\System32\owncfh.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\WINDOWS3\System32\svchost.exe
C:\Downloads\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=2484
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral.cc/index.php?v=4&aff=2484
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onestepfilms.net/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {1CFD3A75-E168-0DE9-8623-63550EA27B3E} - C:\WINDOWS3\System32\tqvu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS3\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS3\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS3\UpdReg.EXE
O4 - HKLM..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS3\system32\NeroCheck.exe
O4 - HKLM..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM..\RunServices: [MSN Update] dllcon.exe
O4 - HKLM..\RunServices: [Microsoft Update Machine] lmrss.exe
O4 - HKLM..\RunOnce: [tlc] C:\WINDOWS3\update13.js
O4 - HKCU..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS3\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=5515fe605c52658b09a2d8f8784291e01d242c98fad134389acefa3cb0f9ce15fea9eafe13e208c45d4551a46272ed56a280b8c6901fb4898fecf364b6d6:28e9b69987bf58e8942c5c6546c7d1fb
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

And there is that WebRebates thing there, which I can never figure out where it came from, as well…

As I thought. Many harmful things there. Copy/paste the log here and remove all harmful things; after that, run HJT again and use the analyzer that you can download from the site in my signature and remove everything it reports to be removed. Let me (us) know when you have done so and what the remaining problems are.
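The advice in this thread amounts to reading an HJT log and picking out the entries that do not belong: autoruns that name a bare file with no path under a vendor-sounding name, an unnamed BHO sitting in System32, a RunOnce that launches a .js file, start/search pages pointing at a third-party site, ActiveX downloads from unknown hosts, and "(no file)" leftovers. The script below is an added example of doing that triage mechanically; it is not HijackThis code and not from anyone in this thread. The sample log lines are constructed to mirror the ones posted above, and the trusted-domain list is an assumption you would fill with the sites you actually use. It only raises items for a person to review; it does not decide that anything is malicious.

```python
"""Triage a HijackThis (HJT) log: parse the entry lines and flag the items a
human should review first.  Added example, not HijackThis code."""
import re
from dataclasses import dataclass

# Assumption (constructed list): domains the machine's owner regards as trusted
# sources for start pages, search pages and ActiveX (O16) downloads.
TRUSTED_DOMAINS = ("microsoft.com", "macromedia.com", "symantec.com", "trendmicro.com")
# Directory fragments that identify the Windows system tree in a lowercased path.
SYSTEM_DIR_MARKERS = ("\\winnt\\", "\\windows\\", "\\windows3\\", "\\system32\\")
# Script types that should not normally be launched from a Run/RunOnce key.
SCRIPT_EXTS = (".js", ".vbs", ".bat", ".cmd")

# Constructed sample log, modelled on the entries posted in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=2484
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onestepfilms.net/
O2 - BHO: (no name) - {1CFD3A75-E168-0DE9-8623-63550EA27B3E} - C:\WINDOWS3\System32\tqvu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM..\RunServices: [MSN Update] dllcon.exe
O4 - HKLM..\RunOnce: [tlc] C:\WINDOWS3\update13.js
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_REG_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - .*? = (?P<url>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>.*)$")


def executable_of(cmd):
    """Return the program part of an autorun command line, without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def host_of(url):
    """Lowercased host name of an http(s) URL, or "" if the value is not a URL."""
    m = re.match(r"https?://([^/?:#]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage_line(line):
    """Return a Finding for one HJT log line, or None if nothing stands out."""
    line = line.rstrip()
    if line.endswith("(no file)"):
        return Finding("low", "orphaned entry: registered component is no longer on disk", line)
    m = O2_RE.match(line)
    if m:
        path = m.group("path").lower()
        if m.group("name") == "(no name)" and any(s in path for s in SYSTEM_DIR_MARKERS):
            return Finding("high", "unnamed browser helper object loaded from a system directory", line)
        return None
    m = O4_REG_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        if exe.lower().endswith(SCRIPT_EXTS):
            return Finding("high", f"script launched from the {m.group('key')} key", line)
        if "\\" not in exe and ":" not in exe:
            return Finding("medium", "autorun by bare filename; the log does not show where it runs from", line)
        return None
    m = R_RE.match(line) or O16_RE.match(line)
    if m:
        host = host_of(m.group("url"))
        if host and not is_trusted(host):
            kind = "ActiveX download" if line.startswith("O16") else "browser start/search page"
            return Finding("medium", f"{kind} points at untrusted host {host}", line)
    return None


def triage(log_text):
    """All findings for a whole log, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the constructed sample this raises eight items: two high (the unnamed System32 BHO and the RunOnce .js), five medium (two bare-filename RunServices entries, the two hijacked IE pages and the third-party ActiveX download) and one low (the orphaned O9 button). Entries such as the avast autorun and the Spybot SDHelper BHO pass through untouched, which is the point of the heuristics: reduce a long log to the handful of lines worth a person's attention.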

I did it a couple of times, and this is what comes up now:

Logfile of HijackThis v1.98.0
Scan saved at 5:09:51 AM, on 1/13/2002
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS3\System32\smss.exe
C:\WINDOWS3\system32\winlogon.exe
C:\WINDOWS3\system32\services.exe
C:\WINDOWS3\system32\lsass.exe
C:\WINDOWS3\system32\svchost.exe
C:\WINDOWS3\System32\svchost.exe
C:\WINDOWS3\system32\spoolsv.exe
C:\WINDOWS3\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\WindUpdates\WinKA.exe
C:\WINDOWS3\system32\AvidSDMService.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS3\System32\nvsvc32.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\WINDOWS3\System32\ctfmon.exe
C:\WINDOWS3\System32\owncfh.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS3\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Downloads\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=2484
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral.cc/index.php?v=4&aff=2484
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onestepfilms.net/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {1CFD3A75-E168-0DE9-8623-63550EA27B3E} - C:\WINDOWS3\System32\tqvu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS3\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS3\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS3\UpdReg.EXE
O4 - HKLM..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS3\system32\NeroCheck.exe
O4 - HKLM..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM..\RunServices: [MSN Update] dllcon.exe
O4 - HKLM..\RunOnce: [tlc] C:\WINDOWS3\update13.js
O4 - HKCU..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS3\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe

Try using PestScan; I have a link to it on my site.
-max

I have been actively deleting this same virus about every other day (it was about 3 times a day). As soon as I go onto the web it pops up with the virus. I delete it but I don't know if it is really gone. I have been on the web for removal tools and it has worked, but it just keeps coming back. It was worse before, but since I have deleted temp files before going on the web it seems not to hit me as much. I now have it happening on my email as well. Sometimes worms, sometimes trojans. It is a big pain! >:(

Okay, I'm still getting this damned virus, and all these scanners tell me I have spyware even though I have two spyware programs… this is just getting out of hand…