trojan horse keep appearing

My Avast home edition found a Win32:Delf-APJ trojan & Win32:Delf-BCN worm on on-access protection. I keep on deleting it, however it keeps on appearing. Can anyone help me to get rid of it for good? Thanks.

What was the infected file name, and where was it found, for example (C:\windows\system32\infected-file-name.xxx)?

There may be more than one element of this infection, one part restoring/downloading it again. If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode: Ewido anti-spyware if using winXP, or a-Squared free if using win98/ME.

What is your OS ?
What is your firewall ?

Thanks DavidR, my OS is Windows XP & the firewall is ZoneAlarm version 6.5.731.000. I am now trying to use the suggested software ewido to kill it forever. Cross my fingers and hope it works. Nevertheless, thanks to you for your help.

No problem, welcome to the forums.

Let us know how you get on and if you need more help.

DavidR, Ewido did find the culprit, but still, after quarantining & deleting it in safe mode, avast still reports it with a pop up every few minutes. I ended up using spyware catcher 2006 to defend against it. With ewido & spyware catcher loaded together I finally keep the worm & trojan at bay. I think it works because there has been no alert in 4 hours of testing. I hope it holds forever & I don’t get the pop up of detection by avast popping out in the middle of work.

When we ask where it is located it can help us to help you, especially if it keeps coming back; the location could be one that avast can’t deal with, e.g. the System Volume Information folder.

But did you run avast at boot-time or not? (Start avast! > Right click the skin > Schedule a boot-time scanning > Select for scanning archives > Boot)

DavidR the trojan & worms are in this folder
C:\Documents and Settings\Administrator\Local Settings\Temp\2.exe &
C:\Documents and Settings\Administrator\Local Settings\Temp\3.exe

Tech, I did run avast at boot-time but it still cannot find the trojan & worms. After the scan completes it loads into Windows XP, & after a few minutes surfing the web, avast alerts me again.

Now the com has survived for 2 days & I think it is holding, as no alert comes popping up. Thanks to the both of you for giving me help. I really appreciate it.

Now every time I boot up & load into Windows XP, my Windows Explorer opens by itself. Can you guys help me stop it from opening by itself? Thanks.

Interesting, hiding in the Administrator profile settings. Not sure if that shouldn’t be protected in some way so only the administrator can make changes, etc.

If you logged on as ‘The Administrator’ (or an account with admin rights) that really could give any malware unrestricted rights to wreak havoc?

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

I have seen this before where explorer opens and it is usually because there is a program that is trying to run and because it can’t be found explorer opens in that folder. The trick is finding what is trying to be found or run. So, using start, run, type msconfig, see if there is anything in the Startup tab that is flagged to start but no longer exists on the hard disk.

DavidR, please have a look at msconfig startup. I’ve checked it a few times & find the files are all found in their described locations. I only have these six startup programs. For avast & zonealarm I think it’s not the problem. As for the other four, I’ve seen them checked in the box before Windows Explorer automatically loaded every startup. Any hints to solve this problem? Thanks.

Hi Kahchoon:

"Holding them at bay" should only be a temporary solution; other than Avast, Ewido, SpyCatcher & Zone Alarm, what other security programs do you have on your computer?

Hi, Spiritsongs.
I’ve got spyware blaster, ad-aware se, spyware doctor, spybot search & destroy. I think that should be more than enough arsenal. If you have any good recommendations please let me know. Thanks.

@ kahchoon88
As I said, the trick is trying to find the cause; startup is just one possibility and the easiest to check. It was so long ago that I can’t recall the exact reason or how I resolved it. The only clue I had then was the folder that kept being opened. There are other programs like autoruns http://www.sysinternals.com/utilities/autoruns.html or codestuff starter http://CodeStuff.mirrorz.com; these give a listing of everything that runs at startup (much more than you see in the very basic Startup tab of msconfig).

For the future, Alt + the Print Screen key just copies the active window.

Hi kahchoon:

From the screenshot you posted, I noticed 2 "NvCpl"s which have the same "description" but slightly different "locations"; is there some reason BOTH do not have checkmarks!?

Of course having a P2P (BitComet) increases your risk of getting trojans & worms on your computer.

You have Javacoolsoftware's SpywareBlaster, but do NOT seem to have its "companion", namely SpywareGuard, available from: www.javacoolsoftware.com/spywareguard.html. However, I recommend you add this program ONLY AFTER the trojan(s)/worm(s) are removed.

It seems you have reached the point that you should have some malware Expert(s) assist you in removing the trojan(s)/worm(s), and they are usually found on antiSPYWARE forums; since you have Ad-Aware, I recommend the Ad-Aware oriented forums at: www.landzdown.com. Such Experts usually want to see a log from the "HijackThis" program, so download HijackThis (© Merijn) from: http://www.thespykiller.co.uk/files/HJTsetup.exe.

Note: This is a complete installer that installs HijackThis to your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut. If HijackThis is used from a temp folder, it is in danger of being accidentally deleted by clean up tools.

At the download prompt, choose “Save”. After the download is complete, navigate to the C:\Program Files\HijackThis folder and double-click it to complete the installation.

They have knowledge of and make use of special programs to remove the worst type of malware from people’s computers.

Spiritsongs
I do not know the function of the 2 "NvCpl"s, therefore let me know what they are. Are they important? As for the recommendation, thanks a lot, I will try them out.

DavidR
I used autoruns & it gave me a lot of detailed things running behind the scenes of Windows XP. Can you help me pinpoint what I should look for to disable Windows Explorer loading after startup? Thanks

You aren’t trying to disable explorer load after startup but the program call that is responsible.

Unfortunately there is no easy way to find this, and effectively the only clue you have is the folder that is opened in explorer; it really is like looking for a needle in a haystack. So whatever it is, it will be something that runs on startup from that folder. You haven’t stated what folder is opened when explorer loads?

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3

Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis let us know.

It may show something that is set to start from that folder, but you are almost checking both autoruns and hijackthis line by line.

DavidR
I can’t seem to find the file related to the My Documents folder. Can you please have a look at my HijackThis log file to check? Thanks

Well, I can’t see anything for the C:\Documents and Settings\UserName\My Documents folder, if that is the location that is open in explorer when it loads.

I don’t know anything about the Symantec Settings Manager, or if there is anything in there that would preserve settings that may be opening the My Documents folder.

Sorry I can’t be more of a help, finding these things is tricky and time consuming.

Hi kahchoon88,

These two entries in your HijackThis! log are very suspicious:

O23 - Service: Window Services Pack Install (Spullepdsvc) - Unknown owner - C:\Program Files\Common Files\xbnz000.exe (file missing)

O23 - Service: Window Services Pack Installe (Spullerpdsvc) - Unknown owner - C:\Program Files\Common Files\spupdsvc.exe (file missing)

The fact that HijackThis! reports the files missing does not always mean the service is not running. (The avast! services run even though the file is reported as missing.)

Please follow these instructions to check for the suspicious services and stop them:

Click "Start" > "Run" and type "Services.msc" (without quotes) then hit "Ok".
Click the "Extended" tab.
Scroll down and find the services called Spullepdsvc and Spullerpdsvc.
Click once on the services to highlight them.
Click "Stop".
Right-click on the service.
Click on "Properties".
Select the "General" tab.
Click the arrow-down tab on the right-hand side of the "Start-up Type" box.
From the drop-down menu, click on "Disabled".
Click "Apply", then "OK".

Now you will want to delete the services:

Open HijackThis.
Click on the “Open Misc. tools section” button.
Click on the “Delete an NT service” button.
Type Spullepdsvc in the space provided and click OK.
Repeat for Spullerpdsvc.

The program will ask you to reboot. Accept.

Try scanning with Ewido again and with these services disabled it may be able to delete the malware.

The following entry also contains a suspicious double entry:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe

Follow these instructions to correct it:

Run regedit and navigate to:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In there, there should be a value (on the right hand side of the screen) called Userinit.

The data for this value is probably something similar to:

C:\windows\system32\userinit.exe,C:\windows\system32\userinit.exe,

If you do see a duplicated string in there similar to the above - simply double click on the Userinit value and edit the data so as to delete everything to the right of the first comma (,). In the case above you would leave only:

C:\windows\system32\userinit.exe,

After that I suggest you reboot into safe mode and run scans with Ewido, Ad-Aware, Spybot etc.

Good luck!
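A small triage script for the two kinds of log entry this post calls out (O23 services with an unknown owner and a missing file, and an F2 UserInit line with more than one program in it), added here as an example and not part of the thread or of HijackThis itself. The sample log lines are constructed from the entries quoted above, and the regexes assume the HijackThis 1.99.1 line layout shown in them.

```python
import re

# Constructed sample HijackThis log lines (not the thread's real log), modelled on the
# O23 and F2 entries quoted above; the avast line stands in for a legitimate service.
SAMPLE_LOG = r"""
O23 - Service: avast! Antivirus (avast! Antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Window Services Pack Install (Spullepdsvc) - Unknown owner - C:\Program Files\Common Files\xbnz000.exe (file missing)
O23 - Service: Window Services Pack Installe (Spullerpdsvc) - Unknown owner - C:\Program Files\Common Files\spupdsvc.exe (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
"""

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$")
# On XP, Userinit should hold exactly one entry: system32\userinit.exe (a trailing comma is normal).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

def check_userinit(value):
    """Reasons the UserInit data looks wrong (empty list = normal). Anything after the
    first comma is an extra program Winlogon runs at every logon."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    reasons = []
    if len(parts) > 1:
        reasons.append("extra UserInit entries: " + ", ".join(parts[1:]))
    if not parts or parts[0].lower() != EXPECTED_USERINIT:
        reasons.append("first UserInit entry is not " + EXPECTED_USERINIT)
    return reasons

def triage(log_text):
    """Walk a HijackThis log and return a dict per entry that deserves a closer look."""
    hits = []
    for line in log_text.splitlines():
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m.group("owner") == "Unknown owner":
                reasons.append("unknown owner")
            if m.group("missing"):
                reasons.append("file missing")
            # "file missing" alone can be the HJT 1.99.1 hiccup the thread mentions for
            # avast, so an O23 line is reported only when the owner is unknown as well.
            if "unknown owner" in reasons:
                hits.append({"kind": "O23", "id": m.group("short"),
                             "path": m.group("path"), "reasons": reasons})
            continue
        m = F2_RE.match(line)
        if m and check_userinit(m.group("value")):
            hits.append({"kind": "F2", "id": "UserInit", "path": m.group("value"),
                         "reasons": check_userinit(m.group("value"))})
    return hits
```

Run it over a saved log with `triage(open("hijackthis.log").read())`; the service short names it returns are the ones to look up in Services.msc, and the UserInit path is the value to compare against the registry as described above.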

Hi Kahchoon:

The 2 "NvCpl" refer, as best I know, to the Nvidia drivers on your computer; I am far from being an expert on this, but recommend you put checkmarks into BOTH in your MsConfig Startup menu. If you have any (further) adverse "reaction", you can always go back and "uncheck" the "2nd" one.

I saw on your HijackThis log a seriously "old" version of Sun Java, & this is a serious security issue; would recommend you uninstall it, if possible, & if successful, go to: www.majorgeeks.com/download4648.html to download the latest version. Some have had "trouble" there & if that happens to you, then go to: www.java.com/en & get their latest, which last I saw is NOT actually their latest.

P.S. Probably would be wise to uninstall the Symantec "Settings Manager"!? Their products cause quite a few problems.