trojan horse keep appearing

system · 2006-08-25T15:39:42.000Z

Hi kahchoon :

 From the screenshot you posted, I noticed 2 "NvCpl"s
 which have the same "description" but slightly different
 "locations"; is there some reason BOTH do not have
 checkmarks !? 
 Of course having a P2P ( BitComet ) increases your risk of
 getting trojans & worms on your computer .
 You have Javacoolsoftware's SpywareBlaster, but do NOT
 seem to have its "companion", namely SpywareGuard
 available from :
 www.javacoolsoftware.com/spywareguard.html .
 However, I recommend you add this program ONLY AFTER
 the trojan(s)/worm(s) are removed.
 It seems you have reached the point that you should
 have some malware Expert(s) assist you in removing the
 trojan(s)/worm(s), and they are usually found on
 antiSPYWARE forums; since you have Ad-Aware, I
 recommend the Ad-Aware oriented forums at :
 www.landzdown.com . Such Experts usually want to see
 a log from the "HijackThis" program, so download HijackThis (© Merijn) from:  http://www.thespykiller.co.uk/files/HJTsetup.exe  .

Note: This is a complete installer that installs HijackThis to your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut. If HijackThis is used from a temp folder, it is in danger of being accidentally deleted by clean up tools.

At the download prompt, choose “Save”. After the download is complete, navigate to the C:\Program Files\HijackThis folder and double-click it to complete the installation.

They have knowledge of and make use of special programs
to remove the worse type of malware from people’s
computers .

system · 2006-08-26T13:23:35.000Z

Spiritsongs
I do not know the function of the 2 "NvCpl"s therefore let me know what are they?? Are they important?? As for the recommendation thanks a lot i will try them out.

DavidR
I used autoruns & it gave me alot of detail things running behind the scene of window XP. Can you help me to pin point what should i look for to disable the window explorer load after startup. Thanks

DavidR · 2006-08-26T13:40:08.000Z

You aren’t trying to disable explorer load after startup but the program call that is responsible.

Unfortunately there is no easy way to find this and effectively the only clue you have is the folder that is opened in explorer, it really is like looking for a needle in a haystack. So what ever it is it will be something that runs on startup from that folder. You haven’t stated what folder is opened when explorer loads ?

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3

Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.

It may show something that is set to start from that folder, but you are almost checking both autoruns and hijackthis line by line.

system · 2006-08-26T14:07:36.000Z

DavidR
I cant seem to find the file related to the my documents folder. Can you please have a look at my Hijack this log file to check. Thanks

DavidR · 2006-08-26T15:19:30.000Z

Well I cant see anything for the C:\Documents and Settings\UserName\My Documents folder if that is the location that is open in explorer when it loads.

I don’t know anything about the Symantec Settings Manager if there is anything in there that would preserve settings that may be opening the My Documents folder.

Sorry I can’t be more of a help, finding these things is tricky and time consuming.

FreewheelinFrank · 2006-08-26T16:35:31.000Z

Hi kahchoon88,

These two entries in your HijackThis! log are very suspicious:

O23 - Service: Window Services Pack Install (Spullepdsvc) - Unknown owner - C:\Program Files\Common Files\xbnz000.exe (file missing)

O23 - Service: Window Services Pack Installe (Spullerpdsvc) - Unknown owner - C:\Program Files\Common Files\spupdsvc.exe (file missing)

The fact that HijackThis! reports the files missing does not always mean the service is not running. (The avast! services run even though the file is reported as missing.)

Pleas follow these instructions to check for the suspicious service and stop it:

Click "Start" > "Run" and type "Services.msc" (without quotes) then hit "Ok". Click the "Extended" tab. Scroll down and find the services called Spullepdsvc and Spullerpdsvc Click once on the services to highlight them. Click "Stop". Right-click on the service. Click on "Properties". Select the "General" tab. Click the Arrow-down tab on the right-hand side on the "Start-up Type" box. From the drop-down menu, click on "Disabled". Click "Apply", then "OK".
Now you will want to delete the services:

Open HijackThis.
Click on the “Open Misc. tools section” button.
Click on the “Delete an NT service” button.
Type Spullepdsvc in the space provided and click OK.
Repeat for Spullerpdsvc.

The program will ask you to reboot. Accept.

Try scanning with Ewido again and with these services disabled it may be able to delete the malware.

The following entry also contains a suspicious double entry:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe

Follow these instructions to correct it:

Run regedit and navigate to:
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon

In there there should be a value (on right hand side of screen) called Userinit.

The data for this value is probably something similar to:

C:\windows\system32\userinit.exe,C:\windows\system32\userinit.exe,

If you do see a duplicated string in there similar to the above - simply double click on the Userinit value and edit the data so as to delete everything to the right of the first comma (,). In the case above you would leave only:

C:\windows\system32\userinit.exe,

After that I sugest you reboot into safe mode and run scans with Ewido, Ad-Aware, Spybot etc.

Good luck!

system · 2006-08-26T17:53:16.000Z

Hi Kahchoon :

 The 2 "NvCpl" refer, as best I know, to the Nvidia Drivers
 on your computer; I am far from being an expert on this,
 but recommend you put checkmarks into BOTH in your
 MsConfig Startup Menu . If you have any ( further ) 
 adverse "reaction", you can always go back and 
"uncheck" the "2nd" one .
 I saw on your HijackThis log a seriously "old" version of
 Sun Java, & this is a serious security issue; would
 recommend you uninstall it, if possible, & if successful,
 go to : www.majorgeeks.com/download4648.html to
 download the latest version. Some have had "trouble"
 there & if that happens to you, then go to :
 www.java.com/en & get their latest, which last I saw is
 NOT actually their latest .

 P.S. Probably would be wise to uninstall the Symantec
"Settings Manager" !? Their products cause quite a few
 problems .

system · 2006-08-27T11:31:53.000Z

Hi Spiritsongs,
I’ve unistalled symantec products & updated java. Thanks for the advice.

Hi FreewheelinFrank,
I’ve follow your instruction
Click “Start” > “Run” and type “Services.msc” (without quotes) then hit “Ok”.
Click the “Extended” tab.
Scroll down and find the services called Spullepdsvc and Spullerpdsvc
I dont see it? I checked line by line to verify & nope its not there.

As for
Run regedit and navigate to:

HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon

In there there should be a value (on right hand side of screen) called Userinit.

The data for this value is probably something similar to:

C:\windows\system32\userinit.exe,C:\windows\system32\userinit.exe,

Here i did find C:\windows\system32\userinit.exe,userinit.exe

Is it the same? Newbie for me to mess the regedit. What does ths function do? Please tell me to improve knowledge ;D Thanks. After checking your reply & suggestions will update a hijackthis.log to verify again.

FreewheelinFrank · 2006-08-27T11:56:26.000Z

If the services are not there, you can delete the two entries in HijackThis!

O23 - Service: Window Services Pack Install (Spullepdsvc) - Unknown owner - C:\Program Files\Common Files\xbnz000.exe (file missing)

O23 - Service: Window Services Pack Installe (Spullerpdsvc) - Unknown owner - C:\Program Files\Common Files\spupdsvc.exe (file missing)

Run HijackThis! again and tick the entries then click ‘fix’.

Follow the advice to edit the duplicate entry:

If you do see a duplicated string in there similar to the above - simply double click on the Userinit value and edit the data so as to delete everything to the right of the first comma (,). In the case above you would leave only:
C:\windows\system32\userinit.exe,

The double entry is corrupted if not malicious. The syptoms you describe:

Now after every time boot up & loading into windows XP my windows explorer open by itself. Can you guys help me to stop it from opening by itself.

Are similar to those described here:

I'm not a computer newbie, but this is driving me insane. On reboot, My Documents folder opens.

http://www.techspot.com/vb/all/windows/t-21035-My-Documents-Folder-Opens-on-Boot-winxp-sp2.html

So fixing the double entry may cure it.

I also suggest clearing out all you temp files. CleanUp! is good for this:

http://www.stevengould.org/software/cleanup/

And of course you need to update Java as SpiritSongs spotted, and also update windows because your system is out of date which leaves it very vulnerable.

system · 2006-08-27T12:57:56.000Z

Thanks FreewheelinFrank
It did fix the window explorer. Great & very very thank you for your help :D.
I also deleted the two services.
Please check my hijackthis log for any more improvements. Thanks

DavidR · 2006-08-27T13:07:23.000Z

Good find on the techspot link Frank.

@ kahchoon88
I told you it is like trying to find a needle in a haystack ;D glad that explorer opening is at last resolved.

system · 2006-08-27T13:14:50.000Z

DavidR
It is finding a needle in a haystack. Now my com is normal again. Thanks again guys.

FreewheelinFrank · 2006-08-27T17:00:36.000Z

Glad that solved the problem!

You can have HijackThis! fix the following entries:

F2 - REG:system.ini: Shell=

O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)

The two service entries are back. I’d forgotten that HijackThis! won’t remove registry entries for services without using the Delete an NT Service feature.

You can delete them in this way:

Open HijackThis. Click on the "Open Misc. tools section" button. Click on the "Delete an NT service" button. Type Spullepdsvc in the space provided and click OK. Repeat for Spullerpdsvc.
The program will ask you to reboot. Accept.

I’m not sure if you can delete two services this way without rebooting in between.

Or from XP command prompt you can type:

sc delete Spullepdsvc

and repeat for the other service.

After that you need to update because your browser and OS are vulnerable:

http://www.windowsupdate.com/

Download every critical update. If you need to reboot, return after rebooting and check there are no more to download.

system · 2006-08-27T18:04:00.000Z

Hi kahchoon ( & Frank ) :

 Several days ago you said you "loaded" SpyCatcher, yet
 the ONLY place it shows up on your HijackThis log is the
"02" Entry that Frank recommended to be "fixed". Is this
 program ACTUALLY ON your computer  ?
 I ask because "0A87E45F-537A-40B4-B812-
 E2544C21A09F" is SpyCatcher's "Active Block" and 
 wonder if it should be "fixed" ( removed ) !?
 AND BEFORE getting XP SP2, make one last "sweep" of
 your antiSPYWARE program(s) and it would not hurt to
 see if any rootkits MAY BE on your computer by using the
 FREE RootkitRevealer from :
 www.sysinternals.com/Utilities/rootkitrevealer.html .
 As to Microsoft "critical" Updates : avoid KB 905474,
 known as the "Genuine Advantage Notification Tool"
 IF you have managed to NOT get it in the past .

FreewheelinFrank · 2006-08-27T21:33:39.000Z

..."02" Entry that Frank recommended to be "fixed". Is this program ACTUALLY ON your computer ? I ask because "0A87E45F-537A-40B4-B812-E2544C21A09F" is SpyCatcher's "Active Block" and wonder if it should be "fixed" ( removed ) !?

Awww… Don’t trust me?

Don’t worry, even “Microsoft Most Valued Professionals”, and those “malware experts” at AumHa have been known to recommend the same thing as poor ignorant meddling me:

http://www.windowsbbs.com/showthread.php?t=54987

http://forum.aumha.org/viewtopic.php?t=21244&sid=9dd2201d1ee7c112ef14e8722d7641c4

system · 2006-08-28T03:48:27.000Z

Hi Frank :

  The Aumha thread you quoted had "KB" provide the
  advise; there is no "Malware Expert", "MMVP" or
 "A.S.A.P" anywhere in his posts. His skill seems similar
  to yours !?
  However, I found a thread there where Expert
 "Robear Dyer" advised someone with SpyCatcher
 "Active Block" as a "02" Item that he did not recommend
  it be fixed; if interested, see :
  http://aumha.net/viewtopic.php?t=18812&highlight=spycatcher .

FreewheelinFrank · 2006-08-28T06:05:16.000Z

SpiritSongs,

The entry in the thread you link to is a very different kettle of fish:

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll

The entry I and the people at windowsbbs.com and forum.aumha.org suggested deleting was:

O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)

Can I respectfully suggest that if you are going to take issue with advice provided by a member of the forum, you address your concerns to the person giving the advice, rather than to the recipient?

Regards,

FwF.

system · 2006-08-28T13:43:12.000Z

Ah sorry guys i forgot to tell you guys that i uninstall spycatcher 2006. It cause my window xp to hang after loading with ewido. Guess you cant have 2 antispyware running like antivirus. Sorry :-[. Now that i unistalled spycather 2006, i guess i can deleted the entry
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file) Right?
Thanks anyways guys now i know that even uninstall a program still leave some entries in the registry.

By the way, guys can i really update windows cause some of my friends tell me if i you are not using a genuine windows xp to update you will get a message poping every 30 minutes telling you your not using a genuine one. (P.S. I am not using a genuine windows xp :-X). If i avoid this update
As to Microsoft “critical” Updates : avoid KB 905474,
known as the “Genuine Advantage Notification Tool”
will my window xp work? ???

FreewheelinFrank · 2006-08-28T16:25:36.000Z

In that case, maybe it’s not such a good idea… although it does leave you very vulnerable to infection.

I suggest you switch to Opera or Firefox straight away, because an old version of IE will be full of holes, and will expose you to auto-installing spyware.

I did read about a site where you can download Windows updates without the Genuine Advantage check, but I can’t remember where. Maybe you could Google for it and search the forum.

Maybe somebody will read this and post a link.

Glad you problem is solved, anyway.

EDIT: I think this was the site:

http://windizupdate.com/

NB: Requires Firefox

system · 2006-08-28T20:47:08.000Z

Hi kahchoon :

  How do you know your XP SP1 is NOT "genuine" ?
  Since Microsoft allegedly will stop "issuing" Updates for
  that OS after Oct 10, '06, you may be able to resolve
  any "genuineness" issue with Microsoft on the following
  Microsoft Support Forum :

 http://forums.microsoft.com/genuine/default.aspx?siteid=25 .

 I have heard they can be lenient if someone tells them
 the circumstances on HOW they got the computer !?
 Since we are talking Microsoft Updates, do you have
 KB 892130 ( Win Gen Advantage Validation Tool )
 currently on your computer ? As far as I know, this one
 does NOT cause any annoying popup "messages" ?

 P.S. Would be best to ask Microsoft on those forums
        BEFORE downloading the XP SP2; in fact, I have
        heard it is best to order the SP2 CD on the
        Microsoft site rather than downloading it from their
        site ( less potential problems ) . The CD is FREE,
        though there is a small shipping/handling "fee" .

Announcements