trojan horse keep appearing

Hi Spiritsongs,
I’ve uninstalled Symantec products & updated Java. Thanks for the advice.

Hi FreewheelinFrank,
I’ve followed your instructions:
Click “Start” > “Run” and type “Services.msc” (without quotes) then hit “Ok”.
Click the “Extended” tab.
Scroll down and find the services called Spullepdsvc and Spullerpdsvc
I don't see it. I checked line by line to verify & nope, it's not there.

As for
Run regedit and navigate to:

HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon

In there there should be a value (on right hand side of screen) called Userinit.

The data for this value is probably something similar to:

C:\windows\system32\userinit.exe,C:\windows\system32\userinit.exe,

Here I did find C:\windows\system32\userinit.exe,userinit.exe

Is it the same? I'm a newbie at messing with regedit. What does this function do? Please tell me so I can improve my knowledge ;D Thanks. After checking your reply & suggestions I will update a hijackthis.log to verify again.

If the services are not there, you can delete the two entries in HijackThis!

O23 - Service: Window Services Pack Install (Spullepdsvc) - Unknown owner - C:\Program Files\Common Files\xbnz000.exe (file missing)

O23 - Service: Window Services Pack Installe (Spullerpdsvc) - Unknown owner - C:\Program Files\Common Files\spupdsvc.exe (file missing)

Run HijackThis! again and tick the entries then click ‘fix’.

Follow the advice to edit the duplicate entry:

If you do see a duplicated string in there similar to the above - simply double click on the Userinit value and edit the data so as to delete everything to the right of the first comma (,). In the case above you would leave only:

C:\windows\system32\userinit.exe,

The double entry is corrupted if not malicious. The symptoms you describe:

Now after every time boot up & loading into windows XP my windows explorer open by itself. Can you guys help me to stop it from opening by itself.

Are similar to those described here:

I'm not a computer newbie, but this is driving me insane. On reboot, My Documents folder opens.

http://www.techspot.com/vb/all/windows/t-21035-My-Documents-Folder-Opens-on-Boot-winxp-sp2.html

So fixing the double entry may cure it.

I also suggest clearing out all your temp files. CleanUp! is good for this:

http://www.stevengould.org/software/cleanup/

And of course you need to update Java as SpiritSongs spotted, and also update Windows because your system is out of date, which leaves it very vulnerable.

Thanks FreewheelinFrank
It did fix the Windows Explorer problem. Great & thank you very, very much for your help :D.
I also deleted the two services.
Please check my hijackthis log for any more improvements. Thanks

Good find on the techspot link Frank.

@ kahchoon88
I told you it is like trying to find a needle in a haystack ;D glad that explorer opening is at last resolved.

DavidR
It is finding a needle in a haystack. Now my com is normal again. Thanks again guys.

Glad that solved the problem!

You can have HijackThis! fix the following entries:

F2 - REG:system.ini: Shell=

O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)

The two service entries are back. I’d forgotten that HijackThis! won’t remove registry entries for services without using the Delete an NT Service feature.

You can delete them in this way:

Open HijackThis. Click on the "Open Misc. tools section" button. Click on the "Delete an NT service" button. Type Spullepdsvc in the space provided and click OK. Repeat for Spullerpdsvc.

The program will ask you to reboot. Accept.

I’m not sure if you can delete two services this way without rebooting in between.

Or from XP command prompt you can type:

sc delete Spullepdsvc

and repeat for the other service.

After that you need to update because your browser and OS are vulnerable:

http://www.windowsupdate.com/

Download every critical update. If you need to reboot, return after rebooting and check there are no more to download.

:slight_smile: Hi kahchoon ( & Frank ) :

 Several days ago you said you "loaded" SpyCatcher, yet
 the ONLY place it shows up on your HijackThis log is the
"02" Entry that Frank recommended to be "fixed". Is this
 program ACTUALLY ON your computer  ?
 I ask because "0A87E45F-537A-40B4-B812-E2544C21A09F"
 is SpyCatcher's "Active Block" and wonder if it should be
 "fixed" ( removed ) !?
 AND BEFORE getting XP SP2, make one last "sweep" of
 your antiSPYWARE program(s) and it would not hurt to
 see if any rootkits MAY BE on your computer by using the
 FREE RootkitRevealer from :
 www.sysinternals.com/Utilities/rootkitrevealer.html .
 As to Microsoft "critical" Updates : avoid KB 905474,
 known as the "Genuine Advantage Notification Tool"
 IF you have managed to NOT get it in the past .
..."02" Entry that Frank recommended to be "fixed". Is this program ACTUALLY ON your computer ? I ask because "0A87E45F-537A-40B4-B812-E2544C21A09F" is SpyCatcher's "Active Block" and wonder if it should be "fixed" ( removed ) !?

Awww… Don’t trust me?

Don’t worry, even “Microsoft Most Valued Professionals”, and those “malware experts” at AumHa have been known to recommend the same thing as poor ignorant meddling me:

http://www.windowsbbs.com/showthread.php?t=54987

http://forum.aumha.org/viewtopic.php?t=21244&sid=9dd2201d1ee7c112ef14e8722d7641c4

:slight_smile: Hi Frank :

  The Aumha thread you quoted had "KB" provide the
  advice; there is no "Malware Expert", "MMVP" or
 "A.S.A.P" anywhere in his posts. His skill seems similar
  to yours !?
  However, I found a thread there where Expert
 "Robear Dyer" advised someone with SpyCatcher
 "Active Block" as a "02" Item that he did not recommend
  it be fixed; if interested, see :
  http://aumha.net/viewtopic.php?t=18812&highlight=spycatcher .

SpiritSongs,

The entry in the thread you link to is a very different kettle of fish:

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll

The entry I and the people at windowsbbs.com and forum.aumha.org suggested deleting was:

O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)

Can I respectfully suggest that if you are going to take issue with advice provided by a member of the forum, you address your concerns to the person giving the advice, rather than to the recipient?

Regards,

FwF.
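The checks discussed in the posts above (service entries marked "file missing", the BHO entry with "(no file)" versus the one with a live DLL, and the Userinit value with extra data after the first comma), as an added example that is not part of any original post. The function names are hypothetical, and the expected Userinit path is assumed to be the one quoted in this thread.

```python
import re

# HijackThis O23 line: display name, (service name), owner, image path, optional "(file missing)".
O23 = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?)"
                 r" - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# HijackThis O2 line: BHO name, {CLSID}, then a DLL path or the literal "(no file)".
O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")

# Log lines quoted in this thread; the last is the live SpyCatcher BHO from the linked thread.
SAMPLE_LOG = [
    r"O23 - Service: Window Services Pack Install (Spullepdsvc) - Unknown owner - C:\Program Files\Common Files\xbnz000.exe (file missing)",
    r"O23 - Service: Window Services Pack Installe (Spullerpdsvc) - Unknown owner - C:\Program Files\Common Files\spupdsvc.exe (file missing)",
    r"O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)",
    r"O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll",
]

def orphaned_entries(log_lines):
    """Return (kind, identifier) for entries whose backing file is gone."""
    found = []
    for line in log_lines:
        line = line.strip()
        m = O23.match(line)
        if m:
            if m.group("missing"):
                found.append(("service", m.group("name")))
            continue
        m = O2.match(line)
        if m and m.group("path") == "(no file)":
            found.append(("bho", m.group("clsid")))
    return found

def extra_userinit_entries(value, expected=r"C:\windows\system32\userinit.exe"):
    """Split Winlogon Userinit data on commas; return everything beyond one expected entry."""
    extras, seen_expected = [], False
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue  # the trailing comma leaves an empty final field
        if entry.lower() == expected.lower() and not seen_expected:
            seen_expected = True
        else:
            extras.append(entry)  # duplicate or additional program launched at logon
    return extras

if __name__ == "__main__":
    for kind, ident in orphaned_entries(SAMPLE_LOG):
        print(f"orphaned {kind}: {ident}")
    print(extra_userinit_entries(r"C:\windows\system32\userinit.exe,userinit.exe"))
```

The same CLSID is reported only for the "(no file)" line, not for the line that still points at SCActiveBlock.dll.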

Ah sorry guys, I forgot to tell you that I uninstalled SpyCatcher 2006. It caused my Windows XP to hang after loading with ewido. Guess you can't have 2 antispyware programs running, like antivirus. Sorry :-[. Now that I have uninstalled SpyCatcher 2006, I guess I can delete the entry
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file) Right?
Thanks anyway guys, now I know that even uninstalling a program still leaves some entries in the registry.

By the way, guys, can I really update Windows? Some of my friends tell me that if you are not using a genuine Windows XP and you update, you will get a message popping up every 30 minutes telling you you're not using a genuine one. (P.S. I am not using a genuine Windows XP :-X). If I avoid this update
As to Microsoft “critical” Updates : avoid KB 905474,
known as the “Genuine Advantage Notification Tool”
will my Windows XP work? ???

In that case, maybe it’s not such a good idea… although it does leave you very vulnerable to infection.

I suggest you switch to Opera or Firefox straight away, because an old version of IE will be full of holes, and will expose you to auto-installing spyware.

I did read about a site where you can download Windows updates without the Genuine Advantage check, but I can’t remember where. Maybe you could Google for it and search the forum.

Maybe somebody will read this and post a link.

Glad your problem is solved, anyway.

EDIT: I think this was the site:

http://windizupdate.com/

NB: Requires Firefox

:slight_smile: Hi kahchoon :

  How do you know your XP SP1 is NOT "genuine" ?
  Since Microsoft allegedly will stop "issuing" Updates for
  that OS after Oct 10, '06, you may be able to resolve
  any "genuineness" issue with Microsoft on the following
  Microsoft Support Forum :

 http://forums.microsoft.com/genuine/default.aspx?siteid=25 .

 I have heard they can be lenient if someone tells them
 the circumstances on HOW they got the computer !?
 Since we are talking Microsoft Updates, do you have
 KB 892130 ( Win Gen Advantage Validation Tool )
 currently on your computer ? As far as I know, this one
 does NOT cause any annoying popup "messages" ?

 P.S. Would be best to ask Microsoft on those forums
        BEFORE downloading the XP SP2; in fact, I have
        heard it is best to order the SP2 CD on the
        Microsoft site rather than downloading it from their
        site ( less potential problems ) . The CD is FREE,
        though there is a small shipping/handling "fee" .

Hi Spiritsongs,

Well, when I bought this com, the retailer said I didn't need a genuine Windows XP for home use. However, at that time my knowledge about the benefit of having licensed software was low. Therefore I listened to his advice. Now I know how important it was. Now I will try FreewheelinFrank's suggestion to update Windows XP at the site. I will be looking for the price of Conroe to drop next year & the launch of Windows Vista. Until then I will have to cling on to this ungenuine Windows XP. :-
Oh & nevertheless thanks FreewheelinFrank for the site. :slight_smile: