Hello, the infection came from the internet last week and from then on avast is unable to remove it.
-the infected file is (root)\windows\spoolsv32.dll (a fake Windows library?)
-avast!4 detects the trojan at every Windows start-up; once there I try to delete it and it seems to work right, but immediately another identical alert comes up (for ever & ever & ever…)
-if I move it to the chest the alerts stop until the next startup
Why was avast unable to remove it, what was the error message?
What is your OS?
If you have XP or Win2k, you could enable a boot-time scan. Right-click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’
Sorry for being late but my internet connection is intermittent (I’ve been so busy lately… ::))
I did the boot-time scan yesterday (many times actually) (very good idea DavidR, I hadn’t thought of it…). Unluckily it didn’t solve the problem.
Anyway, the OS is WinXP sp2; the alert (small-ckx found in \windows\spoolsv32.dll) shows at every bootup. These are the cases:
-I try to delete with the option “boot remove (or similar)…” => seems all right but no confirmation appears. Then another identical alert (trojan found…)
-I try to remove without checking the option “boot remove…” => Error message!: “Access denied” (or similar, I use a translation). Even if I checked that the bad, bad DLL is not present in memory (with Process Explorer: spoolsv32.dll stays resident in service32.exe).
-move to the chest: this time really all right (until next boot :'() and the library file is not shown in \windows any more…
Sorry for the length, I tried to be clear and thank you very very much
ps. I disabled System Restore and removed all the backups in \system volume information\ (so much malware!)
Windows in its infinite wisdom protects files in use (even malware) or in system folders, so it is likely that avast! can’t delete or move files in use. So schedule a boot-time scan in avast’s menu if you have XP, Win2k or NT; otherwise boot into safe mode and run an avast scan. This should ensure that the file isn’t in use and avast should be able to deal with it.
This would appear to be why you initially can’t remove it, but even when removed in a boot scan something appears to be bringing it back, which leads on to what Frank is suggesting, it may have a rootkit element to this (this is confirmed in some google searches). So if you haven’t downloaded and run the tools he has given links for that would be your next step.
C:\WINNT\ctfmon32.dll is not a file the trojan attached to, it is the trojan itself. As David said, schedule an avast! boot scan, turn off System Restore, and reboot. Put ctfmon32.dll in quarantine, if possible, during this scan.
@ boone.gary
Follow the steps outlined. Something you should consider is prevention: try to stop malware getting established in system folders (a common tactic to make you wary of moving or deleting it) and creating registry entries.
You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.
Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.
Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP.
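Both files named in this thread (spoolsv32.dll, ctfmon32.dll) reuse the name of a legitimate Windows binary with a "32" suffix and a changed extension, the "fake Windows library" trick the first post suspects. The script below is an added example, not from the forum or from avast: given a directory listing, it flags names that imitate a known system binary that way. The list of legitimate binaries and the sample listing are constructed for the example; a real check would build the list from the machine's actual system32 inventory.

```python
import os
import re
from typing import Dict, Iterable, Optional

# Constructed allow-list of legitimate Windows binary names whose stems
# malware in this thread borrows (spoolsv.exe -> spoolsv32.dll,
# ctfmon.exe -> ctfmon32.dll). Assumption: a deployment would populate this
# from the real %SystemRoot%\system32 contents rather than a hard-coded set.
KNOWN_SYSTEM_BINARIES = {
    "spoolsv.exe", "ctfmon.exe", "svchost.exe", "lsass.exe",
    "winlogon.exe", "explorer.exe", "services.exe", "csrss.exe",
}


def lookalike_of(filename: str) -> Optional[str]:
    """Return the legitimate binary a file name imitates, or None.

    Heuristic: strip an optional trailing '32' or '64' from the stem and
    compare against the stems of known binaries. The extension may differ,
    because an .exe name reused as a .dll is exactly the pattern reported.
    A name that is itself a known binary (e.g. explorer.exe) is not flagged.
    """
    lowered = filename.lower()
    if lowered in KNOWN_SYSTEM_BINARIES:
        return None
    stem, _ext = os.path.splitext(lowered)
    base = re.fullmatch(r"(.+?)(?:32|64)?", stem).group(1)
    for legit in KNOWN_SYSTEM_BINARIES:
        legit_stem, _ = os.path.splitext(legit)
        if base == legit_stem:
            return legit
    return None


def scan_listing(filenames: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious name in a listing to the binary it imitates."""
    hits = {}
    for name in filenames:
        target = lookalike_of(name)
        if target:
            hits[name] = target
    return hits


# Constructed listing standing in for a \windows folder: the two names from
# the thread plus legitimate files (kernel32.dll must not be flagged).
SAMPLE_LISTING = ["spoolsv32.dll", "ctfmon32.dll", "notepad.exe",
                  "kernel32.dll", "explorer.exe", "system.ini"]

if __name__ == "__main__":
    for name, legit in scan_listing(SAMPLE_LISTING).items():
        print(f"{name}: imitates {legit}")
```

A hit is a lead for a boot-time scan or quarantine, not proof of infection; confirm with the scanner and with where the file sits (the legitimate spoolsv.exe lives in system32, not directly in \windows).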