Need help with Trojan win32:Small-ckx!

Hello, the infection came from the internet last week and from then on avast is unable to remove it.

- the infected file is (root)\windows\spoolsv32.dll (a fake Windows library?)
- avast! 4 detects the trojan at every Windows start-up; once there I try to delete it and it seems to work, but immediately another identical alert comes (for ever & ever & ever…)
- if I move it to the chest, the alerts stop until the next startup

What’s the matter with me!!
Thanks in advance

Why was avast unable to remove it, what error message?

What is your OS?
If you have XP or Win2k, you could enable a boot-time scan. Right-click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’

Hi johntrevor,

It could be a rootkit infection: I suggest you try a scan with a couple of Anti-rootkit tools if a boot time scan is not effective:

http://www.freewarefiles.com/downloads_counter.php?programid=22524

http://www.f-secure.com/blacklight/

Sorry for being late but my internet connection is intermittent (this period I’ve been so busy… ::))

I did the boot-time scan yesterday (many times actually) (very good idea DavidR, I hadn’t thought of it…). Unluckily it didn’t solve the problem.

Anyway, the OS is WinXP SP2; the alert (small-ckx found in \windows\spoolsv32.dll) shows at every boot-up. These are the cases:
- I try to delete with the option “boot remove (or similar)…” => seems all right but no confirmation appears. Then, another identical alert (found trojan…).
- I try to remove without checking the option “boot remove…” => Error message: “Access denied” (or similar, I use a translation). Even though I checked that the bad bad DLL is not present in memory (with Process Explorer: spoolsv32.dll stays resident in service32.exe).

- move to the chest: this time really all right (until next boot :'() and the library file is not shown in \windows any more…

Sorry for the length, I tried to be clear and thank you very very much

PS. I disabled System Restore and removed all the backups in \system volume information\ (how much malware!)

Windows in its infinite wisdom protects files in use (even malware) or in system folders, so it is likely that avast! can’t delete or move files in use. So schedule a boot-time scan in avast’s menu if you have XP, Win2k or NT, otherwise boot into safe mode and run an avast scan. This should ensure that the file isn’t in use and avast should be able to deal with it.

This would appear to be why you initially can’t remove it, but even when removed in a boot scan something appears to be bringing it back, which leads on to what Frank is suggesting: it may have a rootkit element to this (this is confirmed in some Google searches). So if you haven’t downloaded and run the tools he has given links for, that would be your next step.

Also see Hidden things http://invisiblethings.org
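The two points in the post above, a mapped DLL cannot be deleted live and the removal therefore has to happen before the file is loaded, can be scripted. The following is an added example written for this page, not code from the thread or from avast!: it lists the processes that currently have the DLL loaded (what the original poster did by hand with Process Explorer), then records a delete-on-reboot request through the documented Win32 call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which Windows carries out early in the next boot. It assumes Windows PowerShell run from an administrator account; the file name is the one reported in the thread, substitute your own.

```powershell
# Added example, not from the thread: find which process has the DLL mapped
# (the reason a live delete gets "Access denied"), then ask Windows to delete
# it before anything can load it again. Run as an administrator. The file
# name is the one reported in the thread; substitute your own path.
$target = Join-Path $env:SystemRoot 'spoolsv32.dll'

function Get-DllHosts([string]$DllPath) {
    # Return one record per process that currently has the DLL loaded.
    $name = [System.IO.Path]::GetFileName($DllPath)
    foreach ($p in Get-Process) {
        try {
            # .Modules throws for processes we are not allowed to open; skip them.
            $hit = @($p.Modules | Where-Object { $_.ModuleName -ieq $name })
            if ($hit.Count -gt 0) {
                New-Object PSObject -Property @{
                    Pid = $p.Id; Process = $p.ProcessName; Path = $hit[0].FileName
                }
            }
        } catch { }
    }
}

function Request-DeleteOnReboot([string]$Path) {
    # Documented Win32 call: MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT)
    # records the request under HKLM\SYSTEM\CurrentControlSet\Control\
    # Session Manager\PendingFileRenameOperations; the session manager carries
    # it out early in the next boot, before services (and the DLL) are loaded.
    $sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, IntPtr lpNewFileName, int dwFlags);
'@
    if (-not ('Win32Native.Kernel32' -as [type])) {
        Add-Type -MemberDefinition $sig -Name 'Kernel32' -Namespace 'Win32Native'
    }
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if (-not (Test-Path -LiteralPath $Path)) {
        # A file that is loaded but not visible to the file API is itself a
        # rootkit indicator; the request is still worth recording.
        Write-Warning "$Path is not visible to the normal file API"
    }
    $ok = [Win32Native.Kernel32]::MoveFileEx($Path, [IntPtr]::Zero, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Warning "MoveFileEx failed with Win32 error $err (not elevated?)"
    }
    return $ok
}

Get-DllHosts $target | Format-Table Pid, Process, Path -AutoSize

if (Request-DeleteOnReboot $target) {
    # Show the recorded request; reboot afterwards and confirm the file is gone.
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
}
```

The delete-on-reboot request only removes the copy on disk. If the file is back after the reboot, as in this thread, something that runs during boot (a service or driver) is recreating it, and that persistence has to be found and removed first; the request above does nothing about it.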

Hello,

I’m having the same problem… what was your final fix? Thanks, Gary

Current logical steps:

  1. disable system restore, reboot.
  2. schedule an avast boot-time scan.
  3. check out the links (and programs) given by Frank and myself.

But what would be more helpful is some information from you.

  • What operating system are you using? Is it up to date?
  • What avast! version and VPS file (virus database) number, e.g. 0630-2 (see about avast!) ?
  • What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
  • What actions have you taken to try and resolve the problem ?

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

  1. Ewido, a.k.a. AVG Anti-Spyware, if using WinXP, or a-squared Free if using Win98/ME.

Need assistance removing win32:small-ckx. I am using Windows XP.

C:\WINNT\ctfmon32.dll is not a file the trojan attached to, it is the trojan itself. As David said, schedule an avast! boot scan, turn off System Restore, and reboot. Put ctfmon32.dll in quarantine, if possible, during this scan.

WINNT\system32\Izx32.sys is probably rustock.b

Since rustock.b attempts to hide itself from

RootkitRevealer
BlackLight
Rkdetector
gmer.exe
endoscope.EXE
DarkSpy
Anti-Rootkit

the normal tools may not work with this.

There are removal instructions at Geeks to Go (scroll about halfway down the page)

http://www.geekstogo.com/forum/How_to_Remove_Rustock_b_pe386_lzx32_msguard_infections-t140682.html

And more information here

http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=2
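Because the rootkit named above hides from the usual scanners, a practitioner wants at least a cheap consistency check to run before and after the linked removal steps. The following is an added example written for this page, not code from the thread, from avast! or from either linked site: it walks every kernel-driver service registered in the Services hive and flags entries whose image file the normal file API cannot see, or whose image path points into an NTFS alternate data stream (a hiding place for driver images; that it applies to this particular rootkit is stated here from general knowledge, not by the page), and it lists any named streams on the system folder. A rootkit that is already running can lie to both views, so a clean result means "nothing found", not "nothing there"; the check is most trustworthy from safe mode or a boot disk. It assumes Windows PowerShell 3.0 or later for -Stream; the folder name is an assumption.

```powershell
# Added example, not from the thread: consistency check for driver persistence.
# Lists kernel-driver service entries whose image file is not visible through
# the normal file API or lives in an alternate data stream, then any named
# streams on the System32 folder. A running rootkit can hide from this too.
# Needs PowerShell 3.0+ for -Stream (on 2.0, `cmd /c dir /r C:\Windows` from
# the parent folder shows the same streams).

function Get-DriverImagePath([string]$ImagePath) {
    # ImagePath values come in several spellings: "system32\drivers\x.sys",
    # "\SystemRoot\system32\drivers\x.sys", "\??\C:\...". Normalise them.
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Find-SuspectDrivers {
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem $services -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file system driver; skip ordinary services.
        if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
        if (-not $props.ImagePath) { continue }
        $image = Get-DriverImagePath $props.ImagePath
        $reason = $null
        if ($image -match '^[A-Za-z]:\\.*:[^\\]+$') {
            # A second colon after the drive letter means "folder:stream".
            $reason = 'image path points into an alternate data stream'
        } elseif (-not (Test-Path -LiteralPath $image)) {
            $reason = 'image file not visible on disk'
        }
        if ($reason) {
            New-Object PSObject -Property @{
                Service = $svc.PSChildName; ImagePath = $props.ImagePath; Reason = $reason
            }
        }
    }
}

function Find-FolderStreams([string]$Folder = (Join-Path $env:SystemRoot 'System32')) {
    # Named streams on a directory are legitimate but rare; list whatever is there.
    Get-Item -LiteralPath $Folder -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Find-SuspectDrivers | Format-Table Service, ImagePath, Reason -AutoSize
Find-FolderStreams  | Format-Table -AutoSize
```

Run it once while the system is live and once from safe mode; a service entry that appears only in the second run is the kind of discrepancy the anti-rootkit tools in the list are built to find, and the thing the removal instructions at the link above tell you to delete.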

@ boone.gary
Follow the steps outlined. Something you should consider is prevention: try to stop malware getting established in system folders (a common tactic to make you wary of moving or deletion) and creating registry entries.

You might also consider proactive protection: in order to place files in the system folders and create registry entries, you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
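The restricted-token idea behind DropMyRights can be used without installing anything, because runas.exe on XP SP2 and later has a /trustlevel switch that launches a program under a SAFER level. The following is an added example written for this page, not code from the thread or from DropMyRights: a small wrapper that starts a program at the "Normal User" level (0x20000) and a way to confirm the child really lost its administrator rights. The program paths are assumptions; `runas /showtrustlevels` prints the levels your system offers.

```powershell
# Added example, not from the thread: start a browser or mail client with a
# reduced-rights token from an administrator account, the same idea as
# DropMyRights, using the /trustlevel switch of the built-in runas.exe (XP SP2
# and later). 0x20000 is the SAFER "Normal User" level; `runas /showtrustlevels`
# lists what your system offers. Program paths below are assumptions.

function Start-LowRights {
    param(
        [Parameter(Mandatory = $true)] [string]$Program,
        [string]$Arguments = '',
        [string]$TrustLevel = '0x20000'     # Normal User
    )
    # runas takes the whole child command line as one quoted argument; inner
    # quotes are escaped with backslashes, as in runas's own help text.
    $inner = "\`"$Program\`""
    if ($Arguments) { $inner += " $Arguments" }
    $runas = Join-Path $env:SystemRoot 'System32\runas.exe'
    Start-Process -FilePath $runas -ArgumentList "/trustlevel:$TrustLevel `"$inner`"" -NoNewWindow
}

# Prove the token really changed: in a cmd.exe started this way, `whoami /groups`
# lists Administrators as a deny-only group ("Group used for deny only") and
# `whoami /priv` shows a much shorter privilege list, so writes to %SystemRoot%
# or HKLM fail even though you are logged on as an administrator (whoami.exe is
# built in from Vista on; on XP it comes with the Support Tools).
Start-LowRights -Program (Join-Path $env:SystemRoot 'System32\cmd.exe') -Arguments '/k whoami /groups & whoami /priv'

# Everyday use, e.g. as the target of a desktop shortcut:
Start-LowRights -Program (Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe')
```

The child still runs as your user, so it can read and change your own documents; what it loses is the ability to drop files into the system folders and write machine-wide registry keys, which is exactly the foothold the malware in this thread relies on. Anything you save from the low-rights browser and later run normally gets your full rights again, so the protection covers the browsing session, not files you execute afterwards.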