SPOOLSV.EXE

After ‘Avast4.6 Pro’ updated its VPS to 0513.0 on a PC running ‘XP Pro SP2’, it detected a WIN32:Trojan-gen {Delphi} in C:\Windows\SPOOLSV.EXE (size about 396K, dated few months ago)

I noticed that ‘spoolsv.exe’ does also exist in C:\Windows\System32\ (and it has a backup in folder ‘i386’). But its size is 57,856 Bytes

I run XP in safe mode and moved that “C:\Windows\SPOOLSV.EXE” to another hard (and ciphered… that is why I lost its original date).

When I restarted XP, a pop-up said (after opening everything) that winlogon.exe has to close due to an error!

Of course the next reboot failed to run normally giving ‘safe mode’ as a choice.

So in safe mode, I returned the moved ‘SPOOLSV.EXE’ to its original place and as expected the PC run again normally.

Any advice on how to remove that Trojan? Or it is just a false positive?

Note: I run 2 other PCs with XP Home SP2 instead. No sign of C:\Windows\SPOOLSV.EXE in them.

Thanks, Kerim

It is not a false positive. It is usually referenced as CIADOOR Trojan. More info and removal instruction can be found with your favorite internet search engine.

e.g. http://snipurl.com/dqiy

Hi Lukor my friend,

Can you take a look at this one too ?

http://forum.avast.com/index.php?topic=12410.0

Thanks !

Hi Lukor,

It is not a false positive.

That is what I liked to hear to search for a removal process.

Thanks, Kerim

I`ve seen this service with AGOBOT virus i think.

av-outsource

I thought it will be a simple task to search then solve that spoolsv.exe issue but it isn’t ???
(By the way, the ‘System Restore’ is disabled since long ago.)

  1. I didn’t find any trace of C:\Windows\SPOOLSV.EXE (or equivalent) in the XP registry, win.ini or system.ini. So, it seems it is not a ‘Backdoor_Ciadoor_B’, right?

  2. Winlogon.exe of XP cannot run without that C:\Windows\SPOOLSV.EXE if deleted!

  3. If it is ‘Hacktool.Privshell’ trojan, is it enough for me to replace that ‘spoolsv.exe’ with the good one in ‘C:\Windows\System32’? Does XP Pro SP2 needs this file in two places?!

  4. Is it possible that ‘Winlogon.exe’ is directed, at the start, to the infected ‘C:\Windows\SPOOLSV.EXE’ by a sort of command embedded in ‘pagefile.sys’ (virtual memory)?!

  5. Perhaps the starter is disguised under another name.
    Here is the complete list in the ‘RUN’ key:

=== Begin list1 ==================================================
Known to me (hence clean):

“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe”
“CookieWall”=“C:\Program Files\AnalogX\CookieWall\cookie.exe”

Not sure about:

“NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup”

“nwiz”=“nwiz.exe /install”

“PHIME2002ASync”=“C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC”

“PHIME2002A”=“C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName”

“NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit”

“IMJPMIG8.1”=“"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32”

“MSPY2002”=“C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC”

" "=“C:\WINDOWS\system32\primafilla ok !!.exe”

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe”

“MsmqIntCert”=“regsvr32 /s mqrt.dll”

“QuickTime Task”=“"C:\Program Files\QuickTime\qttask.exe" -atboottime”

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe”

=== End list1 ====================================================

And should I delete the following ones in the ‘RUN-’ key list?

=== Begin list2 =========================

“ABBYY Community Agent”=“C:\PROGRA~1\SPRINT~1.0OF\Sprint\CAgent.exe”

“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot”

=== End list2 ===========================

  1. Is it a mere coincidence that just before the update 0513-1 my PC got infected or I had it since long but 0513-1 was able to detect it as WIN32:Trojan-gen {Delphi} now?

Note: The size of my actual infected spoolsv.exe is 407,552 Bytes

Thank you in advance for any further hint and/or advice.

Kerim

Kerim, posting a hijackthis log here wouldn’t hurt…

Hmmm… Could I?

I thought I have to wait first to be asked for it when it might be useful… usually by a moderator for example.

I know I have a problem I like to be solved as soon as possible, but I am not the only one here that needs help.

Spyros… thank you for reminding me. I will prepare a hijackthis log just in case one proposes to analyse it. You for example :wink:

By the way, the infected PC is not the one I am using now so it will take me more than few minutes to prepare it.

Kerim

I got the HijackThis log and attached it here.

Thanks, Kerim

Kerim,
You used an old version of HijackThis, please update and repost.

OK I will look for it. ;D

Since you know about a new one why you didn’t tell me its version? :stuck_out_tongue:

Time is running fast these days :-\

1.99.1
http://www.majorgeeks.com/download3155.html

Thank you Spyros

Here is the new log.

From Eddy’s HijackThis File Log Analyzer:

No software firewall detected. If you are not using a hardware firewall, it is highly recommended to install one.


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

default_page_url = about:blank


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :

o4 - hklm..\run: [sunjavaupdatesched] c:\program files\java\jre1.5.0_01\bin\jusched.exe

You can also analyze the original HijackThis log online at: http://hijackthis.de

I will fix those 2 entries.

Meanwhile I have to continue searching about that stand-alone SPOOLSV.EXE that has a WIN32:Trojan-gen {Delphi} and cannot be deleted as I have explained in above posts :frowning:

I am curious that though this exe is not running on the background, winlogon.exe ceases to run after finishing all startup programs if that spoolsv.exe is not present in C:\Windows folder!

I’ll let you know when I get something new about it.

Kerim

A link to help you:
http://answers.google.com/answers/threadview?id=457101

You will find more relevant links in that post.
Hope it helps…

Thank you again Spyros.

By the way, you made a very nice website, worth to be visited from time to time.