Author Topic: SPOOLSV.EXE  (Read 14435 times)

0 Members and 1 Guest are viewing this topic.

Kerim

  • Guest
SPOOLSV.EXE
« on: March 30, 2005, 12:46:21 PM »
After 'Avast4.6 Pro' updated its VPS to 0513.0 on a PC running 'XP Pro SP2', it detected a WIN32:Trojan-gen {Delphi} in C:\Windows\SPOOLSV.EXE (size about 396K, dated few months ago)

I noticed that 'spoolsv.exe' does also exist in C:\Windows\System32\ (and it has a backup in folder 'i386'). But its size is 57,856 Bytes

I run XP in safe mode and moved that "C:\Windows\SPOOLSV.EXE" to another hard (and ciphered... that is why I lost its original date).

When I restarted XP, a pop-up said (after opening everything) that winlogon.exe has to close due to an error!

Of course the next reboot failed to run normally giving 'safe mode' as a choice.

So in safe mode, I returned the moved 'SPOOLSV.EXE' to its original place and as expected the PC run again normally.

Any advice on how to remove that Trojan? Or it is just a false positive?

Note: I run 2 other PCs with XP Home SP2 instead. No sign of C:\Windows\SPOOLSV.EXE in them.

Thanks, Kerim

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: SPOOLSV.EXE
« Reply #1 on: March 30, 2005, 01:01:17 PM »
It is not a false positive. It is usually referenced as CIADOOR Trojan. More info and removal instruction can be found with your favorite internet search engine.

e.g. http://snipurl.com/dqiy

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: SPOOLSV.EXE
« Reply #2 on: March 30, 2005, 02:16:51 PM »
Hi Lukor my friend,

Can you take a look at this one too ?

http://forum.avast.com/index.php?topic=12410.0

Thanks !
MB: GIGABYTE GA-Z77X-UD3H Intel 7 Series  - LGA1155, CPU: Intel Core i5-3570K - Quad Core, 3.40GHz (3.80GHz Max Turbo), CPU COOLER: Cooler Master Hyper 212 EVO Direct Heat Pipe R2, RAM: 16 GB Kingston HyperX Blu DDR3, VIDEO CARD: Galaxy GeForce GTX 560 Ti - 1GB, GDDR5, POWER SUPPLY: Corsair Enthusiast Series TX750 V2 - 750 Watts, HD: Seagate Barracuda - 2TB, 7200RPM, 64MB, SATA 6Gb/s

Kerim

  • Guest
Re: SPOOLSV.EXE
« Reply #3 on: March 30, 2005, 07:07:57 PM »
Hi Lukor,

Quote
It is not a false positive.

That is what I liked to hear to search for a removal process.

Thanks, Kerim


av-outsource

  • Guest
Re: SPOOLSV.EXE
« Reply #4 on: March 30, 2005, 08:04:30 PM »
I`ve seen this service with AGOBOT virus i think.

av-outsource

Kerim

  • Guest
Re: SPOOLSV.EXE
« Reply #5 on: March 31, 2005, 12:12:29 PM »
I thought it will be a simple task to search then solve that spoolsv.exe issue but it isn't  ???
(By the way, the 'System Restore' is disabled since long ago.)

1) I didn't find any trace of C:\Windows\SPOOLSV.EXE (or equivalent) in the XP registry, win.ini or system.ini. So, it seems it is not a 'Backdoor_Ciadoor_B', right?

2) Winlogon.exe of XP cannot run without that C:\Windows\SPOOLSV.EXE if deleted!

3) If it is 'Hacktool.Privshell' trojan, is it enough for me to replace that 'spoolsv.exe' with the good one in 'C:\Windows\System32'? Does XP Pro SP2 needs this file in two places?!

4) Is it possible that 'Winlogon.exe' is directed, at the start, to the infected 'C:\Windows\SPOOLSV.EXE' by a sort of command embedded in 'pagefile.sys' (virtual memory)?!

5) Perhaps the starter is disguised under another name.
Here is the complete list in the 'RUN' key:

=== Begin list1 ==================================================
Known to me (hence clean):

"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"CookieWall"="C:\\Program Files\\AnalogX\\CookieWall\\cookie.exe"

Not sure about:

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

"nwiz"="nwiz.exe /install"

"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"

"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"

"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"

"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"

"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"

"  "="C:\\WINDOWS\\system32\\primafilla ok !!.exe"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"

"MsmqIntCert"="regsvr32 /s mqrt.dll"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

=== End list1 ====================================================

And should I delete the following ones in the 'RUN-' key list?

=== Begin list2 =========================

"ABBYY Community Agent"="C:\\PROGRA~1\\SPRINT~1.0OF\\Sprint\\CAgent.exe"

"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"

=== End list2 ===========================

6) Is it a mere coincidence that just before the update 0513-1 my PC got infected or I had it since long but 0513-1 was able to detect it as WIN32:Trojan-gen {Delphi} now?

Note: The size of my actual infected spoolsv.exe is 407,552 Bytes

Thank you in advance for any further hint and/or advice.

Kerim

Spyros

  • Guest
Re: SPOOLSV.EXE
« Reply #6 on: March 31, 2005, 12:16:38 PM »
Kerim, posting a hijackthis log here wouldn't hurt...

Kerim

  • Guest
Re: SPOOLSV.EXE
« Reply #7 on: March 31, 2005, 12:38:48 PM »
Hmmm.... Could I?

I thought I have to wait first to be asked for it when it might be useful... usually by a moderator for example.

I know I have a problem I like to be solved as soon as possible, but I am not the only one here that needs help.

Spyros... thank you for reminding me. I will prepare a hijackthis log just in case one proposes to analyse it. You for example ;)

By the way, the infected PC is not the one I am using now so it will take me more than few minutes to prepare it.

Kerim
 

Kerim

  • Guest
Re: SPOOLSV.EXE
« Reply #8 on: March 31, 2005, 02:46:50 PM »
I got the HijackThis log and attached it here.

Thanks, Kerim


 

Spyros

  • Guest
Re: SPOOLSV.EXE
« Reply #9 on: March 31, 2005, 02:58:34 PM »
Kerim,
You used an old version of HijackThis, please update and repost.

Kerim

  • Guest
Re: SPOOLSV.EXE
« Reply #10 on: March 31, 2005, 03:07:01 PM »
OK I will look for it. ;D

Since you know about a new one why you didn't tell me its version?  :P

Time is running fast these days  :-\


Spyros

  • Guest
Re: SPOOLSV.EXE
« Reply #11 on: March 31, 2005, 03:12:57 PM »

Kerim

  • Guest
Re: SPOOLSV.EXE
« Reply #12 on: March 31, 2005, 03:49:32 PM »
Thank you Spyros

Here is the new log.

Spyros

  • Guest
Re: SPOOLSV.EXE
« Reply #13 on: March 31, 2005, 03:57:56 PM »
From Eddy's HijackThis File Log Analyzer:

No software firewall detected. If you are not using a hardware firewall, it is highly recommended to install one.

--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
default_page_url = about:blank

--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :
--------------------------------------------------------------------------------
o4 - hklm\..\run: [sunjavaupdatesched] c:\program files\java\jre1.5.0_01\bin\jusched.exe

You can also analyze the original HijackThis log online at: http://hijackthis.de

Kerim

  • Guest
Re: SPOOLSV.EXE
« Reply #14 on: March 31, 2005, 04:34:35 PM »
I will fix those 2 entries.

Meanwhile I have to continue searching about that stand-alone SPOOLSV.EXE that has a WIN32:Trojan-gen {Delphi} and cannot be deleted as I have explained in above posts :(

I am curious that though this exe is not running on the background, winlogon.exe ceases to run after finishing all startup programs if that spoolsv.exe is not present in C:\Windows folder! 

I'll let you know when I get something new about it.

Kerim