spoolslv.exe?

  1. #1
    Junior Member
    Join Date
    Jul 2002
    Posts
    5

    spoolslv.exe?

    Hey everyone,

    Last week a bunch of Win2k and XP Pro machines on our network started having weird problems like:
    (XP) rebooting à la Blaster
    could not send/receive in Outlook
    could not copy and paste files
    winnt and system32 dirs were blank (although the task bar would show the correct file count)
    printing problems
    could not open secondary windows and could not run Search
    some other odds and ends too

    What I found was a process called spoolslv.exe that was causing all this. I could kill the process on XP, reboot, and it seemed OK. On Win2k I had to use process mgr to kill it because it was saying access denied. Once I ended the process it would repopulate within minutes, some quicker than others, but it was pretty fast. I found in the registry where it was adding itself to the Run key and also below it in the RunServices key. It would say "microsoft windows patch" and had the spoolslv.exe file there. Once I ended the process and cleaned the registry I would have to reboot the machine, then go in and delete the actual file, which was located in the system32 folder.

    I was trying to see how it works, and once a machine became infected I ran netstat... it seemed like it was trying to connect to a bunch of machines and also connecting to random IP ranges and addresses.

    This thing travels pretty fast on the network and is hard to keep away. I have searched Google, Yahoo, Symantec, Trend Micro, Sophos, etc., and no one has heard of it or mentioned it.

    I did find that on some machines there was another file that would sometimes be with it, called winhlpp32.exe, in the same location. These are similar in name to normal sys files except for 1 letter. Has anyone seen or heard of this at all? Thanks

  2. #2
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    I found this for now. See if it helps and I'll look some more.
    http://forums.devarticles.com/archive/t-7117
    When death sleeps it dreams of you...

  3. #3
    Junior Member
    Join Date
    Jul 2002
    Posts
    5
    Thanks, I found that on Google and it is kind of a dead end. Looks like the only thing out there. Thanks for the info.

  4. #4
    0_o Mastermind (keezel)
    Join Date
    Jun 2003
    Posts
    1,024
    I don't think I've ever seen it - but it sounds familiar... Have you tried unplugging everything from the network and running individual scans with stuff like Ad-Aware/Spybot S&D and a good, updated antivirus? Are there firewalls on the computers blocking all unnecessary ports? How large of a network are you talking about?

    *edit*
    Even though I still think you should run AV, it sounds like a worm that you'll need a specific worm removal tool for. If you run AV, though, it at least may be able to catch and identify exactly what you're dealing with so you can search for and download a specific removal tool. There should be instructions for the removal of the worm too, like: turn off System Restore, reboot in Safe Mode, scan, reboot into normal mode, and then reactivate System Restore (all this on a computer that is separated from the other computers).

  5. #5
    Junior Member
    Join Date
    Jul 2002
    Posts
    5
    Yes, I had about 12 machines unplugged today trying to clean them all off, and I am trying to find any others that have it. We have the latest updates running Symantec Corp Edition and I have tried scanning with sites like spywareinfo.com etc. Our network is about 175 nodes, PCs and laptops. Most of the machines are not affected, so I wonder if there is a patch or service pack difference between certain ones. I am checking into that tomorrow. We are in the process of moving everyone over to a Win2k3 domain with A/D, and then we will use the Corp Edition to regulate the PCs like a firewall, but we are not at that point yet. If I cannot find a fix somehow, maybe I can create something that I can send to the users that would kill the process, delete the file and clear the reg keys, or maybe try it remotely. It is getting very time consuming, of course, to walk to all the machines.
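    The kill-process / delete-file / clear-reg-keys routine the OP is considering, written out as an added example that is not part of the thread (PowerShell, which post-dates the thread). The process names, the Run and RunServices keys, the "microsoft windows patch" value and the System32 location come from post #1; the script name, the -Remediate switch and the HKCU key are assumptions. It reports only unless -Remediate is given, and is meant to be run on a machine already unplugged from the network, as post #4 advises.

```powershell
# Added example, not the OP's tool. Checks the indicators described in the
# thread and optionally removes them. Report-only unless -Remediate is passed.
param([switch]$Remediate)

# Look-alike names from post #1 (the legitimate spooler is spoolsv.exe, one letter shorter).
$names   = @('spoolslv.exe', 'winhlpp32.exe')
$sys32   = Join-Path $env:SystemRoot 'System32'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'        # assumed extra location
)
$findings = @()

# 1. Running processes with the look-alike names. -contains is case-insensitive.
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    if ($names -contains ($p.ProcessName + '.exe')) {
        $findings += "process $($p.ProcessName) pid $($p.Id)"
        if ($Remediate) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
    }
}

# 2. Autostart values whose data points at one of the files. The thread saw a value
#    named "microsoft windows patch"; matching on the data catches renamed values too.
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $item = Get-Item $k
    foreach ($v in $item.GetValueNames()) {
        $data = [string]$item.GetValue($v)
        foreach ($n in $names) {
            if ($data -match [regex]::Escape($n)) {
                $findings += "autostart $k\$v = $data"
                if ($Remediate) { Remove-ItemProperty -Path $k -Name $v -ErrorAction SilentlyContinue }
            }
        }
    }
}

# 3. The dropped files. Deletion only sticks once the process is stopped and the
#    autostart entries are gone, which is why the steps run in this order; post #1
#    reports needing a reboot in between on some machines.
foreach ($n in $names) {
    $f = Join-Path $sys32 $n
    if (Test-Path $f) {
        $findings += "file $f"
        if ($Remediate) { Remove-Item $f -Force -ErrorAction SilentlyContinue }
    }
}

if ($findings.Count -eq 0) { 'no indicators found' } else { $findings }
```

Run it once without -Remediate to confirm the indicators match before cleaning, and re-run after a reboot to check the process has not respawned as the OP observed.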

  6. #6
    0_o Mastermind (keezel)
    Join Date
    Jun 2003
    Posts
    1,024
    Yeah, I know how much of a pain that can be...sorry man. Lemme know what comes up in the AV scan (hopefully *something* will come up).

    This may or may not help but it never hurts:

    Ad-Aware
    Spybot: Search & Destroy

    I strongly recommend using one of these on any computer that actively interfaces with the web in the future, if not immediately for the present situation. Best of luck!

  7. #7
    Junior Member
    Join Date
    Jul 2002
    Posts
    5
    Thanks.

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    Sounds like W32.Donk. Run Stinger: http://download.nai.com/products/mca...rt/stinger.exe
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #9
    Junior Member
    Join Date
    Jul 2002
    Posts
    5
    Cool, I will check it out, thanks.

    If it is something known, I wonder why a current scan is not catching anything.

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    There's a new version of Donk out. One of my remote locations got hit with it. Symantec had to send us an emergency update. It'll be morphed a few more times to evade detection before it's completely detectable... if that's what it is.
