June 5th, 2008, 04:39 PM
I had the task of fixing a computer with the spool.exe virus. This computer is Windows XP SP2 with, from what I could tell, no antivirus installed. Usually when I'm fixing a computer I will use HijackThis, Spybot, Ad-Aware, and Process Explorer as tools. Even in safe mode every program I put on the machine was automatically attacked and shut down. This was extremely frustrating, so after consulting Google I decided to delete the spool.exe from C:\WINDOWS\system32\drivers. After I restarted the computer every one of the file association paths broke. So now if I click on any program Windows will ask me how I want to open that program. Has anyone ever dealt with this type of problem before? Right now the only option I see is fdisk and I would rather not reinstall if there is a fix available. Thanks.
June 5th, 2008, 04:56 PM
I would say use system restore in order to get functionality back. Have you tried using one of those online antivirus scans? You probably shouldn't be connected to the network, but, if you already are, you should try to get some antivirus help via the web. You can also try opening task manager and killing the virus process directly, although I'm not sure if that would work. If it did kill the process, you should be able to run software to get rid of it. Do this in safe mode through the Administrative account.
June 5th, 2008, 08:13 PM
I was in safe mode with the admin account. I killed the process through task manager and somehow it kept relaunching itself. I couldn't use a web browser because the virus disabled them all (Explorer, Firefox, and Opera). Although now that the actual file "spool.exe" has been deleted I can't use any program. So even in safe mode I can't access the internet for a scan. I just created a bootable antivirus disk using Bart PE, although I'm pretty sure that won't fix my file association problem. When I get home tonight I will look at system restore. Thank you.
June 6th, 2008, 05:51 AM
This might be a long shot but it looks like it dug itself into HKEY_CLASSES_ROOT.
See if you can still run command.com. Cmd.exe is probably not working because of the borked .exe association. If command.com works try copying regedit.exe to regedit.com.
Use regedit.com to have a look at HKEY_CLASSES_ROOT. Especially the .exe and exefile keys.
Or if you're able to boot the disk, load the registry hive to have a look.
Experience is something you don't get until just after you need it.
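An added example, not part of the original thread: one way to check the two keys named in the post above from a regedit export, for instance one taken after loading the hive from a boot disk. The expected values are the stock Windows defaults; the sample exports and the handler path are constructed placeholders, and the function names are hypothetical.

```python
import re

# Stock Windows defaults for the two keys named in the post above.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

# Constructed sample exports (regedit writes v5 files as UTF-16; decode first).
CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
# Constructed altered value; the handler path is a placeholder.
ALTERED = CLEAN.replace(r'@="\"%1\" %*"',
                        r'@="\"C:\\placeholder\\handler.exe\" \"%1\" %*"')

def parse_reg_defaults(text):
    """Return {key path: default value} from regedit export text."""
    defaults, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg strings escape backslash and quote with a backslash
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def check_exe_association(text):
    """List (key, expected, found) for each deviation from the defaults."""
    # Registry key names are case-insensitive, so compare lowercased paths.
    found = {k.lower(): v for k, v in parse_reg_defaults(text).items()}
    problems = []
    for key, want in EXPECTED.items():
        got = found.get(key.lower())  # None: key or default value missing
        if got != want:
            problems.append((key, want, got))
    return problems

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("altered", ALTERED)):
        print(name, check_exe_association(sample))
```
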
June 6th, 2008, 07:16 AM
There is a fix....
Inside the zip file is a .com file you can run and a reg file that does the same thing as well. The hard part is getting one of those to run.
For the reg entry press CTRL-ALT-DEL and open Task Manager. Once there, click File, hold down the CTRL key and click New Task (Run). Now that a cmd window is open, type regedit.exe and hit enter or type in the path to the .com file and run it from there.
For the manual fix go here http://support.microsoft.com/kb/837334
Last edited by Darksnake; June 6th, 2008 at 07:25 AM.
Reason: message attachment
<chsh> I've read more interesting technical discussion on the wall of a public bathroom than I have at AO at times
June 6th, 2008, 11:43 AM
This may help:
You need to make sure that you have gotten rid of the malware first. This is just to fix the associations problem.
Last edited by nihil; June 7th, 2008 at 05:19 AM.
June 7th, 2008, 01:01 AM
Hi, I am a newbie here, but I saw your conversation about spool.exe and fought it pretty much all night. I tried all the tactics mentioned above. The virus wouldn't let me go back to restore any further than yesterday, and it had made its own restore point, so there was no way I was doing that. Both in cmd prompt and run, it pretty much took over all administrator rights. I ended up reinstalling Windows; unfortunately I did a quick format and the virus is back. It might have hopped a ride on my D: external, and if that's the case this thing is pretty untouchable. Any tips on where to go from here? Thanks.
June 7th, 2008, 05:39 AM
Hello snightwolfred, and welcome to AO.
We need to know a bit more about your setup, firstly what is your operating system and service pack/update status?
Then your hardware:
1. Laptop or desktop?
2. What drives does it have? In particular do you have a CD or DVD drive and do you have a floppy drive?
3. I notice that you have an external drive and that it is D:\, which tells me that you have only one internal hard drive, is that correct? What make is it?
4. Do you have the CD/DVD for your operating system?
5. Do you have access to another computer (friend/relative/library) where you can perform clean downloads?
6. What were you using the external drive for, or was it just attached to the system? In particular did you run any executable from the external drive?
I will wait for your replies to the above before giving you more detailed instructions.
June 9th, 2008, 10:11 AM
Hmm well I would really like to know the outcome of this?
Was this a malware or hardware problem?
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
June 9th, 2008, 11:16 AM
Hi there joshmobile & Cider,
This really is an intriguing one, and I think that we are looking at more than one problem.
1. Malware. OK a nuisance, but I have never heard of spool.exe causing damage. It is associated with trojan/worm remote access type activity. I do not believe that this is related to the HDD problems.
2. To have three HDDs "go bad" one after the other is strange. I don't really believe that was caused by hardware faults in the drives themselves. That is just too much of a coincidence for my liking.
3. RAM seems to check out.
4. Different cables were tried.
5. Different installation CDs were tried.
At this point, all I can suggest is that the PSU is defective and is killing the drives during the Windows install? After all, the Molex connector comes straight from the PSU to the HDD. If you use the same bad one, it will kill anything you attach it to.
I would suggest getting the respective manufacturers' diagnostic software, slaving the drives to another machine and running a full/deep scan. If you are offered a "repair" option then take it, otherwise, try zero-filling it.
Normally I would not recommend continued use of a defective drive, but I don't think that these drives are physically damaged, just electronically scrambled. Unfortunately, checkdisk isn't exactly the sharpest tool in the shed when it comes to these situations.
It might even be possible to "repair" these drives, but the software is quite expensive and would not be worth it, unless you encountered defective drives on a regular basis.
Is it possible that the virus is hiding somewhere else in the computer and somehow wrecking the sectors on the hdd's when I run setup?
Yes, that is quite possible but highly improbable. I think that is what this TCP (trusted computing platform) technology is all about. Basically you protect flashable components with a special EEPROM chip to keep malware out.
You see, there are a number of memory devices in your PC that are flashable. They are used to store device firmware and can be updated, which also means that they can be infected or compromised.
To do such a thing would take a considerable degree of skill and knowledge, and I hardly think that someone with those pre-requisites would stoop to something as trivial as this?
My money is on a bad PSU.