June 5th, 2008, 05:39 PM
I had the task of fixing a computer with the spool.exe virus. This computer is Windows XP SP2 with, from what I could tell, no antivirus installed. Usually when I'm fixing a computer I will use HijackThis, Spybot, Ad-Aware, and Process Explorer as tools. Even in safe mode, every program I put on the machine was automatically attacked and shut down. This was extremely frustrating, so after consulting Google I decided to delete spool.exe from C:\WINDOWS\system32\drivers. After I restarted the computer, every one of the file association paths broke. So now if I click on any program, Windows will ask me how I want to open that program. Has anyone ever dealt with this type of problem before? Right now the only option I see is fdisk, and I would rather not reinstall if there is a fix available. Thanks.
June 5th, 2008, 05:56 PM
I would say use system restore in order to get functionality back. Have you tried using one of those online antivirus scans? You probably shouldn't be connected to the network, but, if you already are, you should try to get some antivirus help via the web. You can also try opening task manager and killing the virus process directly, although I'm not sure if that would work. If it did kill the process, you should be able to run software to get rid of it. Do this in safe mode through the Administrative account.
June 5th, 2008, 09:13 PM
I was in safe mode with the admin account. I killed the process through Task Manager and somehow it kept relaunching itself. I couldn't use a web browser because the virus disabled them all (Explorer, Firefox, and Opera). Although now that the actual file "spool.exe" has been deleted I can't use any program, so even in safe mode I can't access the internet for a scan. I just created a bootable antivirus disk using BartPE, although I'm pretty sure that won't fix my file association problem. When I get home tonight I will look at system restore. Thank you.
June 6th, 2008, 06:51 AM
This might be a long shot but it looks like it dug itself into HKEY_CLASSES_ROOT.
See if you can still run command.com. Cmd.exe is probably not working because of the borked .exe association. If command.com works try copying regedit.exe to regedit.com.
Use regedit.com to have a look at HKEY_CLASSES_ROOT. Especially the .exe and exefile keys.
Or if you're able to boot the disk load the registry hive to have a look.
June 6th, 2008, 08:16 AM
There is a fix...
Inside the zip file is a .com file you can run and a reg file that does the same thing as well. The hard part is getting one of those to run.
For the reg entry press CTRL-ALT-DEL and open Task Manager. Once there, click File, hold down the CTRL key and click New Task (Run). Now that a cmd window is open, type regedit.exe and hit enter or type in the path to the .com file and run it from there.
For the manual fix go here http://support.microsoft.com/kb/837334
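The replies above all come down to the same check: HKEY_CLASSES_ROOT\.exe must point at exefile, and exefile\shell\open\command must be "%1" %*. Below is an added example script (not something posted in this thread, and not Microsoft's fix) that audits those keys against the stock Windows XP values, repairs them in place with -Repair, or writes an equivalent .reg file with -RegFile so it can be produced on a clean machine and imported with regedit through the Task Manager trick on the infected one. The expected values are stated from memory of a clean XP SP2 install and the KB 837334 fix (an assumption; compare against a known-good box if in doubt), and the script assumes PowerShell is available, e.g. from a BartPE session or once a command window can be opened. It does nothing about the malware itself; clean that first.

```powershell
# Added example, not code from the thread: audit the .exe association keys
# (HKEY_CLASSES_ROOT\.exe and HKEY_CLASSES_ROOT\exefile) against stock XP values,
# optionally repair them, and/or emit an equivalent .reg file.  Run elevated.
param(
    [switch]$Repair,      # write the stock values back into the registry
    [string]$RegFile      # also write a regedit-importable .reg file to this path
)

# Stock XP values (assumption: from memory of a clean XP SP2 install and KB 837334).
# '(default)' is the key's default value.
$Expected = [ordered]@{
    'HKEY_CLASSES_ROOT\.exe'                       = @{ '(default)' = 'exefile' }
    'HKEY_CLASSES_ROOT\exefile'                    = @{ '(default)' = 'Application' }
    'HKEY_CLASSES_ROOT\exefile\DefaultIcon'        = @{ '(default)' = '%1' }
    'HKEY_CLASSES_ROOT\exefile\shell\open\command' = @{ '(default)' = '"%1" %*' }
}

function Test-ExeAssociation {
    # Returns one line per discrepancy; no output means the keys look stock.
    $problems = @()
    foreach ($key in $Expected.Keys) {
        $path = "Registry::$key"
        if (-not (Test-Path -LiteralPath $path)) {
            $problems += "missing key: $key"
            continue
        }
        $props = Get-ItemProperty -LiteralPath $path
        foreach ($name in $Expected[$key].Keys) {
            $want   = $Expected[$key][$name]
            $actual = $props.$name
            if ($actual -ne $want) {
                $problems += ("{0} [{1}] is '{2}', expected '{3}'" -f $key, $name, $actual, $want)
            }
        }
    }
    # HKCR is a merged view: a per-user HKCU\Software\Classes\.exe or \exefile key
    # overrides the machine-wide one, so a hijack placed there survives a fix that
    # only touches HKLM.  A stock XP profile has neither key.
    foreach ($sub in '.exe', 'exefile') {
        $userKey = "HKCU:\Software\Classes\$sub"
        if (Test-Path -LiteralPath $userKey) {
            $problems += "per-user override present: $userKey (it shadows HKLM; remove it)"
        }
    }
    return $problems
}

function Repair-ExeAssociation {
    foreach ($key in $Expected.Keys) {
        $path = "Registry::$key"
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $Expected[$key].Keys) {
            Set-ItemProperty -LiteralPath $path -Name $name -Value $Expected[$key][$name]
        }
    }
}

function ConvertTo-RegFile {
    # Render $Expected as a "Version 5.00" .reg file.  String data must have
    # backslashes and double quotes escaped, so "%1" %* becomes "\"%1\" %*".
    $lines = @('Windows Registry Editor Version 5.00', '')
    foreach ($key in $Expected.Keys) {
        $lines += "[$key]"
        foreach ($name in $Expected[$key].Keys) {
            $data  = $Expected[$key][$name] -replace '\\', '\\' -replace '"', '\"'
            $label = if ($name -eq '(default)') { '@' } else { '"' + $name + '"' }
            $lines += ('{0}="{1}"' -f $label, $data)
        }
        $lines += ''
    }
    return ($lines -join "`r`n")
}

$issues = @(Test-ExeAssociation)
if ($issues.Count -eq 0) { 'exe association looks stock' } else { $issues }
if ($RegFile) {
    # regedit expects the 5.00 format as UTF-16; Unicode encoding writes that.
    ConvertTo-RegFile | Set-Content -LiteralPath $RegFile -Encoding Unicode
    "wrote $RegFile"
}
if ($Repair) {
    Repair-ExeAssociation
    'repaired; re-run without -Repair to confirm'
}
```

On the infected machine itself, where no .exe will launch, the practical path is to run this with -RegFile on a clean computer, carry the resulting file over, and import it with regedit.exe started from the Task Manager "New Task" command window described in the post above; the .reg import works even while the .exe association is broken because regedit is already running at that point. Rerun the audit afterwards, and if it reports a per-user override under HKCU\Software\Classes, delete that key before trusting the repair.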
June 6th, 2008, 12:43 PM
This may help:
You need to make sure that you have gotten rid of the malware first. This is just to fix the associations problem
June 7th, 2008, 02:01 AM
Hi, I am a newbie here, but I saw your conversation about spool.exe and fought it pretty much all night. I tried all the tactics mentioned above. The virus wouldn't let me go back to a restore point any further than yesterday, and it had made its own restore point, so there was no way I was doing that. Both in the cmd prompt and Run it pretty much took over all administrator rights. I ended up reinstalling Windows; unfortunately I did a quick format, and the virus is back. It might have hopped a ride on my D: external, and if that's the case this thing is pretty untouchable. Any tips on where to go from here? Thanks.
June 7th, 2008, 06:39 AM
Hello snightwolfred, and welcome to AO.
We need to know a bit more about your setup. Firstly, what is your operating system and service pack/update status?
Then your hardware:
1. Laptop or desktop?
2. What drives does it have? In particular do you have a CD or DVD drive and do you have a floppy drive?
3. I notice that you have an external drive and that it is D:\, which tells me that you have only one internal hard drive, is that correct? What make is it?
4. Do you have the CD/DVD for your operating system?
5. Do you have access to another computer (friend/relative/library) where you can perform clean downloads?
6. What were you using the external drive for, or was it just attached to the system? In particular did you run any executable from the external drive?
I will wait for your replies to the above before giving you more detailed instructions.
June 8th, 2008, 07:15 PM
First off, thank you guys very much for the help on the file association issue. After fighting with this for quite some time I decided to just reinstall Windows XP. This machine is a Dell Dimension 8400. I formatted the drive using the Dell Windows install disk and reinstalled Windows XP SP2. When it was done installing I tried to boot into Windows and it automatically blue screened. So I swapped out the hard drive with one that I knew was good, ran the install, and I got a blue screen again when I tried to boot into Windows. I noticed the computer was only on BIOS version 3, so I updated it to BIOS version 9. I swapped out the Dell XP install disk for a regular Windows XP install disk and swapped out the SATA cable to the HDD just in case. I ran the install, and now when I boot up it tells me that Windows didn't start properly and gives me the choice to go to Last Known Good, safe mode, or start Windows normally. Whichever one I choose just causes the computer to loop and restart. I ran memtest86 and everything passed. I'm not even sure where I should go from here. Any advice is appreciated. Thanks.
June 8th, 2008, 07:54 PM
Nuke the HDD with the bootable disk. And start the re-installation from scratch.
A single pass will do for the drive overwrite.