spoolslv.exe?

[cplouffe]

Hey everyone,

Last week a bunch of win2k and xppro machines on our network started having weird problems like:
(XP) rebooting ala blaster
could not send receive in outlook
could not copy and paste files
winnt and system32 dir were blank (although task bar would show correct file count)
printing problems
could not open secondary windows and could not run search
some other odd and end stuff too

what I found was a process called spoolslv.exe that was causing all this. I could kill the process on XP reboot and seemed ok. Win2k I had to use process mgr to kill it because it was saying access denied. Once I ended the process it would repopulate within minutes some quicker than others but it was pretty fast. I found in the registry where it was adding itself to the run key and also below it in the run services key. It would say "microsoft windows patch"
and had the spoolslv.exe file there. Once I end the process and clean the registry I would have to reboot the machine then go in and delete the actual file, which was located in the system32 folder.

I was trying to see how it works and once it became infected I ran netstat... it seemed like it was trying to connect to a bunch of machines and also connecting to random ip ranges and addresses.

This thing travels pretty fast on the network and is hard to keep it away, I have searched google, yahoo, symantec,trend micro, sophos etc... and no one has heard of it or mentioned it.

I did find that on some machines there was another file that would sometimes be with it called winhlpp32.exe in the same location. These are similiar in name to normal sys files except for 1 letter. Has anyone seen or heard of this at all? Thanks

[muert0]

I found this for now. See if it helps and I'll look some more.
http://forums.devarticles.com/archive/t-7117

[cplouffe]

thanks I found that on google and it is kind of a dead end. Looks like the only thing out there. Thanks for the info

[keezel]

I don't think I've ever seen it - but it sounds familiar... Have you tried unplugging everything from the network and running individual scans with stuff like adaware/spybot s&d and good, updated Antivirus? Are there firewalls on the computers blocking all unnecessary ports? How large of a network are you talking about?

*edit*
Even though I still think you should run AV, it sounds like a worm that you'll need a specific worm removal tool for. If you run AV though it at least may be able to catch and identify exactly what you're dealing with so you can search for and download a specific removal tool. There should be instructions for the removal of the worm too like - turn off system restore, reboot in safe mode, scan, reboot into normal, and then reactivate system restore (all this on a computer that is seperated from the other computers).

[cplouffe]

yes I had about 12 machines unplugged today trying to clean them all off and I am trying to find any others that have it. We have the latest updats running symantec corp edition and I have tried scanning with sites like spywareinfo.com etc... Our network is about 175 nodes pcs and laptops. Most of the machines are not affected, so I wonder if there is a patch or service pack dif between certain ones. I am checking into that tomorrow. We are in the process over moving everyone over to a win2k3 domain with a/d and then we will use the corp edition to regulate the pcs like a firewall but are not at that point yet. If I cannot find a fix somehow, maybe I can create something that I can send to the users that would kill the process delete the file and clear the reg keys or maybe try it remotely. It is getting very time consuming of course to walk to all the machines.

[keezel]

Yeah, I know how much of a pain that can be...sorry man. Lemme know what comes up in the AV scan (hopefully *something* will come up).

This may or may not help but it never hurts:

Adaware
Spybot: Search & Destroy

I strongly recommend using one of these on any computer that actively interfaces with the web in the future, if not immediately - for the present situation. Best of luck!

[cplouffe]

thanks

[Tedob1]

sounds like w32.donk. run stinger http://download.nai.com/products/mca...rt/stinger.exe

[cplouffe]

cool I will check it out thanks

if it is something known I wonder why a current scan is not catching anythng

[Tedob1]

theres a new version of donk out. one of my remote locations got hit with it. symantec had to send us an emergency update. it'll be morphed a few more times to evade detection before its compleatly detectable...if thats what it is.