June 29th, 2004, 01:01 AM
#1
Junior Member
spoolslv.exe?
Hey everyone,
Last week a bunch of Win2k and XP Pro machines on our network started having weird problems like:
(XP) rebooting à la Blaster
could not send/receive in Outlook
could not copy and paste files
winnt and system32 dirs were blank (although the task bar would show the correct file count)
printing problems
could not open secondary windows and could not run search
some other odds and ends too
What I found was a process called spoolslv.exe that was causing all this. I could kill the process on XP reboot and seemed OK. On Win2k I had to use process mgr to kill it because it was saying access denied. Once I ended the process it would repopulate within minutes, some quicker than others, but it was pretty fast. I found in the registry where it was adding itself to the run key and also below it in the run services key. It would say "microsoft windows patch" and had the spoolslv.exe file there. Once I end the process and clean the registry I would have to reboot the machine, then go in and delete the actual file, which was located in the system32 folder.
I was trying to see how it works, and once it became infected I ran netstat... it seemed like it was trying to connect to a bunch of machines and also connecting to random IP ranges and addresses.
This thing travels pretty fast on the network and is hard to keep away. I have searched Google, Yahoo, Symantec, Trend Micro, Sophos etc... and no one has heard of it or mentioned it.
I did find that on some machines there was another file that would sometimes be with it called winhlpp32.exe in the same location. These are similar in name to normal sys files except for 1 letter. Has anyone seen or heard of this at all? Thanks
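
The post's observation that both files differ from normal system files by one letter can be turned into a check over autorun entries. This is an added example, not part of the original post: the allow-list, the sample entries, the full paths and the function names are all constructed for illustration.

```python
import re

# Constructed allow-list of genuine Windows binary names; extend it for your build.
LEGIT = {"spoolsv.exe", "winhlp32.exe", "svchost.exe", "lsass.exe",
         "services.exe", "explorer.exe"}

# Constructed autorun entries (key, value name, data) shaped like the ones the
# post describes; these are sample data, not an export from a real machine.
SAMPLE_RUN_ENTRIES = [
    ("Run", "microsoft windows patch", "spoolslv.exe"),
    ("RunServices", "microsoft windows patch", "spoolslv.exe"),
    ("Run", "helper", r'"C:\WINNT\system32\winhlpp32.exe" -q'),
    ("Run", "Spooler", r"C:\WINNT\system32\spoolsv.exe"),
    ("Run", "Updater", r"C:\Program Files\Vendor\updater.exe /silent"),
]

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exe_name(data):
    """Extract the executable's file name from an autorun value, lower-cased."""
    m = re.search(r'([^\\/"]+?\.exe)', data, re.IGNORECASE)
    return m.group(1).lower() if m else None

def imitates(name, legit=LEGIT, max_dist=1):
    """Return the genuine name that `name` is within max_dist edits of, else None."""
    if name is None or name in legit:
        return None
    return next((g for g in sorted(legit) if edit_distance(name, g) <= max_dist), None)

def suspicious_entries(entries):
    """List (key, value name, file, imitated name) for every lookalike autorun."""
    hits = []
    for key, value_name, data in entries:
        name = exe_name(data)
        target = imitates(name)
        if target:
            hits.append((key, value_name, name, target))
    return hits

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_RUN_ENTRIES):
        print("%s\\%s: %s imitates %s" % hit)
```

A name-only comparison does not catch a file that uses a genuine name from the wrong directory, so it complements a path check and does not replace one.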