Q: spoolsv.exe & spoolvse.exe (Answered, 1 Comment)
Question  
Subject: spoolsv.exe & spoolvse.exe
Category: Computers > Security
Asked by: feldmo-ga
List Price: $15.00
Posted: 14 Jan 2005 02:54 PST
Expires: 13 Feb 2005 02:54 PST
Question ID: 457101
I have a problem with two processes which are running on my PC. I
tried to stop them with antivirus software like Symantec Antivirus
2005 & Search and Destroy, but I didn't succeed. My upload is always
working when I'm connected to the internet.
I formatted my PC and within 1 h the virus got activated again :(. How
can I stop them and protect my PC from further attacks? Does anyone have info
about this virus? I tried searching on Google but didn't find anything.
Answer  
Subject: Re: spoolsv.exe & spoolvse.exe
Answered By: pcrobin-ga on 27 Jan 2005 20:14 PST
 
Hi there,
Let me tell you what I was able to dig up on spoolsv.exe and
spoolvse.exe and then talk about how to get rid of them.

Spoolsv.exe is Microsoft's Printer Spooler Service. This is a legit
and harmless file. Unfortunately it's often overwritten by the
Backdoor Ciadoor.B Trojan. This trojan sets itself up to run on system
startup. It also adds these lines to your win.ini file:
load=%Windir%\Spoolsv.exe
run=%Windir%\Spoolsv.exe
This Trojan then makes it possible for a remote user to access your
system. This user could download, install, run or delete files. He can
also take screen shots and log keystrokes that you type at your
keyboard. This is generally done in the hope of capturing passwords or
credit card information.
Additional background information and removal instructions for
Backdoor.Ciadoor.B can be found at
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ciadoor.b.html.

Spoolvse.exe installs with WORM_SDBOT.AJJ. You'll find it in your
Windows\System or System32 folder and you may see it described as
"Start Extracting". This worm spreads across weakly protected
networks. It takes advantage of RPC and DCOM security holes in
Microsoft Windows. More info can be found at
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx and
a security update/patch is available at
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.
This worm also allows a remote user access to your computer. Users
also report that it can terminate running processes, including
antivirus and anti-spyware programs. Additional background information
and removal instructions can be found here:
http://fr.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_SDBOT.AJJ

The links above show you how to edit your registry to remove
references to these files. If you do opt to give it a try, please make
a backup of your registry first. To do this, go to your START menu and
click on RUN. Type "Regedit". A new window will open. Click "File",
click "Export", type a name (I usually use the date) and click SAVE.


If you don't want to mess with your Windows registry, hopefully we can
automate the removal process. When spoolvse.exe is in memory, your
antivirus program (Norton Antivirus 2005) may not work right. If you
have NAV 2005 on a CD, put that CD in the drive and reboot your system.
As long as the disk is in the drive and it's a fairly new system, it
should boot from the Norton CD-ROM. This way you'll be able to scan
your system without having the virus-related files in memory. Run a
full scan and let it clean whatever it finds.

If you don't have the NAV CD available, try the free web-based scan at
http://housecall.trendmicro.com/. Again, let it clean whatever it
finds.

Next, boot your system into Safe mode. 
Restart the computer. The computer begins processing a set of
instructions known as the Basic Input/Output System (BIOS). What is
displayed depends on the BIOS manufacturer. Some computers display a
progress bar that refers to the word BIOS, while others may not
display any indication that this process is happening.
As soon as the BIOS has finished loading, begin tapping the F8 key on
your keyboard. Continue to do so until the Windows Advanced Options
menu appears. If you begin tapping the F8 key too soon, some computers
display a "keyboard error" message. To resolve this, restart the
computer and try again.
Using the arrow keys on the keyboard, scroll to and select the Safe
mode menu item, and then press Enter.
Click Start > Search > Files or Folders. Enter spoolvse.exe. When found, delete it.

If you've done this and the virus (or viruses) still comes back, it
could be hiding in System Restore. Try disabling System Restore and
repeat the removal process:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

If you need anything, just email me (pcrobin@yahoo.com)!
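The persistence the answer describes relies on the legacy win.ini autostart keys (load= and run= under [windows]), which Windows still honours and which most tools never look at. The following is an added example, not code from the original thread or from any vendor write-up: a small checker that parses the [windows] section, expands %Windir%-style variables, and flags any entry that either reuses a known system binary name (spoolsv.exe) from a location other than System32, starts such a service binary from win.ini at all, or carries a lookalike name such as spoolvse.exe. The sample win.ini text and the environment mapping are constructed for the demo; the legitimate spooler path %Windir%\System32\spoolsv.exe is an assumption based on the default install.

```python
"""Scan the legacy win.ini load=/run= autostart keys for the tampering described above.

Added example, not part of the original Google Answers thread. Assumes the
legitimate Print Spooler binary is %Windir%\\System32\\spoolsv.exe (the Windows
default) and takes the win.ini text as a string so it can be run offline.
"""
import configparser
import ntpath
import re
from dataclasses import dataclass

KNOWN_SYSTEM_BINARIES = {"spoolsv.exe"}  # names malware reuses or mimics
LOOKALIKE_MAX_DISTANCE = 2               # "spoolvse" is two edits from "spoolsv"

# Constructed sample: the two lines quoted in the answer plus a spoolvse.exe entry.
SAMPLE_WIN_INI = """[windows]
load=%Windir%\\Spoolsv.exe
run=%Windir%\\Spoolsv.exe C:\\WINDOWS\\System32\\spoolvse.exe
NullPort=None

[Extensions]
txt=notepad.exe ^.txt
"""
SAMPLE_ENV = {"Windir": r"C:\WINDOWS"}  # assumed environment of the scanned machine


@dataclass
class Finding:
    path: str
    reason: str


def expand_env(path: str, env: dict) -> str:
    """Expand %VAR% references the way Windows does (variable names are case-insensitive)."""
    lower_env = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lower_env.get(m.group(1).lower(), m.group(0)), path)


def parse_autostart(ini_text: str) -> list:
    """Return the programs listed under load= and run= in the [windows] section."""
    # interpolation=None so %Windir% is not treated as a configparser reference
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    section = next((s for s in cfg.sections() if s.lower() == "windows"), None)
    if section is None:
        return []
    entries = []
    for key in ("load", "run"):
        value = cfg.get(section, key, fallback="")
        # win.ini accepts several programs per key, separated by spaces or commas
        entries.extend(p for p in re.split(r"[\s,]+", value.strip()) if p)
    return entries


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def assess(entries: list, env: dict) -> list:
    """Flag entries that reuse a system binary name, start one from win.ini, or mimic one."""
    system32 = expand_env(r"%Windir%\System32", env).lower()
    findings, seen = [], set()
    for raw in entries:
        path = expand_env(raw, env)
        if path.lower() in seen:          # load= and run= often carry the same entry
            continue
        seen.add(path.lower())
        name = ntpath.basename(path).lower()
        stem = ntpath.splitext(name)[0]
        if name in KNOWN_SYSTEM_BINARIES:
            if ntpath.dirname(path).lower() != system32:
                findings.append(Finding(path, f"legitimate name {name} launched from outside {system32}"))
            else:
                # the real spooler is started by the Service Control Manager, never by win.ini
                findings.append(Finding(path, f"service binary {name} autostarted from win.ini"))
            continue
        for known in KNOWN_SYSTEM_BINARIES:
            dist = osa_distance(stem, ntpath.splitext(known)[0])
            if 0 < dist <= LOOKALIKE_MAX_DISTANCE:
                findings.append(Finding(path, f"{name} looks like {known} (edit distance {dist})"))
                break
    return findings


def scan_win_ini(ini_text: str, env: dict) -> list:
    """Parse win.ini text and return the suspicious autostart entries."""
    return assess(parse_autostart(ini_text), env)


if __name__ == "__main__":
    for f in scan_win_ini(SAMPLE_WIN_INI, SAMPLE_ENV):
        print(f"{f.path}: {f.reason}")
```

On a live machine you would pass the contents of %SystemRoot%\win.ini and `os.environ` (whose `windir` key is matched case-insensitively) instead of the constructed sample. The lookalike check uses a transposition-aware edit distance so that a swapped letter pair such as spoolvse versus spoolsv scores 2, not 3; keep the threshold low, since a larger one will start matching unrelated short names.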
Comments  
Subject: Re: spoolsv.exe & spoolvse.exe
From: calboater-ga on 14 Jan 2005 16:21 PST
 
Go to Norton Online Security Check and you will find their server can
check your HDD for bugs. It's the only way I could rid my PC of similar
problems.

http://securityresponse.symantec.com/
