Windows XP

Robert Ehinger

spooldr.sys
I have an interesting situation. A client called and told me that her computer wouldn't shut down. Actually, it would shut down but then it would immediately reboot. I reset the machine so it would not restart after an error which caused me to get the infamous blue screen of death with the "PAGE_FAULT_IN_NONPAGED_AREA" error message. The STOP error was 0x00000050. I tried to do a system restore but was unable to because there was an update to Adobe Reader the day I picked. I changed the settings back so that she could at least use her computer until I could get back to it.
When I returned she told me that the machine now would boot to the desktop and then restart itself. I tried several times to start it normally with no success. Then I started the machine in Safe Mode and everything seemed to work except for her mouse. (It is not a PS/2 or USB but a parallel port mouse.) I returned to the Advanced Options screen and chose "Disable Auto Restart on System Fail." This gave me a blue screen when the computer tried to restart. The error message was "The problem seems to be caused by the following file - spooldr.sys." Again I had the "PAGE_FAULT_IN_NONPAGED_AREA" error message. The technical information was Address - F89C29BD, base at F89C1000, Date Stamp - 469e788d.
STOP 0x00000050 (0x00000000, 0xF89B69BD, 0x00000002).
The mouse also will not work in Debugging mode. From what I can tell spooldr.sys is a rootkit. With all I have mentioned above, how can I get rid of it?

Thanks!

Robert


stafi


Robert Ehinger (asker)

So, how do I download and install this if I can only boot into Safe Mode? Will Safe Mode with Networking do the trick if I can get there? It will be really interesting if I can't get the mouse to work.

Robert Ehinger (asker)

I downloaded this to my laptop and it caused nothing but trouble. I got a blue screen, it runs incredibly slowly and takes forever to open programs. There has to be a better solution.

rpggamergirl

It's gotten worse by the sound of it; ComboFix would've taken care of it earlier. It takes care of spooldr.sys and spooldr.exe and the other nasties that come with it.

If you are able to download ComboFix using another PC, and are still able to run it on the infected machine:

Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

I was able to get my computer at least functional enough to run scanware by running the computer in Safe Mode with Command Prompt and renaming SPOOLDR.SYS to SPOOLDR._YS. This enabled me to boot and access the internet afterwards. I am in the process of running scanners, etc. now. This is a quick fix to help get things going again.

-Rob

Robert Ehinger (asker)

I am having to send this from another computer because my laptop is now running so slowly. It has also lost all my passwords and Mozilla Firefox no longer opens as the default browser. Anyway, I ran ComboFix and HijackThis. Here are the results.

ComboFix 07-08-14.4 - "Robert" 2007-08-18 13:40:06.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.266 [GMT -4:00]


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Robert\Desktop.\internet explorer.lnk
C:\WINDOWS\DOWNLO~1.\ODCTOOLS
C:\WINDOWS\system32\MabryObj.dll


(((((((((((((((((((((((((   Files Created from 2007-07-18 to 2007-08-18  )))))))))))))))))))))))))))))))


2007-08-18 13:26      51,200      --a------      C:\WINDOWS\nircmd.exe
2007-08-16 21:11      <DIR>      d--------      C:\Program Files\Common Files\Avery
2007-08-16 13:42      93,184      --a------      C:\WINDOWS\system32\wvjava.dll
2007-08-16 13:42      <DIR>      d--------      C:\Program Files\PLATINUM technology
2007-08-14 21:31      <DIR>      d--------      C:\Program Files\MSXML 4.0
2007-08-07 10:35      <DIR>      d--------      C:\WINDOWS\system32\NtmsData
2007-08-01 16:03      <DIR>      d--------      C:\DOCUME~1\Robert\APPLIC~1\Roxio
2007-08-01 15:54      <DIR>      d--------      C:\Program Files\Common Files\Roxio Shared
2007-08-01 15:53      61,424      --a------      C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-08-01 15:53      57,344      --a------      C:\WINDOWS\uneng.exe
2007-08-01 15:53      49,152      --a------      C:\WINDOWS\system32\cdrtc.dll
2007-08-01 15:53      45,056      --a------      C:\WINDOWS\system32\cdral.dll
2007-08-01 15:53      23,436      --a------      C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-08-01 15:53      <DIR>      d--------      C:\Program Files\Common Files\Adaptec Shared
2007-07-30 17:41      <DIR>      d--------      C:\WINDOWS\PhotoBackup
2007-07-23 12:28      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-27 18:07      783224      --a------      C:\WINDOWS\system32\aswBoot.exe
2007-07-27 18:02      94416      --a------      C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 18:02      92848      --a--c---      C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 18:00      23152      --a------      C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 17:59      42912      --a------      C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 17:58      26624      --a------      C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 17:57      95608      --a--c---      C:\WINDOWS\system32\AVASTSS.scr
2007-07-19 02:59      3583488      --a--c---      C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 19:31      765952      --a--c---      C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 15:14      1152      --a------      C:\WINDOWS\system32\windrv.sys
2007-06-27 10:34      823808      --a--c---      C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 10:34      671232      --a--c---      C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 10:34      6058496      -----c---      C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 10:34      52224      -----c---      C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 10:34      477696      --a--c---      C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 10:34      459264      -----c---      C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 10:34      44544      -----c---      C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 10:34      384512      -----c---      C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 10:34      383488      -----c---      C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 10:34      27648      --a--c---      C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 10:34      267776      -----c---      C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 10:34      232960      -----c---      C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 10:34      230400      -----c---      C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 10:34      193024      --a--c---      C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 10:34      153088      -----c---      C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 10:34      132608      --a--c---      C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 10:34      124928      -----c---      C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 10:34      1152000      --a--c---      C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 10:34      105984      -----c---      C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 10:34      102400      -----c---      C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 04:27      63488      -----c---      C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 04:27      625152      -----c---      C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 04:27      13824      -----c---      C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 03:00      161792      --a--c---      C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 02:08      1104896      --a------      C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08      1104896      -----c---      C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31      282112      --a------      C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31      282112      -----c---      C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 06:23      1033216      --a------      C:\WINDOWS\explorer.exe
2007-06-13 06:23      1033216      -----c---      C:\WINDOWS\system32\dllcache\explorer.exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\HOME-8F2B915D5D\EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 06:00]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 18:03]
"Auto EPSON Stylus Photo R200 Series on FAMILY-HGJM2O4R"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 06:00]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-11-30 21:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli ACGina

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
backup=C:\WINDOWS\pss\Forget Me Not.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Robert^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
backup=C:\WINDOWS\pss\OpenOffice.org 2.1.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus Photo RX580 Series on MR-D25F737AA276]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE /FU "C:\WINDOWS\TEMP\E_S273.tmp" /EF "HKCU"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMGAG]
RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]
C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMMONWND]
rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Modem Update Reminder]
C:\WINDOWS\MWW32\manager\mwremind.exe autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"E:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryBot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]
C:\Program Files\SpyNoMore\SNM.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
tp4ex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrackPointSrv]
tp4serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
E:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS
R1 BIOS;BIOS;\??\C:\WINDOWS\system32\drivers\BIOS.sys
R1 IBMTPCHK;IBMTPCHK;\??\C:\WINDOWS\System32\Drivers\IBMBLDID.sys
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys
R3 Tp4Track;PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys
S3 AEIWL;IBM High Rate Wireless LAN MiniPCI Combo Card Driver;C:\WINDOWS\system32\DRIVERS\AEIWLNDS.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;C:\WINDOWS\system32\DRIVERS\rtl8180.sys
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys
S3 neo20xx;neo20xx;C:\WINDOWS\system32\DRIVERS\neo20xx.sys
S3 ThinkPadDSP;ThinkPad DSP Driver Service;C:\WINDOWS\system32\DRIVERS\mwwdm.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\AUTORUN\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69c2f842-4cad-11db-823b-806d6172696f}]
AutoRun\command- E:\Program Files\Broderbund\AG CreataCard\Unlock\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a5ed972-e094-11db-a732-0020e08a400b}]
AutoRun\command- setupSNK.exe


Contents of the 'Scheduled Tasks' folder
2007-08-17 21:28:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-01-17 14:25:54 C:\WINDOWS\Tasks\BMMTask.job
2007-08-18 21:37:34 C:\WINDOWS\Tasks\RegCure Program Check.job
2007-08-16 12:42:57 C:\WINDOWS\Tasks\RegCure.job
2007-08-18 21:37:29 C:\WINDOWS\Tasks\XoftSpySE 2.job - C:\Program Files\XoftSpySE\XoftSpy.exe
2007-08-14 12:44:23 C:\WINDOWS\Tasks\XoftSpySE.job - C:\Program Files\XoftSpySE\XoftSpy.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-18 17:41:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\HOME-8F2B915D5D\\EPSON Stylus Photo R200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE /P48 \"\\\\HOME-8F2B915D5D\\EPSON Stylus Photo R200 Series\" /O6 \"USB001\" /M \"Stylus Photo R200\""

Completion time: 2007-08-18 18:23:00 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-18 18:22

      --- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 6:42:46 PM, on 08/18/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\system32\ctfmon.exe
E:\PROGRA~1\CAMDEV~1\CAMUNZ~1\cuz.exe
C:\DOCUME~1\Robert\LOCALS~1\Temp\HijackThis.exe
c:\program files\mcafee.com\agent\mcupdate.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - E:\PROGRA~1\IEFlash.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [\\HOME-8F2B915D5D\EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P48 "\\HOME-8F2B915D5D\EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on FAMILY-HGJM2O4R] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P54 "Auto EPSON Stylus Photo R200 Series on FAMILY-HGJM2O4R" /O25 "\\FAMILY-HGJM2O4R\Printer" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: mysql - Unknown owner - E:\Program Files\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=E:\Program Files\xampp\mysql\bin\my.cnf" mysql (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: System Update (SUService) -   - c:\program files\lenovo\system update\suservice.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe


Please help me determine the problem and also advise on how to read these reports.

Thank you!

Robert

After running the scanners, I found that a trojan file infected both spooldr.sys and tcpip.sys. The scanner corrected the issues, and things are working so far.

So the solution that I can offer is as follows:
A) Start Windows in Safe Mode with Command Prompt.
B) Rename C:\Windows\System32\sysldr.sys to sysldr_ys
C) Reboot and run a virus scanning/cleaning utility as well as an adware tool (make sure to clean any infected files).

This worked for me.
-Rob

Oh, I will mention that the trojan caused Housecall to fail, as I usually use both a web-based and a local scanner. It actually crashed Internet Exploder when it was trying to clean the files. Use a local virus scanner first. I use AVG Free Edition and Lavasoft Ad-Aware with good results.

-Rob

Robert Ehinger (asker)

"So the solution that I can offer is as follows:
A) Start Windows in Safe Mode with Command Prompt.
B) Rename C:\Windows\System32\sysldr.sys to sysldr_ys
C) Reboot and run a virus scanning/cleaning utility as well as an adware tool (make sure to clean any infected files)."

I did all of that and no infected files were found. The above logs were the results after running the scans.

Robert Ehinger (asker)

Also, my CPU usage continually spikes to 100%. If I am reading an email it will drop to an acceptable level, but as soon as I open a different email, delete the one I had been reading or open any application it jumps back to 100%. There are several processes that fluctuate wildly, including explorer.exe, svchost.exe, csrss.exe and taskmgr.exe.

rpggamergirl

E:\PROGRA~1\CAMDEV~1\CAMUNZ~1\cuz.exe <-- do you know what this program is?

You have two antivirus programs there? Avast and McAfee? You need to have only one antivirus with real-time protection; having two will only make them conflict with each other and corrupt the system.
Please uninstall one of them.

Robert Ehinger (asker)

I have had two anti-virus programs for over a year with no performance issues. I usually have one disabled and then use both when I run a scan. I did not have any problems until I ran http://www.greatis.com/security/Removal_Spooldr.exe_Spooldr.sys_rootkit.htm as suggested. I do not know what E:\PROGRA~1\CAMDEV~1\CAMUNZ~1\cuz.exe is.

sim2k_support

All -

Something must be going around. We have one client machine and possibly two (a different client) experiencing the same sudden-onset random BSOD. Both reported starting this past week. Same precursors, with the 0x0000050 errors suggesting RAM or driver problems. On the one, I finally (after scanning online with TrendMicro and removing a Trojan) got it to consistently crash, and the error message was a problem with spooldr.sys. I'm going down the rootkit path to see if that clears things up and will keep you advised as to progress or not.

sim2k_support

All -

I've fixed my first problem. It was indeed a virus, several in fact. Housecall (TrendMicro) only got part of them. BitDefender's online free scan got lots more, and after scanning, rebooting, scanning, rebooting and scanning again, I've got a clean report and no more crashes.

Here's the BitDefender report in case there is anything in it that triggers something to look for for the rest. TCPIP.SYS was, in fact, part of the problem. I don't see that SPOOLDR.SYS (which I renamed to SPOOLDR._YS) was, but since I can identify no reason for it, I'm deleting it too. Oops. Just did a search and indeed nasty SPOOLDR was found (by TrendMicro in the initial scans and again by BitDefender). Looks like this was like Yeller's situation. Must be something going around. Hope this helps. Sorry for how the paste turned out.

BitDefender Online Scanner

Scan report generated at: Sun, Aug 19, 2007 - 14:34:13

***BitDefender log removed by rpggamergirl, Zone Advisor***

Robert Ehinger (asker)

I have run another spyware scan and found five severe threats and am in the process of running another Ad-Aware scan. So far it has found 321 infections. I will run TrendMicro and BitDefender next to see if that helps.

Thanks!!

Robert

Also try SuperAntiSpyware (free edition)

http://www.superantispyware.com/

rpggamergirl

>>I usually have one disabled and then use both when I run a scan.<<
Both antivirus programs are showing in your running processes; that's why I asked.
Not scanning with both at the same time, I hope.


BitDefender's log found most files that are already in Trend's quarantine and in the System Restore points which can be easily deleted by flushing the restore points. But most importantly it deleted the infected tcpip.sys

tcpip.sys are patched(of filesize around 375168 bytes) and it's the one loading the 2 spooldr's
spooldr.exe runs as a process and spooldr.sys stealths it.
If the exe process gets killed, the machine BSODs during reboot

The tcpip.sys copies from System32\drivers and dllcache are patched, so they need to be replaced/deleted. You can then copy from the remaining uninfected file or from another machine.

Avatar of Robert EhingerRobert Ehinger🇺🇸

ASKER

But that was not my BitDefender log. I am still trying to determine why my computer is so slow. It took over four hours to run SpyNoMore and now TrendMicro has been running for two hours. The explorer.exe process has been running at anywhere from 35% to 80%. My CPU usage constantly spikes to 100%.



If you didn't already, scan with the following antivirus programs. All of them are free, just google them. If your CPU is at 100%, you are more likely still infected:
smithfraudfix.exe
vundofix.exe
rustbfix.exe
AVG Rootkit Scanner
Dr.Web.Cureit
sdfix.exe
SpyBot Search and Destroy
SuperAntispyware
AdwarePersonal
A very important scan is mwav.exe. The problem with it is that you have to manually delete the infected files or buy the e-scan. It will also show registry errors that might be slowing down the computer. If you can't find how to delete the errors, post the log file.
And make sure you update the ones that can be updated.

When you run HijackThis, click the following entries to delete them:
E:\PROGRA~1\CAMDEV~1\CAMUNZ~1\cuz.exe. I am not sure about this one, but it shouldn't be running at startup. I recommend you fix it.
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: mysql - Unknown owner - E:\Program Files\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=E:\Program Files\xampp\mysql\bin\my.cnf" mysql (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

In a Run dialog box type:
msconfig and hit Enter.
On the window that opens click the Startup tab, uncheck all entries except for your current antivirus and firewall (you could leave ctfmon.exe as well), apply and reboot.
Download CCleaner (it is free), install and run it. Click the Analyze button first and, when the scan completes, click the Run Cleaner button. Click on the Issues tab, scan again and fix issues.
And also, after you are sure your system is clean, turn off System Restore and then turn it back on. This will delete the System Restore points.
After you scan your system and do all of the above, post a HijackThis log file again.
Sorry for the brief explanation, but there is so much to do on your system that it could take me a day if I had to give you detailed instructions. If you have problems with any of the above, post a message. Good luck!

Forgot: when you use the msconfig tool, leave only one antivirus to start up with Windows (all files associated with it), not both. You could always load the second one manually if that is what you want.



Avatar of rpggamergirlrpggamergirl🇦🇺

>>But that was not my BitDefender log.<<
I assumed it was BitDefender's log when I read the lines below that say:

>>BitDefender Online Scanner
Scan report generated at: Sun, Aug 19, 2007 - 14:34:13<<


snazy,
Please be careful what you suggest to Askers, especially when you ask them to fix HijackThis entries, which can have bad consequences.
HijackThis has a bug that falsely reports O9 and O23 entries as "file missing" even if the file really exists.

As you can see from those O23 Avast entries where it says "file missing" but the file is there, that's his other antivirus, and Avast is there in the running processes. If he fixes those entries it will greatly affect Avast; O23 entries correspond to programs' services.


">>But that was not my BitDefender log.<<"

rpggamergirl, the emphasis there should be on "my", that report was posted by a different poster, leading to some confusion :)

Avatar of sim2k_supportsim2k_support🇺🇸

Sorry for the confusion.  I merely posted because we were seeing similar occurrences in two of our client computers and since we had used some of these suggestions in diagnosing and correcting our situation, thought it might be helpful to others as it seems that something is happening on this front.



Avatar of Robert EhingerRobert Ehinger🇺🇸

ASKER

OK, I have run everything suggested but still have a sluggish computer. The CPU usage still spikes to 100% on a regular basis, with explorer.exe, msiexec.exe and csrss.exe seeming to be the main culprits. Whenever they run nothing else can, because they will go to 75 to 100% of usage.

Quick Solution ...

Boot into Safe Mode.
open Folder Options and select "Show all files" and Uncheck "Hide system files"
Go to C:\Windows and rename SPOOLDR.EXE to anything (ex. "SPOOLDR.EXE.OLD")
expand TCPIP.SYS from XP Cd to C:\Windows\System32\Drivers and Overwrite what is there
Reboot into Normal mode and no more BSOD caused by SPOOLDR.SYS

You can run anything that you want to delete rest of files.
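The tcpip.sys check and replacement described in the Quick Solution above, and in rpggamergirl's note that both the System32\drivers and dllcache copies are patched, as an added batch script that is not part of the original thread. It assumes the XP CD is in drive D: and that it is run from an Administrator command prompt in Safe Mode; the only tools used (expand, fc, copy, ren) ship with XP.

```batch
@echo off
rem Added example (not from the thread): check whether the two tcpip.sys copies
rem the thread says get patched (System32\drivers and dllcache) match the
rem original from the XP CD, and replace them only when they differ.
rem Assumptions: the XP CD is in drive D: (edit CDROM), and this runs from an
rem Administrator command prompt in Safe Mode, as the Quick Solution describes.
setlocal
set "CDROM=D:"
set "DRV=%SystemRoot%\System32\drivers\tcpip.sys"
set "CACHE=%SystemRoot%\System32\dllcache\tcpip.sys"
set "REF=%TEMP%\tcpip.sys.fromcd"

rem The CD keeps the driver compressed as i386\tcpip.sy_; expand.exe unpacks it.
expand "%CDROM%\i386\tcpip.sy_" "%REF%" >nul
if not exist "%REF%" (
    echo Could not expand tcpip.sy_ from %CDROM%\i386
    exit /b 1
)

rem Print the size of every copy; the thread reports the patched file at about 375168 bytes.
for %%F in ("%REF%" "%DRV%" "%CACHE%") do if exist %%F echo %%~zF bytes  %%~F

rem fc /b compares byte by byte and sets errorlevel 1 when the files differ.
rem Both copies are replaced because Windows File Protection restores drivers
rem from dllcache, so a patched dllcache copy would simply come back.
for %%F in ("%DRV%" "%CACHE%") do (
    if exist %%F (
        fc /b "%REF%" %%F >nul
        if errorlevel 1 (
            echo %%~F differs from the CD copy: keeping it as .patched and replacing it
            copy /y %%F "%%~F.patched" >nul
            copy /y "%REF%" %%F >nul
        ) else (
            echo %%~F matches the CD copy
        )
    )
)

rem Last step of the Quick Solution: move spooldr.exe out of the way (rename, not delete).
if exist "%SystemRoot%\spooldr.exe" ren "%SystemRoot%\spooldr.exe" spooldr.exe.old
endlocal
```

The .patched copies are kept so the suspicious driver can still be submitted to a scanner before it is discarded.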

Avatar of Robert EhingerRobert Ehinger🇺🇸

ASKER

I have tried all but the last solution and the new problem is that now my CD and DVD ROMs don't work. They did before we started this troubleshooting. If I put a disk in, the disk is recognized and I can actually view the contents of the disk, but I cannot run anything on the disk. I have tried by simply inserting the disk, I have tried from My Computer and double clicking the drive's icon, I have tried by right clicking and trying to run from the pop-up menu and I have tried by going to Start, Run and then browsing for the setup file. In all cases I get the same thing: it acts like it is going to load the program, but after a few seconds of first seeing a disk icon and then the hourglass, it just stops.
What have we done to cause this?

Thanks!!

Robert



Avatar of Robert EhingerRobert Ehinger🇺🇸

ASKER

Also, I am not quite sure what is meant by "expand TCPIP.SYS from XP Cd to C:\Windows\System32\Drivers and Overwrite what is there." Am I to copy the TCPIP.SYS from the CD to the C:\Windows\System32\Drivers folder on my hard drive?

Thanks!!

Robert

Sorry for my previous mistake. Did you run rustbfix.exe or AVG RootKit Scanner?
You can also go to http://virusscan.jotti.org/
browse to C:\Windows\System32\Drivers\TCPIP.SYS and scan it to see if it is infected before you replace it.
Note that it might take a few minutes for the Submit button to appear.

Avatar of Robert EhingerRobert Ehinger🇺🇸

ASKER

And why do I need four instances of the svchost.exe process? Could that be part of the problem?



Having multiple instances of the svchost process is quite normal. That process hosts various Windows services. To see what is being run within each, type "tasklist /svc" at a command prompt.

I have not been following this thread too closely, but did you run RootkitRevealer yet?
If not, please do, and save the resulting log to a text file, then copy and paste here (or just the first 30 lines or so if it is too long)

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
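The "tasklist /svc" check suggested above, as an added batch script that is not part of the original thread: it lists each svchost.exe instance with the services it hosts and then looks up the ServiceDll each service loads from the registry, so the four instances the asker sees can be judged by what they actually run. It assumes only the tasklist and reg commands that ship with XP.

```batch
@echo off
rem Added example (not from the thread): map every svchost.exe instance to the
rem services it hosts, then show the DLL each service is registered to load so
rem an unexpected DLL path stands out. Uses only XP built-ins (tasklist, reg).
setlocal enabledelayedexpansion
rem /fo csv keeps the whole service list on one line, unlike the default table
rem output, which wraps long lists; skip=1 drops the CSV header row.
for /f "skip=1 tokens=2,* delims=," %%P in ('tasklist /svc /fo csv /fi "imagename eq svchost.exe"') do (
    echo.
    echo svchost.exe PID %%~P hosts: %%~Q
    rem %%~Q strips the quotes, leaving a comma-separated list a plain FOR can walk.
    for %%N in (%%~Q) do (
        set "DLL=(no ServiceDll value)"
        rem Services hosted by svchost record their DLL under the Parameters key.
        for /f "tokens=2,*" %%K in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\%%N\Parameters" /v ServiceDll 2^>nul ^| find /i "ServiceDll"') do set "DLL=%%L"
        echo     %%N  -^>  !DLL!
    )
)
endlocal
```

Several svchost.exe instances are normal on XP; what matters is that every listed DLL is a path you recognise under %SystemRoot%\System32.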

Avatar of Robert EhingerRobert Ehinger🇺🇸

ASKER

HKU\DEFAULT\Control Panel\Internetional_combofixbackup        2007-08-21   0 bytes  Security mismatch
HKU\DEFAULT\Control Panel\Internetional_combofixbackup\Geo 2007-08-21   0 bytes  Security mismatch
HKU\S-1-5-18                     Error dumping hive. The system cannot find the
HKLM\SAM                         Error mapping hive file. The system cannot find
HKLM\SECURITY                Error dumping hive. Insufficient system resources
HKLM\SYSTEM                  Error dumping hive. The system cannot find the
F:                                       Error muniting volume

An error occurred in CMD.EXE that prevents RootkitRevealer form accurately analyzing your system.
If CMD.EXE is available on your system please report this failure.

I tried running again and got this message:
"Error loading helper driver: Access denied." But after clicking OK it ran and I got the following:

HKU\DEFAULT\Control Panel\Internetional_combofixbackup        2007-08-21   0 bytes  Security mismatch
HKU\DEFAULT\Control Panel\Internetional_combofixbackup\Geo 2007-08-21   0 bytes  Security mismatch
HKU\S-1-5-18\Control Panel\Internetional_combofixbackup         2007-08-21   0 bytes  Security mismatch
HKU\S-1-5-18\Control Panel\Internetional_combofixbackup\Geo 2007-08-21   0 bytes  Security mismatch      
HKLM\SECURITY\Policy\Secrets\SAC*                                         2007-05-09   0 bytes  Key name contains embedded nulls(*)
HKLM\SECURITY\Policy\Secrets\SAI*                                         2007-05-09   0 bytes  Key name contains embedded nulls(*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed             2007-08-23  80 bytes  Data mismatch between Windows API and raw hive date.

I ran it once more and got the same thing as the second list above. After each attempt I got the same error message - An error occurred in CMD.EXE that prevents RootkitRevealer form accurately analyzing your system.
If CMD.EXE is available on your system please report this failure.

The second and third time I ran the application there was no mention of the F: drive.

The only way to shut the computer down now is with the power button. If I click to shut down, all I get is the window asking me to switch users, and there is only one user on this machine.

ASKER CERTIFIED SOLUTION
Avatar of rpggamergirlrpggamergirl🇦🇺


Hi all,

I know this question was opened and answered a couple of months ago. I've just encountered someone with this issue and they were running Avast. They're wondering how it got past the antivirus software.

Any ideas on how to prevent this and other issues from infecting the user again?

Thanks,
Chris



Avatar of Robert EhingerRobert Ehinger🇺🇸

ASKER

Problem was not really solved. Formatted hard drive and installed clean system.