Solved

Weird bug...Maybe a Trojan? or a Virus?

Posted on 2003-11-02
14
866 Views
Last Modified: 2013-12-04
Ok, so just recently my computer started performing 3 strange things. I'm not sure if they're related or not, but my best guess is "yes."
First, the computer freezes up on me at random times...when this happens I cannot move the mouse, nor click on anything, or use the keyboard. The only option was to unplug the computer.
Second, McAfee AntiVirus won't run anymore. I start it up, but after a minute or so it has a program error and quits.
Third, there is a process running called "spoolvq.exe", which I had never noticed before, and always uses around 12-16,000k in the Processes list.

Here are some basics:
I'm running Windows 2000 Pro with the latest service pack.
I have the latest ZoneAlarm firewall running constantly.

If anyone can help me with this before I have to reformat the hard drive, I would appreciate it enormously.

Thanks in advance!!
0
Comment
Question by:skyboysky
14 Comments
 
LVL 2

Expert Comment

by:aleshm
ID: 9665485
Try installing AdAware and run it... see if it finds anything.
Uninstall & reinstall McAfee, and/or perhaps Norton Antivirus.
Run scandisk on your hard drive(s) and see if it reports any errors, problems, etc.

What about Windows Update? All patches applied?

Also try uninstalling ZoneAlarm and see if it helps.

Report back!

A.
0
 

Author Comment

by:skyboysky
ID: 9666345
some more info that could help:

I have already run the latest (and updated) versions of AdAware and SpyBot. I have uninstalled and re-installed McAfee, then uninstalled it again when I saw the problem repeat itself. I then installed Norton, which for some reason could not run its LiveUpdate. (I've had either McAfee or Norton running and updated for years on this machine without problems.) And lastly, I do have the latest patches and updates from Windows. I'm scared to uninstall or stop ZoneAlarm because this "spoolvq.exe" always tries to connect to the internet, and a couple of times has tried to SEND EMAIL.

Any other suggestions? HELP!

Thanks,
T
0

 
LVL 2

Expert Comment

by:aleshm
ID: 9666363
Unplug your machine from the net and try to uninstall and perhaps manually stop this service and find the file on your HD and delete it.

A.
0
 

Author Comment

by:skyboysky
ID: 9666370
Ah! One more weird thing just started happening: when I go to START > RUN > "regedit", the Registry Editor has been disabled. I get the following message: "Registry editing has been disabled by your administrator."

Strange thing is that I AM THE ADMINISTRATOR!
0
 
LVL 4

Assisted Solution

by:speyfisher
speyfisher earned 300 total points
ID: 9666415
This virus seems to be spread by a bogus "Internet Explorer Update" received by email. This would explain 'spoolvq.exe'.
________________________________________
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100758

The virus copies itself to the WINDOWS directory using the name "spool" or "smss" followed by 2 random characters, followed by .exe. A registry key is created to load that file at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Service Host" = %WinDir%\spool(random characters).exe
________________________________________
 
0
 

Author Comment

by:skyboysky
ID: 9667274
speyfisher, this is EXACTLY what I've got. Wow....thanks a ton. Now my problem is REMOVING it. The McAfee and Symantec sites both inform me to simply run a scan and clean/delete the infected files. However the virus makes it impossible for me to even RUN an antivirus. So how can I delete it? The virus (in spoolvq.exe) recreates itself.

Thanks again,
t
0
 
LVL 4

Expert Comment

by:speyfisher
ID: 9667323
did you see this post about Windows System Restore utility that the virus may use to back itself up?

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
0
 

Author Comment

by:skyboysky
ID: 9669746
yep, I had seen that one, however I'm using Win2000Pro
0
 
LVL 4

Expert Comment

by:speyfisher
ID: 9672488
I just cleaned a machine that had created over 400 clones of itself. The anti-virus software was being shut down by the virus. I removed all the registry keys that the virus had created, and changed back the keys it had modified. I also renamed my anti-virus .exe file so the virus would not find it and shut it down.

To prevent this thing from starting up, try renaming your anti-virus_program.exe if it is still being stopped.

Did you remove the virus's registry keys? i.e. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolXX.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = Explorer.exe spoolXX.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
TORVIL
0
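A defender-side check for the persistence points speyfisher lists, as an added example that is not from this thread or from McAfee: it parses a registry export in the `regedit /e` (.reg) format and flags a Run entry that loads a spool??.exe / smss??.exe file, a Winlogon Shell value carrying anything besides Explorer.exe, and the DisableRegistryTools policy that produces the "disabled by your administrator" message. The sample export is constructed; the Run and Winlogon key names are the ones quoted in the thread, and treating DisableRegistryTools as the cause of the regedit lockout is an assumption (it is the standard policy behind that message).

```python
import re

# Constructed sample in regedit export (.reg) format containing the indicators
# described in the thread; it is not taken from a real infected machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service Host"="C:\\WINNT\\spoolvq.exe"
"ZoneAlarm"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zonealarm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe spoolvq.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# "spool" or "smss" + two random characters + ".exe", as described in the thread
DROPPER_NAME = re.compile(r"(?:^|\\)(spool|smss)..\.exe$", re.IGNORECASE)

def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; strings are unescaped, dwords become ints."""
    tree, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        tree[key][name] = data
    return tree

def find_indicators(text):
    """Return (indicator, detail) pairs for the three behaviours described in the thread."""
    tree, hits = parse_reg(text), []
    # 1. Run entry pointing at a spool??.exe / smss??.exe dropper
    for name, data in tree.get(RUN_KEY, {}).items():
        if isinstance(data, str) and DROPPER_NAME.search(data):
            hits.append(("run_entry", f"{name} -> {data}"))
    # 2. Winlogon Shell carrying anything besides Explorer.exe
    shell = tree.get(WINLOGON_KEY, {}).get("Shell", "Explorer.exe")
    extra = [t for t in shell.split() if t.lower() != "explorer.exe"]
    if extra:
        hits.append(("winlogon_shell", " ".join(extra)))
    # 3. Regedit locked out via the DisableRegistryTools policy (assumed cause of the error)
    for key, values in tree.items():
        if key.endswith(r"\Policies\System") and values.get("DisableRegistryTools", 0):
            hits.append(("regedit_disabled", key))
    return hits

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_REG):
        print(f"[{kind}] {detail}")
```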
 

Author Comment

by:skyboysky
ID: 9672707
I would try changing back my registry keys, but when I try to run regedit, it says I don't have permission (even though I'm logged in as the administrator). I'll try renaming the antivirus .exe.
0
 

Author Comment

by:skyboysky
ID: 9672725
is there another way to edit my registry without using regedit?
0
 
LVL 1

Accepted Solution

by:ctennet
ctennet earned 75 total points
ID: 9678878
what happens when you terminate the spoolvq.exe process? can you run the AV afterwards? if not you can try this

if you are using McAfee, like you say then you can run a command line scan. download the SDAT into the directory:

>Program Files>Common Files>Network Associates>VirusScan Engine>4.0.xx

Navigate to that directory from a command prompt and run the SDAT using the /e switch to extract the update files.

i.e. >SDAT4301.EXE /e

then run SCAN.EXE with the /All and /Clean switches

This will clean all infected files without needing to run the Antivirus program.
0
 

Author Comment

by:skyboysky
ID: 9732260
well...I never got the virus off my machine without reinstalling windows. But anyway...thanks for the help folks...
0
