Solved

Weird bug...Maybe a Trojan? or a Virus?

Posted on 2003-11-02
Last Modified: 2013-12-04
Ok, so just recently my computer started performing 3 strange things. I'm not sure if they're related or not, but my best guess is "yes."
First, the computer freezes up on me at random times...when this happens I cannot move the mouse, nor click on anything, or use the keyboard. The only option was to unplug the computer.
Second, McAfee AntiVirus won't run anymore, I start it up, but after a minute or so, it has a program error and quits.
Third, there is a process running called "spoolvq.exe", which I had never noticed before, and always uses around 12-16,000k in the Processes list.

Here are some basics:
I'm running Windows 2000 Pro with the latest service pack.
I have the latest ZoneAlarm firewall running constantly.

If anyone can help me with this before I have to reformat the hard drive, I would appreciate it enormously.

Thanks in advance!!
Question by:skyboysky
14 Comments
 
LVL 2

Expert Comment

by:aleshm
ID: 9665485
Try installing AdAware and run it... see if it finds anything.
Uninstall & reinstall McAfee, and/or perhaps Norton Antivirus.
Run scandisk on your hard drive(s) and see if it reports any errors, problems, etc.

What about Windows Update? All patches applied?

Also try uninstalling ZoneAlarm and see if it helps.

Report back!

A.
 

Author Comment

by:skyboysky
ID: 9666345
some more info that could help:

I have already run the latest (and updated) versions of AdAware and SpyBot. I have uninstalled and re-installed McAfee, then uninstalled again when I saw the problem repeat itself. I then installed Norton, which for some reason could not run its LiveUpdate. (I've had either McAfee or Norton running and updated for years on this machine without problems). And lastly, I do have the latest patches and updates from Windows. I'm scared to uninstall or stop ZoneAlarm because this "spoolvq.exe" always tries to connect to the internet, and a couple of times has tried to SEND EMAIL.

Any other suggestions? HELP!

Thanks,
T

 
LVL 2

Expert Comment

by:aleshm
ID: 9666363
Unplug your machine from the net and try to uninstall and perhaps manually stop this service and find the file on your HD and delete it.

A.
 

Author Comment

by:skyboysky
ID: 9666370
Ah! One more weird thing just started happening: when I go to START > RUN > "regedit", the Registry Editor has been disabled. I get the following message: "Registry editing has been disabled by your administrator."

Strange thing is that I AM THE ADMINISTRATOR!
 
LVL 4

Assisted Solution

by:speyfisher
speyfisher earned 1200 total points
ID: 9666415
This virus seems to be spread by a bogus "Internet Explorer Update" received by email. This would explain 'spoolvq.exe'.
________________________________________
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100758

The virus copies itself to the WINDOWS directory using the name "spool" or "smss" followed by 2 random characters, followed by .exe. A registry key is created to load that file at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Service Host" = %WinDir%\spool(random characters).exe
________________________________________
 

Author Comment

by:skyboysky
ID: 9667274
speyfisher, this is EXACTLY what I've got. Wow....thanks a ton. Now my problem is REMOVING it. The McAfee and Symantec sites both inform me to simply run a scan and clean/delete the infected files. However the virus makes it impossible for me to even RUN an antivirus. So how can I delete it? The virus (in spoolvq.exe) recreates itself.

Thanks again,
t
 
LVL 4

Expert Comment

by:speyfisher
ID: 9667323
Did you see this post about the Windows System Restore utility that the virus may use to back itself up?

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
 

Author Comment

by:skyboysky
ID: 9669746
yep, I had seen that one, however I'm using Win2000Pro
 
LVL 4

Expert Comment

by:speyfisher
ID: 9672488
I just cleaned a machine that had created over 400 clones of itself. The anti-virus software was being shut down by the virus. I removed all the registry keys that the virus had created, and changed back the keys it had modified. I also renamed my anti-virus .exe file so the virus would not find it and shut it down.

To prevent this thing from starting up, try renaming your anti-virus program's .exe if it is still being stopped.

Did you remove the virus's registry keys? i.e. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolXX.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = Explorer.exe spoolXX.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL
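The registry locations speyfisher lists in this comment and in the McAfee description quoted earlier (the Run key "Service Host" value, the Winlogon "Shell" value, and a service entry) are standard persistence points, and the "Registry editing has been disabled by your administrator" message skyboysky reports is what Windows shows when the DisableRegistryTools policy value is set. The following Python script is an added example, not code from this thread, from McAfee, or from any of the posters: it parses a .reg export in the REGEDIT4 text format and flags those indicators so they can be reviewed before touching the registry. The embedded export is constructed for the example; the spool??.exe / smss??.exe filenames and the TORVIL service name follow the patterns the thread describes, and the DisableRegistryTools path under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System is the standard Windows policy location, which the thread itself does not name.

```python
import re

# Constructed sample of a REGEDIT4-format registry export. The file names,
# the "Service Host" value name and the TORVIL service follow the patterns
# described in the thread; DisableRegistryTools is the standard policy
# value behind the "disabled by your administrator" message.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service Host"="C:\\WINNT\\spoolvq.exe"
"ZoneAlarm"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zonealarm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe spoolvq.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL]
"ImagePath"="C:\\WINNT\\smssab.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# File name shape from the thread: "spool" or "smss", two random characters, ".exe".
SUSPECT_NAME = re.compile(r"(?:^|\\)(?:spool|smss).{2}\.exe$", re.IGNORECASE)


def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: data}}.

    Handles the subset needed here: [key] headers, quoted string values
    (with \\ and \" unescaped) and dword: values converted to int.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("REGEDIT") \
                or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def suspicious_tokens(data):
    """Return the whitespace-separated parts of a command string that match spool??.exe / smss??.exe."""
    if not isinstance(data, str):
        return []
    return [tok for tok in data.split() if SUSPECT_NAME.search(tok)]


def audit(keys):
    """Return (category, name, data) findings for the persistence points named in the thread."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        for tok in suspicious_tokens(data):
            findings.append(("run-key autostart", name, tok))
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    # A clean Windows 2000 box has Shell set to exactly "Explorer.exe";
    # anything appended to it is loaded alongside the desktop shell.
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon shell modified", "Shell", shell))
    for key, values in keys.items():
        if key.upper().startswith(SERVICES_PREFIX.upper()):
            for tok in suspicious_tokens(values.get("ImagePath", "")):
                findings.append(("service image", key[len(SERVICES_PREFIX):], tok))
    if keys.get(POLICY_KEY, {}).get("DisableRegistryTools") == 1:
        findings.append(("regedit disabled by policy", "DisableRegistryTools", 1))
    return findings


if __name__ == "__main__":
    for category, name, data in audit(parse_reg(SAMPLE_REG)):
        print(f"{category:28} {name:22} {data}")
```

To use it on a real machine, export the keys above with regedit from a known-good system, read the file into `parse_reg` (Windows 2000's default "Registry Editor Version 5.00" exports are UTF-16, the older REGEDIT4 format is ANSI, so decode accordingly) and review every finding by hand; the script only reports, it does not change anything.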
 

Author Comment

by:skyboysky
ID: 9672707
I would try changing back my registry keys, but when I try to run regedit, it says I don't have permission (even though I'm logged in as the administrator). I'll try renaming the antivirus .exe.
 

Author Comment

by:skyboysky
ID: 9672725
Is there another way to edit my registry without using regedit?
 
LVL 1

Accepted Solution

by:ctennet
ctennet earned 300 total points
ID: 9678878
What happens when you terminate the spoolvq.exe process? Can you run the AV afterwards? If not, you can try this:

If you are using McAfee, like you say, then you can run a command line scan. Download the SDAT into the directory:

>Program Files>Common Files>Network Associates>VirusScan Engine>4.0.xx

Navigate to that directory from a command prompt and run the SDAT using the /e switch to extract the update files.

ie. >SDAT4301.EXE /e

Then run SCAN.EXE with the /All and /Clean switches.

This will clean all infected files without needing to run the Antivirus program.
 

Author Comment

by:skyboysky
ID: 9732260
well...I never got the virus off my machine without reinstalling windows. But anyway...thanks for the help folks...