Solved

Weird bug...Maybe a Trojan? or a Virus?

Posted on 2003-11-02
14
858 Views
Last Modified: 2013-12-04
Ok, so just recently my computer started performing 3 strange things. I'm not if they're related or not, but my best is "yes."
First, the computer freezes up on me at random times...when this happens I cannot move the mouse, nor click on anything, or use the keyboard. The only option was to unplug the computer.
Second, McAfee AnitiVirus won't run anymore, I start it up, but after a minute or so, it has a program error and quits.
Third, there is a process running called "spoolvq.exe", which I had never noticed before, and always uses around 12-16,000k in the Processes list.

Here are some basics:
I'm running Windows 2000 Pro with the latest service pack.
I have the latest ZoneAlarm firewall running constantly.

If anyone can help me with this before I have to reformat the hard drive, I will would appreciate it enormously.

Thanks in advance!!
0
Comment
Question by:skyboysky
  • 7
  • 3
  • 2
  • +2
14 Comments
 
LVL 2

Expert Comment

by:aleshm
Comment Utility
Try installing AdAware and run it... see if it finds anything.
Uninstall & reinstall McAfee, and/or perhaps Norton Antivirus.
Run scandisk on your hard drive(s) and see if it reports any errors, problems, etc.

What about Windows Update? All patches applied?

Also try uninstalling ZoneAlarm and see if it helps.

Report back!

A.
0
 
LVL 49

Expert Comment

by:sunray_2003
Comment Utility
0
 

Author Comment

by:skyboysky
Comment Utility
some more info that could help:

I have already run the latest (and updated) versions of AdAware and SpyBot. I have uninstalled and re-installed McAfee, then uninstalled again when I saw the problem repeat itself. I then installed Norton, which for some reason could not run it's LiveUpdate. (I've had either McAfee and Norton running and updated for years on this machine without problems). And lastly, I do have the latest patches and updates from Windows. I'm scared to uninstall or stop ZoneAlarm because this "spoolvq.exe" always tries to connect to the internet, and a couple of times has tried to SEND EMAIL.

Any other suggestions? HELP!

Thanks,
T
0
 
LVL 2

Expert Comment

by:aleshm
Comment Utility
Unplug your machine from the net and try to uninstall and perhaps manually stop this service and find the file on your HD and delete it.

A.
0
 

Author Comment

by:skyboysky
Comment Utility
Ah! One more weird thing just started happening: when I go to START > RUN > "regedit", the Registry Editor has been disabled. I get the following message: "Registry editing has been disabled by your administrator."

Strange thing is that I AM THE ADMINISTRATOR!
0
 
LVL 4

Assisted Solution

by:speyfisher
speyfisher earned 300 total points
Comment Utility
This virus seems to be spread by a bogus "Internet Explorer Update" received by email.  This would explain 'spoolvq.exe'
________________________________________
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100758

The virus copies itself to the WINDOWS directory using the name "spool"  or smss  followed by 2 random characters, followed by .exe.   A registry key is created to load that file at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "Service Host" = %WinDir%\spool (random characters) .exe
________________________________________
 
0
 

Author Comment

by:skyboysky
Comment Utility
speyfisher, this is EXACTLY what I've got. Wow....thanks a ton. Now my problem is REMOVING it. The McAfee and Symantec sites both inform me to simply run a scan and clean/delete the infected files. However the virus makes it impossible for me to even RUN an antivirus. So how can I delete it? The virus (in spoolvq.exe) recreates itself.

Thanks again,
t
0
Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

 
LVL 4

Expert Comment

by:speyfisher
Comment Utility
did you see this post about Windows System Restore utility that the virus may use to back itself up?

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
0
 

Author Comment

by:skyboysky
Comment Utility
yep, I had seen that one, however I'm using Win2000Pro
0
 
LVL 4

Expert Comment

by:speyfisher
Comment Utility
I just cleaned a machine that had over created 400 clones of itself on a machine.      The anti-virus software was being shutdown by the virus.  I removed all the registry keys that the virus had created, and changed back the keys it had modified.  I also renamed my anti-virus .exe file so the virus would not find it and shut it down.

Prevent this thing from starting up, try renaming your anti-virus_program.exe in if it is still being stopped.

Did you remove the viruses' registry keys? i.e. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolXX.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = Explorer.exe spoolXX.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
TORVIL
0
 

Author Comment

by:skyboysky
Comment Utility
I would try changing back my registry keys, but when I try to run regedit, it says I don't have permission (even though I'm logged in as the administrator). I'll try renaming the antivirus .exe.
0
 

Author Comment

by:skyboysky
Comment Utility
is there another way to edit my registry without using regedit?
0
 
LVL 1

Accepted Solution

by:
ctennet earned 75 total points
Comment Utility
what happens when you terminate the spoolvq.exe process? can you run the AV afterwards? if not you can try this

if you are using McAfee, like you say then you can run a command line scan. download the SDAT into the directory:

>Program Files>Common Files>Network Associates>VirusScan Engine>4.0.xx

Navigate to that directory from a command promt and run the SDAT using the /e switch to extract the update files.

ie. >SDAT4301.EXE /e

then run SCAN.EXE with the /All and /Clean switches

This will clean all infected files without needing to run the Antivirus program
0
 

Author Comment

by:skyboysky
Comment Utility
well...I never got the virus off my machine without reinstalling windows. But anyway...thanks for the help folks...
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now