Solved

Weird bug...Maybe a Trojan? or a Virus?

Posted on 2003-11-02
864 Views
Last Modified: 2013-12-04
Ok, so just recently my computer started performing 3 strange things. I'm not sure if they're related or not, but my best guess is "yes."
First, the computer freezes up on me at random times...when this happens I cannot move the mouse, nor click on anything, or use the keyboard. The only option was to unplug the computer.
Second, McAfee AntiVirus won't run anymore, I start it up, but after a minute or so, it has a program error and quits.
Third, there is a process running called "spoolvq.exe", which I had never noticed before, and always uses around 12-16,000k in the Processes list.

Here are some basics:
I'm running Windows 2000 Pro with the latest service pack.
I have the latest ZoneAlarm firewall running constantly.

If anyone can help me with this before I have to reformat the hard drive, I would appreciate it enormously.

Thanks in advance!!
Question by:skyboysky
14 Comments
 
LVL 2

Expert Comment

by:aleshm
ID: 9665485
Try installing AdAware and run it... see if it finds anything.
Uninstall & reinstall McAfee, and/or perhaps Norton Antivirus.
Run scandisk on your hard drive(s) and see if it reports any errors, problems, etc.

What about Windows Update? All patches applied?

Also try uninstalling ZoneAlarm and see if it helps.

Report back!

A.
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9665665
 

Author Comment

by:skyboysky
ID: 9666345
some more info that could help:

I have already run the latest (and updated) versions of AdAware and SpyBot. I have uninstalled and re-installed McAfee, then uninstalled again when I saw the problem repeat itself. I then installed Norton, which for some reason could not run its LiveUpdate. (I've had either McAfee or Norton running and updated for years on this machine without problems). And lastly, I do have the latest patches and updates from Windows. I'm scared to uninstall or stop ZoneAlarm because this "spoolvq.exe" always tries to connect to the internet, and a couple of times has tried to SEND EMAIL.

Any other suggestions? HELP!

Thanks,
T
 
LVL 2

Expert Comment

by:aleshm
ID: 9666363
Unplug your machine from the net and try to uninstall and perhaps manually stop this service and find the file on your HD and delete it.

A.
 

Author Comment

by:skyboysky
ID: 9666370
Ah! One more weird thing just started happening: when I go to START > RUN > "regedit", the Registry Editor has been disabled. I get the following message: "Registry editing has been disabled by your administrator."

Strange thing is that I AM THE ADMINISTRATOR!
 
LVL 4

Assisted Solution

by:speyfisher
speyfisher earned 300 total points
ID: 9666415
This virus seems to be spread by a bogus "Internet Explorer Update" received by email.  This would explain 'spoolvq.exe'
________________________________________
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100758

The virus copies itself to the WINDOWS directory using the name "spool" or "smss", followed by 2 random characters, followed by .exe. A registry key is created to load that file at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Service Host" = %WinDir%\spool(random characters).exe
________________________________________
 

Author Comment

by:skyboysky
ID: 9667274
speyfisher, this is EXACTLY what I've got. Wow....thanks a ton. Now my problem is REMOVING it. The McAfee and Symantec sites both inform me to simply run a scan and clean/delete the infected files. However the virus makes it impossible for me to even RUN an antivirus. So how can I delete it? The virus (in spoolvq.exe) recreates itself.

Thanks again,
t
 
LVL 4

Expert Comment

by:speyfisher
ID: 9667323
did you see this post about Windows System Restore utility that the virus may use to back itself up?

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
 

Author Comment

by:skyboysky
ID: 9669746
yep, I had seen that one, however I'm using Win2000Pro
 
LVL 4

Expert Comment

by:speyfisher
ID: 9672488
I just cleaned a machine that had created over 400 clones of itself. The anti-virus software was being shut down by the virus. I removed all the registry keys that the virus had created, and changed back the keys it had modified. I also renamed my anti-virus .exe file so the virus would not find it and shut it down.

To prevent this thing from starting up, try renaming your anti-virus program's .exe if it is still being stopped.

Did you remove the virus's registry keys? i.e. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolXX.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = Explorer.exe spoolXX.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL
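The persistence points named across this thread (the "Service Host" Run value, the Winlogon "Shell" string with an extra executable appended, the TORVIL service, and the "Registry editing has been disabled by your administrator" message from the earlier author comment) are all visible in a regedit export, so a defender can check for them without running the infected machine's antivirus. The script below is an added example, not code from this thread, from McAfee or from any expert here. It parses the text format regedit produces and flags: Run values and service ImagePaths whose executable matches the "spool"/"smss" plus two characters naming pattern quoted from the McAfee description; a Winlogon Shell that launches anything besides explorer.exe; and a DisableRegistryTools policy value of 1, which is the policy behind that regedit message. The SAMPLE_REG export, the C:\WINNT paths and the "spoolvq"/"smssab" file names inside it are constructed for the example; on a real case you would feed it an export taken from the suspect system.

```python
"""Audit a regedit (.reg) export for the persistence artefacts described in the thread."""
import re
from collections import defaultdict

# Constructed sample export (not taken from any real machine). It mirrors the keys
# named in the thread: a Run value in %WinDir%, an appended Winlogon Shell entry,
# the policy that produces "Registry editing has been disabled", and a service.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service Host"="C:\\WINNT\\spoolvq.exe"
"ZoneAlarm"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zonealarm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe spoolvq.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL]
"ImagePath"="C:\\WINNT\\smssab.exe"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Naming pattern quoted from the McAfee description: "spool" or "smss", 2 random chars, ".exe"
SUSPECT_EXE = re.compile(r'^(spool|smss)[a-z0-9]{2}\.exe$', re.I)
# An executable file name inside a command line (no path separators, spaces or quotes)
EXE_TOKEN = re.compile(r'[^\\\s"]+\.exe', re.I)

def decode_data(data):
    """Turn a .reg value payload into a Python value (strings and DWORDs only)."""
    if data.startswith('"') and data.endswith('"') and len(data) >= 2:
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.lower().startswith('dword:'):
        return int(data[6:], 16)
    return data  # hex(...) blobs, expand strings etc. are kept as raw text

def parse_reg(text):
    """Parse regedit export text into {lowercased key path: {value name: data}}."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('Windows Registry Editor', ';')):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current]  # register the key even if it carries no values
            continue
        if current is None:
            continue
        if line.startswith('@='):
            name, payload = '@', line[2:]
        else:
            m = VALUE_RE.match(line)
            if not m:
                continue  # multi-line hex continuations are ignored here
            name, payload = m.group(1), m.group(2)
        keys[current][name] = decode_data(payload)
    return dict(keys)

def get_value(keys, path, name):
    """Case-insensitive lookup of one value under one key."""
    for vname, data in keys.get(path.lower(), {}).items():
        if vname.lower() == name.lower():
            return data
    return None

def exe_names(command):
    return [t.lower() for t in EXE_TOKEN.findall(command)]

def audit(keys):
    """Return (category, key, value name, data) tuples for the artefacts in the thread."""
    findings = []
    run = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    for vname, data in keys.get(run.lower(), {}).items():
        if isinstance(data, str) and any(SUSPECT_EXE.match(e) for e in exe_names(data)):
            findings.append(('run-key', run, vname, data))
    winlogon = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    shell = get_value(keys, winlogon, 'Shell')
    if isinstance(shell, str):
        # A clean Shell value launches explorer.exe and nothing else
        if [e for e in exe_names(shell) if e != 'explorer.exe']:
            findings.append(('winlogon-shell', winlogon, 'Shell', shell))
    for hive in ('HKEY_CURRENT_USER', 'HKEY_LOCAL_MACHINE'):
        pol = hive + r'\Software\Microsoft\Windows\CurrentVersion\Policies\System'
        if get_value(keys, pol, 'DisableRegistryTools') == 1:
            findings.append(('regedit-disabled', pol, 'DisableRegistryTools', 1))
    svc_prefix = r'hkey_local_machine\system\currentcontrolset\services' + '\\'
    for path in keys:
        if path.startswith(svc_prefix):
            image = get_value(keys, path, 'ImagePath')
            if isinstance(image, str) and any(SUSPECT_EXE.match(e) for e in exe_names(image)):
                findings.append(('service', path, 'ImagePath', image))
    return findings

def audit_reg_text(text):
    return audit(parse_reg(text))

if __name__ == '__main__':
    for f in audit_reg_text(SAMPLE_REG):
        print('%-16s %s  %s = %r' % f)
```

Run against the constructed export it reports all four artefacts and stays silent on the legitimate ZoneAlarm Run entry. The Shell check is deliberately stricter than the naming pattern: any second executable after explorer.exe is reported, because that is the modification speyfisher describes regardless of what the file is called.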
 

Author Comment

by:skyboysky
ID: 9672707
I would try changing back my registry keys, but when I try to run regedit, it says I don't have permission (even though I'm logged in as the administrator). I'll try renaming the antivirus .exe.
 

Author Comment

by:skyboysky
ID: 9672725
is there another way to edit my registry without using regedit?
 
LVL 1

Accepted Solution

by:ctennet
ctennet earned 75 total points
ID: 9678878
what happens when you terminate the spoolvq.exe process? can you run the AV afterwards? if not you can try this

if you are using McAfee, like you say then you can run a command line scan. download the SDAT into the directory:

>Program Files>Common Files>Network Associates>VirusScan Engine>4.0.xx

Navigate to that directory from a command prompt and run the SDAT using the /e switch to extract the update files.

i.e. >SDAT4301.EXE /e

then run SCAN.EXE with the /All and /Clean switches

This will clean all infected files without needing to run the Antivirus program
 

Author Comment

by:skyboysky
ID: 9732260
well...I never got the virus off my machine without reinstalling windows. But anyway...thanks for the help folks...