
Weird bug...Maybe a Trojan? or a Virus?

Posted on 2003-11-02
Last Modified: 2013-12-04
Ok, so just recently my computer started performing 3 strange things. I'm not sure if they're related or not, but my best guess is "yes."
First, the computer freezes up on me at random times...when this happens I cannot move the mouse, nor click on anything, or use the keyboard. The only option was to unplug the computer.
Second, McAfee AntiVirus won't run anymore. I start it up, but after a minute or so, it has a program error and quits.
Third, there is a process running called "spoolvq.exe", which I had never noticed before, and always uses around 12-16,000k in the Processes list.

Here are some basics:
I'm running Windows 2000 Pro with the latest service pack.
I have the latest ZoneAlarm firewall running constantly.

If anyone can help me with this before I have to reformat the hard drive, I would appreciate it enormously.

Thanks in advance!!
0
Question by:skyboysky
14 Comments
 
LVL 2

Expert Comment

by:aleshm
ID: 9665485
Try installing AdAware and run it... see if it finds anything.
Uninstall & reinstall McAfee, and/or perhaps Norton Antivirus.
Run scandisk on your hard drive(s) and see if it reports any errors, problems, etc.

What about Windows Update? All patches applied?

Also try uninstalling ZoneAlarm and see if it helps.

Report back!

A.
0
 

Author Comment

by:skyboysky
ID: 9666345
Some more info that could help:

I have already run the latest (and updated) versions of AdAware and SpyBot. I have uninstalled and re-installed McAfee, then uninstalled again when I saw the problem repeat itself. I then installed Norton, which for some reason could not run its LiveUpdate. (I've had either McAfee or Norton running and updated for years on this machine without problems). And lastly, I do have the latest patches and updates from Windows. I'm scared to uninstall or stop ZoneAlarm because this "spoolvq.exe" always tries to connect to the internet, and a couple of times has tried to SEND EMAIL.

Any other suggestions? HELP!

Thanks,
T
0
 
LVL 2

Expert Comment

by:aleshm
ID: 9666363
Unplug your machine from the net and try to uninstall and perhaps manually stop this service and find the file on your HD and delete it.

A.
0
 

Author Comment

by:skyboysky
ID: 9666370
Ah! One more weird thing just started happening: when I go to START > RUN > "regedit", the Registry Editor has been disabled. I get the following message: "Registry editing has been disabled by your administrator."

Strange thing is that I AM THE ADMINISTRATOR!
0
 
LVL 4

Assisted Solution

by:speyfisher
speyfisher earned 1200 total points
ID: 9666415
This virus seems to be spread by a bogus "Internet Explorer Update" received by email.  This would explain 'spoolvq.exe'
________________________________________
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100758

The virus copies itself to the WINDOWS directory using the name "spool" or smss followed by 2 random characters, followed by .exe. A registry key is created to load that file at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Service Host" = %WinDir%\spool (random characters) .exe
________________________________________
 
0
 

Author Comment

by:skyboysky
ID: 9667274
speyfisher, this is EXACTLY what I've got. Wow....thanks a ton. Now my problem is REMOVING it. The McAfee and Symantec sites both inform me to simply run a scan and clean/delete the infected files. However the virus makes it impossible for me to even RUN an antivirus. So how can I delete it? The virus (in spoolvq.exe) recreates itself.

Thanks again,
t
0
 
LVL 4

Expert Comment

by:speyfisher
ID: 9667323
Did you see this post about Windows System Restore utility that the virus may use to back itself up?

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
0
 

Author Comment

by:skyboysky
ID: 9669746
yep, I had seen that one, however I'm using Win2000Pro
0
 
LVL 4

Expert Comment

by:speyfisher
ID: 9672488
I just cleaned a machine where the virus had created over 400 clones of itself. The anti-virus software was being shut down by the virus. I removed all the registry keys that the virus had created, and changed back the keys it had modified. I also renamed my anti-virus .exe file so the virus would not find it and shut it down.

Prevent this thing from starting up; try renaming your anti-virus_program.exe if it is still being stopped.

Did you remove the virus's registry keys? i.e. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolXX.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = Explorer.exe spoolXX.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL
0
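The indicators named in the posts above (a "spool" or "smss" name plus 2 characters and .exe in the Windows directory loaded from the Run key, an altered Winlogon "Shell" value, and a Services\TORVIL key) can be checked against exported registry values. This is an added example, not part of the original thread; the function names, the sample entries, the C:\WINNT default and the assumption that the random characters are alphanumeric are illustrative.

```python
import ntpath
import re

HKLM = "hkey_local_machine\\"
RUN_KEY = HKLM + r"software\microsoft\windows\currentversion\run"
WINLOGON_KEY = HKLM + r"software\microsoft\windows nt\currentversion\winlogon"
TORVIL_KEY = HKLM + r"system\currentcontrolset\services\torvil"
# "spool" or "smss" + 2 random characters + ".exe" (characters assumed alphanumeric)
DROPPED_NAME = re.compile(r"^(spool|smss)\w{2}\.exe$", re.IGNORECASE)


def in_windir_root(path, windir):
    """True if path is a file directly in %WinDir%, not in a subfolder such as system32."""
    expanded = re.sub(r"%(windir|systemroot)%", lambda m: windir, path, flags=re.I)
    return ntpath.normcase(ntpath.dirname(expanded)) == ntpath.normcase(windir)


def check_entries(entries, windir=r"C:\WINNT"):
    """entries: (key, value_name, data) tuples. Returns a list of finding strings."""
    findings = []
    for key, name, data in entries:
        k = key.lower().rstrip("\\")
        if k == RUN_KEY:
            target = data.strip('"')
            # The name alone is not enough: the legitimate spoolsv.exe in system32
            # also fits the pattern, so the location is checked as well.
            if DROPPED_NAME.match(ntpath.basename(target)) and in_windir_root(target, windir):
                findings.append(f"Run value {name!r} loads {target}")
        elif k == WINLOGON_KEY and name.lower() == "shell":
            if data.strip().lower() != "explorer.exe":
                findings.append(f"Winlogon Shell is {data!r}, expected 'Explorer.exe'")
        elif k.startswith(TORVIL_KEY):
            findings.append(f"Service key present: {key}")
    return findings


RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE = [  # constructed entries for illustration, not taken from a real machine
    (RUN, "Service Host", r"%WinDir%\spoolvq.exe"),
    (RUN, "Spooler", r"C:\WINNT\system32\spoolsv.exe"),  # benign lookalike name
    (WINLOGON, "Shell", "Explorer.exe spoolvq.exe"),
    (WINLOGON, "Userinit", r"C:\WINNT\system32\userinit.exe,"),
]

if __name__ == "__main__":
    for finding in check_entries(SAMPLE):
        print(finding)
```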
 

Author Comment

by:skyboysky
ID: 9672707
I would try changing back my registry keys, but when I try to run regedit, it says I don't have permission (even though I'm logged in as the administrator). I'll try renaming the antivirus .exe.
0
 

Author Comment

by:skyboysky
ID: 9672725
Is there another way to edit my registry without using regedit?
0
 
LVL 1

Accepted Solution

by:
ctennet earned 300 total points
ID: 9678878
What happens when you terminate the spoolvq.exe process? Can you run the AV afterwards? If not, you can try this:

If you are using McAfee, like you say, then you can run a command line scan. Download the SDAT into the directory:

>Program Files>Common Files>Network Associates>VirusScan Engine>4.0.xx

Navigate to that directory from a command prompt and run the SDAT using the /e switch to extract the update files.

i.e. >SDAT4301.EXE /e

Then run SCAN.EXE with the /All and /Clean switches.

This will clean all infected files without needing to run the Antivirus program.
0
 

Author Comment

by:skyboysky
ID: 9732260
well...I never got the virus off my machine without reinstalling windows. But anyway...thanks for the help folks...
0
