  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 992

Spoolsv.exe application error - reboots machine automatically!

I got this error when just trying to load my machine.
Spoolsv.exe application error.  The instruction at "0x00376B7" referenced memory at "0x003706B7" the memory could not be "written".  
I can't even get my desktop to appear before my computer automatically reboots itself.  I've tried to go in through safe mode but it automatically reboots as well.  Any idea of how I can load my desktop to try to fix this issue?  Also, any suggestions on a fix?  Is this the spoolsv.exe worm?
Thanks so much for any assistance!
0
mjcad
Asked:
mjcad
1 Solution
 
ComputerTechie Commented:
Try pressing F8 and selecting Last Known Configuration or VGA mode, then reinstall your printer, reboot and reinstall it.
If still unable to boot up, try the Recovery Console and rename spoolsv.exe in C:\WINDOWS\system32\spoolsv.exe, then run SFC /SCANNOW.
CT
 
0
 
mjcad (Author) Commented:
Thanks CT.  Just an FYI, I don't even have a printer hooked up to my PC.  So, I'm not sure why this error is popping up.  That's why I'm thinking it might be a virus of some sort.  Also, I tried selecting Last Known Configuration and VGA mode without luck.  I don't have the recovery console so I am trying to get that installed now.  I'll keep you updated.
Thanks again for your help.
0
 
warturtle Commented:
Creating a live CD with Dr Web CureIt might help. You need to boot using this CD and do a virus scan from the CD itself. That should help!

http://www.freedrweb.com/livecd/

Don't forget to read the documentation that is available on: ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf

Hope it helps.

Alternatively, you can slave it to another PC and do a full antivirus scan of it. MalwareBytes (www.malwarebytes.org) is also a scanner that you can use.
0

 
mjcad (Author) Commented:
Hi warturtle,
Thanks for the advice.  I am having trouble getting the CD with the iso file to boot up.  I have the CD-ROM as the first option when booting up, but nothing happens.  The CD has this file on it "minDrWebLiveCD-5.0.0.iso", do I need something else?  Sorry to be such a pain!  I didn't see a help section on the Dr Web CureIt site.
Thanks for any assistance. :)
0
 
xmachine Commented:
Hi,

Check the following MS support article:

http://support.microsoft.com/kb/810894


A Symantec Certified Specialist @ your service
0
 
warturtle Commented:
Hmm.. I see. If you can see the iso file when you look at the CD in Windows Explorer, that means the CD has not been burnt correctly. The iso file that you downloaded is an image and needs to be burnt as an image and not like a normal data CD. If you send me the name of the CD writing program that you use, I'll look up specific instructions and send them to you, or you can search for 'Burn Image' or 'Burn Image to disk' on Google along with the name of the CD writing program and see the instructions yourself. You'll have to use another blank CD now.

If you burn the iso file on a CD as an image, then on opening this CD in explorer you'll see a lot of different files in it generally depending on the content of the CD.
0
 
SimonL-UK Commented:
Spoolsv.exe is the Windows Print Spooler service.  Generally, this will happen if you have a corrupt or buggy printer driver.
Once you've run a virus and malware scan to show that this is the genuine executable, remove one printer driver at a time until your machine isn't rebooting.
If you have a number of print drivers installed, try disabling automatic system reboot and configure your PC to generate a kernel memory dump - post it here and it will aid troubleshooting.

HTH
0
 
mjcad (Author) Commented:
Thanks again to everyone for the great suggestions.  Here is an update.  I ran Dr Web CureIt and found a ton of viruses.  Looks like I hit the virus motherlode!  Here are some of the ones it found:
backdoor.tdss.115
trojan.packed.191
trojan.packed.255
winlogqu.exe

After the scan completed I was able to log back into my computer but the same error message appeared.  I ran Ad-Aware and Trend Micro anti-spyware.  This found more viruses and "threats".  Here are a few:
infostealer.gampass
trojan.fakeavalert
bloodhound.exploit.196

I tried to run Symantec antivirus and got this error message "Could not start scan.  Scan engine returned error 0x20000058".  I tried stopping the Symantec service and restarting it but that did not solve the problem.  I also renamed spoolsv.exe and ran SFC /SCANNOW from the command line as suggested by ComputerTechie above.

When I rebooted my computer the chkdsk utility started.  Let me know if you need the report.

This time I got a whole new set of errors.  The spoolsv.exe error was gone (probably since I renamed it) and in its place I got this:

logonui.exe application error
wmiprvse.exe application error
transferagent.exe app. error

The Data Execution Prevention popup keeps displaying for the Windows Logon UI and for Windows explorer.

I checked the system Event Viewer and here is the error that keeps popping up:
"The wuausev Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key."

Hopefully, that is enough info to get you started.  Please let me know what else you need and I will provide it.  Any idea what

So, as you can see I've still got serious issues.  Any help is appreciated.
Thanks again!
0
 
warturtle Commented:
Good, good, good! Finally, you can boot into your laptop again. I am going to suggest that you download ComboFix and run it in safe mode. It can be downloaded from: http://www.bleepingcomputer.com/combofix/how-to-use-combofix . The same page also has instructions which I suggest that you read before you run ComboFix. I suggest downloading it and saving with a completely different name like jabba.exe and then disabling your antivirus and firewall and then running it. After ComboFix has finished and created a log, you can re-enable your antivirus and firewall. Please send that log to us.

The computer should be clean enough to let you install MalwareBytes Anti-Malware on your PC. It can be downloaded from: www.malwarebytes.org . Install it, update the definitions, then reboot your computer in safe mode and do a full scan with this. That should clean most of the infections. And send us that log as well. It's not a replacement for your antivirus product but a specialised utility to clean spyware which can sometimes trouble antiviruses and can escape detection by antiviruses as well.
0
 
warturtle Commented:
After having suggested all of the above, I still cannot 100% guarantee that a Windows re-install is not an option, because you are getting errors on lots of Windows files, and it might be that they have been corrupted by a virus.

But best to do the above suggestions first and see what we can find on your PC and assess the amount of repair needed.
0
 
mjcad (Author) Commented:
Warturtle,
Looks like I'm in deep trouble!  I tried downloading Combofix in safe mode and got this error:
ALERT It is not safe to continue
contents of combofix package have been compromised.  Download a fresh copy.  Note:  You may be infected with a file patching virus (virut).

Do you recommend that I follow the directions here: http://www.symantec.com/security_response/writeup.jsp?docid=2009-020411-2802-99&tabid=3 ?
0
 
warturtle Commented:
Yes, that is not good. Virut/Sality are file infectors and the files they infect normally have to be replaced completely with new ones. Looks like they've consumed the Windows OS files as well as other files on your disk. They infect the files with the following extensions:

.exe, .scr, .rar, .zip, .htm, .html, php and asp

So, I suggest that you take a backup of all your .doc, .xls, .ppt and other important files except for the files with the extensions - .exe, .scr, .rar, .zip, .htm, .html, php and asp.

Create a list of programs that you would like to re-install on your PC and then format and re-install Windows XP and the other required programs and move back your backed up documents.

Alternatively, you can try the Virut removal tool from the link that you sent to us and then try to run the programs that you would normally run to check the amount of damage done. That way, you can find out what files need replacing. Using this tool to remove Virut might not completely help you, because you've got other viruses in your PC to take care of as well. I feel a re-install after backing up important documents is your easiest way out.

0
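
Added example, not part of the original thread: a Python sketch of the selective backup warturtle describes above, copying documents while skipping the listed extensions and recording a SHA-256 for each copied file. The function names and the sample tree are constructed for illustration, and it assumes the infected disk is mounted on a clean machine or live CD rather than run from the infected Windows install.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Extensions the thread lists as infected by Virut/Sality; these are never copied.
EXCLUDED = {".exe", ".scr", ".rar", ".zip", ".htm", ".html", ".php", ".asp"}


def sha256_of(path):
    """Hash a file in chunks so large documents do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_documents(source, dest):
    """Copy everything except EXCLUDED extensions; return (copied, skipped)."""
    source, dest = Path(source).resolve(), Path(dest).resolve()
    if dest == source or source in dest.parents:
        raise ValueError("backup destination must be outside the source tree")
    copied, skipped = [], []
    for path in sorted(source.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(source)
        # Compare case-insensitively: SETUP.EXE and setup.exe are the same type.
        if path.suffix.lower() in EXCLUDED:
            skipped.append(rel.as_posix())
            continue
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        digest = sha256_of(target)
        if digest != sha256_of(path):
            raise OSError(f"copy of {rel} does not match the original")
        copied.append((rel.as_posix(), digest))
    return copied, skipped


if __name__ == "__main__":
    # Constructed sample tree standing in for the mounted infected disk.
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "old_disk"), Path(tmp, "backup")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "budget.xls").write_bytes(b"constructed sample")
        (src / "docs" / "SETUP.EXE").write_bytes(b"MZ constructed")
        copied, skipped = backup_documents(src, dst)
        print("copied:", copied, "skipped:", skipped)
```
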
 
mjcad (Author) Commented:
Thanks for the help warturtle!  I appreciate you taking the time to work with me!  I'm going to start the process of rebuilding my computer! :)
0
 
warturtle Commented:
Thanks for the feedback. Always happy to help :)
0
