
Spools.exe And Ftp33.dll Problem!



#1 Djeff

Posted 30 April 2008 - 10:46 AM

Hi

I have a problem with my computer. I run Windows XP Home Edition.
My antivirus (Antivir) warns me at each start of the computer that I am infected: the files are ftp33.dll (in "system32/" and "docs and settings/nameofuser/" folders) and spools.exe (in the "system32/drivers/" folder). I also have Avast and SUPERANTISpyware, which also warn me of the presence of these viruses sometimes (even though it is commonly Antivir that warns me). Antivir displays a choice of actions to deal with the virus, and most of the time I choose to "delete" the file, sometimes I chose "access deny" or "quarantine" but none of these actions seem to eradicate the virus, as it still comes back after each startup. The other antiviruses warn me about spools.exe when I choose to "access deny" it with Antivir, I think (neither Avast nor SUPERANTIspyware ever warned me about ftp33.dll).
The virus seems to have this effect: it corrupts the "exe" file association with the Application kind, so that every "exe" type file prompts me with the "open with..." window when I try to open it (at first, I discovered that most applications could be run if I chose them in the "open with" window). It happened once that instead of the "open with" problem, .exe files would prompt me with an error telling me something like "this is not a valid 32bit application".
The problem with exe files is partly fixed with help I found on a forum, which consisted in creating a registry key file that reads like this (simply adding the exe association in Windows wouldn't fix the problem):
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"


Now, even though this registry key fixes the exe problem, it doesn't delete the viruses and, most of the time, at startup, the "exe" problem is still here, and I need to apply the registry key again.
I ran scans with my three antiviruses, and even though they could find some trojan and all, it never fixed the problem, which, it seems, originates from spools.exe.

I hope my English is understandable, and that you will be able to help me.
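
As an added example, not part of the original post: a small Python check that parses a .reg export and compares the .exe association values against the ones in the registry file quoted above, so a reset association can be confirmed after a reboot. The sample export and the `hijacked_progid` value are constructed for illustration.

```python
import re
# Known-good REG_SZ values, copied from the .reg file quoted in the post above.
BASELINE = {
    (r"HKEY_CLASSES_ROOT\.exe", "@"): "exefile",
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\exefile\shell\runas\command", "@"): '"%1" %*',
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample of a tampered export (hijacked_progid is a placeholder).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="hijacked_progid"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {(key_lowercased, value_name): data} for string values in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()  # registry key names are case-insensitive
            continue
        m = VALUE_RE.match(line)  # hex: and dword: lines do not match and are skipped
        if m and key:
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            values[(key, name)] = unescape(m.group(2))
    return values

def check_exe_association(text):
    """Return (key, expected, found) for each baseline value that differs or is missing."""
    found = parse_reg(text)
    return [(key, want, found.get((key.lower(), name)))
            for (key, name), want in BASELINE.items()
            if found.get((key.lower(), name)) != want]

if __name__ == "__main__":
    for key, want, got in check_exe_association(SAMPLE):
        print(f"{key}: expected {want!r}, found {got!r}")
```

A missing value is reported with `None` as the found data, which is how the absent `runas` command in the sample shows up.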



#2 boopme


Posted 30 April 2008 - 01:06 PM

I ran scans with my three antiviruses,

This could be the problem in itself. All AV's are conflicting and finding each other's malware signature file. Try disabling 2 and run a scan with one from Safe mode.

How to enter safe mode(XP)
Using the F8 Method

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

After reboot into normal mode please...
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Djeff


Posted 30 April 2008 - 02:37 PM

Hi, thank you for your fast answer.
Just a note: I usually only have two antiviruses, Antivir and SUPERantispyware, and I have had them for some years now, they never have been conflicting with each other. I installed Avast a few days ago, to scan my computer and see about the problem I have been having. I also wanted to have a maximum of internet shields for when I, like now, go on the web.
I'll try every step you suggested right away!
Thank you

#4 boopme


Posted 30 April 2008 - 02:48 PM

OK, that's good. SAS is an antispyware tool, not an antivirus, though it is almost as good as some and better than others. It will not conflict with AVs.

#5 Djeff


Posted 01 May 2008 - 07:12 AM

Here is my log with Malwarebytes:





==============================================


Malwarebytes' Anti-Malware 1.11
Version de la base de données: 704

Type de recherche: Examen rapide
Eléments examinés: 68332
Temps écoulé: 39 minute(s), 5 second(s)

Processus mémoire infecté(s): 1
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 2
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 2

Processus mémoire infecté(s):
C:\Documents and Settings\Jacques\cftmon.exe (Trojan.Agent) -> Unloaded process successfully.

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
C:\Documents and Settings\Jacques\Local Settings\Temporary Internet Files\Content.IE5\4JRJAWX5\KB908531[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacques\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.

=============================================


I hope it won't bother you too much that it's in French :D
As you can see, it found some Trojans that Antivir never found before (I did the scan with it in safe mode before, as you advised). Malwarebytes didn't find ftp33.dll or spools.exe because, as usual, Antivir warned me about them and I chose to delete them (as usual), at startup, and THEN I did the Malwarebytes scan. So it might seem pretty stupid of me, but it appears those viruses weren't the serious ones, as after Malwarebytes found the ones Antivir never saw, and deleted them, spools.exe and ftp33.dll never showed up again on startup (I rebooted after my first Malwarebytes scan to do another one without deleting spools.exe and ftp33.dll with Antivir when prompted, but it turned out spools.exe and ftp33.dll never came back, as they were certainly created by the trojans Malwarebytes dealt with).
I hope I'm being clear!
I suppose the problem is over, so thank you very, very much for your time and your good advice! If I do come back in trouble, I'll go right here to find a solution!

#6 boopme


Posted 01 May 2008 - 10:13 AM

Not a problem at all. I wish I had the ability to have kept up with the French I took in school. You look to be clean. But let's do another scan anyway to see if anything is left. Do this from Safe Mode.

Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post log and let us know how the PC is running now.

#7 Djeff


Posted 01 May 2008 - 08:02 PM

All right, I'll do that. I'm sorry I didn't answer sooner, I guess I didn't check the email notification box, since I didn't know you answered me. I have some busy days ahead of me but I'll keep you updated with the results as soon as I have time to do the scans!
Thank you

#8 DaChew


Posted 01 May 2008 - 08:33 PM

C:\Documents and Settings\Jacques\Local Settings\Temporary Internet Files\Content.IE5\4JRJAWX5\KB908531[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacques\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Even in wookish these look very dangerous

especially together
Chewy

No. Try not. Do... or do not. There is no try.



