
#1 WarumWolf



Posted 28 May 2008 - 03:02 PM

Maybe this is helpful for others:

Recently my router firewall warned me about a process called spools.exe that tried to contact "geil-de.info".
As "geil" is the German word for "horny", this was very suspicious.
First, I renamed spools.exe so that whoever started it would not find it. What happened now was that many programs (such as IE) would not start anymore, with the message that Windows does not know which program to use to open iexplore.exe (or whatever I tried to start). So I renamed it back and ran HiJackThis. It confirmed that spools.exe is a virus.
In the Registry I found an entry called "shell" was set to "C:\WINDOWS\system32\drivers\spools.exe "%1 "%*
Comparing to another WinXP system, I found that this entry should be only "%1 "%*
I changed it back and was able to start programs again even with spools.exe renamed. Interesting: HiJackThis didn't report the shell hack as a problem...?
Then I searched the whole registry for spools.exe and found other entries:

\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule: ImagePath = ...spools.exe
I changed it back to its original value of "%SystemRoot%\System32\svchost.exe -k netsvcs"

autoload = spools.exe
ntuser = spools.exe
As this seems to start spools.exe, I removed these entries.

Also, there was a "cftmon.exe" (not to be confused with a regular Windows program "ctfmon.exe" in C:\WINDOWS\system32) in different places of the registry.
I also removed these. Don't know if this was a coincidence or if spools.exe and cftmon.exe come together.
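
The registry checks described in the post can be automated over saved `reg query` output. The following is an added example, not part of the original post. It assumes the "shell" entry is the `exefile` open command (Windows default `"%1" %*`), and the `Run` key location of `autoload` in the sample is a constructed placement, since the post does not name the key.

```python
import re

# Known-good values. The Schedule ImagePath is the one quoted in the post; the
# exefile open command is an assumption about which "shell" entry was altered.
EXPECTED = {
    (r"hkey_classes_root\exefile\shell\open\command", "(default)"): '"%1" %*',
    (r"hkey_local_machine\system\controlset001\services\schedule", "imagepath"):
        r"%SystemRoot%\System32\svchost.exe -k netsvcs",
}
SUSPECT_NAMES = ("spools.exe", "cftmon.exe")  # file names given in the post
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query`-style output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            name = m.group(1)
            # Windows XP prints the unnamed value as <NO NAME>, later versions as (Default).
            if name == "<NO NAME>":
                name = "(Default)"
            yield key, name, m.group(3).strip()

def audit(text):
    """Flag known values that differ from EXPECTED and any data naming a suspect file."""
    findings = []
    for key, name, data in parse_reg_query(text):
        want = EXPECTED.get((key.lower(), name.lower()))
        if want is not None and data.lower() != want.lower():
            findings.append(("modified", key, name, data))
        elif any(s in data.lower() for s in SUSPECT_NAMES):
            findings.append(("suspect-file", key, name, data))
    return findings

# Constructed sample in `reg query` layout (not captured from a real system).
SAMPLE = r'''
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "C:\WINDOWS\system32\drivers\spools.exe" "%1" %*

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    autoload    REG_SZ    spools.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

The legitimate `ctfmon.exe` entry is not flagged, because the match is on the transposed name `cftmon.exe` only.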
