Posted 28 May 2008 - 03:02 PM
Maybe this is helpful for others:
Recently my router firewall warned me about a process called spools.exe that tried to contact "geil-de.info".
As "geil" is the German word for "horny", this was very suspicious.
First, I renamed spools.exe so that whoever started it would not find it. What happened then was that many programs
(such as IE) would not start anymore, with the message that Windows does not know which program to use to open
iexplore.exe (or whatever I tried to start). So I renamed it back and ran HiJackThis. It confirmed that spools.exe is a virus.
In the registry I found an entry called "shell" that was set to "C:\WINDOWS\system32\drivers\spools.exe "%1 "%*
Comparing with another WinXP system, I found that this entry should only be "%1 "%*
I changed it back and was able to start programs again even with spools.exe renamed. Interesting: HiJackThis didn't report the shell hack as a problem...?
Then I searched the whole registry for spools.exe and found other entries:
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule: ImagePath = ...spools.exe
I changed it back to its original value of "%SystemRoot%\System32\svchost.exe -k netsvcs"
autoload = spools.exe
ntuser = spools.exe
As these seem to start spools.exe, I removed these entries.
Also, there was a "cftmon.exe" (not to be confused with the regular Windows program "ctfmon.exe" in C:\WINDOWS\system32) in different places in the registry.
I also removed these. I don't know if this was a coincidence or if spools.exe and cftmon.exe come together.
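A defender-side audit of the registry persistence points described in the post, as an added PowerShell example (not code from the original post). It assumes the "shell" entry meant is the default value of HKCR\exefile\shell\open\command, that the clean values are "%1" %* and the svchost ImagePath quoted above, and, since the post does not say where the autoload and ntuser entries live, that the Run keys are a reasonable place to look for the two file names.

```powershell
# Added example, not from the original post. Reports deviations from the clean values
# before anything is renamed or deleted, so the "unknown program" breakage the post
# describes does not happen. All registry locations below are assumptions based on
# where Windows normally keeps these settings.
$ErrorActionPreference = 'Stop'

# Clean values as stated in the post for WinXP.
$ExpectedExeShell = '"%1" %*'
$ExpectedSchedule = '%SystemRoot%\System32\svchost.exe -k netsvcs'
# File names the post calls suspicious (cftmon.exe is NOT the legitimate ctfmon.exe).
$SuspectNames = @('spools.exe', 'cftmon.exe')

function Get-ExeShellCommand {
    # Windows consults this default value every time an .exe is launched.
    (Get-Item 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').GetValue('')
}

function Get-ScheduleImagePath {
    # CurrentControlSet is the live control set (the post edited ControlSet001 directly).
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule' -Name ImagePath).ImagePath
}

function Find-SuspectRunEntries {
    $runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # skip provider metadata
            foreach ($s in $SuspectNames) {
                if ("$($p.Value)" -match [regex]::Escape($s)) {
                    [pscustomobject]@{ Key = $k; Name = $p.Name; Value = $p.Value }
                }
            }
        }
    }
}

$shell = Get-ExeShellCommand
if ($shell -ne $ExpectedExeShell) { Write-Warning "exefile shell hook: '$shell' (expected '$ExpectedExeShell')" }
else { Write-Host 'exefile shell command OK' }

$svc = Get-ScheduleImagePath
if ($svc -ne $ExpectedSchedule) { Write-Warning "Schedule ImagePath: '$svc' (expected '$ExpectedSchedule')" }
else { Write-Host 'Schedule service ImagePath OK' }

Find-SuspectRunEntries | Format-Table -AutoSize
```

Run it from an elevated prompt; a warning on the exefile line means the shell hook should be restored first, exactly as the post found, before the hooked executable is touched.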