Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • Please log in to reply
1 reply to this topic

#1 Hookem


  • Members
  • 1 posts
  • Local time:09:24 AM

Posted 24 April 2005 - 09:18 AM

I have a problem with the spoolsrv.exe virus. It is killing me, and I need any help that I can get.


BC AdBot (Login to Remove)


#2 virusX


  • Members
  • 222 posts
  • Gender:Male
  • Location:Brazilia
  • Local time:10:24 AM

Posted 24 April 2005 - 10:49 AM

Hello there. Yes of course you will get help. it's an virus. I will explain it to you. Step by Step.

SPOOLSRV.EXE/ MSGSRV.EXE is a Backdoor Trojan that gives a remote attacker full control over your computer. SPOOLSRV.EXE/ MSGSRV.EXE uses IRC to communicate with the attacker.

When SPOOLSRV.EXE/ MSGSRV.EXE is executed, it does the following:

1. Creates a registry value under the key:


This registry value will load SPOOLSRV.EXE/ MSGSRV.EXE the next time you start Windows.

The values that SPOOLSRV.EXE/ MSGSRV.EXE adds depend on the variant, and are:

Variant A:
Service "<path of executable>\exec.exe" "<path of executable>\SPOOLSRV.EXE"

Variant B:
Service "<path of executable>\exec.exe" "<path of executable>\MSGSRV.EXE"
2. Connects to IRC using the ports (variant-dependent):
* Variant A: 24,613
* Variant B: 6,667
3. Joins the IRC channels:
* Variant A: #clone
* Variant B: #!chire

SPOOLSRV.EXE/ MSGSRV.EXE is usually accompanied by the hacker program, Exec.exe, which hides SPOOLSRV.EXE/ MSGSRV.EXE so that you cannot see that it is running.

Let's remove it now since you know what it does !
Restarting in Safe Mode

On Windows NT (VGA mode)

1. Click Start>Settings>Control Panel.
2. Double-click the System icon.
3. Click the Startup/Shutdown tab.
4. Set the Show List field to 10 seconds and click OK to save this change.
5. Shut down and restart your computer.
6. Select VGA mode from the startup menu.

On Windows 2000

1. Restart your computer.
2. Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

On Windows XP

1. Restart your computer.
2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

Terminating the Malware Program

# Open Windows Task Manager.
On Windows NT, 2000, and XP, press
CTRL+SHIFT+ESC, then click the Processes tab.
# In the list of running programs*, locate the process:
# Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
# To check if the malware process has been terminated, close Task Manager, and then open it again.
# Close Task Manager.

Delete the following registry values

Go to your registry (start-->run-->enter regedit-->press OK)
Search for exec.exe (press ctrl+F and enter exec.exe)
Delete where ever you find it.

Search for SPOOLSRV.EXE (press ctrl+F and enter SPOOLSRV.EXE)
Delete where ever you find it.

Search for MSGSRV.EXE (press ctrl+F and enter MSGSRV.EXE)
Delete where ever you find it.

Hope ive helped you
for the fact that it didn't work then you would have to go into the HiJack forum by CLICKING HEREHijack this log.. they will look at your HJT log and will be able to tell you what to do.......

Edited by virus, 24 April 2005 - 11:27 AM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users