
Spoolsv.exe Using Cpu Previous Trojan Infections Known


18 replies to this topic

#1 waiting4Jesus630

waiting4Jesus630

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:55 AM

Posted 24 September 2008 - 07:38 PM

Having a heck of a time with spoolsv.exe using 99%+ CPU. Running Windows XP SP3. This started several weeks ago, I've tried various scans including trendmicro housecall, AVG free antivirus, Malwarebytes Anti Malware...

AVG found and quarantined:
"Virus BackDoor.Hupigon"
"Trojan horse Generic10.ABIR"
"Trojan horse Generic10.ABZK"


I can open the Administrative Tools -> Services and stop the Print Spooler service, and everything seems to be fine except that I can't print. If I start it again, I can see in process explorer that it opens with a "working set" of 3008 K, and it's not using any CPU. As soon as I try to open the Printers and Faxes control panel though, the working set immediately changes (4012K when I did this just now) and the CPU jumps up to 90-99%. I can suspend the process or kill it, but after killing it it will restore unless I stop the Print Spooler service. If I kill the service I can get the Printers and Faxes control panel open, but all of my printers are gone.

Please suggest appropriate scans and logs to post for help. Thanks in advance for helping!


 


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:11:55 AM

Posted 24 September 2008 - 07:59 PM

http://www.bleepingcomputer.com/forums/ind...st&p=948894

Would you run ATFCleaner and SAS from safe mode?

After returning to normal mode, would you update MBAM (Malwarebytes') and post both logs, please?
Chewy

No. Try not. Do... or do not. There is no try.

#3 waiting4Jesus630

  • Topic Starter

Posted 25 September 2008 - 01:35 PM

SAS Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/24/2008 at 08:16 PM

Application Version : 4.21.1004

Core Rules Database Version : 3579
Trace Rules Database Version: 1567

Scan type : Complete Scan
Total Scan Time : 01:13:00

Memory items scanned : 255
Memory threats detected : 0
Registry items scanned : 7624
Registry threats detected : 0
File items scanned : 29255
File threats detected : 5

Adware.Tracking Cookie
C:\QooBox\Quarantine\C\Documents and Settings\elizabeth.opheim\Cookies\elizabeth.opheim@ehg-dig.hitbox[2].txt.vir
C:\QooBox\Quarantine\C\Documents and Settings\elizabeth.opheim\Cookies\elizabeth.opheim@ehg-chrysler.hitbox[2].txt.vir
C:\QooBox\Quarantine\C\Documents and Settings\elizabeth.opheim\Cookies\elizabeth.opheim@a.backcountry[2].txt.vir
C:\QooBox\Quarantine\C\Documents and Settings\elizabeth.opheim\Cookies\elizabeth.opheim@ad.yieldmanager[2].txt.vir
C:\QooBox\Quarantine\C\Documents and Settings\gary.heffern\Cookies\gary.heffern@edge.ru4[2].txt.vir



MBAM Log:
Malwarebytes' Anti-Malware 1.28
Database version: 1203
Windows 5.1.2600 Service Pack 3

9/25/2008 11:34:38 AM
mbam-log-2008-09-25 (11-34-38).txt

Scan type: Full Scan (C:\|Q:\|S:\|)
Objects scanned: 212629
Time elapsed: 4 hour(s), 20 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 DaChew


Posted 25 September 2008 - 02:17 PM

One more scan, please.

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!


**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Google leads me to suspect AVG may have dropped the ball here.

Have you tried reinstalling the printer drivers?

Edited by DaChew, 25 September 2008 - 02:24 PM.


#5 waiting4Jesus630


Posted 25 September 2008 - 04:17 PM

SmitFraudFix Log:
SmitFraudFix v2.354

Scan done at 13:55:06.92, Thu 09/25/2008
Run from C:\Documents and Settings\corey.colman.C11345\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\corey.colman.C11345\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\corey.colman.C11345\Desktop\Utilities\procexp.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\corey.colman.C11345


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\corey.colman.C11345\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\COREYC~1.C11\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="avgrsstx.dll C:\\WINDOWS\\system32\\guard32.dll"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Dell Wireless 1350 WLAN Mini-PCI Card - Packet Scheduler Miniport
DNS Server Search Order: 66.60.130.2
DNS Server Search Order: 66.60.130.6
DNS Server Search Order: 66.60.130.158

Description: Dell Wireless 1350 WLAN Mini-PCI Card - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{012A388C-F118-4B53-9378-33B76956CB97}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FE49F96-ED16-4589-AE88-8894D4D46A9A}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7E5B8AD7-08B2-4BB2-8FDC-D6D9AD152360}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8972260B-7A0A-4FF0-A781-D16710DA9D3D}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C7FD5FF9-D421-4A09-844C-81852B8EB3B2}: DhcpNameServer=66.60.130.2 66.60.130.6 66.60.130.158
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E309826B-9234-45B5-85A5-F5A507FBAE0A}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{012A388C-F118-4B53-9378-33B76956CB97}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FE49F96-ED16-4589-AE88-8894D4D46A9A}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7E5B8AD7-08B2-4BB2-8FDC-D6D9AD152360}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8972260B-7A0A-4FF0-A781-D16710DA9D3D}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C7FD5FF9-D421-4A09-844C-81852B8EB3B2}: DhcpNameServer=66.60.130.2 66.60.130.6 66.60.130.158
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E309826B-9234-45B5-85A5-F5A507FBAE0A}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{012A388C-F118-4B53-9378-33B76956CB97}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2FE49F96-ED16-4589-AE88-8894D4D46A9A}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7E5B8AD7-08B2-4BB2-8FDC-D6D9AD152360}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8972260B-7A0A-4FF0-A781-D16710DA9D3D}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C7FD5FF9-D421-4A09-844C-81852B8EB3B2}: DhcpNameServer=66.60.130.2 66.60.130.6 66.60.130.158
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E309826B-9234-45B5-85A5-F5A507FBAE0A}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.60.130.2 66.60.130.6 66.60.130.158
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.60.130.2 66.60.130.6 66.60.130.158
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.60.130.2 66.60.130.6 66.60.130.158


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



I've thought about reinstalling the printer drivers but am not sure how I could do that. You see, if I try to open the Printers and Faxes control panel it freezes until I kill spoolsv.exe. Then the control panel opens with no printers. If I click "add printer" it says "Operation could not be completed. The print spooler service is not running." I can start the service while that window is now open, but it freezes on me when I click "add printer."
I grabbed an install CD for one of my printers, ran through the install then tried printing from IE8. Gave me a dialog saying that I must install a printer, asked if I wanted to, then computer froze on me while spoolsv.exe went to 99% cpu.

I have another computer on same OS that's doing just fine; would it be beneficial to try to copy the spoolsv.exe from there and replace this one?

#6 DaChew


Posted 25 September 2008 - 05:50 PM

I am pretty sure I have seen this before, but it's not coming to me where.

I'll kick this upstairs.

Maybe we can get to the bottom of this.

#7 waiting4Jesus630


Posted 25 September 2008 - 06:54 PM

Kickin it upstairs to get to the bottom... this is getting complicated. :thumbsup: Thanks for your help.

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,486 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:55 AM

Posted 26 September 2008 - 06:52 AM

...but all of my printers are gone

From what you describe and the scans performed, this doesn't appear to be a malware-related issue, but let's examine the file more closely.

Please download FileLook by jpshortstuff and save to your Desktop.
alternate download link
  • Double-click FileLook.exe to run it.
  • Important! If using Windows Vista, be sure to Run As Administrator.
  • Ensure that BBCode Output is checked.
  • Copy and paste everything in the code box below into the empty textfield under FileLook by...

    C:\WINDOWS\SYSTEM32\spoolsv.exe
  • Click the FileLook button to start the scan.
  • When finished, Notepad will open with the results of the scan in a text file named fl_log.txt which will automatically be saved to the root of your system drive. (Typically C:\fl_log.txt)
  • Please copy and paste the contents of this log in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#9 waiting4Jesus630


Posted 26 September 2008 - 09:46 AM

FileLook Log:

FileLook.exe v1.0 by jpshortstuff
Log created at 14:44:45 on 26/09/2008

==============================
FileLook - spoolsv.exe

Filename: spoolsv.exe
Path: C:\WINDOWS\SYSTEM32\
Created: 23:55:46 on 10/06/2005
Modified: 00:12:36 on 14/04/2008
Size: 57856 bytes
Attributes: Archive
-------------------------
FileDescription: Spooler SubSystem App
FileVersion: 5.1.2600.5512 (xpsp.080413-0852)
ProductVersion: 5.1.2600.5512
OriginalFilename: spoolsv.exe
InternalName: spoolsv.exe
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

==============================

=EOF=

#10 quietman7


Posted 26 September 2008 - 10:03 AM

File details look ok. Sounds like a driver issue or some other conflict going on. I will move this topic to the XP forum where others may have further suggestions.

Driver issues are a known source of conflicts that can cause various issues. If you need to update a driver, a convenient place to start is at DriverGuide.com or MrDriver.com. If you're not sure how to update a driver, please read How to update a Windows hardware driver and How to manage devices in Windows XP.

#11 DaChew


Posted 26 September 2008 - 10:25 AM

C:\WINDOWS\system32\drivers\etc\winhelper.exe -> Backdoor.Hupigon.hk : Cleaned.


Could you specify a path for those files that AVG cleaned?

Chasing a false positive deletion.

#12 waiting4Jesus630


Posted 26 September 2008 - 11:03 AM

AVG Log:

Scan "Scheduled scan" was finished.
Infections found:;"11"
Infected objects removed or healed:;"11"
Not removed or healed:;"0"
Spyware found:;"1"
Spyware removed:;"1"
Not removed:;"0"
Warnings count:;"0"
Information count:;"0"
Scan started:;"Wednesday, September 17, 2008, 9:00:06 PM"
Scan finished:;"Thursday, September 18, 2008, 2:34:17 AM (5 hour(s) 34 minute(s) 10 second(s))"
Total object scanned:;"1132037"
User who launched the scan:;"SYSTEM"

Infections
File;"Infection";"Result"
C:\System Volume Information\_restore{82B7F6B6-32D9-4E66-9813-2E377D61841C}\RP2\A0000037.old;"Virus found BackDoor.Hupigon";"Moved to Virus Vault"
C:\System Volume Information\_restore{82B7F6B6-32D9-4E66-9813-2E377D61841C}\RP2\A0001258.dll;"Trojan horse Generic10.ABIR";"Moved to Virus Vault"
C:\System Volume Information\_restore{82B7F6B6-32D9-4E66-9813-2E377D61841C}\RP2\A0001259.dll;"Trojan horse Generic10.ABZK";"Moved to Virus Vault"
C:\System Volume Information\_restore{82B7F6B6-32D9-4E66-9813-2E377D61841C}\RP2\A0001260.dll;"Trojan horse Generic10.ABZK";"Moved to Virus Vault"
C:\System Volume Information\_restore{82B7F6B6-32D9-4E66-9813-2E377D61841C}\RP2\A0001261.dll;"Trojan horse Generic10.ABZK";"Moved to Virus Vault"
C:\System Volume Information\_restore{82B7F6B6-32D9-4E66-9813-2E377D61841C}\RP2\A0001262.dll;"Trojan horse Generic10.ABZK";"Moved to Virus Vault"
C:\System Volume Information\_restore{82B7F6B6-32D9-4E66-9813-2E377D61841C}\RP2\A0001263.dll;"Trojan horse Generic10.ABZK";"Moved to Virus Vault"
C:\System Volume Information\_restore{82B7F6B6-32D9-4E66-9813-2E377D61841C}\RP2\A0001264.dll;"Trojan horse Generic10.ABZK";"Moved to Virus Vault"
C:\System Volume Information\_restore{82B7F6B6-32D9-4E66-9813-2E377D61841C}\RP2\A0001265.dll;"Trojan horse Generic10.ABZK";"Moved to Virus Vault"
C:\System Volume Information\_restore{82B7F6B6-32D9-4E66-9813-2E377D61841C}\RP2\A0001266.dll;"Trojan horse Generic10.ABZK";"Moved to Virus Vault"
C:\System Volume Information\_restore{82B7F6B6-32D9-4E66-9813-2E377D61841C}\RP2\A0001267.dll;"Trojan horse Generic10.ABZK";"Moved to Virus Vault"

Spyware
File;"Infection";"Result"
C:\WINDOWS\system32\LMIinit.dll.000.bak;"Potentially harmful program RemoteAdmin.SA";"Moved to Virus Vault"
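
An added example, not part of any post in this thread: a small Python parser for the semicolon-delimited AVG log above that groups each detection by where the file was found, separating System Restore copies (`_restore{...}\RPn`) from files on the live filesystem. The sample rows are excerpted from the posted log; the function names are this example's own.

```python
import csv
import re
from collections import Counter

# Rows excerpted from the AVG log posted above (paths and detection names as posted).
SAMPLE_LOG = r'''Infections found:;"11"
Infections
File;"Infection";"Result"
C:\System Volume Information\_restore{82B7F6B6-32D9-4E66-9813-2E377D61841C}\RP2\A0000037.old;"Virus found BackDoor.Hupigon";"Moved to Virus Vault"
C:\System Volume Information\_restore{82B7F6B6-32D9-4E66-9813-2E377D61841C}\RP2\A0001258.dll;"Trojan horse Generic10.ABIR";"Moved to Virus Vault"
C:\System Volume Information\_restore{82B7F6B6-32D9-4E66-9813-2E377D61841C}\RP2\A0001259.dll;"Trojan horse Generic10.ABZK";"Moved to Virus Vault"

Spyware
File;"Infection";"Result"
C:\WINDOWS\system32\LMIinit.dll.000.bak;"Potentially harmful program RemoteAdmin.SA";"Moved to Virus Vault"
'''

# Windows XP System Restore store: \System Volume Information\_restore{GUID}\RPn\
RESTORE_RE = re.compile(
    r'\\System Volume Information\\_restore\{[0-9A-F-]{36}\}\\(RP\d+)\\',
    re.IGNORECASE,
)


def classify_location(path):
    """Return (location, restore_point_id) for a detection path."""
    match = RESTORE_RE.search(path)
    if match:
        return "restore_point", match.group(1).upper()
    return "live_filesystem", None


def parse_avg_log(text):
    """Parse detection rows; one-field rows are section titles, 'File' rows are headers."""
    records, section = [], None
    for row in csv.reader(text.splitlines(), delimiter=";", quotechar='"'):
        if len(row) == 1:
            section = row[0].strip()
        elif len(row) == 3 and row[0] != "File":
            location, restore_point = classify_location(row[0])
            records.append({
                "section": section,
                "path": row[0],
                "detection": row[1],
                "result": row[2],
                "location": location,
                "restore_point": restore_point,
            })
    return records


def summarize(records):
    """Count detections per location and list the ones outside System Restore."""
    return {
        "counts": dict(Counter(r["location"] for r in records)),
        "restore_points": sorted({r["restore_point"] for r in records if r["restore_point"]}),
        "live": [r for r in records if r["location"] == "live_filesystem"],
    }


if __name__ == "__main__":
    summary = summarize(parse_avg_log(SAMPLE_LOG))
    print(summary["counts"], summary["restore_points"])
    for rec in summary["live"]:
        print("live:", rec["path"], "->", rec["detection"])
```

Restore-point rows are backup copies that System Restore keeps under generated names (`A0001258.dll` and so on), so those rows do not show where the file originally lived; only the `live_filesystem` rows carry a real path.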

#13 odarren

odarren

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 30 September 2008 - 11:53 AM

Hi there,

I am experiencing the exact same problem. I had several trojan viruses, which McAfee removed for me. Afterwards, I stopped, then deleted the spoolsv.exe file. I then ran from the cmd line, "sfc /scannow", which required the Windows XP Professional install disk. This replaced my spoolsv.exe file with a known good file.

Unfortunately, this didn't solve the problem. spoolsv.exe and other processes can still begin taking up cpu time when I run some software (MS Word), or try to print things from other (non-Microsoft as well) applications.

I am guessing another file has been corrupted. I see that the printer spooler service is dependent on the remote procedure call service, so I may try the same tactic of replacing that file.

I am certainly looking forward to any resolution to this problem that you find.

Best of luck,
Darren

#14 DaChew


Posted 30 September 2008 - 01:07 PM

I would also consider running Windows as a repair disk

http://www.michaelstevenstech.com/XPrepairinstall.htm

#15 odarren


Posted 01 October 2008 - 01:27 PM

I did the Windows XP repair yesterday... to no avail. One oddity in the process was that I kept getting messages that the installer couldn't find specific files in /386. I'd browse to that directory and see the specific file it was looking for. Selecting that file had no effect.

So, no change at this point. The only thing I can do to run my computer well is to turn off the print spooler service--and am then, of course, unable to print. Any other thoughts on this one?

Thanks,
-D



