
spoolsub.exe - Am I clean?


13 replies to this topic

#1 ====

====

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 21 April 2016 - 03:58 AM

Hey, I found this spoolsub.exe while I was looking at the programs in the task manager. (Before shutting down I had some background programs waiting to be shut down, but it didn't say which, so I looked in the task manager.)

 

I found out that this is a dangerous file and simply deleting it didn't work. So I used UnhackMe, which made it possible to delete the file and restart. I haven't found the file or the process since.

Was that it? Is there more I have to do?

I don't even know where I got it from. I started every program I installed, but it hasn't come back.





#2 daScholar

daScholar

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 21 April 2016 - 10:27 AM

I'd highly recommend doing a Malwarebytes scan as well. It will check your registry to see if spoolsub had any keys in there.

 

Once the scan finishes, look at the list and see if there are any results related to the W32/Sdbot-AGB worm.

 

Hope this helps.


Edited by daScholar, 21 April 2016 - 10:32 AM.

If you think what I've said is helpful consider visiting my site. HelpfulDesk.Org A new site I'm building to help those with computer questions.

 

It's a brand new site. So any support you can give (inquiries, comments, visits) is appreciated immensely.

 

Be awesome out there ~ daScholar


#3 Stoman

Stoman

  • Banned Spammer
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 21 April 2016 - 10:47 AM

Try to scan your PC by this cleaning software: (link deleted)
It could help.

Edited by Queen-Evie, 21 April 2016 - 11:55 AM.
link deleted. Attempt to get downloads, he/she would earn money for each download from the link


#4 daScholar

daScholar

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 21 April 2016 - 11:01 AM

Don't download that software; it leads to PC Keeper. A couple of Google searches will tell you why not to use it.



#5 Agouti

Agouti

  • Members
  • 1,548 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 21 April 2016 - 11:14 AM

I agree with daScholar.  Don't ever trust a shortened link, especially from someone who is posting for the first time.  Don't worry, I have reported the post.  The mods will take care of him.



#6 ====

====
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 21 April 2016 - 11:39 AM

Thanks! I wouldn't have anyway; the link redirected me to a "Make easy money" website.

 

daScholar, I've been running Malwarebytes and other programs before, and they didn't find anything; it was an accident that I found this. Is there a folder or certain filenames I should look for?

 

Now rkill.exe has shown me this

 

 

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * Spooler [Missing Service]
 * TBS [Missing Service]


Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

 

It says missing service for Spooler and TBS (what's that?).

Is that good or bad?



#7 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,893 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:01:07 PM

Posted 21 April 2016 - 11:44 AM

====:

:welcome: to the Bleeping Computer Am I Infected? - What Do I Do? Forum. My name is Phil.

From what you have described, you were infected with the W32/SDBot/ABG worm.

More information on this infection can be found here and here.


I suggest that we run a few preliminary scans to determine, IF, and how seriously your computer might be compromised.



:step1: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

*Click this link to open ESET OnlineScan.
* Place a checkmark next to "Yes, I accept the Terms of Use", then click the green Start button.
* When prompted allow the Add-On/Active X to install.
* In the new window that opens, tick the radio button next to Enable detection of potentially unwanted applications.
* Then click "Advanced settings", and make sure there is a checkmark next to only the following items (uncheck everything else):

  • Remove found threats
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

*Then click the Start button and ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
*When the scan completes, click List Found Threats (only if anything is found).
*Then click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
*Click Back, then click Finish to exit ESET Online Scanner.

Don't forget to re-enable your antivirus when finished!



:step2: Download and install Malwarebytes Anti-Malware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup-2.2.*.****.exe and follow the prompts to install the program ( * = program version numbers may vary - always get the latest version).
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'.
  • Paste the contents of the clipboard into your next reply.

I would like you to paste the logs from both scans into your next reply. I will examine those and determine what our next step should be. If there is evidence of serious infection, you might have to open a new thread in the Virus, Trojan, Spyware and Malware Removal Logs Forum, but let's not get ahead of ourselves yet.
 
 
If I haven't responded to your reply in 24 hours, please send me a personal message.

Have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#8 daScholar

daScholar

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 21 April 2016 - 11:49 AM

The Spooler service is for printing. You probably aren't able to print from that computer now. TBS is used in part for the security of your computer. It's important to get these back up and running. I'm gonna do a little bit of digging and write something up for ya about getting it back in.

For now, run services.msc and see if you can see it in the services list. If it's there, enable it. If it's missing, hold on for a moment. I found an article on restoring the spooler and I'm gonna try and condense it, as it was very lengthy.

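The "Windows Service Integrity" lines in the rkill output quoted a few posts up, and the services.msc check suggested in this post, can be reproduced from an elevated PowerShell prompt. The following is an added example, not code from the thread, from rkill or from Malwarebytes. The two service names are taken from the rkill output; the display names, the expectation that the binary lives in System32, and the signature check are this example's own definition of "intact" and are assumptions:

```powershell
# Added example: reproduce rkill's "Windows Service Integrity" check for the two
# services it reported, from an elevated PowerShell prompt. Not code from the
# thread or from rkill. The service list comes from the rkill output; the path
# and signature checks are this example's own definition of "intact".

# Service name -> display name (assumed reference values). The genuine print
# spooler binary is spoolsv.exe in System32; spoolsub.exe is not a Windows file.
$expected = [ordered]@{
    'Spooler' = 'Print Spooler'
    'TBS'     = 'TPM Base Services'   # only registered on machines that have a TPM
}

function Test-ServiceIntegrity {
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Service = $Name; State = 'MISSING'; StartMode = $null; Path = $null; Signature = $null }
    }

    # PathName may be quoted and may carry arguments (svchost.exe -k ...); keep the executable only.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

    $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
    $sigText = if ($sig) { "$($sig.Status) $($sig.SignerCertificate.Subject)" } else { 'unreadable' }

    [pscustomobject]@{
        Service   = $Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Path      = $exe
        Signature = $sigText
    }
}

foreach ($name in $expected.Keys) {
    $r = Test-ServiceIntegrity -Name $name
    $flag = ''
    if ($r.State -eq 'MISSING') {
        $flag = '<-- what rkill prints as [Missing Service]'
    } elseif ($r.Path -notlike "$env:SystemRoot\System32\*") {
        $flag = '<-- binary outside System32, investigate'
    } elseif ($r.Signature -notlike 'Valid CN=Microsoft Windows*') {
        $flag = '<-- not a valid Microsoft signature, investigate'
    }
    '{0,-8} {1,-8} {2,-7} {3} {4}' -f $r.Service, $r.State, $r.StartMode, $r.Path, $flag
}
```

A MISSING Spooler after a cleanup is worth restoring because the print subsystem depends on it; a MISSING TBS on hardware with no TPM is normal, since Windows only registers that service when a TPM is present. A service that exists but points at a binary outside System32, or at one without a valid Microsoft signature, is the case that actually needs a closer look. On older Windows and PowerShell versions, catalog-signed system files can report NotSigned here, so verify such a result with a tool that checks catalogs (Sysinternals sigcheck or Process Explorer) before treating it as a finding.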


#9 daScholar

daScholar

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 21 April 2016 - 12:29 PM

I happened upon this http://www.techsupportall.com/Print-Spooler-Repair-Tool.exe. Looks like someone was nice enough to write something that'll reinstall the spooler service. 

 

Also, I've been looking around and the TBS will appear in services.msc as TPM Base service. Enable it if it's in the list.




#10 ====

====
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 22 April 2016 - 10:25 AM

garioch7

These are the results of ESET; these are only exe files. I don't understand how deleting the exe files solves anything if I still have the programs installed. But not all of them. I highlighted the installed ones.
They are sorted by results; there are 4 different ones. I never install anything I don't want to, and my antivirus program now makes it so that OpenCandy can't even be accessed during installation.

 

 

C:\Users\Administrator\Downloads\exe\CHIP Windows 10 Zwangs Update Stopper - CHIP-Installer.exe    a variant of Win32/DownloadSponsor.C potentially unwanted application    cleaned by deleting
C:\Users\Administrator\Downloads\exe\MP3Gain - CHIP-Installer.exe    a variant of Win32/DownloadSponsor.C potentially unwanted application    cleaned by deleting
C:\Users\Administrator\Downloads\exe\Taskbar Shuffle - CHIP-Installer.exe    a variant of Win32/DownloadSponsor.C potentially unwanted application    cleaned by deleting
C:\Users\Administrator\Downloads\exe\wxMP3Gain - CHIP-Installer.exe    a variant of Win32/DownloadSponsor.C potentially unwanted application    cleaned by deleting

 

 

C:\Users\Administrator\Downloads\exe\avc-free.exe    a variant of Win32/OpenCandy.A potentially unsafe application    deleted (Any Video Converter)
C:\Users\Administrator\Downloads\exe\clipgrab-3.5.6.exe    a variant of Win32/OpenCandy.A potentially unsafe application    deleted

 

C:\Users\Administrator\Downloads\exe\dfsetup218.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted (Defraggler)

 

C:\Users\Administrator\Downloads\exe\dvdvideosoft\FreeAudioConverter.exe    Win32/OpenCandy potentially unsafe application    deleted
C:\Users\Administrator\Downloads\exe\dvdvideosoft\FreeAudioDub (2).exe    Win32/OpenCandy potentially unsafe application    deleted
C:\Users\Administrator\Downloads\exe\dvdvideosoft\FreeAudioDub (3).exe    Win32/OpenCandy potentially unsafe application    deleted
C:\Users\Administrator\Downloads\exe\dvdvideosoft\FreeImageConvertAndResize.exe    Win32/OpenCandy potentially unsafe application    deleted
C:\Users\Administrator\Downloads\exe\dvdvideosoft\FreeScreenVideoRecorder.exe    Win32/OpenCandy potentially unsafe application    deleted

C:\Users\Administrator\Downloads\exe\dvdvideosoft\FreeVideoDub (2).exe    Win32/OpenCandy potentially unsafe application    deleted
C:\Users\Administrator\Downloads\exe\dvdvideosoft\FreeVideoDub (3).exe    Win32/OpenCandy potentially unsafe application    deleted
C:\Users\Administrator\Downloads\exe\dvdvideosoft\FreeVideoFlipAndRotate.exe    Win32/OpenCandy potentially unsafe application    deleted

C:\Users\Administrator\Downloads\exe\dvdvideosoft\FreeVideoToJPGConverter (2).exe    Win32/OpenCandy potentially unsafe application    deleted
C:\Users\Administrator\Downloads\exe\dvdvideosoft\FreeVideoToJPGConverter (3).exe    Win32/OpenCandy potentially unsafe application    deleted
C:\Users\Administrator\Downloads\exe\dvdvideosoft\FreeVideoToMP3Converter (5).exe    Win32/OpenCandy potentially unsafe application    deleted
C:\Users\Administrator\Downloads\exe\dvdvideosoft\FreeVideoToMP3Converter (6).exe    Win32/OpenCandy potentially unsafe application    deleted

 

Like I said, there were no MalwareBytes Results.

 

Junkware Removal sometimes uninstalled ClipGrab but never AnyVideoConverter, even though they have the same result here (Win32/OpenCandy.A). Like I said, I never installed any OpenCandy whatsoever. And that spoolsub.exe and the process in the task manager haven't come back after I reinstalled ClipGrab. (I have used this for years and I haven't found anything that said it contained a virus now.)

 

 

One last thing: after I had the ESET and Malwarebytes scans done, I immediately wanted to restart my computer to restart my antivirus program, but for a second it said "waiting for background programs to be shut down" again. Did that have something to do with my disabled virus scanner, or with Malwarebytes, which was still on? It usually doesn't do that when Malwarebytes is still on.

I have looked in the task manager but couldn't find any strange process. I've read that sometimes dangerous processes can hide themselves in the Windows task manager, so I should use another tool that truly shows all processes, but I couldn't find one! Any recommendations?

 

daScholar

Thanks, I have run the program and now rkill.exe no longer shows me that Spooler is missing!

I can't find TPM Base.


Edited by ====, 22 April 2016 - 10:41 AM.


#11 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,893 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:01:07 PM

Posted 22 April 2016 - 11:02 AM

====:

 

ESET found PUPs (Potentially Unwanted Programs) in those installer files; that is why it deleted the installer files. You are correct. That has nothing to do with the worm associated with spoolsub.exe. That ESET didn't find it means that it is no longer active on your computer.

 

A slight pause in shutdown is to be expected immediately after running anti-malware scans.  The antimalware utilities hook deep into the OS, and those "hooks" have to be released and closed by the OS.  That is no cause for concern.

 

To delve into your processes, you can use an excellent free utility called Process Explorer, which you can download here.

 

If Malwarebytes didn't find anything, and ESET dealt with what it found, I would say that you should be reasonably assured that your computer is now clean.

 

Do you require any further assistance?

 

Have a great day.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall
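Process Explorer, recommended in the reply above, answers the question asked in post #10 by showing each process with its image path and verified signer. The following is an added example, not code from the thread or from Sysinternals, that produces the same two columns from PowerShell and adds a look-alike check for names that imitate core Windows binaries, the way spoolsub.exe imitates the genuine print spooler spoolsv.exe. The reference set of system binaries and the edit-distance threshold of two are assumptions chosen for this example:

```powershell
# Added example: a scriptable stand-in for the Process Explorer columns that matter
# here (image path, verified signer) plus a look-alike check for names that mimic
# core Windows binaries, e.g. spoolsub.exe next to the genuine spoolsv.exe. Not
# code from the thread or from Sysinternals. Run elevated so SYSTEM process paths
# are readable. The reference-name set and the edit-distance threshold are assumptions.

# Core binaries that always run from %SystemRoot%\System32 (assumed reference set).
$systemNames = 'spoolsv.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'smss.exe', 'sihost.exe'

function Get-NameDistance {
    # Levenshtein distance, case-insensitive; spoolsub.exe vs spoolsv.exe is 2.
    param([string]$A, [string]$B)
    $A = $A.ToLowerInvariant(); $B = $B.ToLowerInvariant()
    $d = New-Object 'int[,]' -ArgumentList ($A.Length + 1), ($B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$A.Length, $B.Length]
}

function Get-ProcessReport {
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        $name = $_.Name
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status } else { 'n/a' }
        $trustedSystemFile = $path -and ($path -like "$env:SystemRoot\System32\*") -and ("$sig" -eq 'Valid')

        $flags = @()
        if ($path -and "$sig" -ne 'Valid') { $flags += "sig=$sig" }
        if ($systemNames -contains $name) {
            # Right name, wrong directory: the classic masquerade.
            if ($path -and $path -notlike "$env:SystemRoot\System32\*") { $flags += 'wrong-directory' }
        } elseif (-not $trustedSystemFile) {
            # Name within two edits of a core binary and not a validly signed System32
            # file: spoolsub.exe, svch0st.exe, lsasss.exe and similar.
            foreach ($ref in $systemNames) {
                if ((Get-NameDistance $name $ref) -le 2) { $flags += "looks-like-$ref" }
            }
        }

        [pscustomobject]@{
            PID   = $_.ProcessId
            Name  = $name
            Path  = $path
            Sig   = $sig
            Flags = $flags -join ','
        }
    }
}

# Flagged processes first, then everything else by name.
Get-ProcessReport | Sort-Object @{ Expression = { $_.Flags -eq '' } }, Name | Format-Table -AutoSize
```

A flag is a lead, not a verdict: plenty of legitimate third-party software runs unsigned, and a name two edits away from a system binary can still be benign. What the report is for is the combination rkill and Process Explorer both look for, a near-system name running from a user-writable directory (Downloads, %TEMP%, %APPDATA%) without a valid signature. Note that a process that hides from Task Manager by hooking the listing APIs will also hide from Win32_Process, so a clean report here does not replace a scan with a rootkit-aware tool.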


#12 daScholar

daScholar

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 22 April 2016 - 11:10 AM

http://batcmd.com/windows/10/services/tpm/ So I found this.

 

I'm curious to see if this'll fix your issue. I've been digging around and haven't seen how to reinstall it.

 

Also, can you check msconfig and see if you can find TPM Base.




#13 ====

====
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 08 May 2016 - 06:59 PM

garioch7 Thank you for answering all my questions. I think I am fine now.

 

 

daScholar, thank you. I've looked everywhere and couldn't find it. I've run rkill.exe before, and it had NEVER shown me missing services. I've talked to my computer expert and he looked inside two manuals/product descriptions, and according to them, my computer is not supposed to have TPM. He even phoned the company and they said if it's not written in those papers, it's not on my computer.

I feel stupid, but like I said, rkill.exe had not shown me the missing services before I had the virus. After I removed it, it mentioned missing Spool and TPM.

I think I should believe the manufacturer, right? But should I write to rkill.exe's developers and tell them it's reporting a missing service I'm not even supposed to have?



#14 daScholar

daScholar

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 08 May 2016 - 10:21 PM

Yeah, if the manufacturer says that, I'd trust them on the matter. It's a strange situation, but it could be that your computer was using something else instead of TPM and that is what rkill.exe is picking up. It's really hard to say. If anything, at this point I can say I haven't seen a whole lot written about TPM, so it seems like it's not gonna cause you grief if you can't solve this puzzle of a log. From what I can tell it's a way to authenticate installations being non-malicious, but in the end it's up to the user to be smart about what they are installing. So just be careful out there on the web.






