spooldr.sys removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Belicose, Feb 20, 2008.

  1. Belicose

    Belicose Private E-2

    Recently I have been receiving BSOD and finally an error report came back with an infection by spooldr.sys (Now I have some where to start!)

    I have read and completed the following:

    Read and Run Me First
    XP cleaning procedures
    ran Sophos Anti-Rootkit


    I've run norton internet security, blacklight and avg and nothing came up. Also, when using the norton web based app to check my security it says that I have no anti-virus application running although norton security center and the task bar icon say it is running. Symptons of spooldr.sys?

    Using Sophos it did find a hidden file but according to the instructions it says to not clean the checked file unless instructed to do so, I will wait.

    I also tried searching for spooldr.sys to manually remove it but I don't find it. Don't know what to do next.

    Attached are my logs, please help!

    Belicose
     

    Attached Files:

    Belicose, Feb 20, 2008
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Is this still occurring?

    Not that I know of. You can read what Symantec stated about this infection here:

    http://www.symantec.com/enterprise/security_response/weblog/2007/08/the_new_peacomm_infection_tech.html

    Please attach a log from Sophos showing what it finds. Then see if it is still being found by running a new scan.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O23 - Service: D - Unknown owner - C:\DOCUME~1\DREWOD~1\LOCALS~1\Temp\D.exe (file missing)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
D
 
File::
C:\DOCUME~1\DREWOD~1\LOCALS~1\Temp\D.exe
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    chaslang, Feb 22, 2008
    #2
  3. Belicose

    Belicose Private E-2

    Thanks for the hearty welcome and speedy response! Attached are the requested log files.

    I haven't had a BSOD since performing the read and run first process. Checking my machine against Norton's free internet security scan still shows my computer has having no virus protection. Because of that I suspect that I am affected by Peacomm which in the link you provided to Symantec hides all files that contain spooldr.exe/sys/dll etc and disables and prevents the following 3rd party apps from detecting the trojan:

    * ZoneAlarm Firewall
    * PC Watchdog Systems
    * Bcfilter Jetico Personal Firewall
    * Outpost Firewall
    * McAfee Anti Spyware
    * McAfee Internet Security Suite
    * FSecure Black Light
    * Kaspersky Anti Virus
    * Symantec Anti Virus
    * BitDefender Anti Virus
    * FSecure Anti Virus
    * Microsoft Anti Spyware
    * InterCheck Monitor
    * NOD32 Anti Virus
    * Panda Anti Virus


    Windows messanger has been disabled (uninstalled) from the link provided. What puzzles me is from the link to symantec the removal steps say to disable system restore and update/run a virus scan which again shows nothing. Due to the nature of Peacomm the fix supplied by symantec does absolutely nothing right?

    Also, running combofix changed my system clock to the 24hr format and states it will change it back which it has not. Did I skip a step or the scan not perform correctly?

    Drew
     

    Attached Files:

    Belicose, Feb 22, 2008
    #3
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    True. But you don't appear to have the infection anyway.

    Normally this is a sign that ComboFix did not run exactly as required. We can easily fix this.

    You can fix your clock from Control Panel ->Regional and Language Options and then on the Regional Options tab click the Customize button then on the next form click the Time tab. Then change the Time format to what you want. It explains there what the lower case and upper case letters will do. Upper case H is giving you 24 hour clock settings.

    You need to avoid running things we are not asking you to run. I see other things showing up in your logs from other rootkit scans ...etc. Are you also working at another forum? If so, you must not do that. You must only work in one forum.


    Sophos did not find anything other than files from Symantec.

    Your logs are all coming up clean. Perhaps you need to ask Symantec why their scan cannot detect their own antivirus program. You could also try uninstalling it and then running the below:

    Norton Removal Tool (SymNRT)

    Then reboot and try reinstalling it. Then make sure everything is working properly.
     
    chaslang, Feb 23, 2008
    #4
  5. Belicose

    Belicose Private E-2

    Chaslang,

    I'm thinking that during the run and readme I cleaned up whatever problem I had... I was receiving BSOD referencing spooldr.sys and kdbclass.sys as the error.

    Thanks for the help and looking over my logs. Glad that I found Majorgeeks!

    Drew
     
    Belicose, Feb 23, 2008
    #5
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    2. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    3. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    4. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    5. After doing the above, you should work thru the below link:
     
    chaslang, Feb 23, 2008
    #6

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds