Rootkit problem

Greetings, folks. I've searched on the forums for 'spooldr' and 'spooldr.exe' to no avail, so I imagine this is a new subject here.

About two days ago my father downloaded a (dun-dun-DUN) e-card to his desktop, despite the fact that it ended in an '.exe' extension. Anyway, when I checked it this morning, there was a new file floating around:

spooldir.ini

And, later, a new program trying to get access to the internetz:

spooldr.exe

Apparently, tcpip.sys has been altered, so I'm afraid just deleting the offending files won't help.

Any way to get rid of this problem? Let's say reformatting my dad's harddrive is not an option.

Help me, Majorgeeks, you're my only hope!

 

Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

http://www.majorgeeks.com/images/grenade.gif Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

• Make sure you check version numbers and get all updates.

http://www.majorgeeks.com/images/grenade.gif Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

http://www.majorgeeks.com/images/grenade.gifAfter doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

http://www.majorgeeks.com/images/grenade.gif Downloading, Installing, and Running HijackThis

• Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around..

http://www.majorgeeks.com/images/grenade.gifWhen you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

• CounterSpy Log - only for Windows XP, 2K, & NT users
• AVG Antispyware Log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
• Bitdefender Log - from step 6
• Panda Scan Log - from step 6
• runkeys.txt - the log from GetRunKey.bat
• newfiles.txt - the log from ShowNew.bat
• HijackThis Log

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

Bjgarrick, I have a huge (and, suddenly, more immediate) problem:

I was going through the Read & Run Me First procedure by the letter, saving logs, etc., and everything was going fine until I performed the scan with BitDefender. I performed the scan in Safe Mode with networking, saved the log to my desktop, and rebooted my computer into Normal to do the Panda scan. Immediately after, my dad's desktop lost the ability to connect to the internet. I connected the DSL modem to my lappy and was able to connect, but the desktop itself can't use the internet. Each time I try to do a System Restore, I get the "Incomplete" message and still can't connect.

Have you ever heard of this occurring after using BitDefender, or do you think it's unrelated? I left the BitDefender settings untouched when I did the scan; I think it deleted something important. If you like, I can upload the BitDefender log here (I suppose I could also put up the CounterSpy, GetRunKey, ShowNew and HJT logs, as I don't need the internet for those. However, since I lost the internet for my dad's desktop, I wasn't able to run PandaActiveScan).

Please: this is very important as my father uses his desktop for school and work.

 

Here are my logs. The PandaActiveScan is not there, of course, as I couldn't connect to the internet after using BitDefender. There were no real hookups besides that as I was going through the process.

 

And the rest...

 

One more log before we begin the fix..

Please download F-Secure's BlacklightBeta

• Download fsbl.exe and save it to the Desktop.
• Once saved... double click fsbl.exe to install the program.
• Click accept agreement and Click scan
• This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please attach the BlackLight log.

 

When I click the exe on my Desktop I get this message:

"F-Secure BlackLight could no acquire necessary privileges
(SeDubPrivilege)

-Your computer settings may prevent acquiring these privileges
-A malicious program might have disabled these privileges"

I don't have any antivirus programs on that system.

 

Download the attached file, save to your desktop. Once downloaded, double click to run, once complete reboot and try Blacklight once more.

 

The log...

 

First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.

Pre-Instructions:
Please print out these instructions so that you can operate with All Browser Windows CLOSED.


Step 1:
Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.

Step 2:
Now scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

Again, make sure ALL browser windows are closed when you click FIX.

Step 3:
Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Step 4:
Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Step 5: Begin here after rebooting from Step 5!
Next Reset Web Settings & Default Security Settings

Note for IE 6 users:
To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

Note for IE 7 users:
Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.


Step 6:
Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


Step 7:
After you have completed ALL of the above in the correct order, please attach the following logs.

• HijackThis Log
• ShowNew Log
• GetRunKey Log
• Avenger Log

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

 

I did all the steps in order. Since you said to post ShowNew and GetRunKey logs, I ran those two as well immediately after, and these are the logs that were created. Was this correct?

I'm still unable to connect to the internet with the desktop. As to whether or not the initial problem is still there, I don't know: spooldr.ini is still on my desktop. Quite honestly, it doesn't matter one bit at this point: this is my dad's PC that can't connect to the internet, and when classes start again I'll be taking my lappy to campus and he'll have no internet connection unless I get this fixed. I'm much concerned with that than getting rid of any malware.

 

More

 

No luck with that, Chaslang. Here's some oddities, though:

I can't access my modem through a browser on my desktop, but I can on the lappy.

Also, my local area connection in Network Connections was showing 'connected'.

Any epiphanies with that information?

 

For the next several hours, Chaslang, you are my hero.

I went ahead and deleted the spooldr.ini file that was disappearing and reappearing on my desktop, in case that had something to do with infecting tcpip.sys (a website I checked said that spooldr.exe did that, though).

*Awaits further instruction*

 

Deleted f^cnvesh.sys. What was it?

 

Oh, and yes, I have internet access now.

 

Are you having any further malware problems?

If so, please attach the following fresh log.

• HijackThis Log
• ShowNew Log
• GetRunKey Log

 

I think I'm clean at this point. My firewall hasn't reported spooldr.exe lookin' to get to the internet. Just in case, here are the log files.

But, if c'est fin, thanks very much Majorgeeks, for saving my system once again.

 

First, I would like to look at something. Click Start > Run > type regedit

Navigate to the key in below in quote...

Right click ok Winlogon and select Export. Save this file to your desktop, ZIP it and attach it to your next post.

Also, reset the HOSTS file to by following the below...

Download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
  [*]It will create a folder named HostsXpert in whatever folder you extract it to.
  [*]Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
  [*]Click the X to exit the program

Now click Start, Run, and enter ipconfig /flushdns and click OK!

 

Performed all of the above (or below, how I have it right now).

^_^

 

Once you complete the below, attach three new logs, GetRunKey, ShowNew and HJT.

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme1.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme1.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

 

Okie-dokey.

 

Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
10. If you are running Windows XP or Windows ME, do the below:
    • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

All seems well.

Thanks again, bjgarrick, and chaslang! Y'all are the best.

 

Your Welcome!

Be sure you go thru the "How to Protect yourself from malware!", it's a great article.

Surf Safely!