spoo1.exe

Hello !

Recently, my PC was infected with this virus spoo1.exe. This virus runs every time the PC boots up. I cannot access the icons on the taskbar because the taskbar flickers and disappears every time I click my mouse.

I tried running Avast, Ad-Aware and Spybot Search & Destroy, but none of them worked.

In the end I downloaded Autoruns (shows which programs run when booting up) from Sysinternals and removed the virus manually.

Why didn’t Avast, Ad-Aware or Spybot detect this virus?

Hi pacman2004,

Do you mean spool.exe?

spool.exe is part of RapidBlaster spyware:

http://www.liutilities.com/products/wintaskspro/processlibrary/spool/

This spyware is constantly changing to avoid detection, which is why all the programs you tried missed it.

There is a special tool available. I suggest you run it just to make sure RapidBlaster has gone:

http://www.wilderssecurity.net/specialinfo/rapidblaster.html

SpywareBlaster will protect you against future infection by RapidBlaster. It’s available here:

http://www.javacoolsoftware.com/spywareblaster.html

Hi ! FreewheelinFrank

It’s spoo1.exe, no mistake about the name :)

Thanks for the link. I will try it out.

Spool1.exe brings up nothing on Google: it must be something new.

Can you do a scan with HijackThis! and post the log please?

Instructions here:

http://www.bleepingcomputer.com/forums/tutorial42.html

Hello FreewheelinFrank

I thought I had removed spoo1.exe already?

But this process appeared again after I ran HijackThis. Same symptoms as before; a message saying “my IE homepage has changed to about:blank”.

Anyway, please see log below. Hope you can help solve this problem.

http://www.18hi.com/123.exe
Logfile of HijackThis v1.99.1
Scan saved at 7:58:46 PM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Utilities\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Utilities\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Utilities\SpywareGuard\sgmain.exe
C:\Utilities\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Utilities\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O3 - Toolbar: ó?ò?°é??(&V) - {4647E382-520B-11D2-A0D0-004033D0645D} - C:\Program Files\InfoQuick\VoiceMate\plugin\mybands.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O4 - HKLM..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [InCD] C:\Utilities\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM..\Run: [SmcService] C:\UTILIT~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM..\Run: [msnappau] “C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKCU..\Run: [PopUpStopperFreeEdition] “C:\PROGRA~1\POP-UP~1\PSFree.exe”
O4 - HKCU..\Run: [FreeRAM XP] “C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe” -win
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - Startup: SpywareGuard.lnk = C:\Utilities\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://V4.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://V5.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093701870593
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip..{ED167D02-FBA5-4053-99C6-588473EB4C04}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Utilities\Sygate\SPF\smc.exe

By the way, the process is spoo1.exe, not spool1.exe.

Freewheelin Frank

Please ignore previous log, because I have shut down the process spoo1.exe.

This new log is taken with spoo1.exe running :

http://www.18hi.com/123.exe
Logfile of HijackThis v1.99.1
Scan saved at 8:23:17 PM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Utilities\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Utilities\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\WINDOWS\system\spoo1sv.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
C:\Utilities\SpywareGuard\sgmain.exe
C:\Utilities\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Utilities\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O3 - Toolbar: ó?ò?°é??(&V) - {4647E382-520B-11D2-A0D0-004033D0645D} - C:\Program Files\InfoQuick\VoiceMate\plugin\mybands.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O4 - HKLM..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [InCD] C:\Utilities\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM..\Run: [SmcService] C:\UTILIT~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM..\Run: [msnappau] “C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [SVCH0ST] C:\WINDOWS\system\spoo1sv.exe
O4 - HKCU..\Run: [PopUpStopperFreeEdition] “C:\PROGRA~1\POP-UP~1\PSFree.exe”
O4 - HKCU..\Run: [FreeRAM XP] “C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe” -win
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - Startup: SpywareGuard.lnk = C:\Utilities\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://V4.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://V5.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093701870593
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip..{ED167D02-FBA5-4053-99C6-588473EB4C04}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Utilities\Sygate\SPF\smc.exe

Hi Pacman2004,

spoo1sv.exe is a Trojan process:

http://castlecops.com/s3454-spoo1sv_exe.html

Please download, install, update and run this anti-trojan program:

http://www.ewido.net/en/

(If this doesn’t work, we can do a manual deletion, so let me know if it works.)

I also recommend you download Ad-Aware and run a scan:

http://www.lavasoft.de/

It may detect Gamespy Arcade which is adware and which you may want to remove:

http://securityresponse.symantec.com/avcenter/venc/data/adware.gamespyarcade.html
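The clue in the second log is the name itself: spoo1sv.exe (digit one) in C:\WINDOWS\system mimics the genuine spoolsv.exe in C:\WINDOWS\system32, and the Run value that starts it is called SVCH0ST (digit zero). As an added example, not code from this thread or from HijackThis, the Python script below automates that eyeball check: it parses the “Running processes” paths and the O4 Run-key lines of a HijackThis-style log, folds look-alike characters (1 for l, 0 for o) back to the letters they imitate, and flags any name that then collides with a core Windows binary, or any core binary running from a directory other than its usual one. The table of known binaries and their Windows XP locations, and the log excerpt it runs on, are constructed for this example.

```python
"""Triage a HijackThis-style log for look-alike process names.

Added example, not part of the original thread or of HijackThis.
The KNOWN_BINARIES table and SAMPLE_LOG below are constructed for
illustration; the sample lines mirror entries seen in the logs above.
"""
import ntpath
import re

# Core Windows binaries that look-alike names usually imitate, with the
# directory the genuine copy lives in on Windows XP (lower-cased).
KNOWN_BINARIES = {
    "spoolsv.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "rundll32.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
}

# Characters commonly swapped in so a name survives a casual glance.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l"})

# O4 lines look like: O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^O4 - .*?\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


def normalise(name):
    """Lower-case a name and map look-alike characters to real letters."""
    return name.lower().translate(HOMOGLYPHS)


def executable_of(cmd):
    """Extract the program path from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_path(path):
    """Return findings for one executable path (empty list if clean)."""
    directory, name = ntpath.split(path.strip().strip('"'))
    directory, name = directory.lower(), name.lower()
    canonical = normalise(name)
    findings = []
    if canonical != name and canonical in KNOWN_BINARIES:
        findings.append(f"lookalike name: {name} imitates {canonical}")
    # A bare name (no directory) is resolved via PATH, so only judge the
    # directory when the log actually shows one.
    if directory and canonical in KNOWN_BINARIES \
            and directory != KNOWN_BINARIES[canonical]:
        findings.append(f"{name} runs from {directory}, "
                        f"expected {KNOWN_BINARIES[canonical]}")
    return findings


def triage(log_text):
    """Scan a HijackThis log; return a list of (log line, finding) pairs."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = O4_RE.match(line)
        if m:
            in_processes = False
            value_name = m.group("name")
            canon = normalise(value_name)
            if canon != value_name.lower() and canon + ".exe" in KNOWN_BINARIES:
                findings.append((line, f"Run value name {value_name} imitates {canon}"))
            findings.extend((line, f) for f in check_path(executable_of(m.group("cmd"))))
            continue
        if in_processes and re.match(r"^[A-Za-z]:\\", line):
            findings.extend((line, f) for f in check_path(line))
        elif in_processes:
            in_processes = False  # first non-path line ends the section
    return findings


# Constructed excerpt modelled on the second log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1 (constructed excerpt)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system\spoo1sv.exe
C:\Documents and Settings\User\My Documents\FreeRAM XP Pro 1.40.exe
C:\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SVCH0ST] C:\WINDOWS\system\spoo1sv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for log_line, finding in triage(SAMPLE_LOG):
        print(f"{finding}\n    {log_line}")
```

Run against the excerpt it flags only two lines, the spoo1sv.exe process and the SVCH0ST Run entry, each for both the look-alike name and the odd C:\WINDOWS\system location, while the genuine spoolsv.exe, Explorer.EXE and the bare RUNDLL32.EXE in the NvCplDaemon entry pass. The digit-for-letter substitution is cheap for malware authors precisely because it defeats a human skim of a long process list; a normalising comparison like this one does not.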

Hello Freewheelin Frank

I tried running ewido in both normal and safe mode. It still doesn’t pick up this virus :(

How do I remove it manually?

Please test the file C:\WINDOWS\system\spoo1sv.exe at http://virusscan.jotti.org/ and report what it finds. You could first rename the file in Safe Mode to prevent it from being started in normal mode.

Hi Pacman2004,

Run HijackThis! again and check the following entries:

O4 - HKLM..\Run: [SVCH0ST] C:\WINDOWS\system\spoo1sv.exe

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab

The first is your Trojan and is essential to remove; the second is adware and only recommended to remove.

Click the Fix button and reboot into safe mode. (Tap F8 while booting.)

Delete this file:

C:\WINDOWS\system\spoo1sv.exe

and search for any more instances of spoo1sv.exe and delete them

(You may need to enable ‘show hidden files’.

http://www.xtra.co.nz/help/0,4155-1916458,00.html)

Reboot into normal mode and do another HijackThis scan to check that spoo1sv.exe has gone.

If it has not, there are more drastic ways to kill it we can try later!

Good luck,

FF

Hello FreewheelinFrank

I followed your instructions. I found 2 things.

  1. There are no files with the name spoo1.exe in the windows\system subfolder, although the scan log shows otherwise.

  2. spoo1.exe appears in the windows\Prefetch subfolder. (And I deleted this while in safe mode.)

After rebooting again, spoo1.exe appears to have been deleted (it’s found in my recycle bin). I did not encounter any more messages telling me that my homepage has been changed.

I ran HijackThis again to get the latest scan… and those messages started appearing again!!

Remember, I started this thread saying that I used the program “Autoruns” from Sysinternals and also deleted the file while in safe mode? (Similar to what you have suggested, except that the program used now is HijackThis.) I ran HijackThis back then just to check it out and the same thing happened.

It seems like I am back to square one! This is driving me crazy !!

I would also like to add that spoo1.exe found its way back to the Windows\Prefetch subfolder again!

Raman:

I scanned the file using the address provided… No results.

Hello again Pacman2004,

As it seems the virus might be hiding out in prefetch, can you empty all temporary folders and clear out prefetch as described here:

http://safecomputing.umn.edu/guides/tempdirectories.html

Then could you do another boot-time scan with avast!, because a lot of new virus definitions have been added.

There are also two very powerful anti-Trojan programs which you could try:

TDS-3 (Download the definitions file and move to the program folder.)

http://tds.diamondcs.com.au/

and TrojanHunter

http://www.trojanhunter.com/

They both have a free trial, and will find Trojans that anti-virus programs miss.

Finally, download Winpatrol:

http://www.winpatrol.com/

Install and run the program and select Active Tasks. If you see spoo1sv.exe in the list, right click it and select Delete File on Reboot.

Finally run HijackThis! again so we can check that your computer is clean.

Good luck!

Pacman2004,

I found removal instructions for Souljet, of which spoo1sv.exe is a symptom, here:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SOULJET.C&VSect=Sn

If the above fails, do a scan with the Trend Micro online scanner, make a note of infected files found and proceed as described in the link.

Edit: If the Trojan is installing services, this would explain why it is returning. These services didn’t appear in the HijackThis log, where they should appear in the O23 section. ???

Hello FreewheelinFrank

No luck at all.

I have done a boot scan… it detects nothing. TrojanHunter and WinPatrol don’t work. The Trend Micro online scanner did not detect this either.

Any particular reason why HijackThis caused spoo1sv.exe to “revive”?

What next ? :-\

Hi Pacman2004,

To recap:

You have virus-like symptoms on your computer and you have found a file spoo1sv.exe which you think is responsible. This file is identified on the web as part of the SoulJet Trojan, but when you uploaded it to Jotti’s scanner, all the tests were negative. The file came back when deleted (even when you removed the start-up entry with HijackThis!), so it certainly behaves like malware. None of the programs I recommended has detected or removed this file.

Well, it looks like this might be a new variant of the Trojan, not yet recognised by anti-virus or anti-Trojan programs.

If it is like SoulJet, it will install itself as a Windows service, so that deleting the file will be useless, as services run even in safe mode; the Trojan can simply recreate the file later on. If it is doing this, the service is not appearing in HijackThis!, so we haven’t seen it.

There are several things to do:

Submit the file to avast! for analysis. Follow DavidR’s instructions in this thread:

http://forum.avast.com/index.php?topic=14717.msg124035#msg124035

Check to see if other anti-virus programs identify the Trojan. This usually takes from a few hours to a few days. Can you submit the file again to Jotti’s scanner and see if it is identified as malware by any of the programs? Repeat this daily, because eventually one of the programs should identify it.

Try some more online scanners and see if any pick it up. You can try these:

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

http://support.f-secure.com/enu/home/ols.shtml

and of course the Housecall scanner again.

Finally, you could search the registry for these entries:

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETMM
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netmm

If you find these, it is the Trojan service as described by Trend Micro. Do not delete these keys, but tell me if you find them.

Please let me know what happens.

Hello FreewheelinFrank

I noticed something peculiar when I open MS Word. It seems that the “copy” function has been activated every time I open MS Word. There is this icon with an “I” and three small vertical lines appearing. Normally this appears when we copy and paste things in MS Word.

So I clicked the “paste” function and this web address appeared: http//www.18hicom/123.exe (this happens every time I do this in MS Word). This is the web page that the virus was installed from!

I didn’t go into detail earlier about how my PC was infected. It was like this: I received an e-mail from a friend. There were no attachments in the e-mail except for the web address above. So I opened Explorer and keyed in this address. Some message appeared (can’t remember what it was, probably about running some program) and I clicked OK. That’s when all the trouble started. In hindsight, it’s really my stupidity that caused my PC to be infected.

I will try out what you have recommended and will inform you if there are new developments. I really appreciate your advice and instructions :)

Hi Pacman2004,

Could you also try these rootkit detection programs, just to see if you have a rootkit hiding malware programs and registry entries?

http://www.sysinternals.com/Utilities/RootkitRevealer.html

http://www.f-secure.com/blacklight/

Edit: Please carry out the scans in my second posting first, as I think they will be more productive!

Hi Pacman2004,

A web search on 123.exe brings up some interesting results!

eTrust describe a Trojan called Sinister Uploader 1.0 which uses an install file named 123.exe, is hidden from the user, and produces taskbar blink, all of which fits what you describe.

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453075414

Panda call this Trojan Trj/W32.Apher, so it will be interesting to see if the Panda scanner detects anything.

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=vis&idvirus=38228

eTrust also have an online scanner, so I recommend trying that:

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Sophos describe a Trojan called Troj/VB-GX which downloads a file called 123.exe from a remote location. Symptoms include the start page being set to “about:blank” which you describe. This is a new Trojan, emerging last month, and only added to the Sophos definitions this month, so this might also be the culprit!

http://www.sophos.com/virusinfo/analyses/trojvbgx.html

Sophos have a downloadable scanner you can try called SAV32CLI. You have to download it, unzip the folder and copy it to a CD. You then boot into Safe Mode with Command Prompt and run the following commands:

D:

CD SAV32CLI

SAV32CLI -REMOVE -P=C:\LOGFILE.TXT

Full instructions on this page:

http://www.sophos.com/support/disinfection/trojan.html

So, run the Panda and eTrust online scanners, and download and run the Sophos scanner; I think we’ll get a result this time!