I thought it would be a simple task to search for and then solve that spoolsv.exe issue, but it isn’t ???
(By the way, the ‘System Restore’ is disabled since long ago.)
-
I didn’t find any trace of C:\Windows\SPOOLSV.EXE (or equivalent) in the XP registry, win.ini or system.ini. So, it seems it is not a ‘Backdoor_Ciadoor_B’, right?
-
XP’s Winlogon.exe cannot run if that C:\Windows\SPOOLSV.EXE is deleted!
-
If it is the ‘Hacktool.Privshell’ trojan, is it enough for me to replace that ‘spoolsv.exe’ with the good one from ‘C:\Windows\System32’? Does XP Pro SP2 need this file in two places?!
-
Is it possible that ‘Winlogon.exe’ is directed, at the start, to the infected ‘C:\Windows\SPOOLSV.EXE’ by a sort of command embedded in ‘pagefile.sys’ (virtual memory)?!
-
Perhaps the starter is disguised under another name.
Here is the complete list in the ‘RUN’ key:
=== Begin list1 ==================================================
Known to me (hence clean):
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
"CookieWall"="C:\Program Files\AnalogX\CookieWall\cookie.exe"
Not sure about:
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName"
"NvMediaCenter"="RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"
"IMJPMIG8.1"="\"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC"
" "="C:\WINDOWS\system32\primafilla ok !!.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe"
"MsmqIntCert"="regsvr32 /s mqrt.dll"
"QuickTime Task"="\"C:\Program Files\QuickTime\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe"
=== End list1 ====================================================
And should I delete the following ones in the ‘RUN-’ key list?
=== Begin list2 =========================
"ABBYY Community Agent"="C:\PROGRA~1\SPRINT~1.0OF\Sprint\CAgent.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot"
=== End list2 ===========================
- Is it a mere coincidence that my PC got infected just before update 0513-1, or have I had it for a long time and 0513-1 is only now able to detect it as WIN32:Trojan-gen {Delphi}?
Note: The size of my actual infected spoolsv.exe is 407,552 bytes.
Thank you in advance for any further hint and/or advice.
Kerim
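A small audit script, added here as an example and not part of Kerim's post or any reply, that parses Run-key entries written in the layout of list1 and applies the checks the post is circling around: a blank value name, an executable name no installer would choose, an unqualified path, and a core system binary such as spoolsv.exe sitting outside System32. The sample text is constructed from list1 with a hypothetical "Spooler" value added, and SYSTEM32_ONLY is an assumed list of core XP binaries, not something from the post.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample: list1 entries in the post's layout (straight quotes) plus a
# hypothetical "Spooler" value pointing at the C:\Windows copy the post asks about.
SAMPLE_ENTRIES = r'''
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"IMJPMIG8.1"="\"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
" "="C:\WINDOWS\system32\primafilla ok !!.exe"
"Spooler"="C:\Windows\SPOOLSV.EXE"
'''
ENTRY = re.compile(r'^"(.*?)"="(.*)"$')
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")
SYSTEM32_ONLY = {"spoolsv.exe", "winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe"}

def executable_of(command: str) -> str:
    """Quoted path as-is; else the shortest token prefix ending in .exe (spaces)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    tokens = command.split()
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            return prefix
    return tokens[0]

def review_entry(name: str, command: str) -> list[str]:
    exe = PureWindowsPath(executable_of(command))
    findings = []  # empty means nothing odd about this value
    if not name.strip():
        findings.append("blank value name: easy to overlook in a listing")
    if "!" in exe.name or "  " in exe.name:
        findings.append("executable name uses characters installers rarely do")
    if not exe.drive:
        findings.append("no full path: which file runs depends on the search order")
    elif exe.name.lower() in SYSTEM32_ONLY and exe.parent != SYSTEM32:
        findings.append(f"{exe.name} outside System32: compare with the System32 copy")
    return findings

def audit(export_text: str) -> dict[str, list[str]]:
    report = {}  # value name -> findings, only for values that have any
    for line in export_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            name, data = match.groups()
            findings = review_entry(name, data.replace('\\"', '"'))
            if findings:
                report[name] = findings
    return report
```

Run against the sample, the clean avast! and IMJPMIG entries produce nothing, while the blank-named entry, the rundll32 entry without a full path and the hypothetical C:\Windows\SPOOLSV.EXE value are each reported.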