RejZoR
1
Some user from my local forums encountered a strange problem with Win32:Gaobot-1195. He somehow gets it loaded into:
C:\WINDOWS\system32\spool\PRINTERS\
This also triggers a waiting line in the print queue.
He checked the entire machine using my directions (McAfee and F-Secure check of the machine). Nothing found except JV/Shinwow and Exploit.VBS.Phel.a.
I’m still waiting for the HijackThis log, but for now I can’t understand why this is loaded into the SPOOL/PRINTERS folder for printing.
Files located in PRINTERS folder are always in pairs:
00001.shd and 00001.spl, 00002.shd and 00002.spl, 00003.shd and 00003.spl and so on…
.spl files appear to be recognized as Shockwave Flash Object, while .shd are an unknown filetype.
I also have the entire content (files) of the PRINTERS folder from when he found out about the Gaobot infestation. If Karel (or anyone else from Alwil) needs them, let me know and I’ll submit them.
I’ll check his HiJack This log when he sends it to me.
Oh, he is also using avast! HE just like me.
Eddy
2
.shd > ArcView ARC/INFO Shadeset Symbol File (ESRI) : Metatools Bryce Support Materials Catalogue : Print Spooler Shadow File (Microsoft)
RejZoR
3
No, I meant that the files have that default Windows icon (the one shown when a file is not associated with any program). But thx anyway.
RejZoR
4
Strange, nothing in the HijackThis log. Not even a toolbar since he’s using Opera…
Any idea what that could be? I have never encountered such a strange infestation???