
Spooldr.sys

7K views 48 replies 2 participants last post by  Ried 
Hello GusHolst,

No, the cracked game is the more likely source of the infection. Lets try another rootkit scanner.

Download RootRepeal from any of the links below:

http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe
http://rootrepeal.psikotick.com/RootRepeal.exe

Close any open programs, browsers, and disable AV and other protective programs.

  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all boxes
  • Click Ok
  • Check the box for your main system drive (Usually C:), and click Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
 
Let's see if this one will run for you. Please download Rootkit Unhooker and save it to your desktop.

Close all open programs and browsers, then double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note: you may get the following warning. Please click OK to continue:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"
 
Try running it from Safe Mode.
 
This next tool won't show me rootkits, but it may give me a hint or a clue somewhere. Again, shut down any programs, close browsers, and disable all active protection programs before running the tool.

Download OTL to your desktop.

Double click the icon to start the tool.
  • Click Run Scan and let the program run uninterrupted.
  • When the scan is complete, two text files will be created on the Desktop: OTL.Txt (this one will be opened in Notepad) and Extras.txt.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of OTL.Txt and Extras.txt in your next reply.
 
Thanks for the bump. :)

I'm not finding the source in any of these logs. Let's see if an online scanner reveals anything for us. Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.

Is the system still restarting with that same error? Have you gotten any more error messages from Gmail since changing the password?
 
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on combofix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
 
How is the system behaving now?
 
Gmer causing a crash is not unusual - that does not indicate anything is wrong with your system.

What game are you referring to? I don't see you mentioning any game by name.
 
I'll take your word for it that it's a great game. :grin:

I'm not finding any malware here. The findings by ESET were cleared when you ran ComboFix.

You might want to talk to the folks in our Gaming section and see if they have any ideas for you as to why you're having troubles with the game.
 
Your logs are clean. I can't guarantee any system is clean. I can only remove what I see.

We do need to uninstall ComboFix, but in doing so, it will flush out all old restore points. Do you see any need for previous restore points?
 
No, I'm not concerned about the rootkit scanners having trouble, only because gmer did run in Safe Mode.

I took another look at your Attach.txt. I think this is the problem with your game

08/08/2010 16:42:03, error: nv [108] - The driver nv4_disp for the display device \Device\Video0 got stuck in an infinite loop. This usually indicates a problem with the device itself or with the device driver programming the hardware incorrectly. Please check with your hardware device vendor for any driver updates.

If you've no need for the previous restore points, you can proceed with uninstalling ComboFix.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /uninstall

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
    • SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

  • WOT, Web of Trust, As 'Googling' is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE.


  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • BACKING UP YOUR REGISTRY
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.

    Vista/Windows 7 users - see this link for proper setup of Erunt http://www.winhelponline.com/blog/backup-windows-vista-registry-daily-using-erunt/


    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles

**Kindly respond one more time and let me know if we may consider this thread resolved.
 
Hi Gus. :wave:

No worries about the typo - I suppose over the years I've been called worse. :winkgrin:

ComboFix uninstall would not have made any changes to startup programs, so I'll need to see new logs.

Run a new scan with dds.scr and post both logs it produces.
 
Try running it from Safe Mode.
 
See if this tool will run for you. Download rsit.exe and save it to your desktop.
  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
If you do not see the info.txt you can find it in the C:\rsit folder. Please attach that .txt
 
Is that the exact error message each time? What else won't run and what error message do you see?
 
Scratch that, I just went back a page and read where you said nothing will open.

Rename rsit.exe to iexplore.exe and see if it will run. Make sure you have file extensions viewable so you don't end up with a double extension:

My Computer>Tools>Folder Options>

Click on the View tab and uncheck 'Hide extensions for known file types'
Click Apply, and OK your way out.
 
Thanks. :)

I posted again while you were posting. Scroll up a bit. :smile:
 
Try changing the extension to .com

If that still won't work, rename it to spoolsv.exe and give it a try.

If all that still fails, download and run the following tool to help allow other programs to run.

There are 3 different versions. If one of them won't run, then download and try to run one of the others. You only need to get one of them to run, not all of them.

(Vista and Win7 users need to right click and choose Run as Admin)

Rkill.exe
Rkill.com
Rkill.scr


Once the tool has run, do NOT reboot the machine, and then try once again to run DDS and GMER.

In some really stubborn cases, it can take several tries with rkill. The trick with rkill and some rogues is to leave the error message open, and run rkill again. You'll know rkill has worked when explorer cycles off and then on again.
 
Since explorer.exe is permitted to run, one more try in renaming.

Rename rsit.exe to explorer.exe
 
I imagine Task Manager is disabled as well. Try it anyway - press Ctrl Alt Del on your keyboard. If it doesn't load or you see that error message, try this:

Navigate to c:\Windows\System32\taskmgr.exe and copy it to the desktop. Rename it csrss.exe

Double click the csrss.exe and see if task manager opens for you.

If it does, look at the running processes. You're looking for:

  • A randomly named file, usually 8 characters long
  • av.exe

If you aren't sure of a file name, write them down and post back here what you see in the Running Processes.

If you see av.exe kill process on it and run the renamed rsit.exe.
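The process check described in the post above (write down the running processes, look for av.exe and for a random 8-character name) and the double-extension trap from the earlier "Hide extensions for known file types" note can be scripted against a saved process list. The following is an added example, not code from Ried or from any of the tools named in the thread. It assumes the CSV layout of `tasklist /fo csv /nh` (image name, PID, session name, session number, memory) and a small known-good name list that you would extend for your own build; the sample process list is constructed for illustration, not captured from the poster's machine.

```python
import csv
import io
import re

# Constructed sample of `tasklist /fo csv /nh` output (not captured from the
# poster's machine): image name, PID, session name, session number, mem usage.
SAMPLE_TASKLIST = '''"System","4","Services","0","236 K"
"csrss.exe","592","Console","0","4,120 K"
"winlogon.exe","616","Console","0","5,200 K"
"explorer.exe","1204","Console","0","22,016 K"
"spoolsv.exe","1388","Console","0","6,012 K"
"av.exe","1812","Console","0","14,340 K"
"kqzvxwfj.exe","1924","Console","0","3,100 K"
"firefox.exe","2040","Console","0","80,212 K"
"rsit.exe.exe","2200","Console","0","2,044 K"
'''

# Assumed known-good names for an XP-era box.  Note that explorer.exe and
# winlogon.exe are themselves 8-character base names, so they must be listed
# or the length heuristic below would flag them.  Extend for your own build.
KNOWN_GOOD = {
    "system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
    "taskmgr.exe", "firefox.exe", "iexplore.exe",
}

# Rogue-AV process name mentioned in the thread; matched case-insensitively.
ROGUE_NAMES = {"av.exe"}

# "Randomly named, usually 8 characters long": 8 alphanumerics plus .exe.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}\.exe$")


def parse_tasklist(csv_text):
    """Parse `tasklist /fo csv /nh` output into (image_name, pid) pairs."""
    rows = csv.reader(io.StringIO(csv_text))
    return [(row[0], int(row[1])) for row in rows if len(row) >= 2]


def has_double_extension(name):
    """rsit.exe.exe is what you get when 'Hide extensions for known file
    types' is on and you type the extension again while renaming."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] == parts[-2]


def classify(name):
    """Return a reason string if the process name looks suspicious, else None."""
    lname = name.lower()
    if lname in ROGUE_NAMES:
        return "known rogue AV name"
    if has_double_extension(name):
        return "double extension (hidden-extension rename mistake)"
    if lname in KNOWN_GOOD:
        return None
    if RANDOM_NAME_RE.match(lname):
        return "8-character random-looking name"
    return None


def find_suspicious(csv_text):
    """Return [(name, pid, reason)] for every process worth writing down."""
    hits = []
    for name, pid in parse_tasklist(csv_text):
        reason = classify(name)
        if reason:
            hits.append((name, pid, reason))
    return hits


if __name__ == "__main__":
    # Redirect real output with: tasklist /fo csv /nh > procs.csv
    for name, pid, reason in find_suspicious(SAMPLE_TASKLIST):
        print(f"{pid:>6}  {name:<16} {reason}")
```

On the sample list this flags av.exe, kqzvxwfj.exe and rsit.exe.exe and stays quiet on explorer.exe and winlogon.exe. The length rule is only a heuristic: a rogue can pick any length, and a legitimate program can have an 8-character name, so anything it flags is a name to write down and post, not a verdict.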
 