CitizenBennett Posted September 16, 2010

In the middle of a PayPal transaction my PC flashed the blue screen of death and rebooted. When I reported the error, Windows came back with an urgent message warning me my PC had been hacked by a spool root file and routed me to onecare.live.com for a full system scan. Before I ran the scan I used some Google magic to find out what exactly I was dealing with and discovered a fairly serious malware file that goes by "spooldr"; it's fairly common and a b_tch to remove without booting in safe mode. Hoping I won't need to go that far, I checked my sys32 folder to verify the spool file was there, and sure enough it was. I run Avast for internet security and so far it's done well in detecting and removing any suspicious files. I also run CCleaner about once a week. This is all on an Acer Nettop with a moderately slow Intel Atom processor, which is why I don't run a full internet security suite.

I thought long and hard about how this could have happened, because I haven't downloaded anything from the net on this PC (besides AIM, PokerStars, and my HP printer software, because I lost the disc) due to the fact that I only use it for its HDMI connection to my flat screen, which allows for fully functional internet access, and the occasional print job... and then things began to make sense. As I browsed the spool folder I was seeing a lot of HP-related file names. As I thought back I realized I kept encountering an error at HP/support.com and was having trouble downloading the driver, so I went to a 3rd-party site to attempt to locate the driver there. That site was http://www.siliconguide.com/drivers/device/674/ and, as foolish as it was to download my drivers from an unknown source, I thought I would be fine. I am currently running onecare.live's full system scan to determine the extent of the damage and am fully prepared that it will turn up nothing.
In my research on the spooldr file it was repeated often that most scans miss it entirely and it can only be removed in safe mode... sometimes not even then. If anyone has encountered this worm before I will gladly entertain any suggestions. I've included details on the spool folder if anyone cares to take a look. There are four folders in the spool folder (primary folders in all caps):

DRIVERS = 65.6 MB; folders: color, w32x86
PRINTERS = folder is empty
PRTPROCS = 1.08 MB (this one worries me); folders: w32x86, x64
XPSEP = 11.7 MB; folders: msxpsdrv.cat, msxpsdrv.inf, msxpsinc.gpd, msxpsinc.ppd
    subfolder amd64 = 7.04 MB; folders: msxpsdrv (security catalog), msxpsdrv (setup info), msxpsinc.gpd, msxpsinc.ppd, mxdwdrv.dll (file version 0.3.601.22204), xpssvcs.dll (file version 6.0.6001.22204, description: Native Code Xps Services Library)
    subfolder i386 = 4.66 MB; folders: msxpsdrv (security catalog), msxpsdrv (setup info), msxpsinc.gpd, msxpsinc.ppd, mxdwdrv.dll (file version 0.3.601.22204, Microsoft XPS Document Writer), xpssvcs.dll (file version 6.0.6001.22204, Native Code Xps Services Library)
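The folder listing above records names, sizes and version strings, but none of those tell you whether a file is the genuine Microsoft or HP binary. The check a responder would actually run is an inventory of every executable under the spool directory with its hash and Authenticode signature state. The script below is an added example for that purpose; it is not code from the original post or from any of the tools mentioned in this thread. It assumes PowerShell 3.0 or later on an elevated prompt, and the report path in $env:TEMP is an arbitrary choice.

```powershell
# Added example (not from the original post): inventory the executable files
# under the print spooler directory, recording each file's SHA256 hash,
# version resource and Authenticode signature state, and flag anything that
# is unsigned or not signed by Microsoft so it can be reviewed by hand.
# Assumptions: PowerShell 3.0 or later, run from an elevated prompt; the
# report location is an arbitrary choice.
$spoolRoot = Join-Path $env:SystemRoot 'System32\spool'
$report    = Join-Path $env:TEMP 'spool-inventory.csv'
$sha256    = [System.Security.Cryptography.SHA256]::Create()

# -Force includes hidden and system files; a dropped driver or DLL is more
# likely to carry those attributes than a legitimately installed one.
$rows = Get-ChildItem -Path $spoolRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.dll', '.sys', '.exe' } |
    ForEach-Object {
        $stream = $_.OpenRead()
        try {
            $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally {
            $stream.Close()
        }

        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            Path        = $_.FullName
            SizeBytes   = $_.Length
            ModifiedUtc = $_.LastWriteTimeUtc
            FileVersion = $_.VersionInfo.FileVersion
            Company     = $_.VersionInfo.CompanyName
            SHA256      = $hash
            SigStatus   = $sig.Status
            Signer      = $signer
            # Anything without a valid Microsoft signature gets a second look.
            # For a third-party printer driver that is expected, not proof of malware.
            Review      = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
        }
    }

$rows | Sort-Object Review -Descending | Export-Csv -Path $report -NoTypeInformation
$rows | Where-Object Review | Format-Table Path, FileVersion, SigStatus, Signer -AutoSize
"Full inventory written to $report"
```

Two caveats when reading the output. A valid signature from Microsoft on mxdwdrv.dll and xpssvcs.dll is strong evidence those files are what their version resources claim, but on older Windows releases many of Microsoft's own system files are signed through a catalog rather than an embedded signature, and Get-AuthenticodeSignature can then report NotSigned for a genuine file; treat NotSigned as "verify further" (for example with the built-in sigverif.exe) rather than as proof of tampering. And the flagging is deliberately broad: HP-signed driver files will show up in the Review list because they are not Microsoft-signed, which is exactly where to compare the hashes against a copy of the same driver fetched from HP's own site rather than the third-party download mentioned above.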
Alan2273 Posted September 16, 2010

Try Malwarebytes, http://www.malwarebytes.org/mbam.php, or SuperAntiSpyware, http://www.superantispyware.com/download.html; one of these will get rid of the infection. You could also try an online scan in safe mode with networking using Trend: http://housecall.trendmicro.com/uk/