Real hassle from virus/spyware
-
Start a new topic in the uploads forum (no registration required).
Topic Title : C:\WINDOWS\spoolsvt.exe for Captain Spyware
Add a link to this page and look just below the data entry window. You'll see the "Attach" function. Simply paste the full filepath C:\WINDOWS\spoolsvt.exe in the open field and then click the [Post] button.
-
Thanks, I think I cross posted with you when I edited my last post. Do I just wait for email with the results? Or do I have to keep checking on the other site?
-
I'll download the file now and let you know.
Edit: Derek's already had a look at it. It's a downloader for adult webcams & !!!!!! scum and will undoubtedly cause pop-ups of unwanted images.
On that basis, please use Killbox (delete on reboot) and murder that file!!
-
On that basis I will indeed murder it! Would it be useful to do a Panda scan after this and check, or wait till later? Thanks again
-
I would be inclined to run a slightly more aggressive scan than Panda to be honest.
Download Dr.Web CureIt to your desktop:
- Double-click the drweb-cureit.exe file and allow it to run the express scan.
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, select the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow > to the right and the scan will begin.
- At the first infection, select 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, click the "Select all/select none" toggle button (if available) next to the files found:
- Then click the green cup icon right below and select Move incurable as you'll see in next image:
This will move any infected files to the %userprofile%\DoctorWeb\quarantaine-folder that can't be cured (in case we need samples).
- Then, from the main Dr.Web CureIt menu (top left), click File and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit and Restart your computer to completely remove any stubborn files in reboot.
- After the restart, post the contents of the Dr.Web.csv log file which you saved.
Note: This scan can take several hours depending on the size of your hard drive.
-
Alfonso_Skinarelli wrote: Note: This scan can take several hours depending on the size of your hard drive.
I think if you don't mind I'll do this tomorrow - I'm shattered! If I try to keep going now for several more hours I'll probably press the wrong thing somewhere! Thank you for everything though, I'll probably sleep easier tonight! :)
-
Leave the scan running overnight if you can. I've known it to take up to 8 hours sometimes LOL.
Sleep well.
-
The Dr Web scan didn't take too long after all! I ran it in safe mode, hope that was right. I noticed that it has managed to quarantine the Four Book Grim Noun\oozeobj.bk! file (the Killbox didn't work on it). I went into Internet Explorer to check it and although the file Four Book Grim Noun\oozeobj.bk! has indeed gone, there is still a Four Book folder with four other icons (they look pale, not bold) - entitled antisavebold, Bib Trans VC, bitstransplan, VC Third Ace - any significance in this? Anyway the scan results - it has picked up more!
oozeobj.bk!;C:\Documents and Settings\All Users\Application Data\Four Book Grim Noun;Trojan.PWS.Krepper;Incurable.Moved.;
Process.exe;C:\Documents and Settings\Ros\Desktop\SmitfraudFix\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Ros\Desktop\SmitfraudFix\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
fwRemoteCfg.dll;C:\Program Files\Common Files\FTL Shared;Probably DLOADER.Trojan;Incurable.Moved.;
Process.exe;C:\Program Files\Roguescanfix;Tool.Prockill;Incurable.Moved.;
Dc1.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.Swizzor;Deleted.;
Dc10.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.Swizzor;Deleted.;
Dc11.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.LopAd;Deleted.;
Dc12.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.Swizzor;Incurable.Moved.;
Dc13.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.DownLoader.1190;Deleted.;
Dc2.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.Swizzor;Deleted.;
Dc3.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.Swizzor;Deleted.;
Dc4.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.DownLoader.1190;Deleted.;
Dc5.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.Swizzor;Deleted.;
Dc6.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.DownLoader.1190;Deleted.;
Dc7.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.Swizzor;Incurable.Moved.;
Dc8.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.Swizzor;Incurable.Moved.;
Dc9.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.DownLoader.1190;Deleted.;
A0002937.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP11;Trojan.Swizzor;Deleted.;
A0002938.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP11;Trojan.Swizzor;Deleted.;
A0002939.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP11;Trojan.LopAd;Deleted.;
A0002940.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP11;Trojan.Swizzor;Incurable.Moved.;
A0002941.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP11;Trojan.DownLoader.1190;Deleted.;
A0002942.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP11;Trojan.Swizzor;Deleted.;
A0002943.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP11;Trojan.Swizzor;Deleted.;
A0002944.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP11;Trojan.DownLoader.1190;Deleted.;
A0002945.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP11;Trojan.Swizzor;Deleted.;
A0002946.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP11;Trojan.DownLoader.1190;Deleted.;
A0002947.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP11;Trojan.Swizzor;Incurable.Moved.;
A0002948.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP11;Trojan.Swizzor;Incurable.Moved.;
A0002949.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP11;Trojan.DownLoader.1190;Deleted.;
A0000148.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP6;Trojan.Swizzor;Incurable.Moved.;
A0000149.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP6;Trojan.DownLoader.1190;Deleted.;
A0000150.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP6;Trojan.LopAd;Deleted.;
A0000151.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP6;Trojan.Swizzor;Deleted.;
A0000152.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP6;Trojan.DownLoader.1190;Deleted.;
A0000153.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP6;Trojan.Swizzor;Incurable.Moved.;
A0000154.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP6;Trojan.Swizzor;Incurable.Moved.;
A0000155.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP6;Trojan.DownLoader.1190;Deleted.;
A0000156.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP6;Trojan.Swizzor;Deleted.;
A0000157.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP6;Trojan.DownLoader.1190;Deleted.;
A0000158.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP6;Trojan.Swizzor;Deleted.;
A0000159.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP6;Trojan.Swizzor;Deleted.;
A0000160.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP6;Trojan.Swizzor;Deleted.;
-
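The report posted above is semicolon-delimited (file name; folder; detection; action). As an added example that is not part of the original thread, the Python below parses that layout and separates detections sitting in System Restore points and the Recycle Bin from those found in ordinary folders. The field order and the three location buckets are assumptions inferred from the rows shown, and the sample is a handful of those rows.

```python
import csv
from collections import Counter

# Rows copied from the report posted above: name;folder;detection;action;
SAMPLE = r"""
oozeobj.bk!;C:\Documents and Settings\All Users\Application Data\Four Book Grim Noun;Trojan.PWS.Krepper;Incurable.Moved.;
Process.exe;C:\Program Files\Roguescanfix;Tool.Prockill;Incurable.Moved.;
fwRemoteCfg.dll;C:\Program Files\Common Files\FTL Shared;Probably DLOADER.Trojan;Incurable.Moved.;
Dc1.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.Swizzor;Deleted.;
Dc12.exe;C:\RECYCLER\S-1-5-21-516891756-261280664-3295107285-1007;Trojan.Swizzor;Incurable.Moved.;
A0002939.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP11;Trojan.LopAd;Deleted.;
A0000149.exe;C:\System Volume Information\_restore{A64DEAED-BE8F-4F64-A460-DA3A545C4F5A}\RP6;Trojan.DownLoader.1190;Deleted.;
"""

def location_class(folder):
    """Bucket a folder so archived copies stand apart from ordinary paths."""
    upper = folder.upper()
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in upper:
        return "system-restore"   # copies kept inside restore points
    if upper[2:].startswith("\\RECYCLER\\"):
        return "recycle-bin"      # per-user Recycle Bin store
    return "ordinary-path"

def parse_report(text):
    """Parse semicolon-delimited report lines into dicts; skip blank/short lines."""
    rows = []
    for rec in csv.reader(text.splitlines(), delimiter=";"):
        if len(rec) < 4 or not rec[0].strip():
            continue
        name, folder, detection, action = (f.strip() for f in rec[:4])
        rows.append({"name": name, "folder": folder, "detection": detection,
                     "action": action.rstrip("."), "where": location_class(folder)})
    return rows

def triage(rows):
    """Count by location and action; list what was found in ordinary paths."""
    return {
        "by_location": Counter(r["where"] for r in rows),
        "by_action": Counter(r["action"] for r in rows),
        "review_first": [(r["name"], r["detection"]) for r in rows
                         if r["where"] == "ordinary-path"],
    }

if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE))
    for key, value in summary.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```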
is still a Four Book folder with four other icons ( they look pale, not bold ) - entitled antisavebold, Bib Trans VC, bitstransplan, VC Third Ace - any significance in this?
Is this the complete DrWeb report? Is anything beneath the "System Volume" entries?
-
That's the complete Dr Web report as far as I can see - should there be anything else? I checked the spreadsheet again and there are a total of 44 detections.
The Four Book Grim Noun files - I right clicked each one and chose delete and I got a message saying they were all system files and if I deleted them some programs/the PC might not work properly. I've left them as they are at present. I didn't try to open them either in case I unleashed something! Hovering over them, the first three on the list are about 2kB. The last one (VCThird Ace) is about 129kB. I checked the properties for that one - created sometime in 2005, modified 20.09.06, accessed today at 18.34 (could that be me checking the properties/trying to delete?). I don't know if I am making more of a deal of this than I need to.
Something is still going on though - McAfee has asked several times if I want to allow Skype access, saying the application has changed since I first allowed access. I decided to block it for just now and up popped a chat conversation I had had on it a while ago. Don't know if it's just a blip or part of this stuff.