Damage from mspool.exe?

gm

Hi,

I replaced ZoneAlarm with Kaspersky and immediately found out that I had
4 viruses sitting in my computer, among them were 2 instances of
mspool.exe. I searched for the info on mspool.exe and, other than that it is a
Trojan, not much info available.
I'd like to know what kind of damage could have it caused to me?

Thanks in advance for the help,

gm
 
Art

Hi,

I replaced ZoneAlarm with Kaspersky and immediately found out that I had
4 viruses sitting in my computer, among them were 2 instances of
mspool.exe. I searched for the info on mspool.exe and, other than that it is a
Trojan, not much info available.

KAV would have given you a malware name. What was it?

Art

http://home.epix.net/~artnpeg
 
gm

Art said:
KAV would have given you a malware name. What was it?

Art

http://home.epix.net/~artnpeg

Below is what I found in the Report section
========================================

C:\WINDOWS\system32\mspool.exe

is a Trojan Backdoor.Win32.ServU-based.gen
mspool.exe\mspool.exe

object could not be disinfected, disinfection postponed

C:\WINDOWS\system32\mspool.exe

object could not be disinfected, disinfection postponed

C:\WINDOWS\SYSTEM32\MSPOOL.EXE

is a Trojan Backdoor.Win32.ServU-based.gen

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspool
[ImagePath=C:\WINDOWS\system32\mspool.exe]
is infected with a virus Service: startUp link to
C:\WINDOWS\SYSTEM32\MSPOOL.EXE object with "Infected" verdict
C:\WINDOWS\SYSTEM32\MSPOOL.EXE

object could not be disinfected, disinfection postponed

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspool
[ImagePath=C:\WINDOWS\system32\mspool.exe]
 
David H. Lipman

From: "gm" <[email protected]>

| Below is what I found in the Report section
| ========================================
|
| C:\WINDOWS\system32\mspool.exe
|
| is a Trojan Backdoor.Win32.ServU-based.gen
| mspool.exe\mspool.exe
|
| object could not be disinfected, disinfection postponed
|
| C:\WINDOWS\system32\mspool.exe
|
| object could not be disinfected, disinfection postponed
|
| C:\WINDOWS\SYSTEM32\MSPOOL.EXE
|
| is a Trojan Backdoor.Win32.ServU-based.gen
|
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspool
| [ImagePath=C:\WINDOWS\system32\mspool.exe]
| is infected with a virus Service: startUp link to
| C:\WINDOWS\SYSTEM32\MSPOOL.EXE object with "Infected" verdict
| C:\WINDOWS\SYSTEM32\MSPOOL.EXE
|
| object could not be disinfected, disinfection postponed
|
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspool
| [ImagePath=C:\WINDOWS\system32\mspool.exe]

It is running as NT Service.

Download HiJackThis!
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a log file.

Copy all line items labeled "O23 - Service:" and paste only those line items in your reply.
 
Art

Below is what I found in the Report section
========================================

C:\WINDOWS\system32\mspool.exe

is a Trojan Backdoor.Win32.ServU-based.gen
mspool.exe\mspool.exe

object could not be disinfected, disinfection postponed

I suspect KAV refused to help with disinfection because it did a
generic identification. In a case like that, you should work with
Kaspersky support. They may want sample files from you to
analyze. (You may have a new variant).

You could also try David's Multi-av to see if McAfee or Sophos
can identify an exact variant and help with cleanup.

The ServU Backdoor allows a remote hacker to manipulate
files on your machine. Here's a McAfee description:

http://vil.nai.com/vil/content/v_99802.htm

Your PC thus may have been compromised ... and you might
consider changing all your passwords, etc.

Art


http://home.epix.net/~artnpeg
 
David H. Lipman

From: "Art" <[email protected]>


|
| I suspect KAV refused to help with disinfection because it did a
| generic identification. In a case like that, you should work with
| Kaspersky support. They may want sample files from you to
| analyze. (You may have a new variant).
|
| You could also try David's Multi-av to see if McAfee or Sophos
| can identify an exact variant and help with cleanup.
|
| The ServU Backdoor allows a remote hacker to manipulate
| files on your machine. Here's a McAfee description:
|
| http://vil.nai.com/vil/content/v_99802.htm
|
| Your PC thus may have been compromised ... and you might
| consider changing all your passwords, etc.
|
| Art
|
| http://home.epix.net/~artnpeg

Art:

It is being loaded as an NT Service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspool

Therefore the file handle is held open and it can't be deleted (removed), or in this case
"object could not be disinfected, disinfection postponed"

Assuming the service is named mspool:

He can open a command prompt and enter the following command lines...

sc stop mspool
sc delete mspool

Then the scan can be performed and it should be able to delete the file(s) needed.

Copying all line items labeled "O23 - Service:" in a HiJackThis! log and replying with
this information can help to identify if "mspool" is truly the name of the NT Service that
needs to be stopped and removed.
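The sequence David describes (read the service's ImagePath, stop the service so the file handle is released, delete the registration so it does not return at boot, then rescan) as a small PowerShell script. This is an added example, not code from the thread or from any of the tools mentioned; it assumes an elevated PowerShell session on Windows and takes the service name (here "mspool", from the KAV report above) as a parameter, and it only stops and deletes when `-Remove` is given.

```powershell
# Added example: inspect a suspect NT service, optionally stop and delete it.
# Assumes an elevated session. Usage: .\Check-SuspectService.ps1 -ServiceName mspool [-Remove]
param(
    [Parameter(Mandatory = $true)][string]$ServiceName,
    [switch]$Remove
)

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $key)) {
    Write-Host "No service registration found for '$ServiceName'."
    exit 0
}

# Same values HijackThis reports on an O23 line: the binary and its start type.
$imagePath = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
$startType = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
Write-Host "ImagePath : $imagePath"
Write-Host "Start     : $startType  (2 = Automatic, 3 = Manual, 4 = Disabled)"

# Strip quotes and arguments so the binary itself can be examined.
$exe = ($imagePath -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
$exe = [Environment]::ExpandEnvironmentVariables($exe)
if (Test-Path $exe) {
    # Record signer and hash before removal so the sample can still be looked up later.
    $sig  = Get-AuthenticodeSignature -FilePath $exe
    $hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
    Write-Host "Signature : $($sig.Status)  Signer: $($sig.SignerCertificate.Subject)"
    Write-Host "SHA256    : $hash"
} else {
    Write-Host "Binary not present on disk: $exe"
}

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) { Write-Host "Status    : $($svc.Status)" }

if ($Remove) {
    # Equivalent of 'sc stop' then 'sc delete': stopping releases the open file
    # handle that blocked disinfection; deleting removes the startup registration.
    if ($svc -and $svc.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force -ErrorAction Stop
    }
    & sc.exe delete $ServiceName | Out-Null
    Write-Host "Service '$ServiceName' stopped and deleted; rescan $exe now."
}
```

Run it first without `-Remove` to confirm the ImagePath and signature status match what the scanner reported before touching the service.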
 
David H. Lipman

From: "gm" <[email protected]>


| Art, David,
| thanks a lot for the help. KAV removed it later, at the time of the next
| reboot. The virus is not in the computer anymore.
|
| Thanks again,
|
| gm

Based upon the notification -- "...disinfection postponed"
 
gm

David said:
From: "gm" <[email protected]>


| Art, David,
| thanks a lot for the help. KAV removed it later, at the time of the next
| reboot. The virus is not in the computer anymore.
|
| Thanks again,
|
| gm

Based upon the notification -- "...disinfection postponed"

David,
I included in that part only info that was describing viruses. Later,
during reboot KAV removed the viruses. All the following scans, including
one that lasted for 2 hours, found no viruses.
Thanks again for the help,

gm
 
David H. Lipman

From: "gm" <[email protected]>


| David,
| I included in that part only info that was describing viruses. Later,
| during reboot KAV removed the viruses. All the following scans, including
| one that lasted for 2 hours, found no viruses.
| Thanks again for the help,
|
| gm

Any time !
 