spoolserv.exe - Dangerous
spoolserv.exe
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor could fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
It exploits weak passwords and uses the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-039) to create user accounts on remote computers.
Joins an IRC channel and waits for commands from a remote attacker.
The attacker can:
Retrieve information about the infected host, such as the operating system version and the computer's hardware
Upload and download files
Execute files
Use the computer to perform Denial of Service (DoS) attacks on other computers
Copies itself as the following files:
%System%\Spoolserv.exe
%System%\Cmst32.exe
%System%\Smshost.exe
%System%\Svhost32.exe.
Attempts to delete the following files:
X:\Program Files\Norton AntiVirus\navapsvc.exe
X:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
Use RegRun Startup Optimizer to remove this worm.
And manually changes some values in the system registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
set the DWORD value:
"restrictanonymous" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Set the value:
"EnableDCOM" = "Y"