|
Spooldr rootkit is spread by e-mail. Often attachment has the file name: "ecard.exe" or the similar name.
UnHackMe detects the working driver (not hidden) during the "Scan for Viruses" process:
Also it detects the open process immediately after reboot:
But the spooldr.exe file is hidden by rootkit technology.
The main interesting thing is how does "Spooldr" automatically start after reboot.
I used the Bootlog XP software to track the boot process.
I found that the spooldr.sys is started immediately after "%SysDir%\Drivers\tcpip.sys".
I checked the file sign of the tcpip.sys and I found that it is not signed.
However the original tcpip.sys is signed.
I discovered the contents of the "tcpip.sys" and found the string "spooldr.sys" in the end of the file.
How rootkit works?
The virus in the TCPIP.SYS is used for loading "spooldr.sys" driver.
After that the driver executes "spooldr.exe" and hides the executable file.
Spooldr.exe is used for propagation.
UnHackMe detects the "spooldr.sys" driver and it removes the driver at the next reboot.
After that we can simply delete spooldr.exe and restore old tcpip.sys in the %SysDir%\Drivers and in the %SysDir%\dllcache folders.
In addition, we need to remove "spooldr.exe" from the Windows Firewall Exclusion list.
Also, delete the "spooldir.ini" from "Documents and Settings\UserName" fodler.
|
|
 |
|
UnHackMe
Supported Windows NT4/2000/XP/2003/Vista/Seven.
Compatible with all known antiviral software.
Free updates. On-line support.
System Requirements.
|
|
 |
 |
|
|
 |
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor could fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Jeff
Rootkit removal utility that worked!
Bob Rankin
|
 |
 |
|
|