Spools.dll.vbs
My computer is infected with spools.dll.vbs.
It's detected as Win32.VBS.Attas.A,
but the file [C:\WINDOWS\spools.dll.vbs] failed to be moved to the quarantine folder.
What should I do?
Comments
Firstly, I'll assume that you use Windows XP in this problem (otherwise disregard this post).
Please look at your task manager and see if there is any process called wscript.exe running. If there is, please turn it off (end process it -> left click on the process and select end process) before you do the scan, because spools.dll.vbs is a vb ****** and it needs that process to run itself.
Remember that before you scan you should turn off System Restore in Win XP (control panel - system - system restore tab - check "turn off system restore on all drives"). You can turn it on again after you are sure that your computer is free from the virus.
Also make sure that you scan every partition of your hard drive (ex: if you have a hdd that is partitioned into two, C and D) because spools.dll.vbs copies itself into every partition that exists within your computer. Take note that it also needs an autorun.inf file to make itself run every time you try to double click your hdd / flashdisk, so if you ever spot this file make sure to delete it (it has a size of 4kb and has the following lines in it
[autorun]
shellexecute=wscript.exe spools.dll.vbs)
Try to access your registry editor (start-run-type regedit.exe) to see whether it is blocked by it. If it is blocked, then you might want to try to unblock it using a certain program / command line (I don't have the knowledge about this, sorry -> although I use a standalone antivirus called ansav (www.ansav.com) as it has the ability to unblock registry editing).
Before we continue I'd like to let you know that the next step would be dealing with registry editing. If you are not sure whether you are capable of it, please refrain from doing the next step and ask for technical support from anyone you know who has the knowledge of it.
If you managed to unblock the registry editing, then the next step would be to delete any values that are related to spools.dll.vbs. To do that you need to search for the value first. Click on My Computer on the left side panel (it is at the top of it) and then press ctrl-f. Type spools.dll.vbs and then look at the "look at" section and make sure it's all checked. Let it search for the value and then delete any value that has spools.dll.vbs in it.
After that access your msconfig (start-run-type msconfig), and then see the startup tab. See if there is any file with the name of spools that has its box checked. If there is, uncheck it. After that you might be prompted to restart your computer; do this only if you have finished scanning all your partitions.
ai_cha,
Download HijackThis 2.0.2 from:
http://www.trendsecure.com/portal/en-US/to...ools/hijackthis
Create a new folder only for HijackThis (Example: C:\HJT). But don't leave it on your desktop or in a temp folder!
Unzip it to this folder.
Click "Scan", then click "Save Log".
Save the log, and copy/paste it into your response to this thread.
Download ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe
IMPORTANT !!! Place it on your Desktop.
• Double click combofix.exe and follow the prompts.
• When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a HijackThis log.
To fix this problem you can do the following things:
You can search for files with double extensions. If the extensions are hidden on your system, turn on showing them. Open the folders you have and search for double-extension files with strange names. If you know where the file is, reboot Windows, start in safe mode and delete it. I hope that will help. Good luck.
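The two checks described in this thread (an autorun.inf whose launch entry calls a script host, and script files hiding behind a double extension) can be automated when reviewing a drive image or removable media. The following is an added example, not part of any post above; the function names and the list of decoy extensions are assumptions, and the sample inputs are constructed from the autorun.inf lines quoted in the first reply.

```python
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
DECOY_EXTS = {".dll", ".txt", ".doc", ".jpg", ".pdf", ".mp3"}  # assumed, extend as needed

# Constructed samples: the entry quoted in the thread, and a benign installer disc.
THREAD_SAMPLE = "[autorun]\nshellexecute=wscript.exe spools.dll.vbs\n"
BENIGN_SAMPLE = "[autorun]\nopen=setup.exe\nicon=setup.ico\n"

def has_double_extension(name):
    """True when a script extension follows a harmless-looking one (x.dll.vbs)."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    return (len(suffixes) >= 2 and suffixes[-1] in SCRIPT_EXTS
            and suffixes[-2] in DECOY_EXTS)

def is_launch_key(key):
    """Keys in [autorun] that cause a command to run."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))

def audit_autorun(text):
    """Return (key, command, reasons) for each suspicious launch entry."""
    findings, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line or line.startswith(";"):
            continue
        key, command = (part.strip() for part in line.split("=", 1))
        if not is_launch_key(key.lower()):
            continue
        names = [PureWindowsPath(tok.strip('"')).name for tok in command.split()]
        reasons = []
        if any(n.lower() in SCRIPT_HOSTS for n in names):
            reasons.append("script host")
        if any(has_double_extension(n) for n in names):
            reasons.append("double extension")
        if reasons:
            findings.append((key.lower(), command, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_autorun(THREAD_SAMPLE):
        print(finding)
```

Run `audit_autorun` on the contents of each autorun.inf found at a drive root, and `has_double_extension` on file names from a directory listing.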