Avast WEBforum

Other => Viruses and worms => Topic started by: RejZoR on January 06, 2005, 06:25:15 PM

Title: Strange Gaobot-1195 scenario...
Post by: RejZoR on January 06, 2005, 06:25:15 PM
A user from my local forums encountered a strange problem with Win32:Gaobot-1195. He somehow gets it loaded into:
C:\WINDOWS\system32\spool\PRINTERS\

This also triggers a waiting line for the printing files queue.
He checked the entire machine using my directions (McAfee and F-Secure check of the machine). Nothing was found except JV/Shinwow and Exploit.VBS.Phel.a.
I'm still waiting for the HijackThis log, but for now I can't understand why this is loaded into the SPOOL/PRINTERS folder for printing.
Files located in the PRINTERS folder are always in pairs:
00001.shd and 00001.spl, 00002.shd and 00002.spl, 00003.shd and 00003.spl and so on...
.spl files appear to be recognized as Shockwave Flash Object, while .shd are an unknown file type.

I also have the entire content (files) of the PRINTERS folder from when he found out about the Gaobot infestation. If Karel (or anyone else from Alwil) needs them, let me know and I'll submit them ;)

I'll check his HijackThis log when he sends it to me.
Oh, he is also using avast! HE, just like me :)
Title: Re: Strange Gaobot-1195 scenario...
Post by: Eddy on January 06, 2005, 06:27:53 PM
.shd > ArcView ARC/INFO Shadeset Symbol File (ESRI) : Metatools Bryce Support Materials Catalogue : Print Spooler Shadow File (Microsoft)
Title: Re: Strange Gaobot-1195 scenario...
Post by: RejZoR on January 06, 2005, 06:31:20 PM
No, I meant that the files have that default Windows icon (the one shown when a file is not associated with any program). But thx anyway :)
Title: Re: Strange Gaobot-1195 scenario...
Post by: RejZoR on January 06, 2005, 08:56:27 PM
Strange, nothing in the HijackThis log. Not even a toolbar, since he's using Opera...
Any idea what that could be? I have never encountered such a strange infestation ???