Some user from my local forums encountered strange problem with Win32:Gaobot-1195. He somehow gets it loaded into:
C:\WINDOWS\system32\spool\PRINTERS\
This also triggers waiting line for printing files queue.
He checked entire machine using my directions (McAfee and F-Secure check of the machine). Nothing found except JV/Shinwow and Exploit.VBS.Phel.a.
I'm still waiting for HiJack This log,but for now i can't understand why is this loaded into SPOOL/PRINTERS folder for printing.
Files located in PRINTERS folder are always in pairs:
00001.shd in 00001.spl , 00002.shd in 00002.spl , 00003.shd in 00003.spl and so on...
.spl files appear to be recognized as Shockwave Flash Object,while .shd are unknown filetype.
I also have entire content(files) of PRINTERS folder when he found out about Gaobot infestation. If Karel(or anyone else from Alwil) needs them,let me know and i'll submit them
I'll check his HiJack This log when he sends it to me.
Oh,he is also using avast! HE just like me
