29. August 2011 16:23
by Jake Rutski
Recently, I had cleaned up a virus from a user's laptop - it was a fairly straightforward cleanup, and I thought I was done. Not quite. The user said that her husband had been trying to print and was getting a print spooler error...had the spooler randomly stopped? I sent the command to restart the spooler. This did not work, as the spooler continually stopped running. I then sent the path for the spool folder to see if there were some corrupt spool files that the spooler did not like - turns out that directory was empty. Finally I recommended uninstalling and then reinstalling the print drivers for the printer...long story short, the laptop came back in.
There was clearly an issue, as the spooler stopped almost immediately whenever anything print related was done - add a printer, view server properties. I tried removing the entire contents of the driver folder in the spool directory. Still nothing. As always: "When in doubt, run Process Monitor!"
I looked through the log to see what the spoolsv.exe process was doing - did not seem to be anything out of the ordinary. Then I found it: right before the spooler thread exits, there's a QueryOpen to a file in a temp directory:
Why was the spooler looking here? Was this somehow a spool file? I figured I would just rename the file and see if that helped -
Sure enough, that worked - I could now use all printing functions on the system...but what the heck was 17EB.tmp? Let's check the stack:
Bingo! The description of this image (Zhgemubqnkekkwthf) matches one of the .exe files associated with the malware I had cleaned previously. Additionally, I have heard of malware associated with 'Heaventools Software'. Now the root cause analysis: why did any print function hose the spooler? Clearly this was the cause, but what continually called it? Let's check the registry:
So the malware had injected itself as a print provider. Any time a print function was called, the malware would likely have recopied itself, run one of the executables I had already deleted, or done something else undesirable. Additionally, it had been added to every ControlSet tree. Once it was removed from the registry entirely, the problem was fixed.
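To make this kind of registration visible without a Process Monitor session, the following added example (my own script, not from the original post) walks the print provider keys in every ControlSet tree and flags any provider DLL that lives outside System32, is missing, or is not validly signed. It assumes the standard layout of `...\Control\Print\Providers\<ProviderName>` with a `Name` value holding the DLL name, and should be run from an elevated PowerShell prompt.

```powershell
# Added example: audit print providers across all ControlSet trees.
# spoolsv.exe loads every DLL registered here on print activity, so a
# registration pointing at a temp directory or an unsigned file is a red flag.
$system32 = Join-Path $env:SystemRoot 'System32'
$results  = @()

# Check every ControlSetNNN, not just CurrentControlSet, because a persistent
# registration is typically written to all of them.
$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -like 'ControlSet*' }

foreach ($cs in $controlSets) {
    $providersKey = Join-Path $cs.PSPath 'Control\Print\Providers'
    if (-not (Test-Path -LiteralPath $providersKey)) { continue }

    foreach ($provider in Get-ChildItem -LiteralPath $providersKey) {
        # The 'Name' value is the provider DLL; a bare file name loads from System32.
        $dllName = (Get-ItemProperty -LiteralPath $provider.PSPath).Name
        if (-not $dllName) { continue }
        $dllPath = if ([System.IO.Path]::IsPathRooted($dllName)) { $dllName }
                   else { Join-Path $system32 $dllName }

        $flags = @()
        if (-not $dllPath.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
            $flags += 'outside System32'
        }
        if (Test-Path -LiteralPath $dllPath) {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
        } else {
            $flags += 'file missing'
        }

        $results += [PSCustomObject]@{
            ControlSet = $cs.PSChildName
            Provider   = $provider.PSChildName
            Dll        = $dllPath
            Flags      = ($flags -join '; ')
        }
    }
}

# Suspicious entries first; on a clean system every row should have empty Flags
# (e.g. 'LanMan Print Services' -> win32spl.dll, 'Internet Print Provider' -> inetpp.dll).
$results | Sort-Object { $_.Flags -eq '' }, ControlSet | Format-Table -AutoSize
```

Any row whose Flags column is non-empty deserves the same treatment the post describes: identify the DLL, and remove the provider key from each ControlSet tree in which it appears before restarting the spooler.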