I killed a virus but did I hurt my computer?

My Norton antivirus recently informed me that I’d acquired “backdoor assassin”. It then informed me that it couldn’t eradicate or quarantine the virus, as it was tied to Windows. It identified which files were infected, and which it had tried to delete. They all began with the “MS spool” designation, and were in the “windows” folder.

I rebooted to DOS, and had no trouble deleting all the MS SPOOL files, and voila: computer works fine (it had been slow and crash-prone with virus in it), virus scan comes up with nothing.

Everything is fine.

Or is it? Did I get overenthusiastic in wiping out my MS Spool files? Was there something in there that I’ll need? Of course I should have asked these questions before I deleted them, but since I didn’t, I’m asking now. Did I need any of those MS SPOOL files to run Windows?

Thanks!

I don’t know what (if any) real critical use the MS SPOOL designation is unless they’re printer spool files.

But you could always reinstall windows. That should fix it if it needs fixing.

A spool file is where data resides waiting the next step, as in printing. I doubt you damaged anything.

Well the printer seems to work fine.

Thanks, folks.

Just as an added safeguard, you might want to do an online virus scan as well?

No prob.

Now I got this here twinge in my back…

:)

Just let me roll up my sleeves, jonathan.

Now bend over.

You’ll be all right.
FromHere

When Backdoor.Assasin is executed, it does the following:

1. It copies itself as %Windows%\Ms spool32.exe.

2. It adds the value:

Ms Spool32 MS SPOOL32.EXE

to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and also adds the subkey:

TVP,MGNEYU4

to the registry key:

HKEY_LOCAL_MACHINE\Software

3. It creates the %Windows%\Ms spool32.dat file.

They recommend what you did:

Run a full system scan and delete all the files detected as Backdoor.Assasin.
Delete the file C:%Windows%\Ms spool32.dat.
Reverse the changes made to the registry.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit, and then click OK. (The Registry Editor opens.)
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the following value:

Ms Spool32 MS SPOOL32.EXE

5. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE

6. In the left pane, locate and delete the following subkey:

TVP,MGNEYU4

7. Click Registry, and then click Exit.

But …

How did you get infected ?

Did you have your realtime protection turned off ?

Tut Tut Tut

This piece of rogue code has been around since July 03, 2002, and you would not have gotten it had you had real time protection enabled and up to date definitions…

Then you went and deleted it yourself ?

You didn’t take a screenshot of the error message, did you?

Bad Qadgop the Mercotan
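The writeup quoted above lists three kinds of artifact (the Run-key value, the marker subkey under HKLM\SOFTWARE, and the two dropped files in the Windows directory). The following PowerShell script is an added example, not code from the thread or from Symantec, that checks a current Windows host for exactly those artifacts, captures a copy of any file found so it can be submitted for analysis as suggested later in the thread, and only removes anything when `-Remove` is given. It assumes the paths and names as quoted in the writeup, takes `%Windows%` from `$env:WINDIR`, and assumes a modern Windows with PowerShell 4 or later (it would not run on the DOS-bootable Windows of the original poster; it is here to show what the manual regedit steps check).

```powershell
# Added example (not from the thread or the Symantec writeup): report, capture and
# optionally remove the Backdoor.Assasin artifacts the quoted writeup describes.
# Run from an elevated PowerShell session. Without -Remove it only reports.
param(
    [switch]$Remove,
    # Folder where copies of found files are kept for submission (assumed location)
    [string]$CaptureDir = (Join-Path $env:TEMP 'bda-capture')
)

$windir    = $env:WINDIR                      # the writeup's %Windows%
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Ms Spool32'                     # Run value name from the writeup
$markerKey = 'HKLM:\SOFTWARE\TVP,MGNEYU4'     # marker subkey from the writeup
$files     = @("$windir\Ms spool32.exe", "$windir\Ms spool32.dat")

$findings = @()

# 1. Run-key persistence entry. Get-ItemProperty returns all values of the key;
#    look the value up by name rather than trusting that it exists.
$runProps = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($runProps -and $runProps.PSObject.Properties[$valueName]) {
    $data = $runProps.$valueName
    $findings += "Run value '$valueName' present, data: $data"
    if ($Remove) { Remove-ItemProperty -LiteralPath $runKey -Name $valueName }
}

# 2. Marker subkey. -LiteralPath so the comma in the name is not interpreted.
if (Test-Path -LiteralPath $markerKey) {
    $findings += "Subkey $markerKey present"
    if ($Remove) { Remove-Item -LiteralPath $markerKey -Recurse }
}

# 3. Dropped files. Hash and copy each one before any deletion so a sample
#    survives for submission to the vendor (the thread's later advice).
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    $findings += "File $f present, SHA256 $hash"
    if (-not (Test-Path -LiteralPath $CaptureDir)) {
        New-Item -ItemType Directory -Path $CaptureDir | Out-Null
    }
    # .bin suffix keeps the copy from being double-clicked into execution
    Copy-Item -LiteralPath $f -Destination (Join-Path $CaptureDir ("$hash.bin"))
    if ($Remove) { Remove-Item -LiteralPath $f -Force }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Assasin artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    if ($Remove) { Write-Output "Artifacts removed; samples kept in $CaptureDir. Reboot and rescan." }
}
```

Running it without `-Remove` first is the equivalent of the manual regedit walk-through: it tells you whether the Run value, the marker subkey and the files are actually there, which is also the quickest way to tell a real infection from the false positive discussed further down the thread.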

Now, now. I update my definitions weekly, and scan weekly. BDA hit me over a year ago, was detected and eliminated. I have no clue how this slipped thru. Especially since it says it was there since 9/16/03. This implies my virus scanner was running weekly without detecting it, until one week ago.

I took a “printscreen” of the error message, but it wasn’t real helpful. It told me it was the virus BDA, but then again maybe it wasn’t. It told me to use my zip rescue disks, but they didn’t function either. They were up to date too. So I figured all I could do was eliminate via DOS the files that Norton had tried and failed to eliminate on its own. Elfbabe is off at college so I was on my own.

The other computer on my network is unaffected. So it is still a mystery to me just what happened. It’s also the first time Norton has failed me in eliminating problems.

But thanks for the advice. I eliminated MS SPOOL32.EXE, but there was no TVP, or MGNEYU4 in the HKEY_LOCAL_MACHINE\SOFTWARE file.
QtM

Did it say “Clean Failed - Quarantine Failed - Action Left Alone Succeeded”?

That would indicate arrival of new definitions scanned your quarantine directory.

http://service1.symantec.com/SUPPORT/ent-security.nsf/d4c5e22498a8619f88256b6c000ba435/1dfd59a4a163616388256ca7006faa85?OpenDocument&src=bar_sch_nam
Oh, and check your email to get what you deserve for updating the defs so frequently.

Actually not. It said “repair failed” and then “quarantine failed” and it told me 4 possible reasons: One was it was a program that was currently running, and that I should shut down all programs and then run the virus scan again. Two was that I might have told it NOT to repair or quarantine. Three was that it was embedded in Windows, and could not be repaired within Windows, and Four was that it was some sort of supervirus. Then it told me to have a nice day or some such.

But now everything scans clean, and runs fine.

And thanks for giving me exactly what I deserve!

QtM

“One was it was a program that was currently running, and that I should shut down all programs and then run the virus scan again”

So how did it get there?

“Two was that I might have told it NOT to repair or quarantine.”

You may indeed have had exclusions set?

“Three was that it was embedded in Windows,”

Again, how did it get there if we had real time protection enabled and up to date defs? And where was it till now?

“and Four was that it was some sort of supervirus.”

Possibly a false positive. Something new, detected by heuristics but not previously defined, can trigger the wrong detection.

Next time identify the file itself, capture it and submit it to security response for analysis. I’ll mail you a utility for automating that.

But APOC! It’s too haaaarrrd to do all that fancy computer stuff! I’m just this guy!

Frankly, I’d rather have to deal with another pulseless non-breather with my defibrillator paddles than muck around in my computer too much. I know I can restore a heart rhythm sometimes.

Thanks again!

Fair nuff,

Next Time just kick it

The PC as opposed to a non-breather that is.

If it’s supposedly been on your system for over two months with current virus patterns, it could just be a false positive.

I know everyone’s paranoid these days, but like anything, just because your virus scanner tells you you have a virus doesn’t always make it so.

I run a tight ship on my system at home, and every two or three months I’ll get up in the morning and find that the scanner detected a “virus” during its overnight scan. All but one time, upon investigating the details of the virus it says I have, none of the secondary signs of infection for a given virus were present (i.e., no registry keys, or win.ini entries, no weird files in the downloaded files folder, or whatever).
However, as has been answered more than a couple of times - don’t sweat it, QtM. I don’t see any problems. If strange things do start happening with your printer for some reason, just delete and reinstall your printer drivers and any necessary files you need will be installed.

critter42