# C:\Windows\system32\WINSPOOL.DRV



## Acronymic (May 6, 2010)

Hello all, I'm not quite sure if my problem is a Virus/Malware, but I just felt that putting my problem in 'General Security' was wrong. I apologize and thank you in advance if I need my post to be redirected into a different forum.

This started 2 days ago, as soon as I logged in to my computer, I was presented with multiple 'errors' all saying the same thing. A screenshot is attached of what the popup appears to be.

The same error would show up multiple times, with the only difference being the title. 
It would be 'various program.exe - Bad Image' every time.

It would occur randomly when on the internet, and whenever I started my computer, with programs such as Adobe Reader. Those programs would then show a separate popup, indicating that they would not work ('Adobe Reader and Acrobat Manager has stopped working -Check online for a solution and close the program -Close the program').

Thank you for your help!


----------



## Acronymic (May 6, 2010)

Also:

I can only open Opera atm, FireFox isn't working, and videos won't play. From FaceBook to YouTube, and flash games as well.


----------



## Acronymic (May 6, 2010)

Also:

Cannot upload any media content, on any website.


----------



## CatByte (Feb 24, 2009)

Hi and Welcome,

Please do the following:

Please download *DDS* from either of these links

*LINK 1* 
*LINK 2*

and save it to your *desktop.*

Disable any script blocking protection
 Double click *dds.pif* to run the tool. 
When done, two *DDS.txt's* will open. 
Save both reports to your *desktop.*
---------------------------------------------------
*Please include the contents of the following in your next reply:*

*DDS.txt*
*Attach.txt*.

*NEXT*

Download *GMER Rootkit Scanner* from here: http://www.gmer.net/download.php to your desktop. It will be a randomly named executable.

 Double click the exe file.
 If it gives you a warning about rootkit activity and asks if you want to run scan...click on *NO*, then use the following settings for a more complete scan.



 In the right panel, you will see several boxes that have been checked. Ensure the following are *unchecked*
 IAT/EAT
 Drives/Partition other than Systemdrive (typically C:\) 
 Show All (don't miss this one)

 Then click the Scan button & wait for it to finish. 
 Once done click on the *[Save..]* button, and in the File name area, type in *"Gmer.txt"* or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and attach it in reply.

_**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries._


----------



## Acronymic (May 6, 2010)

The WINSPOOL.DRV error occurred with the Notepad results, and they couldn't open. I tried to see if I could open Notepad at all after the scan, and it won't.

Should I skip that step and continue onto gmer?


----------



## CatByte (Feb 24, 2009)

yes, try GMER, 

try running in safemode and see if notepad will open in safemode

(on boot up - tap F8 repeatedly till an option menu appears - arrow up to safe mode)


----------



## CatByte (Feb 24, 2009)

Also, try running this program, prior to the scans:

Please download *exeHelper* to your desktop.

Double-click on *exeHelper.com* to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of *log.txt* (Will be created in the directory where you ran exeHelper.com)
*Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).*


----------



## Acronymic (May 6, 2010)

Ran exeHelper in safe mode, Notepad failed to work again.


----------



## CatByte (Feb 24, 2009)

are you able to open any other text editor?

will word open for you?


----------



## CatByte (Feb 24, 2009)

Let's see if you actually have notepad.exe in your system32 folder where it is supposed to be,

Please show hidden files and folders


Double-click *My Computer. *
Click the *Tools menu,* and then click *Folder Options.* 
Click the *View tab.*
*Clear* "Hide file extensions for known file types." 
Under the "Hidden files" folder, *select* "Show hidden files and folders." 
*Clear* "Hide protected operating system files." 
Click *Apply,* and then click *OK.* 

NEXT

go to windows explorer (windows key +E) and type in notepad.exe

tell me all the locations where it is found:

(include the full file paths)


----------



## Acronymic (May 6, 2010)

C:\WINDOWS\System32
That was the only place that I found notepad.exe in when I searched for it in the search bar on the start menu (Windows Vista).

When I pressed Windows key + E, it opened the 'Computer' file, and when I searched for notepad.exe in there, nothing showed up.


----------



## Acronymic (May 6, 2010)

Sorry, I didn't see your other post. Sorry, sorry, sorry. 
Oddly enough, Wordpad will open up just fine...


----------



## CatByte (Feb 24, 2009)

Ok
Try this scan

Download *OTL* to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath *Output* at the top change it to *Minimal Output*.
Check the boxes beside *LOP Check* and *Purity Check*.
Under the Custom Scan box paste this in

```
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
CREATERESTOREPOINT
```

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL.
Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time, and post them in your next reply.


----------



## Acronymic (May 6, 2010)

When I open OTL, the original error occurs, followed by: 
This procedure * could not be located in the DLL winspool.drv.

I'm sorry, this is pretty frustrating.


----------



## CatByte (Feb 24, 2009)

If you have access to another computer, download the following program to a USB stick - rename it to Combo.com before you save it:

run it from the USB stick in safe mode:

make sure all other windows are closed and all security programs are disabled:

*Link 1* 

post the resulting log

Agree to letting combofix install the Recovery Console if it requests to do so


----------



## Acronymic (May 6, 2010)

I'm sorry, I haven't been able to access another computer, I'll have it done by tonight, though.


----------



## CatByte (Feb 24, 2009)

OK, thanks


----------



## Acronymic (May 6, 2010)

I ran combofix from a usb in safemode, and it completed safely, but I couldn't see the results because notepad error'd again.


----------



## CatByte (Feb 24, 2009)

OK

run Combofix for me again in normal mode


----------



## Acronymic (May 6, 2010)

Same result.


----------



## CatByte (Feb 24, 2009)

OK

Upload the files to the thread if you can find them

they should be located at *c:\combofix.txt* and *c:\qoobox\combofix2.txt*
then try the following:

Download *SREng*


Extract it to Desktop and double click *SREngLdr.EXE* to run it
Select *System Repair* from the left pane.
Click on *File Association*
Select all entries that have an *Error status* click *[Repair]*
Refer to this image for an example:

Close SREng now.

see if it lists notepad as a problem.

If notepad still won't open try this:


Click on *Start*, then *My Computer*
Click on the *Tools* menu option and then choose *Folder Options*....
In the Folder Options window, click on the* File Types* tab.
Under *Registered file types*:, scroll down until you see the file extension *.txt*
Click on the *selected file extension* to highlight it:
Click the *Change* button in the Details for the file extension area near the bottom of the window.
The *Open With* dialog box should appear.
Scroll through the *options* in the Programs area and locate Notepad.exe
Note: Chances are, the applications listed under Recommended Programs will contain the program you wish to use, but be sure to look at the applications under Other Programs as well if it doesn't show up immediately.

Once you find it - Click the *OK* button on the *Open With* window.
Click the *Close* button at the bottom of the Folder Options window.

let me know if you can now open notepad.


----------



## Acronymic (May 6, 2010)

I can't open it, but I think it'll upload. 

Working on SREng.


----------



## Acronymic (May 6, 2010)

I extracted SREng, but then it error'd when I attempted to open it.



'In the Folder Options window, click on the File Types tab.'
I couldn't find any 'File Types' tabs under Folder Options... 
The only tabs were General, View, and Search.


----------



## CatByte (Feb 24, 2009)

what did the error say when you tried to open sreng?


----------



## CatByte (Feb 24, 2009)

Hi,

That was the fourth run of Combo fix, I would like to see the first three logs if you can upload those as well, so I can see if I can figure out what's going on in your computer.

They will be located in c:\qoobox: combofix2.txt, combofix3.txt and combofix4.txt

thanks


----------



## CatByte (Feb 24, 2009)

As for the file types, yes, sorry, you are running Vista, there is no File Types tab:

In Vista, there are a couple of ways to access the same functionality

1.The right-click "Open With" command for individual files. For more information about this, open Help and find the topic called "Change the program that opens a type of file."

2. Open the Control panel and visit Default Programs. There are a few settings there, such as "Set your default programs" and "Associate a file type with a program."

locate the .txt extension and choose notepad.exe


----------



## Acronymic (May 6, 2010)

After asking for permission from the admin to run, I accepted but then the same original error occurred with SREng.
'SRE859e6ab1.exe - Bad Image'

I'll try to find the rest of the combofix logs, but I'm pretty sure I've only run it twice.
I've used combofix before, to fix a different malware issue though.

Default Programs to Associate a file type with a program.
.txt was already next to notepad.


I could only find Combofix2.


----------



## CatByte (Feb 24, 2009)

did you run the OTL program,

if so, please post that log 

thanks


----------



## Acronymic (May 6, 2010)

I wasn't able to/can't right now run OTL:
'OTL.exe - Bad Image.
C:\Windows\system32\winspool.drv is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.'

Then, another error occurs:
'Application error
The procedure* could not be located in the DLL winspool.drv.'

): I'm sorry. This is incredibly lame.


----------



## CatByte (Feb 24, 2009)

Delete the copy from your desktop and download one of the renamed versions

http://oldtimer.geekstogo.com/OTL.com
http://oldtimer.geekstogo.com/OTL.scr

see if either of those will run,

use the custom scan I gave you with the original post.


----------



## Acronymic (May 6, 2010)

Tried both, same result.

Scanning with DDS again.


----------



## Acronymic (May 6, 2010)

I'm sorry, notepad is still not working, so I can't save+attach the results of DDS. 

):


----------



## CatByte (Feb 24, 2009)

go back into the file extensions list and change txt files to open with wordpad or word

instructions in this post http://forums.techguy.org/7417523-post21.html

you don't need to open them yourself, just save the log and upload it.


----------



## Acronymic (May 6, 2010)

I'm not sure what's happening.
I made wordpad the default for .txt, but it still says that notepad is erroring, and so the logs never appear.


----------



## CatByte (Feb 24, 2009)

Hi,

This is quite odd.

I need to consult with colleagues, so bear with me.

I'll be back as soon as possible with further instructions:


----------



## Acronymic (May 6, 2010)

Take your time, I appreciate all the help you've been giving me so far.  Thanks.


----------



## CatByte (Feb 24, 2009)

can you please upload this file:

*C:\Qoobox\ComboFix-quarantined-files.txt*


----------



## CatByte (Feb 24, 2009)

Hi,

Please try the following:



1. Click Start, click Run, type C:\Windows\system32, and then click OK.

2. scroll down and locate the Winspool.drv file. Right-click the Winspool.drv file, and then click Rename.

3. Type winspool.drv.old, and then press ENTER.

4. Restart the computer.

Let me know if that helps.

Try running OTL again


----------



## Acronymic (May 6, 2010)

'Destination Folder Access Denied'
You need to confirm ...

I pressed continue, then gave admin. permission then it said
'Destination Folder Access Denied'
You need permission to access this folder... Try Again.


I can't rename it. :|


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:


Please go to  VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the *"Suspicious files to scan"* box on the top of the page:

*c:\windows\system32\userinit.exe*
Click on the *Upload* button
If a pop-up appears saying the file has been scanned already, please select the *ReScan* button.
Once the Scan is completed, click on the "*Copy to Clipboard*" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

Do the same for the following files:

*c:\windows\explorer.exe*
*c:\windows\system32\notepad.exe*
*c:\windows\system32\spoolsv.exe*
*C:\Windows\system32\Winspool.drv*

*Next*

1. Click Start, click Run, type C:\Windows\system32, and then click OK.

2. scroll down and locate the Notepad.exe file. Right-click the Notepad.exe file, and then click Rename.

3. Type notepad.exe.old, and then press ENTER.

4. Restart the computer.

Let me know if the logs will now open in wordpad.

*NEXT*

For the permission issue on that folder,

Try this:

Download Take_Ownership.reg and run it to load it into the registry. If your UAC is still active, you'll have to hit Continue every time.

Download Take_Ownership.reg

Now, when you *hold shift* and *right-click* on a file or folder ( the one with issue ) you will have the option of changing the ownership by clicking 'Take Ownership'.

do the same (right click notepad.exe > take ownership) if you are unable to rename notepad.exe.

Let me know if that worked.


----------



## CatByte (Feb 24, 2009)

Hi,

sorry, I omitted the step of running from an elevated command prompt to rename the file:

This may work instead of using the Take Ownership program.



Click on your Start button and type CMD into the text field. Right-click on the search result and select "Run As Administrator" from the menu. (Alternately, you could right-click on "Command Prompt" in Start > All Programs > Accessories.)

With the command prompt window open please type in the following lines pressing Enter after each:

```
cd C:\Windows\System32
rename Winspool.drv Winspool.drv.old
```

Then restart the computer and let me know if that fixed the problem.


----------



## Acronymic (May 6, 2010)

```
C:\Windows\System32>cd C:\Windows\System32

C:\Windows\System32>rename Winspool.drv Winspool.drv.old
Access is denied.

C:\Windows\System32>
```

^ That's what my cmd windows looks like.

And for the VIRscan, 
The Copy to clipboard button isn't working.

How should I post the results?
c:\windows\system32\userinit.exe
c:\windows\explorer.exe
c:\windows\system32\notepad.exe
c:\windows\system32\spoolsv.exe 

All came clean, but when I tried to scan the winspool.drv,
ERROR: Can't find upload file!

I also tried by finding the drive manually, then uploading it, but it wouldn't upload.


----------



## CatByte (Feb 24, 2009)

Try the "take Ownership" on the winspool.drv file


----------



## CatByte (Feb 24, 2009)

Hi,

I've received some advice from a colleague and this should do it.

It would seem that Winspool.drv is likely corrupted and is showing as in use.

As long as the file is in use, you will receive an access denied error.

You will need to boot to the Repair Console.

It should be available by tapping F8 repeatedly at startup until an option menu appears > arrow up to the Repair Console.

At the Repair Console select *Command prompt*, then type the following:

```
C:
cd \
cd widows\system32
ren Winspool.drv Winspool.drv.old
Exit
```

Restart the computer.

Chances are your Printer's software needs to be reinstalled.

Let me know how things are now.


----------



## Acronymic (May 6, 2010)

is it 'cd widows\system32'? Or 'cd windows\system32'.


----------



## CatByte (Feb 24, 2009)

sorry it's cd windows (typo)

my apologies


----------



## Acronymic (May 6, 2010)

It's fineee.  I just didn't want to type the wrong thing, just in case.


----------



## CatByte (Feb 24, 2009)

how did you make out with the last instructions (once you got past the typo)?


----------



## Acronymic (May 6, 2010)

I'm so sorry it took so long! I appreciate your patience. I had to go on a family trip. 

It worked! Only now the error that occurs says that Winspool.drv cannot be found. 

 Does this mean all we have to do now is redownload it? I haven't done anything yet, though, since you haven't instructed so.


----------



## CatByte (Feb 24, 2009)

Hi,

Let's check the status of the PC first.

How is it behaving other than the message you are receiving.

Do you have any outstanding issues?

Can you open notepad?

If it will open now

please run the OTL program from this post here and post the log:

http://forums.techguy.org/7413347-post13.html


----------



## Acronymic (May 6, 2010)

Actually, the computer's exactly the same as before when the original error occurred. Still occurs in the same scenarios, messes up the same programs, blah.
Which includes Notepad. ):


----------



## CatByte (Feb 24, 2009)

OK,

Can you be more specific as to exactly what happens and with what program:

Please delete the copy of ComboFix from your desktop, download a fresh copy and run it, make sure your security programs are disabled and then post the resulting log.


----------



## Acronymic (May 6, 2010)

My computer is basically in the same condition as before I renamed winspool.drv to winspool.drv.old, the error occurs in the same instances, ie, when I log onto my computer, and Adobe Acrobat errors. 

I still can't access the same things I couldn't access before, only the actual text in the error is different. 

Running ComboFix.


----------



## Acronymic (May 6, 2010)

downloading* ComboFix.


----------



## Acronymic (May 6, 2010)

When I tried to run it, the error saying that Winspool.drv could not be located occurred twice. After I clicked, 'Okay' on both of them, ComboFix continued and opened as if nothing happened. After a couple of minutes of nothing happening, a Windows popup appeared saying that the program had to be closed...

I attached screenshots because I'm horrible at explaining, but if they are too tedious or unhelpful, I won't attach them anymore. Just let me know.


----------



## CatByte (Feb 24, 2009)

It's hard to know what is going on with your computer.

We should probably try a boot CD to access the computer without windows loading so I can look at what is going on.

Hopefully you have access to a computer that can burn CDs

We will need to make a *BOOT CD*

Print these instruction out so that you know what you are doing.

Two programs to download

*First *

Please download ISOBurner and save it to your desktop. This program will allow you to burn *OTLPE.ISO* to make a bootable CD.

Double click the ISOBurner set up icon to install the program, from there on in it is fairly automatic.
There are Instructions for the iso burner here if you need them.

*Second*


Download *OTLPE.iso* and save it to your desktop. Now burn OTLPE.iso to a CD using ISO Burner. (NOTE: This file is 276.7 MB in size so it may take some time to download.)
When downloaded double click *OTLPE.iso* > this will then open *ISOBurner* to burn the file to CD

Reboot the infected system using the *boot CD* you just created.
_Note :_ If you do not know how to set your computer to boot from CD follow the steps here

Your system should now display a Reatogo desktop.
*Note : as you are running from CD it is not exactly speedy *
Double-click on the *OTLPE* icon.
Select the Windows folder of the infected drive if it asks for a location
When asked "*Do you wish to load the remote registry*", select *Yes*
When asked "*Do you wish to load remote user profile(s) for scanning*", select *Yes*
Ensure the box "*Automatically Load All Remaining Users*" is checked and press *OK*
OTL should now start. Change the following settings
Change Drivers to Safe List
Under the Custom Scan box paste this in
```
/md5start
iaStor.sys
nvstor.sys
atapi.sys
nvata.sys
iastorv.sys
/md5stop
```

Press *Run Scan* to start the scan.
When finished, the file will be saved in drive *C:\OTL.txt*
Copy this file to your USB drive if you do not have internet connection on this system.
Right click the file and select send to : select the USB drive.
Confirm that it has copied to the USB drive by selecting it
You can backup any files that you wish from this OS
Please post the contents of the *C:\OTL.txt* file in your reply.


----------



## Acronymic (May 6, 2010)

Okay. This may take some time, because I won't be able to get the boot cd from my other computer because it's in another house.


----------



## Acronymic (May 6, 2010)

404!
The resource requested could not be found on this server!

^ Happens when trying to download OTLPE.iso. ):


----------



## CatByte (Feb 24, 2009)

Hi,
Yes, the link has been changed

new instructions to follow:


----------



## CatByte (Feb 24, 2009)

Hi,

File details OTLPEStd.exe
Bytes=97,702,766
MB=93.1
MD5=FC1A07D156DE710955032B1CF7891671


Download *OTLPEStd.exe * to your desktop
Ensure that you have a blank CD in the drive
Double click *OTLPEStd.exe* and this will then open imgburn to burn the file to CD
Reboot your system using the boot CD you just created.
*Note : If you do not know how to set your computer to boot from CD follow the steps here*
As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads 

Your system should now display a Reatogo desktop.
*Note : as you are running from CD it is not exactly speedy *
Double-click on the *OTLPE* icon.
Select the Windows folder of the infected drive if it asks for a location
When asked "*Do you wish to load the remote registry*", select *Yes*
When asked "*Do you wish to load remote user profile(s) for scanning*", select *Yes*
Ensure the box "*Automatically Load All Remaining Users*" is checked and press *OK*
OTL should now start.
Drag and drop this attached *scan.txt *into the Custom scans and fixes box
Press *Run Scan* to start the scan.
When finished, the file will be saved in drive *C:\OTL.txt*
Copy this file to your USB drive if you do not have internet connection on this system.
Right click the file and select send to : select the USB drive. 
Confirm that it has copied to the USB drive by selecting it
You can backup any files that you wish from this OS
Please post the contents of the *C:\OTL.txt* file in your reply.


----------



## CatByte (Feb 24, 2009)

Hi,

I was discussing this thread with an expert colleague and there is another scan he suggested we run as well to see if we can identify what is going on with this machine:

Please do the following:

Please navigate to C:\Windows and look for a file named *ntbtlog.txt*

If present, *delete* it.

Restart the computer and begin tapping F8 upon startup to enable the *Advanced Start Menu.*

Select *Enable Boot Logging*

The computer will continue to boot normally.

Logon and open the *C:\Windows\ntbtlog.txt* file and post its contents here.

It may be large, so please zip it and attach it.


----------
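Boot logs of the kind requested above are long and repetitive, so here is an added triage script (not part of the thread, and not one of the tools it uses) that reads an ntbtlog.txt and lists only the drivers that never loaded. The script name, the `-Path` parameter and the sample lines are my own constructions; the sample driver names are placeholders, not drivers from the poster's machine. It assumes PowerShell 2.0 or later, which is what Windows Vista shipped with.

```powershell
# Added example, not from the thread: triage a Windows boot log (ntbtlog.txt) produced by
# "Enable Boot Logging". Assumes PowerShell 2.0 or later. Run as
#   .\Get-BootLogFailures.ps1 -Path C:\Windows\ntbtlog.txt
# to read the real file; with no -Path it uses the constructed sample below.
param([string]$Path)

# Constructed sample in the same shape as a real ntbtlog.txt; EXAMPLE_* names are placeholders.
$sampleLines = @(
    'Microsoft (R) Windows (R) Version 6.0 (Build 6002)',
    ' 5 11 2010 09:12:33.375',
    'Loaded driver \SystemRoot\system32\ntoskrnl.exe',
    'Loaded driver \SystemRoot\system32\hal.dll',
    'Loaded driver \SystemRoot\System32\Drivers\ksecdd.sys',
    'Did not load driver \SystemRoot\System32\Drivers\EXAMPLE_retry.sys',
    'Loaded driver \SystemRoot\System32\Drivers\EXAMPLE_retry.sys',
    'Did not load driver \SystemRoot\System32\Drivers\EXAMPLE_orphan.sys',
    'Did not load driver \SystemRoot\System32\Drivers\EXAMPLE_orphan.sys',
    'Loaded driver \SystemRoot\System32\Drivers\EXAMPLE_printer.sys'
)

function Get-BootLogFailures {
    param([string[]]$Lines)

    $state = @{}                                  # driver path -> 'Loaded' or 'Failed'
    $order = New-Object System.Collections.ArrayList
    foreach ($line in $Lines) {
        if ($line -match '^(Loaded driver|Did not load driver)\s+(.+?)\s*$') {
            $drv = $matches[2]
            if (-not $state.ContainsKey($drv)) { [void]$order.Add($drv); $state[$drv] = 'Failed' }
            if ($matches[1] -eq 'Loaded driver') { $state[$drv] = 'Loaded' }
        }
    }
    # A "Did not load" followed by a later "Loaded" for the same driver is a retry that
    # succeeded and is normal; only drivers that never loaded are worth chasing.
    foreach ($drv in $order) {
        if ($state[$drv] -eq 'Failed') {
            New-Object PSObject -Property @{ Driver = $drv; Status = 'never loaded' }
        }
    }
}

$lines    = if ($Path) { Get-Content -LiteralPath $Path } else { $sampleLines }
$failures = @(Get-BootLogFailures -Lines $lines)

"$($lines.Count) lines read, $($failures.Count) driver(s) never loaded:"
$failures | Format-Table Status, Driver -AutoSize
```

On the constructed sample the only entry reported is EXAMPLE_orphan.sys: EXAMPLE_retry.sys fails once and then loads, which the loop records as 'Loaded'. Read against a real log, a driver that shows up here and belongs to printer or spooler software is the kind of lead the thread was looking for.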



## Acronymic (May 6, 2010)

! C:\WINDOWS\ntbtlog.zip: Cannot create ntbtlog.zip
! Access is denied.


): I'll upload it, but it's not .zip format.


----------



## CatByte (Feb 24, 2009)

Hi,

Please remove all your installed printers and any printer drivers that are installed on your machine

Also can you tell me if you can reach a command prompt

go to Start > type *cmd*

right click on the cmd.exe that appears and choose to run as administrator

do you get a command window opening up?


----------



## Acronymic (May 6, 2010)

I can reach the cmd without removing my printer drivers. Should I still uninstall them, though?


----------



## CatByte (Feb 24, 2009)

Yes,

please remove the printers and the printer drivers completely

let me know once that is done how the computer behaves and what error messages you might still be receiving.


----------



## Acronymic (May 6, 2010)

When I try to open 'EPSON Printer Software Uninstall', the error stating the application failed to start because Winspool.drv couldn't be found.

Is there another way to manually uninstall it? I have an EPSON WorkForce 500 Series.


----------



## CatByte (Feb 24, 2009)

Hi,

we need to rename the winspool.drv.old back to winspool.drv then try removing it again

Most likely your Epson software is corrupt and causing all these issues.


----------



## CatByte (Feb 24, 2009)

Just want to give you the instructions for that again,

just do the steps you did before in reverse

You might want to rename the file from an elevated command prompt
go to start > type *cmd*

right click the command and choose to run as an administrator

type the following at the command prompt

```
C:
cd \
cd windows\system32
ren Winspool.drv.old Winspool.drv
Exit
```

Restart the computer.


----------



## Acronymic (May 6, 2010)

I renamed it. Should I try uninstalling EPSON once more?


----------



## CatByte (Feb 24, 2009)

yes please


----------



## Acronymic (May 6, 2010)

I am still blocked by an error when I try to open the 'EPSON Printer Software Uninstall'. 
Only it's the very first error, the 'Bad Image' error.


----------



## CatByte (Feb 24, 2009)

Hi,

let's look for a replacement Winspool.drv on your system.

It's looking more like that file is corrupted and causing all these issues.

Please open an elevated command window:

Click Start and type cmd in Start Search.
When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.

copy/paste the following into the open window

```
cd \
dir winspool.drv /s>log.txt
ftype>>log.txt
assoc>>log.txt
```

*log.txt* will be located in your *c:\ drive*, if you can please upload it.

thanks


----------



## Acronymic (May 6, 2010)

When I copy/pasted it, everything said 'Access is denied.'

log.txt uploaded.


----------



## CatByte (Feb 24, 2009)

did you right click and run as Administrator?


----------



## CatByte (Feb 24, 2009)

Please try it this way,

open the elevated command window again

copy/paste the following

log.txt should now be on your desktop

```
cd \
dir winspool.drv /s>%userprofile%\desktop\log.txt
ftype>>%userprofile%\desktop\log.txt
assoc>>%userprofile%\desktop\log.txt
```


----------



## Acronymic (May 6, 2010)

Yes, I ran it as Administrator.

I'll go ahead and attach log.txt


----------



## CatByte (Feb 24, 2009)

OK, that doesn't seem to be working for you.

Let's disable that spooler driver and see if that changes anything:

Please do the following:

Winkey + R > type *services.msc* > Enter

Scroll down to Printer Spooler Service

double click the Spooler Service and
stop it

now set it to *disabled*

reboot the machine

see if the behaviour of the machine changes at all with the spooler service disabled.

(I'm turning in for the night - will pick this up tomorrow, very late here)


----------



## Acronymic (May 6, 2010)

Printer Spooler was already 'stopped' when I opened it, then I disabled it. 
Restarted the computer, everything's still the same as before I disabled it. 
The programname.exe - Bad Image error still occurs at the same rate as before.


----------



## CatByte (Feb 24, 2009)

OK

let's see if we can find a copy of that file on your system and replace it

glad you're hanging in there with me on this, it's a strange one, I'll be asking for lots of tasks for you to do

trial and error at this stage

were you ever able to burn the boot CD?

Please try this

Open an elevated command window:

Go to Start > type in cmd

right click the command.exe in the window above and choose to run as an Administrator

then type the following:
```
dir winspool.drv /s
```

you will see the results written to the command window

please type out the alternate locations that it gives you for winspool.drv

thanks


----------



## Acronymic (May 6, 2010)

It's all good, I'm glad you're still trying to help me. 

I will still try to get that CD, sorry. I told my friend it was alright since we were trying to solve it with an alternative way at that moment.

Hmmm, it says that there is only one file of Winspool.drv? I'm not sure how to type it out.
Should I send you a screenshot?

It says exactly:

```
C:\Windows\system32>dir winspool.drv /s
Volume in drive C is HP
Volume Serial Number is 4813-21D1

Directory of C:\Windows\system32

09/24/2009 17:54 PM 0 Winspool.drv
1 Files(s) 0 bytes

Total Files Listed:
1 File(s) 0 bytes
0 Dir(s) 176,508,141,568 bytes free

C:\Windows\system32>
```

I eyeballed it when I typed it out, but that's exactly what my cmd window looks like.


----------



## Acronymic (May 6, 2010)

Pffff, nevermind. I spaced it out all like the window, but silly forum won't let me post it with all the extra spaces, etc.


----------



## CatByte (Feb 24, 2009)

Please try this

let's look in a different location

there should be one in the winsxs folder

Open an elevated command window:

Go to Start > type in cmd

right click the command.exe in the window above and choose to run as an Administrator

then type the following:

dir %systemroot%\winspool.drv /s


you will see the results written to the command window

please type out the alternate locations that it gives you for winspool.drv

thanks


----------



## Acronymic (May 6, 2010)

```
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>dir %systemroot%\winspool.drv /s
Volume in drive C is HP
Volume Serial Number is 4813-21D1

Directory of C:\Windows\System32

09/24/2009 17:54 PM 0 Winspool.drv
1 File(s) 0 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.0.6001.18000_none_932df61f18add086

01/20/2008 21:23 PM 258,048 winspool.drv
1 File(s) 258,048 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.0.6002.18005_none_95196f2b15cf9bd2

04/11/2009 01:27 AM 258,048 winspool.drv
1 File(s) 258,048 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.0.6002.18088_none_94c5f0a9160dc75f

09/24/2009 17:54 PM 0 winspool.drv
1 File(s) 0 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.0.6002.22197_none_9543bd3e2f3469c3

09/24/2009 17:55 PM 258,048 winspool.drv
1 File(s) 258,048 bytes

Total Files Listed:
5 File(s) 774,144 bytes
0 Dir(s) 176,481,472,512 bytes free

C:\Windows\system32>
```

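The listing above is the whole diagnosis in one screen: the copy that every printing-aware program loads, C:\Windows\System32\winspool.drv, is 0 bytes, as is the WinSxS component copy for build 6.0.6002.18088 with the same timestamp, while the three other component copies are intact at 258,048 bytes. As an added example (not part of the original thread), the PowerShell below repeats the `dir /s` walk but records size, file version, SHA-256 and signature status for each copy, warns on anything 0 bytes, and checks whether the System32 copy is byte-identical to one of the WinSxS components (on Vista and later it is normally a hard link to one of them). It assumes an elevated PowerShell prompt and uses only PowerShell 2.0-era cmdlets; the `winsxs` path and `System32\winspool.drv` location are taken from the listing.

```powershell
# Added example (not from the original thread): do what "dir %systemroot%\winspool.drv /s"
# did above, but record size, file version, SHA-256 and signature status for every
# copy, so a 0-byte stub stands out next to the intact copies. Run elevated.
# Hash is hand-rolled because Get-FileHash only arrived in PowerShell 4.

$name = 'winspool.drv'
$root = $env:SystemRoot

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

$copies = Get-ChildItem -Path $root -Filter $name -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        New-Object PSObject -Property @{
            Path      = $_.FullName
            Bytes     = $_.Length
            Modified  = $_.LastWriteTime
            Version   = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            SHA256    = if ($_.Length -gt 0) { Get-Sha256Hex $_.FullName } else { '(empty file)' }
            # Caveat: Windows system DLLs are catalog-signed, so older PowerShell reports
            # NotSigned for a perfectly good file. Treat this column as informational only.
            Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    }

$copies | Sort-Object Version -Descending |
    Format-Table Bytes, Version, Modified, Signature, Path -AutoSize

# 1. Anything 0 bytes cannot be a DLL at all; that is the "Bad Image" error.
$copies | Where-Object { $_.Bytes -eq 0 } |
    ForEach-Object { Write-Warning "0-byte stub: $($_.Path)" }

# 2. A healthy System32 copy is byte-identical to one of the WinSxS component
#    copies (the servicing stack normally hard-links them), so its hash should
#    appear among them. If it does not, let SFC check it against the catalog.
$sys32  = $copies | Where-Object { $_.Path -ieq (Join-Path $root "System32\$name") }
$winsxs = $copies | Where-Object { $_.Path -like (Join-Path $root 'winsxs\*') }
if ($sys32 -and $sys32.Bytes -gt 0) {
    $match = $winsxs | Where-Object { $_.SHA256 -eq $sys32.SHA256 }
    if ($match) {
        $match | ForEach-Object { "System32 copy matches component: $($_.Path)" }
    } else {
        Write-Warning "System32 copy matches no WinSxS component; run: sfc /verifyfile=$($sys32.Path)"
    }
}
```

The hash comparison is the useful part: with the System32 copy at 0 bytes there is nothing to compare, but once a replacement has been dropped in, a hash match against one of the versioned component copies tells you which build you restored and that nothing was altered in the process. `sfc /verifyfile=<path>` is the built-in fallback when no component matches.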

----------



## CatByte (Feb 24, 2009)

Hi,

I have uploaded a script for you to drop into combofix, replacing those corrupt winspool.drv

save the script to your desktop, then just drag it into ComboFix,

reboot your computer if ComboFix doesn't do it automatically










Referring to the *screenshot* above, *drag CFScript.txt* into *ComboFix.exe.*
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. 
*Copy and paste the contents of the log in your next reply.*


----------



## Acronymic (May 6, 2010)

My computer didn't reboot on its own, but the log was produced before I could manually do so, so I have uploaded it.

Should I still reboot, then reupload it?

(I named it combolog.txt)

Notepad works now!


----------



## Acronymic (May 6, 2010)

Asjfhasjkfha!

The error doesn't appear anymore & i can watch videos & open firefox.


----------



## CatByte (Feb 24, 2009)

try all the programs that were giving you errors,

are there any outstanding issues or did that fix it?


----------



## CatByte (Feb 24, 2009)

Let's run a couple more scans to make sure there are no infections lurking, but I have a feeling this was all caused by that corrupt file, now how that became corrupted, who knows? Do you recall what happened or what you were doing before this all happened?

Please do the following:


Please open your *MalwareBytes AntiMalware* Program
Click the *Update Tab* and *search for updates*
If an update is found, it will download and install the latest version.
Once the program has loaded, select* "Perform Quick Scan"*, then click* Scan.*
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that everything is checked, and click *Remove Selected*. <-- very important
When disinfection is completed, a *log* will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
*Copy&Paste the entire report in your next reply.*

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


*NEXT*

*Vista users* - right click on the IE icon and run as administrator

*Run an on-line scan with Kaspersky*

Using Internet Explorer or Firefox, visit *Kaspersky On-line Scanner*

*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions. 
*2.* To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan
*3.* Click *Run* at the Security prompt. 
The program will then begin downloading and installing and will also update the database. 
Please be patient as this can take several minutes. 

Once the update is complete, click on *My Computer* under the green *Scan* bar to the left to start the scan. 
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. 
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined. 
Click *View scan report* at the bottom.










 Click the *Save as Text* button to save the file to your desktop so that you may post it in your next reply


----------



## Acronymic (May 6, 2010)

I tried restarting my computer, to check if the error occurred when I logged on to my computer, and when I viewed a flash/video/ or upload photos, and it hasn't occurred at all!
I think it's been fixed!  I'm so ecstatic!


----------



## Acronymic (May 6, 2010)

Running MBAM.


----------



## CatByte (Feb 24, 2009)

(thanks to expert noahdfear for his input)


----------



## Acronymic (May 6, 2010)

Thanks to you both! 

Sorry that I took so long to reply at times, but thank you so much for being patient and sticking with me. 

MBAM Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4190

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

6/11/2010 22:13:20
mbam-log-2010-06-11 (22-13-20).txt

Scan type: Quick scan
Objects scanned: 133492
Time elapsed: 11 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## CatByte (Feb 24, 2009)

Good,

the Kaspersky scan might take a couple of hours:

please reenable that winspool driver when it's done:

please do the following:

open an elevated command window

(Start > type *cmd *> right click cmd.exe > run as administrator)

copy/paste the following command into the elevated command window > press enter

*reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v Start /t REG_DWORD /d 0x2 /f*

(don't do that till Kaspersky's done though)

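The `reg add` above sets the Print Spooler service's Start value back to 2 (Automatic) unconditionally, which is fine once the file has been replaced but would just reintroduce the "Bad Image" errors if the DLL were still the 0-byte stub. As an added example (not part of the original thread), the PowerShell below refuses to re-enable the service while System32\winspool.drv is empty, makes the same change through the Service Control Manager, confirms that the registry now holds the value the `reg add` would have written, and starts the service. It assumes an elevated PowerShell prompt and nothing about the ComboFix script used earlier.

```powershell
# Added example (not from the original thread): re-enable the Print Spooler
# only after checking that the DLL it and every printing app load is real again.
# Run from an elevated PowerShell prompt.

$dll        = Join-Path $env:SystemRoot 'System32\winspool.drv'
$svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'
$startTypes = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$before = (Get-ItemProperty -Path $svcKey -Name Start).Start
"Spooler Start before: $before ($($startTypes[[int]$before]))"

# Precondition: a 0-byte winspool.drv is exactly what produced the Bad Image popups.
$file = Get-Item -Path $dll -ErrorAction Stop
if ($file.Length -eq 0) {
    throw "$dll is 0 bytes; restore it before re-enabling the spooler."
}
"winspool.drv: $($file.Length) bytes, version $($file.VersionInfo.FileVersion)"

# Same effect as:
#   reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v Start /t REG_DWORD /d 0x2 /f
# but done through the SCM so no reboot is needed for it to take effect.
Set-Service -Name Spooler -StartupType Automatic

$after = (Get-ItemProperty -Path $svcKey -Name Start).Start
if ($after -ne 2) { throw "Spooler Start is $after, expected 2 (Automatic)" }

Start-Service -Name Spooler
Get-Service -Name Spooler | Select-Object Name, Status
```

Going through `Set-Service` rather than writing the registry directly means the Service Control Manager sees the new start type immediately; the registry read afterwards is just the proof that it landed as Start=2, which is what the thread's `reg query`-style check would show.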

----------



## Acronymic (May 6, 2010)

Okay!


----------



## Acronymic (May 6, 2010)

Kaspersky did take a while, plus I accidentally exited out of the browser twice, and had to restart. ):

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v St
art /t REG_DWORD /d 0x2 /f
The operation completed successfully.

C:\Windows\system32>

I was wondering, how do I rehide my hidden folders? I know it's probably back in one of these pages, but I thought it'd be better to just ask.


----------



## CatByte (Feb 24, 2009)

Hi,

Please do the following:

*Set correct settings for files that should be hidden in Windows Vista*

Click *Start.*
Open *My Computer.*
Select *Folder and Search Options*
Select the *View Tab.*
Under the *Hidden files and folders* heading select *Hide hidden files and folders.*
Check *Hide file extensions for known file types*
Check the *Hide protected operating system files (recommended)* option.
Click *Yes *to confirm.
Click *OK.*

*NEXT*

*Follow these steps to uninstall Combofix *


Click *START* then *RUN*
Now copy/paste *Combofix /uninstall* into the *runbox* and click *OK.* Note the *space* between the *..X* and the */U*, it needs to be there.










*NEXT*

Clean up with *OTL:*

Double-click *OTL.exe* to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the *CLEANUP* button
Say *Yes* to the prompt and then allow the program to reboot your computer.

If any logs/tools remain on your desktop > right click and delete them.

*NEXT*

Below I have included a number of recommendations for how to protect your computer against malware infections.


It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article*
Strong passwords: How to create and use them* 
Then consider a *password keeper,* to keep all your passwords safe.

Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

*Make Internet Explorer more secure*
Click *Start* > *Run*
Type *Inetcpl.cpl* & click *OK*
Click on the *Security* tab
Click *Reset all zones to default level*
Make sure the *Internet Zone* is selected & Click *Custom level*
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
Next Click *OK*, then *Apply* button and then *OK* to exit the Internet Properties page.

*Download* *TFC* *to your desktop*
Close any open windows.
Double click the *TFC* icon to run the program
TFC *will close all open programs itself* in order to run, 
Click the *Start* button to begin the process. 
Allow *TFC* to run uninterrupted.
The program should not take long to finish its job
Once its finished it should automatically *reboot your machine,*
if it doesn't, manually reboot to ensure a complete clean
*It's normal after running TFC cleaner that the PC will be slower to boot the first time. *

*WOT*, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
*Green* to go 
*Yellow* for caution 
*Red* to stop
WOT has an add-on available for Firefox, IE and Chrome.

*Keep a backup of your important files* - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

*ERUNT* (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
*Think Prevention.*
*PC Safety and Security--What Do I Need?.*

***Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. *

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

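Two of the steps in the post above, restoring the Explorer folder-view defaults and tightening the ActiveX settings of the Internet zone, are plain registry values under the current user, so they can be checked and reapplied without clicking through the dialogs. The PowerShell below is an added example, not part of the original thread: it lists the value the post asks for beside each setting, reports which ones already match, and writes the rest. The value names (`Hidden`, `HideFileExt`, `ShowSuperHidden` for Explorer; `1001`, `1004`, `1201` in the zone key, with 0 = Enable, 1 = Prompt, 3 = Disable) are the standard ones Explorer and Internet Explorer read; the script assumes the current user's hive and an Internet zone (zone 3) that has not been renamed by policy.

```powershell
# Added example (not from the original thread): apply the Explorer view
# defaults and the Internet-zone ActiveX settings from the post via the
# registry, reporting what was already correct and what had to change.
# Current user only; open a new Explorer window / IE session afterwards.

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ieZone3  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$desired = @(
    # Folder Options > View
    @{ Key = $explorer; Name = 'Hidden';          Value = 2; Why = 'Hide hidden files and folders (1 = show)' },
    @{ Key = $explorer; Name = 'HideFileExt';     Value = 1; Why = 'Hide extensions for known file types (0 = show)' },
    @{ Key = $explorer; Name = 'ShowSuperHidden'; Value = 0; Why = 'Hide protected operating system files (1 = show)' },
    # Internet Options > Security > Internet zone > Custom level (0 Enable, 1 Prompt, 3 Disable)
    @{ Key = $ieZone3; Name = '1001'; Value = 1; Why = 'Download signed ActiveX controls: Prompt' },
    @{ Key = $ieZone3; Name = '1004'; Value = 1; Why = 'Download unsigned ActiveX controls: Prompt' },
    @{ Key = $ieZone3; Name = '1201'; Value = 3; Why = 'Initialize and script ActiveX not marked safe: Disable' }
)

foreach ($s in $desired) {
    $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($current -eq $s.Value) {
        "OK       $($s.Name) = $current  ($($s.Why))"
    } else {
        Set-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -Type DWord
        "CHANGED  $($s.Name): $current -> $($s.Value)  ($($s.Why))"
    }
}
```

One caveat a practitioner would add: `HideFileExt = 1` is included because the post asks for it, but hidden extensions are what let a file named something like `report.pdf.exe` pass for a document, so many people deliberately keep that value at 0 and drop that line.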

----------



## Acronymic (May 6, 2010)

Thank you so much.


----------



## CatByte (Feb 24, 2009)

Glad we finally got it figured out in the end

stay safe

~CB


----------

