RE: what is ?POOLSV.EXE

[Sayin]

Quoting an old topic I found while looming around looking for an answer to the same question, I decided to report my findings here.

Topic

Now... poolsv.exe Does infact exist. (NOT spoolsv.exe, I've done the check on the two files, they are quite different from one, another.) The file itself has many registry keys hidden away in the registry, and runs whenever a user accesses the internet. From what I can tell, it is spam, as it hosts a self-installing spyware program called "WinAntiSpyware 2007" which is, although similar to the basic spamming and tracking spyware, quite an annoyance because it attempts to mask it's own files under the names, or almost-matching names of key system files. This program is also carried along with another program, which I don't currently have the name of. I will get it as soon as possible, though.


There is two of it's 6+ keys.
so far, I have found keys in these folders (I will update the list as I find more);
\\HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

\\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\poolsv

\\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
(mainly the key-folder "NI.UWAS7_0001_N91M2703", but you may want to search through every folder and key directory in there for various names like WinAntiSpyware 2007 FreeInstall, or something of the sort.)

\\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Explorer\ShellExecuteHooks\
(Found a key for the program it hosts, here.)

\\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Uninstall\WAS7_is1
(Found another key for the program it hosts)

\\HKEY_LOCAL_MACHINE\SOFTWARE\WinAntiSpyware 2007\
(Another key for the hosted program)

\\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fopn\log\
(Another key for the hosted program)
---------
If anyone else finds information on this spyware program, please share it.
~Sayin

[eniqmah]

Spyware.

It's not a part of Windows. And it certain doesn't look like it belongs in your Windows folder. upload to Virus total and scan. Check your ports.

[LoneWolf]

You can try and remove this rouge app with the free version of Rouge Remover
I have removed some old entries of Error Nuker in the past with this.
Their forum is here.http://www.malwarebytes.org/forums/

A little info here.http://www.castlecops.com/o23list-1837.html
And here.http://fileinfo.prevx.com/spyware/qq...OOLSV.EXE.html

[GlobalForce]

Welcome Sayin,

Take a look at this 2yr old, EXAMPLE ONLY thread - http://www.geekstogo.com/forum/lofiv...hp/t60652.html

Further investigation reveal's a possible PurityScan infection. Prevx has it flagged, CCop's listing as the 'Microsoft SCC Host Protocol' (maybe running hidden). Hard to tell what's what these day's with the different variant's in circulation. If you're serious about both removing it and learning a thing or two in the process I'd suggest taking your concern's to a *dedicated* removal forum.

BFC Computer Help is one such site - http://bfccomputerhelp.com/index.php?showtopic=323

Should you have any question's prior to post, I'm sure someone there would be happy to field them for you.


Steve

[Shaba]

Flagged as Trojan.Smitfraud Variant here

Comes often as a part of WinAntiSpyware/Vundo/Virtumonde infection bundle.

[Sayin]

I thank you guys alot for such informative replies. Personally, neither I, nor my software had any information on the file, or the package itself. Any advise on what program I should use to, possibly clean the entire trojan off of my computer without having to wipe my HDD?

[GlobalForce]

That you were compelled to ask I'd suggest visiting malware expert Shaba at my previous link, BFC Computer.

BTW Shaba, "Wishing you a warm and healthy welcome to our Wilder's community!"


Steve

[Shaba]

Thank you for your kind words, GlobalForce

[Sayin]

Oo... Interesting...