RE: what is ?POOLSV.EXE

Discussion in 'privacy problems' started by Sayin, Jul 8, 2007.

Thread Status:
Not open for further replies.
  1. Sayin

    Sayin Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    3
    Location:
    Lithonia, GA
    Quoting an old topic I found while looming around looking for an answer to the same question, I decided to report my findings here.


    Now... poolsv.exe does in fact exist. (NOT spoolsv.exe; I've done the check on the two files, they are quite different from one another.) The file itself has many registry keys hidden away in the registry, and runs whenever a user accesses the internet. From what I can tell, it is spam, as it hosts a self-installing spyware program called "WinAntiSpyware 2007" which is, although similar to the basic spamming and tracking spyware, quite an annoyance because it attempts to mask its own files under the names, or almost-matching names, of key system files. This program is also carried along with another program, which I don't currently have the name of. I will get it as soon as possible, though.

    (Attached image: Info.jpg) There are two of its 6+ keys.
    So far, I have found keys in these folders (I will update the list as I find more):
    \\HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

    \\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\poolsv

    \\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
    (mainly the key-folder "NI.UWAS7_0001_N91M2703", but you may want to search through every folder and key directory in there for various names like WinAntiSpyware 2007 FreeInstall, or something of the sort.)

    \\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Explorer\ShellExecuteHooks\
    (Found a key for the program it hosts, here.)

    \\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Uninstall\WAS7_is1
    (Found another key for the program it hosts)

    \\HKEY_LOCAL_MACHINE\SOFTWARE\WinAntiSpyware 2007\
    (Another key for the hosted program)

    \\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fopn\log\
    (Another key for the hosted program)
    ---------

    If anyone else finds information on this spyware program, please share it.
    ~Sayin
     
    Last edited: Jul 8, 2007
  2. eniqmah

    eniqmah Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    391
    Spyware.

    It's not a part of Windows. And it certainly doesn't look like it belongs in your Windows folder. Upload it to VirusTotal and scan. Check your ports.
     
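The first post's list of registry locations and the second reply's advice to hash the file and check it on VirusTotal can be combined into one read-only triage script. The following is an added example written for this thread, not code posted by any participant. It assumes an elevated PowerShell 4 or later session on the affected machine; the `ShellExecuteHooks` and `Uninstall` keys are read from their full `CurrentVersion` paths (the post's paths omit that component), the service key is read from `CurrentControlSet` instead of the post's `ControlSet003`, and the name pattern, `$Locations` and the function names are this example's own choices built only from names that appear in the thread.

```powershell
# Added example, not from the thread: read-only triage of the persistence locations named
# in the first post, plus SHA-256 hashes of the files they point at for a VirusTotal lookup.
# Assumes an elevated PowerShell 4+ session on the affected machine. Nothing is deleted.

# Names taken from the thread (poolsv, WinAntiSpyware 2007, WAS7_is1, NI.UWAS7_..., fopn).
# \b before poolsv keeps the legitimate spoolsv.exe from matching as a substring.
$Pattern = '\bpoolsv|WinAntiSpyware|WAS7|UWAS7|\bfopn\b'

# Locations from the first post. ShellExecuteHooks and Uninstall sit under CurrentVersion
# (the post's paths omit it); Services is read from the live control set, not ControlSet003.
$Locations = @(
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WinAntiSpyware 2007',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

function Get-SuspectRegistryEntries {
    foreach ($root in $Locations) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            $keyMatches = $key.PSChildName -match $Pattern
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            $reported = $false
            if ($props) {
                foreach ($p in $props.PSObject.Properties) {
                    if ($p.Name -like 'PS*') { continue }   # PowerShell's own metadata
                    $data = [string]$p.Value
                    if ($keyMatches -or $p.Name -match $Pattern -or $data -match $Pattern) {
                        $reported = $true
                        [pscustomobject]@{ Key = $key.Name; ValueName = $p.Name; Data = $data }
                    }
                }
            }
            # A matching key with no values (such as an empty Services\fopn\log) is still worth seeing.
            if ($keyMatches -and -not $reported) {
                [pscustomobject]@{ Key = $key.Name; ValueName = ''; Data = '' }
            }
        }
    }
}

function Get-ReferencedFileHash {
    param([string]$Data)
    # Pull the first drive-rooted or %VAR%-rooted .exe/.dll path out of value data, quoted or bare.
    if ($Data -match '"?((?:[A-Za-z]:|%\w+%)\\[^"]+?\.(?:exe|dll))') {
        $path = [Environment]::ExpandEnvironmentVariables($Matches[1])
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{
                Path      = $path
                Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                Signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
            }
        }
    }
}

# The first post contrasts poolsv.exe with the legitimate print spooler spoolsv.exe;
# hashing both makes the difference concrete and gives two values to look up.
function Compare-SpoolerLookalikes {
    $legit = Join-Path $env:SystemRoot 'System32\spoolsv.exe'
    $found = Get-ChildItem -Path $env:SystemRoot -Filter 'poolsv.exe' -Recurse -File -ErrorAction SilentlyContinue
    $paths = @($legit) + @($found | ForEach-Object FullName)
    foreach ($p in $paths) { Get-ReferencedFileHash -Data $p }
}

$entries = @(Get-SuspectRegistryEntries)
"Registry entries matching the names from the thread: $($entries.Count)"
$entries | Format-Table -AutoSize -Wrap

"Hashes of files those entries reference (look these up on VirusTotal):"
$entries | ForEach-Object { Get-ReferencedFileHash -Data $_.Data } |
    Sort-Object Path -Unique | Format-Table -AutoSize

"Print spooler vs. the look-alike named in the thread:"
Compare-SpoolerLookalikes | Format-Table -AutoSize
```

Run it before removing anything, so the key names and hashes are recorded for whichever removal forum picks up the case. On older Windows versions, catalog-signed system files such as spoolsv.exe can report `NotSigned` from Get-AuthenticodeSignature, so a `NotSigned` status alone is not conclusive; the SHA-256 lookup is the more reliable check.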
  3. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408

    Attached Files:

    Last edited: Jul 8, 2007
  4. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Welcome Sayin,

    Take a look at this 2yr old, EXAMPLE ONLY thread - http://www.geekstogo.com/forum/lofiversion/index.php/t60652.html

    Further investigation reveals a possible PurityScan infection. Prevx has it flagged, CCop's listing as the 'Microsoft SCC Host Protocol' (maybe running hidden). Hard to tell what's what these days with the different variants in circulation. If you're serious about both removing it and learning a thing or two in the process I'd suggest taking your concerns to a *dedicated* removal forum.

    BFC Computer Help is one such site - http://bfccomputerhelp.com/index.php?showtopic=323

    Should you have any questions prior to posting, I'm sure someone there would be happy to field them for you.


    Steve
     
    Last edited: Jul 8, 2007
  5. Shaba

    Shaba Registered Member

    Joined:
    Jul 11, 2007
    Posts:
    10
    Location:
    Finland
    Flagged as Trojan.Smitfraud Variant here

    Comes often as a part of WinAntiSpyware/Vundo/Virtumonde infection bundle.
     
  6. Sayin

    Sayin Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    3
    Location:
    Lithonia, GA
    I thank you guys a lot for such informative replies. Personally, neither I nor my software had any information on the file, or the package itself. Any advice on what program I should use to possibly clean the entire trojan off of my computer without having to wipe my HDD?
     
  7. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Given that you were compelled to ask, I'd suggest visiting malware expert Shaba at my previous link, BFC Computer.

    BTW Shaba, "Wishing you a warm and healthy welcome to our Wilder's community!"


    Steve
     
  8. Shaba

    Shaba Registered Member

    Joined:
    Jul 11, 2007
    Posts:
    10
    Location:
    Finland
    Thank you for your kind words, GlobalForce :)
     
  9. Sayin

    Sayin Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    3
    Location:
    Lithonia, GA
    Oo... Interesting...
     