Malware can't find root of problem

I have a system today that seemed to be fine. I wouldn't have suspected anything except I noticed IE running as a process, but this system never uses IE, they use Chrome, and there was no IE window open.

I ended the process and within a few seconds it appeared again. I figured malware was running it hidden and managed to find the program that was launching it. Printspool.exe hidden in user/appdata/roaming/print spooler. Delete it and it is copied back.

I eliminated its ability to run by removing execute permissions. The last step was to remove what was putting it there. Here I am stuck.
I cannot find what is copying the file to that location.

Places I checked:
Registry - all the usual run, run once settings
Task - nothing in scheduled task
Nothing in any of the startup files.
Searched through Windows system files for things that don't belong, nothing found

I can run AV and anti-malware, rootkit software and they find printspool.exe but not the task that is putting it there.
 