
Winspool.drv

Discussion in 'Virus & Other Malware Removal' started by Sega, Feb 24, 2013.

Thread Status:
Not open for further replies.
  1. Sega

    Sega Thread Starter

    Joined:
    Feb 24, 2013
    Messages:
    8
    So what's up with this?

    C:\Windows\system32\WINSPOOL.DRV is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.


    I've heard that it's usually tied to printers and stuff, but when it's mess'n with my game launchers and PS and Sai, I gotta admit that's got me all tied in knots, and I tried to fix it with a System Restore. It didn't seem to work (odd).
    So I googled and tried other methods.

    Method 1:) (not in safe mode)

    Right-click the Winspool.drv file, and then click Rename.

    Type winspool.drv.old, and then press ENTER.

    = No good

    Method 2:) (In safe mode)

    Right-click the Winspool.drv file, and then click Rename.

    Type winspool.drv.old, and then press ENTER.

    = No good

    I haven't tried the method where you copy the file from one comp and paste in this one yet.

    If I could get the same help this guy got, that'd be awesome, 'cause reading it, it looks like I might be in the same box till I get some help.
    http://forums.techguy.org/virus-other-malware-removal/925274-c-windows-system32-winspool-drv.html
     
  2. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    We need to see full details of the file to check if it has been damaged in some way and to see if there is a suitable replacement stored in the system. It is a legitimate Windows file and you are correct, it is related to printing. Please make sure, before you run this scan, that you change the name back to the original or the scan won't find the suspect version of it.

    Please download SystemLook for your operating system from one of the links below and save it to your Desktop.



    • Double-click SystemLook.exe to run it.
    • Vista/Windows 7 users right-click and select Run As Administrator.
    • Copy and paste everything in the codebox below into the main textfield:
      Code:
      :filefind
      winspool.drv
    • Click the Look button to start the scan.
    • When finished, a Notepad window will open SystemLook.txt with the results of the search and save a copy on your Desktop.
    • Please copy and paste the contents of that log in your next reply.
     
  3. Sega

    Sega Thread Starter

    Alrighty, changed the name back and this is what I got.

    Searching for "winspool.drv"
    C:\Windows\System32\winspool.drv --a---- 442368 bytes [03:23 21/11/2010] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
    C:\Windows\SysWOW64\winspool.drv --a---- 320000 bytes [03:24 21/11/2010] [03:24 21/11/2010] C6EB71265A58E78F89007E7B60E471F1
    C:\Windows\winsxs\amd64_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.1.7601.17514_none_f153fb8e2f4d5ac7\winspool.drv --a---- 442368 bytes [03:23 21/11/2010] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
    C:\Windows\winsxs\x86_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.1.7601.17514_none_9535600a76efe991\winspool.drv --a---- 320000 bytes [03:24 21/11/2010] [03:24 21/11/2010] C6EB71265A58E78F89007E7B60E471F1

    -= EOF =-
     
  4. Mark1956

    Mark1956

    Well that is odd, the MD5 number, this bit 0015ACFBBDD164A8A730009908868CA7, gives a positive result as a valid file for the one you are getting the error message about, but the one in the SysWOW64 folder gives zero results which would indicate it is either corrupt or infected.

    Before we go any further we had better get both files scanned.

    Please tell me if you have access to another Windows 7 64bit PC or a Retail (not an OEM Recovery disc) copy of Windows 7 64bit on DVD with SP1 included.

    Please follow this:

    Go to one of the following online services that analyzes suspicious files:

    In the "File to Scan" (Upload or Submit) box, click the "browse" button and locate the following files:
    C:\Windows\System32\winspool.drv <- this file
    C:\Windows\SysWOW64\winspool.drv <- this file


    Click "Open", then click the "Submit" button. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.
    -- Post back with the results of the file analysis in your next reply.
     
  5. Sega

    Sega Thread Starter

    Hmmm. Because this was brought by a family member who didn't look over details, a Windows 7 disc was never sent with it from the retailer.

    I have access to two 64bit laptops if that can be substituted instead of a PC. I can work with that.


    All analyses were blank except for this, which popped up on both locations.

    McAfee-GW-Edition Heuristic.BehavesLike.Exploit.CodeExec.O 20130225
     
  6. Mark1956

    Mark1956

    Just one detection is probably a false positive, so the file is most probably just corrupted and not infected.

    Ok, go onto one of your laptops, find and copy the files in these locations below onto a Flash Drive and transfer them to the desktop of the problem PC. Then run SystemLook again exactly as in post 2 and send in the report. We will then go about replacing the files.

    C:\Windows\System32\winspool.drv <- this file
    C:\Windows\SysWOW64\winspool.drv <- this file
     
  7. Sega

    Sega Thread Starter

    Alright copied to my desktop and ran the SystemLook and got this.

    Searching for "winspool.drv"
    C:\Users\********\Desktop\winspool.drv --a---- 442368 bytes [23:28 25/02/2013] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
    C:\Windows\System32\winspool.drv --a---- 442368 bytes [03:23 21/11/2010] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
    C:\Windows\System32\com\winspool.drv --a---- 442368 bytes [23:30 25/02/2013] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
    C:\Windows\SysWOW64\winspool.drv --a---- 320000 bytes [03:24 21/11/2010] [03:24 21/11/2010] C6EB71265A58E78F89007E7B60E471F1
    C:\Windows\winsxs\amd64_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.1.7601.17514_none_f153fb8e2f4d5ac7\winspool.drv --a---- 442368 bytes [03:23 21/11/2010] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
    C:\Windows\winsxs\x86_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.1.7601.17514_none_9535600a76efe991\winspool.drv --a---- 320000 bytes [03:24 21/11/2010] [03:24 21/11/2010] C6EB71265A58E78F89007E7B60E471F1

    -= EOF =-
     
  8. Mark1956

    Mark1956

    I only see one file on your desktop and the other one here C:\Windows\System32\com\winspool.drv and they both have the same MD5 number.

    Could you run SystemLook on the PC you got them from and post that log.
     
  9. Sega

    Sega Thread Starter

    Sorry 'bout that. Wouldn't let me have both files under the same name. Here's the WOW64.

    Searching for "winspool.drv"
    C:\Users\********\Desktop\winspool.drv --a---- 320000 bytes [23:28 25/02/2013] [04:24 21/11/2010] 9E4B0E7472B4CEBA9E17F440B8CB0AB8
    C:\Windows\System32\winspool.drv --a---- 442368 bytes [03:23 21/11/2010] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
    C:\Windows\System32\com\winspool.drv --a---- 442368 bytes [23:30 25/02/2013] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
    C:\Windows\SysWOW64\winspool.drv --a---- 320000 bytes [03:24 21/11/2010] [03:24 21/11/2010] C6EB71265A58E78F89007E7B60E471F1
    C:\Windows\winsxs\amd64_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.1.7601.17514_none_f153fb8e2f4d5ac7\winspool.drv --a---- 442368 bytes [03:23 21/11/2010] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
    C:\Windows\winsxs\x86_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.1.7601.17514_none_9535600a76efe991\winspool.drv --a---- 320000 bytes [03:24 21/11/2010] [03:24 21/11/2010] C6EB71265A58E78F89007E7B60E471F1

    -= EOF =-
     
  10. Mark1956

    Mark1956

    I did ask in my last post: Could you run SystemLook on the PC you got them from and post that log. But, not to worry we will give this a shot. When you have run it post the log and reboot the system, then run SystemLook again exactly as before and post the log so we can make sure the files have moved.


    Please download OTM by OldTimer. Save it to your desktop.

    Double click OTM.exe to start the tool.

    • Copy the text in the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\Windows\System32\winspool.drv | C:\Windows\System32\com\winspool.drv /replace
    C:\Windows\SysWOW64\winspool.drv | C:\Users\********\Desktop\winspool.drv /replace
    C:\Windows\winsxs\x86_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.1.7601.17514_none_9535600a76efe991\winspool.drv | C:\Windows\System32\com\winspool.drv /replace
    C:\Windows\winsxs\amd64_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.1.7601.17514_none_f153fb8e2f4d5ac7\winspool.drv | C:\Users\********\Desktop\winspool.drv /replace
    :Commands
    [createrestorepoint]
    [emptyflash]
    [emptytemp]
    [resethosts]
    [reboot]
    
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • All your desktop icons will disappear as the scan begins. It should complete within a few minutes.
    • Once complete you may see a box appear asking you to Restart the system to complete the file removal, accept it and it will reboot.
    • Even if that box does not appear the system should reboot as the command is included in the script.
    • When the system has come back to the desktop a Notepad document will open, please copy and paste that into your next post.

    -- Note: The logs are saved here: C:\_OTM\MovedFiles
     
  11. Sega

    Sega Thread Starter

    I cannot get a log off their other comp because they do not want to risk another laptop to a possible virus. So it's out of the question to DL SystemLook onto it.

    Well I ran OTM. Though after the reboot it still said the same thing in my first post, and my laptop is running sadly very slow now.

    C:\Windows\system32\WINSPOOL.DRV is either not designed to run on Windows or it contains an error.


    First scan:

    Searching for "winspool.drv"
    C:\Users\Chelisa AS\Desktop\winspool.drv --a---- 442368 bytes [23:28 25/02/2013] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
    C:\Windows\System32\winspool.drv --a---- 442368 bytes [03:23 21/11/2010] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
    C:\Windows\System32\com\winspool.drv --a---- 442368 bytes [23:30 25/02/2013] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
    C:\Windows\SysWOW64\winspool.drv --a---- 320000 bytes [03:24 21/11/2010] [03:24 21/11/2010] C6EB71265A58E78F89007E7B60E471F1
    C:\Windows\winsxs\amd64_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.1.7601.17514_none_f153fb8e2f4d5ac7\winspool.drv --a---- 442368 bytes [03:23 21/11/2010] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
    C:\Windows\winsxs\x86_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.1.7601.17514_none_9535600a76efe991\winspool.drv --a---- 320000 bytes [03:24 21/11/2010] [03:24 21/11/2010] C6EB71265A58E78F89007E7B60E471F1
     

    Attached Files:

  12. Mark1956

    Mark1956

    First I would stress that there is absolutely no risk of the laptop getting an infection from downloading SystemLook.

    There is a problem with copying the files with the script I used, as the ones saved on your desktop were not found, so nothing has been changed. Had you edited the path of the file in the SystemLook log in post 9?

    This is what shows in the log:

    File C:\Windows\System32\com\winspool.drv not found.
    File C:\Users\********\Desktop\winspool.drv not found.
    File C:\Windows\System32\com\winspool.drv not found.
    File C:\Users\********\Desktop\winspool.drv not found.


    Please see the note at the bottom of all my posts asking you to Copy & Paste all logs unless instructed to do otherwise, this saves me time downloading the logs and they are easier to look back on in the thread if required.
     
  13. Sega

    Sega Thread Starter

    I tried OTM a 2nd time around and it still didn't move them. Once the laptop rebooted, the Winspool error came up and blocked me from using OTM, even the Notepad. I went into System32 and SysWOW64 and copy-replaced both winspools with the files from off the USB stick and restarted the laptop.


    It seems to have done the trick; everything is up and updating itself, with no error popping up. If you have any advice I'll take it!!

    Thank you soo much for helping me btw!!
     
  14. Mark1956

    Mark1956

    The manual approach was going to be my next move so well done for beating me to it, I usually avoid asking people to do the move manually as there can be problems with file permissions so OTM is usually the shortcut.

    Glad to hear all is well. You can remove OTM by opening it and clicking on the Cleanup button, it will also remove many other tools that we use, redundant logs left on the desktop can be right clicked and deleted.
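
The hash comparison done by eye in this thread, as an added example (not part of the original thread, and not SystemLook's or OTM's own code): it parses a SystemLook `:filefind` log, pairs each live file with the WinSxS copy of the same architecture, and reports whether each same-sized candidate copy would actually change the live file. The function names and the rule that System32 holds the 64-bit file are assumptions for a 64-bit Windows 7 system like the one discussed; the sample input is the post 9 log.

```python
import re
# SystemLook ":filefind" line: <path> <attrs> <size> bytes [created] [modified] <MD5>
LINE_RE = re.compile(
    r"^\s*(?P<path>[A-Za-z]:\\.+?)\s+[-a-z]{7}\s+(?P<size>\d+) bytes\s+"
    r"\[[^\]]+\]\s+\[[^\]]+\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$")

def classify(path):
    """Return (role, arch). Assumes 64-bit Windows: System32 holds 64-bit files."""
    p = path.lower()
    m = re.search(r"\\windows\\winsxs\\(amd64|x86)_", p)
    if m:
        return "store", m.group(1)
    if re.search(r"\\windows\\system32\\[^\\]+$", p):
        return "live", "amd64"
    if re.search(r"\\windows\\syswow64\\[^\\]+$", p):
        return "live", "x86"
    return "candidate", None  # e.g. a copy brought over from another PC

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            role, arch = classify(m["path"])
            rows.append({"path": m["path"], "size": int(m["size"]),
                         "md5": m["md5"].upper(), "role": role, "arch": arch})
    return rows

def audit(log_text):
    """Per architecture: does the live file match its WinSxS copy, and would
    each same-sized candidate change the live file if swapped in?"""
    rows, report = parse(log_text), {}
    for arch in ("amd64", "x86"):
        live = next((r for r in rows if (r["role"], r["arch"]) == ("live", arch)), None)
        if live is None:
            continue
        store = {r["md5"] for r in rows if (r["role"], r["arch"]) == ("store", arch)}
        cands = {r["path"]: r["md5"] != live["md5"] for r in rows
                 if r["role"] == "candidate" and r["size"] == live["size"]}
        report[arch] = {"matches_store": store == {live["md5"]}, "candidate_differs": cands}
    return report

# Sample input: the six result lines of the post 9 log above.
SAMPLE = r"""C:\Users\********\Desktop\winspool.drv --a---- 320000 bytes [23:28 25/02/2013] [04:24 21/11/2010] 9E4B0E7472B4CEBA9E17F440B8CB0AB8
C:\Windows\System32\winspool.drv --a---- 442368 bytes [03:23 21/11/2010] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
C:\Windows\System32\com\winspool.drv --a---- 442368 bytes [23:30 25/02/2013] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
C:\Windows\SysWOW64\winspool.drv --a---- 320000 bytes [03:24 21/11/2010] [03:24 21/11/2010] C6EB71265A58E78F89007E7B60E471F1
C:\Windows\winsxs\amd64_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.1.7601.17514_none_f153fb8e2f4d5ac7\winspool.drv --a---- 442368 bytes [03:23 21/11/2010] [03:23 21/11/2010] 0015ACFBBDD164A8A730009908868CA7
C:\Windows\winsxs\x86_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.1.7601.17514_none_9535600a76efe991\winspool.drv --a---- 320000 bytes [03:24 21/11/2010] [03:24 21/11/2010] C6EB71265A58E78F89007E7B60E471F1"""
```

Run as `audit(SAMPLE)`, it reports that both live files match their WinSxS copies, that the `System32\com` copy is identical to the live System32 file, and that only the 32-bit Desktop copy differs from what is installed.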
     

Short URL to this thread: https://techguy.org/1090870
