I have nothing under tasks. I just submitted the DLL file to McAfee so maybe they can identify it.
Automated analysis is not finding it; here is their reply:
File Name | Findings | Detection | Type | Extra
cmutilc.dll | inconclusive | | | no
We started seeing this issue today also. I found on a different forum that the latest version of Malwarebytes is finding the virus.
I will update when I complete some scans on our systems.
We experience(d) the same issue in a network of over 600 workstations and a little under 100 (mainly) HP-printers.
In the print task that set off the paper-spitting, we could see the user that executed the task. When we checked where that user had last logged on, we took a closer look at that computer.
In the event viewer of our suspect computer, we saw a couple of events with ID 4 and 5 (concerning Kerberos verification that did not succeed). We concluded that the computer(-virus) had tried to send its code across our network, returning an event 4 and 5 for workstations that did not have a specific port open (wild guess). The date and timestamp of these events match the time of the start of every 'paper-spit'.
We singled out 5 workstations. 4 with Windows XP SP3 and 1 with Windows 7 SP1 that had the events 4 and 5.
Only on the Windows 7 machine did we find a (hidden) scheduled task that used rundll32.exe with a randomly generated DLL file in c:\windows\system32.
When we installed, updated and ran a scan with Malwarebytes this morning around 9.00 AM (GMT +1), no security risk was found. However, when we did the same an hour ago, Malwarebytes updated once again and now the virus is found and cleaned!
Up until now, the problem did not present itself again, but my main issue is that I did not find how the virus got inside our LAN.
If I have more information, I will reply again in this thread.
By the way: we have Trend Micro installed on every workstation, but up until now, Trend Micro does not detect the virus.
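One way to triage the pattern described in the post above (a scheduled task that launches rundll32.exe with a DLL in c:\windows\system32), as an added example that is not from the thread: it parses `schtasks /query /fo csv /v` output and lists rundll32 tasks whose DLL is not in a known-good baseline. The sample output, the host, task and DLL names in it, and the baseline are constructed assumptions.

```python
import csv
import io
import ntpath
import re

# Constructed sample in the shape of `schtasks /query /fo csv /v` output,
# trimmed to three columns. Host, task and DLL names are made up.
SAMPLE = r'''"HostName","TaskName","Task To Run"
"WS-042","\Microsoft\Windows\SystemRestore\SR","%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation"
"HostName","TaskName","Task To Run"
"WS-042","\GoogleUpdateTaskMachineCore","C:\Program Files\Google\Update\GoogleUpdate.exe /c"
"WS-042","\At1","rundll32.exe C:\Windows\System32\qzxvkrtp.dll,Start"
'''

RUNDLL = re.compile(r'rundll32(?:\.exe)?\b', re.I)
DLL = re.compile(r'[^\s",]+\.dll', re.I)

def suspicious_tasks(csv_text, known_good=frozenset()):
    """Return (task name, DLL) for tasks that run rundll32 on a system32 DLL
    whose file name is not in the caller's known-good baseline."""
    hits, header = [], None
    for row in csv.reader(io.StringIO(csv_text)):
        if "TaskName" in row:          # header row (may repeat in the output)
            header = row
            continue
        if header is None or len(row) != len(header):
            continue                   # blank or malformed line
        rec = dict(zip(header, row))
        action = rec.get("Task To Run", "")
        m = DLL.search(action) if RUNDLL.search(action) else None
        if m is None:
            continue
        dll = m.group(0)
        folder = ntpath.dirname(dll).lower()
        # A bare file name is resolved through the DLL search path, which
        # includes system32, so treat it like an explicit system32 path.
        in_system32 = folder == "" or folder.endswith("\\system32")
        if in_system32 and ntpath.basename(dll).lower() not in known_good:
            hits.append((rec["TaskName"], dll))
    return hits

if __name__ == "__main__":
    # Baseline is an assumption: build yours from a known-clean image.
    for task, dll in suspicious_tasks(SAMPLE, known_good={"srrstr.dll"}):
        print(f"review: {task} -> {dll}")
```

Every hit is a candidate for review (file signature, creation time, matching registry entries), not a verdict.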
What was the virus name that Malwarebytes detected it as, out of curiosity? I'd like to try and get to the bottom of how it got inside our LAN too, although I suspect it was a drive-by infection whilst web browsing.
My guys are running scans now, I will let you know what we find... if we find anything.
McAfee just posted an extra.dat file for me to use. It stopped the file I submitted from running but I am checking now to see if it can clean it.
Weird, added the extra.dat and rebooted, and the PC came up saying that it could not run the DLL that was the infection. Looked in that area and the file is gone, but McAfee's logs do not tell me it deleted anything...
The registry settings are still there. I am not confident this PC is clean. Might just wipe and image it.
Well, the extra DAT McAfee sent me cannot identify the registry keys that are causing this... Too bad, as I had added this information to the virus submission.
I found inside the files C:\WINDOWS\system32\spool\PRINTERS\FP00037.SPL in the printer server the description npjbqtmmiy.exe. Maybe npjbqtmmiy.exe is a random virus name.
I would assume that everyone will see files here when the virus is in action:
C:\WINDOWS\system32\spool\PRINTERS since it is trying to spool off print jobs. You will see them in that folder as well on the server as it is processing them but I doubt they can infect the server this way.
I scanned my PC with Malwarebytes at v2012.06.08.04 and it did not find anything. I manually deleted the registry key after MB was done. As I mentioned earlier, the payload file disappeared on its own, or McAfee deleted it with no logs saying it did.
There is a file in my c:\quarantine bin dated around the time I installed the Extra.dat but I am really concerned it never reported that it removed it.