The past few days all running programs are trying to connect to the
internet at random addresses.
(mainly a1981.g.akamai.com and ports 80:http and 53:dns)

(even spoolsv.exe)
I have tried to search (advanced search) for spyware, rootkits, etc. but
I did not find any.

Was running Norton Corporate client and had ZoneAlarm freeware at the
time it started.
(captured it by seeing that spoolsv.exe tried to connect to the
internet)

Replaced Norton with Avast free antivirus and ZoneAlarm with Kerio.
The strange behaviour seemed to become rarer but has not gone away yet.

The behaviour changes from time to time!

Currently my work partner also has the same problem, but the spyware
running on his machine mostly tries to connect to the sites listed in
the HOSTS file (we have put a dummy site there and it tries to connect
to that dummy).
Like I had with spoolsv.exe, he also had userinit and lsass trying
to connect to an Akamai address.

Let's say I connect to a site, then close Internet Explorer, and then
I try to go to a different site: the spyware, through Internet Explorer, tries
to connect to the previous site (no one asked it to!!!)

The firewall sees that the connections are made from a legit program, so they
cannot be blocked!

I have looked at the list of DLLs loaded by the legit apps and no new DLLs are
loaded.


1) Is there a good reason for this to be happening???? (I mean
spoolsv.exe should not connect to the internet!)

2) Can you recommend a way to find and clean this spyware, or whatever it
is?

RE: spyware tcp connections from spoolsv.exe to internet!!! by Pandaman

Pandaman
Tue Feb 07 09:49:30 CST 2006

The first mistake was changing the security applications.

PC World, a world-famous independent computer magazine, tests
different products.
They recently carried out AV tests on 10 AV products and Avast is the worst
program for them. Symantec Corporate is definitely better.
Zone Alarm is definitely better than Kerio.

I can recommend you a way to clean the infected computer, but as I
understand it you are in a corporate network, so you probably have
administrators, guys who take care of all the computer stuff. Ask them for
help, because you might be limited or punished if something goes wrong. If you
still want to take the risk to clean the infected machine yourself, start
with the Full Detailed Malware removal instructions on my website.
http://pandaman.hit.bg

Before the instructions, remove Avast and replace it with another AV software.
It is essential!!! :-)


If you have any other questions, do not hesitate to contact the Community
again!

Panda_man
--
Prevention is always better than cure!
Panda TruPrevent - the most intelligent technology to combat unknown malware
http://www.pandasoftware.com
http://pandaman.hit.bg




"kemanetzis@freemail.gr" wrote:

> The past few days all running programs are trying to connect to the
> internet at random addresses.
> (mainly a1981.g.akamai.com and ports 80:http and 53:dns)
>
> (even spoolsv.exe)
> I have tried to search (advanced search) for spyware, rootkits, etc. but
> I did not find any.
>
> Was running Norton Corporate client and had ZoneAlarm freeware at the
> time it started.
> (captured it by seeing that spoolsv.exe tried to connect to the
> internet)
>
> Replaced Norton with Avast free antivirus and ZoneAlarm with Kerio.
> The strange behaviour seemed to become rarer but has not gone away yet.
>
> The behaviour changes from time to time!
>
> Currently my work partner also has the same problem, but the spyware
> running on his machine mostly tries to connect to the sites listed in
> the HOSTS file (we have put a dummy site there and it tries to connect
> to that dummy).
> Like I had with spoolsv.exe, he also had userinit and lsass trying
> to connect to an Akamai address.
>
> Let's say I connect to a site, then close Internet Explorer, and then
> I try to go to a different site: the spyware, through Internet Explorer, tries
> to connect to the previous site (no one asked it to!!!)
>
> The firewall sees that the connections are made from a legit program, so they
> cannot be blocked!
>
> I have looked at the list of DLLs loaded by the legit apps and no new DLLs are
> loaded.
>
>
> 1) Is there a good reason for this to be happening???? (I mean
> spoolsv.exe should not connect to the internet!)
>
> 2) Can you recommend a way to find and clean this spyware, or whatever it
> is?
>
>

Re: spyware tcp connections from spoolsv.exe to internet!!! by DRS

DRS
Tue Feb 07 21:27:13 CST 2006


kemanetzis@freemail.gr wrote:
> The past few days all running programs are trying to connect to the
> internet at random addresses.
> (mainly a1981.g.akamai.com and ports 80:http and 53:dns)
(snip)
> 1) Is there a good reason for this to be happening???? (I mean
> spoolsv.exe should not connect to the internet!)
>
> 2) Can you recommend a way to find and clean this spyware, or whatever it
> is?

I would like those answers as well!

My "symptom" is that I'll see attempted connections from IP addresses
in the Akamai range from their port 80 to my ports 10xx through 12xx.
They are always in TIME_WAIT. When I restart my machine I'll usually
see 20 connections from one IP address going at the lower 1000s of my
ports. Then, just sitting there, it seems like there will be a few
attempted connections that pop up. Tonight I noticed that Zone Alarm
zlclient.exe had made some outbound connections to Akamai servers. And
that's after I turned all of the update stuff off.

--Dale--

From another newsgroup....
"sengsational" wrote in message news:ds91tk$1qq8$1@news.grc.com...
> Each machine on home network has been running its own ZoneAlarm, I run AVG
> on all systems, plus I'm behind a router, so I'm not a _complete_ security
> idiot (snip)

Or then again, maybe I am.... for trusting ZoneAlarm

I think I might be a victim of a supposed "bug" in ZoneAlarm:

http://www.theinquirer.net/?article=29157

> Tonight I've seen quite a few IP addresses doing this thing (81.52.202.137,
> 80.67.72.224, 63.222.71.150, 81.52.202.143). A lot of times those IPs
> belong to Akamai Technologies (snip)

It looks like all in the last 2 days have been Akamai, and I think
there's a correlation with outbound connections by zlclient.exe
(ZoneAlarm) that I did NOT allow. I turned everything off, and it
still was nagging me to upgrade. These connections from Akamai port 80
machines only started happening after I refused to pay for another
annual upgrade. Maybe it's a way to strike fear in people to generate
upgrades, ha!

I can't report on whether blocking zlclient.exe had any effect yet. The
sure-fire way to get those inbound IPs was to restart, but my HTPC is
recording something right now. More later.

--Dale--
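Both the original post (Windows system processes such as spoolsv.exe showing outbound connections that the firewall attributes to a trusted image) and Dale's netstat observations above come down to the same triage task: reading a connection table, deciding which entries have an Internet peer, working out who initiated them, and tying them back to an owning process. The Python script below is an added example for this thread; it is not code from any poster or from any product mentioned here. It parses a constructed sample of `netstat -ano` output together with a constructed PID-to-image table (as `tasklist` would give you), and everything in it is an assumption for illustration: the sample lines, the use of the 203.0.113.x / 198.51.100.x documentation ranges in place of real public addresses, the list of non-routable blocks, the port-based direction heuristic, and the set of images treated as "should not talk to the Internet".

```python
import ipaddress
import re

# Constructed sample of "netstat -ano" output (Windows 2000/XP format). The
# lines are made up for this example; 203.0.113.x and 198.51.100.x are
# documentation ranges standing in for public addresses.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.10:1033      203.0.113.10:80        TIME_WAIT       0
  TCP    192.168.1.10:1041      203.0.113.20:80        ESTABLISHED     1320
  TCP    192.168.1.10:1042      192.168.1.1:139        ESTABLISHED     4
  TCP    192.168.1.10:1050      198.51.100.5:80        ESTABLISHED     1204
  UDP    192.168.1.10:1047      *:*                                    688
"""

# Constructed PID -> image-name table, as "tasklist" would report it.
TASKLIST_SAMPLE = {4: "System", 688: "lsass.exe", 932: "svchost.exe",
                   1204: "iexplore.exe", 1320: "spoolsv.exe"}

# Windows components that have no business opening Internet connections themselves.
SYSTEM_IMAGES = {"spoolsv.exe", "lsass.exe", "userinit.exe", "winlogon.exe", "csrss.exe"}

# Address blocks that are not reachable from the Internet (assumed LAN layout).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

EPHEMERAL_LOW = 1024  # Windows 2000/XP hand out client-side ports from 1025 upwards

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'host:port' -> (host, port); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ano text into dicts; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state, "pid": int(pid)})
    return rows


def is_external(host):
    """True for an address outside the non-routable blocks ('*' or a name -> False)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def direction(row):
    """Infer who opened a TCP connection from the port pattern: a high (ephemeral)
    local port paired with a service port (< 1024) on the remote side is a
    connection this host initiated; the reverse pattern is one this host accepted."""
    lport, rport = row["lport"], row["rport"]
    if row["proto"] != "TCP" or lport is None or rport is None:
        return "unknown"
    if lport >= EPHEMERAL_LOW and rport < EPHEMERAL_LOW:
        return "outbound"
    if lport < EPHEMERAL_LOW and rport >= EPHEMERAL_LOW:
        return "inbound"
    return "unknown"


def audit(netstat_text, pid_to_image):
    """Annotate every connection with an Internet peer: owning image, inferred
    direction, and the reasons (if any) a defender should look closer."""
    findings = []
    for row in parse_netstat(netstat_text):
        if not is_external(row["rhost"]):
            continue  # LAN peers and UDP '*:*' entries cannot be judged from netstat alone
        row["direction"] = direction(row)
        row["reasons"] = []
        if row["pid"] == 0:
            # Windows reports PID 0 for TIME_WAIT leftovers: the socket is already
            # closed, so the connection can no longer be attributed to a process.
            row["image"] = "<none>"
            row["reasons"].append("closed connection, no longer attributable; "
                                  "capture it again while it is ESTABLISHED")
        else:
            row["image"] = pid_to_image.get(row["pid"], "<unknown>")
        if row["image"].lower() in SYSTEM_IMAGES:
            row["reasons"].append("Windows system process talking to the Internet")
        findings.append(row)
    return findings


def flagged(netstat_text, pid_to_image):
    """Only the connections that carry at least one reason."""
    return [f for f in audit(netstat_text, pid_to_image) if f["reasons"]]


if __name__ == "__main__":
    for f in audit(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        mark = "!!" if f["reasons"] else "  "
        print(f"{mark} {f['image']:<14} pid {f['pid']:<5} {f['direction']:<8} "
              f"-> {f['rhost']}:{f['rport']} {f['state']} {'; '.join(f['reasons'])}")
```

Two design points matter for the situation in the thread. First, a per-application firewall rule decides by image name, so it cannot separate the legitimate spoolsv.exe from code that has been loaded into or injected into it; what the script gives you is the PID and image at the moment of the connection, which you can then compare against that process's loaded-module list and its expected behaviour. Second, TIME_WAIT entries have already lost their owner (PID 0), so a single snapshot taken after the fact shows you the peer but not the culprit; run the capture repeatedly, or use a firewall log that records the process, and look at entries while they are still ESTABLISHED.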


Re: spyware tcp connections from spoolsv.exe to internet!!! by kemanetzis

kemanetzis
Wed Feb 08 03:06:34 CST 2006

Is there anyone who can give me a more serious answer to what is
happening??

(because this one looks like Panda antivirus advertising!!!!)


Re: spyware tcp connections from spoolsv.exe to internet!!! by Malke

Malke
Wed Feb 08 07:43:25 CST 2006

kemanetzis@freemail.gr wrote:

> Is there anyone who can give me a more serious answer to what is
> happening??
>
> (because this one looks like Panda antivirus advertising!!!!)

Go through the malware removal steps listed here:
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Be systematic, do everything in Safe Mode. All tools suggested are free.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User