Thread: Re: SPOOLSV.EXE

  1. #1
    siljaline Guest

    Re: SPOOLSV.EXE

    On Wed, 06 Aug 2003 05:14:30 GMT, "Steve" <srhaymesslaysspam@comcast.net> wrote:

    >Can anyone tell me what SPOOLSV.EXE is and if I should let it through my
    >firewall?


    Print and fax "spooler" executable - Microsoft.

    Disallow "phone home". Doesn't need to. If it does, track the IPs it connects
    out to from your ZA logs or alerts and post them here, or run a whois at
    samspade http://www.samspade.org/t/

    HTH



    --
    siljaline

    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neal Stephenson, _Cryptonomicon_

  2. #2
    mto Guest

    Re: SPOOLSV.EXE


    "siljaline" <siljaline@invalid.com> wrote in message
    news:t251jvkqd7ab0oj7n8hsk513fttv0cbdtd@4ax.com...
    > On Wed, 06 Aug 2003 05:14:30 GMT, "Steve" <srhaymesslaysspam@comcast.net> wrote:
    >
    > >Can anyone tell me what SPOOLSV.EXE is and if I should let it through my
    > >firewall?
    >
    > Print and fax "spooler" executable - Microsoft.
    >
    > Disallow "phone home". Doesn't need to. If it does, track the IPs it connects
    > out to from your ZA logs or alerts and post them here, or run a whois at
    > samspade http://www.samspade.org/t/
    >
    > HTH


    Glad to hear you say that siljaline. Been wondering why on earth Windows
    Explorer would be trying to connect to 62.211.180.7:80 and 62.211.180.14:80
    and why Messenger tries every 2 minutes or so to connect to my own IP#, port
    1900, even though it is shut off every which way to Sunday.

    Pretty irritating since in order to see alert notifications I have to click
    the miserable thing every minute or so to shut those two up or check
    manually. And the sheer waste of system resources has steam coming out my
    ears.

    Messenger on XP will not, BTW, allow you to shut it down if you have OE
    open - claims that the program is "using features provided by Messenger and
    that they will not work properly." Microsoft site gives instructions to
    remove it but then states that OE, IE and so forth will no longer work.

    address digger says -
    <quote>
    dns 63.211.180.7


    63.211.180.7 has dubious reverse DNS of unknown.Level3.net - which is a
    valid hostname, but not one that resolves to 63.211.180.7



    whois -h magic 63.211.180.7
    Trying whois -h whois.arin.net 63.211.180.7

    OrgName: Level 3 Communications, Inc.
    OrgID: LVLT
    Address: 1025 Eldorado Blvd.
    City: Broomfield
    StateProv: CO
    PostalCode: 80021
    Country: US

    NetRange: 63.208.0.0 - 63.215.255.255
    CIDR: 63.208.0.0/13
    NetName: LEVEL4-CIDR
    NetHandle: NET-63-208-0-0-1
    Parent: NET-63-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.LEVEL3.NET
    NameServer: NS2.LEVEL3.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 1999-05-28
    Updated: 2001-05-30

    TechHandle: LC-ORG-ARIN
    TechName: level Communications
    TechPhone: +1-877-453-8353
    TechEmail: ipaddressing@level3.com

    OrgAbuseHandle: APL8-ARIN
    OrgAbuseName: Abuse POC LVLT
    OrgAbusePhone: +1-877-453-8353
    OrgAbuseEmail: abuse@level3.com

    OrgTechHandle: TPL1-ARIN
    OrgTechName: Tech POC LVLT
    OrgTechPhone: +1-877-453-8353
    OrgTechEmail: ipaddressing@level3.com

    # ARIN WHOIS database, last updated 2003-08-05 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    <end>

    Info for both IP #'s comes up the same.

    Google of Level 3 Communications, Inc. comes up as follows -

    Level 3 Communications, Inc. - http://www.level3.com
    ... Jul 02, 2003, Level 3 Prices $325 Million of 2.875% Convertible Senior
    Notes. © 2003 by Level 3 Communications, Inc. All rights reserved. ...
    Description: Holding company with subsidiaries which offer computer
    operations outsourcing and systems integration...
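
Added example (not part of any post in this thread): one way to do the triage siljaline suggests, grouping outbound firewall alerts by program and destination, checking how regular they are, and testing each destination against the netblock from the whois output above. The log lines, the CSV layout, the program names, the `192.168.1.10` "own IP" and the function name `summarize` are all assumptions made for the example; this is not ZoneAlarm's actual log format.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample alerts (time, program, destination IP, port); this CSV
# layout is an assumption for the example, not ZoneAlarm's real log format.
SAMPLE_LOG = """\
2003-08-06 09:00:05,explorer.exe,62.211.180.7,80
2003-08-06 09:00:06,explorer.exe,62.211.180.14,80
2003-08-06 09:01:00,msmsgs.exe,192.168.1.10,1900
2003-08-06 09:03:01,msmsgs.exe,192.168.1.10,1900
2003-08-06 09:05:00,msmsgs.exe,192.168.1.10,1900
2003-08-06 09:07:02,msmsgs.exe,192.168.1.10,1900
2003-08-06 09:12:40,explorer.exe,62.211.180.7,80
"""

# CIDR copied from the whois output quoted in the thread.
WHOIS_BLOCK = ipaddress.ip_network("63.208.0.0/13")


def summarize(log_text, own_ip="192.168.1.10"):
    """Group alerts by (program, dest, port) and describe each group."""
    groups = defaultdict(list)
    for ts, prog, dest, port in csv.reader(io.StringIO(log_text)):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        groups[(prog.lower(), dest, int(port))].append(when)

    report = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Regular, timer-driven traffic shows gaps that all sit near the median.
        periodic = len(gaps) >= 2 and all(
            abs(g - median(gaps)) <= 0.1 * median(gaps) for g in gaps)
        report[key] = {
            "count": len(times),
            "median_gap_s": median(gaps) if gaps else None,
            "periodic": periodic,
            "to_self": key[1] == own_ip,
            "in_whois_block": ipaddress.ip_address(key[1]) in WHOIS_BLOCK,
        }
    return report


if __name__ == "__main__":
    for key, info in sorted(summarize(SAMPLE_LOG).items()):
        print(key, info)
```

With these constructed lines, the alert address 62.211.180.7 falls outside the 63.208.0.0/13 block returned for 63.211.180.7, so it is worth confirming that a lookup was run against the exact address that was logged.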




  3. #3
    Dick Hazeleger Guest

    Re: SPOOLSV.EXE

    mto wrote:

    >
    > "siljaline" <siljaline@invalid.com> wrote in message
    > news:t251jvkqd7ab0oj7n8hsk513fttv0cbdtd@4ax.com...
    > > On Wed, 06 Aug 2003 05:14:30 GMT, "Steve"
    > > <srhaymesslaysspam@comcast.net> wrote:
    > >
    > > >Can anyone tell me what SPOOLSV.EXE is and if I should let it
    > > >through my firewall?
    > >
    > > Print and fax "spooler" executable - Microsoft.
    > >
    > > Disallow "phone home". Doesn't need to. If it does, track the IPs
    > > it connects out to from your ZA logs or alerts and post them here,
    > > or run a whois at samspade http://www.samspade.org/t/
    > >
    > > HTH

    >
    > Glad to hear you say that siljaline. Been wondering why on earth
    > Windows Explorer would be trying to connect to 62.211.180.7:80 and
    > 62.211.180.14:80 and why Messenger tries every 2 minutes or so to
    > connect to my own IP#, port 1900, even though it is shut off every
    > which way to Sunday.
    >
    > Pretty irritating since in order to see alert notifications I have to
    > click the miserable thing every minute or so to shut those two up or
    > check manually. And the sheer waste of system resources has steam
    > coming out my ears.
    >
    > Messenger on XP will not, BTW, allow you to shut it down if you have
    > OE open - claims that the program is "using features provided by
    > Messenger and that they will not work properly." Microsoft site
    > gives instructions to remove it but then states that OE, IE and so
    > forth will no longer work.
    >
    > address digger says -
    > <quote>
    > dns 63.211.180.7
    >
    >
    > 63.211.180.7 has dubious reverse DNS of unknown.Level3.net - which is
    > a valid hostname, but not one that resolves to 63.211.180.7
    >
    >
    >
    > whois -h magic 63.211.180.7
    > Trying whois -h whois.arin.net 63.211.180.7
    > <end>
    >
    > Info for both IP #'s comes up the same.
    >
    > Google of Level 3 Communications, Inc. comes up as follows -
    >
    > Level 3 Communications, Inc. - http://www.level3.com
    > ... Jul 02, 2003, Level 3 Prices $325 Million of 2.875% Convertible
    > Senior Notes. © 2003 by Level 3 Communications, Inc. All rights
    > reserved. ... Description: Holding company with subsidiaries which
    > offer computer operations outsourcing and systems integration...


    Have a search in Google>>Newsgroups>>NANAE on Level3... you will have a
    nice surprise!

    Dick

  4. #4
    mto Guest

    Re: SPOOLSV.EXE


    "Dick Hazeleger" <Dick@post_it_in_the_newsgroup.com> wrote in message
    news:vj393q2kqr7ecf@corp.supernews.com...
    > mto wrote:
    >
    > >
    > > "siljaline" <siljaline@invalid.com> wrote in message
    > > news:t251jvkqd7ab0oj7n8hsk513fttv0cbdtd@4ax.com...
    > > > On Wed, 06 Aug 2003 05:14:30 GMT, "Steve"
    > > > <srhaymesslaysspam@comcast.net> wrote:
    > > >
    > > > >Can anyone tell me what SPOOLSV.EXE is and if I should let it
    > > > >through my firewall?
    > > >
    > > > Print and fax "spooler" executable - Microsoft.
    > > >
    > > > Disallow "phone home". Doesn't need to. If it does, track the IPs
    > > > it connects out to from your ZA logs or alerts and post them here,
    > > > or run a whois at samspade http://www.samspade.org/t/
    > > >
    > > > HTH

    > >
    > > Glad to hear you say that siljaline. Been wondering why on earth
    > > Windows Explorer would be trying to connect to 62.211.180.7:80 and
    > > 62.211.180.14:80 and why Messenger tries every 2 minutes or so to
    > > connect to my own IP#, port 1900, even though it is shut off every
    > > which way to Sunday.
    > >

    <SNIP>
    > >
    > > address digger says -
    > > <quote>
    > > dns 63.211.180.7
    > >
    > >
    > > 63.211.180.7 has dubious reverse DNS of unknown.Level3.net - which is
    > > a valid hostname, but not one that resolves to 63.211.180.7
    > >
    > >
    > >
    > > whois -h magic 63.211.180.7
    > > Trying whois -h whois.arin.net 63.211.180.7
    > >
    > > OrgName: Level 3 Communications, Inc.
    > > OrgID: LVLT
    > > Address: 1025 Eldorado Blvd.
    > > City: Broomfield
    > > StateProv: CO
    > > PostalCode: 80021
    > > Country: US

    <SNIP>
    > Have a search in Google>>Newsgroups>>NANAE on Level3... you will have a
    > nice surprise!
    >
    > Dick


    OK! So Level 3 is a known spam-haven. Wonderful - and the next
    question is why is Windows Explorer trying to phone home to them every
    couple of minutes -

    AdAware, SpyBot & antivirus updated an hour ago all read clean. Checked all
    of the email accounts for html email or undeleted trash. Clean everywhere.
    Found a spider.sav file in My Documents & investigated/deleted that. After
    each of the above the warning reappeared, so it isn't any of those.

    Cleared all the files from Temp Internet and reduced cache size to 100 MB.
    About to go get a dedicated trojan detector.

    Further ideas?







  5. #5
    mto Guest

    Re: SPOOLSV.EXE


    "mto" <nobody@dontsendmeanyspam.com> wrote in message
    news:C3CdnaCAs_06pa-iXTWJgA@seg.net...
    <SNIP>
    > > > Been wondering why on earth
    > > > Windows Explorer would be trying to connect to 62.211.180.7:80 and
    > > > 62.211.180.14:80 and why Messenger tries every 2 minutes or so to
    > > > connect to my own IP#, port 1900, even though it is shut off every
    > > > which way to Sunday.
    > > >

    > <SNIP>
    > > >
    > > > address digger says -
    > > > <quote>
    > > > dns 63.211.180.7
    > > >
    > > >
    > > > 63.211.180.7 has dubious reverse DNS of unknown.Level3.net - which is
    > > > a valid hostname, but not one that resolves to 63.211.180.7
    > > >
    > > >
    > > >
    > > > whois -h magic 63.211.180.7
    > > > Trying whois -h whois.arin.net 63.211.180.7
    > > >
    > > > OrgName: Level 3 Communications, Inc.
    > > > OrgID: LVLT
    > > > Address: 1025 Eldorado Blvd.
    > > > City: Broomfield
    > > > StateProv: CO
    > > > PostalCode: 80021
    > > > Country: US

    > <SNIP>
    > > Have a search in Google>>Newsgroups>>NANAE on Level3... you will have a
    > > nice surprise!
    > >
    > > Dick

    >
    > OK! So Level 3 is a known spam-haven. Wonderful - and the next
    > question is why is Windows Explorer trying to phone home to them every
    > couple of minutes -
    >
    > AdAware, SpyBot & antivirus updated an hour ago all read clean. Checked all
    > of the email accounts for html email or undeleted trash. Clean everywhere.
    > Found a spider.sav file in My Documents & investigated/deleted that. After
    > each of the above the warning reappeared, so it isn't any of those.
    >
    > Cleared all the files from Temp Internet and reduced cache size to 100 MB.
    > About to go get a dedicated trojan detector.
    >
    > Further ideas?


    In playing around I have found that the Windows Explorer outgoing connection
    attempts seem to all be connected to page loading at MSNBC.com.




  6. #6
    Dick Hazeleger Guest

    Re: SPOOLSV.EXE

    mto wrote:

    >
    > "mto" <nobody@dontsendmeanyspam.com> wrote in message
    > news:C3CdnaCAs_06pa-iXTWJgA@seg.net...
    > <SNIP>
    > > > > Been wondering why on earth
    > > > > Windows Explorer would be trying to connect to 62.211.180.7:80
    > > > > and 62.211.180.14:80 and why Messenger tries every 2 minutes or
    > > > > so to connect to my own IP#, port 1900, even though it is shut
    > > > > off every which way to Sunday.
    > > > >

    > > <SNIP>
    > > > >
    > > > > address digger says -
    > > > > <quote>
    > > > > dns 63.211.180.7
    > > > >
    > > > >
    > > > > 63.211.180.7 has dubious reverse DNS of unknown.Level3.net -
    > > > > which is a valid hostname, but not one that resolves to
    > > > > 63.211.180.7
    > > > >
    > > > >
    > > > >
    > > > > whois -h magic 63.211.180.7
    > > > > Trying whois -h whois.arin.net 63.211.180.7
    > > > >
    > > > > OrgName: Level 3 Communications, Inc.
    > > > > OrgID: LVLT
    > > > > Address: 1025 Eldorado Blvd.
    > > > > City: Broomfield
    > > > > StateProv: CO
    > > > > PostalCode: 80021
    > > > > Country: US

    > > <SNIP>
    > > > Have a search in Google>>Newsgroups>>NANAE on Level3... you will
    > > > have a nice surprise!
    > > >
    > > > Dick

    > >
    > > OK! So Level 3 is a known spam-haven. Wonderful - and the next
    > > question is why is Windows Explorer trying to phone home to them
    > > every couple of minutes -
    > >
    > > AdAware, SpyBot & antivirus updated an hour ago all read clean.
    > > Checked all of the email accounts for html email or undeleted trash.
    > > Clean everywhere.
    > > Found a spider.sav file in My Documents & investigated/deleted that.
    > > After each of the above the warning reappeared, so it isn't any of those.
    > >
    > > Cleared all the files from Temp Internet and reduced cache size to
    > > 100 MB. About to go get a dedicated trojan detector.
    > >
    > > Further ideas?

    >
    > In playing around I have found that the Windows Explorer outgoing
    > connection attempts seem to all be connected to page loading at
    > MSNBC.com.


    In addition, it seems that people in the USA who use a FW get
    "hammered" by IP's that trace back to L3... wonder what they are up
    to... trojan install?

    OK, back to your problem... MTO, did you install some kind of "handy
    dandy" search bar, newsfeature, weather program, etc (you know what
    type I mean)?

    Did you search the registry for this page? What kind of page is loaded?
    Ads, news, MS stuff... this could give a hint in the right direction...

    See ya later guys and gals, I'm almost "done" in this temperature.

    Dick
