Thread: Re: SPOOLSV.EXE

  1. #1
    mto Guest

    Re: SPOOLSV.EXE


    "mto" <nobody@dontsendmeanyspam.com> wrote in message
    news:C3CdnaCAs_06pa-iXTWJgA@seg.net...
    <SNIP>
    >>>Been wondering why on earth
    > > > Windows Explorer would be trying to connect to 62.211.180.7:80 and
    > > > 62.211.180.14:80 and why Messenger tries every 2 minutes or so to
    > > > connect to my own IP#, port 1900, even though it is shut off every
    > > > which way to Sunday.
    > > >

    > <SNIP>
    > > >
    > > > address digger says -
    > > > <quote>
    > > > dns 63.211.180.7
    > > >
    > > >
    > > > 63.211.180.7 has dubious reverse DNS of unknown.Level3.net - which is
    > > > a valid hostname, but not one that resolves to 63.211.180.7
    > > >
    > > >
    > > >
    > > > whois -h magic 63.211.180.7
    > > > Trying whois -h whois.arin.net 63.211.180.7
    > > >
    > > > OrgName: Level 3 Communications, Inc.
    > > > OrgID: LVLT
    > > > Address: 1025 Eldorado Blvd.
    > > > City: Broomfield
    > > > StateProv: CO
    > > > PostalCode: 80021
    > > > Country: US

    > <SNIP>
    > > Have a search in Google>>Newsgroups>>NANAE on Level3... you will have a
    > > nice surprise!
    > >
    > > Dick

    >
    > OK! So Level 3 is a known spam-haven. Wonderful - and the next
    > question is why is Windows Explorer trying to phone home to them every
    > couple of minutes -
    >
    > AdAware, SpyBot & antivirus updated an hour ago all read clean. Checked all
    > of the email accounts for html email or undeleted trash. Clean everywhere.
    > Found a spider.sav file in My Documents & investigated/deleted that. After
    > each of the above the warning reappeared, so it isn't any of those.
    >
    > Cleared all the files from Temp Internet and reduced cache size to 100 MB.
    > About to go get a dedicated trojan detector.
    >
    > Further ideas?


    In playing around I have found that the Windows Explorer outgoing connection
    attempts seem to all be connected to page loading at MSNBC.com.




  2. #2
    Dick Hazeleger Guest

    Re: SPOOLSV.EXE

    mto wrote:

    >
    > "mto" <nobody@dontsendmeanyspam.com> wrote in message
    > news:C3CdnaCAs_06pa-iXTWJgA@seg.net...
    > <SNIP>
    > >>>Been wondering why on earth
    > > > > Windows Explorer would be trying to connect to 62.211.180.7:80
    > > > > and 62.211.180.14:80 and why Messenger tries every 2 minutes or
    > > > > so to connect to my own IP#, port 1900, even though it is shut
    > > > > off every which way to Sunday.
    > > > >

    > > <SNIP>
    > > > >
    > > > > address digger says -
    > > > > <quote>
    > > > > dns 63.211.180.7
    > > > >
    > > > >
    > > > > 63.211.180.7 has dubious reverse DNS of unknown.Level3.net -
    > > > > which is a valid hostname, but not one that resolves to
    > > > > 63.211.180.7
    > > > >
    > > > >
    > > > >
    > > > > whois -h magic 63.211.180.7
    > > > > Trying whois -h whois.arin.net 63.211.180.7
    > > > >
    > > > > OrgName: Level 3 Communications, Inc.
    > > > > OrgID: LVLT
    > > > > Address: 1025 Eldorado Blvd.
    > > > > City: Broomfield
    > > > > StateProv: CO
    > > > > PostalCode: 80021
    > > > > Country: US

    > > <SNIP>
    > > > Have a search in Google>>Newsgroups>>NANAE on Level3... you will
    > > > have a nice surprise!
    > > >
    > > > Dick

    > >
    > > OK! So Level 3 is a known spam-haven. Wonderful - and the next
    > > question is why is Windows Explorer trying to phone home to them
    > > every couple of minutes -
    > >
    > > AdAware, SpyBot & antivirus updated an hour ago all read clean.
    > > Checked all of the email accounts for html email or undeleted trash.
    > > Clean everywhere.
    > > Found a spider.sav file in My Documents & investigated/deleted that.
    > > After each of the above the warning reappeared, so it isn't any of those.
    > >
    > > Cleared all the files from Temp Internet and reduced cache size to
    > > 100 MB. About to go get a dedicated trojan detector.
    > >
    > > Further ideas?

    >
    > In playing around I have found that the Windows Explorer outgoing
    > connection attempts seem to all be connected to page loading at
    > MSNBC.com.


    In addition, it seems that people in the USA who use a FW get
    "hammered" by IP's that trace back to L3... wonder what they are up
    to... trojan install?

    OK, back to your problem... MTO, did you install some kind of "handy
    dandy" search bar, newsfeature, weather program, etc (you know what
    type I mean)?

    Did you search the registry for this page? What kind of page is loaded?
    Ads, news, MS stuff... this could give a hint in the right direction...

    See ya later guys and gals, I'm almost "done" in this temperature.

    Dick

  3. #3
    mto Guest

    Re: SPOOLSV.EXE


    "Dick Hazeleger" <Dick@post_it_in_the_newsgroup.com> wrote in message
    news:vj7q83kachq68@corp.supernews.com...
    > mto wrote:
    >
    > >
    > > "mto" <nobody@dontsendmeanyspam.com> wrote in message
    > > news:C3CdnaCAs_06pa-iXTWJgA@seg.net...
    > > <SNIP>
    > > >>>Been wondering why on earth
    > > > > > Windows Explorer would be trying to connect to 62.211.180.7:80
    > > > > > and 62.211.180.14:80 and why Messenger tries every 2 minutes or
    > > > > > so to connect to my own IP#, port 1900, even though it is shut
    > > > > > off every which way to Sunday.
    > > > > >
    > > > <SNIP>
    > > > > >
    > > > > > address digger says -
    > > > > > <quote>
    > > > > > dns 63.211.180.7
    > > > > >
    > > > > >
    > > > > > 63.211.180.7 has dubious reverse DNS of unknown.Level3.net -
    > > > > > which is a valid hostname, but not one that resolves to
    > > > > > 63.211.180.7
    > > > > >
    > > > > >
    > > > > >
    > > > > > whois -h magic 63.211.180.7
    > > > > > Trying whois -h whois.arin.net 63.211.180.7
    > > > > >
    > > > > > OrgName: Level 3 Communications, Inc.
    > > > > > OrgID: LVLT
    > > > > > Address: 1025 Eldorado Blvd.
    > > > > > City: Broomfield
    > > > > > StateProv: CO
    > > > > > PostalCode: 80021
    > > > > > Country: US
    > > > <SNIP>
    > > > > Have a search in Google>>Newsgroups>>NANAE on Level3... you will
    > > > > have a nice surprise!
    > > > >
    > > > > Dick
    > > >
    > > > OK! So Level 3 is a known spam-haven. Wonderful - and the next
    > > > question is why is Windows Explorer trying to phone home to them
    > > > every couple of minutes -
    > > >
    > > > AdAware, SpyBot & antivirus updated an hour ago all read clean.
    > > > Checked all of the email accounts for html email or undeleted trash.
    > > > Clean everywhere.
    > > > Found a spider.sav file in My Documents & investigated/deleted that.
    > > > After each of the above the warning reappeared, so it isn't any of those.
    > > >
    > > > Cleared all the files from Temp Internet and reduced cache size to
    > > > 100 MB. About to go get a dedicated trojan detector.
    > > >
    > > > Further ideas?

    > >
    > > In playing around I have found that the Windows Explorer outgoing
    > > connection attempts seem to all be connected to page loading at
    > > MSNBC.com.

    >
    > In addition, it seems that people in the USA who use a FW get
    > "hammered" by IP's that trace back to L3... wonder what they are up
    > to... trojan install?


    Don't seem to be being hammered by an IP from outside in - this is all
    outgoing traffic.

    > OK, back to your problem... MTO, did you install some kind of "handy
    > dandy" search bar, newsfeature, weather program, etc (you know what
    > type I mean)?


    Not on your life! Installed nothing new whatever.


    > Did you search the registry for this page? What kind of page is loaded?
    > Ads, news, MS stuff... this could give a hint in the right direction...


    Haven't searched the registry - guess I've got to download Hijack This since
    everything comes up clean EXCEPT for the salient fact that within the last 2
    hours Zone Alarm got literally wiped except for the alert logs. Every
    single thing turned off, all the blocked sites, privacy settings gone. Went
    to a very limited # of webpages so set all the security even yet higher,
    turned off everything possible to turn off and will see if I can track it
    down.

    > See ya later guys and gals, I'm almost "done" in this temperature.
    >
    > Dick


    Yeah, I hear that you are baking. Like my Dad always says though - easy
    to get cold in the summer, just jump in the water. It's the winter cold
    that costs you.

    MTO, writing from cold showers are us (though not as bad as last year here.)



  4. #4
    Dick Hazeleger Guest

    Re: SPOOLSV.EXE

    mto wrote:

    >
    > "Dick Hazeleger" <Dick@post_it_in_the_newsgroup.com> wrote in message
    > news:vj7q83kachq68@corp.supernews.com...
    > > mto wrote:
    > >
    > > >
    > > > "mto" <nobody@dontsendmeanyspam.com> wrote in message
    > > > news:C3CdnaCAs_06pa-iXTWJgA@seg.net...
    > > > <SNIP>
    > > > >>>Been wondering why on earth
    > > > > > > Windows Explorer would be trying to connect to
    > > > > > > 62.211.180.7:80 and 62.211.180.14:80 and why Messenger
    > > > > > > tries every 2 minutes or so to connect to my own IP#, port
    > > > > > > 1900, even though it is shut off every which way to Sunday.
    > > > > > >
    > > > > <SNIP>
    > > > > > >
    > > > > > > address digger says -
    > > > > > > <quote>
    > > > > > > dns 63.211.180.7
    > > > > > >
    > > > > > >
    > > > > > > 63.211.180.7 has dubious reverse DNS of unknown.Level3.net -
    > > > > > > which is a valid hostname, but not one that resolves to
    > > > > > > 63.211.180.7
    > > > > > >
    > > > > > >
    > > > > > >
    > > > > > > whois -h magic 63.211.180.7
    > > > > > > Trying whois -h whois.arin.net 63.211.180.7
    > > > > > >
    > > > > > > OrgName: Level 3 Communications, Inc.
    > > > > > > OrgID: LVLT
    > > > > > > Address: 1025 Eldorado Blvd.
    > > > > > > City: Broomfield
    > > > > > > StateProv: CO
    > > > > > > PostalCode: 80021
    > > > > > > Country: US
    > > > > <SNIP>
    > > > > > Have a search in Google>>Newsgroups>>NANAE on Level3... you
    > > > > > will have a nice surprise!
    > > > > >
    > > > > > Dick
    > > > >
    > > > > OK! So Level 3 is a known spam-haven. Wonderful - and the
    > > > > next question is why is Windows Explorer trying to phone home
    > > > > to them every couple of minutes -
    > > > >
    > > > > AdAware, SpyBot & antivirus updated an hour ago all read clean.
    > > > > Checked all of the email accounts for html email or undeleted
    > > > > trash. Clean everywhere.
    > > > > Found a spider.sav file in My Documents & investigated/deleted
    > > > > that. After each of the above the warning reappeared, so it isn't
    > > > > any of those.
    > > > >
    > > > > Cleared all the files from Temp Internet and reduced cache size
    > > > > to 100 MB. About to go get a dedicated trojan detector.
    > > > >
    > > > > Further ideas?
    > > >
    > > > In playing around I have found that the Windows Explorer outgoing
    > > > connection attempts seem to all be connected to page loading at
    > > > MSNBC.com.

    > >
    > > In addition, it seems that people in the USA who use a FW get
    > > "hammered" by IP's that trace back to L3... wonder what they are up
    > > to... trojan install?

    >
    > Don't seem to be being hammered by an IP from outside in - this is all
    > outgoing traffic.
    >
    > > OK, back to your problem... MTO, did you install some kind of "handy
    > > dandy" search bar, newsfeature, weather program, etc (you know what
    > > type I mean)?

    >
    > Not on your life! Installed nothing new whatever.
    >
    >
    > > Did you search the registry for this page? What kind of page is
    > > loaded? Ads, news, MS stuff... this could give a hint in the right
    > > direction...

    >
    > Haven't searched the registry - guess I've got to download Hijack
    > This since everything comes up clean EXCEPT for the salient fact that
    > within the last 2 hours Zone Alarm got literally wiped except for the
    > alert logs. Every single thing turned off, all the blocked sites,
    > privacy settings gone. Went to a very limited # of webpages so set
    > all the security even yet higher, turned off everything possible to
    > turn off and will see if I can track it down.
    >
    > > See ya later guys and gals, I'm almost "done" in this temperature.
    > >
    > > Dick

    >
    > Yeah, I hear that you are baking. Like my Dad always says though -
    > easy to get cold in the summer, just jump in the water. It's the
    > winter cold that costs you.
    >
    > MTO, writing from cold showers are us (though not as bad as last year
    > here.)


    But that is a completely different situation than your browser going to
    MSNBC (although annoying) every time... This looks more like a virus or
    trojan... Did you have a look at processes and/or services running?
    Kaspersky has a nice (free) tool for that... no install, just run it;
    then of course a scan with (even a trial of) a Trojan detector like
    TDS3 wouldn't hurt (although it takes time, lots of it...). Since I
    don't know what OS flavor you're running, I cannot give you the obvious
    advice: scan from DOS with for instance F-Prot (with updated reference
    files of course), but if you could do so... that too won't hurt...

    I hope you'll find what the problem is and will be able to make it a
    "dead problem"!

    Yes, we are "baking" here; even the water is getting too warm now (if
    available), at some places the water is dangerously low and farmers are
    not allowed to water their crops on our sandy grounds... (the part
    where I am living); it's really bad in Europe right now...

    If you have enough of those showers and cold winds... send them over to
    us, we would welcome them ;-D

    Dick
