
Spooler Subsystem App dialing out - XP Pro


otoe1

Technical User
Mar 2, 2003
2
US
Spooler Sub System App just started to dial out, forewarned by 'zone alarm', and ran 'The Cleaner', 'Pest Patrol' and 'Spy Bot' and was unable to locate anything.

Have auto update and register disabled for my printer.
Unable to locate anything related on HP web site.

Uninstalled both printer and software, then re-installed from HP site and hooked printer back on. No avail.

Nothing on MS Knowledge Base that I could find (maybe in another location).

Spoosv.exe still wants to connect at initial boot up.

Had installed 'Lime Wire' on the 23rd of February and thinking this might be related. I did not install any of the 'included' adware or spyware.

Short of doing a 'system restore', I'm at a loss as to what else to do.

Here is a copy of my startup listings.

Any help would be appreciated.

Thanx.

StartupList report, 2/28/2003, 11:45:26 AM
StartupList version: 1.52
Started from : C:\unzipped\startuplist152\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\logonui.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\PestPatrol\PPControl.exe
D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\DAP\DAP.EXE
C:\unzipped\startuplist152\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[D:\Documents and Settings\All Users\Start Menu\Programs\Startup]
ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = D:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

QuickTime Task = "D:\Program Files\QuickTime\qttask.exe" -atboottime
PestPatrol Control Center = D:\Program Files\PestPatrol\PPControl.exe
PPMemCheck = D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
CookiePatrol = D:\PROGRA~1\PESTPA~1\CookiePatrol.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

RegisterDropHandler = D:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = D:\WINDOWS\System32\ctfmon.exe
Microsoft Works Update Detection = D:\Program Files\Microsoft Works\WkDetect.exe

--------------------------------------------------

Shell & screensaver key from D:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - D:\Program Files\DAP\DAPBHO.dll - {0000CC75-ACF3-4cac-A0A9-DD3868E06852}
(no name) - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Yahoo! Companion BHO - D:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll - {13F537F0-AF09-11d6-9029-0002B31F9E59}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = D:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE =
[OPUCatalog Class]
InProcServer32 = D:\WINDOWS\System32\opuc.dll
CODEBASE =
[Microsoft Office XP Professional Step by Step Interactive]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\mitm0026.dll
CODEBASE = file://D:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab

[AnarkClient Class]
InProcServer32 = D:\Program Files\Anark\Client\AMClient.dll
CODEBASE =
[Update Class]
InProcServer32 = D:\WINDOWS\System32\iuctl.dll
CODEBASE =
[Shockwave Flash Object]
InProcServer32 = D:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE =
[Microsoft Office Tools on the Web Control]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\OUTC.DLL
CODEBASE =
[MSN Chat Control 4.5]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE =
--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: D:\WINDOWS\system32\SHELL32.dll
CDBurn: D:\WINDOWS\system32\SHELL32.dll
WebCheck: D:\WINDOWS\System32\webcheck.dll
SysTray: D:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,809 bytes
Report generated in 0.172 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Correct me if I'm wrong, but Spoosv.exe is not the spooler service in XP? I can't find anything called that on any of my XP boxes. Seems like you've been infected... ;)

-KJ
 
Have a look in your Event Viewer under the System or the Application folders. See if you can determine from there why it is attempting to connect.

Under Printer and Faxes/ File/ Server Properties/ Advanced

See what boxes you can check there to get further information.

Are you sharing a printer?
Is this a Standalone machine you have?
Double click on your Printer Icon and bring up the Print Queue and see if there is anything wanting to print.
 
Hey jevel,
I can only share your opinion, but infected by what???
I've got the same exe (spoolsv.exe) suddenly running on my XP and I can't explain it...
Are you sure it's no part of XP?
How can I be sure that it isn't?
I can't even detect the process it's running...
"§%/&&%><aaaaargh!!!
PS.: there is no printer in my system...
 
Seems to me guys that this is a part of XP. It is a part where networking is involved, the printer sends out a 'ready for service' notification.

As far as being infected, it truly isn't, as well as one can tell from the startup list that I had provided, which lists all startup programs in the registry.

Thanx for your concerns.

This is what I have determined from other tech sites.

A friend had installed other network protocols earlier in the week, from what he told me; not knowing what to expect got me all excited.

The printer is not trying to access the 'internet', there is no addy listed, just blank octets, just looking for the local network. Thus, the reason for all of my panicking.

And there is no network to connect to as of yet. I do believe that this will quit as soon as I hook up a network.

Thanx.
 
If you've spelled the app right in the first place, it lists as spoosrv.exe, not spoolsrv.exe.

If it's spoolsrv.exe, it's the spoolserver, but if it's spoosrv.exe, it seems to be something camouflaged as the spoolserver.

-KJ
 
OTOE1:
Heh. I see in your current program listing, the program name is spoolsv.exe
First: any program ending in or containing sv or svc is most likely a system SERVICE. (Although you may want to check in services, see below.)

A service is a program that runs in the background to support the everyday running of your computer. Microsoft has come to the decision of not telling end users what these are and that you can control the starting or stopping of them all.

The spool service is one that is started automatically on boot by default on XP install. You can see PrintSpooler, along with the 4 dozen or so other services that you can control, by going to start>control panel>admin tools>services. If you have a printer you NEED this service running. If you don't have a printer, you can most likely stop it.

Now as to why this program was sending data out I am not sure, but maybe, as a past poster said, if you have, or had, a network at any point, maybe it is possibly trying to share the printer or print elsewhere???

A few things you could try are: stopping the service, and seeing if you get the zonealarm alert (you shouldn't); uninstalling file/printer sharing for a bit and seeing if you get the zonealarm alert.

just my thoughts
-me-
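
The name check argued over in this thread (spoolsv.exe versus near-miss spellings such as spoosv.exe or spoosrv.exe) can be automated over a process list like the one in the StartupList report. The following is an added example, not part of the original thread; the `KNOWN` list, the distance threshold of 2 and the function names are assumptions of the example, and the sample paths marked as constructed are not from the poster's machine.

```python
import ntpath

# Core Windows XP system image names that live in <windir>\system32.
# Short illustrative list (an assumption of this example, not exhaustive).
KNOWN = {"spoolsv.exe", "svchost.exe", "services.exe",
         "lsass.exe", "winlogon.exe", "smss.exe"}

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def check_process(path, windir=r"D:\WINDOWS"):
    """Classify one full image path; returns (verdict, detail)."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    expected = ntpath.join(windir, "system32").lower()
    if name in KNOWN:
        # Right name: it must also run from the system directory.
        if folder == expected:
            return ("ok", name)
        return ("wrong-dir", f"{name} is outside {expected}")
    # Wrong name: flag spellings within two edits of a system binary.
    for known in sorted(KNOWN):
        if edit_distance(name, known) <= 2:
            return ("look-alike", f"{name} resembles {known}")
    return ("not-listed", name)

def scan(paths):
    """Return (path, verdict, detail) for every path worth a closer look."""
    results = [(p,) + check_process(p) for p in paths]
    return [r for r in results if r[1] in ("wrong-dir", "look-alike")]

SAMPLE = [
    r"D:\WINDOWS\system32\spoolsv.exe",      # as listed in the report
    r"D:\WINDOWS\System32\smss.exe",         # as listed in the report
    r"D:\WINDOWS\system32\spoosv.exe",       # constructed: spelling from the thread
    r"D:\WINDOWS\system32\spoosrv.exe",      # constructed: spelling from the thread
    r"D:\Documents and Settings\spoolsv.exe" # constructed: right name, wrong place
]

if __name__ == "__main__":
    for path, verdict, detail in scan(SAMPLE):
        print(f"{verdict:10} {path}  ({detail})")
```
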
 