Re: spyware tcp connections from spoolsv.exe to internet!!!

kemanetzis@xxxxxxxxxxx wrote:
The past few days all running programs are trying to connect to the
internet at random addresses.
(mainly a1981.g.akamai.com and ports 80:http and 53:dns)
(snip)
1) Is there a good reason for this to be happening???? (I mean
spoolsv.exe should not connect to the internet!)

2) Can you recommend a way to find/clean this spyware, or whatever it
is?

I would like those answers as well!

My "symptom" is that I'll see attempted connections from IP addresses
in the Akamai range from their port 80 to my ports 10xx through 12xx.
They are always in TIME_WAIT. When I restart my machine I'll usually
see 20 connections from one IP address going at the lower 1000's of my
ports. Then, just sitting there, it seems like there will be a few
attempted connections that pop up. Tonight I noticed that Zone Alarm
zlclient.exe had made some outbound connections to Akamai servers. And
that's after I turned all of the update stuff off.

--Dale--

from another newsgroup....
"sengsational" wrote in message news:ds91tk$1qq8$1@xxxxxxxxxxxxxxx
Each machine on home network has been running its own ZoneAlarm, I run AVG
on all systems, plus I'm behind a router, so I'm not a _complete_ security
idiot (snip)

Or then again, maybe I am.... for trusting ZoneAlarm

I think I might be a victim of a supposed "bug" in ZoneAlarm:

http://www.theinquirer.net/?article=29157

Tonight I've seen quite a few IP addresses doing this thing (81.52.202.137,
80.67.72.224, 63.222.71.150, 81.52.202.143). A lot of times those IP's
belong to Akamai Technologies (snip)

It looks like all in the last 2 days have been Akamai, and I think
there's a correlation with outbound connections by zlclient.exe
(ZoneAlarm) that I did NOT allow. I turned everything off, and it
still was nagging me to upgrade. These connections from Akamai port 80
machines only started happening after I refused to pay for another
annual upgrade. Maybe it's a way to strike fear in people to generate
upgrades, ha!

I can't report on if blocking zlclient.exe had any effect yet. The
sure-fire way to get those inbound IP's was to restart, but my HTPC is
recording something right now. More later.

--Dale--
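One way to answer the two questions above (which process owns those Akamai connections, and whether they are really inbound), as an added example that is not part of the original post or thread: run `netstat -ano` and `tasklist` on the Windows box and feed the output through something like the script below. A local port in the dynamic range (1025 and up on Windows XP, which matches the 10xx-12xx ports mentioned) paired with a remote port 80 means this host opened the connection as an HTTP client, regardless of which side closed first and left it in TIME_WAIT; the job is then to find the owning process. The netstat text, the PID-to-image table and the allow-list of processes permitted to use the internet are all constructed for illustration, not captured from anyone's machine.

```python
"""Attribute Windows `netstat -ano` TCP entries to processes and flag the ones
that should not be talking to the internet.  Illustrative only: the netstat
text, the PID table and the allow-list below are constructed, not captured."""
import re
from collections import defaultdict

# Constructed `netstat -ano` output in the Windows XP format (IPv4 only); the
# remote addresses are the Akamai ones quoted in the thread, the PIDs are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.5:1043       81.52.202.137:80       TIME_WAIT       0
  TCP    192.168.1.5:1044       81.52.202.143:80       ESTABLISHED     1524
  TCP    192.168.1.5:1051       80.67.72.224:80        TIME_WAIT       0
  TCP    192.168.1.5:1060       63.222.71.150:80       ESTABLISHED     1524
  TCP    192.168.1.5:1068       192.168.1.1:53         ESTABLISHED     1312
"""

# Constructed PID -> image name map, as `tasklist /fo csv` would report it.
SAMPLE_TASKLIST = {892: "svchost.exe", 1524: "zlclient.exe", 1312: "spoolsv.exe"}

# Assumed local policy: the only images allowed to open HTTP/DNS connections.
EXPECTED_INTERNET_PROCESSES = {"iexplore.exe", "firefox.exe", "svchost.exe"}

# Windows XP hands out dynamic (ephemeral) client ports starting at 1025.
EPHEMERAL_START = 1025

LINE_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)\s+(\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per TCP row; header lines and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        laddr, lport, raddr, rport, state, pid = m.groups()
        rows.append({
            "laddr": laddr, "lport": int(lport),
            "raddr": raddr, "rport": int(rport),
            "state": state, "pid": int(pid),
        })
    return rows


def is_locally_initiated(row):
    """A dynamic local port paired with a well-known remote port means this
    host opened the connection as a client, whatever state it is in now."""
    return row["lport"] >= EPHEMERAL_START and 0 < row["rport"] < 1024


def attribute(rows, pid_to_image):
    """Group locally initiated connections by owning image.  Windows reports
    PID 0 for TIME_WAIT sockets (the owner has already closed them), so those
    land under '<unattributed>': catch them while they are still ESTABLISHED."""
    by_image = defaultdict(list)
    for r in rows:
        if not is_locally_initiated(r):
            continue
        if r["pid"] == 0:
            image = "<unattributed>"
        else:
            image = pid_to_image.get(r["pid"], "<unknown pid %d>" % r["pid"]).lower()
        by_image[image].append((r["raddr"], r["rport"], r["state"]))
    return dict(by_image)


def flag_unexpected(by_image, expected):
    """Return {image: connections} for images not on the allow-list, plus the
    unattributed TIME_WAIT rows, which still need an explanation."""
    return {img: conns for img, conns in by_image.items() if img not in expected}


if __name__ == "__main__":
    conns = attribute(parse_netstat(SAMPLE_NETSTAT), SAMPLE_TASKLIST)
    for image, targets in sorted(flag_unexpected(conns, EXPECTED_INTERNET_PROCESSES).items()):
        for raddr, rport, state in targets:
            print("%-16s -> %s:%d  (%s)" % (image, raddr, rport, state))
```

Two practical points the script encodes: TIME_WAIT rows can no longer be attributed to a process (netstat shows PID 0), so the attribution has to be taken while the connection is ESTABLISHED or SYN_SENT, for example by re-running `netstat -ano` in a loop right after boot when the poster sees the burst; and Akamai is a content delivery network used by many software vendors for update checks, so the remote address alone says little about which local program is responsible, whereas the owning image name does.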
