Old 19-11-2004, 09:33 PM   #1
Eagle of Fire
Friendly Fire
 
Join Date: Sep 2004
Location: Valleyfield, Canada
Posts: 4,892
Today I noticed that my cable modem is allowing traffic coming from or to my PC without having programs running which would attempt to connect to the internet.

I checked in my ZoneAlarm archive and noticed that the "Spooler Subsystem App" tried to connect to the internet 48 times today alone, and it's the first day ever that this program has tried to connect to the internet.

A little search on Yahoo led me to think that the "Spooler Subsystem App" is commonly used by Windows when printers try to access a network or a wireless network. The main problem is that I don't have any printers installed or even plugged in on this computer, and I have no networks installed either.

I ran my usual anti-spyware and malware programs along with my anti-virus but none of them found anything relevant.

Any help on the matter will be really helpful. I don't really know how to search deeper than what I already do right now.
__________________
I'm on a hot streak... Literally.
Proud member of The Abandoned since 2005.
Old 20-11-2004, 02:57 PM   #2
Data
retired
 
Join Date: Jun 2004
Location: Jan Mayen, Svalbard and Jan Mayen
Posts: 2,167
Do you have printer/drive sharing active?
__________________
Flowing with the stream of life
Old 20-11-2004, 05:48 PM   #3
Eagle of Fire
Friendly Fire
 
Join Date: Sep 2004
Location: Valleyfield, Canada
Posts: 4,892
Not to my knowledge. And even so it would not explain why the program tried to connect to the internet yesterday for the first time ever.
__________________
I'm on a hot streak... Literally.
Proud member of The Abandoned since 2005.
Old 20-11-2004, 09:22 PM   #4
The Niles
10 GOSUB Abandonia
20 GOTO 10

 
Join Date: Oct 2003
Location: Shella, Kenya
Posts: 1,578
It is very likely you have been infected with something. As long as your firewall keeps blocking whatever it is, though, you're OK for now. Try and update all your anti-spyware and especially your anti-virus programs and look again.
__________________
Rabyd Rev -- 2 Timothy 2:15
Old 20-11-2004, 11:38 PM   #5
Eagle of Fire
Friendly Fire
 
Join Date: Sep 2004
Location: Valleyfield, Canada
Posts: 4,892
I already did that, Picard. And it seems that whatever infected my computer tries to connect to the internet even before my normal programs load, i.e. at the screen where I need to choose which user will log in. I can see on my cable modem that my computer tries to access the internet. But nothing's loaded yet! :angry:

I checked my ZA today and noticed that, in the last 300 alerts, 90%+ of those alerts have the same destination DNS: PROPRI-DHXNAFLL

Perhaps this would mean something to someone here.

My neighbor suggested I borrow his Norton System Works... I am wondering if it would be good to do so. Especially since I'm not sure I'll find something in the first place, especially if it's a virus of some sort.
__________________
I'm on a hot streak... Literally.
Proud member of The Abandoned since 2005.
Old 21-11-2004, 07:00 AM   #6
FreeFreddy
Guest
Go to the Start button, select Run and type in: Msconfig.
There, go to the Systemstart tab or a similarly named one, the tab where programs are set to load at system start. Now you can see there which programs are loaded at system start. Be careful what you turn off; some are needed, and if Windows doesn't run after you unchecked them and clicked on OK, start it in the debug mode and turn the things on again, only one at a time.
If you see some unusual name there that is loaded, something like 49384msload.exe or similar, this would be suspect No. 1. You can then first try to check it off, then if Windows still starts normally, search your HD and delete this file. You might first need to turn off the option "Fade out protected system files" under the middle tab in Windows Explorer, because the program may hide itself as a system + hidden file. Also be sure that the option "Show contents of system folders" under the above-mentioned option is turned on too. Good luck (goddamned hackers)!
                       
Old 21-11-2004, 07:47 AM   #7
wendymaree
Home Sweet Abandonia
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 963

If you're worried about viruses or spyware, I found a forum today that specialises in ridding computers of both. They have a step-by-step guide and links to four great free programs. You can also post a log result in the forum and their members can tell by looking at it if you've got any problems in your computer system.

http://www.webuser.co.uk/cgi-bin/forums/sh...sb=5&o=93&part=

Good luck!
Old 21-11-2004, 08:27 AM   #8
Eagle of Fire
Friendly Fire
 
Join Date: Sep 2004
Location: Valleyfield, Canada
Posts: 4,892
Thanks, you two, I'll check both of these tomorrow.
__________________
I'm on a hot streak... Literally.
Proud member of The Abandoned since 2005.
Old 22-11-2004, 04:25 PM   #9
Fruit Pie Jones
Now 50% Descriptivist!
 
Join Date: Nov 2004
Location: Oklahoma City, United States
Posts: 1,128

Quote:
Originally posted by Eagle of Fire@Nov 20 2004, 06:38 PM
I checked my ZA today and noticed that, in the last 300 alerts, 90%+ of those alerts have the same destination DNS: PROPRI-DHXNAFLL
That's not your own computer's NetBIOS name, is it? Does pinging that name give an IP address of either 127.0.0.1 or whatever is assigned to your primary network adapter? If so, the Spooler Subsystem App is only trying to access your own machine but doing so in such a way that raises a flag for ZA. You should simply allow it to do so, just to avoid further annoying messages from ZA.

Of course, if that name resolves to some external machine, you should block it on principle.
__________________
Today is a good day for pie.
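
The check suggested in post #9, as an added example that is not part of the original thread: resolve the destination name from the firewall alert and decide whether it is this machine, another host on the LAN, or something external. The function names are hypothetical; `PROPRI-DHXNAFLL` is the name quoted in the thread and is only the default argument.

```python
import ipaddress
import socket
import sys

def same_netbios_name(a, b):
    """NetBIOS names are case-insensitive and at most 15 characters long."""
    short = lambda n: n.split(".")[0].upper()[:15]
    return short(a) == short(b)

def resolve(name):
    """Addresses the local resolver returns for name (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0].split("%")[0] for info in infos}  # drop IPv6 scope id

def classify(dest_name, dest_ips, own_name, own_ips):
    """Return 'self', 'lan', 'external' or 'unresolved' for an alert destination."""
    own = {ipaddress.ip_address(a) for a in own_ips}
    kinds = set()
    for raw in dest_ips:
        ip = ipaddress.ip_address(raw)
        if ip.is_loopback or ip in own:
            kinds.add("self")        # 127.0.0.1 or an address on our own adapter
        elif ip.is_private or ip.is_link_local:
            kinds.add("lan")         # another host on the local network
        else:
            kinds.add("external")    # routable address outside the LAN
    if not kinds:
        # No address at all: fall back to comparing the names themselves.
        return "self" if same_netbios_name(dest_name, own_name) else "unresolved"
    # One outside address is enough to treat the destination as the worst case.
    return next(k for k in ("external", "lan", "self") if k in kinds)

if __name__ == "__main__":
    dest = sys.argv[1] if len(sys.argv) > 1 else "PROPRI-DHXNAFLL"
    me = socket.gethostname()
    verdict = classify(dest, resolve(dest), me, resolve(me))
    print(f"{dest}: {verdict} (this machine is {me})")
```

A verdict of `self` matches the benign case described in the post; `external` is the case the post says to block.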
Old 22-11-2004, 04:33 PM   #10
Rogue
10 GOSUB Abandonia
20 GOTO 10
 
Join Date: Nov 2004
Location: Afrim, Albania
Posts: 2,113
I would suggest you get SPYBOT and/or AdAware, as you can use them to protect your PC and IE, and to make sure nobody is messing with your registry and host file.

If you are already using the latest ZA, then your computer is safe from attacks from outside (but not if you install some spy/ad stuff), and SPYBOT and AdAware will clean and secure your computer.

A lot of the traffic I got is some robots trying to infect me with the MS SQL worm. But in my case, my computer firewall is second in the chain of protection, as I'm using IPCop as a firewall (an old computer acting as firewall) or router (with forward ports turned off).

If anybody would like to know more about IPCop, let me know.