I had a program called spoolcll.exe try to open up port 14054 today.
Investigation showed that although it lived in c:\winnt\system32 it wasn't tagged as a Microsoft program. It had a file datestamp of 26 Jan 5 12:57pm. The internet access happened at 12:58.
It showed up in the registry as a service 'evmon'.
The running .exe could not be killed in Task Manager. Nor could the service be paused or stopped.
After telling Norton to block all access, it tried to send a message to: 212.105.105.214, port 5003, which I also blocked.
I set the service to disabled and changed the filename it was looking for. Rebooted. It wasn't running, so I changed the name of the .exe.
So, my question is: is spoolcll.exe legitimate or is it a new virus?
I have Norton AV and firewall, up to date. But I am a little behind in my W2K updates.
www.zoneedit.com/lookup....verse=Look+it+up
I think it is a virus of some sort, as there should be no reason I'm trying to connect to a site in Sweden.
Reverse DNS gets me:
Reverse Lookup Results
Host Type Value
105.105.212.in-addr.arpa NS ns.utfors.se
105.105.212.in-addr.arpa NS ns2.utfors.se
105.105.212.in-addr.arpa NS ns.utfors.se
105.105.212.in-addr.arpa NS ns2.utfors.se
ns.utfors.se A 195.58.103.124
ns2.utfors.se A 195.58.103.18
I'm surprised, Google returns nothing :O
-CO^STY- writes...
I'm surprised, Google returns nothing :O
Neither does Microsoft, Symantec, Kaspersky or McAfee.
Evan writes...
I'm surprised, Google returns nothing :O
Neither does Microsoft, Symantec, Kaspersky or McAfee.
Just wondering, did you spell the file name correctly?
ruberto writes...
Just wondering, did you spell the file name correctly?
Yes. SPOOLCLL.EXE
And, how do you go about reporting this to the virus companies?
I can't find an obvious link on either the Symantec, McAfee or Kaspersky sites.
Ever consider it may not be a virus, but SPYWARE? At the risk of suggesting something you've already done, have you tried scanning your system for spyware (using adaware, spybot s&d, etc)
edit: fiksed mina speling mestake
Johnny Bravo writes...
Ever consider it may not be a virus, but SPYWARE?
No.
I wasn't into any websites at that time that I hadn't already been to. And the only sites that I had been to today were commercial sites that couldn't afford to be associated with spyware.
At the risk of suggesting something you've already done, have you tried scanning your system for spyware (using adaware, spybot s&d, etc)
Ad-Aware comes up clean.
Evan writes...
were commercial sites that couldn't afford to be associated with spyware.
not always obvious who can and who can't be associated with spyware.
I had a piece of paid-for software I've run for months. It was only after I installed the latest AVG free edition that I noticed this program was trying to make an SMTP connection to somewhere in Europe ... because AVG's popup status indicator just sat there until it timed out - it's always failed in the past anyway, because iiNet blocks external SMTP connections (i.e., from me to any SMTP server other than their own).
Evan writes...
Ad-Aware comes up clean.
What browser are you using? Ad-Aware works well on IE but not so well on Firefox etc. You should always use at least 2 spyware programmes; Spybot works well with Firefox and IE.
Evan writes...
program called spoolcll.exe try to open up port 14054 today
Trend Micro Virus Encyclopedia does not list it as a virus or spyware: 0 results found.
What sort of printer do you have? I have read reports of some printer software phoning home, for the collection of printing stats.
alaxus writes...
What sort of printer do you have? I have read reports of some printer software phoning home, for the collection of printing stats.
I was going to mention that myself - my newly acquired Epson tried that!!!
edit: however, the OP does state that the file was created at 12:57 today ... I think he would've remembered installing something like a printer today ;-)
I have an HP 4100N, which wouldn't be sending to Sweden.
I'm using IE 6.
I didn't install anything at the time.
Port 5003 is a registered port number, used by Filemaker Server and Filemaker Pro, neither of which I have.
Interestingly, a google search of port 5003 brings up lintilla.df.lth.se/html/5003.html, which is associated with a Lintilla Multiple Worlds, which looks like some online game.
Do you mean spoolsv.exe?
www.neuber.com/taskmanag...spoolsv.exe.html
Muad' Dib writes...
Do you mean spoolsv.exe?
No.
What program picked it up?
Spool.exe is a virus, so maybe this is a new strain. Renaming itself maybe.
Utfors is a Swedish Telephony carrier.
www.rad.com/Article/0,6583,10123,00.html
do you still have the offending file?
How big was it?
Rename it to ".txt" and look at it for any readable text that may give a clue to its origins/purpose.
Muad' Dib writes...
What program picked it up?
Norton Firewall.
And it keeps coming back. I got a new copy at 4:11 and one at 6:25. I had a connection at 6:24/6:25 from 211-74-63-39.adsl.dynamic.seed.net.tw (211.74.63.39):3406, which sent me about 300k, which is approx twice the size of the exe (at 163 K).
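The checks the thread walks through by hand (a system32 binary without a Microsoft signature, outbound traffic a minute after the file's timestamp, who the destination port is registered to, the reverse-DNS zone of the peer, and an inbound transfer large enough to have re-delivered the executable) can be scripted as one triage pass. This is an added example, not code from anyone in the thread; the process record, firewall events, port table and reverse-zone table are constructed excerpts that mirror the values posted above, not live lookups.

```python
"""Triage pass over constructed observations of a suspicious service binary.
Assumption: all records and lookup tables below are hand-entered excerpts."""
from datetime import datetime, timedelta

# Hand-entered excerpts limited to the values discussed in the thread.
KNOWN_PORTS = {5003: "FileMaker Server/Pro"}
NS_BY_REVERSE_ZONE = {"105.105.212.in-addr.arpa": ["ns.utfors.se", "ns2.utfors.se"]}

# Constructed observations mirroring the original post (not a real capture).
PROCESS = {"path": r"c:\winnt\system32\spoolcll.exe", "signer": None,
           "mtime": datetime(2005, 1, 26, 12, 57), "size": 163 * 1024}
EVENTS = [
    {"time": datetime(2005, 1, 26, 12, 58), "dir": "out",
     "remote": "212.105.105.214", "port": 5003, "bytes": 0},
    {"time": datetime(2005, 1, 26, 18, 24), "dir": "in",
     "remote": "211.74.63.39", "port": 3406, "bytes": 300 * 1024},
]

def reverse_zone(ip, octets=3):
    """in-addr.arpa zone of the /24 holding ip: 212.105.105.214 -> 105.105.212.in-addr.arpa."""
    return ".".join(reversed(ip.split(".")[:octets])) + ".in-addr.arpa"

def triage(proc, events, window=timedelta(minutes=5)):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    # A file under system32 that is not Microsoft-signed is the first red flag.
    if "\\system32\\" in proc["path"].lower() and proc["signer"] != "Microsoft":
        findings.append("binary in system32 is not Microsoft-signed")
    for ev in events:
        ns = NS_BY_REVERSE_ZONE.get(reverse_zone(ev["remote"]), ["unknown"])
        if ev["dir"] == "out":
            owner = KNOWN_PORTS.get(ev["port"], "unregistered")
            soon = abs(ev["time"] - proc["mtime"]) <= window
            findings.append(f"outbound to {ev['remote']}:{ev['port']} ({owner}), "
                            f"{'within' if soon else 'outside'} {window} of file time; "
                            f"zone NS {ns[0]}")
        elif ev["bytes"] >= proc["size"]:
            # An inbound transfer at least as big as the exe could be a fresh copy.
            findings.append(f"inbound {ev['bytes']} bytes from {ev['remote']}:{ev['port']} "
                            f"could re-deliver the {proc['size']}-byte binary; zone NS {ns[0]}")
    return findings

if __name__ == "__main__":
    for line in triage(PROCESS, EVENTS):
        print("-", line)
```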