
spoolsv.exe & malicious website


RHinCT


Running Malwarebytes Premium.  Here is a sample from the log.


Detection, 9/6/2015 6:02 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49219, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/6/2015 6:02 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49219, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/6/2015 6:02 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49231, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/6/2015 6:02 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49243, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/6/2015 6:02 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49255, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/6/2015 6:02 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49267, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/6/2015 6:02 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49279, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/6/2015 6:02 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49291, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/6/2015 6:02 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49303, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/6/2015 6:02 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49315, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/6/2015 6:02 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49327, Outbound, C:\Windows\System32\spoolsv.exe,


198.105.244.114 is a known bad place to go.

Neither Malwarebytes nor Microsoft's security program finds any problems with spoolsv.exe, the print spooler.  The Properties of spoolsv.exe match other copies exactly, including size. My tentative conclusion is that something is trying to "print" to the network as a means of phoning home.  Identifying that something is my immediate concern.


One recent change in my system is installing a new hard drive, onto which a copy of W7 was installed as dual boot with this copy of W7.  The new copy was then updated to the latest 7.1, fully patched, and then to W10.  Since then I have had to uninstall one Gigabyte utility from the W10 copy.  Note that I have done minimal browsing from W10 but I am running there without Malwarebytes.  Both hard drives are visible from both copies of Windows.  I can't see how the W10 copy could be involved, but what do I know?


Thanks for any light you can shed!


RH in CT


FRST.txt

Addition.txt


No problem with the delay.  As I said, I would be grateful for any light you can shed on what might have been trying to exploit the print spooler.  If you have any thoughts I would like to hear them.


There have been no additional blocks of this by Malwarebytes since the ones listed in my original message.  I still have no idea what might have been trying to use that path out.


Root Admin

My guess would be that perhaps you either printed or did a print preview of some website that had an advertisement on it that led to a bad site.

At least restart your computer and then make sure your antivirus is up to date and do a full system scan; then also make sure MBAM is up to date and do a Threat scan, and if anything is found let me know.


I've taken all those steps right at the start.


Thanks for your advice.  I will consider this one closed... (unless it happens again).


FYI, I believe that if MBAM had not stopped it, Zone Alarm firewall would have.  It was set to "ask" before letting the spooler reach the internet; I think I would have been smart enough to say No.  Today I set ZA to disallow the print spooler access to the internet; just the local network is permitted.


Thanks again!
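An added example, not part of this thread or of Malwarebytes' own tooling, that puts the two practical points of the discussion into code: triaging the "Detection ... Malicious Website Protection" log lines from the first post (grouping blocks by process and destination, and spotting the pattern of one process retrying on fresh ephemeral ports), and the "local network only" rule for the spooler that the last post settles on. The column layout is assumed from the sample lines shown above, not from an official schema; the sample log is constructed here, using the IP and process path the thread reports, and the set of system processes expected to stay off the internet is an assumption of this example.

```python
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Column layout assumed from the log lines quoted in this thread (not an
# official Malwarebytes schema); a trailing empty field is ignored.
FIELDS = ["record", "timestamp", "user", "computer", "component", "module",
          "kind", "remote_ip", "local_host", "local_port", "direction", "process"]

# Constructed sample in that layout. The remote IP and process path are the
# ones reported in the thread; the last line (a browser hitting the same IP)
# is added here for contrast and did not appear in the original log.
SAMPLE_LOG = """\
Detection, 9/6/2015 6:02 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49219, Outbound, C:\\Windows\\System32\\spoolsv.exe,
Detection, 9/6/2015 6:02 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49231, Outbound, C:\\Windows\\System32\\spoolsv.exe,
Detection, 9/6/2015 6:02 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49243, Outbound, C:\\Windows\\System32\\spoolsv.exe,
Detection, 9/6/2015 6:03 PM, SYSTEM, GROMIT, Protection, Malicious Website Protection, IP, 198.105.244.114, gromit.local, 49401, Outbound, C:\\Program Files\\Browser\\browser.exe,
"""

# Assumption of this example: Windows services that have no business reaching
# the internet on their own. A block naming one of them is worth chasing,
# because something else is driving the connection through that process.
SYSTEM_PROCESSES = {"spoolsv.exe", "lsass.exe"}


def parse_detections(text):
    """Parse the comma-separated log into dicts, keeping only outbound
    Malicious Website Protection blocks."""
    rows = []
    for parts in csv.reader(StringIO(text), skipinitialspace=True):
        if len(parts) < len(FIELDS) or parts[0] != "Detection":
            continue
        row = dict(zip(FIELDS, parts))
        if row["module"] != "Malicious Website Protection":
            continue
        row["local_port"] = int(row["local_port"])
        row["image"] = row["process"].rsplit("\\", 1)[-1].lower()
        rows.append(row)
    return rows


def summarize(rows):
    """Group blocks by (process image, remote IP): how many, which local ports."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row["image"], row["remote_ip"])].append(row["local_port"])
    return {key: {"count": len(ports), "ports": sorted(ports)}
            for key, ports in groups.items()}


def looks_like_retry_burst(ports):
    """Several blocks with strictly increasing ephemeral source ports mean the
    process opened a fresh socket to the same destination after each block,
    i.e. it kept retrying instead of giving up."""
    return len(ports) >= 3 and all(a < b for a, b in zip(ports, ports[1:]))


def is_local_destination(ip):
    """The rule the thread ends with, as a predicate: private, loopback and
    link-local addresses count as the local network; everything else is the
    internet and is off-limits to the spooler."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def triage(text):
    """Findings for every (system process, non-local destination) pair."""
    findings = []
    for (image, remote_ip), info in summarize(parse_detections(text)).items():
        if image in SYSTEM_PROCESSES and not is_local_destination(remote_ip):
            findings.append({
                "process": image,
                "remote_ip": remote_ip,
                "blocks": info["count"],
                "retry_burst": looks_like_retry_burst(info["ports"]),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample, `triage` reports only the spooler, with three blocks and the retry pattern set; the browser line is left for ordinary web-filtering follow-up. The same `is_local_destination` predicate is what an outbound firewall rule for spoolsv.exe should enforce: local subnets allowed, anything routable denied, which is the ZoneAlarm setting described in the last post.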

This topic is now closed to further replies.