spoolsv.exe infection

[icemansk]

I am having the same issue, but through my network.  The my laptop is not blocking the attempt to access the net, but my PC is blocking the traffic.  I have run scans with MWB and my virus program on both computers and nothing is detected.  Sample of log below.   No changes made to either systems.  This began on 9/4.  The laptop blocks the IP when directly trying to access it.

 

 

Detection, 9/7/2015 9:54 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 50292, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/7/2015 9:54 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 50292, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/7/2015 9:54 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 50296, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/7/2015 9:54 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 50297, Outbound, C:\Windows\System32\spoolsv.exe,

 

Any suggestions would be appreciated.

 

 

[AdvancedSetup]

Hello and

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

General P2P/Piracy Warning:
 
 

 

If you're using

Peer 2 Peer

software such as

uTorrent, BitTorrent

or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have

illegal/cracked software, cracks, keygens etc

. on the system, please remove or uninstall them now and read the policy on

Piracy

.

 
Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

• Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
• If the log is too large then you can use attachments by clicking on the More Reply Options button.
• Please enable your system to show hidden files: How to see hidden files in Windows
• Make sure you're subscribed to this topic:
  
  • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
    

  [*]Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive [*]Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you. [*]The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone. [*]Perform everything in the correct order. Sometimes one step requires the previous one. [*]If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue. [*]You can check here if you're not sure if your computer is 32-bit or 64-bit [*]Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners. [*]When we are done, I'll give you instructions on how to cleanup all the tools and logs [*]Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that. [*]Your topic will be closed if you haven't replied within 3 days [*](If I have not responded within 24 hours, please send me a Private Message as a reminder)
  

 
STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.
 

Link 1

Link 2

• On Windows XP double-click on the Rkill desktop icon to run the tool.
• On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• If the tool does not run from any of the links provided, please let me know.
• Do not reboot the computer, you will need to run the application again.
  

STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

• Please download ERUNT from one of the following links: Link1 | Link2 | Link3
• ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
• Double click on erunt-setup.exe to Install ERUNT by following the prompts.
• NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
• Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
• Choose a location for the backup.
  
  • Note: the default location is C:\Windows\ERDNT which is acceptable.
    

  [*]Make sure that at least the first two check boxes are selected. [*]Click on OK [*]Then click on YES to create the folder. [*]Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe
  

STEP 02
Please run a Threat Scan with MBAM.  If you're unable to run or complete the scan as shown below please see the following:  MBAM Clean Removal Process 2x
When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.
 
 
 

[icemansk]

Detection, 9/12/2015 12:11 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 59133, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/12/2015 12:11 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 59133, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/12/2015 12:11 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 59137, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/12/2015 12:11 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 59138, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/12/2015 12:11 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 59139, Outbound, C:\Windows\System32\spoolsv.exe,
Protection, 9/12/2015 11:48 AM, SYSTEM, KELTNER-PC, Protection, Malware Protection, Starting,
Protection, 9/12/2015 11:48 AM, SYSTEM, KELTNER-PC, Protection, Malware Protection, Started,
Protection, 9/12/2015 11:48 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, Starting,
Protection, 9/12/2015 11:48 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, Started,
Update, 9/12/2015 11:49 AM, SYSTEM, KELTNER-PC, Scheduler, Domain Database, 2015.9.12.3, 2015.9.12.4,
Update, 9/12/2015 11:49 AM, SYSTEM, KELTNER-PC, Scheduler, Malware Database, 2015.9.12.1, 2015.9.12.3,
Protection, 9/12/2015 11:49 AM, SYSTEM, KELTNER-PC, Protection, Refresh, Starting,
Protection, 9/12/2015 11:49 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, Stopping,
Protection, 9/12/2015 11:49 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, Stopped,
Protection, 9/12/2015 11:49 AM, SYSTEM, KELTNER-PC, Protection, Refresh, Success,
Protection, 9/12/2015 11:49 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, Starting,
Protection, 9/12/2015 11:49 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, Started,
Detection, 9/12/2015 11:55 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, manroomlaptop.home, 8, Outbound,
Detection, 9/12/2015 11:55 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, manroomlaptop.home, 8, Outbound,
Detection, 9/12/2015 11:55 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, manroomlaptop.home, 8, Outbound,
Detection, 9/12/2015 11:56 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, manroomlaptop.home, 8, Outbound,
Detection, 9/12/2015 11:56 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, manroomlaptop.home, 8, Outbound,
Detection, 9/12/2015 11:59 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, manroomlaptop.home, 8, Outbound,
Detection, 9/12/2015 11:59 AM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, manroomlaptop.home, 8, Outbound,
Detection, 9/12/2015 12:00 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, manroomlaptop.home, 8, Outbound,
Detection, 9/12/2015 12:00 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, manroomlaptop.home, 8, Outbound,
Detection, 9/12/2015 12:01 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, manroomlaptop.home, 8, Outbound,
Detection, 9/12/2015 12:21 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 51199, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/12/2015 12:21 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 51199, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/12/2015 12:21 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 51200, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/12/2015 12:21 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 51201, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/12/2015 12:21 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 51202, Outbound, C:\Windows\System32\spoolsv.exe,

(end)

Rkill.txt

[icemansk]

Here are the other two logs.

protection-log-2015-09-12.xml

mbam-log-2015-09-12 (11-48-59).xml

[AdvancedSetup]

Please go ahead and run through the following steps and post back the logs when ready.
 
STEP 04
Please download Junkware Removal Tool to your desktop.

• Shutdown your antivirus to avoid any conflicts.
• Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next reply message
• When completed make sure to re-enable your antivirus
  

STEP 05
Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.
  Vista/Windows 7/8 users right-click and select Run As Administrator
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• When it's done you'll see: Pending: Please uncheck elements you don't want removed.
• Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• Look over the log especially under Files/Folders for any program you want to save.
• If there's a program you may want to save, just uncheck it from AdwCleaner.
• If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
• If you're ready to clean it all up.....click the Clean button.
• After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
• Copy and paste the contents of that logfile in your next reply.
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
• Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
• To restore an item that has been deleted:
• Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
  

STEP 06
Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats found
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.


STEP 07


Please go here to run the online antivirus scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked
• Click on Advanced Settings and ensure these options are ticked:
  
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
    

  
  [*]Click Scan [*]Wait for the scan to finish [*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.
  

STEP 08
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.
  

[icemansk]

Still getting Pop up.  Even while doing all the scans. 

 

There are 3 computers on my network. 

MODEM/router -->Switch-->Keltner-PC

                                         -->stevelaptop

 

 

Scan Date: 9/14/2015
Scan Time: 12:15 PM
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.09.14.05
Rootkit Database: v2015.08.16.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Keltner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 395562
Time Elapsed: 32 min, 22 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

[AdvancedSetup]

I need to see the logs from the requested scans please.

Thank you

[icemansk]

Logs attached.  MWB still blocking outbound detections.

 

ESET detected 5 items.

 

There are 3 computers on my network. 

MODEM/router -->Switch-->Keltner-PC

                                         -->stevelaptop

                                         -->Cannon 620 Printer

                          -->Switch-->Manroomlaptop -->HP printer via USB

 

Nothing is running off the wireless currently and the only machine that is currently turned on is Keltner-PC.

Trend Micro Last Scan.txt

AdwCleanerC2.txt

JRT.txt

MWB SCAN.txt

MWB ProLog 9_14_2015.txt

ESET Scan.txt

FRST.txt

Addition.txt

[icemansk]

Sorry for fat fingering the one reply.  Was in process of doing scans and attaching when I hit the return key.

[AdvancedSetup]

The Event Logs indicate some possible hardware issues or software conflicts. Some items cannot be accessed and some cannot be written.

Please temporarily disable your antivirus and run the following.

Please visit this webpage and read the ComboFix User's Guide:

• Once you've read the article and are ready to use the program you can download it directly from the link below.
• Important! - Please make sure you save combofix to your desktop and do not run it from your browser
• Direct download link for: ComboFix.exe
• Please make sure you disable your security applications before running ComboFix.
• Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
• Please attach that log file to your next reply.
• If needed the file can be located here: C:\combofix.txt
• NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

[icemansk]

Here is the log for combofix.

 

I was not aware of Defender running when I ran the scan.  Do I need to run it again?

 

Everything seems to be working ok at the moment.  I have not seen a pop-up since 4:35 PST and it is now 7:30 PST.

 

Fingers crossed.

ComboFix.txt

[icemansk]

Still blocking outbound 198.105.244.114

 

Could it be in my router?

[AdvancedSetup]

Possible but not if other users are on it with no issue.

Please go into Control Panel, Add/Remove and uninstall ALL versions of Java and then run the following.

Please download JavaRa-1.16 and save it to your computer.

• Double click to open the zip file and then select all and choose Copy.
• Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
• Quit all browsers and other running applications.
• Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
• From the drop-down menu, choose English and click on Select.
• JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
• Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
• A logfile will pop up. Please save it to a convenient location and post it in your next reply.

Next:

Please Run TFC by OldTimer to clear temporary files:

• Download TFC from here and save it to your desktop.
• http://oldtimer.geekstogo.com/TFC.exe
• Close any open programs and Internet browsers.
• Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
• Please be patient as clearing out temp files may take a while.
• Once it completes you may be prompted to restart your computer, please do so.
• Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

[icemansk]

Ok, stevelaptop was left on "alone" on network and no pop-ups for 14 hours, I opened several programs and visited a few websites.  When Keltner-PC is running all machines will have the pop-up. 

 

 

At 954 PST the pop-ups started on Keltner-PC, after above steps were completed to remove Java and clear Temp files.

Is it time to shoot this thing.  
 

Logs attached.

JavaRa.log

MWB ProtLog 9_16.txt

[AdvancedSetup]

Actually quite a twist here. First one I've seen posted with this. Basically if you shut down the Keltner-PC the blocks should stop. Turn it back on and the blocks come back.

It would appear that you have home network sharing enabled and that either something on the Keltner-PC is causing this or there is something on the other computer that makes the block happen for something it does not like.

 

So please try to isolate each of the PCs. Shut all but one down. Run, test that it's has no issues with the other 2 computers off. Do that for all 3 and let me know the results.

[icemansk]

Ok, I know Keltner-PC has an issue of some sort, as it has pop-up for that IP when it is running.  I have had it isolated as only machine running on the network. 

 

stevelaptop ran for 14 hours as stated before with no pop-ups while it was the only machine running.  The other laptop manroomlaptop was turned on today and was the only machine running for 3 hour, no pop-ups.

 

When I just started up Keltner-PC, MWB configuration was changed from earlier today.  Malware protection was turned off and Malicious Website Protection was also turned off.  It was suppose to load with windows, but did not, even though the box was checked when I manually started it (and saw the other two boxes unchecked).

 

Yes, I have the computers all sharing.   I work mostly with manroomlaptop and Keltner-PC.

 

I will turn Keltner-PC off for a couple days and see what happens with the other two, running alone and together.

[icemansk]

Ok, manroomlaptop has been running all day with no pop-ups.  Started stevelaptop up about 6 pst, no pop-ups yet on either machine.  Keltner-PC still powered down.

 

Will turn off all sharing tomorrow until this issue is resolved.

 

I truly appreciate your time and efforts with this issue Ron.

[AdvancedSetup]

Let me have you run this on the Keltner-PC system.

 

 

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

• Flush DNS
• Report IE Proxy Settings
• Reset IE Proxy Settings
• Report FF Proxy Settings
• Reset FF Proxy Settings
• List content of Hosts
• List IP configuration
• List Winsock Entries
• List last 10 Event Viewer log
• List Installed Programs
• List Devices
• List Users, Partitions and Memory size.
• List Minidump Files
  

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.
 

[icemansk]

Other two machines ran for hours together, no blocking.   Turned on Keltner-PC, immediately got a pop-up.  Trying to use manroomlaptop spoolsv.exe.  Took Keltner-PC off the network/sharing.  Will run the above when I return from appointment at 2 pm PST.

 

Thanks again Ron.

MWB ProtLog 9_17_2015.txt

[icemansk]

Here is the MiniToolBox log.  Had more time than I thought before appt.

MTB.txt

[AdvancedSetup]

This is an odd and unexpected error in the logs.

 

Application errors:
==================
Error: (09/17/2015 11:09:16 AM) (Source: Microsoft-Windows-User Profiles Service) (User: NT AUTHORITY)
Description: Windows cannot load classes registry file.
 DETAIL - Unspecified error

 

 

Can you please try to create a new user with Admin rights. Then restart the computer and logon as that new user and see if there is any change and let me know.

[AdvancedSetup]

Also, please look and see what the DNS server is set to for all 3 computer please.

 

If you need help on how to do that let me know please.

 

IPCONFIG /ALL from an elevated admin command prompt should show what DNS is set to.

[icemansk]

DNS for all three

192.168.254.254

74.40.74.41

 

I created the new user, but I am going to let Keltner-PC run a bit longer before I restart to see if I get any pop-ups after taking it off the network.  It has not since turning off network discovery and sharing.

[icemansk]

Ok, even with network discovery off and sharing off, with the other machines running.

This is the original block.

Protection, 9/17/2015 2:46 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, Stopping,
Protection, 9/17/2015 2:46 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, Stopped,
Protection, 9/17/2015 2:46 PM, SYSTEM, KELTNER-PC, Protection, Refresh, Success,
Protection, 9/17/2015 2:46 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, Starting,
Protection, 9/17/2015 2:46 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, Started,
Detection, 9/17/2015 3:15 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 49873, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/17/2015 3:15 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 49873, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/17/2015 3:15 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 49877, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/17/2015 3:15 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 49878, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/17/2015 3:15 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 49879, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/17/2015 3:47 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 51275, Outbound, C:\Windows\System32\spoolsv.exe,
Detection, 9/17/2015 3:47 PM, SYSTEM, KELTNER-PC, Protection, Malicious Website Protection, IP, 198.105.244.114, stevelaptop.home, 51276, Outbound, C:\Windows\System32\spoolsv.exe,

(end)

[icemansk]

Ok, using new Admin user.