Update for Internet Explorer (896727)


Cartel

Hi all,

I did this update today (KB896727) and now I have spool32.exe running all the time.

I don't have a printer...

Is this update necessary?

Do you have a better way to do this, cause I don't want spool32 crap running and I never had a problem with my computer anyway, thanks.

Edited by Cartel

Some apps load spool32.exe even if there is no printer. Then it remains running even after the app has closed.

Editpad that I am using as my Notepad replacement does it. And if I delete spool32, Editpad won't fully load anymore.

Anyway spool32 running or not does not seem to affect stability and performance.

Thanks for the quick replies,

I ditched the update for now and spool32 is gone, call me crazy but I think spool32 is letting "others" print my screen? Maybe it's a little easier to see what I'm doing with it running?

There's a law coming that must let law enforcement have a "back door" to ANYONE'S computer.

I think 98se is a little harder to get into than XP and these updates seem to put "normal" XP components in my computer for this or a similar purpose, no?

You're in danger of being "snooped" upon only if your connection/network is unprotected [no hardware/software firewall, no antivirus monitor, no antispyware monitor] *and* more so if file + print sharing are enabled.

The risk factor is further increased by not installing all available Internet Explorer security patches [especially KB896727, which is *the* current IE security patch]:

http://www.mdgx.com/ietoy.htm#IEC

This is valid even if not using IE for browsing, because of IE "integration" into the OS.

Worse, if the NetBIOS protocol is also enabled, ports 137, 138 + 139 can be the Achilles' heel.

And these are only the most obvious weak points of entry for malware and the likes.

Details here [long but good read]:

http://www.mdgx.com/xp2.htm#XFG

Security links:

http://www.mdgx.com/modem.htm#TS

Firewalls [free(ware)]:

http://www.mdgx.com/fw.htm#FWL

Antispyware [free(ware)]:

http://www.mdgx.com/fw.htm#ASP

Spool32 is the printer spooler, which loads every time a printing-aware application sends a request for a [pending or scheduled] printing job, print preview or adding page(s)/document(s) to the printing queue, even if there is no printer installed.

The bad news is spool32 does remain resident [thank you eidenk] once it has been "activated", and also takes up valuable resources [besides being targeted by malware], at least until the user stops it, anyway.

Spool32 can be easily closed in all 9x OSes:

Download + install CoolKill [797 KB, freeware]:

http://www.prowebsitemanagement.com/downloads/coolkill.zip

Run COOLKILL.EXE -> right-click on the CoolKill icon in Taskbar tray -> highlight SPOOL32.EXE -> left-click on it to terminate this process.

Hope this helps.

I ditched the update for now and spool32 is gone, call me crazy but I think spool32 is letting "others" print my screen? Maybe it's a little easier to see what I'm doing with it running?

One is never paranoid enough and for sure firewalls aren't foolproof at all for outgoing traffic.

I always have such doubts before installing any security update. Are they correcting a flaw that has been discovered to replace it by a new one?

The best way to know if "snapshots" are sent out is to capture your network packets and look at the data. For doing this there are several tools you can use but all rely on using WinPcap. There is Packetyzer, Ethereal, Analyzer, BillSniff, EtherSnoop or others. Most are free. Those I have listed are. A good one is Nuzzler Intrusion Detection System 3.0 but I see it cannot be downloaded anymore from its makers. Version 2.0.7 here.

Of course if such a hypothetical Trojan (which could be any loaded dll and there are scores of them in a system) is intelligent enough to send data out only when there is a lot of normal outgoing traffic such as when doing filesharing, it will be much more difficult if not next to impossible to detect.

PS : And if it is smart enough to detect packet sniffers running and not send anything while they are running you cannot detect such a Trojan at all unless you manage to capture the packets from outside of your machine. But this requires some more knowledge and hardware than I have. A minimalist linux box with the proper tools between the Windows box and the modem I would imagine would probably be the thing to do if one wanted to be absolutely sure (and had enough time to spend on that) that no "snapshots" are made by government agencies exploiting a flaw introduced for that purpose by MS as you seem to suggest.

PS : I have problems with the latest WinPcap 3.1 drivers that I have just installed. It won't recognize the network adapters in some apps. 3.0 is working fine.

Edited by eidenk
Hi all,

I don't really care if someone sniffs my packet. I don't want any extra crap running, I don't even want to see it on the list. I got rid of the KB891711 update because rundll was running. I don't have a printer so spool32 can get bent along with another bunk update as far as I'm concerned. I hated XP for the stupid ports and universal crap was a nightmare to seal up and if you mess up you're pooched, and on XP those processes usually meant virus, unusual running objects scare me.

unusual running objects scare me.

Tell me something. Aren't you afraid of having unusual dlls and vxds loaded?

Or are you just concerned with exes because it's the only thing you obviously see with the task manager?

The best way to know if "snapshots" are sent out is to capture your network packets and look at the data. For doing this there are several tools you can use but all rely on using WinPcap.

Of course if such a hypothetical Trojan (which could be any loaded dll and there are scores of them in a system) is intelligent enough to send data out only when there is a lot of normal outgoing traffic such as when doing filesharing, it will be much more difficult if not next to impossible to detect.

PS : And if it is smart enough to detect packet sniffers running and not send anything while they are running you cannot detect such a Trojan at all unless you manage to capture the packets from outside of your machine. But this requires some more knowledge and hardware than I have. A minimalist linux box with the proper tools between the Windows box and the modem I would imagine would probably be the thing to do if one wanted to be absolutely sure.

The first problem you mentioned - finding the needle (the suspect traffic) in the haystack of filesharing and web browsing traffic - is a tough one to crack, at least in a way that isn't horribly time-consuming. It's even worse if you consider that the traffic may be compressed or even encrypted. For that reason it's also impossible to be absolutely sure (even if monitoring the traffic from a different machine).

But you may be overestimating the hardware and knowledge requirements for setting up a second machine for traffic monitoring. Ten years ago, installing Linux, NetBSD, etc. was tricky at times, but these days it tends to be simple, and several of them come with "tcpdump" preinstalled. As for the hardware, people are throwing away everything you need, every day, so you could get it all for free, if you knew where to look. For example, one machine I've used for the task is a Pentium 60 MHz I got for free from my college.

On the topic of paranoia and conspiracy theories... It is sometimes interesting to consider not what's likely, but what's *possible*. Any Win9x program has the power to install itself into the kernel, to modify any file and read/write any area of the memory. For XP or Linux, the same is true for programs executed with superuser (administrator/root) privileges. That means they can hide themselves from listings of processes and files. They could replace the boot sector or even flash themselves into the BIOS. Fortunately no virus has made use of the latter option, but in the DOS heydays replacing the boot sector was relatively common. There has also been at least one virus that destroyed the BIOS, but none that infected it (as far as I know).
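The two posts above (eidenk's "capture your network packets and look at the data" and the reply about finding the suspect flow in the haystack of filesharing traffic) describe a check that is easy to automate once a capture exists. The following is an added example, not code from any poster: it parses a classic pcap file image (as tcpdump or WinPcap-based tools write), totals outbound payload bytes per destination and port, and lists flows to ports the user did not expect. The capture, addresses and ports are constructed for the demo.

```python
import struct
from collections import defaultdict
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic (microsecond timestamps)

def ipv4_tcp_frame(src, dst, sport, dport, payload):
    # Minimal Ethernet/IPv4/TCP frame; checksums left zero since this is constructed test data
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    # Wrap frames in a pcap file image (link type 1 = Ethernet); constructed, not a real capture
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    # Yield (src_ip, dst_ip, dst_port, payload_bytes) for every IPv4/TCP frame in the capture
    rec = ("<" if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC else ">") + "IIII"
    off = 24  # record headers share the file's byte order; 24-byte global header first
    while off + 16 <= len(data):
        caplen = struct.unpack_from(rec, data, off)[2]
        frame, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4-over-Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total, t = struct.unpack_from("!H", frame, 16)[0], 14 + ihl
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        dport, thl = struct.unpack_from("!H", frame, t + 2)[0], (frame[t + 12] >> 4) * 4
        yield src, dst, dport, total - ihl - thl

def outbound_summary(data, local_ip):
    # Payload bytes sent by local_ip per (dst_ip, dst_port), largest first: the haystack
    totals = defaultdict(int)
    for src, dst, dport, n in parse_pcap(data):
        if src == local_ip:
            totals[(dst, dport)] += n
    return sorted(totals.items(), key=lambda kv: -kv[1])

def unexpected_flows(summary, expected_ports):
    # The needle: any outbound flow to a port the user did not expect to be in use
    return [(dst, port, n) for (dst, port), n in summary if port not in expected_ports]

SAMPLE = build_pcap([  # constructed: file-sharing chatter plus one small flow to an odd port
    ipv4_tcp_frame("192.168.0.2", "10.0.0.9", 1025, 6881, b"x" * 1400),
    ipv4_tcp_frame("192.168.0.2", "10.0.0.9", 1025, 6881, b"x" * 1400),
    ipv4_tcp_frame("10.0.0.9", "192.168.0.2", 6881, 1025, b"y" * 1400),
    ipv4_tcp_frame("192.168.0.2", "203.0.113.7", 1026, 4444, b"z" * 200),
])
```

Run against a real file with `outbound_summary(open("capture.pcap", "rb").read(), "<your address>")`; as the thread notes, a flow that hides inside an expected port, or inside compressed or encrypted traffic, will not be caught by a port list alone, so the sorted volume table is there for a human to read too.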
