Tom's Guide | Tom's Hardware | Tom's Games
Since today, I've had Sygate Firewall ask me if I wanted to allow this file to access the net, and I have refused to let it connect. This is strange since I've never been asked about this file. I've checked in the windows/system32 folder and saw that there is a "spoolsv.exe" and the one above. Which one is good and which one isn't? Btw, I ran a scan with Adaware and Spybot and nothing turned up. Any help appreciated. Thanks.

You need to be careful when submitting this kind of thread... SPELLING! Write it exactly as your firewall log reports it; use capitals only if Sygate does, etc.
e.g. SPOOLSVC.exe or spooolsvc.exe
They all differ a lot and are added as a result of viruses and spyware, but beware before you go deleting things: some are genuine Windows programs, and most are in the System32 folder.
Go here to find yours:
Start up Lists


Hoping you've done what The Kid has told you, then you will probably find that you have this:
Troj/SXTB-A is an IRC backdoor Trojan that has spreading capability.
Troj/SXTB-A copies itself into the Windows system folder as SpoolSvc.exe and into <Windows>\system32\cmst32.exe and creates the BAT file <Windows>\System32\runtime.bat. The Trojan sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft MSUPDATE = SpoolSvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft MSUPDATE = SpoolSvc.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous = 1
The Trojan may also change several other registry entries, delete EXE files from the startup folder and delete hidden shares.
Troj/SXTB-A logs onto a predefined IRC server and waits for backdoor commands. The spreading functionality of the Trojan can be activated by a backdoor command. When activated, the Trojan will attempt to copy itself into shares with filenames cmst32.exe and Svnet32.exe and set the following entry in the system.ini file on the remote machine:
[Boot]
Shell = explorer.exe Svnet32.exe
Troj/SXTB-A may also drop the following two EXE files:
<System>\ServDll32.exe
<System>\svhost32.exe
These EXE files are clean utilities and hence are not detected by this identity.
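As an added example (not part of the thread and not Sophos's own tooling), the following Python script turns the persistence indicators listed in the description above into a simple offline check: it scans a `.reg`-style export for Run/RunServices values that launch the trojan's files, inspects a `system.ini` `[boot]` section for a `Shell=` line that loads anything besides `explorer.exe`, and tells the genuine spooler name `spoolsv.exe` apart from the `SpoolSvc.exe` lookalike the original poster asked about. The registry export and `system.ini` text are constructed sample inputs, and the benign `ExampleBenign` entry is made up for contrast.

```python
"""Offline check for the Troj/SXTB-A startup indicators quoted in the thread.

All sample data below is constructed for demonstration; point the functions
at a real `reg export` file or system.ini text to use them for triage.
"""
import re
from typing import List

# Indicators taken from the Sophos description quoted above.
SUSPECT_RUN_VALUE_NAME = "microsoft msupdate"
SUSPECT_FILENAMES = {"spoolsvc.exe", "cmst32.exe", "svnet32.exe", "runtime.bat"}
# The genuine Windows print spooler, for the name-confusion question in the thread.
GENUINE_SPOOLER = "spoolsv.exe"
RUN_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
)


def check_run_entries(reg_export: str) -> List[str]:
    """Return findings for Run/RunServices values that match the trojan's indicators.

    Accepts the text of a .reg export ([HKEY_LOCAL_MACHINE\\...] headers followed by
    "name"="value" lines). Backslashes in .reg values are doubled, so they are
    collapsed before the file name is extracted.
    """
    findings = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower().replace("hkey_local_machine", "hklm")
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m or current_key not in RUN_KEYS:
            continue
        name, value = m.group(1), m.group(2)
        basename = value.replace("\\\\", "\\").split("\\")[-1].lower()
        if name.lower() == SUSPECT_RUN_VALUE_NAME or basename in SUSPECT_FILENAMES:
            findings.append(f"{current_key}: {name} = {value}")
    return findings


def check_system_ini(ini_text: str) -> List[str]:
    """Flag a [boot] Shell= line that loads any program besides explorer.exe."""
    findings = []
    in_boot = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_boot = line[1:-1].lower() == "boot"
            continue
        if in_boot and line.lower().startswith("shell"):
            _, _, value = line.partition("=")
            extras = [p for p in value.split() if p.lower() != "explorer.exe"]
            if extras:
                findings.append("system.ini Shell loads extra program(s): " + " ".join(extras))
    return findings


def classify_spooler_name(filename: str) -> str:
    """Distinguish the real spooler name from the lookalike dropped by the trojan."""
    name = filename.lower()
    if name == GENUINE_SPOOLER:
        return "genuine Windows print spooler name"
    if name in SUSPECT_FILENAMES:
        return "matches a Troj/SXTB-A filename"
    return "not a known spooler name"


# Constructed sample inputs mirroring the entries listed in the description.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft MSUPDATE"="SpoolSvc.exe"
"ExampleBenign"="C:\\WINDOWS\\system32\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft MSUPDATE"="SpoolSvc.exe"
"""

SAMPLE_INI = """[boot]
Shell = explorer.exe Svnet32.exe
"""

if __name__ == "__main__":
    for finding in check_run_entries(SAMPLE_REG) + check_system_ini(SAMPLE_INI):
        print("SUSPECT:", finding)
    for candidate in ("spoolsv.exe", "SpoolSvc.exe"):
        print(candidate, "->", classify_spooler_name(candidate))
```

The `restrictanonymous = 1` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` is deliberately left out of the checks: it is also a legitimate hardening setting that administrators set themselves, so on its own it is a weak indicator. The `Run` and `RunServices` value name and the `Shell=` line, by contrast, are specific to what the description lists.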

Yes, that's exactly what the housecall virus scan detected on my system. Kinda strange that AVG missed that one. Another thing that's been happening is that my internet connection keeps getting disabled and then comes back again. Not sure if it's related to this though (btw, I've checked the cables to make sure they're well in place and they are).
