Spoolsv.exe

Hi,

what is spoolsv.exe (taking up 6.040 K and listed as SYSTEM in my Processes
list) and why is it trying periodically to access the internet?
I have denied his access for know.

Thanks,

Henning

On Tue, 30 Nov 2004 06:11:05 -0800, "hlowyck"
wrote:

Hi,

what is spoolsv.exe (taking up 6.040 K and listed as SYSTEM in my Processes
list) and why is it trying periodically to access the internet?
I have denied his access for know.

Thanks,

Henning

Henning,

The process itself is a system component.
http://www.liutilities.com/products/wintaskspro/processlibrary/spoolsv/

It may point to a malware infection however.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ciadoor.b.html
http://www.dslreports.com/forum/remark%2C8734856

How current is your virus protection? Try one or more of these free online
virus scans, which should complement your current protection:
http://www.bitdefender.com/scan/license.php
http://www.pandasoftware.com/activescan
http://www.ravantivirus.com/scan/
http://security.symantec.com/ssc/home.asp
http://housecall.trendmicro.com/housecall/start_corp.asp

Now check for, and learn to defend against, additional problems - adware,
crapware, spyware.

Start by downloading each of the following additional free tools:
AdAware http://www.lavasoftusa.com/
HijackThis http://www.majorgeeks.com/download.php?det=3155
LSP-Fix http://www.cexx.org/lspfix.htm
WinsockXPFix http://www.spychecker.com/program/winsockxpfix.html
Spybot S&D http://www.safer-networking.org/index.php?page=download
Stinger http://us.mcafee.com/virusInfo/default.asp?id=stinger

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there. AdAware and Spybot S&D have install routines - run them.
The other downloaded programs can be copied into, and run from, any convenient
folder.

First, run Stinger. Have it remove any problems found.

Next, run AdAware. First update it, configure for full scan
(http://forums.spywareinfo.com/index.php?showtopic=11150), then scan. When
scanning finishes, remove all Critical Objects found.

Next, run Spybot S&D. First update it, then run a scan ("Check for problems").
Trust Spybot, and delete everything ("Fix Problems") that is displayed in Red.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the
HJT Log.
http://forums.spywareinfo.com/index.php?showtopic=227
http://forums.spywareinfo.com/index.php?showtopic=11150

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and please post a link to your forum posts, here):
Aumha: http://forum.aumha.org/index.php
Net-Integration: http://forums.net-integration.net/
Spyware Info: http://forums.spywareinfo.com/
Spyware Warrior: http://spywarewarrior.com/index.php
Tom Coyote: http://forums.tomcoyote.org/

If removal of any spyware affects your ability to access the internet (some
spyware builds itself into the network software, and its removal may damage your
network), run LSP-Fix and / or WinsockXPFIx.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

Hi Chuck

thanks for your elaborate explanation and links. I had hours of 'fun'
reading up on the spoolsv issue. I found that my laptop was already good,
dare I say over-, protected. Several spyware and virusscans revealed nothing,
nada. Neither does it show any signs of a Trojan when checking foor trojan
signatures. The only thing I can conclude after the quest is that we have to
live with spoolsv.exe and keep on blocking it, although it takes up system
resources.
Here's what Sygate tells me when I trace the IP address that spoolsv is
trying to access: 30.30.32.205 port 1041

OrgName: DoD Network Information Center
OrgID: DNIC
Address: 7990 Science Applications Ct
Address: M/S CV 50
City: Vienna
StateProv: VA
PostalCode: 22183-7000
Country: US

NetRange: 30.0.0.0 - 30.255.255.255
CIDR: 30.0.0.0/8
NetName: ARPAX25-TEMP
NetHandle: NET-30-0-0-0-1
Parent:
NetType: Direct Allocation
Comment: Defense Information Systems Agency
Comment: Washington, DC 20305-2000 US
RegDate:
Updated: 2002-10-07

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-703-676-1051
OrgTechEmail:

# ARIN WHOIS database, last updated 2004-11-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Is this big brother watching me????

Anyone?



"Chuck" wrote:

On Tue, 30 Nov 2004 06:11:05 -0800, "hlowyck"
wrote:

Hi,

what is spoolsv.exe (taking up 6.040 K and listed as SYSTEM in my Processes
list) and why is it trying periodically to access the internet?
I have denied his access for know.

Thanks,

Henning

Henning,

The process itself is a system component.
http://www.liutilities.com/products/wintaskspro/processlibrary/spoolsv/

It may point to a malware infection however.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ciadoor.b.html
http://www.dslreports.com/forum/remark%2C8734856

How current is your virus protection? Try one or more of these free online
virus scans, which should complement your current protection:
http://www.bitdefender.com/scan/license.php
http://www.pandasoftware.com/activescan
http://www.ravantivirus.com/scan/
http://security.symantec.com/ssc/home.asp
http://housecall.trendmicro.com/housecall/start_corp.asp

Now check for, and learn to defend against, additional problems - adware,
crapware, spyware.

Start by downloading each of the following additional free tools:
AdAware http://www.lavasoftusa.com/
HijackThis http://www.majorgeeks.com/download.php?det=3155
LSP-Fix http://www.cexx.org/lspfix.htm
WinsockXPFix http://www.spychecker.com/program/winsockxpfix.html
Spybot S&D http://www.safer-networking.org/index.php?page=download
Stinger http://us.mcafee.com/virusInfo/default.asp?id=stinger

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there. AdAware and Spybot S&D have install routines - run them.
The other downloaded programs can be copied into, and run from, any convenient
folder.

First, run Stinger. Have it remove any problems found.

Next, run AdAware. First update it, configure for full scan
(http://forums.spywareinfo.com/index.php?showtopic=11150), then scan. When
scanning finishes, remove all Critical Objects found.

Next, run Spybot S&D. First update it, then run a scan ("Check for problems").
Trust Spybot, and delete everything ("Fix Problems") that is displayed in Red.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the
HJT Log.
http://forums.spywareinfo.com/index.php?showtopic=227
http://forums.spywareinfo.com/index.php?showtopic=11150

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and please post a link to your forum posts, here):
Aumha: http://forum.aumha.org/index.php
Net-Integration: http://forums.net-integration.net/
Spyware Info: http://forums.spywareinfo.com/
Spyware Warrior: http://spywarewarrior.com/index.php
Tom Coyote: http://forums.tomcoyote.org/

If removal of any spyware affects your ability to access the internet (some
spyware builds itself into the network software, and its removal may damage your
network), run LSP-Fix and / or WinsockXPFIx.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.