Abuse of spoolsv.exe?

Yesterday my PC was almost freezing and when I checked, CPU usage was around
The culprit was found to be spoolsv.exe.
After a little research I found that this is the official Windows print
Following advice from http://torque.oncloud8.com/archives/000384.html ,  I
temporarily disabled it to get some breathing space and set out to
investigate why it had been so busy.
In C:\WINDOWS\system32\spool\PRINTERS  I found two files, 00006.SHD and
00006.SPL, one of which showed itself as a Macromedia Flash file (?)
I deleted them (completely-sorry, collectors), restarted the spooler service
and all is now OK.

I have heard in the past of spoolsv.exe being replaced by a backdoor trojan,
but in this case it is not so.
Is there any record of malware abusing the spooler? I had no print jobs

Re: Abuse of spoolsv.exe?


Potblak wrote:

Those file names look like normal spooler documents. The spooler service is
used to send documents to the printer efficiently, and files are created in
the above directory before being sent to the printer. The interpretation of
the file(s) being Flash is a result of a coincidence with the file

I expect that the spooler experienced some problem with processing the
files or print data and got stuck; I have seen this on rare occasions (not
related to any sort of infection). Check that Windows is up-to-date, and
the same for your printer drivers, and it shouldn't happen again.
--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
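
A read-only check of the points raised in this thread, as an added example that is not part of either post: it confirms which binary the Spooler service runs and whether its signature validates, then lists the spool files with their age and leading bytes next to the jobs still queued. `Get-SpoolerTriage` and its output field names are made up for this example, and it assumes the service path carries no arguments.

```powershell
# Added example: read-only triage of the Spooler service and its spool directory.
# Run elevated; the spool directory is normally not readable by standard users.
function Get-SpoolerTriage {
    param(
        # Default spool location, as in the post; a relocated spool folder must be passed in.
        [string]$SpoolDir = (Join-Path $env:SystemRoot 'System32\spool\PRINTERS')
    )

    # Service image: expected to be spoolsv.exe under System32 with a valid signature.
    # Assumption: PathName is a bare (optionally quoted) path with no arguments.
    $svc      = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $image    = [Environment]::ExpandEnvironmentVariables($svc.PathName.Trim('"'))
    $expected = Join-Path $env:SystemRoot 'System32\spoolsv.exe'
    $sig      = Get-AuthenticodeSignature -FilePath $image

    # Jobs the spooler still knows about (PrintManagement module, Windows 8 / Server 2012 and later).
    $jobs = @(Get-Printer | ForEach-Object { Get-PrintJob -PrinterName $_.Name })

    # Spool files on disk, with age and leading bytes.
    $files = Get-ChildItem -LiteralPath $SpoolDir -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $buf = New-Object byte[] 8
            $fs  = [System.IO.File]::Open($_.FullName, 'Open', 'Read', 'ReadWrite')
            try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
            [pscustomobject]@{
                Name      = $_.Name
                SizeBytes = $_.Length
                AgeHours  = [math]::Round(((Get-Date) - $_.LastWriteTime).TotalHours, 1)
                HeadHex   = if ($n -gt 0) { [BitConverter]::ToString($buf, 0, $n) } else { '' }
            }
        }

    [pscustomobject]@{
        ServiceState   = $svc.State
        ImagePath      = $image
        ImageExpected  = ($image -ieq $expected)
        SignatureState = $sig.Status
        QueuedJobs     = $jobs.Count
        SpoolFiles     = @($files)
        # Files on disk while nothing is queued match the leftover-job case in this thread.
        OrphanedFiles  = ($jobs.Count -eq 0 -and @($files).Count -gt 0)
    }
}

Get-SpoolerTriage | Format-List
```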