February 16, 2007, 10:06 pm
The culprit was found to be spoolsv.exe.
After a little research I found that this is the official Windows print
Following advice from http://torque.oncloud8.com/archives/000384.html , I
temporarily disabled it to get some breathing space and set out to
investigate why it had been so busy.
In C:\WINDOWS\system32\spool\PRINTERS I found two files, 00006.SHD and
00006.SPL, one of which showed itself as a Macromedia Flash file (?)
I deleted them (completely; sorry, collectors), restarted the spooler service
and all is now OK.
I have heard in the past of spoolsv.exe being replaced by a backdoor trojan,
but in this case it is not so.
Is there any record of malware abusing the spooler? I had no print jobs
Re: Abuse of spoolsv.exe?
Those file names look like normal spooler documents. The spooler service is
used to send documents to the printer efficiently, and files are created in
the above directory before being sent to the printer. The interpretation of
the file(s) being Flash is a result of a coincidence with the file
I expect that the spooler experienced some problem with processing the
files or print data and got stuck; I have seen this on rare occasions (not
related to any sort of infection). Check that Windows is up-to-date, and
the same for your printer drivers, and it shouldn't happen again.
Adam Piggott, Proprietor, Proactive Services (Computing).
Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
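A way to check what leftover spool files actually contain before deleting them, as an added example that is not part of the original thread: it pairs each job's .SHD (job metadata) and .SPL (print data) files, flags jobs that have not been modified for a while, and identifies the .SPL content from its leading bytes. The signature table, the one-hour staleness threshold and the function names are assumptions chosen for illustration.

```python
import sys
import time
from pathlib import Path

# Leading-byte heuristics, checked in order (assumed table, not exhaustive).
SIGNATURES = [
    (b"FWS", "flash-swf"), (b"CWS", "flash-swf"), (b"ZWS", "flash-swf"),
    (b"\x1b%-12345X", "pjl"),           # PJL Universal Exit Language prefix
    (b"%!PS", "postscript"),
    (b"%PDF", "pdf"),
    (b"\x00\x00\x01\x00", "emf-spool"),  # EMFSPOOL header version 0x00010000
    (b"\x1b", "pcl-or-escape"),          # other escape-led printer data
]

def sniff(data: bytes) -> str:
    """Classify spool data by its first bytes, ignoring the file extension."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"

def triage(spool_dir, now=None, stale_after=3600):
    """Group NNNNN.SHD/NNNNN.SPL pairs and report content type and staleness."""
    now = time.time() if now is None else now
    jobs = {}
    for path in Path(spool_dir).iterdir():
        ext = path.suffix.upper()
        if ext in (".SHD", ".SPL"):
            jobs.setdefault(path.stem.upper(), {})[ext] = path
    report = []
    for job_id in sorted(jobs):
        files = jobs[job_id]
        spl = files.get(".SPL")
        content = "no-data-file"
        if spl is not None:
            with open(spl, "rb") as fh:
                content = sniff(fh.read(16))
        newest = max(f.stat().st_mtime for f in files.values())
        report.append({"job": job_id, "has_shd": ".SHD" in files,
                       "has_spl": spl is not None, "content": content,
                       "stale": now - newest > stale_after})
    return report

if __name__ == "__main__":
    default = r"C:\WINDOWS\system32\spool\PRINTERS"  # path from the post
    for row in triage(sys.argv[1] if len(sys.argv) > 1 else default):
        print(row)
```

Run it from an elevated prompt, since the spool directory is normally readable only by administrators and the spooler service.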