
SPOOLSV.EXE a trojan?


Original Message
Name: JoshuaX
Date: December 9, 2003 at 05:12:25 Pacific
Subject: SPOOLSV.EXE a trojan?
OS: Win XP
CPU/Ram: AMD 2000+; 1gig
Comment:

On my home computer, recently Zonealarm has begun asking if SPOOLSV.EXE can access the net. I've researched the file, including here, and learned that normally it's a printer spool. However, I've also seen that several viruses now overwrite the file and use it as a trojan/back door.

Steps I've taken:
1) studied the threads here about SPOOLSV.EXE (no useful answer);
2) searched my pc and found 3 instances:
c:\windows\i386, c:\windows\system32, and c:\windows\system32\dllcache;
3) scanned my pc using several of the online scans I've found here (no virus found);
4) scanned my pc using NAV with the latest definitions (no virus found);
5) run adaware and spybot to clear spyware;
6) studied how Symantec and Sophos say the trojans operate and then examined my WIN.INI and reg keys (no trace of the entries the trojans add);
7) tried killing the process (it came back);
8) deleted SPOOLSV.EXE from c:\windows\system32 (it came back to \system32 and to RAM).

After all this, SPOOLSV.EXE still tries to access the net.

Note: system restore is OFF.

I'm stumped at this point and really could use you guys' help.

Here's my HIJACK THIS log file:

Logfile of HijackThis v1.97.7
Scan saved at 7:24:38 AM, on 12/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Alienware Support\Test_BS.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\bin\tools\norton\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\bin\net\seti\SETI@home.exe
C:\bin\net\tools\CHOICE~1\ChoiceMail.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\bin\tools\norton\Norton Utilities\NPROTECT.EXE
C:\bin\net\tools\pgp\PGPtray.exe
C:\bin\tools\zalarm\zapro.exe
C:\bin\tools\pdesk\PDESK.EXE
C:\WINDOWS\System32\PGPsdkServ.exe
C:\bin\tools\norton\SPEEDD~1\nopdb.exe
C:\bin\tools\ontrack\MXTask.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\bin\tools\ontrack\mxtask.exe
C:\bin\net\opera\opera.exe
C:\bin\tools\pdesk\pdexplo.exe
C:\bin\tools\hijack this\zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C|/bin/net/webpage/pages/home.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware.com
N2 - Netscape 6: user_pref("browser.startup.homepage", "file://localhost/C:/bin/net/webpage/pages/home.htm"); (C:\Documents and Settings\dennis\Application Data\Mozilla\Profiles\default\hi4sakri.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5Cbin%5Cnet%5Cmozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\dennis\Application Data\Mozilla\Profiles\default\hi4sakri.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\bin\net\tools\spybot\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\bin\tools\norton\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\bin\tools\norton\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ProductivIT] "C:\Program Files\Alienware Support\Test_BS.exe" -h
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [NAV Agent] C:\bin\tools\norton\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [seticlient] c:\bin\net\seti\SETI@home.exe -min
O4 - HKCU\..\Run: [ChoiceMail] C:\bin\net\tools\CHOICE~1\ChoiceMail.exe
O4 - HKCU\..\Run: [Mruu] C:\Documents and Settings\dennis\Application Data\asur.exe
O4 - Startup: Toolbar.lnk = C:\bin\tools\pdesk\PDESK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\bin\tools\zalarm\zapro.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.istaria.com/controls/launcher.ocx
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-dev.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {27EB254C-C724-43B1-8DD8-F3AC9ED761B2} - http://client2.tvtonic.com/Webservice/Public/WXStageInstall/2.6/TVTStage1.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.4019907407
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



Response Number 1
Name: ranchhand
Date: December 9, 2003 at 06:58:35 Pacific

Josh, you are a sharp guy. My opinion is that you are right. Reason? In all the years and hundreds of units, I have never had a print spooler attempt to access the internet! And why would a print spooler be interested in the internet anyway? The only print spoolers that I know are in the print system directory, and that's where they stay, not in your sys32 folder! A spooler only does exactly what the name implies: loads print jobs into a queue to be printed in order after XP has processed the data.


Response Number 2
Name: ranchhand
Date: December 9, 2003 at 07:02:10 Pacific

Just as an afterthought, this is why I keep Norton firewall active and updated even though I have a router. Just in case a trojan happens to ship in somehow, Norton (hopefully) will nail it when it attempts to dial out.


Response Number 3
Name: capt
Date: December 9, 2003 at 08:46:03 Pacific

It is not a trojan. It is part of the dll library and is "phoning home" to Microsoft. It is not just XP that Zone Alarm gets this traffic request for, but also 2000. I open Zone Alarm and select to deny it "Access (trusted/internet)" and "Server (trusted/internet)".


Response Number 4
Name: ranchhand
Date: December 9, 2003 at 13:37:38 Pacific

Not arguing with you, just wondering. Why would a print spooler phone to Microsoft? The only "phone to M.Soft" I am aware of is Windows Media Player 6, which sends marketing info, and the Clock adjuster (I switched mine to US.Federal). I have Norton Firewall, and have never recorded a spooler dialing out.


Response Number 5
Name: JoshuaX
Date: December 9, 2003 at 15:29:15 Pacific

I've had this pc behind the firewall for 2 years, and SPOOLSV.EXE only started accessing the net yesterday.


Response Number 6
Name: Paul Fahrenbach
Date: December 10, 2003 at 17:39:08 Pacific

Compare the file size and file date with a different computer running the same OS build.
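
Added example (PowerShell, not posted by anyone in this thread): the comparison suggested above, run against the three copies the original post found, using size, date, version, SHA-256 hash and Authenticode signature rather than size and date alone. It assumes a Windows build where Get-FileHash and Get-AuthenticodeSignature are available; the i386 path is included only because the original post lists it and is skipped if absent.

```powershell
# Added example, not from the thread: compare the spoolsv.exe copies the
# poster found and check whether each carries a valid Microsoft signature.
# On a modern Windows build the i386 directory usually does not exist, so
# missing files are simply skipped.
$paths = @(
    "$env:SystemRoot\System32\spoolsv.exe",
    "$env:SystemRoot\System32\dllcache\spoolsv.exe",
    "$env:SystemRoot\i386\spoolsv.exe"
)

$report = foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $p
    $item = Get-Item $p
    [pscustomobject]@{
        Path      = $p
        Size      = $item.Length
        Modified  = $item.LastWriteTime
        Version   = $item.VersionInfo.FileVersion
        Company   = $item.VersionInfo.CompanyName
        SHA256    = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
}
$report | Format-List

# All present copies should share one hash; a copy that differs, lacks a
# valid signature, or is not signed by Microsoft deserves a closer look.
$distinct = ($report | Select-Object -ExpandProperty SHA256 -Unique).Count
if ($distinct -gt 1) { Write-Warning "spoolsv.exe copies differ" }
$report | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    ForEach-Object { Write-Warning "Unverified copy: $($_.Path)" }

# The running image may not be the System32 copy at all; show which file the
# live process actually loaded and when it started.
Get-Process -Name spoolsv -ErrorAction SilentlyContinue |
    Select-Object Id, Path, StartTime
```

The same hash and signature check applied to a known-good machine of the same build gives the reference values the post asks you to compare against.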


Response Number 7
Name: John P Nelson
Date: December 12, 2003 at 15:27:09 Pacific

I haven't had the accessing internet issue (I use BlackIce, which might be a difference), but I just tracked down a flickering display issue to the brsvc01a.exe file that is mentioned above in the hijack file. It seems to be part of the Brother printer software that probes for other printers on the network, so I wonder if that might be the source of your issue as well. On my 1.5 Gig system it hogged the cpu every 10 seconds, sufficient to flicker my word processor display (OpenOffice 1.1.0), and showed up that way on the performance accessory as well (Windows XP Professional, all patches, etc.)
Good luck


Response Number 8
Name: Krogoth
Date: December 13, 2003 at 09:29:21 Pacific

I have the same problem since yesterday, probably after I installed an auto-update from Microsoft. It's indeed very strange that a printer spooler needs to access the internet. I've configured my Zonealarm so it can't access the internet. Can anyone tell me if it is possible to remove this service, because I don't need it since I haven't got a printer.


Response Number 9
Name: Faroud
Date: December 14, 2003 at 00:18:53 Pacific

Dear people, spoolsv.exe is in my opinion not a trojan.
It is just a print spool protocol that tries to print over a TCP/IP protocol.
If you want to disable this function, just go to START-RUN and type in msconfig (if you don't have msconfig, ask your administrator to fix this).
Then you go to Services and disable Printer Spooler, and then all the panic is over once and for all.

for more info go to http://support.microsoft.com/default.aspx?scid=kb;en-us;228904

Peace


Response Number 10
Name: johnmysz
Date: December 17, 2003 at 13:34:50 Pacific

Whatever it is, it started today, 17 Dec 2003. It is hogging 95% of CPU (% usage).
It does come back after a while, no matter what you do to it. It stops "working" for a while, then resumes.

If you ask me, it is some kind of
a)BUG
b)virus
c)trojan

Say whatever you like, I would like it out of my system.

Thanks,
John M...
===========


Response Number 11
Name: callmebob
Date: December 17, 2003 at 18:33:04 Pacific

I have recently noticed the same problem with spoolsv.exe.
It has only recently started trying to access the internet, and I also caught it using ZoneAlarm.
It has only been doing this for a few days now.


Response Number 12
Name: jamba25
Date: January 7, 2004 at 22:55:08 Pacific

my 2 cents.

As everyone knows, this process is used by the printer spooler service. You can stop the service and it will kill the process...obviously. However, you will not be able to print. It'll tell you the "print subsystem" is unavailable. So you need to have it running. If you block it on your firewall, you will not be able to print. So you need to allow it. The minute you print, it should only access 2 port connections: 1 UDP and 1 TCP. These should both be disconnected (and not listening) after printing. There is no reason why you have ports LISTENING using this service, unless you have a wireless connection to your print server. However, they should all be using UDP ports.

Cheers.
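
Added example (PowerShell, not posted by anyone in this thread): lists the TCP and UDP endpoints owned by the running spoolsv.exe so the expectation stated above (no listeners or open connections while nothing is printing) can be checked directly. It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection and Get-NetUDPEndpoint exist; on the poster's XP box the equivalent would be "netstat -ano" filtered by the spooler's PID.

```powershell
# Added example, not from the thread: show which ports the live Print Spooler
# process owns, separating listeners from active connections.
$spooler = Get-Process -Name spoolsv -ErrorAction SilentlyContinue
if (-not $spooler) { Write-Host "Print Spooler is not running"; return }

$tcp = Get-NetTCPConnection -OwningProcess $spooler.Id -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
$udp = Get-NetUDPEndpoint -OwningProcess $spooler.Id -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort

"TCP endpoints owned by spoolsv.exe (PID $($spooler.Id)):"
$tcp | Format-Table -AutoSize
"UDP endpoints owned by spoolsv.exe:"
$udp | Format-Table -AutoSize

# Per the post above, nothing should be listening or connected when no job is
# printing. Flag anything that contradicts that so it can be checked against
# the address of the printer or print server actually in use.
$tcp | Where-Object { $_.State -eq 'Listen' } |
    ForEach-Object { Write-Warning "TCP listener on local port $($_.LocalPort)" }
$tcp | Where-Object { $_.State -eq 'Established' } |
    ForEach-Object { Write-Warning "Outbound connection to $($_.RemoteAddress):$($_.RemotePort)" }
$udp | ForEach-Object { Write-Warning "UDP endpoint bound on port $($_.LocalPort)" }
```

Run it once while idle and once during a print job to see the difference the post describes.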


Response Number 13
Name: richardr
Date: January 14, 2004 at 09:37:09 Pacific

Look at this URL:
www.sophos.com/virusinfo/analyses/trojgraybirda.html

Looks like one antivirus outfit has determined this may be a trojan.

