SPOOLSV.EXE Question


elfa

First of all, am I supposed to have one? And why is it in UPPER CASE letters.
It's in C:\winnt\system32. 44K in size and dated 7/26/2000.

It's ALWAYS in Task Manager/Processes after startup.

thanks

elfa
(who just found yet another copy of the Nachi worm after startup....and this is
just after running AVG the night before without finding anything wrong)
 
First of all, am I supposed to have one? And why is it in UPPER CASE
letters. It's in C:\winnt\system32. 44K in size and dated 7/26/2000.

It's ALWAYS in Task Manager/Processes after startup.

thanks

elfa
(who just found yet another copy of the Nachi worm after
startup....and this is just after running AVG the night before without
finding anything wrong)

It's the print spooler for the O/S. The easy check to see if it's valid
is to check it against spoolsv.exe in Windows\system32\dllcache. If it has
the same date and time stamp, version, and (letters) case -- upper or
lower -- then it should be legit.

I find it suspect that SPOOLSV.EXE is in upper case. Most files sitting
in system32 and dllcache directories used by the O/S are lower case, with
few exceptions and I don't think spoolsv.exe is one of them.

You can search Google for *spoolsv.exe worm* and you'll get plenty of
hits.

You do know that worms attack open ports and services that are exposed to
the Internet? I do hope that you're not running an NT based O/S on the
Internet without a FW, with all the vulnerable services that are present
on a NT based O/S in its default out of the box state or *unhardened* to
attack.

It does seem that you're being *hacked* to death. Once the machine has
been compromised, it's too late for the AV -- way too late. The thing is
to prevent it from happening.

Duane :)
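The comparison Duane describes, written out as a PowerShell script (an added example, not code from the thread): it compares the live spoolsv.exe with the Windows File Protection copy in dllcache by size, timestamp, file version and SHA-256, reports the on-disk filename case, and adds an Authenticode signature check. The paths are assumptions ($env:SystemRoot resolves to C:\winnt on Windows 2000); Get-FileHash needs a modern PowerShell, so run it on a current host or against copies taken from the suspect disk.

```powershell
# Assumed locations of the running copy and the WFP reference copy.
$Live  = Join-Path $env:SystemRoot 'system32\spoolsv.exe'
$Cache = Join-Path $env:SystemRoot 'system32\dllcache\spoolsv.exe'

function Get-BinaryFacts {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    # A directory listing returns the name in its on-disk casing,
    # which is what the thread is arguing about.
    $onDisk = (Get-ChildItem -LiteralPath $item.DirectoryName -Filter $item.Name).Name
    [pscustomobject]@{
        Path      = $Path
        Name      = $onDisk
        Size      = $item.Length
        Modified  = $item.LastWriteTimeUtc
        Version   = $item.VersionInfo.FileVersion
        Company   = $item.VersionInfo.CompanyName
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # System binaries are usually catalog-signed; 'NotSigned' on an
        # old OS is not conclusive by itself, so it is reported, not scored.
        Signature = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    }
}

$live  = Get-BinaryFacts $Live
$cache = Get-BinaryFacts $Cache
$live, $cache | Format-List

# Any difference in these fields means the live copy is not the file
# Windows File Protection put there and should be treated as suspect.
$mismatch = @()
foreach ($field in 'Size', 'Modified', 'Version', 'Sha256') {
    if ($live.$field -ne $cache.$field) { $mismatch += $field }
}
# Name case is reported separately: a filename-case difference alone
# does not change the file's contents.
if ($live.Name -cne $cache.Name) {
    "note: filename case differs ($($live.Name) vs $($cache.Name))"
}

if ($mismatch.Count -eq 0) {
    'spoolsv.exe matches the dllcache copy'
} else {
    "spoolsv.exe differs from dllcache in: $($mismatch -join ', ')"
}
```

If the dllcache copy itself is missing or differs from a known-good copy of the same service pack level, compare both against a clean installation rather than trusting either.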
 
Duane Arnold said:
It's the print spooler for the O/S. The easy check to see if it's valid
is to check it against spoolsv.exe in Windows\system32\dllcache. If it has
the same date and time stamp, version, and (letters) case -- upper or
lower -- then it should be legit.

I find it suspect that SPOOLSV.EXE is in upper case. Most files sitting
in system32 and dllcache directories used by the O/S are lower case, with
few exceptions and I don't think spoolsv.exe is one of them.

You can search Google for *spoolsv.exe worm* and you'll get plenty of
hits.

You do know that worms attack open ports and services that are exposed to
the Internet? I do hope that you're not running an NT based O/S on the
Internet without a FW, with all the vulnerable services that are present
on a NT based O/S in its default out of the box state or *unhardened* to
attack.

It does seem that you're being *hacked* to death. Once the machine has
been compromised, it's too late for the AV -- way too late. The thing is
to prevent it from happening.

Duane :)

I'm running ZoneAlarm. It's reached a point that I disconnect the PC from the
DSL modem until after ZoneAlarm loads after startup.

elfa
 
I'm running ZoneAlarm. It's reached a point that I disconnect the PC
from the DSL modem until after ZoneAlarm loads after startup.

elfa

ZA could be mis-configured for all that you know. Usually, FW(s) are very
good at stopping unsolicited inbound traffic to the machine from
unsolicited IP(s). If a worm is scanning the Internet from a compromised
machine looking for another machine to compromise, the FW will stop it if
configured properly. However, if your machine is soliciting input from an
IP/machine and it has been compromised or the machine has been set up to
compromise other machines, then the FW is not going to stop the worm coming
in the traffic. You're not hanging out on p2p(s) are you?

Maybe for the time being, if you think you're clean, I would not run on the
Internet using the Admin account for a while. By using an account that is
not an Admin account, this will prevent things from coming to the heart of
the O/S, the Windows directory, and installing and running.

The protection of the machine starts with the O/S and everything else is
secondary to it, including the FW and the AV. Try to implement some of the
security measures discussed in the link. You should start with the Baseline
Security Analyzer which will tell you what Security patches are missing
from the machine.

http://www.uksecurityonline.com/husdg/windowsxp.php

I have to be honest here. If this were happening to me, I could no longer
trust the machine's setup and the FORMAT command would be coming into play
for a fresh start.

Duane :)
 
Duane Arnold said:
It's the print spooler for the O/S. The easy check to see if it's valid
is to check it against spoolsv.exe in Windows\system32\dllcache. If it has
the same date and time stamp, version, and (letters) case -- upper or
lower -- then it should be legit.

I find it suspect that SPOOLSV.EXE is in upper case. Most files sitting
in system32 and dllcache directories used by the O/S are lower case, with
few exceptions and I don't think spoolsv.exe is one of them.

There isn't anything suspicious about a program being shown in all
uppercase. Many programs exist that way. In Windows 2000 they are usually
shown in their 'native' case. In Windows XP I believe there is a setting to
pretty it up and display them all in title case, even though they may
actually be in uppercase. Many files in system32 are in uppercase, (though
on my Windows2000 system spoolsv.exe doesn't happen to be one of them.)

My copy of spoolsv.exe on Windows 2000 has these properties:
Size: 44.2 KB (45,328 bytes)
Version: 5.0.2195.6659
Created: Monday, April 30, 2001, 7:46:46 PM
Modified: Thursday, June 19, 2003, 3:05:04 PM

HTH.

Gregg C.
 
Duane Arnold said:
ZA could be mis-configured for all that you know. Usually, FW(s) are very
good at stopping unsolicited inbound traffic to the machine from
unsolicited IP(s). If a worm is scanning the Internet from a compromised
machine looking for another machine to compromise, the FW will stop it if
configured properly. However, if your machine is soliciting input from an
IP/machine and it has been compromised or the machine has been set up to
compromise other machines, then the FW is not going to stop the worm coming
in the traffic. You're not hanging out on p2p(s) are you?

Maybe for the time being, if you think you're clean, I would not run on the
Internet using the Admin account for a while. By using an account that is
not an Admin account, this will prevent things from coming to the heart of
the O/S, the Windows directory, and installing and running.

The protection of the machine starts with the O/S and everything else is
secondary to it, including the FW and the AV. Try to implement some of the
security measures discussed in the link. You should start with the Baseline
Security Analyzer which will tell you what Security patches are missing
from the machine.

http://www.uksecurityonline.com/husdg/windowsxp.php

I have to be honest here. If this were happening to me, I could no longer
trust the machine's setup and the FORMAT command would be coming into play
for a fresh start.

Duane :)

Duane...you hit the nail on the head. There's a hardware prob with my machine.
Self extracting files won't self extract....etc. I can't put on any service
packs (either from CD or via the internet). I can't boot to DOS and reinstall
as I get I/O errors during setup. My hard drive utility tells me my HD is OK. A
memory checker tells me my memory is OK. My system is all SCSI...so it could
be controller, MB, or God knows.

I'm out of work so buying a new PC is out of the question.

elfa
 
Duane...you hit the nail on the head. There's a hardware prob with my
machine. Self extracting files won't self extract....etc. I can't put
on any service packs (either from CD or via the internet). I can't
boot to DOS and reinstall as I get I/O errors during setup. My
hard drive utility tells me my HD is OK. A memory checker tells me my
memory is OK. My system is all SCSI...so it could be controller, MB,
or God knows.

I'm out of work so buying a new PC is out of the question.

elfa

Hopefully, you'll get back to work and get things squared away. In the
meantime, maybe it's best to stay off the Internet using an Admin
Account. I don't know about the BIOS virus, but I hear that can happen
too.

I wish you the best of luck. :)

Duane :)