Abuse of spoolsv.exe?

[Potblak]

Yesterday my PC was almost freezing and when I checked, CPU usage was around
99%.
The culprit was found to be spoolsv.exe.
After a little reasearch I found that this is the official windows print
spooler.
Following advice from http://torque.oncloud8.com/archives/000384.html, I
temporarily disabled it to get some breathing space and set out to
investigate why it had been so busy.
In C:\WINDOWS\system32\spool\PRINTERS I found two files, 00006.SHD and
00006.SPL, one of which showed itself as a Macromedia Flash file (?)
I deleted them (completely-sorry, collectors), restarted the spooler service
and all is now OK.

I have heard in the past of spoolsv.exe being replaced by a backdoor trojan,
but in this case it is not so.
Is there any record of malware abusing the spooler? I had no print jobs
waiting.

 

[Adam Piggott]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yesterday my PC was almost freezing and when I checked, CPU usage was around
99%.
The culprit was found to be spoolsv.exe.
After a little reasearch I found that this is the official windows print
spooler.
Following advice from http://torque.oncloud8.com/archives/000384.html, I
temporarily disabled it to get some breathing space and set out to
investigate why it had been so busy.
In C:\WINDOWS\system32\spool\PRINTERS I found two files, 00006.SHD and
00006.SPL, one of which showed itself as a Macromedia Flash file (?)
I deleted them (completely-sorry, collectors), restarted the spooler service
and all is now OK.

I have heard in the past of spoolsv.exe being replaced by a backdoor trojan,
but in this case it is not so.
Is there any record of malware abusing the spooler? I had no print jobs
waiting.

Those file names look like normal spooler documents. The spooler service is
used to send documents to the printer efficiently, and files are created in
the above directory before being sent to the printer. The interpretation of
the file(s) being Flash are a result of a coincidence with the file
extensions.

I expect that the spooler experienced some problem with processing the
files or print data and got stuck, I have seen this on rare occasions (not
related to any sort of infection). Check that Windows is up-to-date, and
the same for your printer drivers, and it shouldn't happen again.
- --
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFF2Y+a7uRVdtPsXDkRAly0AJ0fv4N0+DHnMGCZXMCM8CHg/V8FswCfbZWL
Sd7OtdQ8O+jj72brixPNv+g=
=qIu8
-----END PGP SIGNATURE-----