
firewall "allow" question


7 replies to this topic

#1 randyrayd

randyrayd

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Location:Austin, of course.
  • Local time:12:42 AM

Posted 14 July 2005 - 12:57 PM

After some M$ updates and solving some IE issues, when booting my firewall suddenly started asking permission for some M$ programs which may have been allowed before by default. I know svchost needs permission to connect, but why would spoolsv need to connect to the internet and should I allow this? Isn't this program associated with my printer?

I haven't tried to print anything since denying the new alert, so don't know if the printer is affected.

Win2000Pro, IE6, HP officejet v40xi, EZ Firewall from Computer Associates (almost identical to ZoneAlarm, maybe same company?)

Thanks,
Randall



#2 coolchris706

coolchris706

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:01:42 AM

Posted 14 July 2005 - 02:46 PM

I would allow them internet access as long as you are sure that they are associated with Windows. If you recently updated, then there is the possibility that some of these components got changed which could explain why your firewall is asking you to allow them again.

#3 randyrayd

randyrayd
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Location:Austin, of course.
  • Local time:12:42 AM

Posted 14 July 2005 - 04:47 PM

Thanks, coolchris. That's what I was thinking, but I guess I wanted second opinions. It just doesn't make sense that an app associated with printing needs internet access. If I was on a server network, I could understand a request for server access permission.

A system search appeared to show all apps to be in MS directories so I'm probably okay. I think I'll stop the process with Task Mgr and see if it replicates and shows back up in running apps.

Any other opinions are welcomed and I thank everyone for their help.

Randall

#4 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:12:42 AM

Posted 14 July 2005 - 05:44 PM

I wouldn't allow it until I found something that didn't work without it. If you enter spoolsv into our Startup Database (found at the top of this or any page) it comes back as a virus/worm/trojan.

Your post doesn't mention any anti-virus software that you use, unless it's EZTrust that is bundled with the firewall. Are you using any?

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#5 TEB

TEB

  • Banned
  • 449 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 14 July 2005 - 06:01 PM

Spoolsv is the printer spool that makes contact with a printer, allowing you to print documents. This is not a virus unless it starts from a location different than C:\windows\system 32\spoolsv.exe

#6 randyrayd

randyrayd
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Location:Austin, of course.
  • Local time:12:42 AM

Posted 14 July 2005 - 06:06 PM

[QUOTE]
Process File: spoolsv or spoolsv.exe
Process Name: Microsoft Printer Spooler Service

Description:
spoolsv.exe is a Microsoft Windows system executable which handles the printing process to your local printers.

Note: spoolsv.exe is also a process which is registered as the Backdoor.Ciadoor.B Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
[/QUOTE]

Since that is a bucketful of confusion, I did some searches and I think it depends on the location of the app. If it's in a directory, then it's supposed to be okay. Now, I THINK mine is, but since I'm a partial idiot I'm not sure.

Also, being a partial idiot, I forgot to post that I have run updated Ad-Aware, M$ AntiSpyware, EZ Trust AV (with Firewall), and M$ Malicious Software Scan (or something of that nature). Everything is coming back negative, but I guess I'm paranoid when something new or unusual happens.

Thanks,
Randall

#7 randyrayd

randyrayd
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Location:Austin, of course.
  • Local time:12:42 AM

Posted 14 July 2005 - 06:27 PM

Techsomething, I just saw your post. How do I determine where it originates from? A search shows three instances, which is scary.

SPOOLSV C:\1386
spoolsv C:\WINNT$NtUpdateRollupPackUninstall$
spoolsv C:\WINNT\system 32


Properties all appear to show as Microsoft files, but a weird thing is the "original name" and "internal name" all say spoolss.exe, which a Google search also shows as a M$ app. No spoolsv.exe to be found.
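
Added example, not part of any post in this thread: a file search lists every copy of spoolsv.exe on disk (install source, update-uninstall backups), while the question that matters for the firewall prompt is which image the running process was started from. The script below assumes a current Windows system with PowerShell (not the Windows 2000 machine in the thread); `Test-SpoolerImage` is a hypothetical helper name.

```powershell
# Where the genuine spooler service binary is expected to live on this machine.
$expected = Join-Path $env:SystemRoot 'System32\spoolsv.exe'

function Test-SpoolerImage {
    param(
        [string]$ImagePath,     # image path reported for the running process
        [string]$ExpectedPath   # expected location of the service binary
    )
    if ([string]::IsNullOrEmpty($ImagePath)) {
        # Win32_Process hides the path from non-elevated shells for system processes.
        return 'PathUnavailable'
    }
    # Windows paths are case-insensitive, so compare that way.
    if (-not [string]::Equals($ImagePath, $ExpectedPath,
            [StringComparison]::OrdinalIgnoreCase)) {
        return 'UnexpectedLocation'
    }
    # A correct path alone is not proof; also check the file's signature.
    $sig = Get-AuthenticodeSignature -FilePath $ImagePath
    if ($sig.Status -ne 'Valid') {
        return "SignatureStatus:$($sig.Status)"
    }
    return 'ExpectedLocationAndSigned'
}

# Enumerate running processes named spoolsv.exe, not files found on disk.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'spoolsv.exe'" |
    ForEach-Object {
        # Version resource fields are the "original name" / "company" shown in Properties.
        $info = if ($_.ExecutablePath) {
            (Get-Item -LiteralPath $_.ExecutablePath).VersionInfo
        }
        [pscustomobject]@{
            ProcessId        = $_.ProcessId
            ExecutablePath   = $_.ExecutablePath
            OriginalFilename = $info.OriginalFilename
            CompanyName      = $info.CompanyName
            Verdict          = Test-SpoolerImage -ImagePath $_.ExecutablePath -ExpectedPath $expected
        }
    } | Format-List
```

Run it from an elevated prompt; a `PathUnavailable` verdict means the path could not be read, not that the process is suspicious.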

#8 randyrayd

randyrayd
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Location:Austin, of course.
  • Local time:12:42 AM

Posted 14 July 2005 - 10:01 PM

Never mind.....Sometimes the most simple solution is overlooked...at least by me. It was the update rollup that for some reason caused the spoolsv.exe to need to access the internet. I allowed access in the firewall, uninstalled the update, rebooted and got no request for access. Reinstalled and made the program "ask" for access and guess what???? There was the request from the firewall upon reboot.

Thanks for the help.

Randall



