spoolsv.exe false positive for Trojan?

Scanning with Xoftspy I get a result:

Proxy-Agent.g Trojan C:\Windows\System32\Spoolsv.exe Threat.

I opt to remove, but when I reboot and scan again, I get the same results. I have done this in BOTH Normal Mode and Safe Mode. I looked at the Spoolsv.exe file in the folders:

C:\I386
C:\Windows\System32
C:\WINDOWS\SYSTEM32\DLLCACHE

All three are the same version: 5.1.2600.0
All three are the same size: 50.0 KB
All three say Created: Friday December 19, 2003 and Modified Thursday August 29, 2002

(How can a file be modified four months before it was created?)

and Accessed today (probably all three claim to be accessed today because I right clicked Properties for all of them).

Am I getting a false positive for a Trojan?

AND, should spoolsv.exe ALWAYS be listed in Task Manager Processes?

T.C.

Reply to
tcruise

"tcruise" wrote in news:1114418570.934424.193380 @g14g2000cwa.googlegroups.com:

The one put there during the install.

It's legit.

The failsafe backup one; it will be put back by the O/S if the one in System32 is lost.

The date modified was the last time M$ modified the program. The date created was the date the file was laid down on the machine.

There is nothing wrong with that.

Yes and because it's always running out of the System32 directory, it cannot be overlaid while it's running.

If the three are all the same, then nothing is wrong. If the spoolsv.exe that is running is not running out of System32, then it's a Trojan.

If the ones in System32 and System32\DLLCACHE are the same as far as date created, modified and version number, those are the ones that count. And they look to be legit.

If you want to check out which directory spoolsv.exe is running out of, then use Process Explorer (free): right-click the running task and select Properties. If you want to know what is using a task, then go to View, *Show Lower Pane* and *Show DLL(s)*. You can right-click in the lower pane too.

It seems like you have much to do about nothing concerning this. It's a false positive.

In addition, on the XP O/S you should have applied SP2 by now and it doesn't look like you have done so. You should keep up to date with that kind of thing for security reasons.

Duane :)

Reply to
Duane Arnold
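
The two checks described in the reply above (which directory the running spoolsv.exe was started from, and whether the on-disk copies match) can also be scripted. This is an added example, not part of the original thread; it assumes a current Windows system with PowerShell, run from an elevated prompt, and it goes beyond the thread's version and size comparison by hashing each copy and checking its signature.

```powershell
# Added example (not from the thread): verify the running spoolsv.exe and its on-disk copies.
$expected = Join-Path $env:SystemRoot 'System32\spoolsv.exe'

# Locations named in the thread; dllcache and I386 do not exist on newer Windows versions.
$copies = @(
    $expected,
    (Join-Path $env:SystemRoot 'System32\dllcache\spoolsv.exe'),
    'C:\I386\spoolsv.exe'
)

# 1. Image path of every running spoolsv.exe process.
#    An empty ExecutablePath usually means the prompt is not elevated.
Get-CimInstance Win32_Process -Filter "Name = 'spoolsv.exe'" | ForEach-Object {
    $ok = $_.ExecutablePath -and ($_.ExecutablePath -ieq $expected)
    [pscustomobject]@{
        ProcessId = $_.ProcessId
        ImagePath = $_.ExecutablePath
        Result    = if ($ok) { 'runs from System32' } else { 'UNEXPECTED path or unreadable' }
    }
} | Format-List

# 2. Version, size, SHA-256 and signature status of each copy that exists.
$report = foreach ($f in ($copies | Where-Object { Test-Path -LiteralPath $_ })) {
    $item = Get-Item -LiteralPath $f
    [pscustomobject]@{
        Path      = $f
        Version   = $item.VersionInfo.FileVersion
        Size      = $item.Length
        Modified  = $item.LastWriteTime
        SHA256    = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Signature = (Get-AuthenticodeSignature -FilePath $f).Status
    }
}
$report | Format-List

# 3. Identical hashes mean the copies are byte-for-byte the same file.
$distinct = @($report | Select-Object -ExpandProperty SHA256 -Unique)
if ($distinct.Count -gt 1) {
    'Copies differ: compare version, hash and signature of each one.'
} else {
    'All copies found are byte-identical.'
}
```

A signature status other than `Valid` on the System32 copy, or a running image path outside System32, is the result worth following up on.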

By setting the date incorrectly on your computer.

Yes, it is the spooler service for your printers.

Reply to
Mike

Thank you for your response. Xoftspy released an update today, and the system file spoolsv.exe no longer shows as a false positive for a Trojan...

As for SP2, on this particular system it is not an option. So, I have to depend on a decent firewall, a good AV program, and safe internet practices...

T.C.

Reply to
tcruise

Why?

Reply to
Mike
