Is spoolsv.exe a Virus?
When I boot up, my ZoneAlarm firewall says that Spooler SubSystem App is trying to access the internet via spoolsv.exe. I know that spoolsv.exe is the print queue manager in Windows. What I don't understand is why it would need to access the internet.
A google search reveals that several viruses exist with that name. My anti-virus program does not detect anything nor did the Trend Micro or Panda online virus detectors. Am I infected with a virus? If so, how do I detect and eliminate it?
It's possible this is a virus or spyware, but my searching found that LOTS of people have this problem with ZoneAlarm, and that in most cases, it's harmless. Apparently the real spoolsv.exe program handles networked printers and occasionally needs to communicate with a remote printer, or check to see if there any networked printers.
I'd run the Microsoft Anti-Spyware program to see if picks up anything on this file, just to be sure. If it seems to check out okay, tell ZoneAlarm to deny internet access by spoolsv. If you then experience any problems printing, tell ZoneAlarm to allow the access.
This article was posted by Bob Rankin on 26 Aug 2005
|For Fun: Buy Bob a Snickers.|
Restoring from Backup
The Top Twenty
Thunderbird is Slow
There's more reader feedback... See all 22 comments for this article.
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Is spoolsv.exe a Virus? (Posted: 26 Aug 2005)
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Is spoolsv.exe a Virus?"(See all 22 comments for this article.)
07 Sep 2005
Try telling ZA to deny without letting it remember the choice. If you have no printing problems over the course of several sessions, make it permanent. If it hoses your printing, change to allow and make that permanent.
05 Mar 2006
I realise I'm seriously late on this topic, but I just found your website (and I love it!) advertised with Randy's This is True. Anyway, my question about this topic is this: I don't have a printer on my home computer but spoolsv.exe still tries to access the internet for some unknown reason. I have McAfee Virus Scan/Adaware Free/and Spybot S/D (amoung others). None of these have found viruses or other malicious files. Have you ever heard of spoolsv.exe requesting outbound access w/o a printer installed?
Thanks so much and THANK you again for your great website.
EDOTOR'S NOTE: My understanding is that SPOOLSV occasionally polls to check for networked printers. If you're worried about this, you can safely block it with a software-based firewall. But I don't think that's necessary.
24 Apr 2006
Just type `net stop spooler` on command line. When you need to print any thing, type `net start spooler` and after finishing, type `net stop spooler` again.
EDITOR'S NOTE: Okay... but why? Seems like a hassle, and there's nothing to indicate that leaving spooling ON is a problem.
28 Apr 2006
I have had similar experiences and allowing the firewall to block access does not stop my Canon printer operating. However I have found a duplicate spoolsv.exe file in Windows\ServicePackFiles\i386 but it is a different version - 2180 as opposed to 2696. Could this be a Trojan? None of my virus control or add-aware programs spot it.
EDITOR'S NOTE: If your A/V scan didn't flag it, I wouldn't be concerned.
07 May 2006
I was able to fix this error on Win XP SP2 by uninstalling McAfee Privacy Service.
22 Sep 2006
Hi, spoolsv.exe was given permission to access the internet via Zonealarm earlier today. Since then I have been unable to access the internet, although my email still works. When I went into the control panel to access the Printer and Fax info, my computer hung. A search for spoolsv.exe (including hidden and system folders) did not come up with anything unusual. Spyware software picked up nothing, but ant virus software picked up a Trojan. Deleting this trojan has not restored my internet access, hence I am using my laptop. This is a work in progress.
EDITOR'S NOTE: I would get rid of ZoneAlarm... it's completely unnecessary and often causes problems like this one. See http://askbobrankin.com/do_i_need_a_firewall.html
04 Oct 2006
Hi, Cool site. I have this same problem, BUT I DO NOT have a printer hooked up to this computer. Why should spoolsv.exe try to access the internet on a computer without a printer and the printing port is disabled. Thanks for in advance.
EDITOR'S NOTE: I think spoolsv is occasionally polling on the network to see if there are any (new) network-attached printers.
12 Oct 2006
i do not have printer attached to my pc.however, i have deleted the printer file in the spool file which located at system 32...the file keep appearing again and again...even i have deleted the file..the wording appear like this SPOOLSV.EXE -- pls insert disk to drive A as the drive is empty.help me....
EDITOR'S NOTE: Did you delete the SPOOLSV.EXE file? That's not advised...
21 Oct 2006
The spoolsv.exe is running on my machine (WinXP Pro) but I do not have a printer. Does that mean it's a virus?
EDITOR'S NOTE: No, see the earlier comments. It runs on all XP computers, regardless of any printers that may be installed.
29 Oct 2006
I have been looking up the ip addresses each time my Zone Alarm shows spooler subsystem app has tried to access the internet. The addresses are different microsoft addresses. The one that shows up the most is the hotmail logon page. I run norton with auto updates and daily scans as well as spy sweeper daily and so I am skeptical that I have any infection. I do not have a network printer. I would just like to know what I have to do to get that service to stop trying to access the internet?
EDITOR'S NOTE: If you really want to block it from internet access, do so with Zone Alarm. But it won't make you any more secure.
05 Dec 2006
Same or similar problems here with the spoolsv.exe, it seems. Started when I installed a new printer, HP tri function. I often have problems that smell of back door vulnerability, such as I just went online for banking transfer of funds. Not only did I get a pop up saying something that did not reflect what the actual web site indicated was happening after some delay. But when I had to relog in (why?) after entering password and user name, the process hung and engaged major CPU. Similar problems on other pages when ordering that didin't used to be a problem. Like I'm beeing spied on in secure pages. WHat to do??!!! HP installed a totally megabite rediculous weight of files on my computer, many seem on when I don't need them slowing things down and doing way too much snooping. - Ysha
EDITOR'S NOTE: You may well have a spyware problem... but it has nothing to do with either SPOOLSV (the microsoft windows component) or the HP printer driver. Search this site for X-RAYPC and scan with it.
15 Apr 2007
Had the same problem spoolsv.exe running 100% CPU - resolved by cancelling all print jobs and re-booting. Thanks for your helpful site Bob.
24 Apr 2007
so everyone keeps asking if its a virus, i dont hear a yes or no, and since i am not seeing a flat out no, i can assume its a virus.
EDITOR'S NOTE: This is as clear as I can make it... In MOST cases, it's just a harmless part of the Windows operating system. But it's POSSIBLE that someone has (or will) create a virus with the same name. Your anti-virus software should be the true test.
16 Jul 2007
If your spoolsv.exe is tring to acces the internet, for sure, it is a hazardous worm it is a keyloger, I got it and the only antivirus (except for the zone alarm you mention) detect's it. The pc-cillin 2007 can stop it from sending such e-mails and will let you know which program is doine this(in this case . the Avast will manualy allow or deny the e-mail sending but is nos telling you which program is doing this.
Tring to stop this program vua taskmanager is not possible some other program is calling very quickly to the spoolsv.exe file, but there is one utility called "process" that can kill the process and then you can rename or delete it. But this is not the end of the problem because as told there is a program that will revive the spoolsv.exe.
EDITOR'S NOTE: Ummm, no. The REAL spoolsv DOES access the Internet, and poses no threat. Always run an A/V scan if you suspect a rogue version.
09 Oct 2007
Spoolsv.exe MAY be a virus/trojan!!!!
I was unable to get Intenet/email access. While on phone with ISP tech support, Zone Alarm alerted me that mIRC was trying to act as a server. I denied. I've never had/used IRC. Ctrl+Alt+Dlt showed NO applications running. Full scan with AVG antiVirus found NOTHING. Usesd Start/Find to search for *mIRC*.* (asterisks being wildcards) Found a folder in Windows/System/dcache/scan containing numerous BAD files (One mirc.reg file with a REGEDIT4 HKEY....Username of 'Cracks_boy'. Hmmm.
Another file in the folder, 'start.bat' basically tells your computer to stop spoolsv.exe, UNinstall spoolsv.exe (which, I THINK should be in System 32 folder), and then REinstall cracks_boy's version of spoolsv.exe and RUN files called 'hiderun.exe, spoolsv.exe and mirc.exe...
All-in-all, this piece of crap runs IRC letting the jerk have full-access to your computer AND it's invisable to you and most antivirus programs.
EDITOR'S NOTE: Well, yes... a virus can be named ANYTHING, and as you've seen, the virus writers sometimes pick the name of a Windows system file.
11 Nov 2007
Hello Bob, thanks for offering your service! I got a problem with my lexmark usb printer x8350. It works normally but only without zonealarm. Even if I set zonealarm to idle it blocks the normal print procedure. To make the printer work normally it has to be shut down completely. Do you know how to adjust zonealarm or other windows services (spooler.exe) in zonealarm to make it work together with my printer?
EDITOR'S NOTE: Simplest way: Remove ZoneAlarm. The hardware firewall (in the network router) and/or the built-in Windows firewall does the job just fine for me.
01 Dec 2007
I had a problem on that spoolsv.exe and found this site to be useful. Check it out -- http://torque.oncloud8.com/archives/000384.html
22 Apr 2008
HI.Its Not a virus..this is problem woth printer.so, u can delete/uninstall the all the printers and install again.it will work,.before unistall the printer u should statr the printer spool service in services.msc.
Aftre install the printers start the printer spool service from service.msc.
04 Jun 2008
My PC had 15 or so printers installed, but only two constituted valid links. As in the suggestion above, I deleted all of the dormant printers and spoolsv stopped consuming resources ... wmiprsve also settled down. These two processes were previously throttling the CPU bandwidth between 0 and 50% on a 10 second interval. Thanks for the useful posts!
25 Aug 2009
The problem with spoolsv.exe taking excessive resources is usually down to excessively long printer queues - more often than not, the MS Office Image Printer (that people don't realise they've 'printed' to . Clearing the queues (rather than deleting/installing all printers) will usually resolve the resource hog.