Author Topic: Are spoolsv.exe and spoolss.dll a virus?? (Read 7603 times)

mk47 · « **on:** December 24, 2008, 05:10:18 PM »

Hi all,

I use Avast 4.8 Home Edition; which is updated daily. For the past week, avast has been warning me of the following suspicious files, I have tried to use the delete function, but they magically reappear. I've also tried searching the net for info on these files, only to be left in more confusion as some say they are essential windows files while some say they are viruses. However, Avast says they are suspicious; all listed as Type: Rootkit: hidden file.

C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\2\ppbiUif.dll
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\2\ppbiNT.dll
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\ppbiNT.dll
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\ppbiUif.dll
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\pport_res.dll
C:\WINDOWS\system32\spoolsv.exe\prtprocs\w32x86\ppbiPr.dll
C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\2\ppbiUif.dll
C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\2\ppbiNT.dll
C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\ppbiNT.dll
C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\ppbiUif.dll
C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\pport_res.dll
C:\WINDOWS\system32\spoolss.dll\prtprocs\w32x86\ppbiPr.dll

Thanks in advance for your help.
MK47

DavidR · « **Reply #1 on:** December 24, 2008, 06:06:02 PM »

Don't delete, never a good first option unless you are 100% sure, I also believe the suggested, recommended action is Ignore and send the files to avast for analysis.

Ensure that you have the latest VPS update (about avast), 081224-0 as there have been a number of topics relating to these files, try a forum search for the one of the file names (withoit the .dll).

What is your system, laptop/desktop and what manufacturer ?

mk47 · « **Reply #2 on:** December 24, 2008, 07:29:45 PM »

Thanks for your reply DavidR,

I have ensured I have the latest VPS update, 081224-0.

I am running Windows XP Home Edition SP 3 on an old custom AMD athlon 650mhz CPU.

After doing a forum search as suggested, I submitted the files to virustotal with the following results. Links below.

<link>http://www.virustotal.com/analisis/5d715fddfb45c69ef3935562142937ac</link>
<link>http://www.virustotal.com/analisis/f152d32d350ced85b134c50929fc3d44</link>

DavidR · « **Reply #3 on:** December 24, 2008, 07:58:02 PM »

Whilst the VT results are a good indication it is most likely a false positive. The main problem being the scan that is detecting them isn't using the standard virus signature database (or they wouldn't be detected), but a heuristic method, which are more prone to false positive detection.

So on the next boot (8 minutes after it) the anti-rootkit scan runs (it is that which is doing the detection), select Ignore and allow the files to be sent to avast for analysis.

Lisandro · « **Reply #4 on:** December 24, 2008, 10:53:37 PM »

Which is your computer? An ACER?

Author Topic: Are spoolsv.exe and spoolss.dll a virus?? (Read 7603 times)

mk47

Are spoolsv.exe and spoolss.dll a virus??

DavidR

Re: Are spoolsv.exe and spoolss.dll a virus??

mk47

Re: Are spoolsv.exe and spoolss.dll a virus??

DavidR

Re: Are spoolsv.exe and spoolss.dll a virus??

Lisandro

Re: Are spoolsv.exe and spoolss.dll a virus??