> svchost.exe & spoolsv.exe changed, Executable Files have been Changed?
lazarus123
post 12.08.2006 07:00
Post #1


Newbie
*

Group: Members
Posts: 8
Joined: 12.08.2006




I am using KAS 6, with the most recent updates and current virus sets. When Kaspersky starts, Anti-Hacker warns me that SVCHOST.EXE has changed. Then a second message reports that SPOOLSV.EXE has changed. However, when I do a full scan of the system, Kaspersky reports No Threats Detected.

I am very confused... is my system corrupted? How can I tell? Sometimes I receive multiple SVCHOST.EXE messages from Kaspersky. Should this file keep changing?

Please help... any advice would be greatly appreciated.

TIA,

Lazarus
lazarus123
post 13.08.2006 08:47
Post #2






PLEASE, IF ANYONE HAS ANY ADVICE, I REALLY NEED SOME HELP WITH THIS ISSUE.

FYI, I emailed Kaspersky support@us.kaspersky.com but have not received a reply...
NickGolovko
post 13.08.2006 09:18
Post #3


VirusInfo Project Coordinator
**************

Group: Moderators
Posts: 7313
Joined: 22.05.2006
From: Russia




OK, since Lucian the Great seems to be away, maybe I can tell something. Please post the exact size of svchost.exe in bytes.


--------------------
-------------------------------------------
Nick Golovko
AVZ English UI Developer
Anti-Virus & General Security Advisor

-------------------------------------------
AVZ Russian / English Version
Security Advisory Site / Mirror

-------------------------------------------
lazarus123
post 13.08.2006 13:14
Post #4






Hello and thank you for offering assistance,

I have found 2 copies of SVCHOST.EXE. Here are the details:

1. C:\WINDOWS\system32\SVCHOST.EXE
14,336 bytes
8f078ae4ed187aaabc0a305146de6716 (checksum)

2. C:\WINDOWS\system32\dllcache\SVCHOST.EXE
14,336 bytes
8f078ae4ed187aaabc0a305146de6716 (checksum)

I have also found a Prefetch for SVCHOST.EXE. Here are the details:

C:\WINDOWS\Prefetch\SVCHOST.EXE-2D5FBD18.pf
35,436 bytes
275f2450267bc58ee42154133f8a19b8 (checksum)

I have noticed that the file size is significantly larger for the prefetched copy. Perhaps this is what Kaspersky is alerting about.

Thanks again for any help you can offer.

Lazarus
NickGolovko
post 13.08.2006 17:05
Post #5






If I am not mistaken, the Prefetch folder is not an ordinary one, so the size may differ. Your svchost seems to be OK. Please scan svchost and spoolsv at http://virustotal.com.


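The check posts #4 and #5 walk through by hand (compare the system32 copy of a system binary with its dllcache copy by size and hash, then verify the file independently) can be scripted. This is an added example, not code from the thread or from Kaspersky; it assumes PowerShell 4 or later for Get-FileHash, uses the XP paths quoted in the thread, and adds an Authenticode signature check, which is a stronger test of an untampered Microsoft binary than size or hash alone.

```powershell
# Added example: compare a live Windows system binary with its protected
# dllcache copy and verify its Authenticode signature. The dllcache path is
# the XP layout from the thread; on newer Windows the cached copy lives under
# WinSxS, so $CacheDir is an assumption you may need to change.
param(
    [string[]]$Names  = @('svchost.exe', 'spoolsv.exe'),
    [string]$LiveDir  = "$env:SystemRoot\system32",
    [string]$CacheDir = "$env:SystemRoot\system32\dllcache"
)

function Compare-SystemBinary {
    param([string]$Name, [string]$Live, [string]$Cache)

    $liveFile = Get-Item (Join-Path $Live $Name) -ErrorAction Stop
    # The thread used MD5; SHA256 is preferred today for the same comparison.
    $liveHash = (Get-FileHash $liveFile.FullName -Algorithm SHA256).Hash
    $sig      = Get-AuthenticodeSignature $liveFile.FullName

    $result = [ordered]@{
        Name       = $Name
        Size       = $liveFile.Length
        SHA256     = $liveHash
        Signature  = $sig.Status                    # 'Valid' is the expected state
        Signer     = $sig.SignerCertificate.Subject # $null when the file is unsigned
        CacheMatch = 'no cache copy'
    }

    $cachePath = Join-Path $Cache $Name
    if (Test-Path $cachePath) {
        $cacheHash = (Get-FileHash $cachePath -Algorithm SHA256).Hash
        # A mismatch between system32 and dllcache means the two copies differ,
        # which Windows File Protection would normally repair; investigate it.
        $result.CacheMatch = if ($cacheHash -eq $liveHash) { 'match' } else { 'MISMATCH' }
    }
    [pscustomobject]$result
}

foreach ($n in $Names) {
    Compare-SystemBinary -Name $n -Live $LiveDir -Cache $CacheDir
}
```

A `Signature` other than `Valid`, or a `MISMATCH` between the two copies, is what would justify the deeper look the thread's hash comparison was reaching for; a matching hash with a valid Microsoft signature is consistent with the firewall alert being about the process, not the file.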
lazarus123
post 13.08.2006 22:09
Post #6






Thank you for your help.

Since my initial post, additional files (all prefetch files) are also raising alerts from Kaspersky. I scanned all files in question at the site you linked in your previous message. All files look clean. This is great news.

I can only assume that Kaspersky is giving false positives on these files. Is there an easy fix? It could get very taxing adding new items to the Trusted Zone every time Windows decides to Prefetch an application. Likewise, turning off Prefetch is a solution I'd prefer to avoid if at all possible, as it is a useful and effective feature on this particular system.

Thanks again for your help,

Lazarus
Don Pelotas
post 13.08.2006 22:54
Post #7


Global Moderator
***************

Group: Global moderators

Posts: 25915
Joined: 7.04.2005




The easy solution to your problem is to delete the content of your C:\WINDOWS\Prefetch folder; Windows will recreate it as needed anyway. This is not something you will see often (I never do). Also, it has nothing to do with false positives in KAV, as it is Anti-Hacker warning of changes.

Btw. Have you gotten warnings from the proactive defense also?


lazarus123
post 14.08.2006 02:14
Post #8






Hello,

Thanks for the tip about deleting the Prefetch contents to fix the alerts I have been receiving from Anti-Hacker. I'm going to give it a try... crossing my fingers.

As to Proactive Defense, I found that Kaspersky was placing too heavy a burden on my system resources, so I disabled just that feature to increase system performance. With Proactive Defense activated, opening some applications was very time-consuming, others would hang and never open at all. With it disabled, the lag for opening applications is very minimal. I wish there was another way, but this was the only workable solution I could come up with. Any advice on configuration settings for KIS6 would be helpful.

Thanks again, I'll post at least one more time to this thread to report on the results of dumping Prefetch.

Lazarus

This post has been edited by lazarus123: 14.08.2006 02:15
Don Pelotas
post 14.08.2006 02:58
Post #9






QUOTE(lazarus123 @ 14.08.2006 01:14)
Hello,

Thanks for the tip about deleting the Prefetch contents to fix the alerts I have been receiving from Anti-Hacker. I'm going to give it a try... crossing my fingers.

As to Proactive Defense, I found that Kaspersky was placing too heavy a burden on my system resources, so I disabled just that feature to increase system performance. With Proactive Defense activated, opening some applications was very time-consuming, others would hang and never open at all. With it disabled, the lag for opening applications is very minimal. I wish there was another way, but this was the only workable solution I could come up with. Any advice on configuration settings for KIS6 would be helpful.

Thanks again, I'll post at least one more time to this thread to report on the results of dumping Prefetch.

Lazarus

Did you enable all options in the PDM? The Application Integrity Control has been known to cause high CPU usage in some configs, which is why it is off by default; it will be fixed permanently in MP1 (the next major program update).


lazarus123
post 14.08.2006 05:08
Post #10






Update: I emptied Prefetch. Slowly XP has begun to repopulate the folder with applications again. At this point most of my frequently used programs are now present there. I have received some messages from Anti-Hacker about files changing, specifically for Firefox and Outlook Express. These programs seem to raise the interest of A-H; the other programs do not. However, SVCHOST & SPOOLSV have not found their way into Prefetch at this point, so I am not certain my problems are fixed yet.

In regards to Proactive Defense, I've tried all possible combinations of the four primary areas enabled/disabled. When I enable ANY settings in PD, Windows slows to a crawl, and some Windows features completely stop responding... e.g. Add/Remove Programs. If I run KIS6 with PD disabled, there is almost no performance loss and response times are nearly normal. BTW: this is a P4 3GHz with 1G of RAM.
NickGolovko
post 14.08.2006 05:57
Post #11






Yeah, Anti-Hacker monitors the programs trying to connect to the Internet, svchost and spoolsv as well. I think there's nothing to worry about; moreover, about 20 anti-viruses say that the files are clean.


lazarus123
post 14.08.2006 13:05
Post #12






Everything appears to be working properly. Thanks for your help.
Don Pelotas
post 14.08.2006 13:14
Post #13






Lazarus

Just wanted to tell you that the PDM is much improved regarding CPU usage in the next version... I know because I'm using the beta ATM with all things enabled and you do not notice it.


lazarus123
post 16.08.2006 03:47
Post #14






That is great news; thanks for the info.

Any word on when this revision will be made available to the rest of us?

Thanks again.

Lazarus
Don Pelotas
post 16.08.2006 03:52
Post #15






Should be in the next month or two. You can use the version called 6.0.1.344 beta1 (it's not the first, just the most tested) until then if you wish; it's stable. More on the beta program here. Remember the beta code if you do, you can't use your own.

