C:\WINDOWS\System32\svchost.exe Proactive Defense Warning Options

[phil47]

Starting yesterday (10/22) I began to receive a warning each time I access the internet from Proactive Defense citing that C:\WINDOWS\System32\svchost.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\PchSvcDataCollection 20071023203924.000000-000 Unicode null-terminated string Modify detected

It appears that the WINDOWS\System32\svchost.exe is trying to modify my system's startup menu. I have never seen this before. I having been using Kaspersky fro about 18 months now. Is this a virus or has the Proactive Defense had some sort of upgrade recently? These messages are really concerning me. I would appreciate any help possible. I have not installed or downloaded any new program.

-Phil47

[38 special]

That appears to be a trusted key, it seems autoupdate function from MS, maybe one particular setting that you made recently? Also, many programs are always autoupdating in the background. Have you already performed a full scan?

This post has been edited by 38 special: 24.10.2007 05:23

[phil47]

That appears to be a trusted key, it seems autoupdate function from MS, maybe one particular setting that you made recently? Also, many programs are always autoupdating in the background. Have you already performed a full scan?

I double checked my Windows update log and I received no updates at that time (I have not Oct 9th). I alos saw a similar message when I updaed Spysweeper cited that application as well. I will run a

[phil47]

That appears to be a trusted key, it seems autoupdate function from MS, maybe one particular setting that you made recently? Also, many programs are always autoupdating in the background. Have you already performed a full scan?

Thanks for the reply,
I double checked my Windows update log and I received no updates at that time (I have not Oct 9th). I alos saw a similar message when I updaed Spysweeper cited that application as well. I will run a fullsystem scan and let you know if I find anything.
-Phil47

[tigertron]

Starting yesterday (10/22) I began to receive a warning each time I access the internet from Proactive Defense citing that C:\WINDOWS\System32\svchost.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\PchSvcDataCollection 20071023203924.000000-000 Unicode null-terminated string Modify detected

It appears that the WINDOWS\System32\svchost.exe is trying to modify my system's startup menu. I have never seen this before. I having been using Kaspersky fro about 18 months now. Is this a virus or has the Proactive Defense had some sort of upgrade recently? These messages are really concerning me. I would appreciate any help possible. I have not installed or downloaded any new program.

-Phil47

I have the same problem from a week ago and I can't find the reason for this. I think the only solution is to add svchost.exe to the thrusted apps if yours is signed to MS.

[PeterSmith]

I have the same problem from a week ago and I can't find the reason for this. I think the only solution is to add svchost.exe to the thrusted apps if yours is signed to MS.

It seems that one of the KAV updates a few days before changed something in the behaviour of the proactive defense.
Unfortunately nobody from Kaspersky will that confirm (even if this is a bug) ...
... on other forum entries a shot answer reappears often: Update to KAV 7 instead of using KAV 6.

[Kilauea]

Which Version of Kaspersky are you using ?



Kilauea

[tigertron]

I use KIS 6.0.2.621

[PeterSmith]

Which Version of Kaspersky are you using ?
Kilauea

6.02.621 (the newest downloadable one)

This is really annoying. Almost all programs are asking again and again (even the same changes are asked again and again) for registry changes for example.
Unfortunately this forces me to disable proactive defense OR allow more and more programs to change these entries (even allowing IEXPLORE all changes ... bad idea, but.... ).
After my KAV subscribtion ends, I will buy another product. I am really sure, the behaviour now has NOTHING TO DO with a real virus/trojan program, because the changes the registry are harmless. See above how I can handle this.

[Baz^^]

Hi Phil, Peter and everyone else.

Registry guard has undergone some updates not so long ago to include more keys that are vulnerable to being exploited. However, you should not be getting alerts very often at all, I rarely get any reg guard popups at all.

Perhaps could you consider upgrading to version 7 (free) and seeing if that alleviates the situation as suggested? (I know it is not ideal but it may help)

You could also try creating "allow" rules for those registry modifications that you deem to be harmless.

Find V7 here: http://www.kaspersky.com/productupdates

Instructions how to upgrade without a headache here: http://forum.kaspersky.com/index.php?showtopic=44499

This post has been edited by MAPKOBKA^^: 27.10.2007 15:03

[steve33]

Hi Phil, Peter and everyone else.

Registry guard has undergone some updates not so long ago to include more keys that are vulnerable to being exploited. However, you should not be getting alerts very often at all, I rarely get any reg guard popups at all.

Perhaps could you consider upgrading to version 7 (free) and seeing if that alleviates the situation as suggested? (I know it is not ideal but it may help)

You could also try creating "allow" rules for those registry modifications that you deem to be harmless.

Find V7 here: http://www.kaspersky.com/productupdates

Instructions how to upgrade without a headache here: http://forum.kaspersky.com/index.php?showtopic=44499

Hi All,

I am seeing the same problem and am using the same version of Kaspersky 6.0.2.621. The file affected is PchSvc.dll which svchost is handling. I am getting the warning about 4 times a day. I am sure it is not a virus but something in the mechanics i.e. upgrade of some function either in KAS or MS.
I do full virus scan each day and have found no problems.
If I were to delete svchost in Anti-hacker and go to learnmode would I get a message then for each and every dll?
I guess the quickest way is to set a rule.
I know the upgrade to 7.0 can be done but that doesn't explain the problem.

Any thoughts?

Steven

[bamapete]

All I know is that a few weeks ago I was getting I believe some registry prompts after performing a windows update, and the fix ended up being to add the following (which appears to be the same thing in the first post of this thread) to trusted zone, or rather as an "exclusion mask" to be specific. No popups about it since then.

"C:\WINDOWS\system32\svchost.exe. Starting Internet Browser"

[steve33]

All I know is that a few weeks ago I was getting I believe some registry prompts after performing a windows update, and the fix ended up being to add the following (which appears to be the same thing in the first post of this thread) to trusted zone, or rather as an "exclusion mask" to be specific. No popups about it since then.

"C:\WINDOWS\system32\svchost.exe. Starting Internet Browser"

Thanks, I'll try that.
One question.. Were you running Kaspersky v6 or v7 when the registry prompts occured?

[bamapete]

Thanks, I'll try that.
One question.. Were you running Kaspersky v6 or v7 when the registry prompts occured?

v7, latest