> C:\WINDOWS\System32\svchost.exe Proactive Defense Warning
phil47
post 24.10.2007 05:07
Post #1


Newbie
*

Group: Members
Posts: 9
Joined: 30.09.2007




Starting yesterday (10/22) I began to receive a warning each time I access the internet from Proactive Defense citing that C:\WINDOWS\System32\svchost.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\PchSvcDataCollection 20071023203924.000000-000 Unicode null-terminated string Modify detected

It appears that the WINDOWS\System32\svchost.exe is trying to modify my system's startup menu. I have never seen this before. I have been using Kaspersky for about 18 months now. Is this a virus or has the Proactive Defense had some sort of upgrade recently? These messages are really concerning me. I would appreciate any help possible. I have not installed or downloaded any new program.

-Phil47
38 special
post 24.10.2007 05:22
Post #2


Advanced Member II
****

Group: Members
Posts: 338
Joined: 18.08.2005




That appears to be a trusted key, it seems autoupdate function from MS, maybe one particular setting that you made recently? Also, many programs are always autoupdating in the background. Have you already performed a full scan?

This post has been edited by 38 special: 24.10.2007 05:23
phil47
post 24.10.2007 05:39
Post #3


Newbie
*

Group: Members
Posts: 9
Joined: 30.09.2007




QUOTE(38 special @ 24.10.2007 04:22) *
That appears to be a trusted key, it seems autoupdate function from MS, maybe one particular setting that you made recently? Also, many programs are always autoupdating in the background. Have you already performed a full scan?



I double checked my Windows update log and I received no updates at that time (I have not Oct 9th). I also saw a similar message when I updated Spysweeper cited that application as well. I will run a
phil47
post 24.10.2007 05:40
Post #4


Newbie
*

Group: Members
Posts: 9
Joined: 30.09.2007




QUOTE(38 special @ 24.10.2007 04:22) *
That appears to be a trusted key, it seems autoupdate function from MS, maybe one particular setting that you made recently? Also, many programs are always autoupdating in the background. Have you already performed a full scan?


Thanks for the reply,
I double checked my Windows update log and I received no updates at that time (I have not Oct 9th). I also saw a similar message when I updated Spysweeper cited that application as well. I will run a full system scan and let you know if I find anything.
-Phil47
tigertron
post 25.10.2007 22:01
Post #5


Advanced Member II
****

Group: Gold beta testers
Posts: 431
Joined: 2.03.2006
From: Bulgaria




QUOTE(phil47 @ 24.10.2007 04:07) *
Starting yesterday (10/22) I began to receive a warning each time I access the internet from Proactive Defense citing that C:\WINDOWS\System32\svchost.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\PchSvcDataCollection 20071023203924.000000-000 Unicode null-terminated string Modify detected

It appears that the WINDOWS\System32\svchost.exe is trying to modify my system's startup menu. I have never seen this before. I have been using Kaspersky for about 18 months now. Is this a virus or has the Proactive Defense had some sort of upgrade recently? These messages are really concerning me. I would appreciate any help possible. I have not installed or downloaded any new program.

-Phil47


I have the same problem from a week ago and I can't find the reason for this. I think the only solution is to add svchost.exe to the trusted apps if yours is signed to MS.


--------------------
PeterSmith
post 25.10.2007 22:54
Post #6


Member
**

Group: Members
Posts: 16
Joined: 4.09.2007




QUOTE(tigertron @ 25.10.2007 20:01) *
I have the same problem from a week ago and I can't find the reason for this. I think the only solution is to add svchost.exe to the trusted apps if yours is signed to MS.


It seems that one of the KAV updates a few days before changed something in the behaviour of the proactive defense.
Unfortunately nobody from Kaspersky will confirm that (even if this is a bug) ...
... on other forum entries a short answer reappears often: Update to KAV 7 instead of using KAV 6.
Kilauea
post 25.10.2007 23:07
Post #7


German Forum Moderator
*************

Group: Moderators
Posts: 5311
Joined: 14.04.2005
From: germany




Which version of Kaspersky are you using?



Kilauea






--------------------
tigertron
post 26.10.2007 23:15
Post #8


Advanced Member II
****

Group: Gold beta testers
Posts: 431
Joined: 2.03.2006
From: Bulgaria




I use KIS 6.0.2.621


--------------------
PeterSmith
post 27.10.2007 14:17
Post #9


Member
**

Group: Members
Posts: 16
Joined: 4.09.2007




QUOTE(Kilauea @ 25.10.2007 21:07) *
Which version of Kaspersky are you using?
Kilauea

6.02.621 (the newest downloadable one)

This is really annoying. Almost all programs are asking again and again (even the same changes are asked again and again) for registry changes for example.
Unfortunately this forces me to disable proactive defense OR allow more and more programs to change these entries (even allowing IEXPLORE all changes ... bad idea, but.... ).
After my KAV subscription ends, I will buy another product. I am really sure, the behaviour now has NOTHING TO DO with a real virus/trojan program, because the changes to the registry are harmless. See above how I can handle this.
Baz^^
post 27.10.2007 15:01
Post #10


Wrestling Champion
**************

Group: Gold beta testers
Posts: 8799
Joined: 10.03.2007




Hi Phil, Peter and everyone else.

Registry guard has undergone some updates not so long ago to include more keys that are vulnerable to being exploited. However, you should not be getting alerts very often at all, I rarely get any reg guard popups at all.

Perhaps you could consider upgrading to version 7 (free) and seeing if that alleviates the situation as suggested? (I know it is not ideal but it may help)

You could also try creating "allow" rules for those registry modifications that you deem to be harmless.

Find V7 here: http://www.kaspersky.com/productupdates

Instructions how to upgrade without a headache here: http://forum.kaspersky.com/index.php?showtopic=44499

This post has been edited by MAPKOBKA^^: 27.10.2007 15:03


--------------------
Kind Regards,

Baz
steve33
post 31.10.2007 20:16
Post #11


Advanced Member I
***

Group: Members
Posts: 74
Joined: 31.05.2007




QUOTE(MAPKOBKA^^ @ 27.10.2007 15:01) *
Hi Phil, Peter and everyone else.

Registry guard has undergone some updates not so long ago to include more keys that are vulnerable to being exploited. However, you should not be getting alerts very often at all, I rarely get any reg guard popups at all.

Perhaps you could consider upgrading to version 7 (free) and seeing if that alleviates the situation as suggested? (I know it is not ideal but it may help)

You could also try creating "allow" rules for those registry modifications that you deem to be harmless.

Find V7 here: http://www.kaspersky.com/productupdates

Instructions how to upgrade without a headache here: http://forum.kaspersky.com/index.php?showtopic=44499


Hi All,

I am seeing the same problem and am using the same version of Kaspersky 6.0.2.621. The file affected is PchSvc.dll which svchost is handling. I am getting the warning about 4 times a day. I am sure it is not a virus but something in the mechanics i.e. upgrade of some function either in KAS or MS.
I do full virus scan each day and have found no problems.
If I were to delete svchost in Anti-hacker and go to learnmode would I get a message then for each and every dll?
I guess the quickest way is to set a rule.
I know the upgrade to 7.0 can be done but that doesn't explain the problem.

Any thoughts?

Steven
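
Before svchost.exe is added to a trusted list as suggested in this thread, the binary's location and publisher, and the service DLLs each svchost.exe instance hosts (such as the PchSvc.dll mentioned above), can be checked. The PowerShell below is an added example, not part of any post in this thread; it assumes PowerShell 5.1 or later on a Windows version where system files are catalog-signed, and the function names are made up here.

```powershell
# Added example: checks to run before creating a trust/exclusion rule for svchost.exe.
# Function names are hypothetical; only built-in cmdlets are used.

function Test-SvchostBinary {
    # Reports whether the file at the expected path carries a valid Microsoft signature.
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\svchost.exe'))
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status    # 'Valid' is the only acceptable result
        Signer      = $subject
        IsMicrosoft = ($sig.Status -eq 'Valid' -and $subject -match 'O=Microsoft Corporation')
    }
}

function Get-SvchostHostedService {
    # Lists services started through svchost.exe and the DLL each one loads (ServiceDll).
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'svchost\.exe' } |
        ForEach-Object {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
            $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            [pscustomobject]@{
                Service    = $_.Name
                ProcessId  = $_.ProcessId    # 0 when the service is not running
                ImagePath  = $_.PathName
                ServiceDll = $dll            # empty if the service keeps it elsewhere
            }
        }
}

function Get-SvchostOutsideSystem32 {
    # Running svchost.exe processes whose image is not a system copy (System32 or SysWOW64).
    $expected = 'System32', 'SysWOW64' | ForEach-Object { Join-Path $env:SystemRoot "$_\svchost.exe" }
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
        Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -notin $expected) } |
        Select-Object ProcessId, ExecutablePath, CommandLine
}

Test-SvchostBinary | Format-List | Out-Host
Get-SvchostHostedService | Sort-Object ProcessId | Format-Table -AutoSize | Out-Host
Get-SvchostOutsideSystem32 | Format-List | Out-Host
```

Run it from an elevated prompt so that ExecutablePath is populated for every process; an allow rule is reasonable only when IsMicrosoft is true and the last call returns nothing.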
bamapete
post 31.10.2007 20:26
Post #12


Advanced Member III
*****

Group: Members
Posts: 509
Joined: 3.10.2007
From: Lower Alabama




All I know is that a few weeks ago I was getting I believe some registry prompts after performing a windows update, and the fix ended up being to add the following (which appears to be the same thing in the first post of this thread) to trusted zone, or rather as an "exclusion mask" to be specific. No popups about it since then.

"C:\WINDOWS\system32\svchost.exe. Starting Internet Browser"





--------------------
XP/SP3, Firefox. KIS 2012 v11.0.2.556(b). Ccleaner, Power Tools Lite, Smart Defrag. KISS, Keep it Simple Silly!
steve33
post 1.11.2007 02:27
Post #13


Advanced Member I
***

Group: Members
Posts: 74
Joined: 31.05.2007




QUOTE(bamapete @ 31.10.2007 20:26) *
All I know is that a few weeks ago I was getting I believe some registry prompts after performing a windows update, and the fix ended up being to add the following (which appears to be the same thing in the first post of this thread) to trusted zone, or rather as an "exclusion mask" to be specific. No popups about it since then.

"C:\WINDOWS\system32\svchost.exe. Starting Internet Browser"


Thanks, I'll try that.
One question.. Were you running Kaspersky v6 or v7 when the registry prompts occurred?
bamapete
post 1.11.2007 15:44
Post #14


Advanced Member III
*****

Group: Members
Posts: 509
Joined: 3.10.2007
From: Lower Alabama




QUOTE(steve33 @ 1.11.2007 01:27) *
Thanks, I'll try that.
One question.. Were you running Kaspersky v6 or v7 when the registry prompts occurred?


v7, latest


--------------------
XP/SP3, Firefox. KIS 2012 v11.0.2.556(b). Ccleaner, Power Tools Lite, Smart Defrag. KISS, Keep it Simple Silly!