system 32 & dhcp... values?

Discussion in 'Ghost Security Suite (GSS)' started by beethoven, Sep 8, 2005.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Since upgrading to the new version I get a range of alerts from hd\winnt\system32... all wanting to delete a key: hklm\system\controlset001\... and then affecting the following values:
    • dhcpnameserver
    • dhcpdomain
    • dhcpsubnetmaskopt
    • dhcpdomain
    • dhcpdefaultgateway
    • dhcpnameserver
    and so on, seemingly repeating.

    I am using RD as is without any rulesets - what should I do? Just blocking it does not seem to work, as it appears back at least upon reboot irrespective of the always button ticked.

    o_O
     
  2. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi Beethoven,
    can you tell us what app is trying to delete the values?
     
  3. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Sorry, services.exe :oops:
     
  4. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    I'm not sure if you should allow it or not,What ver. of windows you running? In WinXP, svchost.exe deletes them (and i think adds them back). So yours could be legit,if your systems clean of malware etc.then i personally would allow it and see what happens (do a backup of your registry/or HD first though just in case).

    That's just my opinion though so you might want to wait for someone to give you a definate answer.
     
  5. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    This particular PC is running W2K - I noticed on another PC running XP that similar requests are coming from Svchost.exe?
     
  6. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Beethoven, I see the exact same behavior with my 2 XP computers here on the home LAN, by chance are your computers on a network? On my systems the entry times coincide with the IP address renewal from the DHCP server in the router. Could it be that you are seeing the same thing?

    Followup:
    I am now not so sure about what I said above. Looking at the RD log there are now entries for almost each hour of the day. So I am as confused as everyone else, why is svchost deleting/setting values to these keys on such a regular basis.
     
    Last edited: Sep 9, 2005
  7. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    disciple - you are right, it's a LAN network. Right now I am only using one XP pc (the others are sleeping - it's weekend in Sydney :)
    On this one I have allowed svchost.exe to do its work, so I don't get any alerts (though I am really not sure whether it is the right decision) o_O

    The other pc running the new RD is W2K and for this one services.exe will be asking once I start the pc. It usually goes through a cycle of alerts which I block and eventually falls silent. Can't say that I get the same alert during the day again.

    Hopefully Jason or someone else has a bit more insight :)
     
Thread Status:
Not open for further replies.