Windows Defender Registry Key HKEY_USERS


Posted

I hope someone can help me with this. I have had a number of issues related to Windows Defender and Windows Automatic Updates, and despite Microsoft logging on to my computer umpteen times and trying to overcome this, am still having issues with this. I was informed that I needed to contact my laptop manufacturer and find out how to do a clean install and reinstall everything. I am doing an online course right now and do not want to take this drastic step unless I absolutely must.

I want to ask a few more questions of those who may know the answer to my question. I went into the registry and looked at the key for Windows Defender, as noted above in the subject line, and discovered this:

under the Run (folder)
ab (Default) REG_SZ (value not set)
ab Update Manager REG_SZ the data here points to an update program for an anti-virus program (Norton) that my ISP provides to use their email program. Their email program uses Yahoo.

I do not think this is correct and may be the reason I am not able to use either Windows Defender or the automatic update in Windows.

Can anyone give me the correct data to enter here? I would be eternally grateful!

Guest PA Bear [MS MVP]
Posted

Re: Windows Defender Registry Key HKEY_USERS

 

> ...I have had a number of issues related to Windows Defender and Windows Automatic Updates

What issues?

Did you open a free support incident with MS PSS about these issues?

Do you have a Norton application installed? If so, is your subscription current?
===========================
Microsoft has established separate newsgroups for Windows Defender support and comments. See
http://www.microsoft.com/athome/security/spyware/software/newsgroups/default.mspx
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

 

 


Posted

Re: Windows Defender Registry Key HKEY_USERS

 

 

 

"PA Bear [MS MVP]" wrote:

> > ...I have had a number of issues related to Windows Defender and Windows Automatic Updates
>
> What issues?

I wasn't sure if I had a virus on my laptop (Toshiba pre-loaded WIN XP SP2) and so I downloaded a number of programs, one of which was Sysinternals Process Explorer and when I viewed the handles on any of the processes that were there I saw many error messages. I am not completely comfortable with analysing the meanings of these errors and did a lot of research to try to understand this. One of the references I kept seeing in my research was to "Unknown Account" or "Unknown user". By double clicking on the handle "WindowStation" in the lower pane view, I receive a dialog box that shows Details and Security. When I click on Security, under Group or user names, the first listing shows an icon depicting a head with a question mark and Account Unknown followed by (S-1-5-5-0-61194). Under this group name, the usual group icons appear, i.e. Administrators, the icon representing myself, Restricted, System.

When I continued to see these references, I asked for and received many different hot fixes from Microsoft. None of them resolved this. I also did an online scan through Windows Live and that did not change this. I finally downloaded Windows Defender and was able to use it successfully.

Throughout this process, I was able to use both Windows Defender and the automatic updates through Microsoft Update. I have Genuine Microsoft products for both the operating system and Office 2007.

> Did you open a free support incident with MS PSS about these issues?

Yes I did and despite many attempts on the part of the technicians to resolve this, they closed the incident and asked me instead to contact the laptop mfgr (Toshiba) and inquire about doing a clean install and reinstall everything. As I explained in my original post, I am doing an online course (which I am already behind in and have to complete two more courses before April 1st) and do not want to do this unless I absolutely must.

> Do you have a Norton application installed? If so, is your subscription current?

Again, this is a problem. My ISP (I am in Canada and their email program is hosted through Yahoo) provides a free Norton anti-spyware as part of their subscription. My subscription is up to date with them. I also contacted them because although Yahoo identified the Norton program on my computer, the ISP's software did not and I was unable to access it through their interface. I was instructed to go to Symantec and use the removal tool on their site, did so, rebooted the computer and once again began the process to add the software. Again, this was unsuccessful.

I was also instructed to do this by the Microsoft technicians who tried to resolve my issues. I have not checked whether Norton exists since they instructed me to do this.

They also instructed me to download AVG Anti-Spyware (which is now on my laptop) which identified a virus (Downloader.Zlob). This virus existed in another program downloaded by a Microsoft technician. This program was installed on my desktop and is shown in AVG's log thusly:

Desktop\Your_uninstaller.zip/Your uninstaller/Your Uninstaller 2006 Pro v5[1].0.0.345.zip/run.exe -> Downloader.Zlob.chj : Cleaned with backup (quarantined).

I was told by two technicians that this is not really a virus. If not, why would AVG identify it as one and quarantine it?

 

> ===========================
> Microsoft has established separate newsgroups for Windows Defender support and comments. See
> http://www.microsoft.com/athome/security/spyware/software/newsgroups/default.mspx
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> AumHa VSOP & Admin http://aumha.net
> DTS-L http://dts-l.net/

I tried to access this newsgroup a number of times and each time received the message that the service was not available and to try later. I have never successfully connected to this. It was only after being told by the technician that they were closing the incident and that I should contact the laptop manufacturer, that I checked the registry key for Windows Defender and then I posted this post to this discussion group. I am, by no means, a skilled poster (this was my first post to this group and I have only posted to other groups at other internet sites) and perhaps do not fully understand the protocols. Excuse me if my post is not clear or is in the wrong area.

 

 


Guest PA Bear [MS MVP]
Posted

Re: Windows Defender Registry Key HKEY_USERS

 

> I tried to access this newsgroup a number of times and each time received the message that the service was not available and to try later.

The Defender newsgroups remain accessible using an NNTP newsreader (e.g., Outlook Express). See the instructions on
http://www.microsoft.com/athome/security/spyware/software/newsgroups/default.mspx
=====================
> They also instructed me to download AVG Anti-Spyware (which is now on my laptop) which identified a virus (Downloader.Zlob)...

<pft> No anti-spyware application (let alone AVG AS) or anti-virus application can resolve Zlob infections; and chances are it's brought along its "friends" SDBot and Vundo.

Run a /thorough/ check for hijackware, including posting your hijackthis log to an appropriate forum (I recommend AumHa Forums).

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2 (http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use. It will help you to both identify and remove any hijackware/spyware with assistance from an expert. **Post your log to http://forums.spybot.info/forumdisplay.php?f=22, http://castlecops.com/forum67.html, http://forums.subratam.org/index.php?showforum=7, http://aumha.net/viewforum.php?f=30, or other appropriate forums for review by an expert in such matters, not here.**
==================================
A format & reinstall (not a Repair Install) *will* resolve the problems. Chances are the laptop has a hidden Recovery partition that can be used to return the machine to OOBE state. Contact Toshiba Support.

I would not recommend installing *any* Norton software on the machine afterwards. You do NOT have to install the security software offered by your ISP, free or not. The expert handling your HijackThis log thread will be able to offer you some reasonable alternatives, some of them free.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

 

 

 

 


Posted

Re: Windows Defender Registry Key HKEY_USERS

 

I did post a HijackThis log to one site and never got a reply. This was before I had any issues with Windows Defender or the automatic update processes. Right now, I just do not have the time to devote to this (I have to do an online test this evening and submit it within 24 hours). I will access the sites you have suggested when I can. I do not need to use Windows Defender nor the automatic updates. I can still manually download any updates I need.

Another development since the technicians downloaded the Uninstaller, is that I can no longer disable the local area connection (never had this problem before). Now, I disconnect the cable when I am not on the internet.

What I had hoped for, at least, was an answer to whether the ISP's update manager should be referenced in the Windows Defender key. This would give me a clue as to why, despite many efforts on the part of Microsoft technicians and myself, we could not get the Windows Defender to start.

Thank you for your quick response and feedback.

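Added example (not part of any post in this thread, and not code from Microsoft or any vendor named here): a Python sketch that reads a regedit text export, lists the string values under Run/RunOnce keys together with the hive they apply to, and classifies SID strings such as the S-1-5-5-0-61194 seen in Process Explorer by their structure. It assumes the "Run (folder)" in the question is a ...\CurrentVersion\Run autostart key under a user hive in HKEY_USERS; the export text, the ExampleISP/Example Tool/ExampleAV paths and the account SID are constructed for illustration.

```python
"""Offline triage of Run-key autostart values from a regedit text export."""
import re

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
SZ_VALUE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<data>(?:[^"\\]|\\.)*)"$')
# Quoted path, else an unquoted path up to its extension, else the first token.
EXE_PATH = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr))(?=\s|$)|(\S+))', re.I)
WELL_KNOWN = {12: "Restricted code", 18: "LocalSystem", 19: "LocalService", 20: "NetworkService"}


def classify_sid(sid):
    """Name the kind of principal a SID string denotes, from its structure alone."""
    m = re.fullmatch(r"S-1-(\d+)((?:-\d+)+)", sid, re.I)
    if not m:
        return "not a SID"
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if int(m.group(1)) != 5:
        return "SID outside the NT authority (S-1-5)"
    if subs[0] == 5 and len(subs) == 3:
        # S-1-5-5-X-Y is generated for each logon session; it names no account.
        return "logon session SID (created per logon, not an account)"
    if subs[0] == 21 and len(subs) == 5:
        rid = subs[-1]
        kind = "created account" if rid >= 1000 else "built-in account"
        return f"account SID, RID {rid} ({kind})"
    if subs[0] == 32 and len(subs) == 2:
        return f"built-in local group, RID {subs[1]}"
    if len(subs) == 1 and subs[0] in WELL_KNOWN:
        return WELL_KNOWN[subs[0]]
    return "other NT authority SID"


def hive_owner(key):
    """Say whose logons a key applies to, from the root and first path component."""
    root, _, rest = key.partition("\\")
    root = root.upper()
    if root == "HKEY_LOCAL_MACHINE":
        return "every user (machine-wide)"
    if root == "HKEY_CURRENT_USER":
        return "the user who made the export"
    if root == "HKEY_USERS":
        first = rest.split("\\", 1)[0]
        return "LocalSystem profile" if first.upper() == ".DEFAULT" else classify_sid(first)
    return "unknown root"


def unescape(text):
    """Undo .reg string escaping: a backslash protects the character after it."""
    return re.sub(r"\\(.)", r"\1", text)


def run_entries(reg_text):
    """Return one dict per REG_SZ value found under a Run or RunOnce key."""
    entries, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not RUN_KEY.search(key):
            continue  # header line, or a key that is not an autostart location
        m = SZ_VALUE.match(line)
        if not m:
            continue  # blank line, or a dword/hex value rather than a command line
        name = "(Default)" if m.group("name") is None else unescape(m.group("name"))
        command = unescape(m.group("data"))
        exe_match = EXE_PATH.match(command)
        exe = next((g for g in exe_match.groups() if g), "") if exe_match else ""
        entries.append({"key": key, "name": name, "command": command,
                        "exe": exe, "applies_to": hive_owner(key)})
    return entries


# Constructed sample export; every path and SID below is a placeholder.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1005\Software\Microsoft\Windows\CurrentVersion\Run]
"Update Manager"="\"C:\\Program Files\\ExampleISP\\Security\\updmgr.exe\" /background"
"Tray Helper"="C:\\Program Files\\Example Tool\\tray.exe -min"
"Launches"=dword:00000003

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1005\Software\ExampleISP]
"InstallDir"="C:\\Program Files\\ExampleISP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example AV Tray"="\"C:\\Program Files\\ExampleAV\\tray.exe\""
'''

if __name__ == "__main__":
    for entry in run_entries(SAMPLE_EXPORT):
        print(f'{entry["name"]}: {entry["exe"]}  [{entry["applies_to"]}]')
    print("S-1-5-5-0-61194:", classify_sid("S-1-5-5-0-61194"))
```

A real export written by regedit is UTF-16 text, so read it with encoding="utf-16" before passing it to run_entries.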

Guest PA Bear [MS MVP]
Posted

Re: Windows Defender Registry Key HKEY_USERS

 

It will take time to diagnose and clean the machine but probably not as much time as it will take to back-up your data and reinstall Windows. Personally, I would not allow a computer that's not fully patched or without Automatic Updates being functional to access the internet or any networks.

There is no quick fix for your Zlob/SDBot/Vundo infections.

Good luck to you.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

 


>>> resolve this, they closed the incident and asked me instead to contact

>>> the

>>> laptop mfgr (Toshiba) and inquire about doing a clean install and

>>> reinstall

>>> everything. As I explained in my original post, I am doing an online

>>> course

>>> (which I am already behind in and have to complete two more courses

>>> before

>>> April 1st) and do not want to do this unless I absolutely must.

>>>

>>>

>>>> Do you have a Norton application installed? If so, is your

>>>> subscription

>>>> current?

>>>

>>> Again, this is a problem. My ISP (I am in Canada and their email

>>> program

>>> is

>>> hosted through Yahoo) provides a free Norton anti-spyware as part of

>>> their

>>> subscription. My subscription is up to date with them. I also

>>> contacted

>>> them because although Yahoo identified the Norton program on my

>>> computer,

>>> the ISPs software did not and I was unable to access it through their

>>> interface. I was instructed to go to Symantec and use the removal tool

>>> on

>>> their site, did so, rebooted the computer and once again began the

>>> process

>>> to add the software. Again, this was unsuccessful.

>>>

>>> I was also instructed to do this by the Microsoft technicians who tried

>>> to

>>> resolve my issues. I have not checked whether Norton exists since they

>>> instructed me to do this.

>>>

>>> They also instructed me to download AVG Anti-Spyware (which is now on my

>>> laptop) which identified a virus (Downloader.Zlob) This virus existed in

>>> another program downloaded by a Microsoft technician. This program was

>>> installed on my desktop and is shown in AVGs log thusly:

>>>

>>> Desktop\Your_uninstaller.zip/Your uninstaller/Your Uninstaller 2006 Pro

>>> v5[1].0.0.345.zip/run.exe -> Downloader.Zlob.chj : Cleaned with backup

>>> (quarantined).

>>>

>>> I was told by two technicians that this is not really a virus. If not,

>>> why

>>> would AVG identify it as one and quarantine it?

>>>

>>>

>>>> ===========================

>>>> Microsoft has established separate newsgroups for Windows Defender

>>>> support

>>>> and comments. See

>>>> http://www.microsoft.com/athome/security/spyware/software/newsgroups/default.mspx

>>>> --

>>>

>>> I tried to access this newsgroup a number of times and each time

>>> received

>>> the message that the service was not available and to try later. I have

>>> never successfully connected to this. It was only after being told by

>>> the

>>> technician that they were closing the incident and that I should contact

>>> the

>>> laptop manufacturer, that I checked the registry key for Windows

>>> Defender

>>> and then I posted this post to this discussion group. I am, by no

>>> means,

>>> a

>>> skilled poster (this was my first post to this group and I have only

>>> posted

>>> to other groups at other internet sites) and perhaps do not fully

>>> understand

>>> the protocols. Excuse me if my post is not clear or is in the wrong

>>> area.

>>>

>>>> Thia wrote:

>>>>> I hope someone can help me with this. I have had a number of issues

>>>>> related

>>>>> to Windows Defender and Windows Automatic Updates, and despite

>>>>> Microsoft

>>>>> logging on to my computer umpteen times and trying to overcome this,

>>>>> am

>>>>> still having issues with this. I was informed that I needed to

>>>>> contact

>>>>> my

>>>>> laptop manufacturer and find out how to do a clean install and

>>>>> reinstall

>>>>> everything. I am doing an online course right now and do not want to

>>>>> take

>>>>> this drastic step unless I absolutely must.

>>>>>

>>>>> I want to ask a few more questions of those who may know the answer to

>>>>> my

>>>>> question. I went into the registry and looked at the key for Windows

>>>>> Defender, as noted above in the subject line, and discovered this:

>>>>>

>>>>> under the Run (folder)

>>>>> ab (Default) REG_SZ (value no set)

>>>>> ab Update Manager REG_SZ the data here points to

>>>>> an

>>>>> update program for an anti-virus program (Norton) that my ISP provides

>>>>> to

>>>>> use their email program. Their email program uses Yahoo.

>>>>>

>>>>> I do not think this is correct and may be the reason I am not able to

>>>>> use

>>>>> either Windows Defender or the automatic update in Windows.

>>>>>

>>>>> Can anyone give me the correct data to enter here? I would be

>>>>> eternally

>>>>> grateful!

Posted

Re: Windows Defender Registry Key HKEY_USERS

 

Thanks for your advice. Once I am done with this test, I will take the necessary action.

One thing I do not understand, is if Microsoft recommended all the anti-virus software and even used a tool that was identified as having a virus, why would they proceed with this course of action. They downloaded the AVG which identified the Downloader.Zlob in the Uninstaller zip that they loaded on my desktop. Am I missing something here?

By the way, Windows Defender is no longer on my laptop and the process to uninstall it did not remove the key I referred to in the registry, so I deleted it.

I did access the sites you mentioned and downloaded a number of tools as suggested. I will follow the instructions provided and let you know (on the AUmha.net site) what results from those efforts.

 

 

 

"PA Bear [MS MVP]" wrote:

> It will take time to diagnose and clean the machine but probably not as much

> time as it will take to back-up your data and reinstall Windows.

> Personally, I would not allow a computer that's not fully patched or without

> Automatic Updates being functional to access the internet or any networks.

>

> There is no quick fix for your Zlob/SDBot/Vundo infections.

>

> Good luck to you.

> --

> ~Robear Dyer (PA Bear)

> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

> AumHa VSOP & Admin http://aumha.net

> DTS-L http://dts-l.net/

>

> Thia wrote:

> > I did post a Hi-jack This Log to one site and never got a reply. This was

> > before I had any issues with Windows Defender or the automatic update

> > processes. Right now, I just do not have the time to devote to this (I

> > have

> > to do an online test this evening and submit it within 24 hours). I will

> > access the sites you have suggested when I can. I do not need to use

> > Windows Defender nor the automatic updates. I can still manually download

> > any updates I need.

> >

> > Another development since the technicians downloaded the Uninstaller, is

> > that I can no longer disable the local area connection (never had this

> > problem before). Now, I disconnect the cable when I am not on the

> > internet.

> >

> > What I had hoped for, at least, was an answer to whether the ISPs update

> > manager should be referenced in the Windows Defender key. This would give

> > me a clue as to why, despite many efforts on the part of Microsoft

> > technicians and myself, we could not get the Windows Defender to start.

> >

> > Thank you for your quick response and feedback.

> >

> > "PA Bear [MS MVP]" wrote:

> >

> >>> I tried to access this newsgroup a number of times and each time

> >>> received

> >>> the message that the service was not available and to try later.

> >>

> >> The Defender newsgroups remain accessible using an NNTP newsreader (e.g.,

> >> Outlook Express). See the instructions on

> >> http://www.microsoft.com/athome/security/spyware/software/newsgroups/default.mspx

> >> =====================

> >>> They also instructed me to download AVG Anti-Spyware (which is now on my

> >>> laptop) which identified a virus (Downloader.Zlob)...

> >>

> >> <pft> No anti-spyware application (let alone AVG AS) or anti-virus

> >> application can resolve Zlob infections; and chances are it's brought

> >> along

> >> its "friends" SDBot and Vundo.

> >>

> >> Run a /thorough/ check for hijackware, including posting your hijackthis

> >> log to an appropriate forum (I recommend AumHa Forums).

> >>

> >> Checking for/Help with Hijackware

> >> http://aumha.org/a/parasite.htm

> >> http://aumha.org/a/quickfix.htm

> >> http://aumha.net/viewtopic.php?t=5878

> >> http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction

> >> http://mvps.org/winhelp2002/unwanted.htm

> >> http://inetexplorer.mvps.org/data/prevention.htm

> >> http://inetexplorer.mvps.org/tshoot.html

> >> http://www.mvps.org/sramesh2k/Malware_Defence.htm

> >> http://defendingyourmachine2.blogspot.com/

> >> http://www.elephantboycomputers.com/page2.html#Removing_Malware

> >>

> >> When all else fails, HijackThis v2.0.2

> >> (http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.

> >> It will help you to both identify and remove any hijackware/spyware with

> >> assistance from an expert. **Post your log to

> >> http://forums.spybot.info/forumdisplay.php?f=22,

> >> http://castlecops.com/forum67.html,

> >> http://forums.subratam.org/index.php?showforum=7,

> >> http://aumha.net/viewforum.php?f=30, or other appropriate forums for

> >> review

> >> by an expert in such matters, not here.**

> >> ==================================

> >> A format & reinstall (not a Repair Install) *will* resolve the problems.

> >> Chances are the laptop has a hidden Recovery partition that can be used

> >> to

> >> return the machine to OOBE state. Contact Toshiba Support.

> >>

> >> I would not recommend installing *any* Norton software on the machine

> >> afterwards. You do NOT have to install the security software offered by

> >> your ISP, free or not. The expert handling your HijackThis log thread

> >> will

> >> be able to offer you some reasonable alternatives, some of them free.

> >> --

> >> ~Robear Dyer (PA Bear)

> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

> >> AumHa VSOP & Admin http://aumha.net

> >> DTS-L http://dts-l.net/

> >>

> >>

> >>

> >>

> >> Thia wrote:

> >>> "PA Bear [MS MVP]" wrote:

> >>>

> >>>>> ...I have had a number of issues related

> >>>>> to Windows Defender and Windows Automatic Updates

> >>>>

> >>>> What issues?

> >>>>

> >>> I wasn't sure if I had a virus on my laptop (Toshiba pre-loaded WIN XP

> >>> SP2)

> >>> and so I downloaded a number of programs, one of which was Sysinternals

> >>> Process Explorer and when I viewed the handles on any of the processes

> >>> that

> >>> were there I saw many error messages. I am not completely comfortable

> >>> with

> >>> analysing the meanings of these errors and did a lot of research to try

> >>> to

> >>> understand this. One of the references I kept seeing in my research was

> >>> to

> >>> "Unknown Account" or "Unknown user". By double clicking on the handle

> >>> "WindowStation" in the lower pane view, I receive a dialog box that

> >>> shows

> >>> Details and Security. When I click on Security, under Group or user

> >>> names,

> >>> the first listing shows an icon depicting a head with a question mark

> >>> and

> >>> Account Unknown followed by (S-1-5-5-0-61194). Under this group name,

> >>> the

> >>> usual group icons appear. i.e. Administrators, the icon representing

> >>> myself, Restricted, System.

> >>>

> >>> When I continued to see these references, I asked for and received many

> >>> different hot fixes from Microsoft. None of them resolved this. I also

> >>> did

> >>> an online scan through Windows Live and that did not change this. I

> >>> finally

> >>> downloaded Windows Defender and was able to use it successfully.

> >>>

> >>> Throughout this process, I was able to use both Windows Defender and the

> >>> automatic updates through Microsoft Update. I have Genuine Microsoft

> >>> products for both the operating system and Office 2007.

> >>>

> >>>> Did you open a free support incident with MS PSS about these issues?

> >>>>

> >>> Yes I did and despite many attempts on the part of the technicians to

> >>> resolve this, they closed the incident and asked me instead to contact

> >>> the

> >>> laptop mfgr (Toshiba) and inquire about doing a clean install and

> >>> reinstall

> >>> everything. As I explained in my original post, I am doing an online

> >>> course

> >>> (which I am already behind in and have to complete two more courses

> >>> before

> >>> April 1st) and do not want to do this unless I absolutely must.

> >>>

> >>>

> >>>> Do you have a Norton application installed? If so, is your

> >>>> subscription

> >>>> current?

> >>>

> >>> Again, this is a problem. My ISP (I am in Canada and their email

> >>> program

> >>> is

> >>> hosted through Yahoo) provides a free Norton anti-spyware as part of

> >>> their

> >>> subscription. My subscription is up to date with them. I also

> >>> contacted

> >>> them because although Yahoo identified the Norton program on my

> >>> computer,

> >>> the ISPs software did not and I was unable to access it through their

> >>> interface. I was instructed to go to Symantec and use the removal tool

> >>> on

> >>> their site, did so, rebooted the computer and once again began the

> >>> process

> >>> to add the software. Again, this was unsuccessful.

> >>>

> >>> I was also instructed to do this by the Microsoft technicians who tried

> >>> to

> >>> resolve my issues. I have not checked whether Norton exists since they

> >>> instructed me to do this.

> >>>

> >>> They also instructed me to download AVG Anti-Spyware (which is now on my

> >>> laptop) which identified a virus (Downloader.Zlob) This virus existed in

> >>> another program downloaded by a Microsoft technician. This program was

> >>> installed on my desktop and is shown in AVGs log thusly:

> >>>

> >>> Desktop\Your_uninstaller.zip/Your uninstaller/Your Uninstaller 2006 Pro

> >>> v5[1].0.0.345.zip/run.exe -> Downloader.Zlob.chj : Cleaned with backup

> >>> (quarantined).

> >>>

> >>> I was told by two technicians that this is not really a virus. If not,

> >>> why

> >>> would AVG identify it as one and quarantine it?

> >>>

> >>>

> >>>> ===========================

> >>>> Microsoft has established separate newsgroups for Windows Defender

> >>>> support

> >>>> and comments. See

> >>>> http://www.microsoft.com/athome/security/spyware/software/newsgroups/default.mspx

> >>>> --

> >>>

> >>> I tried to access this newsgroup a number of times and each time

> >>> received

> >>> the message that the service was not available and to try later. I have

> >>> never successfully connected to this. It was only after being told by

> >>> the

> >>> technician that they were closing the incident and that I should contact

> >>> the

> >>> laptop manufacturer, that I checked the registry key for Windows

> >>> Defender

> >>> and then I posted this post to this discussion group. I am, by no

> >>> means,

> >>> a

> >>> skilled poster (this was my first post to this group and I have only

> >>> posted

> >>> to other groups at other internet sites) and perhaps do not fully

> >>> understand

> >>> the protocols. Excuse me if my post is not clear or is in the wrong

> >>> area.

> >>>

> >>>> Thia wrote:

> >>>>> I hope someone can help me with this. I have had a number of issues

> >>>>> related

> >>>>> to Windows Defender and Windows Automatic Updates, and despite

> >>>>> Microsoft

> >>>>> logging on to my computer umpteen times and trying to overcome this,

> >>>>> am

> >>>>> still having issues with this. I was informed that I needed to

> >>>>> contact

> >>>>> my

> >>>>> laptop manufacturer and find out how to do a clean install and

> >>>>> reinstall

> >>>>> everything. I am doing an online course right now and do not want to

> >>>>> take

> >>>>> this drastic step unless I absolutely must.

> >>>>>

> >>>>> I want to ask a few more questions of those who may know the answer to

> >>>>> my

> >>>>> question. I went into the registry and looked at the key for Windows

> >>>>> Defender, as noted above in the subject line, and discovered this:

> >>>>>

> >>>>> under the Run (folder)

> >>>>> ab (Default) REG_SZ (value no set)

> >>>>> ab Update Manager REG_SZ the data here points to

> >>>>> an

> >>>>> update program for an anti-virus program (Norton) that my ISP provides

> >>>>> to

> >>>>> use their email program. Their email program uses Yahoo.

> >>>>>

> >>>>> I do not think this is correct and may be the reason I am not able to

> >>>>> use

> >>>>> either Windows Defender or the automatic update in Windows.

> >>>>>

> >>>>> Can anyone give me the correct data to enter here? I would be

> >>>>> eternally

> >>>>> grateful!

>

>

Guest PA Bear [MS MVP]
Posted

Re: Windows Defender Registry Key HKEY_USERS

 

Again, no anti-virus application will be able to detect /and/ remove all traces of your infections (again, I'm sure there's more than Zlob), let alone AVG (which is not one I'd recommend at all).

I'm an Admin and Moderator at AumHa Forums. I will notice your post.

--

~Robear Dyer (PA Bear)

MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

AumHa VSOP & Admin http://aumha.net

DTS-L http://dts-l.net/

 

 

Thia wrote:

> Thanks for your advice. Once I am done with this test, I will take the

> necessary action.

>

> One thing I do not understand, is if Microsoft recommended all the

> anti-virus software and even used a tool that was identified as having a

> virus, why would they proceed with this course of action. They

> downloaded

> the AVG which identified the Downloader.Zlob in the Uninstaller zip that

> they loaded on my desktop. Am I missing something here?

>

> By the way, Windows Defender is no longer on my laptop and the process to

> uninstall it did not remove the key I referred to in the registry, so I

> deleted it.

>

> I did access the sites you mentioned and downloaded a number of tools as

> suggested. I will follow the instructions provided and let you know (on

> the

> AUmha.net site) what results from those efforts.


