Defender error 0x8050800c

When I run Defender (beta 2), it detects some things to remove, but if I tell
it to remove them, it gives this error. I uninstalled it and reinstalled it,
same problem. Then I read on here to uninstall it, reinstall it, and then
answer NO when it asks about checking for updates and running a scan, then go
to custom scan and select your drives. I did this, but it has the same
problem. Is there a fix for this?
 
Jud Mc said:
When I run Defender (beta 2), it detects some things to remove, but
if I tell it to remove them, it gives this error. I uninstalled it
and reinstalled it, same problem. Then I read on here to uninstall
it, reinstall it, and then answer NO when it asks about checking for
updates and running a scan, then go to custom scan and select your
drives. I did this, but it has the same problem. Is there a fix for
this?

Try restarting in Safe Mode and running it there.

--
Frank Saunders, MS-MVP OE/WM
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/
 
This is an error on scanning, correct? You might run a chkdsk, but you
might also drop a note to Mike Treit, of Microsoft:

mtreit @ microsoft.com
(remove the spaces)

He's been interested in getting to the remaining causes of this error--be
sure to tell him your version numbers from Help, about, when writing.
 
Hello Jud,

This error is probably due to a bug--if you are on a dynamic partition. A
fix for this should be available soon.

If it is a basic partition, other users with this error have found that
running a chkdsk scan on the partition has eliminated this error.

I hope this post is helpful, let us know how it works out.
Еиçеl
 
This is an error on scanning, correct? You might run a chkdsk, but you
might also drop a note to Mike Treit, of Microsoft:

Actually, it finishes scanning, and when I tell it to remove the bad items
is when I get the error message.
 
If it is a basic partition, other users with this error have found that
running a chkdsk scan on the partition has eliminated this error.

It is a basic partition. I've tried running chkdsk and it finds errors.
However, when I schedule a chkdsk /f on the C: drive, it doesn't do anything
(doesn't run at all). If I schedule a chkdsk /f on my other internal HD or
my external HD they work - only the one for C drive doesn't work, and I've
tried it several times.
 
Sorry--different issue. I don't know this one off the top of my
head--here's how to investigate further.

One thing to definitely try is restarting Windows in safe mode, and re-doing
the scan and removal operation.

Aside from that, we might learn more by seeing the details of the actual
detected object.

This is found in the System Event log, in records with source WinDefend.

Start, run, eventvwr.msc.
Highlight the System event log in the left column.
Go to View, and choose Filter.
In Event Source, choose WinDefend in the drop-down control.
Hit Apply, then OK.
In the right column, scroll down in time until you reach the scan--you can
hit enter on an individual record to see the detail.
When you find the scan, you should see yellow-triangle warning messages (you
can filter for just these, too)--that represent the actual detections.

With a given record open to the details, there's a clipboard button you can
hit to cut and paste details--here's an example:
--------------------------
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 1006
Date: 12/9/2005
Time: 10:05:23 PM
User: N/A
Computer: BILL
Description:
Windows Defender scan has detected spyware or other potentially unwanted
software.
For more information please see the following:
http://www.microsoft.com
Scan ID: {ED4CA2AF-A8B9-43E2-B6A7-C675C2319AC8}
Scan Type: AntiSpyware
Scan Parameters: Quick Scan
User: BILL\Bills
Name: RealVNC
ID: 7480
Severity ID: 2
Category ID: 33
Path Found: regkey:HKLM\Software\ORL
Detection Type: Signatures
------------------------------------
What is most likely of interest will be the Path Found line.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


--
 
Try restarting in Safe Mode and running it there.

That was easier said than done, but I just finished trying it and it didn't
work.

I used to be able to get to Safe Mode in one or two tries. Now the great
majority of the time it doesn't go to the safe mode screen. And the great
majority of the time it does go to that screen, the up and down arrows don't
work, so I can't go to Safe mode. And then when I finally got in, at 640x480
I couldn't see the icon for Defender, nor could I see it under "all
programs". I had to go back to normal mode and get the location, then go
through the process again to get to safe mode. Then I ran it (took 2+
hours), it detected 4 things to be removed, I clicked "remove all", the green
bar moved for a second or two and then it came up with the same error (and
the buttons are disabled).
 
....
With a given record open to the details, there's a clipboard button you can
hit to cut and paste details--here's an example:
--------------------------

OK, this is what I get for the most recent line:
========================
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date: 4/7/2006
Time: 8:31:36 PM
User: N/A
Computer: MAXWELL
Description:
Windows Defender Real-Time Protection agent has detected potential malware.
For more information please see the following:
http://www.microsoft.com
Scan ID: {D4B3E6C0-5FE9-4F12-983D-57922E6435FB}
User: MAXWELL\Jud
Threat Name: Unknown
Threat Id:
Threat Severity:
Threat Category:
Path Found: driver:mchInjDrv
Threat Classification: Unknown
Detection Type:


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
===================

Here is one of four that occurred a few minutes earlier:
================
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 1006
Date: 4/7/2006
Time: 8:25:22 PM
User: N/A
Computer: MAXWELL
Description:
Windows Defender scan has detected potential malware.
For more information please see the following:
http://www.microsoft.com
Scan ID: {228222E1-6864-4D8A-B055-D5561D0A9CAD}
Scan Type: AntiSpyware
Scan Parameters: Custom Scan
User: MAXWELL\Jud
Threat Name: Remotely Anywhere
Threat Id: 10446
Threat Severity: 2
Threat Category: 33
Path Found: file:C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP730\A0151875.msi->(MSI
Stream 48)->ra16app.exe;file:C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP730\A0151875.msi->(MSI Stream 48)->ra16dll.dll
Detection Type: Signatures


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
======================

At this point I don't know what to do with that information.
 
Well - let me see if I can help--These two don't look necessarily worrisome
on the surface.

The first one is an "unknown"--this is an object that would be of interest
to Spynet (meaning simply that it is a driver, and one not already
classified as "good" or "bad"--hence the unknown).

I happen to be familiar with this one because of a false positive a few
weeks back, maybe--you are probably running some other antispyware apps?

At any rate, in general, unknown objects are not by default brought to the
user's attention for just the reason you mention--they aren't going to know
what to do with that information. Most examples we see posted here are
benign--drivers for various other legit software. However, there was one
case where the "unknown" object was a trojan or virus which was posted here
in the last few days. I recommend that the average user leave the box to be
alerted to unknown objects unchecked, unless they are willing to do the
research. And such users probably wouldn't be browsing through the system
event log either. (Please don't take this personally--I don't mean you
specifically--just trying to generalize!)

The second one would on first glance be more significant--it is signature
based-- and there's both an executable and a related .dll file, but they are
in a system restore storage area.

Remotely Anywhere is a commercial remote administration tool:

http://www.remotelyanywhere.com/products/workstation_edition.asp

It may be used by, say, a corporate admin or help desk operation. Some
similar tools are placed on systems when they are built--some IBM machines
come with a VNC variant installed, for example--as a support tool.

This detection is meant to call out to the user that such a tool is
installed--since some such tools may be present and active without any clear
notice to the user.

If you are aware of having had Remotely Anywhere on the system at some point
in the past, this detection would be expected. If you weren't aware it
would be good to know why it was there, and perhaps when. The date on the
containing .MSI file might be a good indication of the when, but I can't
easily describe to you how to get to that file and check the date--if I were
trying to do so, I'd go via the command prompt--but there are hidden
subdirectories involved, so it isn't straightforward.

The way to get rid of that detection is simple--you destroy the restore
point that contains it. One way to do this is to turn off, and then back on
again, the System Restore feature on the C: drive. This destroys ALL
restore points, so you need to be confident about the condition of the
system, and create another restore point immediately.

A slightly safer way is to start the all programs, accessories, system
tools, disk cleanup tool, wait out the first operations, then hit the "more
options" tab and choose the system restore related choice on that tab--that
choice will remove all but the most recent restore point--which we can hope
won't be the one containing this RAT (remote administration tool.)


So--that's my opinion--and it is just that--nothing really hard and
fast--about those two items. Ring any bells? Microsoft is aware that the
messages in this situation (stuff found but not cleaned) are not what they
should be, and indeed--the cleaning behaviors are likely to change before
this product is released--they are aware that the current situation is
perplexing to most users.
--
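
An added example, not part of any post in this thread: a small Python parser for the clipboard text format quoted above, which re-joins a wrapped Path Found value and notes whether each detected object sits in a System Restore store, the registry, or a driver entry. The sample event, its GUID, file names and the `ExampleRAT` name are constructed placeholders.

```python
import re

# Constructed sample in the clipboard format shown in the thread; all values
# are placeholders. The Path Found value is wrapped across lines on purpose.
SAMPLE = r"""Event Type: Warning
Event Source: WinDefend
Event ID: 1006
Description:
Windows Defender scan has detected potential malware.
For more information please see the following:
http://www.microsoft.com
Threat Name: ExampleRAT
Path Found: file:C:\System Volume
Information\_restore{00000000-0000-0000-0000-000000000000}\RP001\A0000001.msi->(MSI
Stream 48)->tool.exe;regkey:HKLM\Software\Example;driver:exampleDrv
Detection Type: Signatures

For more information, see Help and Support Center at
"""

# A field label is a short capitalised phrase followed by a colon.
FIELD = re.compile(r"^([A-Z][A-Za-z ]{1,24}):\s?(.*)$")
RESTORE = r"\System Volume Information\_restore"
KINDS = {"file": "live file", "regkey": "registry", "driver": "driver"}

def parse_event(text):
    """Return {label: value}, re-joining values the clipboard copy wrapped."""
    fields, key = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key = m.group(1)
            fields[key] = m.group(2).strip()
        elif not line.strip():
            key = None                      # a blank line ends the current field
        elif key:
            fields[key] = (fields[key] + " " + line.strip()).strip()
    return fields

def detected_objects(fields):
    """Split Path Found into (kind, container, inner member, location) tuples."""
    out = []
    for item in filter(None, fields.get("Path Found", "").split(";")):
        kind, _, rest = item.partition(":")
        chain = rest.split("->")            # outer container -> ... -> member
        in_restore = kind == "file" and RESTORE in chain[0]
        where = "restore point" if in_restore else KINDS.get(kind, "other")
        out.append((kind, chain[0], chain[-1], where))
    return out
```
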
 
Sorry to hear that. Both Windows Defender, and, in safe mode with
networking, safety.live.com--are designed to work in safe mode and can clean
more things better in that mode.

The one thought I have I already posted elsewhere in the thread--safe mode
(or perhaps better the recovery console--may be easier for you to get
into)--might be a good way to get the chkdsk run done.

--
 
The one thought I have I already posted elsewhere in the thread--safe mode
(or perhaps better the recovery console--may be easier for you to get
into)--might be a good way to get the chkdsk run done.

By asking on a newsgroup, I found the reason why chkdsk wouldn't run (it had
to do with Spyware Doctor). I fixed that and finally got chkdsk /f to run.
I just finished running Defender again, and had the same problem. After the
scan, I click "remove all" and about 2 seconds later it gives the error
message.
 
I recommend that the average user leave the box to be
alerted to unknown objects unchecked,

I'll try that.
Remotely Anywhere is a commercial remote administration tool: ....
If you are aware of having had Remotely Anywhere on the system at some point
in the past, this detection would be expected. If you weren't aware it

Just a few weeks ago I was testing LogMeIn and GoToMyPC. Is Remotely
Anywhere part of one of those? If not, I might have tested it too.
The way to get rid of that detection is simple--you destroy the restore
point that contains it. One way to do this is to turn off, and then back on
again, the System Restore feature on the C: drive. This destroys ALL
restore points, so you need to be confident about the condition of the
system, and create another restore point immediately.

Well, the system restore hasn't worked since I upgraded to SP2 (which was
within a month of when it came out). So I don't mind trying that too.
 
I happen to be familiar with this one because of a false positive a few
weeks back, maybe--you are probably running some other antispyware apps?

I forgot to mention that, yes, I am routinely running Spyware Doctor too.
From time to time I run Ad-aware and Spybot S&D manually.
 
The way to get rid of that detection is simple--you destroy the restore

Defender was now detecting three items: remote access and two things that
were in Norton Antivirus Quarantine. I did two things and the problem went
away (maybe). I (1) turned off system restore. (2) I cleaned out the
things in NAV quarantine. Now Defender doesn't detect any bad things, but I
don't know for sure that the problem won't come back when there are things to
remove. Perhaps NAV won't let things in its quarantine be messed with or
something (just guessing). Anyway the immediate problem is gone, I just hope
Defender works when there is something for it to remove.

Thanks for all of your help!
 
I believe Spyware Doctor is the source of the driver cited--that's
definitely harmless as long as it is Spyware Doctor it comes with.

--
 
I saw a similar issue on a machine on Friday evening--it detected Kazaa and
several related baddies in an archive file which it wouldn't remove--I found
the files in "My Music" and removed them--the owner of the machine had
assured me that was fine to do. It also detected some things in a Norton
Quarantine area. I emptied the quarantine using Norton's tools. Quarantine
can be useful--if the content is really innocent stuff which has been
"infected" by something. More and more the content of Quarantine is purely
malware--if you disinfected it there'd be nothing left.....

Anyway, glad you got it cleaned up, and I suspect that by the time this
product releases there will be changes both in the behaviors you've seen,
and in the error messages generated.

--
 
Anyway, glad you got it cleaned up, and I suspect that by the time this
product releases there will be changes both in the behaviors you've seen,
and in the error messages generated.

Yes, thank you again.
 
Bill Sanderson MVP said:
Sorry--different issue. I don't know this one off the top of my
head--here's how to investigate further.

One thing to definitely try is restarting Windows in safe mode, and re-doing
the scan and removal operation.

Aside from that, we might learn more by seeing the details of the actual
detected object.

This is found in the System Event log, in records with source WinDefend.

Start, run, eventvwr.msc.
Highlight the System event log in the left column.
Go to View, and choose Filter.
In Event Source, choose WinDefend in the drop-down control.
Hit Apply, then OK.
In the right column, scroll down in time until you reach the scan--you can
hit enter on an individual record to see the detail.
When you find the scan, you should see yellow-triangle warning messages (you
can filter for just these, too)--that represent the actual detections.

With a given record open to the details, there's a clipboard button you can
hit to cut and paste details--here's an example:
--------------------------
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 1006
Date: 12/9/2005
Time: 10:05:23 PM
User: N/A
Computer: BILL
Description:
Windows Defender scan has detected spyware or other potentially unwanted
software.
For more information please see the following:
http://www.microsoft.com
Scan ID: {ED4CA2AF-A8B9-43E2-B6A7-C675C2319AC8}
Scan Type: AntiSpyware
Scan Parameters: Quick Scan
User: BILL\Bills
Name: RealVNC
ID: 7480
Severity ID: 2
Category ID: 33
Path Found: regkey:HKLM\Software\ORL
Detection Type: Signatures
------------------------------------
What is most likely of interest will be the Path Found line.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 