Windows Defender and UPHclean v1.6

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I get the following message from the Windows event viewer (system folder):

Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date: 2/21/2006
Time: 4:03:25 PM
User: N/A
Computer: XXXX
Description:
Windows Defender Real-Time Protection agent has detected potential malware.
For more information please see the following:
http://www.microsoft.com
Scan ID: {297DE0BE-FC95-4304-89F8-079022C59430}
User: XXXX
Threat Name: Unknown
Threat Id:
Threat Severity:
Threat Category:
Path Found: service:uphcleanhlp
Threat Classification: Unknown
Detection Type:


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

According to this event message, Windows Defender Real-Time Protection
agent has detected potential malware.

I don't get any warning from WD about the potential malware, just from the
windows event viewer.

UPHclean is a MS program. anyone no why this happens and why. Maybe a bug
in the WD Beta2?

Your comments/thoughts appreciated
 
This isn't a bug--let me see if I can explain it further.

UPHClean is categorized by Spynet as not yet classified. You might think
that Microsoft, since they own the app, would force it to a known category,
but at least so far, they haven't.

If you to to tools general settings, and scroll down to near the bottom of
the list, you can see that there's a checkbox to enable user notifications
for objects in this category--i.e. get you an alert to go with that log
entry. You will, I believe, also need to join Spynet at the advanced level
to receive these alerts--read the privacy implications of this carefully.

For the average user, I believe that the default settings are very
appropriate--however, if you want to see the additional alerts, you can
learn quite a bit about what's going on during an app or driver install, for
example--and have the opportunity to block (perhaps by accident!) such a
driver install.

Anyway--you can enable further alerting for objects in this category--but do
so carefully.
 
Hello Bill,

Thanks for you reply and suggestions they are always appreciated.

I did have the notification boxes checked (both of them), but still did not
get any notifiction from WD just Windows XP event viewer.

I did check the advanced box for Spynet last night but did not get any
notification from them.

However, I am no longer getting anymore reports for the event noted in my
original message. Don't know why, guess the problem went away after joining
Spynet.

Again, Thanks for your suggestions and taking the time to reply. I have
read many of your replies to other questions and found them to be accurate
and very helpful.

Have a Great Day

Frank M
 
Thanks. I've only got UPHClean installed on servers, and they get rebooted
only when security updates require that, so I haven't had a chance to see
whether I get any alerts on this one or not.

--
 
Gentlemen:

I have UPHclean and I have never gotten any warning from Defender in my
event viewer. Thats with XP SP2 on a Dell Dimension 3000. I started out as
a basic member of Spynet and recently changed to advanced. That did not seem
to make a difference. The information alerts that I get now from my system
tray usually do not require any action and are designated with a check mark.
It sure beats the old multiple popups for allowed changes from MSAS that
would cover each other up or disappear to quickly to read. I asume that a
decision is required from me only if the Defender system tray icon has a
question mark. Is that right?
 
Old Rebel said:
Gentlemen:

I have UPHclean and I have never gotten any warning from Defender in my
event viewer. Thats with XP SP2 on a Dell Dimension 3000. I started out
as
a basic member of Spynet and recently changed to advanced. That did not
seem
to make a difference. The information alerts that I get now from my
system
tray usually do not require any action and are designated with a check
mark.
It sure beats the old multiple popups for allowed changes from MSAS that
would cover each other up or disappear to quickly to read. I asume that a
decision is required from me only if the Defender system tray icon has a
question mark. Is that right?
Click to expand...

Interesting--when I reboot servers, I'll try to remember to check on
this--maybe it indicates a version of UPHClean that isn't the final one--it
was distributed privately via email from the author (a Microsoft employee)
for a while, as I recall.

I've yet to see the icon with a question mark--so I don't know the answer to
that final query. I'll see if I can think of a way to prompt it.
 
I am also running UPHclean v1.6d on a Dell 8300 P4 3.2 ghz with Windows XP
sp2 (Home Version). I was going to add a link to UPHclean software but Old
Rebel already did that. Good Job Old Rebel.

As to Windows Defender everything is working fine. Scans are quick, 8
minutes for the Quick Scan and about 26 minutes for the Full Scan.( Drive
Size 120 Gig) Auto updates working great also. The only thing I noticed was
the windows event message that I reported in this thread and that went away.
I also run NIS 2006 on this machine and have no problems with WD and NIS
2006.
 
Mine shows 1.6.30 in add or remove programs, click for supprt info.

The only yellow triangle entries in the log on this server are two for VNC,
which I knew about, and one for driver PSSdk21--listed as an unknown. That
one I should look into.

Hmm - looks bad--keylogger. Can't find any sign of it in place, though.
11:51 in the morning on the 15th.....

There are traces of such a service in the registry--pssdk1, created by a
driver hnpssdk21.drv--but no such code exists anywhere on the system.

Running Blacklight--get appropriate warnings from Windows Defender, I see!

Ditto Sysinternals Rootkitrevealer. Similar warnings from Windows Defender.
This is tricky--I can easily see a rootkit watching for those exchanges and
taking some action based on them.

OK - rootkit revealer didn't like having WD interfere, and it throws its
dialogs only on the console session, and I was working with a Windows 2000
server via Remote Desktop.

I see some other machines with the same registry entries via googling, but
nobody is calling them bad.

OK - reading some more--looks like HNPSsdk.drv is a legit driver, which may
have been used by some malware, and has been a false positive at times. Not
sure why it showed up in that scan, except that there are registry entries
for it--perhaps something that I tried and removed at some point.

Rootkitrevealer found nothing of note.

Turn Defender back on, getting out of here!



--
 
Are we having fun yet , or what? I jsust left the AOL Spyware Discussion
message board, and my macromedia player alerted me that a dangerous web site
was trying to connect to my player. Last week, it was a McAfee alert to a
truncated bit of something media related on the same Board. I sure am glad
these newgroups do not have pictures and ads! WindDef and Ewido quick scans
found nothing, BTW, thanks goodness. McAFee is snoozing.
 
Back
Top