
Defender vs. TClock

 
 
nancie
      15th Jun 2006
I have had Defender since its release, and have had very little trouble
with it. I also have WOC (Windows One Care). I use AntiVir. These are all
on an XP Pro machine. I also use TClock to customize my clock and desktop,
and have used it for at least 4 years.

Suddenly, as of yesterday, and again today, Defender has REMOVED the tclock
dll file, and has STOPPED AntiVir from running. I removed Defender because
I cannot accept its automatic behavior, even AFTER telling it to ignore
tclock. Now, of course, with Defender removed, WOC has gone yellow because
it wants Defender installed.

How do I get Defender to quit flagging TClock, quit shutting down AntiVir
and keep both WOC and ME happy?

Thanks.


 
Bill Sanderson MVP
      16th Jun 2006
This sounds like a possible false positive.

It'd be very helpful to have the details of the detections that resulted in
these removal actions.

These details are recorded in the System event log, with source "WinDefend"
at the time of the scan which did the detection.

Since you are on XP--you might want to use System Restore to revert the
executables to a time before this happened.

I see that there are new Windows Defender definitions today--so it will be
worth checking via a manual scan, whether this issue might already be fixed.

The event viewer has a cut and paste button to copy the details to the
clipboard, and thus get them back to this thread.

So:

1) let's see if you can grab the details of the detections and paste them
back here--or in the .signatures group--which is a good place to post false
positives.

2) Use system restore to get the system back to the way it should be.

3) then update Windows Defender--either via help, about, check for updates,
or WindowsUpdate--whatever works--and then initiate a scan of the machine
yourself--and see whether the same detections are made. If they are, I
would turn off scheduled scans until you can be certain this detection has
been fixed--which will involve updating definitions and testing by another
scan with each definition update. Microsoft has been very good about
correcting this kind of incident (if this is, in fact, a false
positive)--but it may take some time.

Let me know if you need more detailed help with these steps.

--

"nancie" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I have had Defender since its release, and have had very little trouble
> with it. I also have WOC (Windows One Care). I use AntiVir. These are
> all on an XP Pro machine. I also use TClock to customize my clock and
> desktop, and have used it for at least 4 years.
>
> Suddenly, as of yesterday, and again today, Defender has REMOVED the
> tclock dll file, and has STOPPED AntiVir from running. I removed Defender
> because I cannot accept its automatic behavior, even AFTER telling it to
> ignore tclock. Now, of course, with Defender removed, WOC has gone yellow
> because it wants Defender installed.
>
> How do I get Defender to quit flagging TClock, quit shutting down AntiVir
> and keep both WOC and ME happy?
>
> Thanks.
>



 
nancie
      16th Jun 2006
Bill,

Thanks for your response. Below are the 3 sys events relevant to the
situation. I believe AntiVir was shut down (entry 3) because of the error
caused by Defender (entry 2) which caused Explorer to restart.

I have reinstalled Defender to keep WOC happy, and it immediately popped up
a window different from the notifications received yesterday and today,
(where all I could do was click Ignore), that requested "Always Allow" which
I promptly clicked! I will see if the situation has been remedied thusly,
but I sure am aggravated that Defender ignored ME when I told IT to ignore
TClock!

Another quick question.....does Defender live happily with Vista? We are
getting event ID 3004 and 3005 warnings on our Vista test machine
consistently. Software name is "unknown" so we can't track the exact
problem.

Thanks muchly.



ENTRY 1

Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 1006
Date: 6/15/2006
Time: 12:54:37 PM
User: N/A
Computer: N1
Description:
Windows Defender scan has detected spyware or other potentially unwanted
software.
For more information please see the following:
http://www.microsoft.com
Scan ID: {7A955E4D-86AE-4527-90DC-08FC49764996}
Scan Type: AntiSpyware
Scan Parameters: Full Scan
User: NT AUTHORITY\NETWORK SERVICE
Name: Tclock
ID: 17380
Severity ID: 1
Category ID: 27
Path Found:
processid:1856;file:\Downloads\tclocklight-040702-3.zip->tcdll.tclock;file:\Documents and Settings\Nan\Desktop\tclocklight-040702-3[1]\TCDLL.TCLOCK;file:C:\System Volume Information\_restore{E552D819-11E2-4279-993E-3729DEACB3B7}\RP463\A0036683.lnk
Detection Type: Signatures


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



ENTRY 2


Event Type: Error
Event Source: WinDefend
Event Category: None
Event ID: 1008
Date: 6/15/2006
Time: 12:55:12 PM
User: N/A
Computer: N1
Description:
Windows Defender has encountered an error when taking action on spyware or
other potentially unwanted software.
For more information please see the following:
http://www.microsoft.com
Scan ID: {7A955E4D-86AE-4527-90DC-08FC49764996}
Scan Type: AntiMalware
User: NT AUTHORITY\NETWORK SERVICE
Name: Tclock
ID: 17380
Severity ID: 1
Category ID: 27
Path:
Action: Quarantine
Error Code: 0x80508022
Error description:


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



ENTRY 3

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1002
Date: 6/15/2006
Time: 12:55:13 PM
User: N/A
Computer: N1
Description:
The shell stopped unexpectedly and Explorer.exe was restarted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
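
Added example, not part of the original posts: one way to check the sequence described above from pasted Event Viewer text. It ties a WinDefend action error (1008) to its detection (1006) by Scan ID and lists events from other sources logged just after the failure. The function names and the five-second window are assumptions made for this sketch.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the three entries posted above, trimmed to the fields used here.
SAMPLE = """\
Event Type: Warning
Event Source: WinDefend
Event ID: 1006
Date: 6/15/2006
Time: 12:54:37 PM
Scan ID: {7A955E4D-86AE-4527-90DC-08FC49764996}
Name: Tclock

Event Type: Error
Event Source: WinDefend
Event ID: 1008
Date: 6/15/2006
Time: 12:55:12 PM
Scan ID: {7A955E4D-86AE-4527-90DC-08FC49764996}
Action: Quarantine
Error Code: 0x80508022

Event Type: Information
Event Source: Winlogon
Event ID: 1002
Date: 6/15/2006
Time: 12:55:13 PM
The shell stopped unexpectedly and Explorer.exe was restarted.
"""

def parse_events(text):
    """Split on 'Event Type:' headers; read 'Key: value' lines into a dict."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        ev = dict(re.findall(r"(?m)^([A-Za-z ]+): *(.*)$", block))
        if "Event ID" in ev:
            ev["when"] = datetime.strptime(f'{ev["Date"]} {ev["Time"]}', "%m/%d/%Y %I:%M:%S %p")
            events.append(ev)
    return events

def failed_actions(events, window=timedelta(seconds=5)):
    """For each WinDefend 1008, find the 1006 with the same Scan ID and any
    non-WinDefend event logged within `window` after the failure."""
    out = []
    for err in (e for e in events if (e["Event Source"], e["Event ID"]) == ("WinDefend", "1008")):
        det = next((e for e in events if e["Event ID"] == "1006" and e.get("Scan ID") == err.get("Scan ID")), None)
        after = [e for e in events if e["Event Source"] != "WinDefend" and timedelta(0) <= e["when"] - err["when"] <= window]
        out.append((det, err, after))
    return out
```

On the sample, the quarantine failure pairs with the Tclock detection from the same scan, and the Winlogon 1002 shell restart falls one second after it.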



 
Pierre Szwarc
      19th Jun 2006
Thanks for entering this issue. I was just about to do so. I've told WD to
ignore the Tclock entry, but it keeps popping up with it during each
scheduled scan and this is getting on my nerves...
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"nancie" <(E-Mail Removed)> wrote in message news:
(E-Mail Removed)...
| I have had Defender since its release, and have had very little trouble
| with it. I also have WOC (Windows One Care). I use AntiVir. These are all
| on an XP Pro machine. I also use TClock to customize my clock and desktop,
| and have used it for at least 4 years.
|
| Suddenly, as of yesterday, and again today, Defender has REMOVED the tclock
| dll file, and has STOPPED AntiVir from running. I removed Defender because
| I cannot accept its automatic behavior, even AFTER telling it to ignore
| tclock. Now, of course, with Defender removed, WOC has gone yellow because
| it wants Defender installed.
|
| How do I get Defender to quit flagging TClock, quit shutting down AntiVir
| and keep both WOC and ME happy?
|
| Thanks.


 
nancie
      19th Jun 2006
Peter,

I haven't had any problems since I deleted, reinstalled and had the window
pop up that asks to "always allow". I have not seen that specific window
before, and it seems that it only showed up because of the reinstall (I
think). Anyway, TClock now shows in my allowed list and no more problems.
My AntiVir has not been halted either. I feel the reinstall move is about
the only way to get this particular error corrected at this time.

Can you comment on the issue I noted regarding Defender and Vista?

Thank you.


"Pierre Szwarc" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thanks for entering this issue. I was just about to do so. I've told WD to
> ignore the Tclock entry, but it keeps popping up with it during each
> scheduled scan and this is getting on my nerves...
> --
> Pierre Szwarc
> Paris, France
> PGP key ID 0x75B5779B
> ------------------------------------------------
> Multitasking: Reading in the bathroom !
> ------------------------------------------------
>
>



 
nancie
      19th Jun 2006
OMG..........PIERRE!!!! I am sorry I typed Peter!!!! I KNOW who I meant,
but somehow I did a "translation"! I admire you and all you do in so many
of these groups, and then do something inane like mess up your name.....my
apologies!


"nancie" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Peter,
>
> I haven't had any problems since I deleted, reinstalled and had the window
> pop up that asks to "always allow". I have not seen that specific window
> before, and it seems that it only showed up because of the reinstall (I
> think). Anyway, TClock now shows in my allowed list and no more problems.
> My AntiVir has not been halted either. I feel the reinstall move is about
> the only way to get this particular error corrected at this time.
>
> Can you comment on the issue I noted regarding Defender and Vista?
>
> Thank you.
>
>
> "Pierre Szwarc" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Thanks for entering this issue. I was just about to do so. I've told WD
>> to ignore the Tclock entry, but it keeps popping up with it during each
>> scheduled scan and this is getting on my nerves...
>> --
>> Pierre Szwarc
>> Paris, France
>> PGP key ID 0x75B5779B
>> ------------------------------------------------
>> Multitasking: Reading in the bathroom !
>> ------------------------------------------------
>>
>>

>
>



 
Bill Sanderson MVP
      19th Jun 2006
I knew there was a piece of this that I had been meaning to return to:

Windows Defender is built-in to Vista--it is a native part of the OS, and
can't be removed, although it can be turned off.

I see a number of reports of this sort, googling. Is this system a Dell?
There's a Dell management piece that apparently results in these messages--I
don't believe they are anything to be concerned about, but it'd be nice to
be sure just what they refer to.
--

"nancie" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> Another quick question.....does Defender live happily with Vista? We are
> getting event ID 3004 and 3005 warnings on our Vista test machine
> consistently. Software name is "unknown" so we can't track the exact
> problem.
>



 
nancie
      19th Jun 2006
Well, the Vista machine is a homebuilt that isn't really fully set up for
Vista, but was just "sittin there" so we plopped on Vista. The graphics
card is totally inadequate for anything except basic and we won't mention
the monitor!...........except I just noticed it's a Dell!! Oh well, we'll
worry about it later, after we have a new card, more memory and a flat
screen!

Thanks for your invaluable assistance. You are always kind and gracious.




"Bill Sanderson MVP" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I knew there was a piece of this that I had been meaning to return to:
>
> Windows Defender is built-in to Vista--it is a native part of the OS, and
> can't be removed, although it can be turned off.
>
> I see a number of reports of this sort, googling. Is this system a Dell?
> There's a Dell management piece that apparently results in these
> messages--I don't believe they are anything to be concerned about, but
> it'd be nice to be sure just what they refer to.
> --
>
> "nancie" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>
>> Another quick question.....does Defender live happily with Vista? We are
>> getting event ID 3004 and 3005 warnings on our Vista test machine
>> consistently. Software name is "unknown" so we can't track the exact
>> problem.
>>

>
>



 
Bill Sanderson MVP
      19th Jun 2006
OK - it certainly isn't the Dell management software in this case. I
haven't looked too closely at these message codes--I'm wondering if they are
the equivalent of a "not yet classified" item in XP--in which case they are
often a driver or the like that simply hasn't gained enough spynet votes to
be classified, rather than something definitely bad.

You're welcome!
--

"nancie" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Well, the Vista machine is a homebuilt that isn't really fully set up for
> Vista, but was just "sittin there" so we plopped on Vista. The graphics
> card is totally inadequate for anything except basic and we won't mention
> the monitor!...........except I just noticed it's a Dell!! Oh well, we'll
> worry about it later, after we have a new card, more memory and a flat
> screen!
>
> Thanks for your invaluable assistance. You are always kind and gracious.



 
Pierre Szwarc
      19th Jun 2006
<LOL> No harm done.
And yes, Windows Defender lives quite happily with Vista. As a matter of
fact, it's an integral and non-removable part of Vista, just like the
Windows Firewall.
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"nancie" <(E-Mail Removed)> wrote in message news:
OqpGN$(E-Mail Removed)...
| OMG..........PIERRE!!!! I am sorry I typed Peter!!!! I KNOW who I meant,
| but somehow I did a "translation"! I admire you and all you do in so many
| of these groups, and then do something inane like mess up your name.....my
| apologies!


 