PC Review



How do I change "Action Taken" Permit to Deny?

 
 
Lou_makemyday
Guest
Posts: n/a
 
      19th Feb 2007
When reviewing the history of a scan, I have an "Unknown Name" and action
taken was Permit. How can I change this entry to Deny?
--
Lou_makemyday
 
 
 
 
 
Bill Sanderson MVP
Guest
Posts: n/a
 
      20th Feb 2007
You can't change what has already occurred, at least, according to current
understandings of time and physics.

For most users, the choice to allow unknowns is definitely the right thing to
do. If you want to be notified before such actions are taken, go to Tools,
Options, and scroll to the end of Real-time protection options.
"Choose if this program should..."
and check off "Software that has not yet been classified for risks."

I believe that you'll find that the vast majority of such software will turn
out to be drivers that you are knowingly installing.

You should be aware that if you do choose to refuse such an install,
whatever you are installing will probably fail, perhaps in difficult to
diagnose ways.

 
Lou_makemyday
Guest
Posts: n/a
 
      20th Feb 2007
Thanks Bill Sanderson MVP,

I appreciate your feedback. I do have that box checked. I have changed my
Default actions as follows to help prevent undesirable additions to my
computer. Do these settings make sense and allow legitimate programs to
install? High Alert-Quarantine, Med Alert-Default action, Low Alert Default
action. I would appreciate feedback on these settings. My wife's computer
was set to default action and she got infested with programs that either
popped up on I.E. Explorer or took over the URL box and would not allow her
to use other sites. I got rid of the "take-over program," but she still has
spyware programs in Startup\Think-Adz.ink and in
WINNTT\System32\twinooa.exe. These do not appear in the Control Window for
removing programs. We took the computer to a friend who repairs computers
and he has tried to get rid of these by editing the registry, but apparently
not successful .... he either missed some entries or they came back???

Any thoughts on this?

Lou_makemyday
 
Bill Sanderson MVP
Guest
Posts: n/a
 
      20th Feb 2007
If you believe that you can stay cool and do some research when you are
prompted about items being installed, adding that checkbox may make sense.
For the average non-technical user, I would leave things at the defaults. I
do have the action settings set to quarantine for all items on some
machines.

Your wife's machine is not clean yet.

Think-adz.lnk (that's an L) is bad, and the executable is likely, as well.

I would recommend making certain that both Windows Defender, and your
antivirus app are up to date on your wife's machine, restarting in safe
mode, and scanning with both Defender and your antivirus--do full scans.

Additionally, you might want to submit

WINNTT\System32\twinooa.exe

to virustotal:

www.virustotal.com

look for the browse box at the top on the right--browse to that executable,
and submit it and wait for the results.

If your antivirus doesn't detect it, but others do, doing an online scan
from one of the vendors that does detect it would be a good idea.

I don't know whether Windows Defender and your antivirus are likely to clean
these particular threats or not--I'd do the scans, and then let's see whether
they appear to have been effective. I do see folks offering cleaning advice
for the .LNK critter in other forums, but I would not follow any advice in
those threads--I would try the scans. If, in fact, they don't do the job,
the next step would be to post a HijackThis log in a cleaning forum, and ask
for current advice on these threats--at least one thread I saw involved use
of a tool whose author has withdrawn it temporarily because of a problem--so
it will be important to get current advice, not try to follow an old thread.





 
Lou_makemyday
Guest
Posts: n/a
 
      21st Feb 2007
Bill Sanderson MVP: Thanks again for the good advice. I'll try to find some
help as you suggested.
--
Lou_makemyday
 
tonikrys
Guest
Posts: n/a
 
      29th Sep 2007

--
toni k.
 
tonikrys
Guest
Posts: n/a
 
      29th Sep 2007

I have the same problem. However it also said that this may have
potentially unwanted behavior. I am not a techie and so I could really use
some help. How do I decide and how can I get rid of those if I decide I want
to? Thanks to any advice in advance.


 
 
Lou_makemyday
Guest
Posts: n/a
 
      29th Sep 2007
tonikrys,
You will have to direct your question to Bill Sanderson, MVP; he is the
person who may have that knowledge.
--
Lou_makemyday
 
Bill Sanderson MVP
Guest
Posts: n/a
 
      29th Sep 2007
Windows Defender can't get rid of things that are already permitted, unless
they are "known" to have undesirable characteristics. So--if you've
permitted an unknown, Windows Defender can't remove it unless it is later
determined to be known bad.

That said, for folks without in-depth technical knowledge, I would recommend
leaving the default settings alone and not worrying about those entries.

Potentially unwanted behavior may simply mean that the type of executable
involved COULD do "bad things." That applies to any executable. It doesn't
indicate that Windows Defender knows that there is something wrong with the
particular code involved.

Many items generating such entries are routine installations of drivers for
hardware, or, perhaps software which isn't mainstream--not necessarily
anything wrong at all.

Looking at history on my own system, the most recent examples of this sort
of entry involve my installing the FTP server portion of IIS (on XP) and
enabling that through the firewall.

Since I was knowingly doing this (indeed, perhaps risky)--I didn't hesitate
to permit.

Such entries usually have a long path name as part of the description of
what is being permitted--that may be a good clue about the nature of what
was permitted--see if it involves software you've knowingly installed and
want to be operating correctly.


 
tonikrys
Guest
Posts: n/a
 
      30th Sep 2007

--
toni k.
 
 
 