Defender giving event id errors on boot

Guest

Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date: 1/31/2007
Time: 8:20:42 AM
User: N/A
Computer: THEBEAST
Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {9E1EAC6B-68E8-40B9-B1D7-10026CE30047}
User: THEBEAST
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: driver:uphcleanhlp
Alert Type: Unclassified software
Detection Type:

AND
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date: 1/31/2007
Time: 8:20:42 AM
User: N/A
Computer: THEBEAST
Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {ABF3BE4B-6AB6-43A0-A218-217E9B850120}
User: THEBEAST
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: service:uphcleanhlp
Alert Type: Unclassified software
Detection Type:
AND
The errors always come in 2/s and the numbers in the "Scan ID: { }" are
always different.
Is this a bug, and is there anything I can do to prevent this?
I have already removed and reinstalled, and the errors still exist.
I am using version:
Windows Defender Version: 1.1.1593.0
Engine Version: 1.1.2101.0
Definition Version: 1.15.2224.9
Product ID: 81664-417-6859527-04062

TIA!
 
Guest

This isn't a bug so much as WD just doing its job warning you of what it sees
as a potentially suspect driver (uphcleanhlp) you have installed which is making
changes to your system at startup. Ironically, this driver (uphcleanhlp.sys)
is thought to be a Microsoft one used to completely terminate a user session
when logging off. Do you have a program installed which may use this driver?
What version of Windows are you using?

Stu
 
Incognitus

Puff said:
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date: 1/31/2007
Time: 8:20:42 AM
User: N/A
Computer: THEBEAST
Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {9E1EAC6B-68E8-40B9-B1D7-10026CE30047}
User: THEBEAST
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: driver:uphcleanhlp
Alert Type: Unclassified software
Detection Type:

AND
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date: 1/31/2007
Time: 8:20:42 AM
User: N/A
Computer: THEBEAST
Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {ABF3BE4B-6AB6-43A0-A218-217E9B850120}
User: THEBEAST
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: service:uphcleanhlp
Alert Type: Unclassified software
Detection Type:
AND
The errors always come in 2/s and the numbers in the "Scan ID: { }" are
always different.
Is this a bug, and is there anything I can do to prevent this?
I have already removed and reinstalled, and the errors still exist.
I am using version:
Windows Defender Version: 1.1.1593.0
Engine Version: 1.1.2101.0
Definition Version: 1.15.2224.9
Product ID: 81664-417-6859527-04062

TIA!

FYI:
driver:uphcleanhlp is not part of UPHClean.
UPHClean.exe is used.

service:uphcleanhlp is not part of UPHClean.
The service used by UPHClean is
User Profile Hive Cleanup.

I use UPHClean and uphcleanhlp is not on my computer as a service nor as a
driver.

If I were you I would investigate further.
 
Bill Sanderson MVP

I'm not completely certain, but I believe these files relate to an older
version of the utility--hence (in part) my recommendation to install the
latest version. It'll be interesting to see whether that installation
removes these old pieces.

--
 
Guest

Stu said:
What version of Windows are you using?
I am on XP SP2

Incognitus said:
driver:uphcleanhlp is not part of UPHClean.
UPHClean.exe is used.
service:uphcleanhlp is not part of UPHClean.
The service used by UPHClean is
User Profile Hive Cleanup.
I use UPHClean and uphcleanhlp is not on my computer as a service nor as a
driver.
If I were you I would investigate further.
==
OK..I did a search in the registry, and found about 5 entries, all looking
similar to this:
LEGACY_UPHCLEANHLP
NextInstance
|
0000
|
Class,ClassGUID,ConfigFlags,DeviceDesc,Legacy,Service
|
Control
|
ActiveService

This looks like everything else listed in Legacy! HUMMMM! Now what ?? :(
I'm going to run my Spybot S&D, as it usually finds weird stuff.
 
Guest

Yes Bill, I mentioned that I uninstalled and did a reinstall. I am using v
1.6.30.0 of User Profile Hive Cleanup Service. I uninstalled it, and defender
yesterday. When the User Profile Hive cleanup service was uninstalled, I
received no error ID in events viewer.
Maybe I'll do it again, and install the UPHCS... 1st, then defender, and see
what happens.
 
Guest

OUCH!
Well, I deleted both programs rebooted, installed the UPH.. rebooted, then
installed defender. I made sure all boxes were checked, then rebooted again.
I am still getting the same event ID errors:
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date: 1/31/2007
Time: 8:53:45 PM
User: N/A
Computer: THEBEAST
Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {B7D85D88-4F2E-450C-B5D3-0E2177C57B5C}
User: THEBEAST\MISTRESS
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: service:uphcleanhlp
Alert Type: Unclassified software
Detection Type:
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date: 1/31/2007
Time: 8:53:45 PM
User: N/A
Computer: THEBEAST
Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {8F3F0322-4A6D-4E85-BD24-1FC46BF05EEE}
User: THEBEAST\MISTRESS
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: driver:uphcleanhlp
Alert Type: Unclassified software
Detection Type:
 
Incognitus

Puff said:
I am on XP SP2


driver:uphcleanhlp is not part of UPHClean.
UPHClean.exe is used.
service:uphcleanhlp is not part of UPHClean.
The service used by UPHClean is
User Profile Hive Cleanup.
I use UPHClean and uphcleanhlp is not on my computer as a service nor as a
driver.
If I were you I would investigate further.
==
OK..I did a search in the registry, and found about 5 entries, all looking
similar to this:
LEGACY_UPHCLEANHLP
NextInstance
|
0000
|
Class,ClassGUID,ConfigFlags,DeviceDesc,Legacy,Service
|
Control
|
ActiveService

This looks like everything else listed in Legacy! HUMMMM! Now what ?? :(
I'm going to run my Spybot S&D, as it usually finds weird stuff.

In the registry I have both:
LEGACY_UPHCLEANHLP
and
LEGACY_UPHCLEAN

When you upgraded UPHClean perhaps the older version wasn't removed entirely
as Bill Sanderson suggested.

From the README.txt:


UPGRADING
=========

If you used the manual installation method to install UPHClean you must follow
the manual removal instructions before attempting to use the MSI package to
install. You can find out if you used the MSI package by looking for an entry
for User Profile Hive Cleanup Service in Add/Remove Programs under Control
Panel.

If you used the MSI package to install then you can proceed with the new package
without removal.

REMOVAL
=======

If you used automatic installation:
- Open Control Panel
- Open Add/Remove Programs
- Click on User Profile Hive Service and select Remove

If you manually installed:
- Run the program with the -remove switch to stop the service and remove it
(e.g. uphclean -remove)
- Remove the UPHClean directory under c:\program files

Also:
UPHClean v1.6d readme.txt
Updated April 27, 2005 by Robin Caron

Send all feedback/comments/problems to (e-mail address removed)
 
Jean Rosenfeld

As Bill said it is quite normal. I have them too. They are not actually error
logs but warning logs (not yet classified means WD database does not know
whether it's a legit thing or not, up to the user to decide). I don't know
why the LEGACY_UPHCLEANHLP key is installed with UPH cleanup, as there is no
corresponding service. Since that is the case, it's a mystery why WD flags
it.

I would stop worrying about it if I were you.
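The point Jean raises (a LEGACY_ key with no corresponding service) can be checked directly rather than guessed at. The following PowerShell is an added example, not code from the thread or from UPHClean: it walks the LEGACY_* device nodes under Enum\Root, reads the Service value of each instance subkey, and reports nodes whose named service has no key under Services. It assumes a Windows host and an elevated shell (some Enum subkeys are not readable otherwise); the key paths are the standard ones, the column names are ours.

```powershell
# Added example: find LEGACY_* device nodes whose Service value points at a
# service/driver that no longer exists under CurrentControlSet\Services.
# Run from an elevated PowerShell prompt (Enum subkeys may be ACL-restricted).
$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$report = Get-ChildItem -Path $enumRoot -ErrorAction Stop |
    Where-Object { $_.PSChildName -like 'LEGACY_*' } |
    ForEach-Object {
        $node = $_
        # Each LEGACY_ node holds one or more instance subkeys (e.g. "0000");
        # the instance carries the Service value naming the driver/service.
        Get-ChildItem -Path $node.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
            $inst = Get-ItemProperty -Path $_.PSPath
            $svc  = $inst.Service
            $svcKeyExists = [bool]($svc -and (Test-Path -Path (Join-Path $services $svc)))
            [pscustomobject]@{
                LegacyNode       = $node.PSChildName
                Instance         = $_.PSChildName
                Service          = $svc
                DeviceDesc       = $inst.DeviceDesc
                ServiceKeyExists = $svcKeyExists
            }
        }
    }

"LEGACY_ nodes whose Service key is missing (orphaned entries):"
$report | Where-Object { -not $_.ServiceKeyExists } | Format-Table -AutoSize

"All LEGACY_ nodes, for reference:"
$report | Sort-Object LegacyNode | Format-Table -AutoSize
```

An orphaned node (for instance LEGACY_UPHCLEANHLP with no Services\uphcleanhlp key) is leftover registry state rather than a running component; it can be compared against what Add/Remove Programs and the UPHClean README say should be installed before deciding whether to clean it up.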
 
Guest

I am not worried. I like to keep good track of things that belong and don't
belong on my machine.
Is there a way to have it stop reporting this?
Thanks!

Jean Rosenfeld said:
As Bill said it is quite normal. I have them too. They are not actually error
logs but warning logs (not yet classified means WD database does not know
whether it's a legit thing or not, up to the user to decide). I don't know
why the LEGACY_UPHCLEANHLP key is installed with UPH cleanup, as there is no
corresponding service. Since that is the case, it's a mystery why WD flags
it.

I would stop worrying about it if I were you.
 
Dave M

Good question, Puff, not that I know of within Defender. The only
workaround I've found so far is to use a more advanced event viewer than
Microsoft's built in one, and then filter those specific warnings out by
name "uphcleanhlp". Even then, I can only filter one such name at a time.
Guess you could filter all events ids numbered 3004, but I think you may
miss something important if you did that. Here's a link to the free event
viewer that I use. It has the ability to save different filter setups
across invocations of the viewer, and is much more powerful than what comes
with windows:

http://www.eventlogxp.com/
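Dave's caution is the right one: filtering every Event ID 3004 hides future detections, while filtering by the flagged name keeps them visible. The script below is an added example (not from the thread or from any product named in it) that does the same thing with built-in tooling: it reads WinDefend 3004 warnings from the System log, pulls the "Path Found:" value out of each message so events are grouped by what was flagged rather than by the ever-changing Scan ID, and lists only the warnings that are not the already-investigated uphcleanhlp entries. It assumes the classic System log with source WinDefend, as in the events quoted above, and Get-EventLog (PowerShell 2.0 or later); the list of known paths is ours.

```powershell
# Added example: summarise WinDefend Event ID 3004 warnings by flagged path and
# surface only the ones that have not already been investigated.
# Paths this thread has already examined (constructed allow-list for this example).
$knownPaths = @('driver:uphcleanhlp', 'service:uphcleanhlp')

$events = Get-EventLog -LogName System -Source WinDefend -ErrorAction Stop |
    Where-Object { $_.EventID -eq 3004 }

# Extract "Path Found: <value>" from each message body. Scan ID differs on every
# run, so grouping by path is the only stable way to see what keeps recurring.
$parsed = foreach ($e in $events) {
    $path = if ($e.Message -match 'Path Found:\s*(\S+)') { $matches[1] } else { '<unparsed>' }
    [pscustomobject]@{
        Time      = $e.TimeGenerated
        User      = $e.UserName
        PathFound = $path
        Known     = [bool]($knownPaths -contains $path)
    }
}

"WinDefend 3004 warnings by flagged path:"
$parsed | Group-Object PathFound | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"Warnings that are NOT the known uphcleanhlp entries (still worth a look):"
$parsed | Where-Object { -not $_.Known } | Sort-Object Time | Format-Table -AutoSize
```

Run it after a reboot to confirm the two uphcleanhlp warnings are the only ones recurring; anything else in the second table is a new, unclassified change Defender saw.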
 
Guest

FWIW. I don't think this will be possible unless the developers rewrite the
code for the way in which WD analyses your system. I would tend to take Jean's
approach of 'not worrying too much' but, nevertheless, be aware. The question you
must ultimately ask of yourself is: are the flagged entries associated with a
program you are confident with? If you can't trust MS, who can you trust?
Dave's URL is a good Event Viewer but ultimately you will have to pay for it.

Stu

Puff said:
I am not worried. I like to keep good track of things that belong and don't
belong on my machine.
Is there a way to have it stop reporting this?
Thanks!
 
Guest

Thanks lots everyone for your input and feedback!
I will take all of your suggestions under advisement, and put this issue on
the back burner! :)

Grand weekend all!
Ms. Puff
== == == ==
 
