Defender vs. TClock

nancie

I have had Defender since its release, and have had very little trouble
with it. I also have WOC (Windows One Care). I use AntiVir. These are all
on an XP Pro machine. I also use TClock to customize my clock and desktop,
and have used it for at least 4 years.

Suddenly, as of yesterday, and again today, Defender has REMOVED the tclock
dll file, and has STOPPED AntiVir from running. I removed Defender because
I cannot accept its automatic behavior, even AFTER telling it to ignore
tclock. Now, of course, with Defender removed, WOC has gone yellow because
it wants Defender installed.

How do I get Defender to quit flagging TClock, quit shutting down AntiVir
and keep both WOC and ME happy?

Thanks.
 
Bill Sanderson MVP

This sounds like a possible false positive.

It'd be very helpful to have the details of the detections that resulted in
these removal actions.

These details are recorded in the System event log, with source "WinDefend"
at the time of the scan which did the detection.

Since you are on XP--you might want to use System Restore to revert the
executables to a time before this happened.

I see that there are new Windows Defender definitions today--so it will be
worth checking via a manual scan, whether this issue might already be fixed.

The event viewer has a cut and paste button to copy the details to the
clipboard, and thus get them back to this thread.

So:

1) let's see if you can grab the details of the detections and paste them
back here--or in the .signatures group--which is a good place to post false
positives.

2) Use system restore to get the system back to the way it should be.

3) then update Windows Defender--either via help, about, check for updates,
or WindowsUpdate--whatever works--and then initiate a scan of the machine
yourself--and see whether the same detections are made. If they are, I
would turn off scheduled scans until you can be certain this detection has
been fixed--which will involve updating definitions and testing by another
scan with each definition update. Microsoft has been very good about
correcting this kind of incident (if this is, in fact, a false
positive)--but it may take some time.

Let me know if you need more detailed help with these steps
 
nancie

Bill,

Thanks for your response. Below are the 3 sys events relevant to the
situation. I believe AntiVir was shut down (entry 3) because of the error
caused by Defender (entry 2) which caused Explorer to restart.

I have reinstalled Defender to keep WOC happy, and it immediately popped up
a window different from the notifications received yesterday and today,
(where all I could do was click Ignore), that requested "Always Allow" which
I promptly clicked! I will see if the situation has been remedied thusly,
but I sure am aggravated that Defender ignored ME when I told IT to ignore
TClock!

Another quick question.....does Defender live happily with Vista? We are
getting event ID 3004 and 3005 warnings on our Vista test machine
consistently. Software name is "unknown" so we can't track the exact
problem.

Thanks muchly.



ENTRY 1

Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 1006
Date: 6/15/2006
Time: 12:54:37 PM
User: N/A
Computer: N1
Description:
Windows Defender scan has detected spyware or other potentially unwanted
software.
For more information please see the following:
http://www.microsoft.com
Scan ID: {7A955E4D-86AE-4527-90DC-08FC49764996}
Scan Type: AntiSpyware
Scan Parameters: Full Scan
User: NT AUTHORITY\NETWORK SERVICE
Name: Tclock
ID: 17380
Severity ID: 1
Category ID: 27
Path Found:
process:pid:1856;file:D:\Downloads\tclocklight-040702-3.zip->tcdll.tclock;file:D:\Documents and Settings\Nan\Desktop\tclocklight-040702-3[1]\TCDLL.TCLOCK;file:C:\System Volume Information\_restore{E552D819-11E2-4279-993E-3729DEACB3B7}\RP463\A0036683.lnk
Detection Type: Signatures


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



ENTRY 2


Event Type: Error
Event Source: WinDefend
Event Category: None
Event ID: 1008
Date: 6/15/2006
Time: 12:55:12 PM
User: N/A
Computer: N1
Description:
Windows Defender has encountered an error when taking action on spyware or
other potentially unwanted software.
For more information please see the following:
http://www.microsoft.com
Scan ID: {7A955E4D-86AE-4527-90DC-08FC49764996}
Scan Type: AntiMalware
User: NT AUTHORITY\NETWORK SERVICE
Name: Tclock
ID: 17380
Severity ID: 1
Category ID: 27
Path:
Action: Quarantine
Error Code: 0x80508022
Error description:


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



ENTRY 3

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1002
Date: 6/15/2006
Time: 12:55:13 PM
User: N/A
Computer: N1
Description:
The shell stopped unexpectedly and Explorer.exe was restarted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
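
Added example, not part of any poster's message: a short Python sketch that parses Event Viewer records pasted as text, like the three above, and ties a failed WinDefend action (1008) to its detection (1006, same Scan ID) and to a shell restart (Winlogon 1002) logged shortly afterwards. The function names, the 5-second window and the abridged sample are assumptions made for the example, and a match shows closeness in time, not cause.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the three records quoted in the thread, cut down to the
# fields used here and written with ";" where Event Viewer puts a line break.
SAMPLE = (
    "Event Type: Warning;Event Source: WinDefend;Event ID: 1006;Date: 6/15/2006;"
    "Time: 12:54:37 PM;Scan ID: {7A955E4D-86AE-4527-90DC-08FC49764996};"
    "Name: Tclock;Detection Type: Signatures;"
    "Event Type: Error;Event Source: WinDefend;Event ID: 1008;Date: 6/15/2006;"
    "Time: 12:55:12 PM;Scan ID: {7A955E4D-86AE-4527-90DC-08FC49764996};"
    "Name: Tclock;Action: Quarantine;Error Code: 0x80508022;"
    "Event Type: Information;Event Source: Winlogon;Event ID: 1002;"
    "Date: 6/15/2006;Time: 12:55:13 PM"
).replace(";", "\n")
FIELD = re.compile(r"^([A-Z][A-Za-z ]*):\s*(.*)$")

def parse_events(text):
    """Split pasted Event Viewer text into one dict per record."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue  # wrapped path or free-text description line
        if m.group(1) == "Event Type":
            events.append({})
        if events:
            events[-1].setdefault(m.group(1), m.group(2))  # first "User:" wins
    for e in events:
        stamp = e["Date"] + " " + e["Time"]
        e["when"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
    return events

def is_event(e, source, event_id):
    return e.get("Event Source") == source and e.get("Event ID") == event_id

def correlate(events, window=timedelta(seconds=5)):
    """Tie each failed WinDefend action (1008) to its detection (1006, same
    Scan ID) and to a shell restart (Winlogon 1002) within `window` after it."""
    seen = {e.get("Scan ID"): e for e in events if is_event(e, "WinDefend", "1006")}
    report = []
    for e in (x for x in events if is_event(x, "WinDefend", "1008")):
        restarted = any(is_event(r, "Winlogon", "1002")
                        and timedelta(0) <= r["when"] - e["when"] <= window
                        for r in events)
        report.append({"name": e.get("Name"), "action": e.get("Action"),
                       "error": e.get("Error Code"), "shell_restarted": restarted,
                       "detection": seen.get(e.get("Scan ID"), {}).get("Detection Type")})
    return report
```

Running `correlate(parse_events(SAMPLE))` gives one row per failed action, which is the kind of detail a false-positive report to the .signatures group needs.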
 
Pierre Szwarc

Thanks for entering this issue. I was just about to do so. I've told WD to
ignore the Tclock entry, but it keeps popping up with it during each
scheduled scan and this is getting on my nerves...
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"nancie" <[email protected]> wrote in message (e-mail address removed)...
| I have had Defender since its release, and have had very little trouble
| with it. I also have WOC (Windows One Care). I use AntiVir. These are all
| on an XP Pro machine. I also use TClock to customize my clock and desktop,
| and have used it for at least 4 years.
|
| Suddenly, as of yesterday, and again today, Defender has REMOVED the tclock
| dll file, and has STOPPED AntiVir from running. I removed Defender because
| I cannot accept its automatic behavior, even AFTER telling it to ignore
| tclock. Now, of course, with Defender removed, WOC has gone yellow because
| it wants Defender installed.
|
| How do I get Defender to quit flagging TClock, quit shutting down AntiVir
| and keep both WOC and ME happy?
|
| Thanks.
 
nancie

Peter,

I haven't had any problems since I deleted, reinstalled and had the window
pop up that asks to "always allow". I have not seen that specific window
before, and it seems that it only showed up because of the reinstall ( I
think). Anyway, TClock now shows in my allowed list and no more problems.
My AntiVir has not been halted either. I feel the reinstall move is about
the only way to get this particular error corrected at this time.

Can you comment on the issue I noted regarding Defender and Vista?

Thank you.
 
nancie

OMG..........PIERRE!!!! I am sorry I typed Peter!!!! I KNOW who I meant,
but somehow I did a "translation"! I admire you and all you do in so many
of these groups, and then do something inane like mess up your name.....my
apologies!
 
Bill Sanderson MVP

I knew there was a piece of this that I had been meaning to return to:

Windows Defender is built-in to Vista--it is a native part of the OS, and
can't be removed, although it can be turned off.

I see a number of reports of this sort, googling. Is this system a Dell?
There's a Dell management piece that apparently results in these messages--I
don't believe they are anything to be concerned about, but it'd be nice to
be sure just what they refer to.
 
nancie

Well, the Vista machine is a homebuilt that isn't really fully set up for
Vista, but was just "sittin there" so we plopped on Vista. The graphics
card is totally inadequate for anything except basic and we won't mention
the monitor!...........except I just noticed it's a Dell!! Oh well, we'll
worry about it later, after we have a new card, more memory and a flat
screen!

Thanks for your invaluable assistance. You are always kind and gracious.
 
Bill Sanderson MVP

OK - it certainly isn't the Dell management software in this case. I
haven't looked too closely at these message codes--I'm wondering if they are
the equivalent of a "not yet classified" item in XP--in which case they are
often a driver or the like that simply hasn't gained enough spynet votes to
be classified, rather than something definitely bad.

You're welcome!
 
Pierre Szwarc

<LOL> No harm done.
And yes, Windows Defender lives quite happily with Vista. As a matter of
fact, it's an integral and non-removable part of Vista, just like the
Windows Firewall.
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"nancie" <[email protected]> wrote in message [email protected]...
| OMG..........PIERRE!!!! I am sorry I typed Peter!!!! I KNOW who I meant,
| but somehow I did a "translation"! I admire you and all you do in so many
| of these groups, and then do something inane like mess up your name.....my
| apologies!
 
Pierre Szwarc

In my particular case the system is a Sony, and I upgraded the (yuck) XP
Home system it came with, with XP Pro. I also uninstalled all non-essential
Sony software, but there was no problem with TClock until about a week ago
anyway. The installed software was not modified for at least 3 months prior
to that, except naturally for the Windows June batch of updates.
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"Bill Sanderson MVP" <[email protected]> wrote in message news: (e-mail address removed)...
| I knew there was a piece of this that I had been meaning to return to:
|
| Windows Defender is built-in to Vista--it is a native part of the OS, and
| can't be removed, although it can be turned off.
|
| I see a number of reports of this sort, googling. Is this system a Dell?
| There's a Dell management piece that apparently results in these messages--I
| don't believe they are anything to be concerned about, but it'd be nice to
| be sure just what they refer to.
 
Bill Sanderson MVP

I'd encourage you to post in the .signatures group, since the Tclock
detection seems to be a false positive. Microsoft has a pretty good record
of fixing false positives, but they need to hear about them with details.
Posting the record from the system event log with the detected item would be
helpful.
 
Pierre Szwarc

Will do. Thanks :)
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"Bill Sanderson MVP" <[email protected]> wrote in message [email protected]...
| I'd encourage you to post in the .signatures group, since the Tclock
| detection seems to be a false positive. Microsoft has a pretty good record
| of fixing false positives, but they need to hear about them with details.
| Posting the record from the system event log with the detected item would be
| helpful.
 
Pierre Szwarc

Could be... However, this particular clock is totally safe and should not be
detected as potentially harmful. Otherwise, what's the use of Spynet? BTW,
why don't we Spynet subscribers get a monthly report about its findings,
both good and bad?
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"plun" <[email protected]> wrote in message (e-mail address removed)...
| Hi Bill and Pierre
|
| Well, all of these "clocks"......
|
| Probably a detection mess because of all Smitfraud infests with
| so called "clock apps".
|
| http://www.google.com/search?hl=sv&rls=com.microsoft:en-us&q=clock+smitfraud&btnG=Sök&lr=
|
| It's a wild jungle out there.... ;)
|
| regards
| plun
 
plun

Hi again

Well.... the challenge is probably this mess with different clocks.
MS will for sure fix it.

I have also waited for better "signals" from Spynet but this is
probably a problem for MS because of all 3rd parties.....

To operate Spynet as a "HijackThis analysator" probably is too much
even for MS. Maybe also not in MS interest to protect 3rd party apps.
So maybe "mission impossible"...

Every protection vendor works a lot with safe apps and safe processes.
But this is a giant work with all versions today.

For users never visiting unsafe sites this is not a problem so maybe
it's better to learn users about risky sites..... ;)

regards
plun
 
nancie

Well gentlemen,

I'll wade back in a little bit here.....I'm not having any more issues with
Defender since the reinstall and "always allow" option, but NOW my AntiVir
is messing with TClock and I'm trying to communicate with them to get things
fixed.

If this is because of the Smitfraud clocks issue, then it appears the
antivirus folks are using a blanket approach against all clocks, whether or
not they are problematic. I am really quite frustrated right now, as
AntiVir wants the offending file zipped and passworded and I haven't a clue
how to do it!! I guess I'll wait for my resident guru to be available
later!

I can't believe all the trouble this little utility is causing/receiving. I
hope things settle soon.

nan
 
plun

Hi Nancie

It's easy to zip a file... ;)

Just download Winzip and install
http://www.winzip.com/downwzeval.htm

How do I create a Zip file?

To create a new Zip file, open WinZip in the WinZip Wizard mode. (If
the WinZip Wizard does not open by default, just click the Wizard
button in the toolbar.) You will be asked "What do you want to do?"
Simply select "Create a new Zip file" and click Next. The WinZip Wizard
will guide you through the entire process.

http://www.winzip.com/aboutzip.htm

Mail it to Antivir, maybe they want the password in one mail and the
zipped file in another mail... ?

regards
plun
 
