Error: 0x80501001

[Guest]

When scanning with WD it finds Spyware and advice me to: "Remove this
software immediately".

But when I try to remove it, I get an error: 0x80501001

The spyware is "Unclassified.Spyware.Loader" and it's 9 files like this:

E:\System Volume
Information\_restore{F6FFCD50-7EAE-468A-94BA-0CDCCDB2B293}\RP46\A0008557.EXE->(wise0059)

I have scanned with "restore point" both disabled and enabled but get the
same error everytime.

 

[JoeM]

Just got the same error this morning. Attempting to find out if I scan in
safe mode if that will fix it

 

[Bill Sanderson]

This one indicates that the spyware is contained in an archive, I
believe--so take a look at the system event log and see what the precise
path and object involved are, and try removing it by hand--probably no need
for safe mode.

--

 

[Bill Sanderson]

Whoops --just took a look at the message that started the thread:

Alternative explanations: Object involved is inaccessable--in the System
Restore area, or the quarantine area of an antivirus.

Same solution--remove by hand--empty quarantine or exclude it from
scanning --tools, general settings.

--

 

[Guest]

I tried that too but it didn't work.

Let me know how it goes...

 

[Guest]

It didn't work....got the same error message.

Sorry for the triple post....I don't know what went wrong there.

 

[Guest]

Here is what I did...

Disabled System Restore and clicked yes to delete restore points.
Rebooted
Deleted all quarantined objects in Ad-aware.
Checked McAfee for quarantined objects....none.
Scanned with Defender....

Same thing.....Failed to remove it and same error message.

Repeated the proces in safe mode with the same result.

 

[Bill Sanderson]

So--go to the system event log, filter the view on event source windefend.
Spot the yellow triangle message that gives the details on the
detection--and hit the button to copy those details to the clipboard, and
post them here--let's see what this one is. In this case--it is probably an
archive file.

--

 

[Guest]

First of all....I was able to manually remove it. I had to mess around with
with some settings that I never had to mess with before. I changed the
profile rights settings of the folder with the malware (System Volume
Information), from the System profile to my own profile. This allowed me to
manually delete the files.

But anyway...Here is what the log file from the scan said. I have "X'ed" out
the computer and user names.

Hændelsestype: Advarsel
Hændelseskilde: WinDefend
Hændelseskategori: Ingen
Hændelses-id: 1006
Dato: 01-03-2006
Klokkeslæt: 18:26:55
Bruger: Ikke tilgængelig
Computer: XXXXXX
Beskrivelse:
Windows Defender scan has detected potential malware.
For more information please see the following:
http://www.microsoft.com
Scan ID: {C2860A37-D9F1-40C2-9125-75BE6E274C65}
Scan Type: AntiSpyware
Scan Parameters: Full Scan
User: XXXXXXX\XXXXXXX
Threat Name: Unclassified.Spyware.Loader
Threat Id: 15100
Threat Severity: 5
Threat Category: 2
Path Found: file:E:\System Volume
Information\_restore{F6FFCD50-7EAE-468A-94BA-0CDCCDB2B293}\RP46\A0008557.EXE->(wise0059);file:E:\System
Volume
Information\_restore{72F92272-DDD3-41E0-8D33-819056D33F49}\RP4\A0000628.EXE->(wise0059);file:E:\System
Volume
Information\_restore{72F92272-DDD3-41E0-8D33-819056D33F49}\RP4\A0000299.EXE->(wise0059);file:E:\System
Volume
Information\_restore{44094093-A5D8-49B6-9141-506E1AF21489}\RP1\A0003436.EXE->(wise0059);file:E:\System
Volume
Information\_restore{44094093-A5D8-49B6-9141-506E1AF21489}\RP1\A0002352.EXE->(wise0059);file:E:\System
Volume
Information\_restore{44094093-A5D8-49B6-9141-506E1AF21489}\RP1\A0001303.EXE->(wise0059);file:E:\System
Volume
Information\_restore{44094093-A5D8-49B6-9141-506E1AF21489}\RP1\A0000578.EXE->(wise0059);file:E:\System
Volume
Information\_restore{302453BC-35A6-4F3B-BE89-C7C45EA8D58C}\RP34\A0006080.EXE->(wise0059);file:E:\System
Volume
Information\_restore{302453BC-35A6-4F3B-BE89-C7C45EA8D58C}\RP34\A0005650.EXE->(wise0059);file:\Dokumenter\Homepage\Tu
Detection Type: Signatures

Yderligere oplysninger finder du under Hjælp og support på
http://go.microsoft.com/fwlink/events.asp.


And here is the message from where it failed to remove it (red circle /w
X)...and it seems you're right (archive file):

Hændelsestype: Fejl
Hændelseskilde: WinDefend
Hændelseskategori: Ingen
Hændelses-id: 1008
Dato: 01-03-2006
Klokkeslæt: 18:29:13
Bruger: Ikke tilgængelig
Computer: XXXXXX
Beskrivelse:
Windows Defender has encountered an error when taking action on potential
malware.
For more information please see the following:
http://www.microsoft.com
Scan ID: {C2860A37-D9F1-40C2-9125-75BE6E274C65}
Scan Type: AntiMalware
User: XXXXXX\XXXXX
Threat Name: Unclassified.Spyware.Loader
Threat Id: 15100
Threat Severity: 5
Threat Category: 2
Action: Remove
Error Code: 0x80508026
Error description: Windows Defender cannot remove a potentially harmful
item from the contents of an archived file. To remove the item, you need to
delete the archive or you can search for options for removing spyware in Help
and Support.

Yderligere oplysninger finder du under Hjælp og support på
http://go.microsoft.com/fwlink/events.asp.

*****************************************

 

[Bill Sanderson]

The error message about the archive is clearer than I'd remembered--perhaps
they have improved on these already?--at any rate, it does seem to give some
useful information about how to proceed--which is good!

I don't know why the earlier process of clearing the System Restore area
didn't clean that one out--glad you knew enough to be able to dig deeper for
it.

--

 

[Guest]

Yes me too.
I just did what I always do...Trying 'till I get it to work. And this one
wasn't a challange :O)
It was more like a "where to find it" than a "what to do" situation.
As I always say: "If I don't know how, I'll find out"

Anyway...Thanks for the help.