windows defender



i recently installed windos defender and everytime i run ascan it ALWAYS
shows malware named Browser Modifier Win32/Foto, click on remove it , it says
succeeded, yet i can scan like 2 minutes later and its back on there to be
removed again, is windows defender removing it o what is going on??? plz help

Mr Cat

Hi Jazmine

It helps to have other weapons in your arsenal to fight malware. I couldn't
find a good match describing Win32/Foto, so I suggest you try the following:
Download/Install free version of SuperAntiSpyware from,
update the definitions. Keep your browser closed and run a full scan.
Quarantine/remove the malware. Good luck and Happy New Year. Let us know if
that resolved your issue. Thanks.


Hello jazmine,

Additional info: Doesn't hurt to try Mr Cat's recommendation first.

So does the same thing happen when you reboot into Safe Mode (F-8) and do a
scan to then eradicate the pest?

Can you let us know where its being detected ?

So--the way to dig into this:

Windows Defender records, in the System event log, at the time of the scan,
the precise path and filename of each detection.

So--right click My Computer, choose Manage.
Click on the plus sign in front of Event Viewer.
Click on the System events log, in the left column.
Click on View (top menu), filter.
Click the down-arrow at the right of Event Source, and choose "WinDefend."
Click apply, click OK.

Now--in the right window, scroll back to the time of the original detection,
and look for yellow-triangle marked records for those original detections.
Double-click a record in the right window to open it and see the full
detail. You can cut and paste, via a button--back to this thread.

Some possibilities are that the items detected are in the System Restore
storage area, an antivirus Quarantine, or, perhaps, is an archive file of
some sort, which might contain valid data in addition to the spyware

I'm guessing, but I would imagine the detections are either in an archive
file (zip type compressed file) which Defender doesn't remove, since such
files could contain other wanted/needed information, or they are in a restore
folder which also isn't touched by Defender, or they are in a quarantine

All occurrences are harmless in that state but could cause a problem if
uncompressed or restºred.

I hope this post is helpful.

Let us know how it works ºut.
- -- ---

The anger of lovers renews the strength of love. —Publilius Syrus

Kyle Eubanks

Hello. I am having the same problems with windows defender and win32/foto
modifier. I followed the steps pertaining to my computer management and here
is a copy of my first detected warning i hope someone can be of some help and
help me figure this out.

Log Name: System
Source: Microsoft-Windows-Windows Defender
Date: 1/8/2008 10:30:41 PM
Event ID: 3004
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: banks-PC
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
Not Applicable
Scan ID: {C961C556-7B1D-437F-8F74-B3A9393B8873}
User: banks-PC\banks
Name: Unknown
Severity ID:
Category ID:
Path Found:
iemain:HKCU@S-1-5-21-3483150513-97960051-1560356023-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
Alert Type: Unclassified software
Detection Type:
Event Xml:
<Event xmlns="">
<Provider Name="Microsoft-Windows-Windows Defender"
Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" EventSourceName="WinDefend" />
<EventID Qualifiers="0">3004</EventID>
<TimeCreated SystemTime="2008-01-09T04:30:41.000Z" />
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Security />
<Data Name="Product Name">%%827</Data>
<Data Name="Product Version">1.1.1505.0</Data>
<Data Name="Scan ID">{C961C556-7B1D-437F-8F74-B3A9393B8873}</Data>
<Data Name="Unused">
<Data Name="Unused">
<Data Name="Unused">
<Data Name="Unused">
<Data Name="Domain">banks-PC</Data>
<Data Name="User">banks</Data>
<Data Name="SID">S-1-5-21-3483150513-97960051-1560356023-1000</Data>
<Data Name="Threat Name">Unknown</Data>
<Data Name="Threat Id">
<Data Name="Threat Severity">
<Data Name="Threat Category">
<Data Name="FWLink">%%832</Data>
<Data Name="Path
Found">iemain:HKCU@S-1-5-21-3483150513-97960051-1560356023-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page</Data>
<Data Name="Threat Classification Index">0</Data>
<Data Name="Threat Classification">%%807</Data>
<Data Name="Unused">
<Data Name="Unused">
<Data Name="Detection Type Index">
<Data Name="Detection Type">

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question