Usage tracks question



Who Knew
2007-03-31, 23:32
(Win xp home, Spybot 1.4, detection update 2007-03-28)

Hi all,

As shown below, I keep having these usage tracks detected. The Most recent application and Most recent application ID detections cannot be fixed, and Spybot requests to run again during the next boot. The Anonymous ID detection gets a green check as if it has been fixed by SS&D, but if I immediately run a second scan, it is again detected.

I'm most curious about the anonymous ID detection. I think it is either a false positive regarding detection, or it is being detected correctly, but the fix that SS&D applies is wrong, so it gets detected again.

I searched the forum for info about MS Media Player Anonymous ID, but I only found directions on how to exclude it from future searches. What I really want to know is: what is the proper value for that registry key, and is SS&D detecting that the registry entry is wrong when it's really right? Or is SS&D fixing it wrong, so it always gets detected again?

Thanks...



MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1275210071-764733703-1060284298-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS DirectInput: Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1275210071-764733703-1060284298-1004\Software\Microsoft\DirectInput\MostRecentApplication\Name!=

MS DirectInput: Most recent application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1275210071-764733703-1060284298-1004\Software\Microsoft\DirectInput\MostRecentApplication\Id!=

Congratulations!: No immediate threats were found. ()



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2007-02-07 TeaTimer.exe (1.5.0.6)
2006-09-15 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-15 advcheck.dll (1.2.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-03-28 Includes\Beta.sbi
2005-02-16 Includes\Beta.uti (*)
2007-03-28 Includes\Cookies.sbi
2006-12-08 Includes\Dialer.sbi
2007-03-28 Includes\DialerC.sbi
2007-03-21 Includes\Hijackers.sbi
2007-03-28 Includes\HijackersC.sbi
2006-10-27 Includes\Keyloggers.sbi
2007-03-28 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2007-03-21 Includes\Malware.sbi
2007-03-28 Includes\MalwareC.sbi
2007-03-21 Includes\PUPS.sbi
2007-03-28 Includes\PUPSC.sbi
2007-03-28 Includes\Revision.sbi
2006-12-08 Includes\Security.sbi
2007-03-28 Includes\SecurityC.sbi
2007-03-21 Includes\Spybots.sbi
2007-03-28 Includes\SpybotsC.sbi
2005-02-17 Includes\Tracks.uti (*)
2007-03-21 Includes\Trojans.sbi
2007-03-28 Includes\TrojansC.sbi

md usa spybot fan
2007-04-01, 06:16
Go into Windows Media Player > Tools > Options. In the Options window click the Privacy tab. In the "Enhanced Content Provider Services" section uncheck "Send unique Player ID to content providers". Rerun a Spybot "Check for problems" with "Usage tracks" and see if the following detection went away:


MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1275210071-764733703-1060284298-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

Who Knew
2007-04-02, 18:04
Hello, and thanks for your reply,

Here's what I've figured out so far:

If I check that check box in Media Player's options, it's reported by Spybot as a detection. When I look at that binary value's value in the registry, it's displayed as 01 (zero-one).

If I uncheck the check box in Media Player's options and re-scan with Spybot, Spybot still reports it as a detection. However, when I look at that binary value's value again, it's displayed as 00 (zero-zero).

If I delete the Spybot detected binary value SendUserGUID from that registry key, then Spybot doesn't report it as a detection, and the feature shows as unchecked in the media player options menu.

If I again check the check box in Media Player's options and re-scan with Spybot, Spybot again reports it as a detection, and when I view that key of the registry, I see that the SendUserGUID value has been added back, and, its value is 01.

If, in Spybot, I select it as a problem to fix, and let Spybot fix it, Spybot appears to have successfully fixed it, and displays a green check next to the problem. And, when I view the value of that binary value, it shows as 00, as it should. However, if I re-scan with Spybot, it shows up as a detection, even though the value of that binary value is 00.

This makes me think Spybot's fix for this detection is correct, but its method of detecting this detection is where the flaw lies. If the value is not equal to zero, it should show up as a detection. If the value is equal to zero, it should not show up as a detection, but it still does.

For now, it doesn't seem to harm anything when I delete the binary value from the key, so I guess I'll do that. However, perhaps this is something the Spybot developers should know about, if they don't already.

Thanks...

FAUST
2007-04-02, 18:25
As far as I can tell the problem is not SpyBot but Windows. It happens with a lot of usage tracks, SpyBot removes them and Windows instantly recreates them.

Who Knew
2007-04-02, 19:07
> As far as I can tell the problem is not Spybot but Windows. It happens with a lot of usage tracks, Spybot removes them and Windows instantly recreates them.

I don't think this is the case for this particular Spybot detection/fix scenario.

In my post above, I've shown that the value of the Spybot detected binary value is 01, when the feature is enabled in Media Player, and 00 when the feature is disabled in Media Player. And, I've also shown that Spybot detects it as a problem, no matter if the value is 00 or 01. And, when Spybot does detect it as a problem and you let Spybot apply its fix, Spybot changes the value to 00 (program feature disabled), yet Spybot still continues to detect it as a problem even though the value remains 00. There's a mismatch between Spybot's detection for this problem, and Spybot's fix for this problem, and I think this shows there's something wrong with Spybot's detection of the problem.

How do I submit this to the Spybot folks for their review?

md usa spybot fan
2007-04-02, 19:09
Who Knew:

Although I don't know what, there has to be something else in play in your system but not in mine.

In the following detection:

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1275210071-764733703-1060284298-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0
"!=B=0" indicates: not equal (!=) binary (b) equal 0 (=0). In other words the SendUserGUID registry entry is not binary zero.

I'm running Windows XP (Home) and I'm still using Windows Media Player 9.00.00.3349.

When I check "Send unique Player ID to content providers" and click "Apply" the following registry entry immediately changes:

[HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences]
From:

"SendUserGUID"=hex:00
To:

"SendUserGUID"=hex:01
And Spybot detects it.

If I uncheck "Send unique Player ID to content providers" and click "Apply" the following registry entry immediately changes:

[HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences]
From:

"SendUserGUID"=hex:01
To:

"SendUserGUID"=hex:00
And Spybot no longer detects it.

I don't know what is causing the difference in our observations, but at least you know the cause of the following detection:

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1275210071-764733703-1060284298-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0
----------------------------------------------------------

As far as this observation goes:

> If I uncheck the check box in Media Player's options and re-scan with Spybot, Spybot still reports it as a detection. However, when I look at that binary value's value again, it's displayed as 00 (zero-zero).

Try exiting and restarting Spybot before the "Check for problems". Spybot may still have that registry entry in memory or paged.
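
The "!=B=0" reading given in the post above, as an added example that is not part of the original thread and is not Spybot's code: a small Python evaluator for that rule syntax, run against the three states reported in the thread (hex:01, hex:00, value deleted). The registry is a constructed in-memory dict with a placeholder SID, and treating a missing value as "no detection" is an assumption taken from the thread's observations.

```python
import re

# Rule syntax as read in the post above: <key>\<value>!=[<type>=]<expected>.
# "B" marks binary data; other type tags are not covered on the page.
RULE = re.compile(r"^(?P<key>.+)\\(?P<name>[^\\!]+)!=(?:(?P<type>[A-Z])=)?(?P<expected>.*)$")

def parse_rule(line):
    """Split a detection line into (key, value name, type tag, expected data)."""
    m = RULE.match(line.strip())
    if m is None:
        raise ValueError(f"not a registry detection line: {line!r}")
    return m["key"], m["name"], m["type"], m["expected"]

def rule_fires(line, registry):
    """True when the value exists and its data differs from the expected data.

    Assumption: an absent value does not fire, matching the thread's
    observation that deleting SendUserGUID cleared the detection.
    """
    key, name, type_tag, expected = parse_rule(line)
    data = registry.get((key.lower(), name.lower()))  # registry names are case-insensitive
    if data is None:
        return False
    if type_tag == "B":
        # Compare the REG_BINARY bytes numerically against the expected integer.
        return int.from_bytes(data, "little") != int(expected)
    if type_tag is None:
        return data != expected  # plain string comparison, e.g. "Name!="
    raise ValueError(f"unsupported type tag {type_tag!r}")

# Constructed sample data; the SID is a placeholder, not the one from the scan.
PREFS = r"HKEY_USERS\S-1-5-21-EXAMPLE\Software\Microsoft\MediaPlayer\Preferences"
DINPUT = r"HKEY_USERS\S-1-5-21-EXAMPLE\Software\Microsoft\DirectInput\MostRecentApplication"
GUID_RULE = PREFS + r"\SendUserGUID!=B=0"
NAME_RULE = DINPUT + r"\Name!="

def scan(send_user_guid):
    """Evaluate GUID_RULE for one state of SendUserGUID (None = value deleted)."""
    registry = {}
    if send_user_guid is not None:
        registry[(PREFS.lower(), "senduserguid")] = send_user_guid
    return rule_fires(GUID_RULE, registry)

if __name__ == "__main__":
    for label, data in [("hex:01", b"\x01"), ("hex:00", b"\x00"), ("deleted", None)]:
        print(f"SendUserGUID {label:8} -> detected: {scan(data)}")
```

Under this reading only hex:01 is reported, so a scan that still reports the value at hex:00 is not explained by the rule text alone.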

Who Knew
2007-04-02, 23:16
Thanks for the further info.

I have xp home, but use Windows Media Player 11.

I'll test again, making sure that I restart things between changes.

md usa spybot fan
2007-04-03, 00:55
Who Knew:

Please note: I never attempted to do a "Fix selected problems" after I received the detection in Spybot after doing a "Check for problems".

The original intent of my investigation was to determine the cause of the Spybot detection. I did that by tracing the detection you receive to the checking/unchecking of the "Send unique Player ID to content providers" in the "Enhanced Content Provider Services" section of the "Options" window that is displayed when you go into Windows Media Player's "Tools" > "Options".


> … and I think this shows there's something wrong with Spybot's detection of the problem.
>
> How do I submit this to the Spybot folks for their review?

You may think that there is a problem with the detection, correction, etc. of Spybot's handling of the registry entry, but please keep in mind that no matter how flawed you think the detection/correction may be, it evidently is the only thing that alerted you to the fact that you or something else (even Windows Media Player itself) set a value in the system registry that seemingly sends the unique GUID of your system "… to content providers" (who/whom ever they may be).

Without that detection you would have never known that "Send unique Player ID to content providers" was checked.

Who Knew
2007-04-03, 02:27
> Who Knew:
>
> Please note: I never attempted to do a "Fix selected problems" after I received the detection in Spybot after doing a "Check for problems".
>
> The original intent of my investigation was to determine the cause of the Spybot detection. I did that by tracing the detection you receive to the checking/unchecking of the "Send unique Player ID to content providers" in the "Enhanced Content Provider Services" section of the "Options" window that is displayed when you go into Windows Media Player's "Tools" > "Options".
>
> You may think that there is a problem with the detection, correction, etc. of Spybot's handling of the registry entry, but please keep in mind that no matter how flawed you think the detection/correction may be, it evidently is the only thing that alerted you to the fact that you or something else (even Windows Media Player itself) set a value in the system registry that seemingly sends the unique GUID of your system "… to content providers" (who/whom ever they may be).
>
> Without that detection you would have never known that "Send unique Player ID to content providers" was checked.

Quite right. I'm not unthankful. My interest in this matter is one of academics and curiosity. It's worthwhile noting that I had already found that setting and unchecked the check box. When version 11 Media Player is installed, the user is presented a wizard, where all of the user's preferences are surveyed and settings are set. Only recently have I turned on usage tracks checking in Spybot, and in my case, Spybot still found it as a problem and was unable to fix it such that the problem finding method was satisfied and it was no longer detected as a problem by Spybot.