PDA

View Full Version : I'm still having Immunization Problems...



poolsharkzz
2008-01-13, 22:26
Hello to all,

I am still having Immunization Problems with the new Spybot 1.5.2.19 RC1.

I wrote about this problem back on 12-22-07, md usa spybot fan replyed, but no real solution found.

Does anyone have any ideas?

Please advise,

Odd Todd

honda12
2008-01-13, 22:33
Hi OddTodd,

Have you tried immunizing then pressing the undo button - and then re-immunizing?

honda :)

poolsharkzz
2008-01-13, 22:44
honda12,

Thanks for responding, that was really quick...

Yes, I just followed your instructions, but it didn't work.

I want to get to the bottom of this, if possible!

Did you get the chance to review my past thread from 12-22-07?

OddTodd

honda12
2008-01-13, 22:53
Hi OddTodd,

I see you are running spyware-blaster - Try disabling it's protection and then try to immunize spybot.

I believe there has been cases in the past where some programs 'undo' each others protection (non-intentionally)

honda12
2008-01-13, 23:03
Also I see you ran Free Windows Registry Repair - I recommend you use a more reputable cleaner (for example ccleaner) because there have been reports that Free Windows Registry Repair gives the user huge amounts of registry entries to be cleaned. This registry cleaner, I would class as over-vigorous in its cleaning, and therefore increasing it's risk of you deleting an important entry.

Registry cleaning should be done in a careful manner :)

Always remember to backup your registry before cleaning :red:

md usa spybot fan
2008-01-13, 23:29
OddTodd:

Solution from your other thread (http://forums.spybot.info/newreply.php?do=newreply&p=149540):


I don't know how the problem started but it appears that the presents of the subkey in the registry hive stimulates Spybot to immunize the key.

If you delete the subkeys of the HKEY_USERS\S-1-5-20_Classes key the problem disappears and Spybot no longer attempts to immunize in that key.

I don't know what to tell you about the HKEY_USERS\S-1-5-21_Classes key because I don't have one and don't know how it is used.

poolsharkzz
2008-01-14, 02:05
Guys - Please listen....

I am sorry, but I think you guys are missing what I am trying to ask/tell you....

1) I have done every trick mentioned and not mentioned in these forums to try to solve this - nothing works.

2.) Many times - with all the newer (1.5) versions of Spybot - I have deleted the keys responsible for the non-Immunization (S-1-5-20 & S-1-5-21).

3) What is happening here is that after I have deleted these registry keys and then I either restart my system or even just reboot - them registry keys keep returning!

4.) Something - it's either a program or a service or a tweak I did or a unknown or unneeded user profile or something new or ???????? is re-creating those registry keys each and every time after I have deleted them...

or could it be possibly be something that still needs fixing with Spybot???

I have not deleted these keys manually using the built-in registry editor - I have always used Free Windows Registry Repair 1.2 - which seems to be the only program to find these unneccessary keys.

5.) My question is this:

What is creating/re-creating these registry keys and how do I stop it from happening?

I really appreciate all your help. I am just a little bit frustrated about all of this - I am not angry - I just want to figure out the root cause and solve the problem.


md usa spybot fan -

Yes, you are completely correct, deleting the subkeys of HKEY_USERS\S-1-5-20_Classes key fixes the problem - but only for the S-1-5-20 "Immunization Items" in Spybot and thats only until I either restart my rig or reboot - this move is only a temp band-aid - I need to learn the root cause....

Not to mention HKEY_USERS\S-1-5-21_Classes key, which you said you had no clue...


honda12 -

Yes, I use Free Windows Registry Repair, I have had no problems with using it to date (as yet) and I agree, it is very much more of an "over-vigorous" registry cleaner, but that's what I use it for and I always create a backup file - as well as a complete registry backup.

I use CCleaner as well - great program but it doesn't find the S-1-5-20 and S-1-5-21 "problem keys".

I am stuck in the mud - any ideas??

Where do we go from here??

md usa spybot fan
2008-01-14, 07:00
md usa spybot fan -

...

Not to mention HKEY_USERS\S-1-5-21_Classes key, which you said you had no clue...
What I said was that I don't have the HKEY_USERS\S-1-5-21_Classes key.

User's have HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes key but I don't know how a HKEY_USERS\S-1-5-21_Classes gets geterated or is used.

_______________

You could us a registry monitor program such as Sysinternals Regmon to attempt to determine what is recreating the registry entries after you delete them.

Sysinternals:
Windows Sysinternals Documentation, downloads and additional resources
http://technet.microsoft.com/en-us/sysinternals/default.aspx

PepiMK
2008-01-14, 10:41
Hmmm... in some something_Classes keys, I've seen parts of the standard immunization path (\Software\Microsoft\Windows\CurrentVersion\........). These do not belong there (often contain just empty keys), but can fool the immunization to believe this is a regular user key (and not the classes key).

Haven't found out yet if that was a very early Spybot beta doing this, or any other software capable of doing the same kind of immunization, or something completely different...

poolsharkzz
2008-01-15, 19:25
md usa spybot fan -

All right, now we are getting somewhere!

I will be downloading Sysinternals Regmon sometime in the next few days, been mega-swamped but this is high on the priority list.

What I will do is compile and attach reports with my next post for your and PepiMK's review - maybe we can get to the bottom of all this?


Quick question - is anybody else still having "Immunization problems"?

Thanks,

OddTodd

Bumblebee4711
2008-01-19, 21:08
I have problems with the IMMUNISATION too. I get the message: "Diese Aktion wird aufgrund fehlender AdministationsRechte unter Umständen nur teilweise durchgeführt. Etc. etc. . . " This warning is correct, SPYBOT does a partly immunisation.

The warning "Windows Vista - Für einige Funktionen werden Administratorrechte benötigt" does not help. I am working under/with the administration-rights, but get only "partly immunisation". The current help does not help too much either. I am missing the option under SPYBOT to get the administration-right.

I hope it will work under the new release. 19.01.2008 http://forums.spybot.info/images/smilies/sad.gif
:sad:

Bumblebee4711
2008-01-20, 11:06
:oops:

I checked this time the ENGLISH help. There it is written, how to overcome the "you need authorisation rights". It works. But the problem, that SPYBOT takes very, very long to start is still present.

:oops:

spybotsandra
2008-01-20, 14:56
Hello,

So have you already upgraded to the new Spybot beta (http://www.spybotupdates.biz/files/beta/spybotsd15he-beta2.exe)?
The problem with the long start is fixed there.

Best regards
Sandra
Team Spybot

Titano
2008-01-20, 22:21
Spybot 1.5.2 (in reality 1.5.1.19)

I have not a great problem to point out, but just an annoying issue.

It is already the second time that I download updates (since I installed the new beta) and I noticed that after the process of downloading and after having immunized, some files are still Unprotected (being 33 the first time and 3 the second).

In conclusion, every week, in correspondence of update-day, I have Immunize--> Undo --> Immunize again and sometime Immunize--> Deselect all-->Undo--> Immunize--> Select all--> Immunize again (maybe it is not the correct procedure but to the end I get the complete protection).

Using Spybot 1.4 (for years) I never had this issue.

Regards

Titano
__________________________________

Online Armor Beta Tester

poolsharkzz
2008-01-20, 23:44
md usa spybot fan & PepiMK,

Hello again to all!

Sorry it's been a week, been very busy!

Okay...

I have downloaded System Internal's Regmon, and made a few reports for your review, which are attached along with Free Window Registry Repair 1.2's Report.

Regmon's Reports are broken down as such:

Regmon1: Report was created right before I ran Free Window Registry Repair 1.2

Regmon2: Report was created right after I cleaned registry with Free Window Registry Repair 1.2

Regmon Final: Report was created right after restarting my system, which I did right after I cleaned registry and created Regmon2 Report.

Free Window Registry Repair 1.2's Reports are broken down by S-1-5-18, S-1-5-20, and S-1-5-21.

The S-1-5-20_Classes and S-1-5-21-3305080096-3069123988-1010101338-1006_Classes Items: They still show up after restarting and still do not Immunize.

This is a bit over my head, please comment and make suggestions.

If you need any additional information, please request.

Thanks again!

OddTodd


PS. I am having problems uploading the Regmon Reports. I think they are too big - any suggestions?

Could I directly e-mail them to you?

Please advise.

md usa spybot fan
2008-01-22, 20:04
OddTodd:

We have established that if certain registry sub-keys are present on your system where they should not normally be (namely the S-1-5-20_Classes and S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx_Classes registry hives) that Spybot to attempts to immunize in those keys. Patrick Kolla is now aware of that and may eventually find and fix the problem.

To overcome that problem from a Spybot immunization standpoint, just stop attempting to immunize those registry hives.

Other than that, you have not mentioned any other adverse affects the presents of those sub-keys are causing, so it may be wise to just well enough alone.
_______________

On the other hand, if you intend on continuing to try and find what software is recreating the registry keys that you claim you have deleted, there a few things that you should understand. I recommended the possibility of using Regmon because it monitors and displays Registry activity. In order to do that you must run the program while the registry is being changed, not before or after changes as you indicate that the Regmon reports you took so far represent. In other words you must run Regmon during the activity that you are interested in monitoring i.e. when the changes are occurring.

Also, if you are going to continue to use Regmon, I suggest that you the read the "Filtering Output" section in the REGMON Help File (REGMON.HLP), so that you can attempt to limit the output to just the registry keys that you are interested in. In addition, if you are correct that the registry key are being recreated at system startup, it is most likely that you will have to do a "Log Boot" to find what is doing it, so I suggest that you read the "Monitoring Boot-Time Registry Access (Windows NT/2K only)" section of the REGMON Help File also. It should be noted that when I used previous versions of Regmon, filtering did not appear work while doing a "Log Boot".

What you are looking for in the Regmon output is the program (Process) that is doing a Create Key (Request) on the sub-keys (Path) that you indicate are being recreated.

Good luck