Results 1 to 9 of 9

Thread: Usage tracks question

  1. #1
    Junior Member
    Join Date
    Aug 2006
    Posts
    24

    Default Usage tracks question

    (Win xp home, Spybot 1.4, detection update 2007-03-28)

    Hi all,

    As shown below, I keep having these usage tracks detected. The Most recent application and Most recent application ID detections cannot be fixed, and Spybot requests to run again during the next boot. The Anonymous ID detection gets a green check as if it has been fixed by SS&D, but if I immediately run a second scan, it is again detected.

    I'm most curious about the anonymous ID detection. I think it is either a false positive regarding detection, or it is being detected correctly, but the fix that SS&D applies is wrong, so it gets detected again.

    I searched the forum for info about MS Media Player Anonymous ID, but I only found directions on how to exclude it from future searches. What I really want to know, what is the proper value for that registry key, and is SS&D detecting that the registry entry is wrong when it's really right? Or, is SS&D fixing it wrong, so it always gets detected again?

    Thanks...



    MS Media Player: Anonymous ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1275210071-764733703-1060284298-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

    MS DirectInput: Most recent application (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1275210071-764733703-1060284298-1004\Software\Microsoft\DirectInput\MostRecentApplication\Name!=

    MS DirectInput: Most recent application ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1275210071-764733703-1060284298-1004\Software\Microsoft\DirectInput\MostRecentApplication\Id!=

    Congratulations!: No immediate threats were found. ()



    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2007-02-07 TeaTimer.exe (1.5.0.6)
    2006-09-15 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2007-01-15 advcheck.dll (1.2.1.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2007-01-02 Tools.dll (2.0.1.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-03-28 Includes\Beta.sbi
    2005-02-16 Includes\Beta.uti (*)
    2007-03-28 Includes\Cookies.sbi
    2006-12-08 Includes\Dialer.sbi
    2007-03-28 Includes\DialerC.sbi
    2007-03-21 Includes\Hijackers.sbi
    2007-03-28 Includes\HijackersC.sbi
    2006-10-27 Includes\Keyloggers.sbi
    2007-03-28 Includes\KeyloggersC.sbi
    2004-11-29 Includes\LSP.sbi
    2007-03-21 Includes\Malware.sbi
    2007-03-28 Includes\MalwareC.sbi
    2007-03-21 Includes\PUPS.sbi
    2007-03-28 Includes\PUPSC.sbi
    2007-03-28 Includes\Revision.sbi
    2006-12-08 Includes\Security.sbi
    2007-03-28 Includes\SecurityC.sbi
    2007-03-21 Includes\Spybots.sbi
    2007-03-28 Includes\SpybotsC.sbi
    2005-02-17 Includes\Tracks.uti (*)
    2007-03-21 Includes\Trojans.sbi
    2007-03-28 Includes\TrojansC.sbi

  2. #2
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Go into Windows Media Player > Tools > Options. In the Options window click the Privacy tab. In the "Enhanced Content Provider Services" section uncheck "Send unique Player ID to content providers". Rerun a Spybot "Check for problems" with "Usage tracks" and see if the following detection went away:

    Code:
    MS Media Player: Anonymous ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1275210071-764733703-1060284298-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  3. #3
    Junior Member
    Join Date
    Aug 2006
    Posts
    24

    Default

    Hello, and thanks for your reply,

    Here's what I've figured out so far:

    If I check that check box in Media Player's options, it's reported by Spybot as a detection. When I look at that binary value's value in the registry, it's displayed as 01 (zero-one).

    If I uncheck the check box in Media Player's options and re-scan with Spybot, Spybot still reports it as a detection. However, when I look at that binary value's value again, it's displayed as 00 (zero-zero).

    If I delete the Spybot detected binary value SendUserGUID from that registry key, then Spybot doesn't report it as a detection, and the feature shows as unchecked in the media player options menu.

    If I again check the check box in Media Player's options and re-scan with Spybot, Spybot again reports it as a detection, and when I view that key of the registry, I see that the SendUserGUID value has been added back, and, its value is 01.

    If, in Spybot, I select it as a problem to fix, and let Spybot fix it, Spybot appears to have successfully fixed it, and displays a green check next to the problem. And, when I view the value of that binary value, it shows as 00, as it should. However, if I re-scan with Spybot, it shows up as a detection, even though the value of that binary value is 00.

    This makes me think Spybot's fix for this detection is correct, but its method of detecting this detection is where the flaw lies. If the value is not equal to zero, it should show up as a detection. If the value is equal to zero, it should not show up as a detection, but it still does.

    For now, it doesn't seem to harm anything when I delete the binary value from the key, so I guess I'll do that. However, perhaps this is something the Spybot developers should know about, if they don't already.

    Thanks...

  4. #4
    Member FAUST's Avatar
    Join Date
    Jan 2007
    Posts
    53

    Default

    as far as I can tell the problem is not SpyBot but Windows. It happens with a lot of usage tracks, SpyBot removes then and Windows instantly recreates then.
    What if love's intolerable pain never leaves us?
    Do we dash our bleeding hearts on the rocks of loneliness?
    And cry unto the lords above who turn away in haste?
    MY DYING BRIDE

  5. #5
    Junior Member
    Join Date
    Aug 2006
    Posts
    24

    Default

    Quote Originally Posted by FAUST View Post
    as far as I can tell the problem is not Spybot but Windows. It happens with a lot of usage tracks, Spybot removes then and Windows instantly recreates then.
    I don't think this is the case for this particular Spybot detection/fix scenario.

    In my post above, I've show that the value of the Spybot detected binary value is 01, when the feature is enabled in Media Player, and 00 when the feature is disabled in Media Player. And, I've also shown that Spybot detects it as a problem, no matter if the value is 00 or 01. And, when Spybot does detect it as a problem and you let Spybot apply its fix, Spybot changes the value to 00 (program feature disabled), yet Spybot still continues to detect it as a problem even though the value remains 00. There's a mismatch between Spybot's detection for this problem, and Spybot's fix for this problem, and I think this shows there's something wrong with Spybot's detection of the problem.

    How do I submit this to the Spybot folks for their review?

  6. #6
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Who Knew:

    Although I don't know what, here has to be something else in play in your system but not in mine.

    In the following detection:
    Code:
    MS Media Player: Anonymous ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1275210071-764733703-1060284298-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0
    "!=B=0" indicates: not equal (!=) binary (b) equal 0 (=0). In other words the SendUserGUID registry entry is not binary zero.

    I'm running Windows XP (Home) and I'm still using Windows Media Player 9.00.00.3349.

    When I check "Send unique Player ID to content providers" and click "Apply" the following registry entry immediately changes:
    Code:
    [HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences]
    From:
    Code:
    "SendUserGUID"=hex:00
    To:
    Code:
    "SendUserGUID"=hex:01
    And Spybot detects it.

    If I uncheck "Send unique Player ID to content providers" and click "Apply" the following registry entry immediately changes:
    Code:
    [HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences]
    From:
    Code:
    "SendUserGUID"=hex:01
    To:
    Code:
    "SendUserGUID"=hex:00
    And Spybot no longer detects it.

    I don't what is causing the difference in our observations, but at lease you know the cause of the following detection:
    Code:
    MS Media Player: Anonymous ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1275210071-764733703-1060284298-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0
    ----------------------------------------------------------

    As far as this observation goes:
    Quote Originally Posted by Who Knew View Post
    If I uncheck the check box in Media Player's options and re-scan with Spybot, Spybot still reports it as a detection. However, when I look at that binary value's value again, it's displayed as 00 (zero-zero).
    Try exiting and restarting Spybot before the "Check for problems". Spybot may still have that registry entry in memory or paged.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  7. #7
    Junior Member
    Join Date
    Aug 2006
    Posts
    24

    Default

    Thanks for the further info.

    I have xp home, but use Windows Media Player 11.

    I'll test again, making sure that I restart things between changes.

  8. #8
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Who Knew:

    Please note: I never attempted to do a "Fix selected problems" after I received the detection in Spybot after doing a "Check for problems".

    The original intent of my investigation was to determine the cause of the Spybot detection. I did that by tracing the detection you receive to the checking/unchecking if the "Send unique Player ID to content providers" in the "Enhanced Content Provider Services" section of the "Options" window that is displayed when you go into Windows Media Player's "Tools" > "Options".

    Quote Originally Posted by Who Knew View Post
    … and I think this shows there's something wrong with Spybot's detection of the problem.

    How do I submit this to the Spybot folks for their review?
    You may think that there is a problem with the detection, correction, etc. of Spybot's handling of the registry entry, but please keep in mind that no matter how flawed you think the detection/correction may be, it evidently is the only thing that alerted you to the fact that you or something else (even Windows Media Player itself) set a value in the system registry that seemingly sends the unique GUID of your system "… to content providers" (who/whom ever they may be).

    Without that detection you would have never known that "Send unique Player ID to content providers" was check.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  9. #9
    Junior Member
    Join Date
    Aug 2006
    Posts
    24

    Default

    Quote Originally Posted by md usa spybot fan View Post
    Who Knew:

    Please note: I never attempted to do a "Fix selected problems" after I received the detection in Spybot after doing a "Check for problems".

    The original intent of my investigation was to determine the cause of the Spybot detection. I did that by tracing the detection you receive to the checking/unchecking if the "Send unique Player ID to content providers" in the "Enhanced Content Provider Services" section of the "Options" window that is displayed when you go into Windows Media Player's "Tools" > "Options".


    You may think that there is a problem with the detection, correction, etc. of Spybot's handling of the registry entry, but please keep in mind that no matter how flawed you think the detection/correction may be, it evidently is the only thing that alerted you to the fact that you or something else (even Windows Media Player itself) set a value in the system registry that seemingly sends the unique GUID of your system "… to content providers" (who/whom ever they may be).

    Without that detection you would have never known that "Send unique Player ID to content providers" was check.
    Quite right. I'm not unthankful. My interest in this matter is one of academics and curiousity. It's worthwhile noting that I had already found that setting and unchecked the check box. When version 11 Media Player is installed, the user is presented a wizard, where all of the user's preferences are surveyed and settings are set. Only recently have I turned on usage tracks checking in Spybot, and In my case, Spybot still found it as a problem and was unable to fix it such that the problem finding method was satisfied and it was no longer detected as a problem by Spybot.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •