Bad products blocked

piranha

New member
I updated my Spybot, did the immunization and got only 14316 bad products blocked. My buddy reports having 17600!!! :sad:

Explain? Solution?

Windows XP home SP2

thanks
 
piranha:

Are you immunizing from a "Computer administrator" account?

If you are immunizing from a "Computer administrator" account, you may not be immunizing in all the registry hives possible during Spybot's immunization.

  • Download the attached Query1.zip file.
  • Extract Query1.bat into its own folder (see Note #1).
  • Execute Query1.bat by double clicking on it.
  • After the execution of Query1.bat it should have created a Query1.txt file in the same folder as the Query1.bat file (see Note #2). Copy the contents of the Query1.txt file to the clipboard:
    • Double click on the Query1.txt file and it should open with Notepad.
    • Select all (Ctrl+A)
    • Copy (Ctrl+C)
  • Then Paste (Ctrl+V) into a new post (reply) in this thread.
Then we can see what Registry keys are/are not accessible by the user.

Note #1: The code in the Query1.bat.

Code:
 ECHO QUERY1

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com" > Query1.txt

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com" >> Query1.txt

REG QUERY "HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com" >> Query1.txt

REG QUERY "HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com" >> Query1.txt

REG QUERY "HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com" >> Query1.txt

REG QUERY "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com" >> Query1.txt

EXIT

Note #2: The output that I get (Windows XP Home from a Computer Administrator account).

Code:
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com
    <NO NAME>	REG_DWORD	0x5

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com
    <NO NAME>	REG_DWORD	0x5

! REG.EXE VERSION 3.0

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com
    <NO NAME>	REG_DWORD	0x5

! REG.EXE VERSION 3.0

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com
    <NO NAME>	REG_DWORD	0x5

! REG.EXE VERSION 3.0

HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com
    <NO NAME>	REG_DWORD	0x5

! REG.EXE VERSION 3.0

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com
    <NO NAME>	REG_DWORD	0x5
 
Yes, I immunized from an administrator account.

I did what you suggested, and I got this... (Still got only 14316 products blocked... :sad: )


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com
<SANS NOM> REG_DWORD 0x5

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com
<SANS NOM> REG_DWORD 0x5

! REG.EXE VERSION 3.0

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com
<SANS NOM> REG_DWORD 0x5

! REG.EXE VERSION 3.0

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com
<SANS NOM> REG_DWORD 0x5

! REG.EXE VERSION 3.0

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\180solutions.com
<SANS NOM> REG_DWORD 0x5
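
The comparison made by eye in this thread (which of the six queried hives actually returned the key) can be automated; the following Python is an added example, not part of the thread and not Spybot's or any poster's code. The hive list and key path are the ones in Query1.bat; the function names and the sample text are constructed for illustration.

```python
import re

# The six hive roots that Query1.bat queries, in the same order.
HIVES = ["HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", r"HKEY_USERS\.DEFAULT",
         r"HKEY_USERS\S-1-5-18", r"HKEY_USERS\S-1-5-19", r"HKEY_USERS\S-1-5-20"]
SUBKEY = (r"SOFTWARE\Microsoft\Windows\CurrentVersion"
          r"\Internet Settings\P3P\History\180solutions.com")

# Value line: "<name> REG_TYPE data". The default-value label is localized
# (<NO NAME>, <SANS NOM>), so match on the type token, never on the name.
VALUE_RE = re.compile(r"^\s*(.+?)\s+(REG_[A-Z_]+)\s+(\S.*)$")


def parse_query_output(text):
    """Return {hive: data of the first value listed under SUBKEY}."""
    found, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # blank line or REG.EXE banner
            continue
        if line.upper().startswith("HKEY_"):   # key header: pick the hive
            current = None
            for hive in HIVES:
                if line.upper() == (hive + "\\" + SUBKEY).upper():
                    current = hive
                    found.setdefault(hive, None)
            continue
        m = VALUE_RE.match(raw)
        if m and current and found[current] is None:
            found[current] = m.group(3).strip()
    return found


def missing_hives(text):
    """Hives Query1.bat asked about that have no section in the output."""
    found = parse_query_output(text)
    return [h for h in HIVES if h not in found]


def build_sample(hives, label):
    """Constructed Query1.txt text in the shape shown in the thread."""
    block = "! REG.EXE VERSION 3.0\n\n{}\\{}\n    {}\tREG_DWORD\t0x5\n\n"
    return "".join(block.format(h, SUBKEY, label) for h in hives)


if __name__ == "__main__":
    # Constructed French-locale output with the S-1-5-19 section absent.
    present = [h for h in HIVES if not h.endswith("S-1-5-19")]
    print("missing:", missing_hives(build_sample(present, "<SANS NOM>")))
```
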
 
You are right, no HKEY_USERS\S-1-5-19 in my registry.

Does that mean spyware and malware could easily enter my PC?
 
It may not be a problem at all.

In the thread I referenced earlier, slotdr indicated that they disabled the Windows User Mode Driver Framework service which caused the HKEY_USERS\S-1-5-19 registry hive not to be available.

On my Windows XP Home system the HKEY_USERS\S-1-5-19 registry hive is available even though I do not have the Windows User Mode Driver Framework service. According to the following Microsoft article the Windows User Mode Driver Framework service was introduced with Windows Media Player 10 (I still run Windows Media Player 9):
You could check in services.msc (instructions in the article above) and see if you have the Windows User Mode Driver Framework service and if it is disabled. If the service is present and disabled, you could start the service and then see if the HKEY_USERS\S-1-5-19 registry hive is available using Regedit.
 
I use a French XP Home and version 11 of Windows Media Player, and I don't find that Windows User Mode Driver Framework service or something like that.

I don't see Wdfmgr.exe in Windows Task Manager either.
 