Windows Defender Configuration has changed...by MALWARE!!

zarm

Hi,

After I removed Bonjour from my laptop, Windows Defender always pops up an alert:

"A system change was made by a known application...change type: application execution...C:\windows\system32\mswsock.dll".

This happens when I connect to the network/internet and also when I disconnect from it.

When I checked through Event Viewer, I found some errors:

1- Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = 1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = 2

2- Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\Real-Time Protection\EnableUnknownPrompts = 0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\EnableUnknownPrompts = 1

3- Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\1 = 6


Please help! My laptop is just 5 months old but it gets slower day by day...

Thanks in advance!
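The three events above name exact registry values, so the first thing worth doing is to read those values as they are now and pull the Defender "configuration has changed" events next to the network connect/disconnect events, to see whether the timestamps line up with plugging in and unplugging the network. The script below is an added example written for this thread, not something posted by zarm or shipped by Microsoft. It assumes PowerShell 2.0 or later in an elevated prompt, that event ID 5007 is the "Windows Defender Configuration has changed" event (written to the System log with source "Windows Defender" on Vista/7, and to the Microsoft-Windows-Windows Defender/Operational log on later Windows), and that NetworkProfile events 10000/10001 are "network connected/disconnected"; those event IDs and log names are assumptions, not something the thread states.

```powershell
# Added example (not from the thread): snapshot the Windows Defender settings reported in the
# 5007 events and list recent Defender configuration changes beside network profile changes.
# Assumptions: PowerShell 2.0+, elevated prompt; event IDs / log names as described above.

$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\SpyNet';                              Name = 'SpyNetReporting' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection';                Name = 'EnableUnknownPrompts' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction'; Name = '1' }
)

'== Current Defender settings =='
foreach ($s in $settings) {
    # -ErrorAction SilentlyContinue: the key or value may simply not exist on this build
    $item  = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($s.Name) } else { '<not set>' }
    '{0}\{1} = {2}' -f $s.Path, $s.Name, $value
}

"`n== Recent Defender configuration changes (ID 5007) and network profile changes =="
$filters = @(
    @{ LogName = 'System';                                         ProviderName = 'Windows Defender'; Id = 5007 },   # Vista / 7 (assumed)
    @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 },                                       # later Windows (assumed)
    @{ LogName = 'Microsoft-Windows-NetworkProfile/Operational';   Id = 10000, 10001 }                                # connected / disconnected (assumed)
)
$events = foreach ($f in $filters) {
    # a log that does not exist on this machine is skipped instead of aborting the script
    Get-WinEvent -FilterHashtable $f -MaxEvents 50 -ErrorAction SilentlyContinue
}

$events |
    Sort-Object TimeCreated |
    ForEach-Object {
        # collapse the multi-line message so each event is one line in the timeline;
        # for 5007 this keeps the "Old value ... New value ..." part visible
        $text = ($_.Message -replace '\s+', ' ')
        '{0:yyyy-MM-dd HH:mm:ss}  {1,-38} {2,5}  {3}' -f $_.TimeCreated, $_.ProviderName, $_.Id, $text
    }
```

Save it as, say, Defender-Audit.ps1 and run it with `powershell -ExecutionPolicy Bypass -File .\Defender-Audit.ps1` from an elevated prompt. If every 5007 entry sits within a second or two of a 10000/10001 entry, the changes track the network coming up and down; the events only record what changed, not which process changed it, so that correlation is the closest the log itself will get you to a cause.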

Try a Trendmicro free scan.

Hello zarm,

Welcome to the forums!

I get this same message anytime I have to re-boot my internet modem.
Now I am not saying that yours can't be evilware; but it may be worth
checking out. The way I get around it is to re-boot with my computer off;
re-boot the modem then boot my machine back up.

Though it would be a real good idea to do thorough virus and spyware scans.


zarm said:
"A system change was made by a known application...change type: application execution...C:\windows\system32\mswsock.dll".

Maybe if you attach a HijackThis log file (not copy/paste) someone will look at it for you.
Just heed the warnings that come with HijackThis!

TrendSecure | Download TrendMicro HijackThis


Later :shock: Ted

Bonjour is something that is installed by Apple when installing iTunes.
Bonjour, formerly Rendezvous, is Apple Inc.'s trade name for its implementation of Zeroconf, a service discovery protocol used in Apple's Mac OS X operating system from version 10.2 onwards, and on Microsoft Windows operating systems when installed (it is installed with iTunes, for example). Intended for use on local area networks, Bonjour uses multicast Domain Name System service records to locate devices such as printers, as well as other computers, and the services that those devices offer.
The software is released under a terms-of-limited-use license by Apple. While it is freeware for clients, developers and software companies who want to include it in their software package should check with Apple on licensing agreements.
I'm sure that this is not malware affecting your system, yet Windows Defender is just getting a little overzealous.
Bonjour is a general method to discover services on a local area network, so I'm sure it's just complaining about a change that needs to be made.

http://en.wikipedia.org/wiki/Bonjour_(software)

GURU, I tried to follow your advice, but the dialog box below came out, and after I clicked OK it still came out until I clicked Cancel; then the scanner was in idle mode... I don't know??

Result from Trend Micro free scan:
Scanning and Cleaning Complete

HouseCall did not find any potential threats on your computer. Make sure you run HouseCall once a week to keep your PC clean and malware free. :)

Hello BareFootKid,

Here is the HijackThis log file. Hope you and the other specialists can give excellent words! Thank you, Sir...

Hi,
Regarding the HijackThis log, I have a few questions.
Is your laptop an HP Pavilion?
Do you run BBC iPlayer?

With regard to the Defender alert, before telling you how to avoid it when it is related to a known Windows system file, would you please give the size of mswsock.dll (exact size please).

Hi Sid,

I'm using a Presario V3631TU but not running BBC iPlayer (I never even knew about this player before).

About the size of mswsock.dll, from Properties I got 223,232 bytes/218 KB (size) and 225,280 bytes/220 KB (size on disk). Am I correct?

Thank you in advance.

Then there are no problems with the files I was thinking of.

You should (just my opinion) uninstall the Akamai ActiveX control and the toolbars, which may alter your system.

With regard to the WD warnings, try this (if not done already):

In Defender, go to Tools / Options / "Choose if Windows Defender should notify you about".
Untick "Software that has not been classified for risks" and do not forget to save.
Reboot

I'm quite relieved when you said no problem. But how do I uninstall Akamai? I remember this ActiveX control was installed to download an Adobe CS3 file. I tried to uninstall it via Add/Remove Programs but could not find this Akamai?

Thank you, Sid.

It is an ActiveX control; you can uninstall it in IE / Tools / Manage Add-ons.

With regard to the DLL file, I said no problem because the version is right ;)
Sometimes malware comes as the same file, which has been replaced and therefore has a different size. So there is no problem in your HijackThis log (no known bad files).
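Size and version are a reasonable first sanity check on a system DLL, but a replaced file can be padded to the original size and can carry any version string, so the stronger test is whether the file still carries a valid Microsoft Authenticode signature and whether it hashes the same as the pristine copies Windows keeps in its component store. The script below is an added example for this thread, not code from any poster; it assumes PowerShell 2.0 or later in an elevated prompt, that the component store lives under %SystemRoot%\WinSxS, and that `sfc /verifyfile` is available (Vista and later). The SHA-256 is computed through .NET because `Get-FileHash` does not exist in old PowerShell versions.

```powershell
# Added example (not from the thread): decide whether C:\Windows\System32\mswsock.dll is the
# file Windows shipped, instead of trusting its size alone.
# Assumptions: PowerShell 2.0+, elevated prompt, pristine copies under %SystemRoot%\WinSxS.

$target = "$env:SystemRoot\System32\mswsock.dll"
$file   = Get-Item $target

# 1. Size and version, as the thread asked for (both vary between Windows builds and service packs)
'{0}: {1:N0} bytes, file version {2}' -f $file.FullName, $file.Length, $file.VersionInfo.FileVersion

# 2. Authenticode: a genuine system DLL is signed by Microsoft and the status must be Valid.
#    NotSigned, HashMismatch or UnknownError all mean the file is not what Microsoft shipped.
$sig = Get-AuthenticodeSignature $target
'Signature: {0}  signer: {1}' -f $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid') {
    Write-Warning 'Signature is not valid - treat the file as suspect and let sfc repair it'
}

# 3. Hash the live file and every copy in the component store; a MATCH against a copy with
#    the same version means the on-disk file is byte-for-byte the one Windows installed.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
function Get-Sha256Hex($path) {
    $stream = [System.IO.File]::OpenRead($path)
    try     { ([System.BitConverter]::ToString($sha256.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}
$liveHash = Get-Sha256Hex $target
"SHA-256 of live file: $liveHash"

Get-ChildItem "$env:SystemRoot\WinSxS" -Recurse -Filter mswsock.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = Get-Sha256Hex $_.FullName
        $verdict = if ($h -eq $liveHash) { 'MATCH  ' } else { 'DIFFERS' }
        '{0}  {1,-20}  {2}' -f $verdict, $_.VersionInfo.FileVersion, $_.FullName
    }

# 4. Finally let Windows verify the file against its own catalogs (output goes to the console
#    and to %SystemRoot%\Logs\CBS\CBS.log).
sfc /verifyfile=$target
```

If the signature is Valid and the live hash matches a WinSxS copy of the same version, the DLL itself is clean and the Defender events are reporting a configuration change that merely happened while Winsock was in use; if either check fails, `sfc /scanfile=C:\Windows\System32\mswsock.dll` restores the file from the component store.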

Help! I have the same problem but none of your suggestions have helped. The problem is really slowing down my computer. I don't use iTunes and can't find anything with the name Akamai. I've run virus and malware scans and found nothing. I'm a little frustrated :( I'd appreciate any help.

No malware in your log.

To start with, clean temp files, Internet cache, etc. (CCleaner does it very safely) and defrag your drive!
Then you could try this to find where your problems are coming from.
1/ In Tools / Manage Add-ons, deactivate all plugins installed by yourself or by programs you installed.
2/ I noticed that you have some toolbars (Yahoo, Google); deactivate them.
3/ Open msconfig; in Startup, untick all programs which are not necessary:
Nvidia, Adobe, Meteo, HP...
4/ Reboot and check if your machine runs fine.

I did everything that you recommended. The computer is definitely faster, but the same message pops up as soon as I log on, kinda like it's flipping me off! Any other ideas, or should I just live with it? Thanks for the help!

For the popup:
Control Panel / Windows Defender / Tools / Options
Scroll down to "Choose if Windows Defender should notify you about"
Uncheck "Software that has not been classified for risks"
Click "Save"
If not solved, also uncheck "Changes made to your computer by software that is permitted to run"
Click "Save"

Thanks again. The message is gone and the computer is running faster, BUT... it's like the symptoms are cured, but what's the cause of the original trouble? Why are there changes being constantly made by mswsock.dll? Any ideas??

Maybe some registry changes that Defender does not appreciate, or it could happen when you have a physical connection problem between your machine and the router (I've seen that case).