Event ID 1006 — Microsoft Antimalware Engine Spyware Removal

Applies To: Windows Server 2008 R2

During a Windows Defender scan, the Microsoft Antimalware Engine quarantines or removes any spyware or potentially unwanted software detected on the computer. When spyware or other potentially unwanted software is quarantined, it is moved to an isolated folder on the computer.

As new definitions are released, items in quarantine can be scanned again to see if the spyware or other potentially unwanted software can be cleaned and released from quarantine. When spyware or other potentially unwanted software is removed, it is deleted from the computer.

Event Details

Product: Windows Operating System
ID: 1006
Source: Microsoft-Windows-Windows Defender
Version: 6.1
Symbolic Name: MALWAREPROTECTION_MALWARE_DETECTED
Message: %1 scan has detected spyware or other potentially unwanted software.
For more information please see the following:
%15
%tScan ID:%b%3
%tScan Type:%b%5
%tScan Parameters:%b%7
%tUser:%b%8\%9
%tName:%b%11
%tID:%b%12
%tSeverity ID:%b%13
%tCategory ID:%b%14
%tPath Found:%b%16
%tDetection Type: %b%22

Resolve

Remove spyware or other potentially unwanted software

If a Windows Defender scan detects spyware or other potentially unwanted software, you will receive an alert. If you are not sure whether this is spyware or other potentially unwanted software, you can use the Advice section or click View more information about this item online in the alert. The alerts are listed in the Windows Defender history.

To perform this procedure, you must be a member of the Users group, or you must have been delegated the appropriate authority.

To remove an application by using Windows Defender:

  1. In the Scan Results window of Windows Defender under the action column, click Remove.
  2. If this is an application that is not spyware or other potentially unwanted software, click Ignore to ignore the alert for this scan, or click Always Allow to ignore this alert in the current scan and all future Windows Defender scans.
  3. Click Apply Actions.
  4. Under Scan Results, wait for Actions completed to display, and then close Windows Defender.

Verify

When Windows Defender takes an action on spyware or other potentially unwanted software, an entry is created in the Windows Defender History. To verify that the spyware or other potentially unwanted software was successfully removed from your computer, you should verify that an entry was created in the Windows Defender History and that the appropriate action was taken.

To perform this procedure, you must be a member of the Users group, or you must have been delegated the appropriate authority.

To verify that the spyware or other potentially unwanted software was successfully removed:

  1. Click Start, point to All Programs, and then click Windows Defender.
  2. Click History.
  3. Under Programs and Actions, verify that the Action Taken column says Remove.
  4. Verify that the Status column says Succeeded.
  5. Close Windows Defender.

Note: If you clicked Ignore or Always Allow for the action in the Windows Defender alert, the Action Taken column will display either Ignore or Always Allow.

Microsoft Antimalware Engine Spyware Removal

Core Security