[coastie65]

Hey techie, I am leaning in that direction and the reason I wanted to download and run Both SUPERantispyware & Malwarebytes. The only other thingI can think of at the moment is when he is in normal mode, there is a lot of resources being used that it slows down the scan. This can be checked in Task Manager, and see what is using a lot of CPU / Memory. coastie

[MoyerNP]

It is running normal cpu and ram.

[coastie65]

If I remember correctly, you said it ran fine in Safe mode, which is the preferable way to run those things. Is this correct ?

[MoyerNP]

What do you mean by "preferable way to run those things"?

[coastie65]

Hi Moyer, It is preferable to run the scans in safe mode, as it is a better and more more effective way to do so. In safe mode, you have stuff possibly interfering with it when it is running and will do a better scan. coastie

[coastie65]

Hi, Something i forgot to mention. I was thinking about that last night after i went to bed and vaguely remembered having the same issue sometime way back. I couldn't remember the solution though. How much memory do you have in your computer ? coastie

[SpiritWind]

Hi :

There is a very sophisticated piece of malware that has recently been "released" and I

want you to try 2 possible "things" to see IF you have been "infected" by it !? One of its

Symptoms is the inability to download the FREE Malwarebytes Anti-Malware .

1) Do a Windows "Search" on your computer for "tdss" and more specifically

"TDSSserv.sys" and let me know what, IF anything, you find !? IF you find the

"TDSSserv.sys", DEFINITELY "Disable" it, then try and get and run a Scan of

Malwarebytes' Anti-Malware .

2) Attempt to download, then use the FREE "SDFix" program ; Info on this program is at

www.bleepingcomputer.com/forums/topic131299.html . NOTE : This program is

designed to run in "Safe Mode" .

[MoyerNP]

I could not find TDSSserv.sys. I am able to download the malwarebytes. I am running the scan right now.

[SpiritWind]

:D Hi :

PRIOR to doing a Windows "Search", One should at least temporary, UNCHECK the

"Hide protected operating system files" Setting ; have you done that ? IF Yes, have you

found ANY "tdss" and/or "TDSS" related files ? IF yes, please "copy, then paste" the

"Result" into your next Post .

Several times you mentioned you were unable to download, etc Malwarebytes

Anti-Malware ; what changed ? I hope you are NOT running its "Scan" in "Safe Mode"

because it is of very little practical value . IF you have Updated Malwarebytes

Anti-Malware PRIOR to running its scan, it MIGHT be helpful IF you Post its "Results"

in your next Post .

[MoyerNP]

How do I un check that thing? I ran the scan in normal mode. It found 19 MyWebSearch and 2 Vundo. I removed them Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 6.0.6001 Service Pack 1

2/13/2009 8:07:55 PM
mbam-log-2009-02-13 (20-07-55).txt

Scan type: Full Scan (C:|D:|F:|)
Objects scanned: 160439
Time elapsed: 1 hour(s), 37 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEYCLASSESROOTInterface{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYCLASSESROOTCLSID{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYCLASSESROOTCLSID{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYCLASSESROOTTypelib{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYCURRENTUSERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYCURRENTUSERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYCURRENTUSERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYCURRENTUSERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYCURRENTUSERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYCURRENTUSERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYCURRENTUSERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYCURRENTUSERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYCURRENTUSERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYCURRENTUSERSOFTWAREMicrosoftInternet ExplorerSearchScopes{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEYLOCALMACHINESOFTWAREMicrosoftInternet ExplorerSearchScopes{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEYLOCALMACHINESOFTWAREMicrosoftInternet ExplorerLow RightsElevationPolicy{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYLOCALMACHINESOFTWAREMicrosoftInternet ExplorerLow RightsElevationPolicy{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYLOCALMACHINESOFTWAREMicrosoftInternet ExplorerLow RightsElevationPolicy{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYLOCALMACHINESOFTWAREMicrosoftInternet ExplorerLow RightsElevationPolicy{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYLOCALMACHINESOFTWAREMicrosoftInternet ExplorerLow RightsElevationPolicy{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEYLOCALMACHINESOFTWAREMicrosoftInternet ExplorerLow RightsElevationPolicy{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[SpiritWind]

Hi :

Where "Hide Protected Operating System Files" Setting would be on a Vista Home

Premium OS I have no idea; however, on my Win XP OS, I go to Control Panel >

Folder Options > View . I read an article in Dec 2005 that said it can be found by going to:

Tools > Folder Options > View , so perhaps One of those might "work" . IF you are the

ONLY User of this computer, it would be wise to "uncheck" that Setting on a more or less

permanent basis .

Malwarebytes Anti-Malware appears to be functioning properly, so I do NOT know WHY you

could not download it before ( this last time ) .

IF you are interested in looking for possible undetected "Vundo"- type infections, I

recommend you use the FREE "VundoFix", available WITH Instructions, at

vundofix.atribune.org/ . And as an additional security precaution, you still should

consider using the "SDFix" program I recommended earlier !?

On this Forum, we usually recommend using "SUPERAntiSpyware" in tandem with

Malwarebytes Anti-Malware . I stopped recommending Webroot programs several yrs

ago because it seemed their programming was moving towards the "bloatware"

category .

[MoyerNP]

I did not find that file "tdss". I downloaded the free vundo fix and I am scanning now. I ran the Comodo anti virus and found nothing.

[coastie65]

Hey Moyer, The only thing I can think of is that there is something running in the background that is interfering with the scan. What it may be, I don't have a clue. I would try shutting down all unecessary programs that may be running and then trying it. coastie

[MoyerNP]

I tried that. Any program you can think of I can try turning off then running the scan.

[SpiritWind]

:D Hi :



Best to see a "List" of the programs on your computer; that is most easily done by using

the FREE "HijackThis" available from www.filehippo.com/download_hijackthis .

After installation, press the "Open the Misc Tools section" button, then click "Open Uninstall

Manager" button . A "list" should appear !? "Copy, then Paste" that "list" into your next

Reply .

P.S. Are you using BOTH Webroot AV & Comodo AV !?

[MoyerNP]

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
Adobe Shockwave Player
ArcSoft PhotoImpression 6
ArcSoft Print Creations
BOClean
Broadcom 802.11 Wireless LAN Adapter
CCleaner (remove only)
Combat Arms
Comodo BackUp
COMODO Internet Security
Comodo i-Vault
COMODO Memory Firewall
COMODO SafeSurf
COMODO System Cleaner 1.1.63928.28(32bit)
CrossLoop 2.41
Deal or No Deal
DebugMode Wax 2.0
Defraggler (remove only)
EPSON CX7400 User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX7400 Series Scanner Driver Update
ESU for Microsoft Vista
GMail Drive Shell Extension
Google Desktop
Google Earth
Google Gears
Google SketchUp 6
Google SketchUp 6
Google Update Helper
Google Updater
Hewlett-Packard Active Check for Health Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Doc Viewer
HP Help and Support
HP Quick Launch Buttons 6.20 B1
HP QuickPlay 3.6
HP Update
HP User Guides 0057
HP Wireless Assistant
HPNetworkAssistant
Intel Performance Power Manager
Java™ 6 Update 12
Java™ SE Runtime Environment 6
LightScribe System Software 1.10.19.1
Malwarebytes' Anti-Malware
MemInfo (remove only)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Works
MSCU for Microsoft Vista
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
muvee autoProducer 6.0
NVIDIA Drivers
Picasa 3
Privoxy (remove only)
Project Torque
QuickPlay SlingPlayer 0.4.6
Recuva (remove only)
Rhapsody
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Secunia PSI
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
SmartAudio
Spy Sweeper
Synaptics Pointing Device Driver
Tor 0.2.0.33
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Vidalia 0.1.10
Vongo
Windows Live Sign-in Assistant
Xfire (remove only)

I do have Comodo Av with my Comodo Firewall. I had it closed when I did the scan, so that can not be the problem.

[crazy4laptops]

i think i know why your scans take so long... if webroot is doing an in depth scan (scans of every single file)

with all those programs, ya theres your problem right there... scanning every single file in all those programs will take about 10 hrs (and a fragmented drive doesnt help much there)

i am curious as to why you have 10 installs of office 2007 sp1

[coastie65]

Hey Crazy, I saw that too with 10 installs of Office '07. I'm thinking that can't be good.

[SpiritWind]

Hi :


Basic computer principles is to have a MAXIMUM of 1 antiVIRUS providing "real-time"

protection, a MAXIMUM of 1 antiSPYWARE/antiTROJAN providing "real-time" protection, &

a MAXIMUM of 1 FIREWALL providing "real-time" protection . With BOTH Webroot AV with

AntiSPYWARE AND Comodo Internet Security, you have 2 programs "conflicting" with each

other in at least some of those "categories" . Your HijackThis Uninstall Log indicates you

have the "full" Comodo "Internet Security" and according to the Info on the Comodo Site,

that program includes a "Defense +" "component that says :

"Defense+:
The Defense+ component of Comodo Internet Security is a host intrusion prevention system that constantly monitors the activities of all executable files on PCs.

Host Intrusion Prevention:* Defense+ proactively protects critical operating system files, registry entries and personal data from internal attacks by root-kits, key-loggers, Trojans and other malware. "
This is what the malware-fighting community calls a "HIPS" ( Host Intrusion Prevention
System ) type of program, which can cause problems; Comodo is NOT known for having

quality program(s) in that "area" of coverage and their AV has been known to be low quality

for quite some time . And their "firewall(s)" can be quite a learning "experience" . I definitely

recommend you uninstall the Comodo "Internet Security" .

Also noticed you have the malware-prone and outdated Adobe Reader. Recently,

Researchers found a new hackertoolkit that uses nothing but Adobe securityleaks in order to infect systems. "PDF Xploit Pack" ( www.trustedsource.org/blog/153/Rise-Of-The-PDF-Exploits )adds all kind of exploits to PDF-files. When a certain exploit has successfully infected the OS, the IP address is sent to the attackers, so they need to try again. This to reduce the time it takes to manage the bots.
Use of PDF-files is becoming more and more popular among malcreants, this because other toolkits also have PDF exploits now. A year ago only 3% of the exploits were PDF directed. So it would be wise to uninstall this "Reader" and switch to either the FREE "Foxit Reader" or "CutePDF".

From my research, it is unwise to have BOTH Adobe's Flash Player and Shockwave Player

and since Shockwave is "older", that is the One to uninstall .

NOTE : Quite frankly, I would NOT have ANY Comodo program on my computer .

But perhaps One of their "firewall(s) is compatible with a Vista 64 bit OS !?

[MoyerNP]

Comodo has nothing to do with it because I had it turned off. I will try uninstalling the old office 07's.