BleepingComputer.com: Security Suggestions Needed?.

Prior to reformatting my PC in May this year I never had problems with either SAS or MBAM. The first thing I did after installing my hard drive, video and Sound card drivers and while my PC was still offline was to install Comodo CIS but due to getting a corrupt file message on the copy of Comodo CIS I had downloaded to a disk prior to reformat I ended up using the Windows Firewall with Avira instead. When I installed SAS and MBAM both to be used as on demand and not installed at start up or working in real time I ran scans with them which came up clean as they had with the Avira AV scan. I noticed though that since then when doing my usual twice weekly scans when I open SAS it took a long time to open and when it did it would sometimes hang for a few minutes before finishing updates I would then scan with it and it found just as much as it always did always just tracking cookies. With MBAM although it would open up straight away I would often get a pop up saying it had encountered a problem and needed to close. I could get it to scan sometimes both full and quick where again it never found anything at all. In the end I got tired of the pop ups and uninstalled it and started using A-Squared as a back up to SAS. It worked fine found a couple of tracking cookies that SAS didn't and I was happy. Since then I have used Comodo CIS and due to update problems with the Comodo AV I now am using Comodo Firewall with Defence+ and Proactive Security and Avira Antivir. I have also scanned my PC with Windows Malicious Removal Tool (full scan), Windows Security Essentials Beta, CWShredder and none of them have ever found anything other than the occasional tracking cookie. I am very security conscious and come here all the time to try and keep up with the latest advice.

In the time I have used the above problems I have reinstalled MBAM at least three different times and always got the same "needs to close" pop up. It is like something on my PC is conflicting with it and I cannot seem to figure it out. My PC is not slower and seems to work just as fast as it ever has. It does not act like I am infected but still this thing with the slow start up of SAS and not being able to explain why MBAM won't work leads me to think I may have some sort of bug which I cannot find. I also have an intermittent problem with twice now my XP account settings have restored to the default settings as well as my Sounds and Audio device settings. Although all my data is still there it seems to all intents like I have a new account.

My problem / question is, does anyone have any idea what would cause these things to happen or am I being too particular and these are just every day bugs and glitches that we all experience sooner or later.

You might want to ask your question over here
http://www.malwarebytes.org/forums/index.php?act=idx

I tried that already a couple of weeks back Garmanma, I never got one response and got the feeling they offer no help for the free version. I found a couple of threads there in regard to similar but none of them had been resolved.

Let me get some more eyes on this

I had trouble with SBS&D once and until I used REVO on a failed reinstall in advanced mode it wouldn't work. The REVO uninstall dug a little deeper and took something else out. At that point I was able to reinstall with no problems, ADD/REMOVE just doesn't work sometimes I think.

Dan

You posted in the wrong forum over at MBAM, the general forum would have been best.

The HJT helpers are too busy with infections to troubleshoot compatibility problems

http://www.malwarebytes.org/mbam-clean.exe

Run this MBAM clean tool and reboot

Try to disable Comodo before installing MBAM, or put it in install mode.

I will try again using the MBAM clean up tool Chewie but I use Revo Uninstaller to unistall everything now and it should take out everything. I can't see it is a Comodo problem either as I had the same problem when I was using Windows Firewall and Avira Antivir. I always put Comodo in installation mode when installing programs. I can't remember now but was sure I had posted in the general forum at MBAM. Again thanks for the replies and suggestions. I ran a Rootkit Revealer scan this morning and it found three discrepencies which I have written below. What do I do with these results, Is it ok to delete these entries?.

Path. Timestamp Size. Description.
HKLM\SECURITY\Policy\Secrets\SAC* 19/05/09 15:49 0 bytes Key name contains embedded Nulls [*]
HKLM\SECURITY\Policy\Secrets\SAI* 19/05/09 15:49 0 bytes Key name contains embedded Nulls [*]
HKLM\Software\microsoft\MediaPlayer
\UIPlugins\99DB05E3-F81E-4C8A-A252-
F396306AB6DE. 19/05/09 15:35 0 bytes Hidden from Windows API.

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Download process explorer and create a log to paste here

Here is the process explorer log you asked for.

Process PID CPU Description Company Name
System Idle Process 0 98.44
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 600 Windows NT Session Manager Microsoft Corporation
csrss.exe 672 Client Server Runtime Process Microsoft Corporation
winlogon.exe 700 Windows NT Logon Application Microsoft Corporation
services.exe 744 Services and Controller app Microsoft Corporation
ati2evxx.exe 932 ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 948 Generic Host Process for Win32 Services Microsoft Corporation
wmiprvse.exe 4108 WMI Microsoft Corporation
svchost.exe 1056 Generic Host Process for Win32 Services Microsoft Corporation
cmdagent.exe 1172 COMODO Internet Security COMODO
svchost.exe 1236 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1376 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1508 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1584 Spooler SubSystem App Microsoft Corporation
sched.exe 1632 Antivirus Scheduler Avira GmbH
svchost.exe 1748 Generic Host Process for Win32 Services Microsoft Corporation
avguard.exe 1788 Antivirus On-Access Service Avira GmbH
svchost.exe 1880 Generic Host Process for Win32 Services Microsoft Corporation
uphclean.exe 176 User Profile Hive Cleanup Service Microsoft Corporation
alg.exe 892 Application Layer Gateway Service Microsoft Corporation
lsass.exe 780 LSA Shell (Export Version) Microsoft Corporation
ati2evxx.exe 5152 ATI External Event Utility EXE Module ATI Technologies Inc.
explorer.exe 1296 Windows Explorer Microsoft Corporation
QveCplSk.exe 5596 Philips Sound Agent 2 QSound Labs, Inc.
cfp.exe 5604 COMODO Internet Security COMODO
avgnt.exe 3648 Antivirus System Tray Tool Avira GmbH
firefox.exe 2780 Firefox Mozilla Corporation
procexp.exe 4968 1.56 Sysinternals Process Explorer Sysinternals - www.sysinternals.com

Let's uninstall uphclean.exe , your other glitches seem related to that

Looks like what RKR found is normal--Windows does hide stuff too:
http://forum.sysinternals.com/forum_posts....D=8881&PN=1

I am posting because I am experiencing some of the same symptoms you are describing and have yet to figure it out--mostly because I don't use SAS and MBAM very often. But my symptoms are as follows (BTW, I don't have UPHClean installed--it had been a long time ago but didn't help with the problem it was designed for):

1. SAS is very slow to open.
2. When I try to open MBAM I get Error 707 (2). I just discovered this because rarely is a better description of how often I run MBAM.
3. Occasionally (now) when I log into my account, I get the Default Account settings for my Desktop. It's not permanent tho because if I immediately reboot, my account returns to the way it was. This was happening fairly often along with another problem. I have GFI Backup (formerly Titan Backup) installed and for every job I had it set to repeat the backup/sync task if it was missed. So every time I rebooted or logged into my account when it came up as the Default (and sometimes with my normal desktop) backup jobs would run when they weren't scheduled to. I fixed that by disabling the setting to repeat the job/Task if missed, which also has reduced the instances of the Default Desktop coming up. But the latter hasn't gone away completely.

There is still some sort of conflict somewhere for me as well. I haven't looked into it further as I have some other more important projects going. But it may be helpful to both of us to compare which programs we both have installed to see where there is commonality. If you still have a copy of HijackThis, open it to the Misc Tools section, click Open Uninstall Manager, then Open Add/Remvoe software list. Paste the contents of the file that opens into your next reply. Don't worry, there is no danger in doing this as it is just a list of what is installed.

BTW...

bluesjunior, on Aug 23 2009, 06:39 AM, said:

You can save yourself some time--CWShredder has been useless for about four years now--the specific infections it treated no longer exist and before that it wasn't effective with the more advanced CWS infections anyway. Just thought you would like to know there is no point in running it as a routine scanner.

Quote

http://www.malwarebytes.org/forums/index.php?showtopic=10138

Chewie,
I will uninstall UPHClean and see how that goes with the account default settings problem but it has no bearing on the MBAM thing as it was happening prior to installing UPHClean.

Papakid,
Here is a copy of the A/R list you requested.

Adobe Flash Player 10 Plugin
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Avira AntiVir Personal - Free Antivirus
BestPractice (remove only)
Choice Guard
COMODO Internet Security
Critical Update for Windows Media Player 11 (KB959772)
EPSON Printer Software
ESC79_D78 User's Guide
EVEREST Home Edition v2.20
FileHippo.com Update Checker
Foxit PDF IFilter
Foxit Reader
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
ImgBurn
Intel® 536EP Modem
Java™ 6 Update 16
Logitech iTouch Software
Logitech User's Guide
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft DirectX Transform optional components
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft LifeCam
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MouseWare 9.51
Mozilla Firefox (3.5.2)
MSVCRT
MSXML 6 Service Pack 2 (KB954459)
nLite 1.4.9.1
OpenOffice.org 3.1
Philips Sound Agent 2
PSC Audio Driver
Revo Uninstaller 1.83
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Segoe UI
SpywareBlaster 4.2
SUPERAntiSpyware Free Edition
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
User Profile Hive Cleanup Service
VLC media player 1.0.1
Windows Imaging Component
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
winLAME 2009 beta 1

Even tho you have turned off CIS, it was installed and evidently corrupted?

Did you slipstream that OS disk? Unless Papakid sees something I would suggest running it as a repair disk.

I am wondering about your cd burning reliability also?

I don't see anything that stands out--not sure if a repair is needed tho.

About all we have in common as far as installed programs is AntiVir, SAS and MBAM. I would guess it is a conflict among those for some odd reason. If not a Windows update or .Net framework problem.

Can you confirm that you only have the firewall part of Comodo installed? After your initial problem with Comodo, have you only run AntiVir as your antivirus? If you have tried other AV's or firewalls let me know--every time I try out Online Armor firewall I get strange problems.

Quote

If I read the original post correctly, the download was corrupt so it didn't install at all--is that correct. If you can give more detail about that it might help. If you did uninstall Comodo did you use a removal tool?

Are you running version 9 of AntiVir? Had any problems with it at all? If you've tried reinstalling any of these apps let us know that too and how it went. I've had to reinstall AntiVir because of problems with the updater. Reinstalling SAS had no effect on slow opening at all for me.

I'll reinstall MBAM and see if that helps me. May be late today before I can get to it. As mentioned earlier, this is a hard problem to pin down--I haven't looked into my own because of that and I don't think it's malware related so isn't just real critical--more of an annoyance.