Windows Vista Forums

Vista - Antivirus Program Flawed?

Old 11-14-2008   #1 (permalink)


Vista Ultimate 32bit SP2
 
 

Antivirus Program Flawed?

Last night, when hibernating in front of this forum, I decided to do some research related to a post I had made earlier, and Googled for some pretty technical stuff. Suddenly I faced a page with an Aero looking desktop design. It had a progress bar running slowly, indicating it was scanning. A pop-up said something about "scan for mal-ware" (ever heard of this before?) and my hibernation ended abruptly. Cursing myself for not having set the Internet Security Options at High, as I usually do when browsing geek sites, I blocked my firewall. Checked if I could see any unfamiliar process running, but couldn't, and then pressed Alt-F4. A new pop-up suggesting to download some nice scanner was killed likewise. Two seconds later the first one came up again. I pressed Alt-F4 twice and closed the browser tab.

McAfee Internet Security said nothing and its Site Advisor did not worry.

I used the McAfee Tools Quick Clean Feature and had it clean recycle bin, temporary files, cache, cookies and browser history, then again temporary internet files from IE, and ran CCleaner files and Registry Scan, just to check. Cleaned out some more files. Checked for any new Add-ons and then ran a full virus scan with McAfee. Ran a log with HijackThis. Nothing found, but I am still slightly in shock. Anything else I should have done at that stage?

The EventLog recorded the following error 256 times during 2 seconds:

Log Name: System
Source: DistributedCOM
Event ID: 10016
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {B299BB78-EBBE-48F9-8725-E6A84C4E7C1D} to the user XPS720\Submarine SID (S-1-5-21-3333333333-2222222222-919095832-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Can I trust my McAfee installation? Why the errors?

I now suffer from FUD (thanks NC for this word, new to me), and wonder if it was me browsing to the site or something already in my machine sending me there.


Last edited by Submarine; 11-14-2008 at 06:37 PM..
Old 11-14-2008   #2 (permalink)


Windows 7 RC x64 Vista HP x86
 
 

Re: Antivirus Program Flawed?

Hi submarine,

Looks like you almost got caught by one of the "drive-by" attacks. You probably did enough but would suggest you do a full Malwarebytes scan of your machine to be sure.

Malwarebytes.org

It may take a while to do a full scan but have found it to be the best against the current set of nasties.
Old 11-14-2008   #3 (permalink)


Vista Ultimate 32bit SP2
 
 

Re: Antivirus Program Flawed?

I am afraid McAfee and Malwarebytes do not get along. I will ask Malwarebytes if they have convinced McAfee to leave them alone. If so, I will try it again. First attempt to install failed as McAfee removed it, then it was fixed, and then some weeks later, I had a new McAfee attack against Malwarebytes which forced me to uninstall.
Old 11-14-2008   #4 (permalink)


Vista Ultimate 32bit SP2
 
 

Re: Antivirus Program Flawed?

I should of course add that the COM Server application CLSID refers to McSurrogateHelper Class, which is a piece of McAfee Security Center.
Old 11-14-2008   #5 (permalink)


VISTA HOME PREMIUM X64/ 7 x64 / 7x86
 
 

Re: Antivirus Program Flawed?

Hi,

I came across the same thing a while back and deliberately went to the page and let it do its fake scan for a few seconds.

It added this registry key, which I removed:

HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179}

(Adware.MyWebSearch) - no sign of it since.


You might paste that string into the Find function in Regedit and if it's there, delete it.


Malwarebytes is excellent - if you can't use that, suggest you try Spybot (uncheck the Teatimer during installation so as to avoid interfering with other security), and do a full scan manually - might catch the nasties without you having to dig through the registry.

The home of Spybot-S&D!

Hope it helps

SIW2
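
An added example, not part of any post in this thread: a PowerShell check that resolves the two CLSIDs quoted above (the one in the DCOM 10016 event and the key reported as Adware.MyWebSearch) to their registered class name and server binary, reports that binary's Authenticode status, and counts matching 10016 events per minute. The helper name `Resolve-ComClass` is hypothetical.

```powershell
# CLSIDs quoted in the thread: the first is from the DCOM 10016 event in post #1,
# the second is the key post #5 reports removing (Adware.MyWebSearch).
$clsids = '{B299BB78-EBBE-48F9-8725-E6A84C4E7C1D}',
          '{9afb8248-617f-460d-9366-d71cdeda3179}'

function Resolve-ComClass {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $result = New-Object PSObject -Property @{
        Clsid = $Clsid; Registered = $false; Name = $null
        Server = $null; SignatureStatus = $null; Signer = $null
    }
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { return $result }

    $result.Registered = $true
    $result.Name = (Get-Item -LiteralPath $key).GetValue('')   # class display name

    # The default value of InprocServer32 / LocalServer32 names the DLL or EXE
    # that implements the class; LocalServer32 may carry quotes and arguments.
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $subKey = "$key\$sub"
        if (-not (Test-Path -LiteralPath $subKey)) { continue }
        $raw = (Get-Item -LiteralPath $subKey).GetValue('')
        if ($raw -match '^\s*"?(?<path>[^"]+?\.(exe|dll))') {
            $result.Server = $Matches['path']
            break
        }
    }
    # Only check the signature when the value resolved to a file on disk.
    if ($result.Server -and (Test-Path -LiteralPath $result.Server -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -FilePath $result.Server
        $result.SignatureStatus = $sig.Status
        if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
    }
    return $result
}

$clsids | ForEach-Object { Resolve-ComClass -Clsid $_ } |
    Format-List Clsid, Registered, Name, Server, SignatureStatus, Signer

# Count DCOM 10016 events that mention the first CLSID, grouped per minute,
# to make bursts like the one described in post #1 visible.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10016 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$($clsids[0])*" } |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm') } |
    Select-Object Name, Count
```

On 64-bit Windows, run it from both the 64-bit and the 32-bit PowerShell, because 32-bit COM classes are registered in the separate WOW64 registry view.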
Old 11-14-2008   #6 (permalink)


Vista Ultimate 32bit SP2
 
 

Re: Antivirus Program Flawed?

I am happy to report no such value was found.

I am going to do some program re-installation this weekend, including McAfee, if just time allows. When McAfee is gone, I will then install Malwarebytes and run it. I know Malwarebytes are talking to McAfee, but it seems to be a slow process. Still worry over the error messages. Something was surely going on, maybe McAfee was trying to tell me or do something but did not have the proper permissions?
Old 11-17-2008   #7 (permalink)


Vista Ultimate 32bit SP2
 
 

Re: Antivirus Program Flawed?

Ran Malwarebytes from both normal and safe mode, and Spybot from normal. No infection detected. Have, however, started to get bursts of the following Audit Failure in the Event viewer Security logs (ID5038):

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys

This started a half-hour after the nasty event, recurred ~25 hours later and then again ~21 hours later. I hope I will never see it again, but doubt it. Based on info in the EventID Net, it appears this may be a bug in Vista, and then maybe it is just a coincidence it happened, when it happened. So, maybe I am OK.
Old 11-17-2008   #8 (permalink)


VISTA HOME PREMIUM X64/ 7 x64 / 7x86
 
 

Re: Antivirus Program Flawed?

Hi,

Seems there may be a connection, according to this site

Windows Vista tcpip.sys Connection Limit Patch for Event ID 4226 » My Digital Life

Apparently in Windows Vista, Microsoft still enforce and hard-limit (hard coded in tcpip.sys) the maximum simultaneous half-open (incomplete) outbound TCP connection attempts per second that the system can make in order to protect the system from being used by malicious programs, such as viruses and worms.

Replacing the file though doesn't appear to be easy, as you need to get the right version.

If it's causing problems, you could try running SFC to see if that will fix it, or perhaps a repair install

http://www.vistax64.com/software-too...heck-tool.html

Repair Install For Vista

Hope it helps

SIW2
Old 11-17-2008   #9 (permalink)


Vista Ultimate 64bit
 
 

Re: Antivirus Program Flawed?

Actually, that sounds like a possible Windows Defender scan and would be normal for a late night schedule that Vista has Defender running its scan under. Check your scheduled tasks to see if a Defender scan occurred on that night.
To view the Defender files, right click the Windows Defender folder in the left pane of Task Scheduler and select "view - show hidden tasks"

The second one tho, asking you to d'load some scanner...definitely is questionable and could mean the first one was also fake, but for some reason I think that first one could have been a defender scan.
Old 11-18-2008   #10 (permalink)


Vista 64
 
 

Re: Antivirus Program Flawed?

IMO I would get rid of McAfee, and just use something like Avast antivirus, a firewall of your choice, like Comodo, Vista Firewall Control, a program named SpywareBlaster, and something like Spybot or SUPERAntiSpyware....

I personally don't think McAfee is that great.

Also, if you don't have it, use Firefox web browser and get the NoScript extension, this alone will help out a lot as it's way more secure than IE..


I like the Avast scanner a lot as you can do a bootup scan...