Solved

WSA missed a trojan

  • 1 November 2012
  • 39 replies
  • 587 views

I've been a dedicated Webroot user for 3 years... until now. I downloaded the SecureAnywhere update a few weeks ago, and since then the service has basically stopped working. SecureAnywhere never found any viruses, spyware, or malware, despite repeated and regular scans. This would be great if I didn't know for a fact that my computer was infected. In the last few days it has gotten to the point that every other time I click on a search result from Google, I am taken to a completely unrelated website.
 
Since my subscription ends in a couple days, I decided to download the free trail for AVG Internet Security and see if it would help. As soon as I started the program, it detected and removed a trojan, which Webroot hadn't detected during the scan a few hours ago. I hadn't even run a scan yet! As soon as AVG removed the trojan, the problem stopped.
 
I was a huge fan of Spy Sweeper, but SecureAnywhere turned out to be a waste of my time (and money). I used to be a huge Webroot fan and recommended it to many others who had issues, but now I'll be recommending for everyone using it to switch.
icon

Best answer by gpb500 5 November 2012, 01:54

View original

39 replies

Userlevel 7
It's a pity you gave a farewell to WSA in favour of AVG :(
 
However what is more sad is that you didn't give Webroot a chance to clean your PC. They do that for paid users free of charge. Once you had any signs that something malicious is occupying your PC you should have contact them instantly and they would be very happy to help you out.

Well, there is literally no security solution which is 100% successful. It could have been a case that WSA wasn't working correctly in your environment and hence failing to catch a trojan. Nevertheless if you had contacted Webroot support you could end up in having your PC clean. Sorry but I cannot understand why you killed WSA so quickly without even asking them to help you. You was singing the praises on Webroot but you gave up in a way like Webroot was your first enemy instead.

Though if you would be willing to return to WSA and contact the support you can trust all your issues will be addressed. If not wishing you all the best with AVG.
Hey, give the chap a chance. He says he downloaded the Webroot WSA update just a few weeks ago and then encountered problems. At this point, he wasn’t sure if it was a virus or not but understandably felt somewhat dubious about WSA, the problem having started upon installation of same. What is more, he claims that as soon as he installed a trial version of AVG, a Trojan was detected and cleaned and the problem immediately stopped. (Btw, it’s possible he didn’t know that free malware removal is included in Webroot’s services, in case of infection.)
 
If I was him, I can well imagine I might have reacted similarly. As it is, given my knowledge of WSA I wouldn’t. I have known WSA AV and its predecessor (I was previously a 5-year long customer of Prevx on which WSA is based) for six years, and have found it to be superior to any other AV I have tried. So if this happened to me, I would be persuaded that this was an exceptional case.
 
But the poor chap, you are immediately “trolling” him (imho), when he has perhaps just had a once-off nasty experience—instead of gently advising him. My two cents’ worth…
 
Having said that, I concur with your advice 😉
Userlevel 7
@ wrote:
Hey, give the chap a chance. He says he downloaded the Webroot WSA update just a few weeks ago and then encountered problems. At this point, he wasn’t sure if it was a virus or not but understandably felt somewhat dubious about WSA, the problem having started upon installation of same. What is more, he claims that as soon as he installed a trial version of AVG, a Trojan was detected and cleaned and the problem immediately stopped. (Btw, it’s possible he didn’t know that free malware removal is included in Webroot’s services, in case of infection.)
 
If I was him, I can well imagine I might have reacted similarly. As it is, given my knowledge of WSA I wouldn’t. I have known WSA AV and its predecessor (I was previously a 5-year long customer of Prevx on which WSA is based) for six years, and have found it to be superior to any other AV I have tried. So if this happened to me, I would be persuaded that this was an exceptional case.
 
But the poor chap, you are immediately “trolling” him (imho), when he has perhaps just had a once-off nasty experience—instead of gently advising him. My two cents’ worth…
 
Having said that, I concur with your advice ;)
Just to clarify ... I wasn't trolling him at all. I was quite gentle considering the armed last sentence of the post. It doesn't sound nicely or friendly, doesn't it? OK, peace :D
Userlevel 7
I am sorry to hear your negative experience and I apologize for the frustration.
 
Thanks pegas and Muddy7 for both of your input. You both had valuable responses and thank you for being such loyal fans of a truly exceptional product. :D
 
Our journaling and rollback technology is one of the reasons why we are the best. This video explains it all if you are curious.
 
[b]ptp405 if you did not know of our free malware removal and if SecureAnywhere wasn't working properly on your system. I wish you the best with AVG.
 
 
 
 
Thanks for your thanks 😉.
 
Just a small point: your free malware removal service does not seem to be as blatantly clear on your Website as the same service is on Prevx's (see point 3)? Not only from our (customers) point of view but also from yours—seeing that this is a USP—would it not be an idea to more strongly highlight this on your Website??
 
Just a suggestion...
Userlevel 7
I completely agreee and have thought about this in the past. Want to submit a new idea in our Ideas Exchange for this implementation and see if we can start creating a buzz around it?
 
 
A whole system scan by AVG turned up 3 more trojans... 3! AVG was simple to install and worked fine on the first try. I simply chose to go with th program that works on its own rather than renew a subscription to a program where I am forced to contact customer service to get threats removed.
I'm no specialist on computers, but one thing that I do understand is that WSA works very differently from traditional AVs. Traditional AVs look for any files on your computer that may contain viruses or Trojans even if they are just lying there in some obscure email message attachment from for example x years ago and will never ever pose a threat to you. WSA couldn't care about dormant AVs or Trojans that will probably never activate. But it is incredibly effective against any active threats. Did you try opening the files that contained those three Trojans to see how WSA reacts then??? If your other AV doesn't detect the malware first (WSA will always cede to another AV if it discovers the malware first so it can live in harmony with any other AV—and it's the only AV I know that does this), it will step in with a vengeance.
 
But Mike R will explain this much better than I ever possibly could.
 
Of course, if you want an AV that will clean up inactive threats, WSA is not the programme for you.
 
And btw in the six years I have been with Prevx/WSA I have never had to ask them to get rid of a malware their programme couldn't clean up by itself, nor have I yet heard of someone finding themselves in such a situation. Except, unfortunately, you :8
Userlevel 7
Muddy7 wrote:
Of course, if you want an AV that will clean up inactive threats, WSA is not the programme for you.

Or you could run a Full Scan instead of a Deep Scan.  Not that it's necessary since WSA scans on-execute if you ever go back to that inactive threat that's been sitting around untouched on your hard drive for who-knows-how-long, and catch the threat anyway. 😉
Badge +3
Interesting thread here.  I've been using Webroot Essentials for the past couple months coming from MSE and Avira prior.  Never really had any problems with malware or viruses.  I have a buddy who likes to tinker with computers (we do our own builds) and we share information on new software and what not.  So yesterday he calls and says he has a problem...when he was running quicken and viewed an attachment he would get a notice that windows encountered an error and would be restarted within a minute (attachment is a PDF so thinking adobe exploit).  I believe the exact text is "Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now."
 
He uses Agnitum Outpost firewall and MSE.  I told him to install Webroot and perform a scan to see if it would find anything.  It did not.  We also tried two other scanning tools and they found nothing.  Finally we used Malwarebytes and it found two threats...file name was _isdel.exe (trojan zbot).  Once the two files were quarantined, the problem disappeared.  I was disappointed that the spyware function in Outpost missed it as well as all the others...including Webroot.  So I'm wondering how common this really is?
 
His computer configuration is the same as mine, W7x64 with all current patches.  Would appreciate any comments.  I think he still has the files quarantined.  He's trialing webroot (15-day) at the moment...and has uninstalled MSE.
 
Thanks!
 
PS - I just upgraded to W8...for better or worse.
Userlevel 7
Somewhat a two-part bit of fun.
 
Part 1:  That which gets first gets best.  No matter what AV you use, if the infection gets in first, it can very often hide extremely effectively.  If Webroot is installed first, it catches the infection TRYING to install itself and blocks it.  If the infection gets in first, it sees the AV working to get scan and hunkers down to evade. 
 
MBAM has a hyper-sensitive detection set for zbot.  Somewhat good, since it can catch more copies of that when they are hunkered down, but also means it FPs on things more oftent that it should (it called a quick litle automation program I wrote myself a zbot infection.  XD)
 
Part 2:  Best way to figure out what's up is to get a scan log to us, or get even just the keycode to us from the WSA install that didn't detect the threat. 
 
Bonus parts...
- If WSA was installed and scanned, it wants to think the computer is clean when the person does the installation.  Therefore a pre-existing infection occasionally needs to actually DO something in order to be detected.  ZBot spends a lot of time idle.  It's a trade off there of course.  That means that definition-based stuff like MBAM will catch it faster if they have that specific signature in their definition set, but that also means that if MBAM doesn't know the definition of that specific ZBot yet, it could take weeks to be caught by them as compared to hours for WSA.
 
Unknown to Bad for WSA -> Usually a few hours at most.
Unknown to Bad for MBAM and others -> A few days or even weeks.
 
How long after WSA's scan did you scan with MBAM?  Minutes?  Hours?  Days?
 
- The answer that most AV companies give to people having an infection is mail support, run MBAM and ComboFix, do a bunch of stuff, and oh, sorry, if your computer got blown up by it, too bad, reinstall your OS.  The answer that Webroot gives to an infection is that we can generally just get a single ticket sent from the infected computer and take care of it without further work from the customer within an hour or less, and if the computer gets killed or it's more complex, we'll take care of it remotely for free, even if the computer won't boot.
 
Infection gets by with WSA -> Usually fixed before you even get a ticket in to us, but if not, we'll take care of it all for you.
Infection gets by other things -> Days of epic work, using other peoples' tools, and frequently need to reformat the computer.
 
How often does it happen?  Infections get past -everything- out there.  Look at any web site that offers assistance with malware removal.  It's huge.  Go to the geek squad or computer repair outfits.  HUGE.  But the ones that get past Webroot to start have no access to critical stuff and then are generally gone before people can get a ticket to us or take the computer to the shop. 
 
We know things can get past anything, even us, so we want to make sure that when (not if) they do, it's not a catastrophe or even a minor headache for more than a short time.
Badge +3
I see...thanks for taking the time to post that. Some of that I've read before here about WSA...didn't realize the details about MBAM and zbot. We spent about five hours on it yesterday with me remoting in to assist and see what was going on. He has no idea how long he's had it...but probably no more than a couple days unless it just sits there.  The work he was doing is something he does regularly.  Also he runs drive images daily and suspected he got it yesterday afternoon until he restored the prior day's image and still had it. So in fact it was lying idle.

Also I should have said we had some problems installing WSA at first...it seemed to install but then we couldn't find it, no icon in the task tray...but two active tasks both assigned to his user ID rather than one system and one user.  No obvious way to access the GUI (no start menu items...trying a reinstall did nothing). So was the malware fighting this or perhaps the system was just compromised.  So in the end removing those two files (I believe the file name signifies the install shield deleter file or look-alike...after googling it..."_ISDEL.exe") seems too simple...I mean there must be something else hooked via the registry or other hack somewhere...? Maybe this is all academic at this point and there are no certain answers without knowing more. In any case, thanks again.
Userlevel 7
ZBot is actually a pretty serious infection and stuff lately is explicitly built to work at blocking and evading us.  I've seen a number of cases where infections work very hard to prevent us from installing.  It sounds like the description you give definitely indicates something of that sort.
 
If there is a new version attacking us, then we'd want to take a look at that and see what we can do to kill it better when it's pre-installed.  Generally security-related fixes like that get in within a few days or weeks at most, which is not common in the industry.
 
I speak of MBAM from a personal viewpoint, by the way.  I work for Webroot, but I've done stuff with MBAM since way before that.  It's great at a lot of stuff, but I kind of feel like it's super-strong antibiotics:  Sometimes the side effects are pretty bad and some stuff still gets through in the long run.  (Excellent example: Before I knew how to remove -everything- Malware by hand, I'd trust MBAM to do it.  It bricked a lot of systems more than I liked and in the long run, when I learned how to do it all by hand, I found it also missed a lot of stuff.)
 
ZBot works by hooking code into some pretty deep places and hiding relatively well.  Honestly, I'd put in a support ticket from his machine (Suspected Infection) with WSA properly installed and after a scan just to get our Threat Researchers to take a look and give it a double-check.  It's probably clean, but a second highly-trained human eye never hurts, right?
Badge +3
Interesting.  I'll point him to this thread and see if he's up for it.  What is the protocol for Webroot support "looking" at his computer?  Just a remoting in with/without phone?  Or does this include running diagnostics and emailing, etc?  
 
Thanks.
Userlevel 7
Just file a support ticket from the computer when Webroot is installed properly and it will automatically add its ID token to the support ticket on our side.  With that ID, we can look up the basic scan information in the cloud system.  There is a possibility for something further being needed (for example, if the system has certain MBR or full boot infections, there is no way for anything to see them, and that infection may have downloaded and installed ZBot), but in those cases we'll respond to the ticket with that info. 
 
We cannot remote in randomly, so if we do see a need for remote work, we'd request contact information and a time to reach him.  But usually it can be fixed just with the cloud view of the computer.
Badge +3
Much appreciated and apologies for hijacking this thread...wasn't my intent.
Userlevel 7
No problem. 🙂 Not like there are too many threads about infections on the forum anyway. XD
Badge +3
One clarification, the files are quarantined in MBAM's quarantine, so not sure how you'd be able to see them via cloud method you mention.
 
And second, just googling a bit more, today someone reported the same files MBAM flagged on friend's PC yesterday.  See here, top post:
 
http://forums.majorgeeks.com/showthread.php?p=1782021
 
So perhaps this is something new?  On friend's PC, the first folder flagged didn't even exist prior to quarantine, perhaps hidden/system attribute set...not sure if he shows those or not...didn't think to ask at the time.
 
 
Userlevel 7
We don't actually send the files to the cloud.  The cloud has a list of the fingerprints of everything that is/was running or would be very likely to run though, as well as its genericized behavior, state, and current determination information.  We can also look that up by the keycode, as I mentioned earlier.   If the threat was running, we'd likely have it in the cloud information.  If it wasn't running... well, bear in mind that other products do find dormant and non-code things (like a log file that says "01001" but HAPPENS to be in a directory created by a threat) that we don't waste the user's time looking for.
 
Now, on that thread, this is interesting...  I'm trying to take a look in the cloud back end based on the filename, but that is usually a futile effort.  From the very surface, that looks like a false positive.  At the same time, a good infection will try to make sure it looks legitimate.  You could take a look at the scan logs to see if it lists that file anywhere in it as well, though a scan run after MBAM quarantined it would not see it.  Buuuuuuut...
 
On a 64-bit windows system, the location you're seeking is actually in c:windowsSysWOW64, not REALLY in system32.  And sure enough, that _isdel.exe shows up here with a file date of 6/10/2009.
 
Scan log shows it as:
[g] c:windowssyswow64installshield_isdel.exe [MD5: 9D4EC4B71FD189A0B2C4DBD6AADE16BF] [Flags: 00000000.0]

So it's NORMALLY a legitimate file.
 
Hmmm...  So a quick check on Google for "malwarebytes _isdel.exe"...  and suddenly it screams False Positive. :/  People with clean Windows 8 installs, multiple reports on the Norton forums 22 hours ago, etc...
 
One wonders whether the _isdel.exe is now completely missing from the SysWOW64InstallShield folder, in which case the computer will be slightly broken, as there SHOULD be a legitimate version of it there normally.
 
This is all just a casual inspection, mind you, and could easily warrant further investigation.  Depending on how brave you are, you could even poke at it more deeply if you wanted to.  Restoring the _isdel.exe from MBAM quarantine would not cause it to run unless MBAM didn't do a proper cleanup job, so it wouldn't "reinfect" until it did run.  Then scan it with MBAM again after updating the definitions and see if it's detected again.  Or run a scan on just that file with Webroot, save the logs when the scan is completed, and look for the line similar to what I pasted above.  If it says [u], we may have something Very Interesting™ to poke at.  If it matches the line above, or otherwise says [g], then it's legit and almost invariably a false positive by MBAM, though we can definitely investigate more deeply with the info in that line alone.
Badge +3
So he could restore those files safely, then immediately move them over to his desktop and perhaps go back to his image library from a few months ago and compare those files with these current ones to see if they are a match or changed...?  If changed, he could submit them to you folks for analysis and get it added to the database as needed?
 
Well, I just installed MBAM and ran and came up with two files identified as trojan.agent.  They are:
 
Files Detected: 2
C:WindowsInfafw.inf (Trojan.Agent) -> No action taken.
C:WindowsInfafwmp.inf (Trojan.Agent) -> No action taken.
 
A google finds false positive reported on mbam's forums...though the google link doesn't take me to the actual post...so unsure.  BUT...when MBAM was installed, right clicking on the file in Windows Explorer and invoking Scan with Webroot no longer worked (WSA didn't pop up as normal).  Closing MBAM didn't help...somehow the context menu was broken.  Uninstalling MBAM and rebooting fixed that, then I had my first blue screen (frowny face) in Win8...oh joy...not webroot's fault...was browsing at the time...probably Outpost Firewall if I had to guess.  Just an FYI.  Thx.
Userlevel 7
POTENTIALLY safely.  In my position, I would be comfortable taking the risk on my computer, but it's up to you.  After all, if it's a threat and does go active agan somehow, MBAM removed it once, so should be able to again, right?
 
Even just scanning it with SecureAnywhere gets all the data we need from the file into the cloud, so generally it doesn't need to be "submitted".  the scan line, like I showed above, contains the information key for us to look it up on the cloud, and then changing determinations is a 12-second process. :D  We'd want to evaluate it first though, bu the scan does the raw evaluation and sends that data to the cloud so we can look at it.
 
inf files are a type of installer script that is processed by WIndows.  They are not machine code and in and of themselves cannot be threats.  They can be USED by threats to install themselves though in a manner that bypasses detection by a lot of security software.
 
MBAM's forums appear to be down, according to numerous posts about MBAM FPs on other forums.. :/
 
As to the right-click scan not working, that is something I am trying to get greater attention on.  It occurs when the system service for SecureAnywhere crashes and restarts.  Focus thus far has been on preventing the crashes, but I am concerned that there are thousands of things that can crash software, and faulty hardware would be outside out control for example, so it should recover gracefully.   You can find the line about 'teminated unexpectedly' in the WRSA logs prior to the context menu stopping working.
 
You can recover it by rebooting, as you noted, but also by simply shutting down and restarting SecureAnywhere itself.
Badge +3
Well after all that, it turns out the _isdel.exe file was a false positive.  MBAM fixed the FP on their end and now it looks like the inf files that were being flagged are also FPs.  I did submit one file for review via the WSA client software.  Not sure how this exercise fixed my buddy's problem but it seems to have nothing to do with that file...and now restored.  Thanks for all the help...it was an interesting effort...and the remaining mystery apparently won't be solved.  Cheers!
Userlevel 7
Glad to hear it wasn't a problem going on there.  There is a potential that MBAM was interfering with the normal operation of the OS while it had some issues there.  The shutdown you described is caused when a program that is invisible but critical to the system operating shuts down or crashes.  There are so many potential causes that it's nearly impossible to narrow down from the information provided and not really our position to try to determine on that, but it doesn't sound like a malware issue.  You might want to do a full disk check including checking for bad sectors just in case.
 
 
Userlevel 4
😛 I have to put my 2 cent worth in,  I have paid webroot.  I have Superantispiware that caught a malaware where Webroot did not. 
Userlevel 7
And Norton has caught stuff that AVG missed. But AVG also caught stuff Norton missed. And Webroot has caught more stuff that SAS missed than SAS caught that Webroot missed. And if SAS/AVG/Norton miss something, you're completely 100% out of luck because they will do nothing to fix it until they get a definition update. By comparison, Webroot can still remove it on your instructions even if it doesn't detect it. Or get free help from support to remove it, not costing you a penny extra.

Also notably, if you have another AV installed and both it and Webroot would catch the same Malware, only the Non-Webroot one will catch it, because if they both caught it, they'd get into a fight over it, so Webroot will always allow another installed program to catch it if it can. Mind you if you "get something" and then install SAS and it catches it, that's a different thing. But also the nature of what SAS "caught" is up for consideration. SAS will say "OMG, a text file that could have been created by Trojan.ADHD! I caught it!". So without knowing precisely what it "caught", there's no way to say anything.

Thank you for your input though. 🙂

Reply