Solved

Infection?


Hi,
 
I started a ticket with Malwarebytes (stupid me forgot to check here first). They have me running Combofix, which requires my AV to be shut down. WRA doesn't seem to shut down. How can I go about doing so? And I cannot get Combofix to shut down either (I tried X-ing out but it pushed on ahead, stating it will go ahead and run "at my own risk!").
 
I'd started the ticket there because my computer has been running sluggish but MBAM and WRA don't detect anything. I've worked with tech support on a previous computer and went there first (again, stupid me, forgetting the tech support here). They walked me through several steps and now we're looking at ComboFix.
 
When I open Web Console, I notice that an infection popped up yesterday, LPPLUGIN.DLL with W32.InfoStealer.Zeus (probably during this process). Now when I click on support from my computer, I get sent to a blank browser page.
 
Help.

 
If I try to open a support ticket, I'm asked for e-mail address which I provide then a password, which I don't have (and the passwords I type in for forum and for web console don't seem to work either).

 
Thanks.

Best answer by Rakanisheu Retired 29 July 2013, 12:18


18 replies

Hello MDYoung and Welcome to the Webroot Community Forums.


 
If you think you have an infection, it is always best to Submit a Support Ticket (start a new ticket if you can't get access to the old one), as Webroot have their own malware removers and it's free with a paid subscription. If you use other tools like MBAM or Combofix it could do more damage, and if necessary they will connect to your system remotely and remove any infection themselves. Also, this is one important thing you need to see: http://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202#.UfVIhm3Nnns
 
HTH,
 
Daniel
Hello MDYoung and welcome to the Webroot Community!
 
As to how to shut Webroot down, of course that is generally not advised. But... I do realize sometimes it needs to be done. Right-click on the Webroot systray icon and choose Shut down Protection. Note: Webroot will also warn you that it is at your own risk. All security software will do that when you try to shut it down :)
 
As for the password for your trouble ticket, you should have that in the reply to your first Trouble Ticket. Check your email for the reply made when you first opened a ticket; the password will be in there. (It WILL be different than what you use for the Community, your Console, or any other password you have assigned.)
 
 
Thanks for the reply.
I did figure out how to submit a support ticket a couple of hours ago and did so. Hopefully I'll get a response soon.
I had checked out that video a couple of months back, and re-checking it now (and walking through the steps) I find no unknown file or anything of that sort listed for LPPLUGIN.DLL with W32.InfoStealer.Zeus in the scan log (which comes up clean as it had previously).
Just quite frustrating. Sluggish computer, DOS-boxes popping up at times (and unsure what they are doing) combining to make me pull out my hair (and there's not much to begin with :D).
 
Thanks again.
LPPLUGIN.DLL is part of the Webroot Password Manager in the WSA-ISP & Complete versions, in the hidden folder (ProgramData) as you can see in my picture. So what is detecting it as W32.InfoStealer.Zeus? There is also another one for 64-bit systems.
 
TH

 
 

Well, webconsole was detecting it, but when I just reran it, I'm getting a "protected" indication:
 


 
But as you'll notice, it did find an infection yesterday, then came back protected, then found the infected file again later. Here's what comes up when I open Scan Results:
 


 
Soooo, rather confused here. There does seem to be an infection but exactly what it is and what it's doing . . . .
 
Thanks again.
Please continue with the Webroot Support inbox and they will look after you! ;)
 
Daniel
The "virus name" being infostealer makes a lot of sense if one of those other programs is what is detecting that Webroot Password Manager dll file: while it is fully safe and secure it is essentially capturing what you enter for a username and password.

Is that possibly a generic virus name that particular program uses for any file it detects with that kind of behavior for which it has no set definition file?

If that is the case, of course Webroot support can help verify this as well as help make sure your system is clean. A request to the company detecting the dll in question to whitelist it as a false positive might also be in order.
The thing is that Secure Anywhere Webconsole is detecting this, not one of the other programs I've been fiddling with.
 
Still haven't heard back from Support. Are they only available during the week? I've seldom dealt with support for Webroot (and the first/last time was just to log in to webconsole).
 
Thanks.
@DavidP wrote:
The "virus name" being infostealer makes a lot of sense if one of those other programs is what is detecting that Webroot Password Manager dll file: while it is fully safe and secure it is essentially capturing what you enter for a username and password.

Is that possibly a generic virus name that particular program uses for any file it detects with that kind of behavior for which it has no set definition file?

If that is the case, of course Webroot support can help verify this as well as help make sure your system is clean. A request to the company detecting the dll in question to whitelist it as a false positive might also be in order.
Also, David, don't forget what the ID Shield can do to protect you even if he was infected.
 
Daniel
I believe support is staffed, but replies can be a little slower if they are particularly busy. Forgive me for not understanding it was the Webroot Console showing it: I am away from my computer and just reading things on my tiny Android, so I miss things here and there. 🙂
I highly doubt it's Zeus; that's neither the filename, path, nor file type that it normally is. If you create a troubleshooting ticket or post the MD5 of said detection, I can check it out when I get into the office in a few hours. Without any info I can't be 100% sure, but I'd guess this is an FP.
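The hash Rakanisheu asks for, as an added example that is not part of the thread and not Webroot's own code: a PowerShell snippet that locates LPPLUGIN.DLL under the hidden ProgramData tree (Triple Helix names that folder above; searching it recursively is my assumption), records the MD5 and SHA256 with Get-FileHash (PowerShell 4 or later), and checks the Authenticode signature. The function name Get-FileEvidence is my choice; nothing here asserts which publisher should appear on the signature, so compare the signer and hashes with what support gives you.

```powershell
# Added example (not from the thread or from Webroot): collect the evidence support
# would want for a suspected false positive on a single file. The ProgramData search
# root is an assumption; -Force is needed because the Webroot data folder is hidden.

function Get-FileEvidence {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Root = $env:ProgramData
    )

    Get-ChildItem -Path $Root -Recurse -Force -Filter $Name -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Size      = $_.Length
                Modified  = $_.LastWriteTimeUtc
                MD5       = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

$evidence = @(Get-FileEvidence -Name 'LPPLUGIN.DLL')

if ($evidence.Count -eq 0) {
    Write-Warning "LPPLUGIN.DLL not found under $env:ProgramData (try another root, or the 64-bit copy)"
} else {
    # Paste this output into the support ticket: both hashes identify the exact file.
    $evidence | Format-List

    # A Valid signature from the expected publisher supports the false-positive reading;
    # HashMismatch or NotSigned on a file that should be signed is what needs a closer look.
    $evidence | Where-Object { $_.SigStatus -ne 'Valid' } | ForEach-Object {
        Write-Warning "Signature not valid for $($_.Path): $($_.SigStatus)"
    }
}
```

Run it from an elevated prompt so the hidden folder is readable. If two copies turn up (the 32-bit and 64-bit plugins mentioned above), both rows are listed; the one flagged in the console is the one whose hash you quote.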
Rakanisheu,
 
Thanks for the reply. I have created a ticket, I think. I clicked the open a support case link off the Individuals &  Families page of the Community, entered e-mail address and problem. Haven't heard anything back. No e-mail response. Nothing so far except the assistance that Triple Helix and DavidP have offered.
 
If you could look into it, I'd appreciate it. Thanks again.
Is it the same link as this? https://www.webrootanywhere.com/servicetalk.asp?
 
If it is, you're fine!
 
Daniel
Yes, that's the page I'm taken to and that asks for e-mail address.
I have taken a look at the ticket you submitted. I can see no mention of Zeus or any related infection in the logs; I can see nothing apart from one piece of adware in the KC. This may be an issue with the console; I am not sure, as it's not my area of expertise. I have asked one of my colleagues to take a look at this. Do you have more than one PC activated on that KC? I can only see the scan logs on the PC that submitted the ticket.
 
 
Ignore the above; it was an FP, just confirmed it.
FP? False Positive?
OK, thanks, for the note on Zeus.
But anything else to track down on the sluggishness? The DOS boxes popping up as indicated in the ticket? And I regularly CClean and defrag the harddrive.
 
Thanks.
I don't see any mention of DOS boxes in the ticket. I see mention of Combofix/MBAM and RogueKiller. Is this a DOS box popping up on startup? If it is, it's probably a startup program configuring itself. I would check your startup items in MSConfig for anything unusual. We can collect some logs if you want.
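The startup check suggested above, as an added example that is not part of the thread: a PowerShell script that lists the same Run/RunOnce keys and Startup folders MSConfig shows, adds scheduled tasks (which MSConfig does not show), and then flags entries that launch cmd.exe, a .bat/.cmd file or a script host, since those are what typically produce a console window flashing up at logon. The set of locations and the console pattern are my choices, not something the thread specifies.

```powershell
# Added example (not from the thread): enumerate common autostart locations and flag
# entries that would open a console window. Run from an elevated PowerShell prompt.

$entries = New-Object System.Collections.Generic.List[object]

# 1. Run / RunOnce registry keys (machine, user, and the 32-bit view on 64-bit Windows)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
        $entries.Add([pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value })
    }
}

# 2. Startup folders (current user and all users)
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $entries.Add([pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName })
    }
}

# 3. Scheduled tasks via schtasks.exe, which also exists on Windows 7 where
#    Get-ScheduledTask is absent. The CSV header repeats per task folder, so drop those rows.
schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.HostName -ne 'HostName' -and $_.'Task To Run' -and $_.'Task To Run' -ne 'N/A' } |
    ForEach-Object {
        $entries.Add([pscustomobject]@{ Source = 'Scheduled task'; Name = $_.TaskName; Command = $_.'Task To Run' })
    }

# 4. Anything that launches a console or a script host is a candidate for the flashing window
$consolePattern = '(?i)\bcmd(\.exe)?\b|\.bat\b|\.cmd\b|wscript|cscript|powershell'
$suspects = @($entries | Where-Object { $_.Command -match $consolePattern })

"{0} autostart entries found, {1} launch a console or script host:" -f $entries.Count, $suspects.Count
$suspects | Format-Table -AutoSize Source, Name, Command
```

Anything in the flagged list that you do not recognise is worth attaching to the ticket by name and path; a legitimate updater that runs a batch file at logon will show up here too, so the list is a starting point for the log collection Rakanisheu offers, not a verdict.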
