Page 1 / 2
For example, DLL Preloading, which is about as fun as it sounds
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
Yeah, computer security is really, really, really hard or impossible once you have something malicious on your PC. In the corporate world, if you get a virus the entire computer gets rebuilt, end of discussion (unless there's an internal department that can handle forensic investigation, but the employee is still getting another computer.) That's why Webroot's journaling tech is such a good solution; it can pretty reliably remove every trace of something trying to hide in most situations. It's good stuff. If it was crappy - trust me - I wouldn't be here.
Well I'm expressed just the same...administrator of 1400+ computers! Really? Nice to have you on board with Webroot..
You are welcome.
Another last-ditch approach is to remove the System Analyzer registry keys to see if anything in there is triggering it to leave a driver behind. It's been awhile, and I don't have my VMs handy to test it out, but I think I remember it leaving keys behind somewhere under SOFTWARE in HKLM or HKCU.
This is totally an out-there idea, and wouldn't be something I would use since I'm pretty good at ferreting out autoruns, but hey, that's what I specialize in at work. Stupid ideas that solve things all the smart ideas didn't. 😃
Great information. I haven't used Sysinternals in a long time. Thanks TH and explanoit.
Side note: If the executable is located in a hidden directory, I do not think whole computer search will show it unless you have showing hidden directories enabled. For example, C:\Users\<Username>\AppData is hidden, and that's where your temporary internet files are stored.
I recommend you use Sysinternals Autoruns then go to Files > Run as Administrator to find where the Webroot component is loading. It does load a driver, which is what may be bootstrapping the EXE at startup.
Those are my only suggestions outside of what has been recommended.
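A scripted version of the checks suggested above, as an added example that is not part of the original post: it searches hidden directories as well, then lists the places a weekly launch could come from (Run keys, weekly scheduled tasks, drivers). The name patterns, the date window and the `C:\` root are assumptions taken from details mentioned in the thread; it assumes PowerShell 3.0 or later, an elevated prompt, and English `schtasks` column names.

```powershell
# Added example. Patterns, dates and search root are assumptions, adjust as needed.
$pattern = '*analyzer*'
$vendor  = '*webroot*'
$from    = Get-Date '2014-02-12'
$to      = Get-Date '2014-02-21'

# 1. Files matching the name, or binaries created inside the window.
#    -Force includes hidden and system items such as AppData.
Get-ChildItem -Path 'C:\' -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Name -like $pattern -or
        ($_.Extension -in '.exe', '.sys', '.dll' -and
         $_.CreationTime -ge $from -and $_.CreationTime -le $to)
    } |
    Select-Object FullName, CreationTime, Attributes

# 2. Per-machine and per-user Run keys (a subset of what Autoruns shows).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

# 3. Scheduled tasks with a weekly trigger. The verbose CSV output can repeat
#    its header row, so those rows are filtered out.
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Schedule Type' -like '*Weekly*' } |
    Select-Object TaskName, 'Task To Run', Days, 'Start Time', 'Run As User'

# 4. Drivers whose name or image path matches the vendor pattern.
Get-WmiObject Win32_SystemDriver |
    Where-Object { $_.PathName -like $vendor -or $_.DisplayName -like $vendor } |
    Select-Object Name, DisplayName, PathName, StartMode, State
```

Any weekly task or Run entry whose command points at one of the files from step 1 is the first thing to compare against the Thursday start time reported in the thread.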
Well I wouldn't have thought of that but it sounds possible, doesn't it, DavidP1970? Need to check that out on my systems because I've always started the analyzer manually.
You want to hear a funny story? System Analyzer Standalone does not even install, it just runs from the user space. I just tried it on one of my VMs, then decided to go to the download page, and it explains that it doesn't install, so I don't know what you have. Have you seen this web page before? http://www.webroot.com/ca/en/business/resources/analyzer
And here is the Direct Download link:
Webroot System Analyzer Standalone Download Link:
http://anywhere.webrootcloudav.com/zerol/syswranalyzer.exe
TH
It is indeed very very curious... as your case is the only one documented that I am aware of that the Analyzer was running automatically. I certainly look forward to seeing your post Friday!
Actually I submitted a problem report/support ticket before posting anything to the forum. They asked me to run their log gathering utility and submit those. I did. Their reply was there was nothing wrong and the System Analyzer could not start by itself. They suggested uninstalling and reinstalling the WebRoot SecureAnywhere AntiVirus. Ultimately that is what I did, and it does appear to have ended the automatic starts. I will wait a week to be sure though.
Even if this does resolve the problem, the solution is not very satisfying in that it does not explain why it suddenly started running once a week, where it came from or how it was being started. And yes it was the "System Analyzer" not the "System Optimizer". The registry had an entry for "SystemAnalyzerScore", and still does.
If it does not start again by next Friday, I will come back here and mark this as the accepted solution.
Well, this is very strange indeed. Can you please submit a support ticket so they can look at your scan log? They will know for sure if you have System Analyzer. Also, please let us know the outcome, as this is very interesting!
Thanks,
Daniel 😉
It does not say "Complete".
It says:
Product AntiVirus
Version 8.0.4.68
Under Advanced Settings -> Scheduler There is only one tab "Scan Schedule"
Well, I uninstalled WebRoot Secure AnyWhere AntiVirus at 3:30pm today. The System Analyzer, that had been starting at 5:30pm on Thursdays did NOT start today, and had not as of 9:00pm this evening. So it appears that WebRoot itself is the culprit and not a hidden installation of the System Analyzer.
I have reinstalled WebRoot. If the problem reoccurs, I will post back here again.
Thanks everyone.
TH
That is quite interesting, to say the very least. Please let us know what happens Thursday!
The product shows just as "Antivirus". I have not intentionally installed a standalone version of the System Analyzer.
The scan of my system for items installed from just before this started to just after the first occurrence reminded me of one other change to the system. On February 20, the first date of the occurrence, I replaced my failed Canon MX700 with a new Canon MX922. That installed a bunch of new software for the scanner. I don't see how that should cause this, but that is just a bit too coincidental.
Since I now have a repeating time frame for this, perhaps the best course of action would be to uninstall Webroot next Thursday before 5:30pm and see if the Analyzer still runs. If it does, then there must be a standalone copy hidden somewhere.
Can you tell us what product you have? Is it the AV only? Please see here to find out. Does it say Complete on there? http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C12_MyAccount/CH11a_ViewingAccount.htm
Thanks,
TH
I did a search of my entire system for "Analyzer" and did not find any .exe files that appear to be the Webroot System Analyzer. I did find the output logs from the analyzer runs. It is not as random as I thought and is occurring once a week on Thursdays at about 5:30pm, give or take a few minutes. The first log is dated February 20. The first line of that log reads:
"Thu 2014-02-20 16:29:25 System Analysis completed in 93 seconds (v8.0.4.57)"
The only maintenance done to the system has been done by me. That consisted of installing Microsoft critical/security patches. I do this manually every couple of weeks. I do not allow automatic updates to any of my systems.
I am going to search my system for anything that was added between 2/12 and 2/21. Since it did not run on 2/13 perhaps I can find what is triggering it that way.
This is the AV-only forum, so you would not have System Analyzer or System Optimizer unless you have the Gamer version, which has System Optimizer. But like David said, it could be the standalone System Analyzer here: http://www.webroot.com/ca/en/business/resources/analyzer. Can you confirm whether you have either of these two?
Thanks,
TH
The Analyzer does not normally start by itself, nor is there a scheduler for it. I have a question or two though:
When did this first start happening?
There is a standalone download of the Analyzer, would perhaps this have been placed onto the computer?
Have you had the computer serviced in any way, in person or remotely, during which a standalone version of the Analyzer might have been used?
Apparently I did not understand your question and answered about System Optimizer.
System Analyzer can only be started manually.
Using the System Analyzer
http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C10_SystemControl/CH10a_UsingSystemAnalyzer.htm
Have you tried reinstall of WSA?