Webroot Found A Virus/Maleware But Only blocked It !

  • 12 October 2013
  • 21 replies
  • 116 views

Webroot found: C:program fileswrapper_instservice.exe   It blocked it but, didn't remove it. Please help! Thanks! margaret

21 replies

Userlevel 7
Hello ragweed and welcome to the Webroot Community!

 

You are safe, as WSA IS blocking it from harming the computer, but yes, you do want to get it out!  Webroot Support might be the best way to go on helping to get this removed, so you might want to submit a Trouble Ticket (Link below in my signature area).  It is the weekend, so I don't know how fast the response times are, but again, until you DO get a response you are protected from it so you should be in good shape!
Thanks! I did a restart & get no more blocked messages. I guess Webroot removed it during restart?
Userlevel 7
@ wrote:

Thanks! I did a restart & get no more blocked messages. I guess Webroot removed it during restart?

That is very possible, but you can check:  Open WSA, Click the 'gear tool' next to PC Security, and then click the Quarantine tab to see if it is listed there.   🙂
Userlevel 7
And if it's listed in the Quarantine, just click on Delete Permanently.;)
Its still in Blocked items & not in quarintene. At least its not running! Webroot is the Best!
I have 3 items in the Blocked section. I just noticed there is a REMOVE ALL BUTTON. Should I just hit remove all in Blocked items to get rid of them? Thanks!!
Userlevel 7
@ wrote:

I have 3 items in the Blocked section. I just noticed there is a REMOVE ALL BUTTON. Should I just hit remove all in Blocked items to get rid of them? Thanks!!

That is hard to say: in my experience that is usually safe to do, but if you have any questions at all about removing the files you may want to do that trouble ticket first.  Sometimes plain removing the files is not the right thing to do and may cause additional problems, even though the file was blocked to begin with by WSA.
OK.......Thanks again for your help!! I will wait & write a trouble ticket next week...!!!!!!
Userlevel 7
Badge +56
@ wrote:

I have 3 items in the Blocked section. I just noticed there is a REMOVE ALL BUTTON. Should I just hit remove all in Blocked items to get rid of them? Thanks!!

I would remove all the Blocked files and run another scan to see if anything is detected again in which I doubt also after the scan go to the Webroot Tray Icon and Right Click on it and Click Save a Scan Log and have a look near the Bottom and it should say that it was blocked hence it means it never got into your system if it's not in Quarantine also it would say if Webroot cleaned it but again it would be in your Quarantine so have a look and let us know what it says then we can further Guide you!

 

Thanks,



TH
Userlevel 7
TH: Thank You!!  I have quite a bit of experience in some areas of WSA but handling infections is NOT one of them as I so very rarely actually manage to get one or even an item Blocked.  :)
Userlevel 7
@ wrote:

I have 3 items in the Blocked section. I just noticed there is a REMOVE ALL BUTTON. Should I just hit remove all in Blocked items to get rid of them? Thanks!!

Clicking on 'Remove All' button will only remove all determination overrides. Not the actual files. If you go ahead and click on it, you'll be back to square one with WSA looking at the files like a best man at the bridemaids. WSA will scan and block them again.
Userlevel 7
Badge +56
@DavidP1970 wrote:

TH: Thank You!!  I have quite a bit of experience in some areas of WSA but handling infections is NOT one of them as I so very rarely actually manage to get one or even an item Blocked.  :)

Yeppers that's why we have a Tag Team to back up one and another! :D

 

Daniel 😉
Userlevel 7
@PIInfinity wrote:

@ wrote:

I have 3 items in the Blocked section. I just noticed there is a REMOVE ALL BUTTON. Should I just hit remove all in Blocked items to get rid of them? Thanks!!

Clicking on 'Remove All' button will only remove all determination overrides. Not the actual files. If you go ahead and click on it, you'll be back to square one with WSA looking at the files like a best man at the bridemaids. WSA will scan and block them again.

Um... I think that is correct... I told you I am not as good with infections as I don't have to handle them very often!  And I am still getting used to the new interface as well 🙂
Userlevel 7
@DavidP1970 wrote:
Um... I think that is correct... I told you I am not as good with infections as I don't have to handle them very often!  And I am still getting used to the new interface as well :)

 

It's very easy to check. In the 'Block/Allow Files' tab from 'PC Security gear, click on 'Add file'. Select any executable file and block it. Then click 'Remove all' and see what happens.;)
Userlevel 7
@PIInfinity wrote:

@DavidP1970 wrote:
Um... I think that is correct... I told you I am not as good with infections as I don't have to handle them very often!  And I am still getting used to the new interface as well :)

 

It's very easy to check. In the 'Block/Allow Files' tab from 'PC Security gear, click on 'Add file'. Select any executable file and block it. Then click 'Remove all' and see what happens.;)

Yeah.. I just did.. and you seem to be correct 🙂
Userlevel 7
Badge +56
Use the Great Tools my Tag Team Friends. LOL

 

Blocking/Allowing files

If you want to control scanning and shielding behavior related to specific files, you can use the Block/Allow Files tab to specify one of the following actions:


  • Allow. Ignore a file during scans and shielding.
  • Block. Stop a file from executing or being written to your computer.
  • Monitor. Watch the program to determine if it is legitimate or related to malware.
Block/Allow Files settings override SecureAnywhere’s default scanning and shielding behavior.

 

http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C5_Quarantine/CH5b_BlockingAllowingFiles.htm

 

Daniel 😉
Userlevel 7
@

 

Hi Margaret,



 

So far what I've understood is you got a WSA red colored pop-up saying C:program fileswrapper_instservice.exe has been blocked. It's listed in 'Block/Allow Files' tab as blocked. You're afraid WSA did not remove it.



 

If your situation is the same as my understanding then this is what you have to do.



 

First click 'Scan my Computer' on the main interface of WSA.



 





 

Select the file and click Continue.



 





 

Select 'Remove' and click 'Next'.



 





 

Click 'Begin Threat Removal'.



 





 

After the re-scan has completed go to Quarantine. Select the file and click on 'Delete Permanently'. After deleting go to 'Block/Allow Files' and click on 'Remove All'. Click Yes.



 

You're done.;)



 

Points to be considered.



 

If the initial scan shows no threats, go to 'Block/Allow Files' and click on 'Remove All'. Click Yes. This is because the file may have already been removed. And the entry could have been left behind.



 

 

 

 
Userlevel 7
Badge +56
Amit I think your getting it wrong but not fully sure?

 

This could be the possible Pop-up she saw? I got this when I unzipped this malware file into my downloads folder and the realtime shield blocked it.

 

Daniel

 

Sat 12-10-2013 14:41:41.0901    Begin passive write scan (1 file(s))

Sat 12-10-2013 14:41:43.0352    Infection detected: c:usersdanieldownloadswin32killfiles.ncfwin32killfiles.ncf.exe [MD5: B6B8F6D287890D857DD15D0FA48C98B3] [3/00080000] [W32.Trojan.Trojan.gen]

Sat 12-10-2013 14:41:43.0352    Infection found in realtime: c:usersdanieldownloadswin32killfiles.ncfwin32killfiles.ncf.exe [MD5: B6B8F6D287890D857DD15D0FA48C98B3, Size: 13824 bytes] [524288/00000003] [W32.Trojan.Trojan.gen]

Sat 12-10-2013 14:41:43.0680    End passive write scan (1 file(s))

 

Userlevel 7
I think the original post had the file path as C:/Program Files/etc etc  which might mean that the detected file is already installed in the computer though.. that changes things a little bit on how to handle I think, but I am not sure.
Userlevel 7
@DavidP1970



You're correct.

 

 

 

@ 

Yes I understand that.

When the red colored pop-up shows up, WSA  automatically qurantines the threat, putting the rollback feature in place and scans for any threat remaining to remove it as described in my last post. The problem here is Margaret got the pop-up but didn't find the threat in the 'Quarantine'.

 

Hence I've asked her to manually scan in order to remove the file determined by WSA as blocked in the 'Block/Allow Files' tab. Followed by the removal of the entry from 'Block/Allow Files' tab.

 

I've also mentioned that if the inital scan does not find any threats she has to remove the entry from 'Block/Allow Files' tab as the threat could have already been removed only leaving the entry behind.

 

 

 

 
Userlevel 7
@

 

Hi Margaret,

 

Pleae see if this setting is checked.



 





 

Then follow this https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Webroot-Found-A-Virus-Maleware-But-Only-blocked-It/m-p/61101#M3134

Reply