Solved

Webroot not working properly - Help for noob.

  • 22 December 2012

On 12/15 webroot found the following:
c:\users\qik\appdata\local\temp\1o97yghh.exe
c:\users\qik\appdata\locallow\sun\java\deployment\cache\6.0\21\136e2495-1818bcf0
 
I couldn't duplicate it, and checked with support, who had me click on the "help and support" link within Webroot to send them a log. It wouldn't (and still won't) finish generating a report. They had me download and run, from a safe boot, a tool to extract info to send them, and then promptly told me there was nothing on my system.
 
Webroot has not shown a problem since, but the following was pulled by super antispyware:
 
SUPERAntiSpyware Scan Log http://www.superantispyware.com
Generated 12/21/2012 at 07:51 AM
Application Version : 5.6.1014
Core Rules Database Version : 9775
Trace Rules Database Version: 7587

Scan type       : Complete Scan
Total Scan Time : 00:50:33

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned      : 645
Memory threats detected   : 0
Registry items scanned    : 73658
Registry threats detected : 0
File items scanned        : 71506
File threats detected     : 4

Trace.Known Threat Sources
  C:\USERS\QIK\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PZFHB5SY\index[1].xml [ cache:webfile ]
  C:\USERS\QIK\Local Settings\Temporary Internet Files\Content.IE5\PZFHB5SY\index[1].xml [ cache:webfile ]

Trojan.Agent/Gen-Downloader
  C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\23.0.1271.97\AVFORMAT-54.DLL

Trojan.Agent/Gen-AgentSmall
  C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\23.0.1271.97\AVUTIL-51.DLL
 
I have run multiple (read non-stop panic stricken scans) scans with everything at my disposal:
 
Webroot over and over
Superantispyware
Malwarebytes
Lavasoft's Adaware
Microsoft safety scanner.
 
It seems my system has (see above results) downgraded my user account to a limited account, but I can't find any indication that I can't use the account fully... anyone smarter than me (okay, admittedly, that's almost all of you) that can help diagnose/repair?
 
Radiohawk

Best answer by Kit 22 December 2012, 22:36


Userlevel 7
Without having access myself to tickets over the holiday weekend, I can't give a definite answer. I do have good news, however.
 
The XML file (listed twice) is not executable code. It is in the temporary internet files and is nothing but a trace. Literally, that's like a security system for a store ringing an alarm because the video from the parking lot saw a guy in a mask walk by on the sidewalk. Not dangerous, but the security system likes to say it's doing something, so it points it out.
 
I personally cannot give a direct result from the DLL files, but two factors: When our threat research teams say something is okay, I've never known them to be wrong, and Google searching shows SuperAntiSpyware to very frequently trigger false positives on those two files. Chances are pretty good they are fine; however, a support ticket is the best way to find out. The program they had you run gathers the Webroot logs also, and threat research can see precisely what the files do on your system to determine whether they are dangerous or not.
 
UAC automatically creates limited account status, which is the alert that asks you whether you want to really run the program and allow it to make changes to your computer.

Thanks so much, Kit. Might I ask... what is UAC (noob status again showing its ugly head)?

The thing that I am not sure of that got me all twitter-pated is that Webroot is not working properly: when I click on the icon, in that menu is a link (help and support) that's supposed to gather info for support, but it doesn't work, which makes me think a virus/trojan or other is preventing it from working. Thoughts?

thanks again,

radiohawk
Userlevel 7
Hello Radiohawk, and welcome to the Webroot Community Forums. It's best to keep in contact with Support, as they can continue to help you; as Kit said, he can't see your support ticket, as I'm assuming he is at home and not in the office.
 
User Account Control & more info: User Account Control Step-by-Step Guide
 
TH
Userlevel 7
Looks like Triple Helix got the UAC information.
 
The portion about automatically gathering information for support is as follows:
 
If a support ticket is opened from a supported browser, when the support ticket is submitted, Webroot SecureAnywhere knows about it and also automatically sends a basic set of SecureAnywhere diagnostic data to the server at the same time that is linked to the ticket you just opened.
 
If a different computer is used to submit the ticket, or if a non-supported browser is used, or if a firewall is blocking things, or if the browser is sandboxed, or if another security program blocks us from accessing the network or the browser or our data, or if the server the data is sent to is down, it's completely normal for the logs to not be sent.
 
More importantly, if there is more data we need than the basic logs provide, we use the other utility.  It gathers a substantially larger amount of general diagnostic information for looking at the computer as a whole rather than just the SecureAnywhere agent's view of things. 
 
Unless Threat Research didn't take a look for some reason, if they decreed your system is clean, chances are that it's good and you're more likely to get hit by lightning within the next five minutes than have a threat on the system.
