Robert Ehinger
asked on
Webroot and Trend Micro Conflict
Everything was running fine on my Windows XP system until my Webroot subscription expired and I renewed it. After installing the latest version of Webroot I began getting Spy Sweeper UI errors on start up, my desktop has changed, and I can't start in safe mode. Has something been done in Webroot that is causing it to conflict with my Trend Micro Antivirus? I am pasting the HijackThis log below. I just paid for two more years of Webroot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:15 PM, on 1/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [AGRSMMSG] "AGRSMMSG.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [kagiyokeh] Rundll32.exe "c:\windows\system32\lazahuji.dll",a
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O20 - AppInit_DLLs: wenukize.dll c:\windows\system32\robobipe.dll c:\windows\system32\lazahuji.dll
O21 - SSODL: zepelevej - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
O22 - SharedTaskScheduler: mujuzedij - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
--
End of file - 4297 bytes
Thank you!
Robert
I've seen this on a number of computers (we use Trend Micro on campus and some people use Webroot). We disabled Webroot on startup and ran it manually after startup, and the errors went away. We never found a real cause or solution, only this workaround. Maybe a script can be created to run it x minutes after startup, but it's still not a long-term solution.
Could you run:
Atf cleaner to clear temp files http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25
Malwarebytes http://www.malwarebytes.org/mbam-download.php
Eset online scan http://www.eset.com/onlinescan/
After scans rerun Hijackthis
Attach all scanners logfiles here + new Hijackthis logfile
(C:\Program Files\EsetOnlineScanner\log.txt)
ASKER
I had already tried to run Malwarebytes but it would download and not update or run.
Did you get it installed?
If not, redownload it but rename Mbam.exe to bm.exe prior to saving it to machine.
You may also have to rename Mbam.exe in its program directory once installed
C:\Program Files\Malwarebytes' Anti-Malware\Mbam.exe
ASKER CERTIFIED SOLUTION
ASKER
I am not sure which infections you are referring to but everything that I have tried to remove reappears in the next scan.
These entries below are bad, but HijackThis can't clean up these infections while they are still active, especially as these nasties load up very early at startup, so you need to run the tools, or you can try fixing them first and then run the tools.
O4 - HKLM\..\Run: [kagiyokeh] Rundll32.exe "c:\windows\system32\lazahuji.dll",a
O20 - AppInit_DLLs: wenukize.dll c:\windows\system32\robobipe.dll c:\windows\system32\lazahuji.dll
O21 - SSODL: zepelevej - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
O22 - SharedTaskScheduler: mujuzedij - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
If security tools won't run rename them prior to saving the files to the desktop, or check out the link below for other renaming options.
https://www.experts-exchange.com/articles/Software/Internet_Email/Anti-Virus/CAN%27T-RUN-EXES-IN-AN-INFECTED-SYSTEM.html
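A small triage script, added here as an illustration and not part of this thread, of HijackThis or of Experts Exchange: it parses HijackThis entries and flags the early-load autostart points the answer above singles out (O20 AppInit_DLLs, O21 SSODL, O22 SharedTaskScheduler) plus Run entries that launch a DLL through rundll32, then cross-references any DLL wired into several of them. The sample lines are a subset copied from the log in this thread with the extraction spaces removed; the regexes, section descriptions and the "several autostart points" rule are my own assumptions.

```python
import re

# Sample HijackThis lines, a subset copied from the log posted above with the
# extraction spaces removed (constructed test input, not a complete log).
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [kagiyokeh] Rundll32.exe "c:\windows\system32\lazahuji.dll",a
O20 - AppInit_DLLs: wenukize.dll c:\windows\system32\robobipe.dll c:\windows\system32\lazahuji.dll
O21 - SSODL: zepelevej - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
O22 - SharedTaskScheduler: mujuzedij - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
'''

ENTRY_RE = re.compile(r"^([OR]\d+) - (.*)$")          # "O20 - body" layout
# A DLL given as a full path ("c:\...\x.dll") or as a bare name ("x.dll").
DLL_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.dll|\b[a-z0-9_]+\.dll\b', re.I)

# Autostart points that pull a DLL into Explorer or into every user-mode
# process before an on-demand scanner gets to run (the O20/O21/O22 above).
EARLY_LOAD = {
    "O20": "AppInit_DLLs: injected into every process that loads user32",
    "O21": "ShellServiceObjectDelayLoad: loaded by Explorer at logon",
    "O22": "SharedTaskScheduler: loaded by Explorer at logon",
}

def parse(log):
    """Return [(section, body)] for every recognised HijackThis entry."""
    found = (ENTRY_RE.match(line.strip()) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]

def flag_entries(log):
    """Return [(section, reason, dll)] that a defender should review."""
    findings, refs = [], {}
    for section, body in parse(log):
        # Lower-cased basenames of every DLL the entry references.
        dlls = [d.lower().rsplit("\\", 1)[-1] for d in DLL_RE.findall(body)]
        for d in dlls:
            refs.setdefault(d, set()).add(section)
        if section in EARLY_LOAD:
            findings += [(section, EARLY_LOAD[section], d) for d in dlls]
        elif section == "O4" and "rundll32" in body.lower():
            findings += [(section, "Run key starts a DLL via rundll32", d) for d in dlls]
    # One DLL wired into several autostart points is the strongest signal here.
    for d, sections in refs.items():
        if len(sections) > 1:
            findings.append(("*", "same DLL in %d autostart points" % len(sections), d))
    return findings
```

Run against the sample it reports the three O20 DLLs, the O21/O22 entries, the rundll32 Run key, and that lazahuji.dll sits in four autostart points at once, while the Trend Micro service and Run entries produce nothing.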
Try ComboFix... it is a very powerful tool, I'm fairly sure it will get rid of these.... anything leftover if any can be removed using its script function.
We do need to see the combofix.txt
ASKER
I am attaching the combofix log.
ComboFix.txt
ASKER
The bad entries in hijackthis are now gone
SOLUTION
So which antivirus are you using? Avast or TrendMicro?
There is also Webroot Antivirus; you need to uninstall the others and leave only one installed.
Having more than one antivirus always causes conflicts and inefficiency in protection.
ASKER
Avast and Webroot have been uninstalled.
Avast and Webroot have been uninstalled after you run Combofix or before?
Their files are still showing in the ComboFix log, that's why I asked. If it was uninstalled before the ComboFix scan then we need to let CF remove those leftover antivirus files.
When you've run those scripts please post the result.
ASKER
They were removed after combofix was run.
Oh okay....can you attach the result of the script run?
ASKER
Will do after I run it. I am not with that computer right now.
ASKER
Here is the log.
combofixlog.txt
SOLUTION
ASKER
OK, performed scan as instructed. I am attaching the results. The system seems to be running fine now.
Where can I learn about analyzing the ComboFix logs and writing the scripts?
Thank you!!
Robert
DeQuarantine.txt
Thanks for the log, looks good!
To give suggestions on what you asked for would involve advice that is a breach of EE's Membership Agreement, sorry.
Glad to know that the system is running fine now.
To uninstall Combofix:
Go to Start > Run > then 'copy and paste' next command in the field:
ComboFix /Uninstall
Thank you for using Experts-Exchange!