Solved

Webroot and Trend Micro Conflict

Posted on 2010-01-09
Last Modified: 2012-05-08
Everything was running fine on my Windows XP system until my Webroot subscription expired and I renewed it. After installing the latest version of Webroot I began getting Spysweeper UI errors on startup, my desktop has changed, and I can't start in safe mode. Has something been done in Webroot that is causing it to conflict with my Trend Micro Antivirus? I am pasting the HijackThis log below. I just paid for two more years of Webroot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:15 PM, on 1/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [AGRSMMSG] "AGRSMMSG.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe"  /startintray
O4 - HKLM\..\Run: [kagiyokeh] Rundll32.exe "c:\windows\system32\lazahuji.dll",a
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O20 - AppInit_DLLs: wenukize.dll c:\windows\system32\robobipe.dll c:\windows\system32\lazahuji.dll
O21 - SSODL: zepelevej - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
O22 - SharedTaskScheduler: mujuzedij - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc.  - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 4297 bytes

Thank you!

Robert
0
Comment
Question by:Robert Ehinger
22 Comments
 
LVL 12

Expert Comment

by:geowrian
ID: 26275636
I've seen this on a number of computers (we use Trend Micro on campus and some people use Webroot). We disabled Webroot on startup and ran it manually after startup and the errors went away. We never found a real cause or solution, only this workaround. Maybe a script can be created to run it x minutes after startup, but it's still not a long-term solution.
0
 
LVL 22

Expert Comment

by:optoma
ID: 26275691
Could you run:
Atf cleaner to clear temp files http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25

Malwarebytes http://www.malwarebytes.org/mbam-download.php
Eset online scan http://www.eset.com/onlinescan/

After scans rerun Hijackthis

Attach all scanners logfiles here + new Hijackthis logfile
(C:\Program Files\EsetOnlineScanner\log.txt)
0
 

Author Comment

by:Robert Ehinger
ID: 26275740
I had already tried to run Malwarebytes but it would download and not update or run.
0

 
LVL 22

Expert Comment

by:optoma
ID: 26275767
Did you get it installed?
If not, redownload it but rename Mbam.exe to bm.exe prior to saving it to machine.

You may also have to rename Mbam.exe in its program directory once installed
C:\Program Files\Malwarebytes' Anti-Malware\Mbam.exe
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 2000 total points
ID: 26276142
Your Hijackthis log shows infections... so you need to clean that up first then worry about the Trend-SpySweeper conflict later.

Show us the log so we can check to make sure it's clean.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run, re-download and rename before saving to your desktop)


Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 

Author Comment

by:Robert Ehinger
ID: 26276152
I am not sure which infections you are referring to but everything that I have tried to remove reappears in the next scan.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26276156
These entries below are bad, but HijackThis can't clean up these infections while they are still active, especially as these nasties load very early at startup, so you need to run the tools, or you can try fixing them first and then run the tool.

O4 - HKLM\..\Run: [kagiyokeh] Rundll32.exe "c:\windows\system32\lazahuji.dll",a
O20 - AppInit_DLLs: wenukize.dll c:\windows\system32\robobipe.dll c:\windows\system32\lazahuji.dll
O21 - SSODL: zepelevej - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
O22 - SharedTaskScheduler: mujuzedij - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll


If security tools won't run rename them prior to saving the files to the desktop, or check out the link below for other renaming options.
http://www.experts-exchange.com/articles/Software/Internet_Email/Anti-Virus/CAN%27T-RUN-EXES-IN-AN-INFECTED-SYSTEM.html
0
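Added example, not part of the original thread: a short Python triage over autostart lines from the HijackThis log posted in the question, showing why the four entries listed in the comment above stand out. The three heuristics (any AppInit_DLLs value, a Run key that launches a DLL through rundll32, one DLL referenced from several autostart sections) and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: autostart lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [kagiyokeh] Rundll32.exe "c:\windows\system32\lazahuji.dll",a
O20 - AppInit_DLLs: wenukize.dll c:\windows\system32\robobipe.dll c:\windows\system32\lazahuji.dll
O21 - SSODL: zepelevej - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
O22 - SharedTaskScheduler: mujuzedij - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
'''

AUTOSTART = {"O4", "O20", "O21", "O22"}       # sections examined by this sketch
ENTRY = re.compile(r'^(O\d+) - (.*)$')         # "O20 - AppInit_DLLs: ..."
DLL_NAME = re.compile(r'([\w~-]+\.dll)\b', re.I)  # DLL base name, path ignored

def parse_entries(log):
    """Yield (section, body) for each HijackThis item line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log):
    """Return {dll: [reasons]} for DLLs worth a closer look (leads, not verdicts)."""
    seen = defaultdict(set)      # dll -> autostart sections that reference it
    reasons = defaultdict(set)
    for group, body in parse_entries(log):
        if group not in AUTOSTART:
            continue
        for dll in (d.lower() for d in DLL_NAME.findall(body)):
            seen[dll].add(group)
            if group == "O20":
                # AppInit_DLLs are mapped into every process that loads user32.dll
                reasons[dll].add("AppInit_DLLs")
            if group == "O4" and "rundll32" in body.lower():
                reasons[dll].add("Run key via rundll32")
    for dll, groups in seen.items():
        if len(groups) >= 2:
            reasons[dll].add("referenced from %d autostart sections" % len(groups))
    return {dll: sorted(why) for dll, why in reasons.items()}

if __name__ == "__main__":
    for dll, why in sorted(triage(SAMPLE_LOG).items()):
        print(dll, "->", "; ".join(why))
```

Some legitimate software also registers AppInit_DLLs, so a hit is a reason to inspect the file (signature, vendor, creation time), not proof of infection.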
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26276162
Try ComboFix... it is a very powerful tool, I'm fairly sure it will get rid of these.... anything leftover if any can be removed using its script function.
We do need to see the combofix.txt
0
 

Author Comment

by:Robert Ehinger
ID: 26284041
I am attaching the combofix log.
ComboFix.txt
0
 

Author Comment

by:Robert Ehinger
ID: 26288179
The bad entries in hijackthis are now gone
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 2000 total points
ID: 26291824
It looks like you have 3 antivirus there, you need to only have one installed.

ComboFix has deleted a lot of bad files there but still some leftovers we need to delete using CF script function.

wuauclt.exe is missing so we can let ComboFix replace it.


Run Combofix again using this script.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\IS15.exe
c:\windows\system32\winlogon32.exe
c:\windows\system32\smss32.exe
c:\windows\DCEBoot.exe
c:\windows\system32\41.exe
c:\windows\system32\helper32.dll
c:\windows\system32\gegivube.dll
c:\windows\system32\gilarube.dll
c:\windows\system32\jegaroga.dll
c:\windows\system32\jomineli.dll
c:\windows\system32\lazahuji.dll
c:\windows\system32\mapekezi.dll
c:\windows\system32\peduzipe.dll
c:\windows\system32\tinemono.dll
c:\windows\system32\weseniha.dll
c:\windows\system32\wozigiyu.dll
c:\windows\system32\yogeledo.dll
c:\windows\system32\zayofosi.dll
c:\windows\system32\zokayoge.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smss32.exe"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"

FCopy::
c:\windows\system32\dllcache\wuauclt.exe | c:\windows\System32\wuauclt.exe
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26291881
So which antivirus are you using? Avast or TrendMicro?
There's also Webroot Antivirus; you need to uninstall the others and only leave one installed.

Having more than one antivirus always causes conflicts and inefficiency in protection.
0
 

Author Comment

by:Robert Ehinger
ID: 26292069
Avast and Webroot have been uninstalled.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26292503
Were Avast and Webroot uninstalled after you ran ComboFix or before?
Their files are still showing in the ComboFix log, that's why I asked. If they were uninstalled before the ComboFix scan then we need to let CF remove those leftover antivirus files.
When you've run that script please post the result.
0
 

Author Comment

by:Robert Ehinger
ID: 26292537
They were removed after combofix was run.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26292565
Oh okay....can you attach the result of the script run?
0
 

Author Comment

by:Robert Ehinger
ID: 26292604
will do after I run it. I am not with that computer right now.
0
 

Author Comment

by:Robert Ehinger
ID: 26298735
Here is the log.
combofixlog.txt
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 2000 total points
ID: 26311486
Combofix is pulled temporarily, must be some bugs they're fixing.


Can you run this script please...

Run combofix again using this script.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------

DeQuarantine::
C:\Qoobox\Quarantine\c\windows\$NtUninstallKB922582$
Quit::
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


0
 

Author Comment

by:Robert Ehinger
ID: 26324047
OK, performed scan as instructed. I am attaching the results. The system seems to be running fine now.

Where can I learn about analyzing the ComboFix logs and writing the scripts?

Thank you!!

Robert
DeQuarantine.txt
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26334439
Thanks for the log, looks good!

To give suggestions on what you asked for would involve advice that is a breach of EE's Membership Agreement, sorry.

Glad to know that the system is running fine now.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26339295
To uninstall Combofix:
Go to Start > Run > then 'copy and paste' next command in the field:

ComboFix /Uninstall

Thank you for using Experts-Exchange!
0
