Robert Ehinger (United States of America) asked:
Webroot and Trend Micro Conflict

Everything was running fine on my Windows XP system until my webroot subscription expired and I renewed it. After installing the latest version of webroot I began getting Spysweeper UI errors on start up, my desktop has changed, I can't start in safe mode. Has something been done in webroot that is causing it to conflict with my Trend Micro Antivirus? I am pasting the hijackthis log below. I just paid for two more years of webroot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:15 PM, on 1/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [AGRSMMSG] "AGRSMMSG.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe"  /startintray
O4 - HKLM\..\Run: [kagiyokeh] Rundll32.exe "c:\windows\system32\lazahuji.dll",a
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O20 - AppInit_DLLs: wenukize.dll c:\windows\system32\robobipe.dll c:\windows\system32\lazahuji.dll
O21 - SSODL: zepelevej - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
O22 - SharedTaskScheduler: mujuzedij - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc.  - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 4297 bytes

Thank you!

Robert
geowrian (United States of America):

I've seen this on a number of computers (we use Trend Micro on campus and some people use Webroot). We disabled Webroot on startup and ran it manually after startup, and the errors went away. We never found a real cause or solution, only this workaround. Maybe a script can be created to run it x minutes after startup, but it's still not a long-term solution.
Could you run:
ATF Cleaner to clear temp files http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25

Malwarebytes http://www.malwarebytes.org/mbam-download.php
Eset online scan http://www.eset.com/onlinescan/

After the scans, rerun HijackThis.

Attach all the scanners' logfiles here plus the new HijackThis logfile
(C:\Program Files\EsetOnlineScanner\log.txt)
Robert Ehinger (asker):
I had already tried to run Malwarebytes but it would download and not update or run.
Did you get it installed?
If not, redownload it but rename Mbam.exe to bm.exe prior to saving it to machine.

You may also have to rename Mbam.exe in its program directory once installed
C:\Program Files\Malwarebytes' Anti-Malware\Mbam.exe
ASKER CERTIFIED SOLUTION by rpggamergirl (Australia)
I am not sure which infections you are referring to but everything that I have tried to remove reappears in the next scan.
These entries below are bad, but HijackThis can't clean up these infections when they are still active, especially as these nasties load up very early at startup, so you need to run the tools, or you can try fixing them first and then run the tool.

O4 - HKLM\..\Run: [kagiyokeh] Rundll32.exe "c:\windows\system32\lazahuji.dll",a
O20 - AppInit_DLLs: wenukize.dll c:\windows\system32\robobipe.dll c:\windows\system32\lazahuji.dll
O21 - SSODL: zepelevej - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
O22 - SharedTaskScheduler: mujuzedij - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll


If security tools won't run, rename them prior to saving the files to the desktop, or check out the link below for other renaming options.
https://www.experts-exchange.com/articles/Software/Internet_Email/Anti-Virus/CAN%27T-RUN-EXES-IN-AN-INFECTED-SYSTEM.html
Try ComboFix... it is a very powerful tool; I'm fairly sure it will get rid of these. Anything left over, if any, can be removed using its script function.
We do need to see the combofix.txt.
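The entries flagged above share one pattern: the same DLL is hooked from several persistence sections (O4 Run, O20 AppInit_DLLs, O21 SSODL, O22 SharedTaskScheduler), which is why HijackThis alone cannot remove it while it is loaded. The following triage script is an added example, not part of the thread or of HijackThis itself; it parses HijackThis-style lines (sample lines copied from the log above, plus one benign O4 entry for contrast) and reports which DLLs are referenced from which sections, so the ones hooked in more than one place can be prioritised for cleanup.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the HijackThis log in this thread,
# plus the legitimate SpySweeper O4 entry as a benign control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe"  /startintray
O4 - HKLM\..\Run: [kagiyokeh] Rundll32.exe "c:\windows\system32\lazahuji.dll",a
O20 - AppInit_DLLs: wenukize.dll c:\windows\system32\robobipe.dll c:\windows\system32\lazahuji.dll
O21 - SSODL: zepelevej - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
O22 - SharedTaskScheduler: mujuzedij - {99387e39-040b-4eaf-ac4c-d8d8fa89d3a0} - c:\windows\system32\lazahuji.dll
"""

# A HijackThis entry is "<section> - <body>", e.g. "O20 - AppInit_DLLs: ...".
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")
# A DLL name, optionally preceded by a drive path; quotes and commas end the path.
DLL_RE = re.compile(r'(?:[a-z]:\\[^\s",]+\\)?([\w.-]+\.dll)', re.IGNORECASE)
# Persistence sections that normal consumer software almost never needs.
AUTO_REVIEW = {"O20", "O21", "O22"}

def parse_entries(log_text):
    """Yield (section, body) for every HijackThis entry line in the log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log_text):
    """Map each DLL found in a suspicious entry to the sorted sections referencing it."""
    hits = defaultdict(set)
    for section, body in parse_entries(log_text):
        suspicious = section in AUTO_REVIEW
        # An O4 Run value that launches a DLL through rundll32 also deserves a look.
        if section == "O4" and "rundll32" in body.lower():
            suspicious = True
        if not suspicious:
            continue
        for m in DLL_RE.finditer(body):
            hits[m.group(1).lower()].add(section)
    return {dll: sorted(secs) for dll, secs in hits.items()}

def shared_dlls(log_text, min_sections=2):
    """DLLs hooked from several sections at once: the ones to clean up first."""
    return {dll: secs for dll, secs in triage(log_text).items() if len(secs) >= min_sections}

if __name__ == "__main__":
    for dll, secs in triage(SAMPLE_LOG).items():
        print(f"{dll}: {', '.join(secs)}")
```

On the sample log the script reports lazahuji.dll from four sections and wenukize.dll and robobipe.dll from AppInit_DLLs only, matching the entries singled out in the reply above.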
I am attaching the combofix log.
ComboFix.txt
The bad entries in HijackThis are now gone.
SOLUTION
So which antivirus are you using? Avast or Trend Micro?
There is also Webroot Antivirus; you need to uninstall the others and only leave one installed.

Having more than one antivirus always causes conflicts and inefficiency in protection.
Avast and Webroot have been uninstalled.
Avast and Webroot have been uninstalled after you run Combofix or before?
Their files are still showing in the ComboFix log, that's why I asked. If they were uninstalled before the ComboFix scan then we need to let CF remove those leftover antivirus files.
When you've run that script, please post the result.
They were removed after ComboFix was run.
Oh okay... can you attach the result of the script run?
Will do after I run it. I am not with that computer right now.
Here is the log.
combofixlog.txt
SOLUTION
OK, performed scan as instructed. I am attaching the results. The system seems to be running fine now.

Where can I learn about analyzing the ComboFix logs and writing the scripts?

Thank you!!

Robert
DeQuarantine.txt
Thanks for the log, looks good!

To give suggestions on what you asked for would involve advice that is a breach of one of EE's Membership Agreement terms, sorry.

Glad to know that the system is running fine now.
To uninstall Combofix:
Go to Start > Run > then 'copy and paste' next command in the field:

ComboFix /Uninstall

Thank you for using Experts-Exchange!