Wilders Security Forums  

  #1  
Old October 28th, 2005, 01:01 AM
howiem howiem is offline
Infrequent Poster
 
Join Date: Sep 2005
Posts: 14
Default What's the beef with Webroot

Looks like the folks at Javacoolsoftware.com need to do some talking to the people at webroot.com. After installing WebRoot's Spysweeper 4.5 it detected the EULAlyzer uninstall (unins000.exe) program as a System Monitor (read Keylogger) written by Golden Eye Software - see http://www.webroot.com/php/spysweeper_spydesc.php.

But that's not all, it also detected SpywareBlaster as a problem : IE Security Shield: found: G:\PROGRAM FILES\SPYWAREBLASTER\SBAUTOUPDATE.EXE -- IE Security modification allowed at user request
  #2  
Old October 28th, 2005, 02:28 AM
javacool javacool is offline
BrightFort Moderator
 
Join Date: Feb 2002
Posts: 3,879
Default Re: What's the beef with Webroot

Quote:
Originally Posted by howiem
Looks like the folks at Javacoolsoftware.com need to do some talking to the people at webroot.com. After installing WebRoot's Spysweeper 4.5 it detected the EULAlyzer uninstall (unins000.exe) program as a System Monitor (read Keylogger) written by Golden Eye Software - see http://www.webroot.com/php/spysweeper_spydesc.php.

The unins000.exe file is a standard uninstaller for the installer engine we use. (InnoSetup) Any program that uses that installer may end up having that file falsely detected by Webroot, so it's definitely something they need to fix.

Quote:
But that's not all, it also detected SpywareBlaster as a problem : IE Security Shield: found: G:\PROGRAM FILES\SPYWAREBLASTER\SBAUTOUPDATE.EXE -- IE Security modification allowed at user request

You might want to check out this thread in the SpywareBlaster support forum: http://www.wilderssecurity.com/showthread.php?t=102176

Could you please contact Webroot and report these problems? Thanks!

Best regards,

-Javacool
__________________

*Official BrightFort Website*
*SpywareBlaster*

*Please note: I am not responsible if any advice herein causes any trouble whatsoever *
  #3  
Old October 28th, 2005, 03:10 AM
howiem howiem is offline
Infrequent Poster
 
Join Date: Sep 2005
Posts: 14
Default Re: What's the beef with Webroot

I have reported these problems to Webroot. You might also want to look at my post at http://www.wilderssecurity.com/showt...488#post593488
  #4  
Old October 28th, 2005, 06:57 AM
beetlejuice69 beetlejuice69 is offline
Frequent Poster
 
Join Date: Mar 2005
Posts: 781
Default Re: What's the beef with Webroot

I had a problem yesterday with Spy Sweeper flagging unins000.exe. I sent in a report and got a reply back that they would check it out and fix if need be. They said it might take up to 5 days.
__________________
http://www.tallemu.com/



The Best Of The Best.
ßè膣èJÚïÇè69
  #5  
Old November 1st, 2005, 11:13 PM
VCC
 
Posts: n/a
Default Re: What's the beef with Webroot

I also was told I had Goldeneye on my system -- can it be loaded remotely -- is this something I need to worry about, or, is it just Spysweeper making a mistake?
  #6  
Old November 1st, 2005, 11:32 PM
howiem howiem is offline
Infrequent Poster
 
Join Date: Sep 2005
Posts: 14
Default Re: What's the beef with Webroot

"I also was told I had Goldeneye on my system "

It depends on what it thinks Goldeneye is. In Spysweeper, go to Results (left hand menu) and session log tab and look through the entries to see what it detected as Goldeneye. If it relates to a known good program (like EULAlyzer in my case), it is probably a false positive. If you are not sure, go to the Options page and click the button "Report Spyware" and let Webroot sort it out. They will open a support ticket for you and advise you what to do.
  #7  
Old November 2nd, 2005, 12:16 AM
VCC
 
Posts: n/a
Default Re: What's the beef with Webroot

Thank you for the help.

This is what the session said:

9:29 PM: Found System Monitor: golden eye
9:29 PM: unins000.exe (ID = 18119
9:29 PM: File Sweep Complete, Elapsed Time: 00:07:56
9:29 PM: Full Sweep has completed. Elapsed time 00:10:32
9:29 PM: Traces Found: 1
9:49 PM: Removal process initiated

I did go ahead and send them an e-mail.

I still don't understand how something like this could be installed as I am the only one who uses this computer. Can it be installed remotely?

I really, really don't want to have to change all my passwords, change my bank account, etc.
  #8  
Old November 2nd, 2005, 01:01 AM
howiem howiem is offline
Infrequent Poster
 
Join Date: Sep 2005
Posts: 14
Default Re: What's the beef with Webroot

That's the same entry I had. But I am not getting that detection any more since reporting it and updating Spysweeper 4.5.5. Have you recently updated Spysweeper and run a scan? If not, try it and see if it is still being detected. After updating, go to safe mode and run a complete scan, then boot into Windows and run the scan. If nothing is detected then Webroot has fixed the problem.

You asked,
"I still don't understand how something like this could be installed as I am the only one who uses this computer."
Spyware can get installed through going to web pages that put spyware on your computer by downloading it. Spyware can get on your PC by clicking on email attachments that contain spyware programs. Spyware can get on your PC by downloading and installing programs that come bundled with spyware...mainly free programs. So the answer to your question, "Can it be installed remotely?" is definitely YES.
Time for some sleep. Good luck.
  #9  
Old November 2nd, 2005, 11:44 AM
VCC
 
Posts: n/a
Default Re: What's the beef with Webroot

Howie,

Thank you for the input.

Do you feel that you had Golden Eye on your computer or that it was indeed a false positive?

It was only detected on mine "after" I upgraded Spy Sweeper.

Yes, I understand how spyware gets on my machine, but everything I have read about Golden Eye makes it sound like it has to be physically installed using their software. I may be mistaken.

So, because we both had the same message, are you going to change all your passwords, bank account, etc?

I really don't mean to be a pain!

Thanks for your help.

V
  #10  
Old November 2nd, 2005, 12:45 PM
howiem howiem is offline
Infrequent Poster
 
Join Date: Sep 2005
Posts: 14
Default Re: What's the beef with Webroot

I am convinced it is a false positive after checking all the programs that have unins000.exe that I have on my PC (about 43 of them), and the fact that it was not detected after Webroot issued an update following a number of complaints about false positives.
You said,
"It was only detected on mine "after" I upgraded Spy Sweeper".
The same here, but now you need to update definitions (not upgrade) and scan - the latest update should have gotten rid of the false positive. It did for me.
"everything I have read about Golden Eye makes it sound like it has to be physically installed using their software."
According to http://securityresponse.symantec.com...goldeneye.html that is correct, but it might get onto a PC by being bundled with another program.
To feel more confident that you do not have it, search your PC for the following files:
1. AGSeyApp.exe: This is the main spyware file.
2. GEHP.dll: This is the Spyware.GoldenEye helper .dll file.
3. BMPtoJPG.dll
4. KBHOOK.dll
5. MSCOMCTL.OCX
6. OLEAUT32.DLL
7. PICCLP32.OCX
8. TabCtl32.ocx
I do not have any of them, and you probably don't either.
"So, because we both had the same message, are you going to change all your passwords, bank account, etc?"
No I am not, but I can't advise you not to until you have updated the Spysweeper definitions and run scans in normal and safe mode to see if it is still detected.
No, you are not a pain. You are right to be cautious. But get those definitions updated and the scan done - I doubt if it will be detected with the latest spyware definitions installed. Updating definitions and running scans is the key to getting something out of the anti-spyware program. There are new spyware programs and variants coming out all the time, so you should update and scan at least weekly, but more frequently if time permits. In Spysweeper go to options and program options and make sure you check the box for automatic updates, then all you need to remember is to scan a couple of times a week or if you think something has gotten in your PC. Also use other anti-spyware programs like the free Spybot Search & Destroy, free AdAware SE Personal Edition, free Microsoft Antispyware, and any others you can afford - like Spyware Doctor, Counterspy and SpySubtract. You do not need to run all of them at startup, but you do need to keep them updated. No single antispyware program will detect and clean all spyware.
BTW, I also recommend you get the program called "Process Guard" from www.DiamondCS.au. It will tell you when any program wants to start and you can easily block or allow it. Hope this helps.
  #11  
Old January 11th, 2006, 09:45 PM
Jack D. Browser Jack D. Browser is offline
Infrequent Poster
 
Join Date: Aug 2004
Location: Philly, PA, U.S.A. & Tangier, Morocco, Africa
Posts: 8
Default Re: What's the beef with Webroot

All these posts ring a bell, because I'd had the same thing happen with Spy Sweeper finding a false positive for GoldenEye, but I did not have EULAlyzer at that time, which was around Oct.-Nov. '05. However, I got & installed EULAlyzer shortly after that time, and I also updated my version of Spy Sweeper to 4.5.7(Build 656) a few weeks ago, and updated my definitions today, 1/11/06, to v 599, then, ran a scan right afterwards, and lo & behold--GoldenEye! Though, I don't recall where GoldenEye was found last time, though, it was some temp file, I do remember that, this time it was claimed to be "unins000.exe" from the EULAlyzer program file! Am I living in the past, or is Webroot? This is all too weird! I will get with Webroot about it, but if anyone else has this recent version of Spy Sweeper, with the same def files-v 599-and you're running EULAlyzer, I'd like to know if you too are pulling in GoldenEye on a sweep. Also, anyone else getting rootkit hits by Spy Sweeper, and it's ID'ing the quarantine libraries & hidden files, and executables in Tenebril's Spy Catcher? (That Spy Catcher is another entire story about false positives, then, not correctly restoring the files when commanded to! I'll save that story, and the one of their lame excuse of a support service--live from India no less--for another post!)
Ya all come back now, ya hear?! Later, Jack D. Browser, Tanger, Maroc
  #12  
Old January 11th, 2006, 10:02 PM
zapjb zapjb is offline
Very Frequent Poster
 
Join Date: Nov 2005
Location: USA - Back in a real State in time for a real President.
Posts: 1,961
Default Re: What's the beef with Webroot

I do not respect spysweeper. To ignore privacy software that is out there for all as FREEWARE. And with as stalwart a reputation as Javacool is disgusting.
__________________
PCLinuxOS - Radically simple, it just works. That's why PCLOS is "The Distro Hopper Stopper!"
http://www.pclinuxos.com/

If you don't use Linux. You're going to HELL!!!
  #13  
Old January 11th, 2006, 10:20 PM
FanJ
 
Posts: n/a
Default Re: What's the beef with Webroot

Quote:
Originally Posted by howiem

- snip -

To feel more confident that you do not have it, search your PC for the following files:
1. AGSeyApp.exe: This is the main spyware file.
2. GEHP.dll: This is the Spyware.GoldenEye helper .dll file.
3. BMPtoJPG.dll
4. KBHOOK.dll
5. MSCOMCTL.OCX
6. OLEAUT32.DLL
7. PICCLP32.OCX
8. TabCtl32.ocx
I do not have any of them, and you probably don't either.

Hi howiem,

I just noticed this thread
Please allow me to make a few (off-topic) side-notes about those files:

I understand that those files are listed on that Symantec site.
Several of them might be malicious, but maybe not all of them....
Of course it all depends on what exactly those files are.
(checksums might serve here well !)

My attention was caught by those files:
MSCOMCTL.OCX
OLEAUT32.DLL
TabCtl32.ocx

I have those three files on my W98SE system.
All three files were once listed in the list of Required System Files for (my much beloved) TDS-3.

Sorry for going maybe a little too far off-topic.
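
The point raised in the post above (a listed file name alone proves little; what the file is and where it sits matter, and checksums help), shown as an added example that is not part of the original thread or any poster's words. This Python script searches a directory tree for the eight listed names, tags each hit by how the thread characterises it, and records its path and SHA-256 so it can be compared with a known-good copy or a multi-scanner result. The class labels and the sample tree in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Lower-cased file name -> how the thread characterises it (labels are hypothetical).
LISTED = {
    "agseyapp.exe": "primary", "gehp.dll": "primary",      # called GoldenEye's own files
    "mscomctl.ocx": "shared-name", "oleaut32.dll": "shared-name",
    "tabctl32.ocx": "shared-name",                         # also reported on clean systems
    "bmptojpg.dll": "listed", "kbhook.dll": "listed", "picclp32.ocx": "listed",
}


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(root):
    """Walk root; return path, class and SHA-256 for every file with a listed name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = LISTED.get(name.lower())  # Windows file names are case-insensitive
            if kind is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                checksum = sha256_of(path)
            except OSError as exc:           # locked or unreadable file
                checksum = "unreadable: %s" % exc.strerror
            hits.append({"path": path, "kind": kind, "sha256": checksum})
    return sorted(hits, key=lambda h: (h["kind"], h["path"]))


def demo():
    """Run triage over a constructed directory tree (placeholder bytes, not real files)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in [("system32/OLEAUT32.DLL", b"constructed-a"),
                          ("app/unins000.exe", b"constructed-b"),
                          ("temp/gehp.dll", b"constructed-c")]:
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(h["path"]), h["kind"], h["sha256"])
                for h in triage(root)]
```

A `shared-name` hit is only a prompt to compare the recorded hash and location against a trusted copy; a `primary` hit is the one to investigate first.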
  #14  
Old January 11th, 2006, 11:36 PM
howiem howiem is offline
Infrequent Poster
 
Join Date: Sep 2005
Posts: 14
Default Re: What's the beef with Webroot

I've removed Spysweeper for the time being. In fact I have removed it twice in the past two weeks, but that was caused by some corruption in my Zone Alarm Pro settings that I reinstalled (twice) which somehow caused Spysweeper to go haywire. On the latest ZAP reinstall I did not restore the settings and that's working fine.....next is to try Spysweeper again. But I am sure I will get the same detections even after the first update, because that is what happened the other day. For FanJ...I think I recall those files also...maybe from WinME, but then again it depends on where they are as well as what they are called, or so I am told. Sometimes I think I'd rather have spyware than false positives. At least the time spent sorting out the real thing would be better used.
  #15  
Old January 12th, 2006, 09:22 AM
Bubba Bubba is offline
Global Moderator
 
Join Date: Apr 2002
Posts: 11,279
Default Re: What's the beef with Webroot

Quote:
Originally Posted by Jack D. Browser
if anyone else has this recent version of Spy Sweeper, with the same def files-v 599-and you're running EULAlyzer, I'd like to know if you too are pulling in GoldenEye on a sweep
I have def files 599 and EULAlyzer....nothing was found during the scan.
  #16  
Old January 19th, 2006, 09:40 AM
Hard Rocker Hard Rocker is offline
Frequent Poster
 
Join Date: Jan 2005
Location: Quebec, CANADA
Posts: 258
Default Re: What's the beef with Webroot

Quote:
Originally Posted by FanJ
Hi howiem,

I just noticed this thread
Please allow me to make a few (off-topic) side-notes about those files:

I understand that those files are listed on that Symantec site.
Several of them might be malicious, but maybe not all of them....
Of course it all depends on what exactly those files are.
(checksums might serve here well !)

My attention was caught by those files:
MSCOMCTL.OCX
OLEAUT32.DLL
TabCtl32.ocx

I have those three files on my W98SE system.
All three files were once listed in the list of Required System Files for (my much beloved) TDS-3.

Sorry for going maybe a little too far off-topic.


Hi FanJ

Thanks for those " Off-Topic Side Notes " ( lol ) .

I'm using Windows XP Home .... Version 2002 .... SP2 and I also have those 3 files on my PC. Until I noticed your post, I was " sweating bullets " after finding all 3 and thinking I was infected.

As well, I have several antispyware programs and none of them have ever detected any of these files as malware.

Take it easy !!
HR
  #17  
Old January 19th, 2006, 12:38 PM
FanJ
 
Posts: n/a
Default Re: What's the beef with Webroot

Quote:
Originally Posted by Hard Rocker
Hi FanJ

Thanks for those " Off-Topic Side Notes " ( lol ) .

I'm using Windows XP Home .... Version 2002 .... SP2 and I also have those 3 files on my PC. Until I noticed your post, I was " sweating bullets " after finding all 3 and thinking I was infected.

As well, I have several antispyware programs and none of them have ever detected any of these files as malware.

Take it easy !!
HR

Hi Hard Rocker,

You're welcome !

In general:
if in doubt you can always scan those files at Jotti and VirusTotal, so you know what a lot of scanners do tell about those files.

Now going even more off-topic (sorry):
It is useless to talk anymore about TDS-3 (sigh), but the old thread about the Required System Files is here:
http://www.wilderssecurity.com/showthread.php?t=13794
You might say: hey, I don't see OLEAUT32.DLL listed there.
That's right, but long ago there was a contradiction on that TDS-site, and at that time you did get that file when you downloaded the whole package of system-files in the file system.zip from that old TDS-site.
But that is all now history.

Cheers, Jan.
  #18  
Old January 19th, 2006, 01:48 PM
Hard Rocker Hard Rocker is offline
Frequent Poster
 
Join Date: Jan 2005
Location: Quebec, CANADA
Posts: 258
Default Re: What's the beef with Webroot

FanJ

Once again thanks .... for the link .... and all the info you have provided.

It's members like yourself that make Wilders the great & friendly forum that it is !!

Regards,
HR
 

All times are GMT -4. The time now is 11:12 AM.

