What's the beef with Webroot

Discussion in 'EULAlyzer Forum' started by howiem, Oct 28, 2005.

Thread Status:
Not open for further replies.
  1. howiem

    howiem Registered Member

    Looks like the folks at Javacoolsoftware.com need to do some talking to the people at webroot.com. After installing WebRoot's Spysweeper 4.5 it detected the EULAlyzer uninstall (unins000.exe) program as a System Monitor (read Keylogger) written by Golden Eye Software - see http://www.webroot.com/php/spysweeper_spydesc.php.

    But that's not all, it also detected SpywareBlaster as a problem : IE Security Shield: found: G:\PROGRAM FILES\SPYWAREBLASTER\SBAUTOUPDATE.EXE -- IE Security modification allowed at user request
  2. javacool

    javacool BrightFort Moderator

    The unins000.exe file is a standard uninstaller for the installer engine we use. (InnoSetup) Any program that uses that installer may end up having that file falsely detected by Webroot, so it's definitely something they need to fix.

    You might want to check out this thread in the SpywareBlaster support forum: http://www.wilderssecurity.com/showthread.php?t=102176

    Could you please contact Webroot and report these problems? Thanks! :)

    Best regards,

    -Javacool
  3. howiem

    howiem Registered Member

  4. beetlejuice69

    beetlejuice69 Registered Member

    I had a problem yesterday with Spy Sweeper flagging unins000.exe. I sent in a report and got a reply back that they would check it out and fix if need be. They said it might take up to 5 days.
  5. VCC

    VCC Guest

    I also was told I had Goldeneye on my system -- can it be loaded remotely -- is this something I need to worry about, or, is it just Spysweeper making a mistake?
  6. howiem

    howiem Registered Member

    "I also was told I had Goldeneye on my system "

    It depends on what it thinks Goldeneye is. In Spysweeper, go to Results (left hand menu) and session log tab and look through the entries to see what it detected as Goldeneye. If it relates to a known good program (like EULAlyzer in my case), it is probably a false positive. If you are not sure, go to the Options page and click the button "Report Spyware" and let Webroot sort it out. They will open a support ticket for you and advise you what to do.
  7. VCC

    VCC Guest

    Thank you for the help.

    This is what the session said:

    9:29 PM: Found System Monitor: golden eye
    9:29 PM: unins000.exe (ID = 18119:cool:
    9:29 PM: File Sweep Complete, Elapsed Time: 00:07:56
    9:29 PM: Full Sweep has completed. Elapsed time 00:10:32
    9:29 PM: Traces Found: 1
    9:49 PM: Removal process initiated

    I did go ahead and send them an e-mail.

    I still don't understand how something like this could be installed as I am the only one who uses this computer. Can it be installed remotely?

    I really, really don't want to have to change all my passwords, change my bank account, etc.
  8. howiem

    howiem Registered Member

    That's the same entry I had. But I am not getting that detection any more since reporting it and updating Spysweeper 4.5.5. Have you recently updated Spysweeper and run a scan? If not try it and see if it is still being detected. After updating, go to safe mode and run a complete scan, then boot into Windows and run the scan. If nothing is detected then Webroot has fixed the problem.

    You asked,
    "I still don't understand how something like this could be installed as I am the only one who uses this computer."
    Spyware can get installed through going to web pages that put spyware on your computer by downloading it. Spyware can get on your PC by clicking on email attachments that contain spyware programs. Spyware can get on your PC by downloading and installing programs that come bundled with spyware...mainly free programs. So the answer to your question, "Can it be installed remotely?" is definitely YES.
    Time for some sleep. Good luck.
  9. VCC

    VCC Guest

    Howie,

    Thank you for the input.

    Do you feel that you had Golden Eye on your computer or that it was indeed a false positive?

    It was only detected on mine "after" I upgraded Spy Sweeper.

    Yes, I understand how spyware gets on my machine, but everything I have read about Golden Eye makes it sound like it has to be physically installed using their software. I may be mistaken.

    So, because we both had the same message, are you going to change all your passwords, bank account, etc?

    I really don't mean to be a pain!

    Thanks for your help.

    V
  10. howiem

    howiem Registered Member

    I am convinced it is a false positive after checking all the programs that have unins000.exe that I have on my PC (about 43 of them), and the fact that it was not detected after Webroot issued an update following a number of complaints about false positives.
    You said,
    "It was only detected on mine "after" I upgraded Spy Sweeper".
    The same here, but now you need to update definitions (not upgrade) and scan - the latest update should have gotten rid of the false positive. It did for me.
    "everything I have read about Golden Eye makes it sound like it has to be physically installed using their software."
    According to http://securityresponse.symantec.com/avcenter/venc/data/spyware.goldeneye.html that is correct, but it might get onto a PC by being bundled with another program.
    To feel more confident that you do not have it, search your PC for the following files:
    1. AGSeyApp.exe: This is the main spyware file.
    2. GEHP.dll: This is the Spyware.GoldenEye helper .dll file.
    3. BMPtoJPG.dll
    4. KBHOOK.dll
    5. MSCOMCTL.OCX
    6. OLEAUT32.DLL
    7. PICCLP32.OCX
    8. TabCtl32.ocx
    I do not have any of them, and you probably don't either.
    "So, because we both had the same message, are you going to change all your passwords, bank account, etc?"
    No I am not, but I can't advise you not to until you have updated the Spysweeper definitions and run scans in normal and safe mode to see if it is still detected.
    No, you are not a pain. You are right to be cautious. But get those definitions updated and the scan done - I doubt if it will be detected with the latest spyware definitions installed. Updating definitions and running scans is the key to getting something out of the anti-spyware program. There are new spyware programs and variants coming out all the time, so you should update and scan at least weekly, but more frequently if time permits. In Spysweeper go to options and program options and make sure you check the box for automatic updates, then all you need to remember is to scan a couple of times a week or if you think something has gotten in your PC. Also use other anti-spyware programs like the free Spybot Search & Destroy, free AdAware SE Personal Edition, free Microsoft Antispyware, and any others you can afford - like Spyware Doctor, Counterspy and SpySubtract. You do not need to run all of them at startup, but you do need to keep them updated. No single antispyware program will detect and clean all spyware.
    BTW, I also recommend you get the program called "Process Guard" from www.DiamondCS.au. It will tell you when any program wants to start and you can easily block or allow it. Hope this helps.
  11. Jack D. Browser

    Jack D. Browser Registered Member

    All these posts ring a bell, because I'd had the same thing happen with Spy Sweeper finding a false positive for GoldenEye, but I did not have EULAlyzer at that time, which was around Oct.-Nov. '05. However, I got & installed EULAlyzer shortly after that time, and I also updated my version of Spy Sweeper to 4.5.7 (Build 656) a few weeks ago, and updated my definitions today, 1/11/06, to v 599, then, ran a scan right afterwards, and lo & behold--GoldenEye! Though, I don't recall where GoldenEye was found last time, though, it was some temp file, I do remember that, this time it was claimed to be "unins000.exe" from the EULAlyzer program file! Am I living in the past, or is Webroot? This is all too weird! I will get with Webroot about it, but if anyone else has this recent version of Spy Sweeper, with the same def files-v 599-and you're running EULAlyzer, I'd like to know if you too are pulling in GoldenEye on a sweep. Also, anyone else getting rootkit hits by Spy Sweeper, and it's ID'ing the quarantine libraries & hidden files, and executables in Tenebril's Spy Catcher? (That Spy Catcher is another entire story about false positives, then, not correctly restoring the files when commanded to! I'll save that story, and the one of their lame excuse of a support service--live from India no less--for another post!)
    Ya all come back now, ya hear?! Later, Jack D. Browser, Tanger, Maroc
  12. zapjb

    zapjb Registered Member

    I do not respect spysweeper. To ignore privacy software that is out there for all as FREEWARE. And with as stalwart a reputation as Javacool is disgusting.
  13. FanJ

    FanJ Guest

    Hi howiem,

    I just noticed this thread :oops:
    Please allow me to make a few (off-topic) side-notes about those files:

    I understand that those files are listed on that Symantec site.
    Several of them might be malicious, but maybe not all of them....
    Of course it all depends on what exactly those files are.
    (checksums might serve here well !)

    My attention was caught by those files:
    MSCOMCTL.OCX
    OLEAUT32.DLL
    TabCtl32.ocx

    I have those three files on my W98SE system.
    All three files were once listed in the list of Required System Files for (my much beloved) TDS-3.

    Sorry for going maybe a little too far off-topic.
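
An added example, not part of the original thread: a sketch of the file search suggested in post 10 combined with the checksum point from post 13, showing that a name match on its own is not evidence. The category labels, function names and the sample directory tree are assumptions constructed for this illustration; the file names come from the list in post 10.

```python
import hashlib
import os
import tempfile

# File names from post 10, lower-cased because Windows names are case-insensitive.
LISTED = dict.fromkeys(("agseyapp.exe", "gehp.dll"), "distinctive")  # described as the spyware's own
# Reported in posts 13 and 16 as present on clean Windows installs.
LISTED.update(dict.fromkeys(("mscomctl.ocx", "oleaut32.dll", "tabctl32.ocx"), "shared"))
# Listed in post 10 without further comment.
LISTED.update(dict.fromkeys(("bmptojpg.dll", "kbhook.dll", "picclp32.ocx"), "unclassified"))

def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # chunked read for large binaries
            h.update(block)
    return h.hexdigest()

def triage(root):
    """Walk root and return (category, path, sha256) for every listed file name."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            category = LISTED.get(name.lower())
            if category:
                path = os.path.join(folder, name)
                hits.append((category, path, sha256_of(path)))
    return sorted(hits)

def verdict(hits):
    """Only the distinctive names warrant escalation; other matches need their hashes checked."""
    categories = {category for category, _path, _digest in hits}
    if "distinctive" in categories:
        return "investigate"
    return "verify-hashes" if categories else "no-listed-names"

def build_sample(root):
    """Constructed sample tree resembling the clean systems described in posts 13 and 16."""
    for rel in ("SYSTEM/OLEAUT32.DLL", "SYSTEM/TabCtl32.ocx", "EULAlyzer/unins000.exe"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"constructed sample: " + rel.encode())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        hits = triage(root)
        print(verdict(hits), *hits, sep="\n")
```

The digests it reports are what can be compared against a known-good copy of the same file version, which is the check a file name cannot provide.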
  14. howiem

    howiem Registered Member

    I've removed Spysweeper for the time being. In fact I have removed it twice in the past two weeks, but that was caused by some corruption in my Zone Alarm Pro settings that I reinstalled (twice) which somehow caused Spysweeper to go haywire. On the latest ZAP reinstall I did not restore the settings and that's working fine.....next is to try Spysweeper again. But I am sure I will get the same detections even after the first update, because that is what happened the other day. For FanJ...I think I recall those files also...maybe from WinME, but then again it depends on where they are as well as what they are called, or so I am told. Sometimes I think I'd rather have spyware than false positives. At least the time spent sorting out the real thing would be better used. :ouch:
  15. Bubba

    Bubba Updates Team

    I have def files 599 and EULAlyzer....nothing was found during the scan.
  16. Hard Rocker

    Hard Rocker Registered Member


    Hi FanJ :D

    Thanks for those " Off-Topic Side Notes " ( lol ) .

    I'm using Windows XP Home .... Version 2002 .... SP2 and I also have those 3 files on my PC. Until I noticed your post, I was " sweating bullets " after finding all 3 and thinking I was infected. :eek: :eek: :rolleyes: :rolleyes:

    As well, I have several antispyware programs and none of them have ever detected any of these files as malware.

    Take it easy !!
    HR:cool:
  17. FanJ

    FanJ Guest

    Hi Hard Rocker,

    You're welcome ! :D

    In general:
    if in doubt you can always scan those files at Jotti and VirusTotal, so you know what a lot of scanners do tell about those files.

    Now going even more off-topic (sorry):
    It is useless to talk anymore about TDS-3 (sigh), but the old thread about the Required System Files is here:
    http://www.wilderssecurity.com/showthread.php?t=13794
    You might say: hey, I don't see OLEAUT32.DLL listed there.
    That's right, but long ago there was a contradiction on that TDS-site, and at that time you did get that file when you downloaded the whole package of system-files in the file system.zip from that old TDS-site.
    But that is all now history.

    Cheers, Jan.
  18. Hard Rocker

    Hard Rocker Registered Member

    FanJ :D

    Once again thanks .... for the link .... and all the info you have provided.

    It's members like yourself that make Wilders the great & friendly forum that it is !! :D

    Regards,
    HR :cool: