infected, but not found by webroot

i have been infected on my laptop, kept getting pop ups and although webroot did warn about them it never cleaned them , i had to run malwarebytes, here is my malwarebytes log
Folders Detected: 4
C:\Users\Ebony\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504} (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Cache (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.

Files Detected: 7
C:\Users\Ebony\Downloads\SoftonicDownloader_for_folderico.exe (PUP.Optional.Softonic) -> Quarantined and deleted successfully.
C:\Users\Ebony\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.dat (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.exe (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.ico (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setup.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setupx.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.

 

They are all PUP (potentially unwanted application) detections so they are not really harmful, but can be very annoying as you say seeing pop-ups, and they can add toolbars in the browser and so forth..... and they are unwanted hence the detection name. And should be detected!

I see softonic in the log file, so I assume you have downloaded something from softonic that was bundled with a PUP that got past WSA.

And also the Babylon PUP that we see a lot of.

In the future stay away from C-Net, Softonic, and use other download source like... Majorgeeks, Softpedia... or go to the vendor site directly.

 

doesn't surprise me at all

 

what do you mean?

 

Not all PUA's & PUP's are detected by WSA for reason as SweX said (Potentially Unwanted Application or Potentially Unwanted Program) detections so they are not really harmful so the user has to take the time looking when installing software as PUA's & PUP's are usually Pre-Checked! You want to see a nice list of programs with PUA's & PUP's: http://www.calendarofupdates.com/up...ndar&section=view&do=showevent&event_id=44514

Definition of PUP: http://www.techterms.com/definition/pup

Don't blame WSA for what the user should know and if it turns out to be malicious then that is when WSA will jump in and remove it.

TH

 

What 'doesn't surprise me at all' is guest's comment previously...

We are trying to help users of WSA here....

 

Back when I first started using it, I had a .exe that was some type of virus, been a while back and a nasty one at that because it locked up my system, don't really remember where I got it at, I just knew it got past wrsa, but to give credit it was not long after they first came out with it, maybe it needed some work at that time, anyhow I just put the best antivirus program you can get to work on it, which is a clean image and had it fixed in just a few minutes, since then I now just run lets say a harden version of windows and so far never had another problem

 

no AV can claim to be 100% effective and webroot certainly do not claim that, but the support and help from webroot is 2nd to none, i post this thread for advice and it was answered, i am more than happy with webroot, and this is the only problem i have had for over 8 months.

 

The detection is down as evidenced by the latest AV-Test. Webroot doesn't participate in many tests anymore, so a mediocre result is noticed. I would be interested in knowing why detection dropped significantly from the previous AV-test tests and why so many false positives occurred during May.
I don't see such a significant drop off in detection among the highly rated AV products from test to test, so I believe it is a reasonable question.

 

It was already given in the AV-Test thread so let's leave it there. Also:

TH

 

I think there has been far too much criticism of webroot on this forum and i feel it should stop here.

No security solution is 100% effective and the developers of webroot have been more than helpful in relation to the product.

 

I respectfully disagree. A product which was able to score well with AV-Test's
methodology is now no longer able to. Why is the test methodology now an issue?
Why are FPs still an issue?

 

Basically the Journalling, Monitoring of unknown processes and Rollback features. https://community.webroot.com/t5/We...t-Misses-quot-a-Virus/ta-p/10202#.UfmI3W3Nnns

TH

 

What am I supposed to do with malware which appeared on my computer saying it was from the FBI, locking up my computer? Am I supposed to wait for WSA to recognize it as malware? My computer was completely locked up.
Too late. Rolling back is worthless.

 

Do you see any complaints of WSA users having this issue in here? There is no sense continuing this conversation as you are always going to be negative at what ever I say.

Cheers,

TH

 

If you say so. A real cop out.

 

Yes. This happened to me. I am a WSA user.
If the test doesn't represent the capabilities of WSA,they should not be in the test.
Webroot shouldn't pat themselves on the back when they score 5/6 in detection and run away from the results when they score 3/6 in detection.

 

OP: Non-threat PUP's (Which means PWPs) detected by something else. What would you do if you wanted them and you had them ripped out? That would be considered an FP.

Then...

AV testing: "Does the installer package for this FBI infection get detected? No. FAIL! Does it run? Yes, its code is allowed to load into a process. FAIL AGAIN! The test must have ended in an infection."

Reality: "Does the installer package get detected? No. Does it run? Yes. Does the thing it installs get detected? Yes. Does it run? No. Does the installer get seen as installing the infection and nothing else, and thus whacked for it? Yep. No infection in the end, no FBI warning popup, user never sees any infection, no data is captured, no threat occurs."

The tests have a very good habit of doing things that real users will never do and then making (inaccurate) assumptions based on detailed machine data. They don't have the extra three seconds to test to see that the payload gets whacked and no infection occurs.

A good way to think of it: Mortal Football (US style football). In every game before ever, if the ball makes it past the 50 yard line, the team that got it past the 50 yard line will get a touchdown. So when testing, they see the ball go past the 50 yard line and say "Ah, the bad guys will get a touchdown. We won't watch anymore."

Unfortunately they didn't account for the changes in the game. The good guys team has installed a minefield at the 30 yard line and a lava moat between the 20 yard line and the end zone. The tests only see "Got past the 50 yard line, bad guys must have succeeded." and don't take the delicious explosions in the minefield or the sizzle and crackle of fried flesh in the lava moat into account.

 

Techfox1976,
Thank you for responding. I appreciate it.
I did have the FBI warning appear on my computer and my computer did freeze up. There was no way of terminating the malware except for manually
turning off my computer by pressing the off button.
I agree with you that no damage was done to my computer, but the malware did run. If I'm misunderstanding you, I apologize.

 

No, because as we ascertained in another thread, most contact Support via the GUI, which is the correct and preferred method of communication.

 

And what did Joe say?

Daniel

 

Webroot could simply add an option in the GUI that users can enable if they would like PUPs/PUAs to be detected, unless Webroot chose to have it enabled by default.

And a PUP cannot be considered an FP, the PUP isn't a part of the software the user downloaded. It has been added to the package. So it is the PUP that is detected and not the actual software/program itself, if that were the case, yes then it would be an FP.

Edit: Example 1, I download webroot.exe it is bundled with a PUP and it is not detected as you would see that as an FP if it would have been "ripped out".

Example 2, I download the same webroot.exe this time it is bundled with a Trojan but this time it is detected and not seen as an FP, but it will still get ripped out even if it is the same file, only the payload is different.

Though, I don't know what you mean by "PWPs".

Wanted them....really. Are there any humans that actually like PUPs and want to have them and don't mind them at all? I doubt that very much

I guess Joe is having a well deserved summer vacation at the moment

 

Far from it he's to busy working on the 2014 product line.

Daniel

 

I don't think Joe goes on vacation. He always working improving WSA.

 

Yes, this is correct, but this is correct for every vendor. We have Wilders and our own Community forum and many users do go there - more go to our support directly but if someone has a problem with us or any vendor, I think it's common practice to complain publicly. We simply do not have any volume of users that get infected.

We are adding exactly this in the 2014 release. The definition of a Possibly Unwanted Program changes between vendors, and even within a single vendor over time. I suggest writing into our support inbox and seeing what our threat research team says.

Not exactly I've just been in meetings and working on 2014

We have made improvements for this infection specifically, and indeed, this infection was a different case than has existed in the past as it interrupts the boot process. We now have generic processes in place to prevent any infection from affecting the system in such a way that it can take over the PC.

To the point on testing not accurately reflecting the product when it previously has shown it as effective: we're working with testing firms but it is increasingly difficult to have the product correctly tested due to threats changing. Over time, the methods that we use to block threats are moving towards our more unique protection methodology rather than plain blacklisting, which is what most AV testing is. The FBI infection you encountered is a perfect case in point here: with the new method we've added, we will completely block the infection, but we would still "miss" it according to current testing methodologies.

As for false positives, the latest AV-Test result fell into the same condition as the Virus Bulletin test quite a long time ago. We would have still had a few false positives, but no where near the volume we saw. We finally managed to find what was causing this scenario and have corrected it - the false positives would have only existed for a nanosecond on files that were not executable (and within an archive) and the detection would be reverted instantly, not affecting any users. We explained this to AV-Test but they rightly kept our FPs counted as they were when they first tested due to the fact that we did find the files. Moving forward, we won't run into this scenario, but it just further shows how the differences between testing and normal users end up affecting perceptions.