Trouble with Hitman Pro and WSA complete

Discussion in 'Prevx Releases' started by BonskY, Jan 17, 2013.

Thread Status:
Not open for further replies.
  1. BonskY

    BonskY Registered Member

    Joined:
    Jul 4, 2011
    Posts:
    69
    Location:
    Longueuil, Canada
    Hi guys!

    I have a problem...I ran my regular scan with Hitman Pro (3.7.0 build 185) and surprise, it got a false positive: WRSA.exe is flagged as suspect...I click ignore and I close this second opinion scanner...

    I open my WSA Complete (8.0.2.96) and run a scan...it always stops at 3% and starts a scan again, like a loop...the only way to stop this is to reboot my PC...

    I uninstall and reinstall WSA...and on the first initial scan (you know, when WSA configures its protection for this PC) I got a memory error (sorry, I don't have the error message but it's of the style "memory could not be read")

    I take a deep breath and reboot my PC...and after that WSA is able to scan until 98% and the scan freezes...(stuck at 98%)

    I don't know what to do at this point :(

    Thanks for your help

    Sad Bonsky
     
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I have Hitman Pro, same version but 64-bit, and my scan comes up clean with no detection of WRSA.exe o_O. If it continues to be detected you should contact SurfRight at support@hitmanpro.com. Since you already tried a clean reinstall I would suggest you contact the WSA support inbox for further diagnosis and help: https://www.webrootanywhere.com/servicewelcome.asp?

    HTH,

    TH
     
  3. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    Same here, no false positive for me either.
     
  4. BonskY

    BonskY Registered Member

    Joined:
    Jul 4, 2011
    Posts:
    69
    Location:
    Longueuil, Canada
    Thanks guys for your quick reply...it's weird that my Hitman Pro took it as a suspect file... I will take a look with Webroot Customer Support

    Have a nice evening !

    Bonsky
     
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Are you running Hitman Pro with Early Warning Scoring (EWS)? I tried EWS and it picked up:
    Early Warning Scoring _______________________________________________________

    C:\ProgramData\WRData\pkg\LPBar.dll
    Size . . . . . . . : 319,160 bytes
    Age . . . . . . . : 2.0 days (2013-01-16 00:00:31)
    Entropy . . . . . : 7.5
    SHA-256 . . . . . : 9B60A9CC8964AFEF51E7A9A129A64BBE867CE37CA07D56D987F31F9EAA8D0001
    Product . . . . . : Webroot Toolbar
    Description . . . : Webroot Toolbar
    Version . . . . . : 2.00.0.0
    Copyright . . . . : Copyright (C) 2012
    RSA Key Size . . . : 2048
    Authenticode . . . : Valid
    Fuzzy . . . . . . : 13.0
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Program starts automatically without user intervention.
    Loads when Internet Explorer starts and runs in the same memory context as the browser.
    Time indicates that the file appeared recently on this computer.
    Authors name is missing in version info. This is not common to most programs.
    Program is code signed with a valid Authenticode certificate.
    Startup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{97ab88ef-346b-4179-a0b1-7445896547a5}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c8d5d964-2be8-4c5b-8cf5-6e975aa88504}\
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c8d5d964-2be8-4c5b-8cf5-6e975aa88504}\
    References
    HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{97ab88ef-346b-4179-a0b1-7445896547a5}\
    HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{c8d5d964-2be8-4c5b-8cf5-6e975aa88504}\
    HKLM\SOFTWARE\Wow6432Node\Classes\LPToolbar.LPToolbarBand.1\
    HKLM\SOFTWARE\Wow6432Node\Classes\LPToolbar.LPToolbarBand\
    HKLM\SOFTWARE\Wow6432Node\Classes\LPToolbar.LPToolbarBHO.1\
    HKLM\SOFTWARE\Wow6432Node\Classes\LPToolbar.LPToolbarBHO\
    HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{8d64eb0c-ab9c-48cc-93a7-66b5225cc06d}\
    HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{dcc01ba4-c265-4939-9476-c0228e9c0586}\
    HKU\S-1-5-21-149993088-3781266058-4127136620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{97ab88ef-346b-4179-a0b1-7445896547a5}\
    HKU\S-1-5-21-149993088-3781266058-4127136620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c8d5d964-2be8-4c5b-8cf5-6e975aa88504}\


    TH
     
    Last edited: Jan 18, 2013
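    The EWS block above is a list of heuristics (entropy, file age, signature) rather than a detection, which is why a signed vendor DLL can land in it. The following script is an added example, not Hitman Pro or Webroot code: it parses a constructed excerpt in the same dotted "Field . . . : value" layout, computes Shannon entropy the way such a score is usually derived, and re-derives the remarks while keeping the valid Authenticode signature as a separate countersignal. The thresholds (entropy >= 7.0, age < 7 days) are assumptions chosen to agree with the values flagged above, not SurfRight's actual rules.

```python
import math
import re
from collections import Counter

# Constructed excerpt in the EWS report layout quoted in the thread (not a real scan).
EWS_REPORT = """\
C:\\ProgramData\\WRData\\pkg\\LPBar.dll
Size . . . . . . . : 319,160 bytes
Age . . . . . . . : 2.0 days (2013-01-16 00:00:31)
Entropy . . . . . : 7.5
Authenticode . . . : Valid
Fuzzy . . . . . . : 13.0
"""

# "Field . . . . : value" -> (Field, value); the dots are only padding.
FIELD_RE = re.compile(r"^(\w[\w\- ]*?)\s*(?:\. )*\.?\s*:\s*(.+)$")

def parse_ews(report):
    """First non-empty line is the file path; the rest are dotted field/value pairs."""
    lines = [l.strip() for l in report.strip().splitlines() if l.strip()]
    fields = {"Path": lines[0]}
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def shannon_entropy(data):
    """Bits per byte in 0.0..8.0; packed or encrypted code sits near the top of that range."""
    if not data:
        return 0.0
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def ews_indicators(fields, entropy_threshold=7.0, recent_days=7.0):
    """Re-derive the EWS remarks; thresholds are assumed, not SurfRight's real rules."""
    hits, mitigations = [], []
    if float(fields.get("Entropy", "0")) >= entropy_threshold:
        hits.append("high entropy: encrypted, compressed or obfuscated")
    if "Age" in fields and float(fields["Age"].split()[0]) < recent_days:
        hits.append("file appeared on this computer recently")
    if fields.get("Authenticode") == "Valid":
        mitigations.append("valid Authenticode signature")  # reason to treat it as benign
    return hits, mitigations

if __name__ == "__main__":
    parsed = parse_ews(EWS_REPORT)
    print(parsed["Path"], ews_indicators(parsed))
    print("entropy of 1 KiB of all byte values:", shannon_entropy(bytes(range(256)) * 4))
```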
  6. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    Ahh, yup, just tried this and same for me. I don't use the EWS normally though, so for me it was not detected. And it seems to be the LastPass toolbar that is actually being detected.
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Yes but not WRSA.exe ;)

    TH
     
  8. BonskY

    BonskY Registered Member

    Joined:
    Jul 4, 2011
    Posts:
    69
    Location:
    Longueuil, Canada
    Hi guys,

    Yes, EWS was enabled...but it's still weird that on my side HMP took WRSA.exe as suspect...

    But this morning WSA seems to be running well...I will keep an eye on it this weekend before sending a request to customer service

    Thanks and have a nice weekend !

    Bonsky
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Our support team won't be able to do anything with this - you would need to contact HMP.
     
  10. BonskY

    BonskY Registered Member

    Joined:
    Jul 4, 2011
    Posts:
    69
    Location:
    Longueuil, Canada
    Good day Joe,

    Yes, I agree, it's a Hitman Pro false positive problem and an email was already sent to SurfRight...

    But after this event...WSA wasn't reinstalled smoothly and I got some issues...(crash with a memory error on the first initial scan, when WSA configures the security needed for my PC, and scan stuck at 98%) so I simply thought Webroot could help me reinstall WSA smoothly...

    But that's okay...too bad for me...I will be more careful with a second opinion scanner...

    *Edit*

    For whoever is interested...I didn't make a screenshot of the false positive, but here are the HMP logs in attachment...

    Have a nice weekend !

    BonskY
     
    Last edited: Jan 18, 2013
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Our support team might be able to help you, but I suspect you may have more luck yourself if you just uninstall HMP, uninstall any remnant of WSA, then reboot, then try reinstalling. Hopefully they don't have any logic preventing WSA from reinstalling via some system policy, but you should be able to get back by just starting with that at least.
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    It would help if you'd post this in the HitmanPro thread as well. I might have missed this.
    https://www.wilderssecurity.com/showthread.php?p=2170347

    About the FP, it seems really weird. Looks like, on your system, WSA is doing weird stuff.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    All of the attributes listed in the log are consistent with what WSA does by default for self protection.
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    Thanks for clarifying. But there is one rule that is only triggered on that person's computer, which I am very sure is not part of WSA. We have this under investigation.
     