Solved

A threat has been eliminated


Userlevel 6
Good morning USA ;)
Yesterday, when using my laptop, I got a WSA message: "this site is not secure".
Then I saw on the security bookmark: "1 threat has been eliminated".
Is it possible to see what this threat was?

Best answer by Rakanisheu Retired 29 June 2013, 20:18


31 replies

Userlevel 7
It shouldn't be removing it, unless something weird is going on. I will need support logs at this stage.
Userlevel 6
@ wrote:
I think we have got mixed up: that screenshot is related to the file that I have already whitelisted. That message from Windows is due to the fact that you are downloading a .exe. It's normal and isn't anything to do with Webroot. That file is good in our database.
Hello Roy,
You are right, the first message is from Windows, but after downloading this .exe Webroot deleted it and moved it into quarantine :@
Userlevel 7
I think we have got mixed up: that screenshot is related to the file that I have already whitelisted. That message from Windows is due to the fact that you are downloading a .exe. It's normal and isn't anything to do with Webroot. That file is good in our database.
Userlevel 6
These are the analysis logs:

30-06-2013 17:43:10.0985 Begin passive write scan (1 file(s))
30-06-2013 17:43:12.0420 End passive write scan (1 file(s))
30-06-2013 17:44:00.0405 Begin passive write scan (1 file(s))
30-06-2013 17:44:01.0404 End passive write scan (1 file(s))
30-06-2013 17:57:14.0822 Begin passive write scan (1 file(s))
30-06-2013 17:57:16.0350 End passive write scan (1 file(s))
30-06-2013 18:04:39.0009 Begin passive write scan (1 file(s))
30-06-2013 18:04:40.0238 End passive write scan (1 file(s))
30-06-2013 18:04:48.0014 Begin passive write scan (1 file(s))
30-06-2013 18:04:48.0943 End passive write scan (1 file(s))
30-06-2013 18:05:01.0000 A suspicious file was detected: c:\users\robert\desktop\languagepack_french.exe - D2AFB7BBE8DDF4C4BD05537BD1598870 - 00080801
30-06-2013 18:05:01.0000 File blocked in realtime: c:\users\robert\desktop\languagepack_french.exe [MD5: D2AFB7BBE8DDF4C4BD05537BD1598870, Size: 517696 bytes] [526337/00000020] [(null)]
30-06-2013 18:05:01.0002 Monitoring process C:\Users\Robert\Desktop\LanguagePack_French.exe [D2AFB7BBE8DDF4C4BD05537BD1598870]. Type: 3 (4666)
30-06-2013 18:05:01.0002 Monitoring process C:\Users\Robert\Desktop\LanguagePack_French.exe [D2AFB7BBE8DDF4C4BD05537BD1598870]. Type: 4 (4666)
30-06-2013 18:05:01.0002 Monitoring process C:\Users\Robert\Desktop\LanguagePack_French.exe [D2AFB7BBE8DDF4C4BD05537BD1598870]. Type: 5 (4666)
30-06-2013 18:05:01.0003 Monitoring process C:\Users\Robert\Desktop\LanguagePack_French.exe [D2AFB7BBE8DDF4C4BD05537BD1598870]. Type: 8 (4666)
30-06-2013 18:05:01.0125 A suspicious file was detected: c:\users\robert\desktop\languagepack_french.exe - D2AFB7BBE8DDF4C4BD05537BD1598870 - 00080801
30-06-2013 18:05:01.0125 File blocked in realtime: c:\users\robert\desktop\languagepack_french.exe [MD5: D2AFB7BBE8DDF4C4BD05537BD1598870, Size: 517696 bytes] [526337/00000020] [(null)]
30-06-2013 18:05:13.0984 Determination flags modified: c:\users\robert\desktop\languagepack_french.exe - MD5: D2AFB7BBE8DDF4C4BD05537BD1598870, Size: 517696 bytes, Flags: 00000020
30-06-2013 18:05:42.0475 Performing cleanup entry: 1
30-06-2013 18:05:43.0276 Scan Started: [ID: 37 - Flags: 551/128]
30-06-2013 18:06:50.0337 Connected to B5
30-06-2013 18:06:54.0338 Scan Results: Files Scanned: 38408, Duration: 1m 10s, Malicious Files: 0
30-06-2013 18:06:54.0348 Scan Finished: [ID: 37 - Seq: 70992414]
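An added example, not code from this thread or from Webroot: a small Python parser for WSA log lines in the shape quoted above (the sample lines are constructed, with the path backslashes reinserted). It pulls out the detection, block and determination events with their MD5 so that the hash, rather than the file name, is what gets looked up or sent to support, and it includes a check that a file restored from quarantine still has the hash the log recorded.

```python
import hashlib
import re

# Constructed sample in the shape of the WSA log quoted in this thread (paths reassembled with backslashes).
SAMPLE_LOG = r"""30-06-2013 18:04:48.0943 End passive write scan (1 file(s))
30-06-2013 18:05:01.0000 A suspicious file was detected: c:\users\robert\desktop\languagepack_french.exe - D2AFB7BBE8DDF4C4BD05537BD1598870 - 00080801
30-06-2013 18:05:01.0000 File blocked in realtime: c:\users\robert\desktop\languagepack_french.exe [MD5: D2AFB7BBE8DDF4C4BD05537BD1598870, Size: 517696 bytes] [526337/00000020] [(null)]
30-06-2013 18:05:13.0984 Determination flags modified: c:\users\robert\desktop\languagepack_french.exe - MD5: D2AFB7BBE8DDF4C4BD05537BD1598870, Size: 517696 bytes, Flags: 00000020
30-06-2013 18:06:54.0338 Scan Results: Files Scanned: 38408, Duration: 1m 10s, Malicious Files: 0
"""

# One line per event; the three hash-bearing event types use three different layouts after the path.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<event>A suspicious file was detected|File blocked in realtime|Determination flags modified): "
    r"(?P<path>.+?)(?: - | \[MD5: | - MD5: )(?P<md5>[0-9A-Fa-f]{32})"
)
SCAN_RE = re.compile(r"Scan Results: Files Scanned: (?P<scanned>\d+), Duration: (?P<duration>[^,]+), Malicious Files: (?P<malicious>\d+)")

def parse_events(log_text):
    """Return the detection/block/determination events with timestamp, path, MD5 and size."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # passive write scans, process monitoring etc. carry no file hash
        size = re.search(r"Size: (\d+) bytes", line)
        events.append({"ts": m["ts"], "event": m["event"], "path": m["path"],
                       "md5": m["md5"].upper(), "size": int(size.group(1)) if size else None})
    return events

def detected_files(events):
    """Collapse repeated log lines to one entry per (path, MD5): this is what to look up or send to support."""
    first_seen = {}
    for e in events:
        first_seen.setdefault((e["path"].lower(), e["md5"]), e)
    return list(first_seen.values())

def parse_scan_results(log_text):
    """Summaries of completed scans, e.g. to confirm 'Malicious Files: 0' after a restore."""
    return [{"scanned": int(m["scanned"]), "duration": m["duration"], "malicious": int(m["malicious"])}
            for m in SCAN_RE.finditer(log_text)]

def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest().upper()

def restored_file_matches_log(path, logged_md5):
    """Before trusting a file restored from quarantine, check it is the same bytes the log recorded."""
    with open(path, "rb") as f:
        return md5_of_bytes(f.read()) == logged_md5.upper()
```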
Userlevel 7
Hmm, I can't find the info on that file. Can you post the cleanup logs or MD5?
Userlevel 7
Ah ok, that is different, let me see if I can fix that.
Userlevel 6
No, it says that this file was rarely downloaded and should be insecure.
The file was deleted by WSA-C after I had accepted the download...
Userlevel 7
That doesn't look like it was us that removed that! My French is rusty; is that saying that the file was not downloaded to your PC as it may cause damage?
Userlevel 6
Hello Roy,
Thanks for whitelisting this file.
I don't know if this can help you, but when I download this file with IE9 (Vista Pro) I get the following error message and then WSA-C deletes the file:

I think it might be interesting to try to download "Spanish pack" and "German pack" ;)
Userlevel 7
Not sure why that file was removed on your PC, it's not bad in our database. I have whitelisted the file in any case; its behaviour is not malicious and its associated files/processes are good. WSA not being on VT doesn't really bother me too much; VT is only a rough guide and should never be taken as gospel.
Userlevel 6
@ wrote:
Hello Robert, I can't tell for sure, but to me it looks like an FP. I did a search on VT using your file's MD5 hash D2AFB7BBE8DDF4C4BD05537BD1598870 and only Symantec came up with some kind of detection, so it's best to wait for a confirmation from Roy or another Threat Researcher. I wish Webroot was listed on VT; I made a suggestion, and maybe if a few more will kudo it they will look at it again, as it's on hold. http://community.webroot.com/t5/Ideas-Exchange/Adding-a-Webroot-SDK-to-VirusTotal/idi-p/7462#.UdBubW2DmJO :D
 
HTH,
 
Daniel ;)
Hi,
Thanks Daniel!
Idea kudoed ;)
Now I'm waiting for Roy's answer.
Userlevel 7
@ wrote:
I wish Webroot was listed on VT; I made a suggestion, and maybe if a few more will kudo it they will look at it again, as it's on hold.
I agree Daniel. If I could cheat and Triple Kudo it, I would. 😃
Userlevel 7
Badge +56
Hello Robert, I can't tell for sure, but to me it looks like an FP. I did a search on VT using your file's MD5 hash D2AFB7BBE8DDF4C4BD05537BD1598870 and only Symantec came up with some kind of detection, so it's best to wait for a confirmation from Roy or another Threat Researcher. I wish Webroot was listed on VT; I made a suggestion, and maybe if a few more will kudo it they will look at it again, as it's on hold. http://community.webroot.com/t5/Ideas-Exchange/Adding-a-Webroot-SDK-to-VirusTotal/idi-p/7462#.UdBubW2DmJO :D
 
HTH,
 
Daniel 😉
Userlevel 6
Hi Roy,
 
I think WSA-C has blocked another safe file on my home PC this time:
 
Automated Cleanup Engine
Starting Cleanup at 30/06/2013 - 16:05:42 GMT
Starting Routine> Removing c:\users\robert\desktop\languagepack_french.exe...#(PX5: - MD5: D2AFB7BBE8DDF4C4BD05537BD1598870)...
Deleting File> c:\users\robert\desktop\languagepack_french.exe
 
Is this a false positive?
Userlevel 6
Hi Roy,
Thanks for your help:D
I have restored the file, even though my laptop continued to work well without it.
Then I launched a scan and the laptop is clean.
Good Sunday!
Robert
Userlevel 7
Replied to the PM! The file is good and can be restored. The prevx information is out of date.
Userlevel 6
@ wrote:
Hi Robert, you can call him Roy if you like!
 
Daniel
Thanks Daniel for the info;)
Userlevel 6
@ wrote:
@ wrote:
You won't need to submit logs, I found the file in our database and it's now good. Saves you doing any work :)
Thanks Rakanisheu :D
But I don't understand the link given by Jim:
http://www.prevx.com/filenames/X460799281356301372-X1/HDCTRLEX.DLL.html#nogo
Can you explain it to me?
Another thing that I don't understand is that the page above always reports that the file hdctrlex.dll is a "fraudulent security program".
Userlevel 7
Badge +56
Hi Robert, you can call him Roy if you like!
 
Daniel
Userlevel 6
Hello Roy;)
I'm sorry to insist, but I don't understand what I have to do.
Now I'm at home running my laptop, and I see that the suspicious file ("hdctrlex.dll") remains in quarantine.
I don't know if I can restore it.
I'll send you a PM with the detection report.
Userlevel 6
Thanks Rakanisheu:D
Can you tell me if this file is really a file from my professional program?
Userlevel 7
That page is out of date since I just changed the database entry for that file. I assume it will autoupdate soon enough.
Userlevel 6
@ wrote:
You won't need to submit logs, I found the file in our database and it's now good. Saves you doing any work :)
Thanks Rakanisheu :D
But I don't understand the link given by Jim:
http://www.prevx.com/filenames/X460799281356301372-X1/HDCTRLEX.DLL.html#nogo
Can you explain it to me?
Userlevel 7
You won't need to submit logs, I found the file in our database and it's now good. Saves you doing any work 🙂
Userlevel 6
@ wrote:
I don't see Rakanisheu online this morning, but I might be able to help.
 
It's hard to say just based on the file name.  The file name alone doesn't tell us as much as the MD5 of the file would.  The MD5 is submitted automatically when you contact us via the support system, which is why we suggest using that system in all cases of false positives or infections.
 
That said, I'm leaning more towards it being an infection, based on this.  However, we won't really know for sure until we get a closer look, since file names alone can be misleading.  If you update your support case, we can provide a better answer since we'll have more data to go on.
Thanks Jim
This thread was on my old laptop and I cannot access it before Saturday evening or Sunday.
 
