Skip to main content
Customer Support Customer Support
Solved

Recurring rootkit after reboot.

  • December 4, 2016
  • 8 replies
  • 83 views
C
New Voice
I keep getting a rootkit detected. 7 Threats detected and upon rebooting the rootkits reappear. Webroot doesn't seem to be cleaning up these threats permanently, any help on further assistance??
 
I also try sending webroot a message but the 'send submission' button takes me to the webroot homepage. Not sure if the message went through or not so I am posting here.
 
Here is the threat log:

Automated Cleanup Engine
Starting Cleanup at 13/11/2016 - 18:30:46 GMT
Starting Routine> Removing SystemCurrentControlSetServicesCDPUserSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesCDPUserSvc_120926
Deleting Registry Key> HKLMSystemCurrentControlSetServicesCDPUserSvc_120926
Starting Routine> Removing SystemCurrentControlSetServicesMessagingService_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_120926
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_120926
Starting Routine> Removing SystemCurrentControlSetServicesOneSyncSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_120926
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_120926
Starting Routine> Removing SystemCurrentControlSetServicesPimIndexMaintenanceSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_120926
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_120926
Starting Routine> Removing SystemCurrentControlSetServicesUnistoreSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_120926
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_120926
Starting Routine> Removing SystemCurrentControlSetServicesUserDataSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_120926
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_120926
Starting Routine> Removing SystemCurrentControlSetServicesWpnUserService_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesWpnUserService_120926
Deleting Registry Key> HKLMSystemCurrentControlSetServicesWpnUserService_120926
Starting Routine> Removing threats - Please wait...#...
Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 18:52:26 GMT
Starting Routine> Removing SystemCurrentControlSetServicesCDPUserSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesCDPUserSvc_443c3
Deleting Registry Key> HKLMSystemCurrentControlSetServicesCDPUserSvc_443c3
Starting Routine> Removing SystemCurrentControlSetServicesMessagingService_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_443c3
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_443c3
Starting Routine> Removing SystemCurrentControlSetServicesOneSyncSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_443c3
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_443c3
Starting Routine> Removing SystemCurrentControlSetServicesPimIndexMaintenanceSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_443c3
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_443c3
Starting Routine> Removing SystemCurrentControlSetServicesUnistoreSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_443c3
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_443c3
Starting Routine> Removing SystemCurrentControlSetServicesUserDataSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_443c3
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_443c3
Starting Routine> Removing SystemCurrentControlSetServicesWpnUserService_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesWpnUserService_443c3
Deleting Registry Key> HKLMSystemCurrentControlSetServicesWpnUserService_443c3
Starting Routine> Removing threats - Please wait...#...
Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 18:56:40 GMT
Starting Routine> Removing SystemCurrentControlSetServicesCDPUserSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesCDPUserSvc_4c961
Deleting Registry Key> HKLMSystemCurrentControlSetServicesCDPUserSvc_4c961
Starting Routine> Removing SystemCurrentControlSetServicesMessagingService_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_4c961
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_4c961
Starting Routine> Removing SystemCurrentControlSetServicesOneSyncSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_4c961
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_4c961
Starting Routine> Removing SystemCurrentControlSetServicesPimIndexMaintenanceSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_4c961
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_4c961
Starting Routine> Removing SystemCurrentControlSetServicesUnistoreSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_4c961
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_4c961
Starting Routine> Removing SystemCurrentControlSetServicesUserDataSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_4c961
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_4c961
Starting Routine> Removing SystemCurrentControlSetServicesWpnUserService_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesWpnUserService_4c961
Deleting Registry Key> HKLMSystemCurrentControlSetServicesWpnUserService_4c961
Starting Routine> Removing threats - Please wait...#...
Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 19:08:24 GMT
Starting Routine> Removing SystemCurrentControlSetServicesCDPUserSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesCDPUserSvc_49eac
Deleting Registry Key> HKLMSystemCurrentControlSetServicesCDPUserSvc_49eac
Starting Routine> Removing SystemCurrentControlSetServicesMessagingService_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_49eac
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_49eac
Starting Routine> Removing SystemCurrentControlSetServicesOneSyncSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_49eac
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_49eac
Starting Routine> Removing SystemCurrentControlSetServicesPimIndexMaintenanceSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_49eac
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_49eac
Starting Routine> Removing SystemCurrentControlSetServicesUnistoreSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_49eac
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_49eac
Starting Routine> Removing SystemCurrentControlSetServicesUserDataSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_49eac
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_49eac
Starting Routine> Removing SystemCurrentControlSetServicesWpnUserService_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesWpnUserService_49eac
Deleting Registry Key> HKLMSystemCurrentControlSetServicesWpnUserService_49eac
Starting Routine> Removing threats - Please wait...#...
Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 19:12:19 GMT
Starting Routine> Removing SystemCurrentControlSetServicesCDPUserSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesCDPUserSvc_4608d
Deleting Registry Key> HKLMSystemCurrentControlSetServicesCDPUserSvc_4608d
Starting Routine> Removing SystemCurrentControlSetServicesMessagingService_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_4608d
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_4608d
Starting Routine> Removing SystemCurrentControlSetServicesOneSyncSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_4608d
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_4608d
Starting Routine> Removing SystemCurrentControlSetServicesPimIndexMaintenanceSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_4608d
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_4608d
Starting Routine> Removing SystemCurrentControlSetServicesUnistoreSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_4608d
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_4608d
Starting Routine> Removing SystemCurrentControlSetServicesUserDataSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_4608d
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_4608d
Starting Routine> Removing SystemCurrentControlSetServicesWpnUserService_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesWpnUserService_4608d
Deleting Registry Key> HKLMSystemCurrentControlSetServicesWpnUserService_4608d
Starting Routine> Removing c:windowssysnativeackgroundtaskhost.exe...#(PX5: AFC04E3A60F71B344DAB007B034E00006BCAC9E0 - MD5: 0601F285DCFF75E679BD91E39B6EBDBF)...
Deleting File> c:windowssysnativeackgroundtaskhost.exe
Starting Routine> Removing c:windowssystem32ackgroundtaskhost.exe...#(PX5: AFC04E3A60F71B344DAB007B034E00006BCAC9E0 - MD5: 0601F285DCFF75E679BD91E39B6EBDBF)...
Deleting File> c:windowssystem32ackgroundtaskhost.exe
Starting Routine> Removing c:windowswinsxsamd64_microsoft-windows-b..nfrastructurebghost_31bf3856ad364e35_10.0.14393.0_none_9e674bcd7fcd70e8ackgroundtaskhost.exe...#(PX5: AFC04E3A60F71B344DAB007B034E00006BCAC9E0 - MD5: 0601F285DCFF75E679BD91E39B6EBDBF)...
Deleting File> c:windowswinsxsamd64_microsoft-windows-b..nfrastructurebghost_31bf3856ad364e35_10.0.14393.0_none_9e674bcd7fcd70e8ackgroundtaskhost.exe
Starting Routine> Removing threats - Please wait...#...
Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 19:16:42 GMT
Starting Routine> Removing SystemCurrentControlSetServicesCDPUserSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesCDPUserSvc_461f0
Deleting Registry Key> HKLMSystemCurrentControlSetServicesCDPUserSvc_461f0
Starting Routine> Removing SystemCurrentControlSetServicesMessagingService_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_461f0
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_461f0
Starting Routine> Removing SystemCurrentControlSetServicesOneSyncSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_461f0
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_461f0
Starting Routine> Removing SystemCurrentControlSetServicesPimIndexMaintenanceSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_461f0
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_461f0
Starting Routine> Removing SystemCurrentControlSetServicesUnistoreSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_461f0
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_461f0
Starting Routine> Removing SystemCurrentControlSetServicesUserDataSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_461f0
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_461f0
Starting Routine> Removing SystemCurrentControlSetServicesWpnUserService_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesWpnUserService_461f0
Deleting Registry Key> HKLMSystemCurrentControlSetServicesWpnUserService_461f0
Starting Routine> Removing threats - Please wait...#...
Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 19:18:07 GMT
Starting Routine> Removing SystemCurrentControlSetServicesCDPUserSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesCDPUserSvc_461f0
Deleting Registry Key> HKLMSystemCurrentControlSetServicesCDPUserSvc_461f0
Starting Routine> Removing SystemCurrentControlSetServicesMessagingService_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_461f0
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_461f0
Starting Routine> Removing SystemCurrentControlSetServicesOneSyncSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_461f0
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_461f0
Starting Routine> Removing SystemCurrentControlSetServicesPimIndexMaintenanceSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_461f0
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_461f0
Starting Routine> Removing SystemCurrentControlSetServicesUnistoreSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_461f0
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_461f0
Starting Routine> Removing SystemCurrentControlSetServicesUserDataSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_461f0
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_461f0
Starting Routine> Removing SystemCurrentControlSetServicesWpnUserService_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesWpnUserService_461f0
Deleting Registry Key> HKLMSystemCurrentControlSetServicesWpnUserService_461f0
Starting Routine> Removing threats - Please wait...#...

/END Threat log

Best answer by Baldrick

Hi cmdkeen
 
In these circumstances I would Open a Support Ticket, providing the information that you have provided in the post so that the Support Team can investigate/help with the definitive removal of any remnants of the rootkit that persist.
 
I am afraid that I am at a loss to u nderstand where the the 'send submission' button is. Could you precise its location so that we can check out its functioning?
 
Regards, Baldrick

8 replies

Baldrick
Gold VIP
  • Baldrick
  • Gold VIP
  • Answer
  • December 4, 2016
Hi cmdkeen
 
In these circumstances I would Open a Support Ticket, providing the information that you have provided in the post so that the Support Team can investigate/help with the definitive removal of any remnants of the rootkit that persist.
 
I am afraid that I am at a loss to u nderstand where the the 'send submission' button is. Could you precise its location so that we can check out its functioning?
 
Regards, Baldrick
Webroot SecureAnywhere Complete Beta Tester v9.0.24.49, imaged by Macrium Reflect v7.2
ProTruckDriver
B
J
C
New Voice
  • cmdkeen
  • Author
  • New Voice
  • December 4, 2016
Hey Baldrick,
 
I meant the button called "Send to Webroot Support", my apologies. Its on the screen titled: Talk to Webroot support
Baldrick
J
C
New Voice
  • cmdkeen
  • Author
  • New Voice
  • December 4, 2016
I sent webroot a message but was unable to copy and paste my threat log so I pasted the thread link for them to check out the threat log here.
 
Thank you. I hope there is a fix for this! 
Baldrick
Jasper_The_Rasper
J
Baldrick
Gold VIP
  • Baldrick
  • Gold VIP
  • December 4, 2016
Hi cmdkeen
 
Including a link to the thread is even better. :D
 
With that information they should be able to sort you out.
 
Regards, Baldrick
Webroot SecureAnywhere Complete Beta Tester v9.0.24.49, imaged by Macrium Reflect v7.2
ProTruckDriver
Jasper_The_Rasper
B
Baldrick
Gold VIP
  • Baldrick
  • Gold VIP
  • December 4, 2016
@ wrote:
Hey Baldrick,
 
I meant the button called "Send to Webroot Support", my apologies. Its on the screen titled: Talk to Webroot support
Apologies but exactly where are you access the "Talk to Webroot Support"...is this from within the WSA client or the Webroot Site?
 
Regards, Baldrick
Webroot SecureAnywhere Complete Beta Tester v9.0.24.49, imaged by Macrium Reflect v7.2
Jasper_The_Rasper
B
Ssherjj
C
New Voice
  • cmdkeen
  • Author
  • New Voice
  • December 4, 2016
This is from the Webroot website.
( URL:  https://www.webrootanywhere.com/servicetalk.asp?source= )
 
I realize this only happens when going here and you are not prompted with email address + password login. 
Baldrick
Jasper_The_Rasper
Ssherjj
Baldrick
Gold VIP
  • Baldrick
  • Gold VIP
  • December 4, 2016
Thanks, but when I click on that link I get into the ticketing system and it shows me the latest exchanges I have had with the Webroot Support Team...but I suppose that only happens if you have opened a ticket previously. If you are still having issues when using that link then I would report it to them whilst you are speaking with them in relation to the stubborn rootkit.
 
Baldrick
Webroot SecureAnywhere Complete Beta Tester v9.0.24.49, imaged by Macrium Reflect v7.2
Jasper_The_Rasper
B
Ssherjj
J
  • JP_
  • Retired Webrooter
  • December 5, 2016
@ wrote:
This is from the Webroot website.
( URL:  https://www.webrootanywhere.com/servicetalk.asp?source= )
 
I realize this only happens when going here and you are not prompted with email address + password login. 
You can always contact us by Phone for immediate assistance: Support Number: 1-866-612-4227 M-F 7am?6pm MT
ProTruckDriver
Baldrick
B
Terms & ConditionsAccessibility statement