I keep getting a rootkit detected. 7 threats detected, and upon rebooting the rootkits reappear. Webroot doesn't seem to be cleaning up these threats permanently; any help or further assistance?

I also tried sending Webroot a message, but the 'send submission' button takes me to the Webroot homepage. Not sure if the message went through or not, so I am posting here.

Here is the threat log:



Automated Cleanup Engine
Starting Cleanup at 13/11/2016 - 18:30:46 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_120926
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_120926
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_120926
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_120926
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_120926
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_120926
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_120926
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_120926
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_120926
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_120926
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_120926
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_120926
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_120926
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_120926
Starting Routine> Removing threats - Please wait...#...

Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 18:52:26 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_443c3
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_443c3
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_443c3
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_443c3
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_443c3
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_443c3
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_443c3
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_443c3
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_443c3
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_443c3
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_443c3
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_443c3
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_443c3
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_443c3
Starting Routine> Removing threats - Please wait...#...

Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 18:56:40 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_4c961
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_4c961
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_4c961
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_4c961
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_4c961
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_4c961
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4c961
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4c961
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_4c961
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_4c961
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_4c961
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_4c961
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_4c961
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_4c961
Starting Routine> Removing threats - Please wait...#...

Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 19:08:24 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_49eac
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_49eac
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_49eac
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_49eac
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_49eac
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_49eac
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_49eac
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_49eac
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_49eac
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_49eac
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_49eac
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_49eac
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_49eac
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_49eac
Starting Routine> Removing threats - Please wait...#...

Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 19:12:19 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_4608d
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_4608d
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_4608d
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_4608d
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_4608d
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_4608d
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4608d
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4608d
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_4608d
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_4608d
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_4608d
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_4608d
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_4608d
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_4608d
Starting Routine> Removing c:\windows\sysnative\backgroundtaskhost.exe...#(PX5: AFC04E3A60F71B344DAB007B034E00006BCAC9E0 - MD5: 0601F285DCFF75E679BD91E39B6EBDBF)...
Deleting File> c:\windows\sysnative\backgroundtaskhost.exe
Starting Routine> Removing c:\windows\system32\backgroundtaskhost.exe...#(PX5: AFC04E3A60F71B344DAB007B034E00006BCAC9E0 - MD5: 0601F285DCFF75E679BD91E39B6EBDBF)...
Deleting File> c:\windows\system32\backgroundtaskhost.exe
Starting Routine> Removing c:\windows\winsxs\amd64_microsoft-windows-b..nfrastructurebghost_31bf3856ad364e35_10.0.14393.0_none_9e674bcd7fcd70e8\backgroundtaskhost.exe...#(PX5: AFC04E3A60F71B344DAB007B034E00006BCAC9E0 - MD5: 0601F285DCFF75E679BD91E39B6EBDBF)...
Deleting File> c:\windows\winsxs\amd64_microsoft-windows-b..nfrastructurebghost_31bf3856ad364e35_10.0.14393.0_none_9e674bcd7fcd70e8\backgroundtaskhost.exe
Starting Routine> Removing threats - Please wait...#...

Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 19:16:42 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_461f0
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_461f0
Starting Routine> Removing threats - Please wait...#...

Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 19:18:07 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_461f0
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_461f0
Starting Routine> Removing threats - Please wait...#...

/END Threat log
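The log above is worth reading structurally before opening a ticket, so here is a small parser for it. This is an added example written for this page; it is not Webroot code and not the poster's. It splits the log into cleanup runs, pulls the trailing suffix off each deleted service key, and collects the file detections with their hashes. Two patterns then become visible: the same seven service names are reported on every run, with a suffix that changes between logons but stays at 461f0 across the two runs a minute and a half apart; and the single file detection is one binary (one PX5, one MD5) seen under system32, its sysnative alias and its WinSxS component-store directory for build 14393. For context, Windows 10 build 1607 creates per-logon service instances under HKLM\System\CurrentControlSet\Services named <Template>_<hex suffix>, and these seven names are the per-user service templates that ship with it; the script only surfaces the pattern and does not decide whether the detections are genuine. The sample log embedded below is constructed from the posted runs in the same line format (with backslashes restored) and uses four of the seven runs.

```python
"""Parse Webroot 'Automated Cleanup Engine' log text and report what recurs
between cleanup runs.  Added example for this thread; not Webroot's code."""
import re

# The seven service names that appear in every run of the posted log.
TEMPLATES = ("CDPUserSvc", "MessagingService", "OneSyncSvc", "PimIndexMaintenanceSvc",
             "UnistoreSvc", "UserDataSvc", "WpnUserService")
SERVICES_KEY = r"System\CurrentControlSet\Services"

RUN_RE = re.compile(r"^Starting Cleanup at (?P<when>.+ GMT)$")
KEY_RE = re.compile(r"^Deleting Registry Key> (?P<key>.+)$")
FILE_RE = re.compile(r"^Starting Routine> Removing (?P<path>[A-Za-z]:\\.+?)\.\.\.#"
                     r"\(PX5: (?P<px5>[0-9A-Fa-f]*) - MD5: (?P<md5>[0-9A-Fa-f]*)\)")
# Per-logon service instances are named <Template>_<hex suffix>.
INSTANCE_RE = re.compile(r"^(?P<base>[A-Za-z]+)_(?P<suffix>[0-9a-f]{5,})$")


def parse_cleanup_log(text):
    """Return one dict per run: start time, {service base: suffix}, [(path, md5)]."""
    runs = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            runs.append({"started": m.group("when"), "services": {}, "files": []})
            continue
        if not runs:
            continue  # ignore anything before the first run header
        m = KEY_RE.match(line)
        if m:
            leaf = m.group("key").rsplit("\\", 1)[-1]
            im = INSTANCE_RE.match(leaf)
            if im:  # the log prints each key twice; dict assignment dedupes
                runs[-1]["services"][im.group("base")] = im.group("suffix")
            continue
        m = FILE_RE.match(line)
        if m:
            runs[-1]["files"].append((m.group("path"), m.group("md5").upper()))
    return runs


def recurring_services(runs):
    """Service names present in every run, mapped to the suffix seen in each run."""
    if not runs:
        return {}
    common = set.intersection(*(set(r["services"]) for r in runs))
    return {base: [r["services"][base] for r in runs] for base in sorted(common)}


def file_hash_consistency(runs):
    """MD5 -> set of paths; one hash across several paths means one identical binary."""
    by_hash = {}
    for r in runs:
        for path, md5 in r["files"]:
            by_hash.setdefault(md5, set()).add(path)
    return by_hash


def _cleanup_run(when, suffix, files=()):
    """Constructed sample: one run in the exact line format of the posted log."""
    lines = ["Automated Cleanup Engine", f"Starting Cleanup at {when}"]
    for base in TEMPLATES:
        lines.append(f"Starting Routine> Removing {SERVICES_KEY}\\{base}_{suffix}...#(PX5: - MD5: )...")
        lines += [f"Deleting Registry Key> HKLM\\{SERVICES_KEY}\\{base}_{suffix}"] * 2
    for path, px5, md5 in files:
        lines.append(f"Starting Routine> Removing {path}...#(PX5: {px5} - MD5: {md5})...")
        lines.append(f"Deleting File> {path}")
    lines.append("Starting Routine> Removing threats - Please wait...#...")
    return lines


# Hashes and paths copied from the posted log; the run selection is a constructed subset.
PX5 = "AFC04E3A60F71B344DAB007B034E00006BCAC9E0"
MD5 = "0601F285DCFF75E679BD91E39B6EBDBF"
BGHOST_COPIES = [(p, PX5, MD5) for p in (r"c:\windows\sysnative\backgroundtaskhost.exe",
                                         r"c:\windows\system32\backgroundtaskhost.exe")]
SAMPLE_LOG = "\n".join(
    _cleanup_run("13/11/2016 - 18:30:46 GMT", "120926")
    + _cleanup_run("04/12/2016 - 19:12:19 GMT", "4608d", BGHOST_COPIES)
    + _cleanup_run("04/12/2016 - 19:16:42 GMT", "461f0")
    + _cleanup_run("04/12/2016 - 19:18:07 GMT", "461f0")
)


def triage(text):
    """Summary a reviewer can paste into a ticket: runs, per-run suffixes, hash map."""
    runs = parse_cleanup_log(text)
    return {
        "runs": [r["started"] for r in runs],
        "recurring_services": recurring_services(runs),
        "files_by_md5": {h: sorted(p) for h, p in file_hash_consistency(runs).items()},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The next check on the affected machine, before treating backgroundtaskhost.exe as malicious, is to verify its Authenticode signature and compare its hash with a known-good copy from the same Windows build; the parser deliberately stops at showing the pattern.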
Hi cmdkeen

In these circumstances I would open a Support Ticket, providing the information that you have provided in the post, so that the Support Team can investigate/help with the definitive removal of any remnants of the rootkit that persist.

I am afraid that I am at a loss to understand where the 'send submission' button is. Could you specify its location so that we can check out its functioning?

Regards, Baldrick
Hey Baldrick,

I meant the button called "Send to Webroot Support", my apologies. It's on the screen titled: Talk to Webroot support
I sent Webroot a message but was unable to copy and paste my threat log, so I pasted the thread link for them to check out the threat log here.

Thank you. I hope there is a fix for this!
Hi cmdkeen

Including a link to the thread is even better. :D

With that information they should be able to sort you out.

Regards, Baldrick
@ wrote:

Hey Baldrick,

I meant the button called "Send to Webroot Support", my apologies. It's on the screen titled: Talk to Webroot support

Apologies, but exactly where are you accessing the "Talk to Webroot Support"...is this from within the WSA client or the Webroot site?

Regards, Baldrick
This is from the Webroot website.

( URL: https://www.webrootanywhere.com/servicetalk.asp?source= )

I realize this only happens when going here and you are not prompted with email address + password login.
Thanks, but when I click on that link I get into the ticketing system and it shows me the latest exchanges I have had with the Webroot Support Team...but I suppose that only happens if you have opened a ticket previously. If you are still having issues when using that link then I would report it to them whilst you are speaking with them in relation to the stubborn rootkit.

Baldrick
@ wrote:

This is from the Webroot website.

( URL: https://www.webrootanywhere.com/servicetalk.asp?source= )

I realize this only happens when going here and you are not prompted with email address + password login.

You can always contact us by phone for immediate assistance: Support Number: 1-866-612-4227, M-F 7am-6pm MT