My only online activities were to check mail and google one topic, yet the Caution.Rootkit virus returned one day after removal. Any ideas on how to permanently remove/prevent it from coming back?
Here is the log...
Starting Routine> Removing SystemCurrentControlSetServicesMessagingService_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_48db9a
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_48db9a
Starting Routine> Removing SystemCurrentControlSetServicesOneSyncSvc_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_48db9a
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_48db9a
Starting Routine> Removing SystemCurrentControlSetServicesPimIndexMaintenanceSvc_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_48db9a
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_48db9a
Starting Routine> Removing SystemCurrentControlSetServicesUnistoreSvc_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_48db9a
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_48db9a
Starting Routine> Removing SystemCurrentControlSetServicesUserDataSvc_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_48db9a
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_48db9a
Starting Routine> Removing threats - Please wait...#...
Solved
What could cause the Caution.Rootkit virus to return a day later?
Best answer by RetiredTripleHelix
Hello,@ wrote:
So i have this according to WEBROOT . it foudn the virus and removed. Ok it did not remove and i am not able to access anything. It is part of teh rtansom ware HD@aolonline. This is a nasty piece of something. It removed any thing i cna try to do to get the REG or control panel ETC....
Please contact Webroot support and they will help you with your issues!
Thanks,
Daniel ;)
Technical Support
Submit a Support Ticket
or Call 1-866-612-4227
+62Hello mikew
Welcome to the Webroot Community.
My Best advice would be to Submit a Support Ticket so that they can assist you with the informatioin that you have provided. This is a free service with a Webroot subscription.
Welcome to the Webroot Community.
My Best advice would be to Submit a Support Ticket so that they can assist you with the informatioin that you have provided. This is a free service with a Webroot subscription.
IMac 2021 27 in i5 Retina 5, iMac OS Sequoia (15.7.3), Security: iPads, ALIENWARE 15 R6, W11 Microsoft Windows Workstation, x64, Webroot® SecureAnywhere™ Internet Security Complete, Android Samsung Galaxy Ultra Note 23, Webroot Beta Tester
Hi mikew
Welcome to the Community Forums.
If I may add to what Sherry has very correctly advised...rootkits, by their nature (you can see the level to which the infection can and does often go down to) can be very hard to remove automatically due to how deeply they infect the target system.
Now, given that the Registry is a delicate thing, whilst automatic disnfection is tried it may sometime not work successfully because of the possibility of further damaging the Registry, hence why the recommendation by Sherry is the best one...it has come back and so most likely needs manual clearing out of anything left over once the automatic process has been run again by Support.
Hope this fuirther information is of assistance?
Regards, Baldrick
Welcome to the Community Forums.
If I may add to what Sherry has very correctly advised...rootkits, by their nature (you can see the level to which the infection can and does often go down to) can be very hard to remove automatically due to how deeply they infect the target system.
Now, given that the Registry is a delicate thing, whilst automatic disnfection is tried it may sometime not work successfully because of the possibility of further damaging the Registry, hence why the recommendation by Sherry is the best one...it has come back and so most likely needs manual clearing out of anything left over once the automatic process has been run again by Support.
Hope this fuirther information is of assistance?
Regards, Baldrick
Webroot SecureAnywhere Complete Beta Tester v9.0.24.49, imaged by Macrium Reflect v7.2
Hello everyone,
Support helped me resolve the issue... at least for two days.
There are several things that seem to be true:
1. Something creates a duplicate registry entry for messagingservice (and four other registry entries). I was told it is Windows Update doing it. To verify, I checked and Windows 10 did check for updates a few minutes before the virus scan.
2. Webroot reports a virus is found when there is more than one duplicate of the messagingservice registry entry.
3. Webroot claims it removes the offending registry entry, but it is sill there. I have to manually remove the duplicate entry.
4. A rescan with Webroot tells me the offending entry is still there, even though I just manually removed it.
Any clues as to what is going on? Support did say to remove these extra registry entries andreinstall the program to get a clean WRData folder, but I don't want to have to do this every other day.
Thanks,
Mike
Support helped me resolve the issue... at least for two days.
There are several things that seem to be true:
1. Something creates a duplicate registry entry for messagingservice (and four other registry entries). I was told it is Windows Update doing it. To verify, I checked and Windows 10 did check for updates a few minutes before the virus scan.
2. Webroot reports a virus is found when there is more than one duplicate of the messagingservice registry entry.
3. Webroot claims it removes the offending registry entry, but it is sill there. I have to manually remove the duplicate entry.
4. A rescan with Webroot tells me the offending entry is still there, even though I just manually removed it.
Any clues as to what is going on? Support did say to remove these extra registry entries andreinstall the program to get a clean WRData folder, but I don't want to have to do this every other day.
Thanks,
Mike
Hi mikew
I would follow Support's advice and give that a go...to see if it definitively resolves the issues. If it reoccurs even after that then you should contact Support to let them know so that they can rethink the advoce/what you should do.
Let us know what you decide and what the result is.
Regards, Baldrick
I would follow Support's advice and give that a go...to see if it definitively resolves the issues. If it reoccurs even after that then you should contact Support to let them know so that they can rethink the advoce/what you should do.
Let us know what you decide and what the result is.
Regards, Baldrick
Webroot SecureAnywhere Complete Beta Tester v9.0.24.49, imaged by Macrium Reflect v7.2
Thanks, Baldrick.
I did follow Support's advice, even allowed remote access, but the problem keeps coming back. I contacted Support again.
The confusing part is I scanned with online scanners from Kaspersky, F-Secure, and BitDefender, and none of them found a virus. Online scanners may not be that good, though.
I just really need to know if this is a virus.
I did follow Support's advice, even allowed remote access, but the problem keeps coming back. I contacted Support again.
The confusing part is I scanned with online scanners from Kaspersky, F-Secure, and BitDefender, and none of them found a virus. Online scanners may not be that good, though.
I just really need to know if this is a virus.
Well, I am not really sure what to suggest in the circumstances. I will have a think and if I come up with anything I will let you know.
An update for all,
Support had me reinstall WRSA again. I assume that is because the WRData folder remembers the virus pattern from the false positve it found before, but just guessing.
Support told me to not remove those extra registry keys that they themselves said were the cause of the problem, and they removed while I watched. Confusing.
Support also told me to not use Maximum Heuristics with Windows 10. Apparently, they don't play well together.
I did notice one other thing. When it found what it thought was a virus, Notifications was in Quiet Hours mode. It appears that Quiet Hours seems to turn itself on and off at will. I never touch it. Is that the issue?
Still unsure if there is a hidden virus everyone is missing or not. Trying to help, but losing confidence in the program.
Thanks,
mikew
Support had me reinstall WRSA again. I assume that is because the WRData folder remembers the virus pattern from the false positve it found before, but just guessing.
Support told me to not remove those extra registry keys that they themselves said were the cause of the problem, and they removed while I watched. Confusing.
Support also told me to not use Maximum Heuristics with Windows 10. Apparently, they don't play well together.
I did notice one other thing. When it found what it thought was a virus, Notifications was in Quiet Hours mode. It appears that Quiet Hours seems to turn itself on and off at will. I never touch it. Is that the issue?
Still unsure if there is a hidden virus everyone is missing or not. Trying to help, but losing confidence in the program.
Thanks,
mikew
Hi mikew
Not sure what you mean by way of "Quiet Hours" mode?
Plus I believe that there may be other 'residue' left over when WSA is uninstalled and so am looking to see if there may be something therein that is affecting your system.
Regards, Baldrick
Not sure what you mean by way of "Quiet Hours" mode?
Plus I believe that there may be other 'residue' left over when WSA is uninstalled and so am looking to see if there may be something therein that is affecting your system.
Regards, Baldrick
Hello Baldrick,
If you have Windows 10, there is a little outlined Notifications box on the bottom right in the taskbar. It normally looks like this:
You can tell Notifications not to bother you by right-clicking on it and selecting "Turn on quiet hours".
Apparenlty, it can turn itself on and off randomly.
Support has told me the issue with the false positives is related to using Maximum Heuristics in Windows 10. I assumed using it would also give maximum protection, but it must cause an issue.
I'll keep researching this, too.
Thanks,
mikew
If you have Windows 10, there is a little outlined Notifications box on the bottom right in the taskbar. It normally looks like this:
You can tell Notifications not to bother you by right-clicking on it and selecting "Turn on quiet hours".
Apparenlty, it can turn itself on and off randomly.
Support has told me the issue with the false positives is related to using Maximum Heuristics in Windows 10. I assumed using it would also give maximum protection, but it must cause an issue.
I'll keep researching this, too.
Thanks,
mikew
Hi mikew
Thanks ffor the information on 'Quiet Hours'...I tthought that you were referring to something in WSA that I was not aware of...but as it turns out I was not aware of it in Windows 10...so something new learned...:D
I will have to try it out.
Regards, Baldrick
Thanks ffor the information on 'Quiet Hours'...I tthought that you were referring to something in WSA that I was not aware of...but as it turns out I was not aware of it in Windows 10...so something new learned...:D
I will have to try it out.
Regards, Baldrick
Webroot SecureAnywhere Complete Beta Tester v9.0.24.49, imaged by Macrium Reflect v7.2
+56@ wrote:
My only online activities were to check mail and google one topic, yet the Caution.Rootkit virus returned one day after removal. Any ideas on how to permanently remove/prevent it from coming back?
Here is the log...
Starting Routine> Removing SystemCurrentControlSetServicesMessagingService_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_48db9a
Deleting Registry Key> HKLMSystemCurrentControlSetServicesMessagingService_48db9a
Starting Routine> Removing SystemCurrentControlSetServicesOneSyncSvc_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_48db9a
Deleting Registry Key> HKLMSystemCurrentControlSetServicesOneSyncSvc_48db9a
Starting Routine> Removing SystemCurrentControlSetServicesPimIndexMaintenanceSvc_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_48db9a
Deleting Registry Key> HKLMSystemCurrentControlSetServicesPimIndexMaintenanceSvc_48db9a
Starting Routine> Removing SystemCurrentControlSetServicesUnistoreSvc_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_48db9a
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUnistoreSvc_48db9a
Starting Routine> Removing SystemCurrentControlSetServicesUserDataSvc_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_48db9a
Deleting Registry Key> HKLMSystemCurrentControlSetServicesUserDataSvc_48db9a
Starting Routine> Removing threats - Please wait...#...
Please follow the steps closely!
- Make sure you have a copy of your 20 Character Alphanumeric Keycode! Example: SA69-AAAA-A783-DE78-XXXX
- KEEP the computer online for Uninstall and Reinstall to make sure it works correctly
- Download a Copy Here (Best Buy Subscription PC users click HERE) Let us know if it is the Mac version you need.
- Uninstall WSA and Reboot
- Install with the new installer, enter your Keycode and don't import any settings if asked to as you can set it up as you like once it's done
- Let it finish it's install scan
- Reboot once again
Thanks,
Daniel 😉
+62Thanks for the heads up Daniel!:D
IMac 2021 27 in i5 Retina 5, iMac OS Sequoia (15.7.3), Security: iPads, ALIENWARE 15 R6, W11 Microsoft Windows Workstation, x64, Webroot® SecureAnywhere™ Internet Security Complete, Android Samsung Galaxy Ultra Note 23, Webroot Beta Tester
Yes, thank you Daniel.
That is what Support told me to do, and also to not use Maximum Heuristics.
I am still curious as to what is causing all those registry key duplicates to be created? I had 10 duplicates of MessagingService, and a friend says she has 3 duplicates. I found someone in a google search complaining he had 4,000 duplicates. But, not a concern for this forum as long as they are safe duplicates.
mikew
That is what Support told me to do, and also to not use Maximum Heuristics.
I am still curious as to what is causing all those registry key duplicates to be created? I had 10 duplicates of MessagingService, and a friend says she has 3 duplicates. I found someone in a google search complaining he had 4,000 duplicates. But, not a concern for this forum as long as they are safe duplicates.
mikew
+56You can use Maximum Heuristics as I always do but if you come across this issue again just post back to let us know and go back to:@ wrote:
Yes, thank you Daniel.
That is what Support told me to do, and also to not use Maximum Heuristics.
I am still curious as to what is causing all those registry key duplicates to be created? I had 10 duplicates of MessagingService, and a friend says she has 3 duplicates. I found someone in a google search complaining he had 4,000 duplicates. But, not a concern for this forum as long as they are safe duplicates.
mikew
They are not duplicates as they shouldn't be detected by WSA and even WSA will not even remove those detections but we will keep an eye on it as I haven't seen it for quite awhile.
Thanks,
Daniel 😉
Hi Daniel,
That is interesting. To quote Support from two days ago:
Hello,
We do not recommend configuring Webroot to have maximum heuristics on Windows 10.
Can you uninstall and reinstall with the mentioned steps before?
The registry keys do not need to be removed, please do not enable maximum heuristics.
Regards,
Webroot Advanced Malware Removal Team
I was seeing 11 extra registry keys created by something.
They each had a different hex number to identify them. Who or what created them, I don't know, but WRSA was thinking they were threats only when I used max heuristics. Maybe they are not copies, but other instances of some program using the dll.
The first step Support did was to delete all but the original unnumbered key.
I was just upgraded automatically to version 9.0.10.17 today. Maybe that fixed the issue.
Thanks,
mikew
That is interesting. To quote Support from two days ago:
Hello,
We do not recommend configuring Webroot to have maximum heuristics on Windows 10.
Can you uninstall and reinstall with the mentioned steps before?
The registry keys do not need to be removed, please do not enable maximum heuristics.
Regards,
Webroot Advanced Malware Removal Team
I was seeing 11 extra registry keys created by something.
They each had a different hex number to identify them. Who or what created them, I don't know, but WRSA was thinking they were threats only when I used max heuristics. Maybe they are not copies, but other instances of some program using the dll.
The first step Support did was to delete all but the original unnumbered key.
I was just upgraded automatically to version 9.0.10.17 today. Maybe that fixed the issue.
Thanks,
mikew
+56Hi Mike,
Yes support would suggest that but I have been using Max Heuristics on all versions of Windows since early 2011 for the release of WSA 2012, and continue to Beta Test even on Windows 10 and it's Previews but if you have an issue just go back to http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C13_Settings/CH13d_AdjustingHeuristics.htm
"Default; recommended setting."
"Enable enhanced heuristics based on the behavior, origin, age, and popularity of files"
But feel to do what you like! Also if you want a Security Check just Submit a Support Ticket and ask them about those extra Reg Keys as you say and they will let you know!
Cheers,
Daniel 😉
Yes support would suggest that but I have been using Max Heuristics on all versions of Windows since early 2011 for the release of WSA 2012, and continue to Beta Test even on Windows 10 and it's Previews but if you have an issue just go back to http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C13_Settings/CH13d_AdjustingHeuristics.htm
"Default; recommended setting."
"Enable enhanced heuristics based on the behavior, origin, age, and popularity of files"
But feel to do what you like! Also if you want a Security Check just Submit a Support Ticket and ask them about those extra Reg Keys as you say and they will let you know!
Cheers,
Daniel 😉
+56? I just got the same detections from one of my Win 10 Pro x86 VM's at Max Heuristics so I set it back to default Heuristics and all is fine!
Daniel ;)
Some legitimate files are not included in this log
[r] SystemCurrentControlSetServicesMessagingService_373f8
[r] SYSTEMControlSet001ServicesMessagingService_373f8ImagePath
[r] SystemCurrentControlSetServicesOneSyncSvc_373f8
[r] SYSTEMControlSet001ServicesOneSyncSvc_373f8ImagePath
[r] SystemCurrentControlSetServicesPimIndexMaintenanceSvc_373f8
[r] SYSTEMControlSet001ServicesPimIndexMaintenanceSvc_373f8ImagePath
[r] SystemCurrentControlSetServicesUnistoreSvc_373f8
[r] SYSTEMControlSet001ServicesUnistoreSvc_373f8ImagePath
[r] SystemCurrentControlSetServicesUserDataSvc_373f8
[r] SYSTEMControlSet001ServicesUserDataSvc_373f8ImagePath
Daniel ;)
Some legitimate files are not included in this log
[r] SystemCurrentControlSetServicesMessagingService_373f8
[r] SYSTEMControlSet001ServicesMessagingService_373f8ImagePath
[r] SystemCurrentControlSetServicesOneSyncSvc_373f8
[r] SYSTEMControlSet001ServicesOneSyncSvc_373f8ImagePath
[r] SystemCurrentControlSetServicesPimIndexMaintenanceSvc_373f8
[r] SYSTEMControlSet001ServicesPimIndexMaintenanceSvc_373f8ImagePath
[r] SystemCurrentControlSetServicesUnistoreSvc_373f8
[r] SYSTEMControlSet001ServicesUnistoreSvc_373f8ImagePath
[r] SystemCurrentControlSetServicesUserDataSvc_373f8
[r] SYSTEMControlSet001ServicesUserDataSvc_373f8ImagePath
Hi Daniel,
I guess it's good to know I am not alone in seeing this apparent false detection. I did ask the Support team what caused this, and they believed it was related Windows updates.
Thanks,
mikew
I guess it's good to know I am not alone in seeing this apparent false detection. I did ask the Support team what caused this, and they believed it was related Windows updates.
Thanks,
mikew
So i have this according to WEBROOT . it foudn the virus and removed. Ok it did not remove and i am not able to access anything. It is part of teh rtansom ware HD@aolonline. This is a nasty piece of something. It removed any thing i cna try to do to get the REG or control panel ETC....
+56Hello,@ wrote:
So i have this according to WEBROOT . it foudn the virus and removed. Ok it did not remove and i am not able to access anything. It is part of teh rtansom ware HD@aolonline. This is a nasty piece of something. It removed any thing i cna try to do to get the REG or control panel ETC....
Please contact Webroot support and they will help you with your issues!
Thanks,
Daniel ;)
Technical Support
Submit a Support Ticket
or Call 1-866-612-4227
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.