Webroot Secure Anywhere v9.0.14.58 on a win10 desktop
Webroot Secure Anywhere reports 7 instances as rootkits. However when I restart my computer to finish cleaning they appear all over again. Please help.
System\CurrentControlSet\Services\CDPUserSvc_41236
System\CurrentControlSet\Services\MessagingService_41236
System\CurrentControlSet\Services\OneSyncSvc_41236
System\CurrentControlSet\Services\PimIndexMaintenanceSvc_41236
System\CurrentControlSet\Services\UnistoreSvc_41236
System\CurrentControlSet\Services\UserDataSvc_41236
System\CurrentControlSet\Services\WpnUserService_41236
Hello sanyos, Welcome to the Webroot Community Forum. :D
Please submit a Support Ticket or Contact Webroot Support to sort this problem. This service is FREE with a Paid Subscription.
Support Ticket System is Open 24/7
HTH,
Dave. ;)
Hi sanyos,
Welcome to the Webroot Community.
Thanks very much for posting this. I had this same thing happen over the weekend to me. Same scenario, 7 rootkits, same files and location of files as you have posted. I had to reboot 6 times before Webroot was able to completely remove this. Scans with other AV scanners produced no reports of malware.
I would suggest that you submit a trouble ticket to Webroot Support. Perhaps they can whitelist these files. I am going to submit a ticket as well. Please post back when you hear from support.
Glad to know this wasn't an isolated incident. Hopefully support can determine the cause of this FP.
Thanks,
BD
It's not needed to remove
1 - save a threat log | how to: http://live.webrootanywhere.com/content/843/Saving-Threat-Logs
2 - Find the [e] characters in the saved file
for example
[e] d:soft rashreg rashregx64full.exe [MD5: 2B3742E423AC0C5B7326E84B8FD58D72] [Flags: 40080100.6112] [Threat: W32.Trojan.GenKD]
3 - send this string(-s) and description of the problem to support: https://www.webrootanywhere.com/servicewelcome.asp
My threat log doesn't look like that, there are no MD5 hashes. Here is what I have.
Thanks, Petr...
Automated Cleanup Engine
Starting Cleanup at 31/12/2016 - 21:29:44 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_34955
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_34955
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_34955
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_34955
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_34955
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_34955
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_34955
Starting Routine> Removing threats - Please wait...#...
This happened on 2 PCs running WSA, both WIN10 Pro. Freaked me out until I determined that it was a FP.
Will submit a ticket and see what the experts at Webroot have to say. ;)
BD
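A triage aid for the cleanup log in the post above, added here as an example and not written by any poster or by Webroot: it extracts the entries that are service registry keys with an empty MD5 field and groups them by their trailing suffix. The function names, the regular expressions and the sample lines are assumptions built from the log format shown; the file-backed entry uses a placeholder path and hash.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the cleanup log above; the last entry is a
# hypothetical file-backed detection (placeholder path and hash) for contrast.
SAMPLE_LOG = r"""Starting Cleanup at 31/12/2016 - 21:29:44 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_34955
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_34955...#(PX5: - MD5: )...
Starting Routine> Removing c:\example\placeholder.exe...#(PX5: - MD5: 00000000000000000000000000000000)...
Starting Routine> Removing threats - Please wait...#...
"""

ROUTINE = re.compile(
    r"^Starting Routine> Removing (?P<target>.+?)\.\.\.#\(PX5:.*?-\s*MD5:\s*(?P<md5>[0-9A-Fa-f]*)\s*\)")
# Service key ending in <name>_<suffix>; the backslash is optional so that logs
# pasted with the separators stripped still parse.
SERVICE = re.compile(r"Services\\?(?P<name>[A-Za-z0-9]+)_(?P<suffix>[0-9A-Fa-f]+)$")


def parse_cleanup_log(text):
    """Return one dict per 'Starting Routine> Removing <target>' entry."""
    entries = []
    for line in text.splitlines():
        m = ROUTINE.match(line.strip())
        if not m:
            continue  # header, 'Deleting Registry Key>' and progress lines
        svc = SERVICE.search(m.group("target"))
        entries.append({
            "target": m.group("target"),
            "md5": m.group("md5") or None,
            "service": svc.group("name") if svc else None,
            "suffix": svc.group("suffix") if svc else None,
        })
    return entries


def registry_only_by_suffix(entries):
    """Group service-key detections that carry no file hash by their suffix."""
    groups = defaultdict(list)
    for e in entries:
        if e["md5"] is None and e["service"]:
            groups[e["suffix"]].append(e["service"])
    return {suffix: sorted(names) for suffix, names in groups.items()}


if __name__ == "__main__":
    for suffix, names in registry_only_by_suffix(parse_cleanup_log(SAMPLE_LOG)).items():
        print(f"suffix _{suffix}: {len(names)} registry-only entries: {', '.join(names)}")
```

Windows 10 creates its per-user service instances under names of the form `<service>_<suffix>` at sign-in, so a set of hash-less service keys sharing one suffix is useful detail to include in a support ticket about a suspected false positive.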
When you get these types of detections System\CurrentControlSet\Services it means your heuristics are set above default so in most cases you need to do a clean reinstall of WSA then you can set your heuristics above default again. I had these detections many times because I run my heuristics at Maximum. http://live.webrootanywhere.com/content/680/Adjusting-Heuristics
Please follow the steps closely!
- Make sure you have a copy of your 20 Character Alphanumeric Keycode! Example: SA69-AAAA-A783-DE78-XXXX
- KEEP the computer online for Uninstall and Reinstall to make sure it works correctly
- Download a Copy Here (Best Buy Geek Squad Subscription PC users click HERE) Let us know if it is the Mac version you need.
- Uninstall WSA and Reboot
- Install with the new installer, enter your Keycode and do NOT import any settings if offered by the installer as you can set it up as you like once it's done
- Let it finish its install scan
- Reboot once again
Thanks,
Daniel 😉
Also if you let WSA clean them up they will be detected again until a reinstall can be done so you don't have to worry as WSA doesn't really remove them.
Thanks,
Daniel ;)
Thanks for the info, Daniel. That makes sense. I do have my heuristics set to maximum, too. Will do a clean install and most-likely just keep the default heuristics. 😉 I thought it was odd that the infected files never showed up in quarantine, now I know why.
BD
Right and you're welcome! 😉
What all of this means to me, I won't be renewing with Webroot next year. I've used Webroot for close to 15 years. This will be the last year. As a customer, we shouldn't have to go through any of the steps that you mention above as in uninstalling and reinstalling. It's a problem with Webroot not our computers or systems. Webroot needs to correct the issue.
Are you having this detection System\CurrentControlSet\Services? As far as I know it's been fixed since this thread was last posted to in May 2017. If you like Submit a Support Ticket and ask them.
EDIT: It looks like the Bug is back as a couple others are reporting the same but don't worry as WSA cannot remove these detections.