Solved

Bizarre

  • 1 November 2020
  • 1 reply
  • 146 views


Yesterday I noticed that, unusually, Windows asked if Webroot could have access; I agreed and thought nothing of it. The same happened this morning. This time there was a Webroot icon on my taskbar telling me a scan was overdue; my settings allow a scan overnight or, if missed, when the system is next switched on, so I could not understand how it could be overdue. I clicked the icon and a black Webroot control panel came on. I tried to start a scan; a Captcha appeared but wouldn't let me click the continue button, and in the background all of my settings were now off and I could not change them. It also showed zero scan history but the correct subscription remaining details. Webroot was not on my apps list but Task Manager showed Webroot was consuming 88% of my CPU resources. Windows Security Centre did not show an alert as it had reverted to Microsoft Defender.

I thought I would uninstall and reinstall Webroot. I went to the Windows Control Panel, found Webroot there and clicked uninstall. I then got a pop-up telling me I had to log in as an administrator first. I couldn't get the Webroot control panel past the Captcha to do that, so I closed that pop-up; despite my not having logged in as an administrator, it appeared to go through an uninstall process. I went off to the Webroot website, deactivated the uninstalled app and downloaded the Windows installation package; nothing happened after the download finished. I found the download and clicked it, and instantly the black Webroot control panel popped up with the same corrupted behaviour.

I found the Webroot folder in my C drive Programs folder and found I could delete it [not recycle]. I didn't think that was possible whilst it was busy displaying an icon on my taskbar. Having deleted the program folder, I downloaded the installation package and clicked it; it started an installation routine but then, within a few seconds, without any keycodes, scans, form filling etc., a more normal-looking Webroot control panel arrived. I started a scan and it found 10 rootkits [I haven't had a threat detection in years], some revolving around registry entries starting WR (Webroot?). Webroot removed them and rescanned but, with such bizarre behaviour, I must admit my confidence is a little shaken.

Is it possible to get a clean installation and, if so, how do you do it?

Logs

System\CurrentControlSet\Services\AarSvc_39a91\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
System\CurrentControlSet\Services\cbdhsvc_39a91\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
System\CurrentControlSet\Services\ConsentUxUserSvc_39a91\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_39a91\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_39a91\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
System\CurrentControlSet\Services\UdkUserSvc_39a91\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
System\CurrentControlSet\Services\WRCore\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
System\CurrentControlSet\Services\WRCoreService\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
System\CurrentControlSet\Services\WRSkyClient\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
System\CurrentControlSet\Services\wrUrlFlt\...#(PX5:  - MD5:  - UniqueID: 040A47A0)...
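An added example, not code from the original poster or from Webroot: a PowerShell script that takes the log excerpt above as its input, extracts the service names it flags, and inspects each one's key under HKLM:\SYSTEM\CurrentControlSet\Services, reporting whether the key exists, what binary it points at, and whether that binary carries a valid Authenticode signature. Names with a `_39a91`-style suffix are instances of Windows per-user services (AarSvc, cbdhsvc, ConsentUxUserSvc and the rest are built-in templates, and the suffix is the logon session ID); they are hosted by svchost.exe and their instance keys often carry no ImagePath of their own, which the script reports as blank. The WR* entries are the ones whose image location and signer you actually want to confirm. The `$LogText` sample is the page's own excerpt retyped as input; the function names and the argument-stripping rule in `Resolve-ServiceImage` are my own assumptions, and the script needs an elevated PowerShell on the affected machine.

```powershell
# Added example, not code from the original post or from Webroot.
# Parses the WSA log excerpt, then inspects each flagged service key under
# HKLM:\SYSTEM\CurrentControlSet\Services. Run in an elevated PowerShell.

# The page's own log excerpt, retyped here as the script's input (constructed sample).
$LogText = @'
System\CurrentControlSet\Services\AarSvc_39a91\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
System\CurrentControlSet\Services\cbdhsvc_39a91\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
System\CurrentControlSet\Services\WRCore\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
System\CurrentControlSet\Services\WRCoreService\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
System\CurrentControlSet\Services\WRSkyClient\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
System\CurrentControlSet\Services\wrUrlFlt\...#(PX5:  - MD5:  - UniqueID: 040A47A0)…
'@

# Pull the service name out of each "System\CurrentControlSet\Services\<name>\" entry.
function Get-FlaggedServiceName {
    param([string]$Text)
    [regex]::Matches($Text, 'System\\CurrentControlSet\\Services\\([^\\]+)\\') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
}

# Reduce an ImagePath value to the executable it names (hypothetical helper):
# expand %SystemRoot%-style variables, drop the \??\ NT prefix, strip a quoted
# path's quotes or trailing " -args", and root relative paths at %SystemRoot%.
function Resolve-ServiceImage {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath) -replace '^\\\?\?\\', ''
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] } else { $p = ($p -split '\s+[-/]')[0].Trim() }
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# One report row per service key: existence, start type, binary and its signature.
function Get-ServiceKeyReport {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $exe   = Resolve-ServiceImage $props.ImagePath
        $sig   = if ($exe -and (Test-Path -LiteralPath $exe)) {
                     Get-AuthenticodeSignature -FilePath $exe
                 }
        [pscustomobject]@{
            Name      = $name
            # Windows per-user services are instantiated as <template>_<logon LUID>.
            Kind      = if ($name -match '^(.+)_[0-9a-fA-F]{3,}$') { "per-user instance of $($Matches[1])" } else { 'service' }
            KeyExists = [bool]$props
            Start     = $props.Start          # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            Image     = $exe
            SigStatus = $sig.Status           # Valid / NotSigned / HashMismatch; blank if no binary found
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

Get-ServiceKeyReport (Get-FlaggedServiceName $LogText) | Format-Table -AutoSize
```

What to look at in the output: the per-user instances should show a blank or svchost.exe image, while each WR* service should show a key that exists, an image inside Webroot's install folder and a SigStatus of Valid with a Webroot signer. A WR* key whose binary sits elsewhere, is unsigned or reports HashMismatch is concrete evidence to attach to the support ticket rather than something to reason about from the scan summary alone.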


Best answer by TripleHelix 1 November 2020, 15:48




Hello @TimC

System\CurrentControlSet detections are mostly caused by having your heuristics set to Max, but WSA can't remove them, so no worries there.

With all the issues you're having, it would be best to Submit a Support Ticket and they will get you sorted.

Note: When submitting a Support Ticket, please wait for a response from Support. Putting in another Support Ticket on this problem before Support responds will put your first Support Ticket at the end of the queue. A reply from Support should take from 24 to 48 hours but could take a little longer because of COVID-19, as the Webroot employees are busy working from home.

Thanks,
