What could cause the Caution.Rootkit virus to return a day later?

SOLVED
New Voice

My only online activities were to check mail and google one topic, yet the Caution.Rootkit virus returned one day after removal.  Any ideas on how to permanently remove/prevent it from coming back?

 

Here is the log...

Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_48db9a\...#(PX5:  - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_48db9a\
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_48db9a\
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_48db9a\...#(PX5:  - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_48db9a\
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_48db9a\
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_48db9a\...#(PX5:  - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_48db9a\
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_48db9a\
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_48db9a\...#(PX5:  - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_48db9a\
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_48db9a\
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_48db9a\...#(PX5:  - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_48db9a\
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_48db9a\
Starting Routine> Removing threats - Please wait...#...

20 REPLIES
Gold VIP
Computers
Webroot

Re: What could cause the Caution.Rootkit virus to return a day later?

Hello mikew

 

Welcome to the Webroot Community.

 

My best advice would be to Submit a Support Ticket so that they can assist you with the information that you have provided. This is a free service with a Webroot subscription.


Sherry




Microsoft® Windows Insider MVP - Windows Security



ALIENWARE 17R4 Win 10 Pro x64 / Mac OS X El Capitan (10.11.6), IPad's, PCs,W 10 & W 8.1 R Pro. W 7 Pro ..Lenovo (VM:10) & Webroot® SecureAnywhere™ Internet Security Complete (Android Samsung Note 4) Beta Tester,Windows Insider Builds
Gold VIP

Re: What could cause the Caution.Rootkit virus to return a day later?

Hi mikew

 

Welcome to the Community Forums.

 

If I may add to what Sherry has very correctly advised...rootkits, by their nature (you can see the level to which the infection can and does often go down to) can be very hard to remove automatically due to how deeply they infect the target system.

 

Now, given that the Registry is a delicate thing, whilst automatic disinfection is tried it may sometimes not work successfully because of the possibility of further damaging the Registry, hence why the recommendation by Sherry is the best one...it has come back and so most likely needs manual clearing out of anything left over once the automatic process has been run again by Support.

 

Hope this further information is of assistance?

 

Regards, Baldrick

 



Webroot SecureAnywhere Complete Beta Tester v9.0.18.44, imaged by Macrium Reflect v7.1

New Voice

Re: What could cause the Caution.Rootkit virus to return a day later?

Hello everyone,

 

Support helped me resolve the issue... at least for two days.

 

There are several things that seem to be true:

 

1.  Something creates a duplicate registry entry for messagingservice (and four other registry entries).  I was told it is Windows Update doing it.  To verify, I checked and Windows 10 did check for updates a few minutes before the virus scan.

 

2.  Webroot reports a virus is found when there is more than one duplicate of the messagingservice registry entry.

 

3. Webroot claims it removes the offending registry entry, but it is still there.  I have to manually remove the duplicate entry.

 

4.  A rescan with Webroot tells me the offending entry is still there, even though I just manually removed it.

 

Any clues as to what is going on?  Support did say to remove these extra registry entries and reinstall the program to get a clean WRData folder, but I don't want to have to do this every other day.

 

Thanks,

Mike
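A read-only triage check for the symptom Mike describes, added here as an example (it is not from the thread, from Webroot, or from Support). It lists every key under HKLM\System\CurrentControlSet\Services whose name ends in a hex suffix, like the _48db9a keys in the log above, pairs each with the key of the same name minus the suffix, and writes a dated CSV so the result can be compared with a scan a day later. The suffix pattern, the pairing with a base key, and the output path are assumptions; the script deletes and modifies nothing.

```powershell
# Added example, not the product's own code. Run in an elevated PowerShell
# on the affected Windows 10 machine. Read-only: nothing is changed.
$servicesKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Assumed pattern: <BaseName>_<5-8 hex digits>, e.g. MessagingService_48db9a
$suffixPattern = '^(?<base>.+)_(?<suffix>[0-9a-f]{5,8})$'
# Assumed output location for the dated snapshot
$snapshotPath  = Join-Path $env:TEMP ("service-keys-{0}.csv" -f (Get-Date -Format 'yyyyMMdd-HHmm'))

$keys   = Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue
$byName = @{}
foreach ($k in $keys) { $byName[$k.PSChildName] = $k }

$report = foreach ($k in $keys) {
    if ($k.PSChildName -match $suffixPattern) {
        $base = $Matches['base']
        $inst = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
        $tmpl = $null
        if ($byName.ContainsKey($base)) {
            $tmpl = Get-ItemProperty -Path $byName[$base].PSPath -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Instance          = $k.PSChildName
            BaseKey           = $base
            BaseKeyExists     = $byName.ContainsKey($base)
            Suffix            = $Matches['suffix']
            # Start: 2 = automatic, 3 = manual, 4 = disabled
            Start             = $inst.Start
            InstanceImagePath = $inst.ImagePath
            # True when the suffixed key launches the same binary as its base key
            SameImagePath     = ($null -ne $tmpl -and $inst.ImagePath -eq $tmpl.ImagePath)
        }
    }
}

$report | Sort-Object Instance | Format-Table -AutoSize
$report | Export-Csv -Path $snapshotPath -NoTypeInformation
Write-Host "Snapshot written to $snapshotPath"

# Group by suffix: one suffix shared by several base names (as in the log,
# where five keys all end in _48db9a) points at one creating event.
$report | Group-Object Suffix | Select-Object Name, Count | Format-Table -AutoSize
```

Comparing two snapshots with Compare-Object on the Instance column shows whether the suffixed keys that reappear are the same names as before or new ones, which is the question left open in the post.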

Gold VIP

Re: What could cause the Caution.Rootkit virus to return a day later?

Hi mikew

 

I would follow Support's advice and give that a go...to see if it definitively resolves the issues. If it reoccurs even after that then you should contact Support to let them know so that they can rethink the advice/what you should do.

 

Let us know what you decide and what the result is.

 

Regards, Baldrick


New Voice

Re: What could cause the Caution.Rootkit virus to return a day later?

Thanks, Baldrick.

 

I did follow Support's advice, even allowed remote access, but the problem keeps coming back.  I contacted Support again.

 

The confusing part is I scanned with online scanners from Kaspersky, F-Secure, and BitDefender, and none of them found a virus.  Online scanners may not be that good, though.

 

I just really need to know if this is a virus.

Gold VIP

Re: What could cause the Caution.Rootkit virus to return a day later?

Well, I am not really sure what to suggest in the circumstances. I will have a think and if I come up with anything I will let you know.


New Voice

Re: What could cause the Caution.Rootkit virus to return a day later?

An update for all,

 

Support had me reinstall WRSA again.  I assume that is because the WRData folder remembers the virus pattern from the false positive it found before, but just guessing.

 

Support told me to not remove those extra registry keys that they themselves said were the cause of the problem, and they removed while I watched.  Confusing.

 

Support also told me to not use Maximum Heuristics with Windows 10.  Apparently, they don't play well together.

 

I did notice one other thing.  When it found what it thought was a virus, Notifications was in Quiet Hours mode.  It appears that Quiet Hours seems to turn itself on and off at will.  I never touch it.  Is that the issue?

 

Still unsure if there is a hidden virus everyone is missing or not.  Trying to help, but losing confidence in the program.

 

Thanks,

mikew

Gold VIP

Re: What could cause the Caution.Rootkit virus to return a day later?

Hi mikew

 

Not sure what you mean by way of "Quiet Hours" mode?

 

Plus I believe that there may be other 'residue' left over when WSA is uninstalled and so am looking to see if there may be something therein that is affecting your system.

 

Regards, Baldrick


New Voice

Re: What could cause the Caution.Rootkit virus to return a day later?

Hello Baldrick,

 

If you have Windows 10, there is a little outlined Notifications box on the bottom right in the taskbar.  It normally looks like this:

 

notifications awake.PNG

 

You can tell Notifications not to bother you by right-clicking on it and selecting "Turn on quiet hours".

 

notifications asleep.PNG

 

Apparently, it can turn itself on and off randomly.

 

Support has told me the issue with the false positives is related to using Maximum Heuristics in Windows 10.  I assumed using it would also give maximum protection, but it must cause an issue.

 

I'll keep researching this, too.

 

Thanks,

mikew