Solved

Recurring rootkit after reboot.

  • 4 December 2016
  • 8 replies
  • 74 views

Userlevel 2
I keep getting a rootkit detected. 7 threats detected, and upon rebooting the rootkits reappear. Webroot doesn't seem to be cleaning up these threats permanently. Any help or further assistance?
 
I also tried sending Webroot a message, but the 'send submission' button takes me to the Webroot homepage. Not sure if the message went through or not, so I am posting here.
 
Here is the threat log:

Automated Cleanup Engine
Starting Cleanup at 13/11/2016 - 18:30:46 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_120926
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_120926
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_120926
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_120926
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_120926
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_120926
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_120926
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_120926
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_120926
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_120926
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_120926
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_120926
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_120926...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_120926
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_120926
Starting Routine> Removing threats - Please wait...#...
Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 18:52:26 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_443c3
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_443c3
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_443c3
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_443c3
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_443c3
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_443c3
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_443c3
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_443c3
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_443c3
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_443c3
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_443c3
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_443c3
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_443c3...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_443c3
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_443c3
Starting Routine> Removing threats - Please wait...#...
Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 18:56:40 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_4c961
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_4c961
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_4c961
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_4c961
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_4c961
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_4c961
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4c961
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4c961
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_4c961
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_4c961
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_4c961
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_4c961
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_4c961...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_4c961
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_4c961
Starting Routine> Removing threats - Please wait...#...
Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 19:08:24 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_49eac
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_49eac
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_49eac
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_49eac
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_49eac
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_49eac
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_49eac
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_49eac
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_49eac
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_49eac
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_49eac
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_49eac
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_49eac...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_49eac
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_49eac
Starting Routine> Removing threats - Please wait...#...
Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 19:12:19 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_4608d
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_4608d
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_4608d
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_4608d
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_4608d
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_4608d
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4608d
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4608d
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_4608d
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_4608d
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_4608d
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_4608d
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_4608d...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_4608d
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_4608d
Starting Routine> Removing c:\windows\sysnative\backgroundtaskhost.exe...#(PX5: AFC04E3A60F71B344DAB007B034E00006BCAC9E0 - MD5: 0601F285DCFF75E679BD91E39B6EBDBF)...
Deleting File> c:\windows\sysnative\backgroundtaskhost.exe
Starting Routine> Removing c:\windows\system32\backgroundtaskhost.exe...#(PX5: AFC04E3A60F71B344DAB007B034E00006BCAC9E0 - MD5: 0601F285DCFF75E679BD91E39B6EBDBF)...
Deleting File> c:\windows\system32\backgroundtaskhost.exe
Starting Routine> Removing c:\windows\winsxs\amd64_microsoft-windows-b..nfrastructurebghost_31bf3856ad364e35_10.0.14393.0_none_9e674bcd7fcd70e8\backgroundtaskhost.exe...#(PX5: AFC04E3A60F71B344DAB007B034E00006BCAC9E0 - MD5: 0601F285DCFF75E679BD91E39B6EBDBF)...
Deleting File> c:\windows\winsxs\amd64_microsoft-windows-b..nfrastructurebghost_31bf3856ad364e35_10.0.14393.0_none_9e674bcd7fcd70e8\backgroundtaskhost.exe
Starting Routine> Removing threats - Please wait...#...
Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 19:16:42 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_461f0
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_461f0
Starting Routine> Removing threats - Please wait...#...
Automated Cleanup Engine
Starting Cleanup at 04/12/2016 - 19:18:07 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_461f0
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_461f0
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_461f0...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_461f0
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_461f0
Starting Routine> Removing threats - Please wait...#...

/END Threat log
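Added example, not code from the original post, from Webroot or from the thread's participants: a read-only PowerShell check a practitioner would run on the affected machine before deciding what the entries in the log above are. Windows 10 version 1607 (build 10.0.14393, the build number that appears in the WinSxS path in the log) runs a family of per-user services whose registry keys are named `<template>_<hex>`, where the hex suffix is regenerated for each logon session; the seven base names in the log (CDPUserSvc, MessagingService, OneSyncSvc, PimIndexMaintenanceSvc, UnistoreSvc, UserDataSvc, WpnUserService) all belong to that family. The script reports, for each suffixed key, whether an unsuffixed template key exists, whether the Windows per-user service flags are set in its Type value, and whether the instance's ImagePath matches the template's; it then reports the signature state and MD5 of the backgroundtaskhost.exe copy in System32, compared against the MD5 Webroot printed. It assumes an elevated Windows PowerShell 5.1 session on the machine in question; the service names and the MD5 value are taken from the log, the flag values are the documented SERVICE_USER_SERVICE and SERVICE_USERSERVICE_INSTANCE bits, and the output is evidence for you or the Support Team, not a verdict: the script removes nothing.

```powershell
# Added example (not from the original post or from Webroot).
# Run in an elevated Windows PowerShell 5.1 session on the affected Windows 10 machine.
# Service base names and the MD5 below are taken from the threat log in the post.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$baseNames   = 'CDPUserSvc', 'MessagingService', 'OneSyncSvc',
               'PimIndexMaintenanceSvc', 'UnistoreSvc', 'UserDataSvc', 'WpnUserService'
$loggedMd5   = '0601F285DCFF75E679BD91E39B6EBDBF'   # MD5 Webroot reported for backgroundtaskhost.exe

# Service Type bits used by Windows per-user services (winsvc.h):
$SERVICE_USER_SERVICE         = 0x40   # set on the template key, e.g. CDPUserSvc
$SERVICE_USERSERVICE_INSTANCE = 0x80   # set on per-logon instances, e.g. CDPUserSvc_461f0

function Get-PerUserServiceReport {
    foreach ($name in $baseNames) {
        $template = Get-ItemProperty -Path (Join-Path $servicesKey $name) -ErrorAction SilentlyContinue
        $templateIsUserService = ($null -ne $template) -and
                                 (($template.Type -band $SERVICE_USER_SERVICE) -ne 0)

        # Instances are named <template>_<hex>; the suffix changes every logon session,
        # which is consistent with a different suffix appearing after each reboot in the log.
        $pattern   = '^{0}_[0-9a-f]+$' -f [regex]::Escape($name)
        $instances = Get-ChildItem -Path $servicesKey | Where-Object { $_.PSChildName -match $pattern }

        if (-not $instances) {
            [pscustomobject]@{
                Key = $name; Kind = 'template'; Instance = $null
                TemplateIsUserService = $templateIsUserService
                InstanceFlagSet = $null; ImagePathMatchesTemplate = $null
            }
            continue
        }
        foreach ($inst in $instances) {
            $p = Get-ItemProperty -Path $inst.PSPath
            [pscustomobject]@{
                Key                      = $name
                Kind                     = 'instance'
                Instance                 = $inst.PSChildName
                TemplateIsUserService    = $templateIsUserService
                InstanceFlagSet          = (($p.Type -band $SERVICE_USERSERVICE_INSTANCE) -ne 0)
                ImagePathMatchesTemplate = ($null -ne $template) -and ($p.ImagePath -eq $template.ImagePath)
            }
        }
    }
}

function Test-BackgroundTaskHost {
    $exe = Join-Path $env:SystemRoot 'System32\backgroundTaskHost.exe'
    if (-not (Test-Path -Path $exe)) {
        return [pscustomobject]@{
            File = $exe; Present = $false
            Note = 'missing: restore with "sfc /scannow" or "DISM /Online /Cleanup-Image /RestoreHealth" first'
        }
    }
    # Windows system binaries are normally catalog-signed rather than carrying an embedded
    # signature; Get-AuthenticodeSignature consults the catalog on Windows 8 and later.
    $sig = Get-AuthenticodeSignature -FilePath $exe
    [pscustomobject]@{
        File           = $exe
        Present        = $true
        SignatureState = $sig.Status
        Signer         = $sig.SignerCertificate.Subject
        Md5MatchesLog  = ((Get-FileHash -Path $exe -Algorithm MD5).Hash -eq $loggedMd5)
    }
}

Get-PerUserServiceReport | Format-Table -AutoSize
Test-BackgroundTaskHost  | Format-List
```

Read the two tables together: a suffixed key whose template exists with the user-service bit set, whose own Type carries the instance bit, and whose ImagePath equals the template's is the shape Windows itself creates each logon; a suffixed key with no template, or with an ImagePath pointing somewhere other than the template's, is the shape worth escalating. For the executable, a Valid signature from the Microsoft Windows signer plus an MD5 equal to the one in the log tells the Support Team exactly which file Webroot acted on; a Missing result means the cleanup removed a system file that should be restored before anything else is done.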

Best answer by Baldrick 4 December 2016, 20:55


8 replies

Userlevel 7
Hi cmdkeen
 
In these circumstances I would Open a Support Ticket, providing the information that you have provided in the post so that the Support Team can investigate/help with the definitive removal of any remnants of the rootkit that persist.
 
I am afraid that I am at a loss to understand where the 'send submission' button is. Could you specify its location so that we can check out its functioning?
 
Regards, Baldrick
Userlevel 2
Hey Baldrick,
 
I meant the button called "Send to Webroot Support", my apologies. It's on the screen titled: Talk to Webroot support
Userlevel 2
I sent webroot a message but was unable to copy and paste my threat log so I pasted the thread link for them to check out the threat log here.
 
Thank you. I hope there is a fix for this! 
Userlevel 7
Hi cmdkeen
 
Including a link to the thread is even better. :D
 
With that information they should be able to sort you out.
 
Regards, Baldrick
Userlevel 7
@cmdkeen wrote:
Hey Baldrick,
 
I meant the button called "Send to Webroot Support", my apologies. It's on the screen titled: Talk to Webroot support
Apologies, but exactly where are you accessing "Talk to Webroot Support"...is this from within the WSA client or the Webroot site?
 
Regards, Baldrick
Userlevel 2
This is from the Webroot website.
( URL:  https://www.webrootanywhere.com/servicetalk.asp?source= )
 
I realise this only happens when going there and you are not prompted for an email address + password login.
Userlevel 7
Thanks, but when I click on that link I get into the ticketing system and it shows me the latest exchanges I have had with the Webroot Support Team...but I suppose that only happens if you have opened a ticket previously. If you are still having issues when using that link then I would report it to them whilst you are speaking with them in relation to the stubborn rootkit.
 
Baldrick
Userlevel 7
@cmdkeen wrote:
This is from the Webroot website.
( URL:  https://www.webrootanywhere.com/servicetalk.asp?source= )
 
I realise this only happens when going there and you are not prompted for an email address + password login.
You can always contact us by phone for immediate assistance: Support Number: 1-866-612-4227, M-F 7am-6pm MT
