Solved

False positive


Webroot Secure Anywhere v9.0.14.58 on a win10 desktop
 
Webroot Secure Anywhere reports 7 instances as rootkits. However when I restart my computer to finish cleaning they appear all over again. Please help.
 
System\CurrentControlSet\Services\CDPUserSvc_41236
System\CurrentControlSet\Services\MessagingService_41236
System\CurrentControlSet\Services\OneSyncSvc_41236
System\CurrentControlSet\Services\PimIndexMaintenanceSvc_41236
System\CurrentControlSet\Services\UnistoreSvc_41236
System\CurrentControlSet\Services\UserDataSvc_41236
System\CurrentControlSet\Services\WpnUserService_41236

Best answer by RetiredTripleHelix 5 January 2017, 22:08

Hello sanyos, Welcome to the Webroot Community Forum. :D
 
Please submit a Support Ticket or Contact Webroot Support to sort this problem. This service is FREE with a Paid Subscription.
Support Ticket System is Open 24/7
 
HTH,
Dave.;)
Hi sanyos,
 
Welcome to the Webroot Community.
 
Thanks very much for posting this. I had this same thing happen over the weekend to me. Same scenario, 7 rootkits, same files and location of files as you have posted. I had to reboot 6 times before Webroot was able to completely remove this. Scans with other AV scanners produced no reports of malware.
I would suggest that you submit a trouble ticket to Webroot Support. Perhaps they can whitelist these files. I am going to submit a ticket as well. Please post back when you hear from support.
 
Glad to know this wasn't an isolated incident. Hopefully support can determine the cause of this FP.
 
Thanks,
BD
@ wrote:
Same scenario, 7 rootkits, same files and location of files as you have posted. I had to reboot 6 times before Webroot was able to completely remove this.
It's not needed to remove.
 
1 - save a threat log | how to: http://live.webrootanywhere.com/content/843/Saving-Threat-Logs
 
2 - Find the [e] characters in the saved file,
for example:
[e] d:soft rashreg rashregx64full.exe [MD5: 2B3742E423AC0C5B7326E84B8FD58D72] [Flags: 40080100.6112] [Threat: W32.Trojan.GenKD]
 
3 - Send this string (or strings) and a description of the problem to support: https://www.webrootanywhere.com/servicewelcome.asp
@ wrote:
@ wrote:
Same scenario, 7 rootkits, same files and location of files as you have posted. I had to reboot 6 times before Webroot was able to completely remove this.
It's not needed to remove.
 
1 - save a threat log | how to: http://live.webrootanywhere.com/content/843/Saving-Threat-Logs
 
2 - Find the [e] characters in the saved file,
for example:
[e] d:soft rashreg rashregx64full.exe [MD5: 2B3742E423AC0C5B7326E84B8FD58D72] [Flags: 40080100.6112] [Threat: W32.Trojan.GenKD]
 
3 - Send this string (or strings) and a description of the problem to support: https://www.webrootanywhere.com/servicewelcome.asp
Thanks, Petr...
My threat log doesn't look like that, there are no MD5 hashes. Here is what I have.
 
Automated Cleanup Engine
Starting Cleanup at 31/12/2016 - 21:29:44 GMT
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_34955
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_34955
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_34955
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_34955
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_34955
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_34955
Starting Routine> Removing System\CurrentControlSet\Services\WpnUserService_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_34955
Starting Routine> Removing threats - Please wait...#...
 
This happened on 2 PCs running WSA, both WIN10 Pro. Freaked me out until I determined that it was a FP.
 
Will submit a ticket and see what the experts at Webroot have to say. ;)
 
BD
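Petr's step 2 above and BD's cleanup-engine log show two different shapes the same saved WSA threat log can take: scan-style lines that begin with [e] and carry an MD5, and "Deleting Registry Key>" lines that carry no hash at all. The PowerShell below is an added example, not from this thread and not Webroot's own tooling, that pulls both kinds of entry out of a saved log so they can be pasted into a support ticket. The function name Get-WsaThreatEntries is mine, the embedded sample log is constructed (placeholder path, the MD5 of an empty file, and the two service keys from BD's log), and the output file name is an assumption.

```powershell
# Added example (not from the thread): extract the entries Webroot support asks for
# from a saved WSA threat log. Handles both formats seen in this thread:
#   - scan-style lines:   [e] <path> [MD5: <hash>] [Flags: ...] [Threat: <name>]
#   - cleanup-engine lines: Deleting Registry Key> HKLM\...   (no hash available)

function Get-WsaThreatEntries {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines
    )

    $entries = foreach ($line in $LogLines) {
        # Scan format: file hit with MD5 and threat name
        if ($line -match '^\[e\]\s+(?<path>.+?)\s+\[MD5:\s*(?<md5>[0-9A-Fa-f]{32})\].*?\[Threat:\s*(?<threat>[^\]]+)\]') {
            [pscustomobject]@{
                Kind   = 'File'
                Target = $Matches.path
                MD5    = $Matches.md5.ToUpper()
                Threat = $Matches.threat
                Raw    = $line
            }
            continue
        }
        # Cleanup-engine format: registry key the engine tried to delete
        if ($line -match '^Deleting Registry Key>\s*(?<key>HKLM\\.+)$') {
            [pscustomobject]@{
                Kind   = 'RegistryKey'
                Target = $Matches.key.Trim()
                MD5    = ''
                Threat = ''
                Raw    = $line
            }
        }
    }

    # The cleanup engine logs each key twice per pass; keep one record per target
    $entries | Sort-Object Kind, Target -Unique
}

# Constructed sample log (not a real detection): one scan-style hit plus two
# cleanup-engine keys, each logged twice the way WSA does it.
$sampleLog = @'
[e] C:\Users\example\Downloads\sample.exe [MD5: D41D8CD98F00B204E9800998ECF8427E] [Flags: 40080100.6112] [Threat: W32.Trojan.GenKD]
Automated Cleanup Engine
Starting Routine> Removing System\CurrentControlSet\Services\CDPUserSvc_34955...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\CDPUserSvc_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_34955
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\WpnUserService_34955
'@ -split "`r?`n"

$hits = Get-WsaThreatEntries -LogLines $sampleLog
$hits | Format-Table Kind, Target, MD5, Threat -AutoSize

# Raw lines to paste into the ticket, exactly as they appear in the log (output path is an assumption)
$hits | ForEach-Object { $_.Raw } |
    Set-Content -Path "$env:USERPROFILE\Desktop\wsa-entries-for-support.txt"
```

To run it against a real log saved per Petr's step 1, replace the sample with `Get-WsaThreatEntries -LogLines (Get-Content "$env:USERPROFILE\Desktop\threatlog.txt")`; registry-key entries will have an empty MD5 column, which is expected, since there is no file for WSA to hash.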
 
 
When you get these types of detections (System\CurrentControlSet\Services), it means your heuristics are set above default, so in most cases you need to do a clean reinstall of WSA; then you can set your heuristics above default again. I had these detections many times because I run my heuristics at Maximum. http://live.webrootanywhere.com/content/680/Adjusting-Heuristics
 
Please follow the steps closely!
 
  • Make sure you have a copy of your 20 Character Alphanumeric Keycode! Example: SA69-AAAA-A783-DE78-XXXX
  • KEEP the computer online for Uninstall and Reinstall to make sure it works correctly
  • Download a Copy Here (Best Buy Geek Squad Subscription PC users click HERE) Let us know if it is the Mac version you need.
  • Uninstall WSA and Reboot
  • Install with the new installer, enter your Keycode and do NOT import any settings if offered by the installer as you can set it up as you like once it's done
  • Let it finish its install scan
  • Reboot once again
Please let us know if that resolves your issue?
 
Thanks,
 
Daniel 😉
Also, if you let WSA clean them up they will be detected again until a reinstall can be done, so you don't have to worry, as WSA doesn't really remove them.
 
Thanks,
 
Daniel ;)
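Daniel's point that the System\CurrentControlSet\Services detections above are a heuristics artefact can be checked on the machine itself. The PowerShell below is an added example, not Webroot's and not from anyone in this thread: it tests whether each detected <Name>_<suffix> key fits the Windows 10 per-user service pattern, where Windows creates one <Template>_<suffix> instance key per logon session and the template key (the name without the suffix) has the 0x40 per-user bit set in its Type value and a ServiceDll under System32. The function name Test-PerUserServiceInstance and the verdict wording are mine; a non-match does not prove malware, only that the key deserves a closer look.

```powershell
# Added example (not from the thread): check whether detected keys of the form
# HKLM\SYSTEM\CurrentControlSet\Services\<Name>_<suffix> are Windows 10 per-user
# service instances rather than something planted. Run on the affected machine.

$ServicesRoot       = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$PerUserServiceFlag = 0x40   # SERVICE_USER_SERVICE bit in a per-user template's Type value

function Test-PerUserServiceInstance {
    param([Parameter(Mandatory)] [string] $InstanceName)

    $result = [ordered]@{
        Instance      = $InstanceName
        Template      = $null
        TemplateFound = $false
        PerUserFlag   = $false
        ServiceDll    = $null
        DllInSystem32 = $false
        Verdict       = 'unknown'
    }

    # Instance names look like CDPUserSvc_41236: everything before the last '_' is the template
    $idx = $InstanceName.LastIndexOf('_')
    if ($idx -lt 1) {
        $result.Verdict = 'no per-user suffix: investigate'
        return [pscustomobject]$result
    }
    $template = $InstanceName.Substring(0, $idx)
    $result.Template = $template

    $templateKey = Join-Path $ServicesRoot $template
    if (-not (Test-Path $templateKey)) {
        $result.Verdict = 'template key missing: investigate'
        return [pscustomobject]$result
    }
    $result.TemplateFound = $true

    # Per-user templates carry the 0x40 bit in Type (0x50 own-process, 0x60 shared-process)
    $type = (Get-ItemProperty -Path $templateKey -Name Type -ErrorAction SilentlyContinue).Type
    $result.PerUserFlag = ($null -ne $type) -and (($type -band $PerUserServiceFlag) -ne 0)

    # These services are svchost-hosted; the code that actually runs is Parameters\ServiceDll
    $dll = (Get-ItemProperty -Path (Join-Path $templateKey 'Parameters') -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $result.ServiceDll    = $expanded
        $result.DllInSystem32 = $expanded.StartsWith("$env:SystemRoot\System32\", [StringComparison]::OrdinalIgnoreCase)
    }

    $result.Verdict = if ($result.PerUserFlag -and $result.DllInSystem32) {
        'per-user service instance (expected on Windows 10)'
    } else {
        'does not match per-user service pattern: investigate'
    }
    [pscustomobject]$result
}

# The seven names from this thread; substitute the suffix from your own detection
$detected = 'CDPUserSvc_41236', 'MessagingService_41236', 'OneSyncSvc_41236',
            'PimIndexMaintenanceSvc_41236', 'UnistoreSvc_41236', 'UserDataSvc_41236',
            'WpnUserService_41236'

$detected | ForEach-Object { Test-PerUserServiceInstance -InstanceName $_ } |
    Format-Table Instance, Template, PerUserFlag, DllInSystem32, Verdict -AutoSize

# The instance keys Windows currently has for two of those templates (suffix is per logon session)
Get-ChildItem $ServicesRoot |
    Where-Object { $_.PSChildName -match '^(CDPUserSvc|WpnUserService)_[0-9a-f]+$' } |
    Select-Object -ExpandProperty PSChildName
```

The check deliberately inspects the template rather than the detected instance: an instance key exists only for the life of the logon session that created it, and the next logon gets a fresh key with a different suffix, so the exact key named in an old detection is usually gone by the time anyone looks, while the template persists and is where a tampered ServiceDll would have to live.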
 

@ wrote:
When you get these types of detections (System\CurrentControlSet\Services), it means your heuristics are set above default, so in most cases you need to do a clean reinstall of WSA; then you can set your heuristics above default again. I had these detections many times because I run my heuristics at Maximum. http://live.webrootanywhere.com/content/680/Adjusting-Heuristics
 

Thanks for the info, Daniel. That makes sense. I do have my heuristics set to maximum, too. Will do a clean install and most likely just keep the default heuristics. 😉 I thought it was odd that the infected files never showed up in quarantine; now I know why.
 
BD
@ wrote:
@ wrote:
When you get these types of detections (System\CurrentControlSet\Services), it means your heuristics are set above default, so in most cases you need to do a clean reinstall of WSA; then you can set your heuristics above default again. I had these detections many times because I run my heuristics at Maximum. http://live.webrootanywhere.com/content/680/Adjusting-Heuristics
 

Thanks for the info, Daniel. That makes sense. I do have my heuristics set to maximum, too. Will do a clean install and most likely just keep the default heuristics. 😉 I thought it was odd that the infected files never showed up in quarantine; now I know why.
 
BD
Right, and you're welcome! 😉
What all of this means to me: I won't be renewing with Webroot next year. I've used Webroot for close to 15 years. This will be the last year. As a customer, we shouldn't have to go through any of the steps that you mention above, as in uninstalling and reinstalling. It's a problem with Webroot, not our computers or systems. Webroot needs to correct the issue.
wrote:
What all of this means to me: I won't be renewing with Webroot next year. I've used Webroot for close to 15 years. This will be the last year. As a customer, we shouldn't have to go through any of the steps that you mention above, as in uninstalling and reinstalling. It's a problem with Webroot, not our computers or systems. Webroot needs to correct the issue.
Are you having this detection (System\CurrentControlSet\Services)? As far as I know it's been fixed since this thread was last posted to in May 2017. If you like, submit a Support Ticket and ask them.
 
EDIT: It looks like the bug is back, as a couple of others are reporting the same, but don't worry, as WSA cannot remove these detections.
