Solved

What could cause the Caution.Rootkit virus to return a day later?


Userlevel 3
My only online activities were to check mail and google one topic, yet the Caution.Rootkit virus returned one day after removal.  Any ideas on how to permanently remove/prevent it from coming back?
 
Here is the log...
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_48db9a...#(PX5:  - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_48db9a
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_48db9a
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_48db9a...#(PX5:  - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_48db9a
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_48db9a
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_48db9a...#(PX5:  - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_48db9a
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_48db9a
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_48db9a...#(PX5:  - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_48db9a
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_48db9a
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_48db9a...#(PX5:  - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_48db9a
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_48db9a
Starting Routine> Removing threats - Please wait...#...

Best answer by RetiredTripleHelix 17 August 2017, 17:55


20 replies

Userlevel 7
Badge +62
Hello mikew
 
Welcome to the Webroot Community.
 
My Best advice would be to Submit a Support Ticket so that they can assist you with the information that you have provided. This is a free service with a Webroot subscription.
Userlevel 7
Hi mikew
 
Welcome to the Community Forums.
 
If I may add to what Sherry has very correctly advised...rootkits, by their nature (you can see the level to which the infection can and does often go down to) can be very hard to remove automatically due to how deeply they infect the target system.
 
Now, given that the Registry is a delicate thing, whilst automatic disinfection is tried it may sometimes not work successfully because of the possibility of further damaging the Registry, hence why the recommendation by Sherry is the best one...it has come back and so most likely needs manual clearing out of anything left over once the automatic process has been run again by Support.
 
Hope this further information is of assistance?
 
Regards, Baldrick
 
Userlevel 3
Hello everyone,
 
Support helped me resolve the issue... at least for two days.
 
There are several things that seem to be true:
 
1.  Something creates a duplicate registry entry for messagingservice (and four other registry entries).  I was told it is Windows Update doing it.  To verify, I checked and Windows 10 did check for updates a few minutes before the virus scan.
 
2.  Webroot reports a virus is found when there is more than one duplicate of the messagingservice registry entry.
 
3. Webroot claims it removes the offending registry entry, but it is sill there.  I have to manually remove the duplicate entry. 
 
4.  A rescan with Webroot tells me the offending entry is still there, even though I just manually removed it.
 
Any clues as to what is going on?  Support did say to remove these extra registry entries and reinstall the program to get a clean WRData folder, but I don't want to have to do this every other day.
 
Thanks,
Mike
Userlevel 7
Hi mikew
 
I would follow Support's advice and give that a go...to see if it definitively resolves the issues. If it reoccurs even after that then you should contact Support to let them know so that they can rethink the advice/what you should do.
 
Let us know what you decide and what the result is.
 
Regards, Baldrick
Userlevel 3
Thanks, Baldrick.
 
I did follow Support's advice, even allowed remote access, but the problem keeps coming back.  I contacted Support again.
 
The confusing part is I scanned with online scanners from Kaspersky, F-Secure, and BitDefender, and none of them found a virus.  Online scanners may not be that good, though.
 
I just really need to know if this is a virus.
Userlevel 7
Well, I am not really sure what to suggest in the circumstances. I will have a think and if I come up with anything I will let you know.
Userlevel 3
An update for all,
 
Support had me reinstall WRSA again.  I assume that is because the WRData folder remembers the virus pattern from the false positive it found before, but just guessing.
 
Support told me to not remove those extra registry keys that they themselves said were the cause of the problem, and they removed while I watched.  Confusing.
 
Support also told me to not use Maximum Heuristics with Windows 10.  Apparently, they don't play well together.
 
I did notice one other thing.  When it found what it thought was a virus, Notifications was in Quiet Hours mode.  It appears that Quiet Hours seems to turn itself on and off at will.  I never touch it.  Is that the issue?
 
Still unsure if there is a hidden virus everyone is missing or not.  Trying to help, but losing confidence in the program.
 
Thanks,
mikew
Userlevel 7
Hi mikew
 
Not sure what you mean by way of "Quiet Hours" mode?
 
Plus I believe that there may be other 'residue' left over when WSA is uninstalled and so am looking to see if there may be something therein that is affecting your system.
 
Regards, Baldrick
Userlevel 3
Hello Baldrick,
 
If you have Windows 10, there is a little outlined Notifications box on the bottom right in the taskbar.  It normally looks like this:
 


 
You can tell Notifications not to bother you by right-clicking on it and selecting "Turn on quiet hours".
 


 
Apparently, it can turn itself on and off randomly.
 
Support has told me the issue with the false positives is related to using Maximum Heuristics in Windows 10.  I assumed using it would also give maximum protection, but it must cause an issue.
 
I'll keep researching this, too.
 
Thanks,
mikew
 
 
Userlevel 7
Hi mikew
 
Thanks for the information on 'Quiet Hours'...I thought that you were referring to something in WSA that I was not aware of...but as it turns out I was not aware of it in Windows 10...so something new learned...:D
 
I will have to try it out.
 
Regards, Baldrick
Userlevel 7
Badge +56
@ wrote:
My only online activities were to check mail and google one topic, yet the Caution.Rootkit virus returned one day after removal. Any ideas on how to permanently remove/prevent it from coming back?

Here is the log...
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_48db9a
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_48db9a
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_48db9a
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_48db9a
Starting Routine> Removing System\CurrentControlSet\Services\PimIndexMaintenanceSvc_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_48db9a
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_48db9a
Starting Routine> Removing System\CurrentControlSet\Services\UnistoreSvc_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_48db9a
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UnistoreSvc_48db9a
Starting Routine> Removing System\CurrentControlSet\Services\UserDataSvc_48db9a...#(PX5: - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_48db9a
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\UserDataSvc_48db9a
Starting Routine> Removing threats - Please wait...#...

@ for CurrentControlSet detections like this it's recommended to do a clean reinstall of WSA as those shouldn't be detected, as I came across this issue a few times and this is the fix for this! Also WSA can't remove them, so that's the reason they keep showing up, but a clean reinstall will solve this. @ @ @ @

Please follow the steps closely!

  • Make sure you have a copy of your 20 Character Alphanumeric Keycode! Example: SA69-AAAA-A783-DE78-XXXX
  • KEEP the computer online for Uninstall and Reinstall to make sure it works correctly
  • Download a Copy Here (Best Buy Subscription PC users click HERE) Let us know if it is the Mac version you need.
  • Uninstall WSA and Reboot
  • Install with the new installer, enter your Keycode and don't import any settings if asked to as you can set it up as you like once it's done
  • Let it finish its install scan
  • Reboot once again
Please let us know if that resolves your issue?

Thanks,

Daniel 😉
Userlevel 7
Badge +62
Thanks for the heads up Daniel! :D
Userlevel 3
Yes, thank you Daniel.
 
That is what Support told me to do, and also to not use Maximum Heuristics.
 
I am still curious as to what is causing all those registry key duplicates to be created?  I had 10 duplicates of MessagingService, and a friend says she has 3 duplicates.  I found someone in a google search complaining he had 4,000 duplicates.  But, not a concern for this forum as long as they are safe duplicates.
 
mikew
Userlevel 7
Badge +56
@ wrote:
Yes, thank you Daniel.
 
That is what Support told me to do, and also to not use Maximum Heuristics.
 
I am still curious as to what is causing all those registry key duplicates to be created?  I had 10 duplicates of MessagingService, and a friend says she has 3 duplicates.  I found someone in a google search complaining he had 4,000 duplicates.  But, not a concern for this forum as long as they are safe duplicates.
 
mikew
You can use Maximum Heuristics as I always do but if you come across this issue again just post back to let us know and go back to:
 


 
They are not duplicates as they shouldn't be detected by WSA and even WSA will not even remove those detections but we will keep an eye on it as I haven't seen it for quite awhile.
 
Thanks,
 
Daniel 😉
Userlevel 3
Hi Daniel,
 
That is interesting.  To quote Support from two days ago:
 
Hello,

We do not recommend configuring Webroot to have maximum heuristics on Windows 10.

Can you uninstall and reinstall with the mentioned steps before?

The registry keys do not need to be removed, please do not enable maximum heuristics.

Regards,
Webroot Advanced Malware Removal Team
 
I was seeing 11 extra registry keys created by something.
 


They each had a different hex number to identify them.  Who or what created them, I don't know, but WRSA was thinking they were threats only when I used max heuristics.  Maybe they are not copies, but other instances of some program using the dll.
 
The first step Support did was to delete all but the original unnumbered key.
 
I was just upgraded automatically to version 9.0.10.17 today.  Maybe that fixed the issue.
 
Thanks,
mikew
 
 
Userlevel 7
Badge +56
Hi Mike,
 
Yes support would suggest that but I have been using Max Heuristics on all versions of Windows since early 2011 for the release of WSA 2012, and continue to Beta Test even on Windows 10 and its Previews but if you have an issue just go back to http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C13_Settings/CH13d_AdjustingHeuristics.htm
 
"Default; recommended setting."
"Enable enhanced heuristics based on the behavior, origin, age, and popularity of files"
 
But feel free to do what you like! Also if you want a Security Check just Submit a Support Ticket and ask them about those extra Reg Keys as you say and they will let you know!

 
Cheers,
 
Daniel 😉
Userlevel 7
Badge +56
I just got the same detections from one of my Win 10 Pro x86 VMs at Max Heuristics so I set it back to default Heuristics and all is fine!
 
Daniel ;)
 
Some legitimate files are not included in this log
[r] System\CurrentControlSet\Services\MessagingService_373f8
[r] SYSTEM\ControlSet001\Services\MessagingService_373f8\ImagePath
[r] System\CurrentControlSet\Services\OneSyncSvc_373f8
[r] SYSTEM\ControlSet001\Services\OneSyncSvc_373f8\ImagePath
[r] System\CurrentControlSet\Services\PimIndexMaintenanceSvc_373f8
[r] SYSTEM\ControlSet001\Services\PimIndexMaintenanceSvc_373f8\ImagePath
[r] System\CurrentControlSet\Services\UnistoreSvc_373f8
[r] SYSTEM\ControlSet001\Services\UnistoreSvc_373f8\ImagePath
[r] System\CurrentControlSet\Services\UserDataSvc_373f8
[r] SYSTEM\ControlSet001\Services\UserDataSvc_373f8\ImagePath
 

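As an added example (not code from the thread, from Webroot, or from either poster), a small Python parser for the two log formats posted above by mikew and Daniel: it groups each detection by base service name and `_<hex>` suffix, counts how many distinct suffixed instances the log names (the "duplicates" mikew was counting), and flags detections whose MD5 field is empty, i.e. hits on a registry key with no associated file, which is the kind of detection Daniel says WSA cannot remove. The backslashes in the sample paths are assumed; the forum rendering dropped them.

```python
import re
from collections import defaultdict

# Constructed sample in the two log formats quoted in this thread; backslashes
# are assumed (the forum rendering dropped them), suffixes are the ones posted.
SAMPLE_LOG = r"""
Starting Routine> Removing System\CurrentControlSet\Services\MessagingService_48db9a...#(PX5:  - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_48db9a
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\MessagingService_48db9a
Starting Routine> Removing System\CurrentControlSet\Services\OneSyncSvc_48db9a...#(PX5:  - MD5: )...
Deleting Registry Key> HKLM\System\CurrentControlSet\Services\OneSyncSvc_48db9a
[r] System\CurrentControlSet\Services\MessagingService_373f8
[r] SYSTEM\ControlSet001\Services\MessagingService_373f8\ImagePath
Starting Routine> Removing threats - Please wait...#...
"""

# A Services\<Base>_<hex> key anywhere in the line; the optional trailing
# value name covers the "[r] ...\ImagePath" lines.
KEY_RE = re.compile(
    r"Services\\(?P<base>[A-Za-z0-9]+)_(?P<suffix>[0-9a-fA-F]+)(?:\\(?P<value>\w+))?")
# The "Starting Routine" header carries PX5/MD5 fields; an empty MD5 means
# no file was tied to the detection, i.e. it is a registry-key-only hit.
MD5_RE = re.compile(r"MD5:\s*(?P<md5>[0-9a-fA-F]{32})?\s*\)")


def parse_webroot_log(text):
    """Return {base_service: {suffix: {"lines": n, "has_file_hash": bool}}}."""
    summary = defaultdict(dict)
    for line in text.splitlines():
        m = KEY_RE.search(line)
        if not m:
            continue
        inst = summary[m["base"]].setdefault(
            m["suffix"].lower(), {"lines": 0, "has_file_hash": False})
        inst["lines"] += 1
        h = MD5_RE.search(line)
        if h and h["md5"]:
            inst["has_file_hash"] = True
    return dict(summary)


def instance_counts(summary):
    """How many distinct _<hex> instances of each base service the log names."""
    return {base: len(insts) for base, insts in summary.items()}


def registry_only_detections(summary):
    """Base services detected purely by registry key, with no file hash at all."""
    return sorted(base for base, insts in summary.items()
                  if not any(i["has_file_hash"] for i in insts.values()))
```

Run `registry_only_detections(parse_webroot_log(open("WRSA.log").read()))` against a real log to see which detections never referenced a file; a base service appearing there with many distinct suffixes is the pattern this thread describes, and the one to raise with Support rather than delete by hand.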
Userlevel 3
Hi Daniel,
 
I guess it's good to know I am not alone in seeing this apparent false detection.  I did ask the Support team what caused this, and they believed it was related to Windows updates.
 
Thanks,
mikew
So I have this according to WEBROOT. It found the virus and removed it. OK, it did not remove it and I am not able to access anything. It is part of the ransomware HD@aolonline. This is a nasty piece of something. It removed anything I can try to do to get the REG or control panel ETC....
Userlevel 7
Badge +56
@ wrote:
So I have this according to WEBROOT. It found the virus and removed it. OK, it did not remove it and I am not able to access anything. It is part of the ransomware HD@aolonline. This is a nasty piece of something. It removed anything I can try to do to get the REG or control panel ETC....
Hello,
 
Please contact Webroot support and they will help you with your issues!
 
Thanks,
 
Daniel ;)
 
Technical Support
Submit a Support Ticket
or Call 1-866-612-4227
