Webroot Removal Tool - Anyone have a tool or script for it?

YeOldeStonecat

Well-Known Member
Reaction score
6,286
Location
Southeast Connecticut
So taking over a client from another IT company, they used CentraStage for their RMM.
They have Webroot SecureAnywhere installed on all the rigs.

Thursday night I asked the prior tech to uninstall Webroot....and I'd get our N-Able AV-Defender pushed out after that. Already got my agents pushed out from the server, N-Ables Bitdefender has a lot of built in competitor removal/registry removal scripts built in....but apparently not for webroot...as each workstations gives an error about current antivirus install needing removal...and won't install AV-D.

Apparently CentraStages own removal process won't pull it either.

On Webroots website, I found one cleanup tool..but it appears only for older versions, and running it doesn't remove what is installed....have tried it.

The tech sent me this...I've tried it but WR tends to reinstall after the first reboot, I find it still running in the systray after that first reboot, and the registry entries are back.

Reaching out to you guys...especially if there are any CentraStage users here...to see if you have any removal tools or better steps than below.

*********************************************************************
Run regedit.exe:

Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete WRSVC
Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WRUNINST
Delete HKLM\SOFTWARE\WRData
Delete HKLM\SYSTEM\ControlSet001\services\WRSVC
Delete HKLM\SYSTEM\ControlSet002\services\WRSVC
Delete HKLM\SYSTEM\CurrentControlSet\services\WRSVC


From the command prompt:

sc.exe \\%hostname% delete WRSVC


Reboot the desktop


After the reboot, log in and:

Webroot should not be in the system tray.

Delete C:\ProgramData\WRData
Delete C:\Program Files\Webroot
Delete C:\Program Files (x86)\Webroot
*********************************************
 
I know with N-Able, we have maintenance windows which ensure apps (like AV-D and patch manager) are installed on clients rigs....if a client removes them, it shoves them back in. I asked the tech to double check that....he said that once the workstations are removed from their Webroot control panel, it should not do that. Myself not knowing CentraStage at all....just wondering if any CS users here know that he is being accurate, or perhaps forgetting a setting or not knowing about some other enforcement setting.
 
Before trying to uninstall or run the removal tool have you tried deactivating the computer in the MyWebroot Account Console?

Go to the PC Security tab.
Click on the computer if it is listed.
Go to the Advanced Options tab.
Click Deactivate Computer.

After you Deactivate the the computer then reboot, it is supposed to send an uninstall code to remove Webroot SecureAnywhere.

Found this pic of the Advanced Options tab online:
large



Also can they not use a third party uninstaller like Revo Uninstaller or GeekUninstaller to remove everything Webroot SecureAnywhere related?
 
I had a consumer machine like this. I ended up having to boot to parted magic, delete the web root folder out of program files, then disable it's startup entries. Not a clean way but effective.
 
A program known as AppRemover will do it, but here's the hitch: they were bought by a company known as Gears. The AppRemover product will still work, but you can't automate it -- unless you buy the pro version. I think your current script should work, but if you'd like to explore AppRemover/Gears: http://www.appremover.com/
 
Must be 6/7 months since I had to remove Webroot, if I remember correctly I had to search for WRSVC & Webroot in the Registry to remove it. There were other names to search for, can't remember them now but I got clues from the webroot entries. It never came back.

It might be worth running Eset AV Remover also, it's part of Windows Repair Toolbox.

NB: This was on a residential machine.
 
Last edited:
Are these two files getting uninstalled:

1. C:\Windows\System32\Drivers\WRKrn.sys
This is the driver that does all the file filtering, system monitoring, etc.

2. C:\Windows\System32\WRusr.dll or C:\Windows\SysWow64\WRusr.dll
This loads for user mode analysis. It's responsible for WRSA running as a user mode service. WRSA will be loaded equally proportionately to the number of user profiles that are loaded because of this file.


Also I didn't see these two listed in your post above:

1. C:\Users\*User Account Name*\AppData\Local\Webroot
Backup & Sync

2. C:\Users\*User Account Name*\AppData\Roaming\Mozilla\Firefox\Profiles\*Your Profile*\extensions\{8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda}
Firefox toolbar


Has he tried uninstalling WRSA in safe mode withOUT networking?

Have you tried using Process Explorer to suspend and/or kill WRSA?

Have you used Autoruns to see if WRSA is re-loading anywhere else?

Have you tried running RKILL before uninstalling WRSA?
 
Went onsite today, yeah safe mode, logging in as local admin, bang the registry, bounce into safe mode again, bounce...then run a WMI cleanup tool that N-Able has to get the WMI entries out....BitDefender still detects stuff and doesn't like to install via the "cleanup/remove" push install. It however install with "no removal" option selected. But I don't like that.

Turned into a pissing contest with the outgoing IT people today...what a tennis match of e-mails. It's only professional if you're the exiting IT people to remove all of your RMM tools and services, clean it all up. Their contract ends July 31...and they're saying they're going to charge the client for removing their stuff. LOL.
 
  • Like
Reactions: CLC
I know this is late but all the previous IT company had to do was trigger an uninstall from their Webroot console then deactivate in the console. Deactivate does not uninstall. It simply makes it not count against a license in the console. Strange but true. There is currently no integration between Centrastage and Webroot. It's coming but as of now Webroot is managed separately.
 
I know this thread is a bit old, but I just wasted an hour trying to get rid of SecureAnywhere. I too took over an account, and the previous company was completely unresponsive. I found the solution:
-- Boot into Safe Mode (w/ Networking is ok).
-- Open admin cmd.
-- "C:\Program Files (x86)\Webroot\WRSA.exe" -uninstall

You have to be in safe mode for that to work - executing from normal mode results in a message stating that "SecureAnywhere is currently managed by the web console."

Hope this helps someone else! What a frustrating situation...
 
Serious thread necro, but I felt having an actual support response on this topic may help someone:

Hello,

Thank you for contacting Webroot Business Support.

Unfortunately, we don't have an uninstall utility.

There are two ways to uninstall the Endpoint agent.

-- Option 1: Uninstall from the console using Agent Commands --

1. Sign into your Webroot console.
2. Select the Group Management tab followed by the endpoint(S) you'd like to uninstall
3. Open the Agent Commands menu and select Agent > Uninstall

As you said this will be executed with the next polling interval. However, if you would like to expedite the process, go to the machine locally and right click on the Webroot system tray icon. Select "Refresh Configuration" and click "OK". This will force a polling interval

** Note: by selecting Uninstall, the SecureAnywhere agent will be removed; however the listing for the workstation will remain. We recommend you create a group called "Uninstalled Clients" into which these can be moved. If you prefer to completely remove a listing, you can select the red "Do not enter" button for "Deactivate." This endpoint will no longer check in with your console unless you request we reactivate it in the cloud.

-- Option 2: Uninstall on the endpoint in Safe Mode with Networking --

***For instructions on starting in Safe Mode with Networking click here.***

1. After Booting into SafeMode with Networking, open the Command Prompt.
2. Type in "C:\Program Files\Webroot\WRSA.exe" -uninstall

***(You may need to adjust the file path if you've changed the install directory)***

3. Enter in the CAPTCHA puzzle.
4. Reboot into normal Windows mode and test.

Let us know if we can assist further.

Regards,
Josko
Webroot Business Support

Oh, and if anyone runs into an MSP that wants to charge to remove their junk, tell them they can pound sand. Because removing Webroot from a client is a simple matter of ticking the select all box, and clicking deactivate.
 
Last edited:
i know this is an old post but just thought id share my recent experience and how i got it to remove. I took over this new client 14 workstations, 2 servers. They all on Webroot and ScreenConnect....which i also use same solution lol - anyways the previous IT didnt remove any of their apps so i easily uninstalled Screen Connect and then installed my version. Webroot however didnt play nice but what did work in the end was Screen Connects Backstage - i went in there and navigated to the webroot folder - entered the WRSA.exe - uninstall and it removed straight away
 
Back
Top