Obsolete entries in registry - malware?


6 replies to this topic

#1 swedex

  • Members
  • 4 posts

Posted 15 January 2018 - 12:23 PM

I have NO Kaspersky software installed on this machine, never had. However, I used their ONLINE SCANNER once a while ago, and have been experiencing an array of problems ever since. Most noticeable is a significant drop in transfer speed, unexpected delays, 5-10 second long "black-outs" where the computer refuses to take input of any kind (including CTRL-ALT-DEL), and more. I therefore have good reason to suspect a malware infection of some kind. All security software running on this machine, as well as Windows Update, is up to date.

What I tried: full scan (both in Failsafe mode and in Windows) with everything I've got - Malwarebytes Premium, Zone Alarm ES, HitmanPro, Win Defender and Eset (online scanner), and they all came up clean, as usual. Next I checked the registry and found tons of Kaspersky related entries under HKLM, but most of them are impossible to remove/edit! (I am reluctant to use external registry editors.) Also - the files that some of these entries refer to are not present/visible on this system (KL1.inf, KLHK.inf, KLIF.inf, KLTDI.inf, KNEPS.inf, and a few more), not even with an extensive search for hidden files in Failsafe Mode. I suspect that they are produced dynamically while the unknown software is running and then disappear.

There is also an uninvited, and checked, "Kaspersky Anti-Virus NDIS 6 Filter" installed as a service in the network connection settings. Unchecking it results in a warning about a BSOD and potentially "catastrophic consequences". Indeed, when I unchecked it and tried to reboot, the computer stopped responding and power-off was the only remaining option. However, the next time the computer started as usual and is seemingly back to "normal" - including the problems mentioned above. Whether checked or unchecked, choosing the available Uninstall button below it results in a message telling me that I first need to terminate "KAVDSK 8 Level 3 for Windows". There is no such service running, but KAVDSK appeared as an argument in the registry, so I removed it pronto. A new uninstall attempt results in the same message, but NO mention of KAVDSK this time! The name space is left empty...

To make things more complicated - there are TWO computers connected to this small home LAN; both have similar suspect Kaspersky entries in the registry, but only one has the "Kaspersky Anti-Virus NDIS 6 Filter" service present in its network properties. The OSes are legal retail Swedish Win7/64 on both, but reinstalling Windows is not an option at this time. An installable DVD is available, however.

Would greatly appreciate any advice. Thanks!


Edited by hamluis, 15 January 2018 - 03:47 PM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 JohnC_21

  • Members
  • 23,264 posts

Posted 15 January 2018 - 12:31 PM

Download and run Autoruns. Does it find KAVDSK 8 when you do a search? If it does, uncheck the box next to the entry. Reboot. After uninstalling in the Connection Settings you can go back and delete the entry by highlighting it and clicking the red X.

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns



#3 swedex
  • Topic Starter

  • Members
  • 4 posts

Posted 16 January 2018 - 06:35 AM

Thank you, John! I have Autoruns and I did check for KAVDSK before. No such service or other kind of reference to it, except for the line that I've already removed in the registry.

Since then I managed to also delete some other Kaspersky AV related files and registry entries (in Failsafe mode), but to no avail - still unable to uninstall the Kaspersky AV filter in the network settings, and still experiencing the problems I mentioned before. Oddly enough, the CTRL-ALT-DEL combination is no longer necessary before entering the Windows logon password. Yes, I know it's an optional setting, but it shows that some of these "obsolete" Kaspersky AV files/settings still have a deep impact on the system! It bothers me a lot!



#4 JohnC_21

  • Members
  • 23,264 posts

Posted 16 January 2018 - 08:30 AM

I don't know if you will have any luck using it, but Kaspersky has a Removal Tool for their products.

https://support.kaspersky.com/common/service.aspx?el=1464



#5 swedex
  • Topic Starter

  • Members
  • 4 posts

Posted 16 January 2018 - 03:31 PM

John, I really appreciate that you're trying to help - thank you!

I've never (knowingly) installed any Kaspersky software, so there shouldn't be anything to remove. In case there is, it's the result of a sneaky, treacherous action, in which case it is unlikely that Kaspersky Labs made a removal tool for it, right...? It's like letting the fox guard the chickens... Just like you - I doubt it would help.



#6 JohnC_21

  • Members
  • 23,264 posts

Posted 16 January 2018 - 03:53 PM

The Removal Tool may not work after all. This person tried to remove the NDIS filter and the tool could not find Kaspersky.

https://forum.kaspersky.com/index.php?/topic/79743-how-to-uninstall-kaspersky-anti-virus-ndis-6-filter/

Using Autoruns, is there a KNDIS.sys driver?


Edited by JohnC_21, 16 January 2018 - 04:01 PM.
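
The two checks JohnC_21 suggests (search Autoruns for the KAVDSK entry in #2, look for a KNDIS.sys driver in #6) can be done from a script, which also answers the question the thread keeps circling: is each leftover an orphaned registry key whose file no longer exists, or a driver the kernel has actually loaded? The following is an added example written for this page, not code from the thread, from Kaspersky or from BleepingComputer. It is read-only. The service names it searches for are the ones quoted in the thread; the registry locations, the NetService class GUID for NDIS filters, and the netcfg output format are my assumptions about where Windows 7 keeps these registrations, not facts the thread states.

```powershell
# Added example, not code from the thread. Read-only inventory of Kaspersky-related
# driver/service registrations and NDIS filter components on Windows 7, for
# comparison with what Autoruns shows. Run from an elevated PowerShell prompt.
# Written against PowerShell 2.0 (Windows 7 default), hence New-Object PSObject
# instead of [pscustomobject]. It changes nothing on the system.

# Service/driver names quoted in the thread, with a trailing wildcard for variants.
$namePatterns = 'KAVDSK*', 'KLIF*', 'KLTDI*', 'KL1*', 'KNEPS*', 'KLHK*', 'KNDIS*'

function Resolve-ImagePath([string]$imagePath) {
    # Driver ImagePath values come in several shapes (assumed common forms):
    #   system32\DRIVERS\x.sys    \SystemRoot\system32\drivers\x.sys    \??\C:\dir\x.sys
    if (-not $imagePath) { return $null }
    $p = $imagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

# What the kernel actually has loaded, so an orphaned registry key (file gone,
# never started) can be told apart from a driver that is really active.
$driverState = @{}
Get-WmiObject Win32_SystemDriver | ForEach-Object { $driverState[$_.Name.ToLower()] = $_.State }

$report = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $name  = $_.PSChildName
    $props = Get-ItemProperty $_.PSPath
    $hit = ($namePatterns | Where-Object { $name -like $_ }) -or ($props.DisplayName -like '*Kaspersky*')
    if (-not $hit) { return }   # inside ForEach-Object, 'return' moves on to the next key

    $file   = Resolve-ImagePath $props.ImagePath
    $exists = ($file -ne $null) -and (Test-Path -LiteralPath $file)

    # Authenticode check only makes sense when the binary is actually on disk.
    $sigStatus = 'n/a'; $signer = 'n/a'
    if ($exists) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    $state = 'not loaded'
    if ($driverState.ContainsKey($name.ToLower())) { $state = $driverState[$name.ToLower()] }
    $start = '?'
    if ($props.Start -ne $null) { $start = $startNames[[int]$props.Start] }

    New-Object PSObject -Property @{
        Service     = $name
        DisplayName = $props.DisplayName
        Start       = $start
        State       = $state
        FileExists  = $exists
        SigStatus   = $sigStatus
        Signer      = $signer
        ImagePath   = $props.ImagePath
    }
}

# NDIS filters are NetService-class components (assumed class GUID below); the
# DriverDesc value is the text shown in the adapter's Properties dialog, e.g.
# "Kaspersky Anti-Virus NDIS 6 Filter". The "Properties" subkey is SYSTEM-only,
# so access errors there are silenced.
$netServiceClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E974-E325-11CE-BFC1-08002BE10318}'
$filters = Get-ChildItem $netServiceClass -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ($p -and ($p.DriverDesc -like '*Kaspersky*')) {
        New-Object PSObject -Property @{
            Instance    = $_.PSChildName
            Description = $p.DriverDesc
            ComponentId = $p.ComponentId
            InfPath     = $p.InfPath
        }
    }
}

'== Kaspersky-related service/driver keys =='
$report  | Format-Table Service, Start, State, FileExists, SigStatus, ImagePath -AutoSize
'== NDIS filter components (NetService class) =='
$filters | Format-Table Description, ComponentId, InfPath -AutoSize
'== netcfg view of installed network components =='
# Assumed: netcfg -s n prints one line per component with its id and description.
netcfg.exe -s n | Select-String -Pattern 'Kaspersky'
```

Reading the output: a row with FileExists False and State "not loaded" is a dead registration (the KL*.inf situation from the first post), and deleting that key only removes clutter; a row with State "Running", an existing file and a Kaspersky signer is a live kernel driver (the KLIF case in #7), and that is the one whose Start value and NDIS binding matter. The ComponentId from the second table is what `netcfg.exe -u <ComponentId>` uninstalls, the command-line equivalent of the Uninstall button in the adapter properties; the thread did not try this, and it will presumably fail with the same "terminate KAVDSK 8 Level 3" dependency message until the service it refers to is gone.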


#7 swedex
  • Topic Starter

  • Members
  • 4 posts

Posted 16 January 2018 - 07:13 PM

The Kaspersky Forum discussion you refer to is from 2008, 10 years old. Drivers and services had other names back then. But I checked - no KNDIS driver anywhere. There is however a "KLIF" driver present in my system, a stubborn son of a b**ch that I can't get rid of...

Well, I did download the Kaspersky remover after all (not from the link you provided though, but from the Downloads area here on BC) and ran it on one of the affected machines. Completely useless! You need to know exactly which program, version and variant of the software you want to uninstall, and choose from a long list. Since I don't have a clue about the origin of these "remnants", nor time to boot to safe mode, run the remover, reboot to Windows, see if it succeeded, and then start all over again, I'll just try to mess things up for these bloody files and settings as much as I can so they - hopefully - won't be able to run!

Any software that is *SO* keen to remain on an "abandoned" system and is making itself impossible to remove MUST have evil intentions - regardless of the fact that security programs accept its presence! Obviously, we have to live with a certain insecurity, but then I prefer to be insecure towards the NSA rather than the FSB... :o<  No more Kaspersky stuff for me, thank you!

