Kaspersky free unable to remove a rootkit

  • 6 June 2019
  • 6 replies
  • 2719 views

Hi everyone

I am using Windows 7 and I noticed a month ago that the system is out of date and the system time is also wrong. I was using Avast with Malwarebytes. Sometimes I found the antivirus protection disabled. I was suspicious about all of this, but Avast and Malwarebytes were unable to detect anything.
So I erased my system and installed Win7 again (my hard disk was divided into three partitions; I only erased the system partition).

But the problem persisted! So I installed Kaspersky Free, and one day it detected a rootkit and said "object not disinfected". I can also see in the detailed reports section that the rootkit scan was canceled!!
Today I found Kaspersky disabled. I tried TDSSKiller, but it was unable to find anything.
I think I am in big trouble with this rootkit and I need your help, people.

Thanks for any proposal.

6 replies

Userlevel 7
Badge +4
Welcome. There are two courses of action. One is to post your GetSystemInfo report and full detection report here, so forum users can help, and the other is to Contact Tech Support.

1. Please post your GetSystemInfo report link, instructions: https://support.kaspersky.com/common/diagnostics/3632
Please upload the GetSystemInfo zip folder that is inside the larger GSI zip to the GSI parser site http://www.getsysteminfo.com/ and post the url to the parsed report here, in your next post.

Please post the full, complete detection details. Full file name, full path, full location, detection verdict. Post screenshot of Reports > Detailed reports > Detected objects.

2. Please contact Tech Support: https://my.kaspersky.com/support/

Please attach the following items to your Tech Support request:

a. Description of the issue.
b. Screenshot, as needed.
c. GSI
Thank you for answering.

Here is the URL of the GSI parsed report:
GSI parser report

I will attach the detailed report of the rootkit scan when Kaspersky detected a threat and did not achieve disinfection.
report1
report2

Thank you for your help.
Userlevel 3
I would suggest using an "offline scanner" as often rootkits are able to hide in Windows processes.
Link to Kaspersky Rescue Disk:
https://support.kaspersky.com/14226
Userlevel 4
Badge +3
Hey KimiKimi,
welcome to the family of Kaspersky!😉

What is a rootkit?

I don't know if you're directly interested in what a rootkit is, but I'm sure it's interesting for many others. Therefore, here is a short overview in (hopefully) easy-to-understand language.

First of all, you have to distinguish the type of rootkit; there are six basic types:
  • User-mode rootkits / application rootkits,
  • Kernel-mode rootkits,
  • Memory-based rootkits,
  • Hypervisor rootkits,
  • Bootkits and
  • Hardware / firmware rootkits.
Rootkits are, in my opinion, one of the most disgusting types of malware you can ever get. This is because of the way they work.

User-mode rootkits run like normal user programs in user mode, the lowest permission level (ring 3) of the CPU. This prevents them from directly intervening in the memory area of other applications.
Memory-based rootkits work in the main memory (RAM) of a computer and therefore do not survive a reboot.

Kernel-mode rootkits run at the highest permission level. They can write to all areas of main memory (RAM), including the memory areas of other programs. So kernel rootkits are able to intercept calls to certain operating system functions and filter the results returned to the calling programs. This leads, for example, to suspicious files and processes not being displayed in Explorer or Task Manager.

Bootloader rootkits / bootkits target the foundation of the computer by attacking the master boot record. The MBR is an important part of the computer because it contains instructions on how to boot the operating system. Also, these rootkits are hard to get rid of. If the boot loader has been infiltrated into the MBR code, removing it could damage the computer.

Unlike other types, memory-based rootkits do not remain permanently stored on the machine. When the RAM is reset on restarting your computer, the rootkit is deleted too.

Instead of targeting the OS, firmware/hardware rootkits go after the software that runs certain hardware components.

Hypervisor rootkits are rootkits that move an existing real operating system into a virtual environment. The virtual environment is therefore a software layer under the operating system, which makes it very difficult to detect the VMBR.

Why doesn't my antivirus tool work against rootkits?

Antivirus software is of course designed to find as much malicious software as possible. However, these beasts are often extremely well hidden, the system often continues to work as before and rarely shows any obvious behavior. Even though Kaspersky's products stand out from the competition in an extremely positive way, no antivirus software has a 100% detection rate, especially not for malware that is not known to the general public (such as 0-day exploits). Of course, cloud technology (Kaspersky Security Network) and machine learning often help to identify strange software as malware. But even the best software can be deceived.

Why didn't TDSSKiller find anything?

The problem with TDSSKiller is that it specializes in a limited number of rootkits and sometimes provides some unclear scan results. However, the TDSSKiller is definitely a good tool.

What should I do now?

Be careful when you're trying to remove rootkits. There are plenty of tools available (like GMER or aswMBR), but these tools are either intended for professional users, produce extremely long log files, or unintentionally delete needed system files and make the operating system unusable later.

Therefore, please contact Kaspersky Support, they will be happy to assist you.

The safest way is to have the operating system reinstalled if you have made a backup of your personal data. If not, remember that for the future. Don't visit weird websites, use a purchased antivirus solution like Kaspersky Internet Security and use an adblocker.

I hope I was able to help you and wish you the best.
Good luck!

Image source: User:Sven (original author User:Cljk), Wikimedia Commons, CC BY-SA 3.0.
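The bootkit paragraph above says the MBR holds the instructions for booting the OS and that a bootkit overwrites them. The following is an added example, not code from this thread or from any Kaspersky tool: it parses a 512-byte MBR image (a constructed sample here, not a real disk) and compares the boot-code area against a SHA-256 baseline recorded after a clean install, which is one way a defender can tell a modified MBR from a legitimate partition-table change.

```python
import hashlib
import struct

def build_sample_mbr() -> bytes:
    # Constructed sample: zero-filled boot code, disk id 0x78563412, one
    # active NTFS partition (type 0x07) at LBA 2048 spanning 204800 sectors.
    entry = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), 2048, 204800)
    return bytes(440) + b"\x12\x34\x56\x78" + bytes(2) + entry + bytes(48) + b"\x55\xAA"

def parse_mbr(image: bytes) -> dict:
    """Decode the classic MBR layout: 440 bytes boot code, 4-byte disk id,
    2 reserved bytes, four 16-byte partition entries, 0x55AA signature."""
    if len(image) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    signature = struct.unpack_from("<H", image, 510)[0]
    disk_id = struct.unpack_from("<I", image, 440)[0]
    partitions = []
    for i in range(4):
        # Skip CHS fields (3x) and read status, type, start LBA, sector count.
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", image, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": signature == 0xAA55,
        "disk_id": disk_id,
        "partitions": partitions,
        # Hash only the boot-code area: that is what a bootkit overwrites,
        # while the partition table may change for legitimate reasons.
        "boot_code_sha256": hashlib.sha256(image[:440]).hexdigest(),
    }

def check_mbr(image: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(image)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from clean-install baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings

if __name__ == "__main__":
    # On a real Windows host the image would come from an elevated
    # open(r"\\.\PhysicalDrive0", "rb").read(512); the sample stands in for it.
    sample = build_sample_mbr()
    baseline = parse_mbr(sample)["boot_code_sha256"]
    print(check_mbr(b"\xEB" + sample[1:], baseline))
```

A kernel-mode rootkit that filters disk reads can present a clean sector to this check on the live system, which is why the offline Kaspersky Rescue Disk used later in this thread is the more reliable place to run such a comparison.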
I think the Kaspersky Rescue Disk worked!! The system date and time are now correct.
Thanks to you all, I am really very grateful for your help 😄
Userlevel 3
I think the Kaspersky Rescue Disk worked!! The system date and time are now correct.
Thanks to you all, I am really very grateful for your help 😄

On behalf of the Kaspersky Community, I would like to say you're welcome!
