
KIS 2020 was not able to stop a malware attack


I have been using Kaspersky Internet Security (KIS) for the last 6 years. But today something unexpected happened. Today I noticed that my KIS got uninstalled without my knowledge. When I was searching for KIS in the ‘search bar’ it showed the icon, and when I clicked on it, it showed that the shortcut was not found. What the hell?? I was shocked. I did not uninstall it, did not do anything with it. But it happened to my KIS. I tried to reinstall using the setup downloaded from the Kaspersky website. The installation was also not successful. It showed some error. Later I came to know that my computer had been infected with a virus. Then I downloaded the Kaspersky Virus Removal Tool from the website and tried disinfection. I was a bit skeptical: KIS itself had failed to stop the attack and utterly failed against the virus infection, so how could KVR remove the virus? But it was successful and finally I managed to reinstall KIS. My doubts are:

  1. How did KIS fail to stop the malware attack, and how did it get uninstalled without my knowledge?
  2. What is the use of KIS when it fails when a virus attacks?

41 replies

Userlevel 7
Badge +3

Hi,

Welcome.

Where did you try to find Kaspersky?? Go to Control Panel / Install/Uninstall a program and search there.

Error??? Please specify which type of error.

And also Kaspersky can not uninstall (you must confirm that). And Kaspersky has great protection against malware.

Thank you for your response. I just tried to open KIS. But it did not open; it was not there on my computer. When I searched the C drive, no installation files were there. It was quite obvious that my computer had been infected with a virus though it had KIS (with a valid license, 399 days remaining). I do not remember the error, but it showed some error. The word ‘UNINSTALL’ may be wrong in my case. Maybe it stopped functioning. But it crashed; I don’t have proof to substantiate my arguments. But Kaspersky failed poorly.

Userlevel 7
Badge +3

Do you have access to your PC?

Does the Kaspersky folder not exist in Program Files??

Userlevel 7
Badge +4

Also, in addition to nexon above,

 

Please contact Tech Support for this issue, too.

Link to Tech Support is located at upper left of this web page. 

Userlevel 7
Badge +5

Hello, @john2020 

May I ask you a question: which KIS build did you use before? 2019?

If yes, there is one reason which could explain this “KIS has gone” behavior: KIS auto-removes the old build and auto-upgrades to the newest build, 2020.

Another question: why did the auto install of KIS fail? Please use this tool to do a full uninstallation again. After rebooting the PC, please reinstall the product (KIS 2020) again. Let us know the result.

If no, we should analyse which program could delete KIS. The KIS product has a self-defense function. As we expect, it couldn’t be deleted by another application, because it works at a higher privilege level, unless there is a program that loads a validly digitally signed driver to delete it. I think this is not necessarily caused by malicious programs. It may be caused by a potentially unsafe application (PUA). In order to investigate this situation, we need a GSI or AVZ report. After receiving your feedback, we will give you further advice.

Following what richbuff said, if you contact KL support, please also post what they said here. This will help other people in the future. We will appreciate it.

Best regards.

Userlevel 1
  • You should check that the KIS database is up to date, because out-of-date signature updates will no longer work. On the other hand, you may have disabled it for a while to install some program. At the final stage, some hacker infected your PC through the internet and uninstalled it remotely.
  • It is not the fault of KIS, because it is still ranked at the top above competitors. Double-check the exact reason behind the failure, then share it with us.

 

Interesting; I just found out recently that my KTS suddenly wasn’t working anymore, and the same with my Windows Defender. I also noticed that when I go to Windows Security it is EMPTY! Same issue when I try to restart KTS: it says that it can’t be found.

I tried to reinstall KTS and nothing happens; tried another AV quickly, but a free check couldn’t find it.

Been using Kaspersky for maybe 10 years, I think; never failed me.

 

I am not sure how long my laptop was infected. Took out the SSD, and it will be scanned by another laptop with KTS; we’ll see if it will find it.

Userlevel 7
Badge +4

Welcome. 

There are two possible courses of action. One is to post your GetSystemInfo report here, so forum users can help, or the other is to Contact Tech Support. 

1. Please post your GetSystemInfo report link, instructions: https://support.kaspersky.com/common/diagnostics/3632
  Please upload the GetSystemInfo zip folder that is inside the larger GSI zip to the GSI parser site http://www.getsysteminfo.com/ and post the url to the parsed report here, in your next post.

2. Or, please contact Tech Support: https://my.kaspersky.com/support/

Please attach the following items to your Tech Support request: 

a. Description of the issue.
b. Screenshot, as needed.
c. GSI

Hi

It finished scanning the SSD and it found the virus.

 

Here is the txt report :(

 

25.06.2020 22.33.33    External Device Scan    Task started    Removable drive: E:\    Time: Yesterday, 6/25/2020 10:33 PM
26.06.2020 09.42.50    External Device Scan    Task completed    Removable drive: E:\    Completion time: Today, 6/26/2020 9:42 AM
26.06.2020 09.42.50    Detected object (file) deleted    E:\Windows\System32\Tasks\Microsoft\Windows\Wininet\Winlogui    File: E:\Windows\System32\Tasks\Microsoft\Windows\Wininet\Winlogui    Object name: Trojan.Multi.GenAutorunTaskFile.a
26.06.2020 09.42.50    Detected object (file) moved to Quarantine    E:\Windows\System32\Tasks\Microsoft\Windows\Wininet\Winlogui    File: E:\Windows\System32\Tasks\Microsoft\Windows\Wininet\Winlogui    Object name: Trojan.Multi.GenAutorunTaskFile.a
26.06.2020 09.42.49    Detected object (file) deleted    E:\Windows\System32\winscomrssrv.dll    File: E:\Windows\System32\winscomrssrv.dll    Object name: HEUR:Backdoor.Win64.Agent.gen
26.06.2020 09.42.49    Detected object (file) moved to Quarantine    E:\Windows\System32\winscomrssrv.dll    File: E:\Windows\System32\winscomrssrv.dll    Object name: HEUR:Backdoor.Win64.Agent.gen
26.06.2020 09.42.48    Detected object (file) deleted    E:\Windows\System32\winrmsrv.exe    File: E:\Windows\System32\winrmsrv.exe    Object name: UDS:DangerousObject.Multi.Generic
26.06.2020 09.42.48    Detected object (file) moved to Quarantine    E:\Windows\System32\winrmsrv.exe    File: E:\Windows\System32\winrmsrv.exe    Object name: UDS:DangerousObject.Multi.Generic
26.06.2020 09.42.47    Object (file) not processed    E:\Windows\System32\winrmsrv.exe    File: E:\Windows\System32\winrmsrv.exe    Object name: not-a-virus:HEUR:RiskTool.Win32.Generic    Reason: Allowed by user
26.06.2020 09.42.46    Detected object (file) deleted    E:\Windows\System32\winlogui.exe    File: E:\Windows\System32\winlogui.exe    Object name: HEUR:Trojan.Win32.Miner.gen
26.06.2020 09.42.46    Detected object (file) moved to Quarantine    E:\Windows\System32\winlogui.exe    File: E:\Windows\System32\winlogui.exe    Object name: HEUR:Trojan.Win32.Miner.gen
26.06.2020 09.42.43    Detected object (file) deleted    E:\Windows\System32\StartupCheckLibrary.dll    File: E:\Windows\System32\StartupCheckLibrary.dll    Object name: HEUR:Backdoor.Win64.Agent.gen
26.06.2020 09.42.43    Detected object (file) moved to Quarantine    E:\Windows\System32\StartupCheckLibrary.dll    File: E:\Windows\System32\StartupCheckLibrary.dll    Object name: HEUR:Backdoor.Win64.Agent.gen
26.06.2020 09.32.59    Object (file) not processed    E:\Windows\System32\Tasks\Microsoft\Windows\Wininet\Winlogui    File: E:\Windows\System32\Tasks\Microsoft\Windows\Wininet\Winlogui    Object name: Trojan.Multi.GenAutorunTaskFile.a    Reason: Postponed
26.06.2020 09.32.59    Object (file) detected    E:\Windows\System32\Tasks\Microsoft\Windows\Wininet\Winlogui    File: E:\Windows\System32\Tasks\Microsoft\Windows\Wininet\Winlogui    Object name: Trojan.Multi.GenAutorunTaskFile.a
26.06.2020 09.30.17    Object (file) not processed    E:\Windows\System32\winscomrssrv.dll    File: E:\Windows\System32\winscomrssrv.dll    Object name: HEUR:Backdoor.Win64.Agent.gen    Reason: Postponed
26.06.2020 09.30.17    Object (file) detected    E:\Windows\System32\winscomrssrv.dll    File: E:\Windows\System32\winscomrssrv.dll    Object name: HEUR:Backdoor.Win64.Agent.gen
26.06.2020 09.30.17    Object (file) not processed    E:\Windows\System32\winrmsrv.exe    File: E:\Windows\System32\winrmsrv.exe    Object name: UDS:DangerousObject.Multi.Generic    Reason: Postponed
26.06.2020 09.30.17    Object (file) not processed    E:\Windows\System32\winrmsrv.exe    File: E:\Windows\System32\winrmsrv.exe    Object name: not-a-virus:HEUR:RiskTool.Win32.Generic    Reason: Postponed
26.06.2020 09.30.17    Object (file) detected    E:\Windows\System32\winrmsrv.exe    File: E:\Windows\System32\winrmsrv.exe    Object name: not-a-virus:HEUR:RiskTool.Win32.Generic
26.06.2020 09.30.16    Object (file) not processed    E:\Windows\System32\winlogui.exe    File: E:\Windows\System32\winlogui.exe    Object name: HEUR:Trojan.Win32.Miner.gen    Reason: Postponed
26.06.2020 09.30.16    Object (file) detected    E:\Windows\System32\winlogui.exe    File: E:\Windows\System32\winlogui.exe    Object name: HEUR:Trojan.Win32.Miner.gen
26.06.2020 09.29.49    Object (file) not processed    E:\Windows\System32\StartupCheckLibrary.dll    File: E:\Windows\System32\StartupCheckLibrary.dll    Object name: HEUR:Backdoor.Win64.Agent.gen    Reason: Postponed
26.06.2020 09.29.49    Object (file) detected    E:\Windows\System32\StartupCheckLibrary.dll    File: E:\Windows\System32\StartupCheckLibrary.dll    Object name: HEUR:Backdoor.Win64.Agent.gen
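The report above is worth reading per file rather than line by line: the same object appears several times (detected, postponed, then deleted or quarantined), and one line shows a verdict that was not acted on because of a user exclusion. As an added example, not part of the thread or of any Kaspersky tool, here is a small Python parser for this report format that groups events by path and flags files that were never removed or that had a verdict allowed through by the user. The sample lines are constructed to mirror the format posted above; the column separator is assumed to be a tab or a run of spaces, as in the copy-pasted text.

```python
"""Added example (not from the thread): parse Kaspersky scan-report lines of
the kind quoted above and summarise, per file, every verdict recorded and
whether the object was actually removed or left in place by a user exclusion.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the report format quoted in the thread.
# Columns are separated by tabs (or runs of spaces after copy-paste).
SAMPLE_REPORT = r"""
26.06.2020 09.42.50    External Device Scan    Task completed    Removable drive: E:\    Completion time: Today, 6/26/2020 9:42 AM
26.06.2020 09.42.50    Detected object (file) deleted    E:\Windows\System32\Tasks\Microsoft\Windows\Wininet\Winlogui    File: E:\Windows\System32\Tasks\Microsoft\Windows\Wininet\Winlogui    Object name: Trojan.Multi.GenAutorunTaskFile.a
26.06.2020 09.42.48    Detected object (file) deleted    E:\Windows\System32\winrmsrv.exe    File: E:\Windows\System32\winrmsrv.exe    Object name: UDS:DangerousObject.Multi.Generic
26.06.2020 09.42.48    Detected object (file) moved to Quarantine    E:\Windows\System32\winrmsrv.exe    File: E:\Windows\System32\winrmsrv.exe    Object name: UDS:DangerousObject.Multi.Generic
26.06.2020 09.42.47    Object (file) not processed    E:\Windows\System32\winrmsrv.exe    File: E:\Windows\System32\winrmsrv.exe    Object name: not-a-virus:HEUR:RiskTool.Win32.Generic    Reason: Allowed by user
26.06.2020 09.42.46    Detected object (file) deleted    E:\Windows\System32\winlogui.exe    File: E:\Windows\System32\winlogui.exe    Object name: HEUR:Trojan.Win32.Miner.gen
26.06.2020 09.30.17    Object (file) not processed    E:\Windows\System32\winrmsrv.exe    File: E:\Windows\System32\winrmsrv.exe    Object name: UDS:DangerousObject.Multi.Generic    Reason: Postponed
26.06.2020 09.30.16    Object (file) detected    E:\Windows\System32\winlogui.exe    File: E:\Windows\System32\winlogui.exe    Object name: HEUR:Trojan.Win32.Miner.gen
25.06.2020 22.33.33    External Device Scan    Task started    Removable drive: E:\    Time: Yesterday, 6/25/2020 10:33 PM
"""

FIELD_SEP = re.compile(r"\t|[ ]{2,}")
TIME_FMT = "%d.%m.%Y %H.%M.%S"
# Event texts that mean the object is no longer in place on the scanned volume.
REMOVAL_EVENTS = ("deleted", "moved to Quarantine")


def parse_line(line):
    """Return a dict for one report line, or None for blank/unparseable lines."""
    fields = FIELD_SEP.split(line.strip())
    if len(fields) < 3:
        return None
    try:
        when = datetime.strptime(fields[0], TIME_FMT)
    except ValueError:
        return None
    rec = {"time": when, "event": fields[1], "path": fields[2],
           "verdict": None, "reason": None}
    for field in fields[3:]:
        if field.startswith("Object name: "):
            rec["verdict"] = field[len("Object name: "):]
        elif field.startswith("Reason: "):
            rec["reason"] = field[len("Reason: "):]
    return rec


def summarize(report_text):
    """Group detection events by file path (oldest first) and decide, per file,
    whether it was removed and whether a user exclusion let a verdict through.
    Task start/finish lines carry no verdict and are skipped."""
    by_path = defaultdict(list)
    for line in report_text.splitlines():
        rec = parse_line(line)
        if rec and rec["verdict"]:
            by_path[rec["path"]].append(rec)
    summary = {}
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r["time"])  # report is newest-first; flip it
        removed = any(r["event"].endswith(REMOVAL_EVENTS) for r in recs)
        excluded = sorted({r["verdict"] for r in recs if r["reason"] == "Allowed by user"})
        summary[path] = {
            "verdicts": sorted({r["verdict"] for r in recs}),
            "timeline": [(r["time"].strftime("%H:%M:%S"), r["event"], r["reason"]) for r in recs],
            "removed": removed,
            "user_exclusions": excluded,
            # Worth a human look: nothing removed, or a verdict waved through by an exclusion.
            "needs_review": (not removed) or bool(excluded),
        }
    return summary


if __name__ == "__main__":
    for path, info in summarize(SAMPLE_REPORT).items():
        flag = "REVIEW" if info["needs_review"] else "ok"
        print(f"[{flag}] {path}")
        print("   verdicts:", ", ".join(info["verdicts"]))
        if info["user_exclusions"]:
            print("   allowed by user:", ", ".join(info["user_exclusions"]))
        for when, event, reason in info["timeline"]:
            print(f"   {when}  {event}" + (f"  ({reason})" if reason else ""))
```

Run against the sample, winrmsrv.exe comes out flagged for review: it was eventually deleted under the UDS verdict, but the earlier RiskTool verdict on the same file had been allowed by the user, which is exactly the kind of exclusion a support engineer would want to ask about.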

 

Userlevel 7
Badge +4

If this issue can not be easily and quickly solved, please contact Tech Support. 

https://my.kaspersky.com/support/

Please attach the following items to your Tech Support request: 

a. Description of the issue.
b. Screenshot, as needed.
c. GSI

  1. Detailed detection log. 


The exact same thing happened to me twice now. Did you and Kaspersky support manage to solve it?

The same happened to me like 6 or 5 times. Please, for the love of God, fix this; it’s getting annoying at this point.

Userlevel 7
Badge +9

Hello @Mandalorian & @Rosai

Welcome!

It’s very unlikely Kaspersky will fix anything without first analysing data.

Have you logged a case, as suggested above by @richbuff? If “no”, please do so; Support will require traces, logs & other data → they will guide you:

 

  • After submitting the case, you’ll receive an automated email with an INC+12-digit reference number; then, normally within 5 business days, a Kaspersky Technical Support human will be in touch, also by email. You may continue to engage with the Kaspersky Technical Team via email or by updating the INC in your MyKaspersky account.

Please share the outcome with the Community when it’s available.

Thank you

Flood


I contacted Kaspersky already and talked with multiple agents, yet we couldn’t solve the issue because we couldn’t collect any data on the attack. After my Kaspersky Total Security “malfunctioned”, and after removing it completely and then reinstalling it, it found “HEUR:Backdoor.Win64.Agent.gen” and “winlogui.exe” viruses, meaning someone was logged on to my computer, possibly stealing my data.

When Kaspersky tried to eliminate the threat, it could only stop “winlogui.exe”, but not the other process. Right after that my Windows started closing all the apps and everything started to malfunction. I had to hard reboot my system, and after that everything looked fine.

What worries me is that this happened to me twice already. It wasn’t a simple software malfunction. Someone got through Kaspersky’s protection and made it malfunction by deleting everything in the Kaspersky folder, so it couldn’t start at boot and be able to protect my computer. This is a serious issue and the Kaspersky team should look into it immediately, because it poses a serious security threat.
 


The exact same thing happened to me. I don’t really keep that many sensitive files on my computer, since I just use it for games. Kaspersky always fails to stop attacks and it’s getting annoying. Even if I try to reinstall Kaspersky it won’t work. The only way to fix it for me is to use KRD. I’ll use Bitdefender for now, and if it lasts for a month then I’ll cancel my subscription and switch. Also, just curious, what were the time intervals when you were attacked by the malware, and has it happened to you again ever since?

 

Userlevel 7
Badge +5



Hello,

If the AV solution could not solve the problem related to malware, it could be facing three problems:

  1. No detection for the main malware object; only the files dropped by the malware are processed. Reason for that behavior: the AV solution didn’t detect the main malware object. There is no signature related to this object in its threat database, or the object is obfuscated or packed.
  2. Because of some malware’s self-protection function, the AV solution couldn’t delete the malware successfully. Reason for that behavior: the malware has its own driver or service support. Malicious programs fight against the removal operation.
  3. The malware is hidden in a browser add-on or a patched program; when you run those programs, or it starts itself at system boot, the infection will happen again.

Sometimes we need to analyse the system manually and focus on finding some suspicious objects. Those objects may lead to the issue. So if convenient, please send me an AVZ report here.

https://support.kaspersky.com/14612

Regards.

@Wesly.Zhang so how can I send you my report? Do I just attach it here in this thread? Also, what should be the script I’m supposed to run?

Userlevel 7
Badge +5

Hello @Mandalorian 

You mention:

When Kaspersky tried to eliminate the threat, it could only stop “winlogui.exe”, but not the other process. Right after that my Windows started closing all the apps and everything started to malfunction. I had to hard reboot my system, and after that everything looked fine.

If I guess correctly, you used “Advanced Disinfection technology” to eliminate the threats, which caused this situation. It is a default setting in KL products. In this disinfection mode, you cannot open a new program or process; some programs or the system will be abnormal or hang, in order to block some OS actions used by malware. After doing a scan using Advanced Disinfection technology, a reboot is required. The OS will reboot automatically after the scan finishes.

Regards.

Userlevel 7
Badge +5


Hello @Rosai 

You can do the following steps to create an AVZ report; we need the virusinfo_syscheck.zip file in the LOG folder, which is at the same location as avzrn.exe:

Regards.

Hi, where can I send you the log file?

 

Userlevel 7
Badge +5

Hi, I can’t attach the file for some reason, so I’ll just add a link to the log file on Google Drive here.

 


Hello,

I analysed the AVZ report. There are three points I have noticed:

  1. You have already installed Bitdefender AV. Is everything OK after installing it?
  2. What is this:
    C:\Program Files (x86)\Razer\
  3. Do you use cracked Steam and Adobe Reader DC?

Regards.

I don’t use a cracked version of Steam or Adobe Reader, but I do have a cracked Photoshop 2020. And yes, I am trying out Bitdefender in hopes that the same thing won’t happen to me again for the 8th time. Also, it’s like it happens almost monthly.

Userlevel 7
Badge +5


Hello,

Could you please answer my second point? What is “Razer”? Do you know it? What’s the “Synapse3” value of the registry key in “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”? There are suspicious values in the AVZ log. Maybe it is an AVZ bug or ...

And d:\83280b899080454a159e577d\DW\DW20.exe: can you access this path?

Regards.

Hi, sorry about that. Razer is just the software for my mouse, which is a Viper Mini.

Userlevel 7
Badge +5


Hello,

OK, roger that.

Let us run an AVZ script:

begin
QuarantineFile('%windir%\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1','');
QuarantineFile('C:\Windows\system32\bootim.exe','');
QuarantineFile('d:\83280b899080454a159e577d\DW\DW20.exe','');
DeleteSchedulerTask('Microsoft\Windows\SMB\UninstallSMB1ClientTask');
DeleteSchedulerTask('Microsoft\Windows\SMB\UninstallSMB1ServerTask');
CreateQurantineArchive('C:\AVZ_Qurantine.zip');
SaveLog('C:\AVZ_Qurantine.log');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

This script will try to quarantine three files, “%windir%\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1”, “C:\Windows\system32\bootim.exe” and “d:\83280b899080454a159e577d\DW\DW20.exe”, and delete the suspicious “Scheduler Tasks” using PowerShell. After executing this script, the OS will reboot.

After the reboot, please send the quarantine file and the log file to me via Google Drive. The quarantine file is at c:\AVZ_Qurantine.zip. The log file is at c:\AVZ_Qurantine.log.

Regards.
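Both the task file the earlier scan report flagged (Tasks\Microsoft\Windows\Wininet\Winlogui, verdict Trojan.Multi.GenAutorunTaskFile.a) and the DeleteSchedulerTask calls in the AVZ script above concern Task Scheduler persistence. Before deleting a task it helps to know what it actually launches, on which triggers and as which account. As an added example, not part of the thread or of any Kaspersky tool, here is a Python script that reads a task definition in the XML format Windows stores under System32\Tasks, summarises those fields, and compares the launched binary against file names taken from a scan report. The task content is constructed for illustration; the XML namespace is the one Windows uses.

```python
"""Added example (not from the thread): inspect a Windows Task Scheduler task
definition and cross-check what it launches against files a scan flagged.
Real task files live under %SystemRoot%\\System32\\Tasks and are UTF-16 text;
ElementTree handles that when given the file path or raw bytes."""
import ntpath
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (fixed by Windows, not an assumption).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task: runs at boot and logon, hidden, as SYSTEM, and its
# command has the same file name as the miner detection in the thread.
SAMPLE_TASK_XML = """<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>constructed-example</Author></RegistrationInfo>
  <Triggers>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\winlogui.exe</Command></Exec>
  </Actions>
</Task>
"""


def inspect_task(root):
    """Summarise the security-relevant parts of one parsed task definition."""
    def txt(path, default=""):
        return (root.findtext(path, default=default, namespaces=NS) or default).strip()

    triggers_el = root.find("t:Triggers", NS)
    # Child element names are the trigger kinds: BootTrigger, LogonTrigger, ...
    triggers = [] if triggers_el is None else [c.tag.rsplit("}", 1)[-1] for c in triggers_el]
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
    return {
        "author": txt("t:RegistrationInfo/t:Author"),
        "triggers": triggers,
        "user": txt("t:Principals/t:Principal/t:UserId"),
        "run_level": txt("t:Principals/t:Principal/t:RunLevel"),
        "hidden": txt("t:Settings/t:Hidden", "false").lower() == "true",
        "actions": actions,
    }


def inspect_task_xml(text):
    """Parse a task definition held in memory (str or bytes)."""
    return inspect_task(ET.fromstring(text))


def inspect_task_file(path):
    """Parse a task file from disk; ET.parse reads bytes, so UTF-16 is fine."""
    return inspect_task(ET.parse(path).getroot())


def matches_detections(task_info, detected_paths):
    """Commands of the task whose file name equals a file flagged in a scan report.
    Compared by base name only: in the thread the SSD was scanned from another
    laptop as E:, while a task on that system refers to the same file under C:."""
    flagged = {ntpath.basename(p).lower() for p in detected_paths}
    return [cmd for cmd, _ in task_info["actions"] if ntpath.basename(cmd).lower() in flagged]


if __name__ == "__main__":
    info = inspect_task_xml(SAMPLE_TASK_XML)
    for key, value in info.items():
        print(f"{key:>10}: {value}")
    # File names taken from the scan report posted earlier in the thread.
    hits = matches_detections(info, [r"E:\Windows\System32\winlogui.exe",
                                     r"E:\Windows\System32\winrmsrv.exe"])
    print("launches a file flagged by the scan report:", hits)
```

To triage a whole system, walk the Tasks directory with inspect_task_file and look at every task whose command is not in a location you recognise, runs hidden, or runs as S-1-5-18 with HighestAvailable on boot or logon; the base-name comparison is deliberately loose so that an offline scan of a mounted disk still correlates with the task definitions on it.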
