Kaspersky rootkit????



rdomingu
2013-03-12, 20:55
Hello,
New to the forum. I have some kind of infection on my XP Pro SP3 system whereby I am told by scans by Kaspersky and SuperAntiSpyware that my home page has been changed. Kaspersky Vulnerability Scan set it back to "Blank" and SuperAntiSpyware tells me it was changed and asks if I want to set it back to its original state, to which I answer yes. My Security Center buttons become greyed out and I have to make registry changes to re-enable them to set auto update and at what time to perform it. Running a manual Windows Update will take a LONG time to run/complete. System performance also slowly degrades. I have thrown many things at this with no changes. After a reboot, system runs better but the greyed out buttons return. I ran the "RootAlyzer" and below is the log.

// info: Rootkit removal help file
// copyright: (c) 2008-2009 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP13\Report:kavextended:$DATA"


I suspect that the above results are due to having Kaspersky loaded and running (paid version). If this is the case, can you suggest to me what I should do next to find and remove this infection? Thanks in advance for all your help!!!

Ray
PS Attached please find a screenshot of the completed Kaspersky Vulnerability Scan.

spybotsandra
2013-03-13, 12:36
Hello,

That is no Rootkit, just a file that belongs to Kaspersky.

Malware sometimes uses rootkit technology to hide itself at system level.
This makes it undetectable by standard tools. Our plugins help Spybot – Search & Destroy to detect this form of malware.
Our Rootkit Scanner tool shows anything that uses certain rootkit technologies. But items with rootkit properties detected here are not necessarily malware. Sometimes, legit software uses rootkit technologies to hide registration data or other things it does not want the user to see in any case. So please keep in mind that the Rootkit Scanner only flags suspicious stuff; it does not identify just bad stuff.

Best regards
Sandra
Team Spybot
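
The flagged item in the log above is an NTFS alternate data stream (ADS) path of the form `host:stream:$TYPE`. As an added example (not part of the original posts and not Spybot's code), the sketch below parses such result lines and splits the path so the host file's location can be reviewed. It assumes the log format is as shown in the single line quoted in the thread; the function names and the `KNOWN_PRODUCT_DIRS` list are hypothetical.

```python
import csv
import io
import ntpath

# Constructed sample: the RootAlyzer log lines quoted in the thread.
SAMPLE_LOG = "\n".join([
    "// info: Rootkit removal help file",
    ":: RootAlyzer Results",
    r'File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data'
    r'\Kaspersky Lab\AVP13\Report:kavextended:$DATA"',
])
# Assumption: directory taken from the path in the thread's log; adjust per system.
KNOWN_PRODUCT_DIRS = [r"C:\Documents and Settings\All Users\Application Data\Kaspersky Lab"]

# Only the last path component is searched for colons, so the drive-letter
# colon is never mistaken for a stream separator.
def split_stream_path(path):
    """Split 'host:stream:$TYPE' into (host, stream, stream_type)."""
    directory, leaf = ntpath.split(path)
    parts = leaf.split(":")
    stream = parts[1] if len(parts) > 1 else ""
    stream_type = parts[2] if len(parts) > 2 else "$DATA"
    return ntpath.join(directory, parts[0]), stream, stream_type

def under_known_dir(host):
    """Case-insensitive containment check; location is context, not proof."""
    h = ntpath.normcase(host)
    return any(h.startswith(ntpath.normcase(d) + "\\") for d in KNOWN_PRODUCT_DIRS)

def parse_results(log_text):
    """Return one dict per 'File:' result line; other lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        kind, sep, rest = line.partition(":")
        if kind != "File" or not sep:
            continue
        fields = next(csv.reader(io.StringIO(rest)), [])
        if len(fields) != 2:
            continue
        host, stream, stream_type = split_stream_path(fields[1])
        findings.append({"label": fields[0], "host": host, "stream": stream,
                         "type": stream_type, "known_dir": under_known_dir(host)})
    return findings

if __name__ == "__main__":
    for finding in parse_results(SAMPLE_LOG):
        print(finding)
```
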

rdomingu
2013-03-13, 18:39
Thank you, Sandra, for such a quick response. I figured that result would be safe seeing that I am running Kaspersky's Anti-Virus 2013. However, I am infected with something which I cannot seem to find. I am hoping you can assist me with your detection experience in locating infections. I am running Win XP SP3 and current on all patches. I have run Kaspersky scans (full, vulnerability, critical area and root kit), Sophos standalone (Sav32cli), SB Search n Destroy 2, RootAlyzer, SuperAntiSpyware, HijackThis, Combofix and MalwareBytes... all with current updates... with no significant results, to maybe my untrained eye. I have run these all under normal boot and some under safe mode with no difference in results. After a boot-up, box runs good but eventually slows to a crawl with CPU usage at 100%. I am a desktop support analyst and am used to disinfecting boxes on almost a daily basis but this one is on my own personal box. I have backups, but they are infected as well so I can't just restore. At work, this would be a simple re-image but I can't do that here... much too much stuff on this box. I would greatly appreciate your assistance. This one is REALLY making me feel incompetent!!! Thanks in advance for your hopeful assistance.

Thank you,
Ray

tashi
2013-03-13, 18:49
Hello,

> At work, this would be a simple re-image but I can't do that here....much too much stuff on this box. I would greatly appreciate your assistance. This one is REALLY making me feel incompetent!!! Thanks in advance for your hopeful assistance.
>
> Thank you,
> Ray

Is this a personal computer? :)

Best regards,

rdomingu
2013-03-13, 18:57
Yes, regretfully I am now unemployed and this is my own personal computer....:red:

tashi
2013-03-13, 19:58
Hello domingu,

For someone to take a look at the system please start a topic in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) and a volunteer analyst will advise when available.

First see that forum's FAQ which also includes instructions in post #2 on how to provide DDS and aswMBR logs, which are used in the preliminary analysis.
http://forums.spybot.info/showthread.php?t=288

Best regards. :)