steve_paul_quinn
Everything posted by steve_paul_quinn
-
A quick update

I wanted a foolproof KART uninstall from a working or recently fixed machine, just in case the KART uninstaller failed. This is such an ugly issue, I don't want to take any chances.

From what I found:

The anti_ransom_gui.exe task can easily be stopped

The AntiRansom4 Service CANNOT be set to manual or disabled without further investigation

Even sc config AntiRansom4 start=disabled fails

Manually attempting to change Start in Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntiRansom4 appears protected

I resorted to using Kaspersky's own tool kavremvr.exe
https://support.kaspersky.com/common/uninstall/1464

It's fun to get in Canada, I need to use TOR Browser, YMMV

It worked great, doing more tests

Ugly notes here
https://docs.google.com/document/d/1gDzDaWPk4s8L2eqP6qERVojFXUtevCaca2G7SmO0wK8/edit
-
Alyo.

Is that the state of one of your machines? No UpperFilters yet System Protection appears? If so, my advice is wrong.

There might be a less lazy way to query the state of VSS but I use the Free Macrium Reflect. The GUI has a convenient View VSS Events and Fix VSS Problems.

It would be interesting to see if your VSS is happy or not.
-
Thanks PDWK. My concern is locking myself out of helping my customer remotely. Guiding them to restore a normal msconfig would be hard blind. I’m going to experiment with KART on a VM. I know TeamViewer has a Safe Mode boot that obviously includes the Safe Mode with Networking option. It sometimes works which is cool. I hope to find the minimal adjustments required to prevent KART from starting.
-
The bus quote was because Intrepid misquoted your comment as mine. I did not mean to offend if I did.

Interestingly my daily drive laptop has many other UpperFilter entries. It’s a popular place for other applications it seems.

mrcbt appears to be Macrium

eudcpepm appears to be EaseUS

To answer your question about renaming/uninstalling KART, it depends on where I am. If I’m in a CATRoot DriverStore recovery process, I will be in the Macrium Reflect PE environment. It’s easy to rename/delete it there :-)

Thanks for the VSS restart info, it will save me time trying.

The perfect storm is my current customer's machine.

Windows is working, I’m logged in with TeamViewer!

UpperFilter was gone and is now fixed

VSS was failing for x days and there are no current Macrium backups

KART is installed, I have uninstalled it.

CatRoot is ok

DriverStore is ok

I’d really like to do a Macrium backup but I cannot without VSS.

To be super duper safe, I hope some startup management, safe mode, msconfig Kung Fu can at least prevent the next reboot from using KART if for whatever reason it’s still present.

Some of my customers are a 100 KM return trip!

Hope that makes sense
-
Hi folks

Intrepid, not to throw PDWK under the bus but you misquoted me. It's easy to do with the layout of forum posts.

In terms of accountability, you may want to first review the KART EULA. It may in fact absolve Kaspersky from any damage. Just being honest.

Back to the solution ...

I’ve spent much of yesterday running around cleaning up from the mess this caused so I’ve had little time to troubleshoot.

I have now seen 3 computers with a missing UpperFilter Registry entry in the following.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}

These computers were still working but without UpperFilter and the volsnap entry, VSS is silently failing. Automated Macrium backups are thus failing and soon I think CatRoot and DriverStore will be wacked on a future reboot. I have 1 workstation with proof this happened.

I have a customer now who has yet to reboot in this exact state. I cannot rename C:\Program Files (x86)\Kaspersky Lab as they are in use. I think I’ll visit using msconfig to manually disable the software so at least it’s not running on the next reboot.

I think I’ve got 10 very unhappy customers now who are afraid of Kaspersky. I’ve got a bunch more ticking time bombs out there as we speak. What a nightmare.

Folks, even if you have a fixed or working machine, please double check VSS is happy. An easy way I found is to try to open the System Properties thingy. It normally looks something like this.

[Image: A Happy System Protection]

If UpperFilter/volsnap is missing from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}, opening System Protection reveals this:

[Image: A Sad System Protection]

FYI I believe fixing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f} requires a reboot. This adds to the fun of this issue. I’ll try to find a way around that if needed.
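
The check described in the post above, written as a read-only PowerShell script. This is an added example, not part of the original post and not a Kaspersky or Macrium tool. The key path, the volsnap entry, the AntiRansom4 service name and the folder path are the ones quoted in this thread; the value name UpperFilters, the function names and the use of Windows PowerShell 5.1 or later are assumptions of the example.

```powershell
# Added example: read-only check, changes nothing on the machine.
# Key path, service name and folder are the ones quoted in the thread.
$VolumeClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}'
$KartFolder     = 'C:\Program Files (x86)\Kaspersky Lab'

# Hypothetical helper: is volsnap still listed as an upper filter for volumes?
function Get-VolsnapFilterState {
    param([string]$Path = $VolumeClassKey)
    if (-not (Test-Path -LiteralPath $Path)) { return 'KeyMissing' }
    $prop = Get-ItemProperty -LiteralPath $Path -Name 'UpperFilters' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'ValueMissing' }
    # UpperFilters is REG_MULTI_SZ, so it comes back as a string array
    if (@($prop.UpperFilters) -contains 'volsnap') { return 'Present' }
    return 'VolsnapNotListed'
}

# Hypothetical helper: status and start type of a service, or NotInstalled
function Get-ServiceSummary {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }
    return "$($svc.Status) / $($svc.StartType)"
}

$report = [pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    VolsnapFilter   = Get-VolsnapFilterState
    VssService      = Get-ServiceSummary -Name 'VSS'
    KartService     = Get-ServiceSummary -Name 'AntiRansom4'
    KartFolderFound = Test-Path -LiteralPath $KartFolder
}
$report | Format-List

if ($report.VolsnapFilter -ne 'Present') {
    Write-Warning 'volsnap is not in UpperFilters: expect VSS and image backups to fail.'
}
```

A VSS service that reports Stopped / Manual is normal on an idle machine; the VolsnapFilter field is the one that corresponds to the "sad" System Protection state.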
-
Thanks PDWK.

Honestly my first exposure to this issue was VSS failure. I was making careful notes when I discovered this (your) excellent post in relation to CatRoot and DriverStore.

I’ve shared my notes below for anyone to read. They start nice and clean and slowly get messy as I learn more. I’ll clean it up once things settle.

I have a suspicion this issue came up when the KART application version automatically upgraded to 3.0.1.3660. I say this because I have compared application versions of working and dead machines. I’ve got screen shots in my messy notes to exemplify. The Product Version of anti_ransom_gui.exe is helpful to query on dead machines.

https://docs.google.com/document/d/1gDzDaWPk4s8L2eqP6qERVojFXUtevCaca2G7SmO0wK8/edit

Regarding reaching out to Kaspersky Support, I am struggling to find a Support URL for the Free KART, but I’ll keep looking. I’d bet the non-free KART has this same issue so I might try that.

It’s kinda sad Kaspersky has said nothing here. Hey Kaspersky, who cares if we are dealing with a free product? It’s possibly implicated in wacking computers. These free KART customers of mine are now afraid of Kaspersky. If the purpose of your free software is to transform them into paying customers, you had better act quick if you want to save mine.
-
I’m not ready yet to throw Kaspersky under the bus. This issue may be in combination with a faulty Microsoft KB Patch which we all know have been terrible for years. IE https://www.askwoody.com/ms-defcon-system/ I am a paying Kaspersky customer and I will reach out to their support channels regarding this issue. My priority is to communicate to my customers to remove KART (for now) and establish a working recovery process. I’ll post whatever new and helpful information I can here.
-
Hi Folks

I'm experiencing this issue as well. First it was from a friend/customer. Then I had it myself. I'm most grateful for the helpful hints in this thread.

I use Macrium Reflect so recovery was not that painful for us. I've intentionally recreated the issue on another laptop to learn recovery without the benefit of backups.

I believe a third step is necessary. I can replicate the need for this 3rd step repeatedly. If the files in C:\Program Files (x86)\Kaspersky Lab are not dealt with, the repaired CatRoot and DriverStore may be impacted on the next reboot.

I think the KART application directory needs to be renamed so its files are not found upon the next boot. I rename them rather than delete them, just in case.

C:\Program Files (x86)\Kaspersky Lab
C:\Program Files (x86)\Kaspersky Lab Old

After a successful boot, I then delete KART.

I hope this helps 😎

Take care
Steve