steve_paul_quinn
Posts posted by steve_paul_quinn
-
My bad. I did not see your comment, Aylo. I only saw the screenshot. It looks like you caught it in an interesting state. What an interesting problem this is. Gotta put a positive spin on it, as we are all learning quite a bit here. Albeit with less sleep :-)
-
Alyo. Is that the state of one of your machines?
No UpperFilters, yet System Protection appears? If so, my advice is wrong.
There might be a less lazy way to query the state of VSS, but I use the free Macrium Reflect.
The GUI has a convenient "View VSS Events" and "Fix VSS Problems".
It would be interesting to see if your VSS is happy or not.

-
Thanks PDWK. My concern is locking myself out of helping my customer remotely.
Guiding them to restore a normal msconfig would be hard blind.
I'm going to experiment with KART on a VM. I know TeamViewer has a Safe Mode boot that obviously includes the Safe Mode with Networking option. It sometimes works, which is cool.
I hope to find the minimal adjustments required to prevent KART from starting.

-
The bus quote was because Intrepid misquoted your comment as mine. I did not mean to offend, if I did.
Interestingly, my daily driver laptop has many other UpperFilters entries. It's a popular place for other applications, it seems:
mrcbt appears to be Macrium
eudcpepm appears to be EaseUS

To answer your question about renaming/uninstalling KART, it depends on where I am.
If I'm in a CatRoot/DriverStore recovery process, I will be in the Macrium Reflect PE environment. It's easy to rename/delete it there :-)
Thanks for the VSS restart info, it will save me time trying.
The perfect storm is my current customer's machine:
Windows is working, I'm logged in with TeamViewer!
UpperFilters was gone and is now fixed.
VSS was failing for x days and there are no current Macrium backups.
KART is installed; I have uninstalled it.
CatRoot is OK.
DriverStore is OK.
I'd really like to do a Macrium backup, but I cannot without VSS.
To be super duper safe, I hope some startup management, safe mode, or msconfig kung fu can at least prevent the next reboot from using KART if, for whatever reason, it's still present.
Some of my customers are a 100 km return trip!
Hope that makes sense.
-
Hi folks
Intrepid, not to throw PDWK under the bus, but you misquoted me. It's easy to do with the layout of forum posts. In terms of accountability, you may want to first review the KART EULA. It may in fact absolve Kaspersky from any damage. Just being honest.
Back to the solution ...
I've spent much of yesterday running around cleaning up from the mess this caused, so I've had little time to troubleshoot.
I have now seen 3 computers with a missing UpperFilters registry entry in the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}
These computers were still working, but without the UpperFilters volsnap entry, VSS is silently failing. Automated Macrium backups are thus failing, and soon I think CatRoot and DriverStore will be whacked on a future reboot. I have 1 workstation with proof this happened.
I have a customer now who has yet to reboot in this exact state. I cannot rename C:\Program Files (x86)\Kaspersky Lab as the files are in use. I think I'll visit using msconfig to manually disable the software so at least it's not running on the next reboot.
I think I've got 10 very unhappy customers now who are afraid of Kaspersky. I've got a bunch more ticking time bombs out there as we speak. What a nightmare.
Folks, even if you have a fixed or working machine, please double check VSS is happy. An easy way I found is to try to open the System Properties thingy. It normally looks something like this.

A Happy System Protection
If UpperFilters/volsnap is missing from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}, opening System Protection reveals this:

A Sad System Protection
FYI, I believe fixing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f} requires a reboot. This adds to the fun of this issue. I'll try to find a way around that if needed.
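A scripted version of the check the post above describes, added here as an example (not code from the forum post or from Kaspersky): it reads the UpperFilters value on the Volume device class key quoted in the thread, confirms volsnap is listed, and asks VSS whether its writers are healthy. It assumes an elevated PowerShell session on the affected Windows machine and is read-only, so it changes nothing.

```powershell
# Added example, not from the forum post. Read-only health check for the symptom
# described in the thread: volsnap vanishing from UpperFilters on the Volume
# device class key, which leaves VSS (and VSS-based backups) silently broken.
$ClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}'

function Test-VolsnapUpperFilter {
    param([string]$Path = $ClassKey)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item -or -not ($item.PSObject.Properties.Name -contains 'UpperFilters')) {
        Write-Warning "No UpperFilters value under $Path (the broken state from the thread)"
        return $false
    }
    $filters = @($item.UpperFilters)   # REG_MULTI_SZ arrives as string[]
    Write-Host "UpperFilters: $($filters -join ', ')"
    if ($filters -contains 'volsnap') { return $true }
    Write-Warning 'UpperFilters exists but volsnap is not listed'
    return $false
}

function Test-VssWriters {
    # A healthy writer reports "State: [1] Stable" and "Last error: No error".
    $svc = Get-Service -Name VSS -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Warning 'VSS service not found'; return $false }
    Write-Host "VSS service: $($svc.Status), start type $($svc.StartType)"
    $output = & vssadmin.exe list writers 2>&1 | Out-String
    $unhealthy = [regex]::Matches($output, 'State:\s+\[\d+\]\s+(?!Stable)\S+') | ForEach-Object { $_.Value }
    $errors    = [regex]::Matches($output, 'Last error:\s+(?!No error).+')    | ForEach-Object { $_.Value }
    if ($output -match 'Writer name' -and $unhealthy.Count -eq 0 -and $errors.Count -eq 0) { return $true }
    # No writer list at all means vssadmin could not talk to VSS; report whatever it said.
    if ($output -notmatch 'Writer name') { Write-Warning $output.Trim() }
    $unhealthy + $errors | ForEach-Object { Write-Warning $_ }
    return $false
}

$filterOk = Test-VolsnapUpperFilter
$vssOk    = Test-VssWriters
if ($filterOk -and $vssOk) {
    'VSS looks healthy'
} else {
    'VSS needs attention: take a backup by other means before the next reboot'
}
```

Fixing a missing UpperFilters value still needs the reboot the post mentions; this script only tells you whether the machine is in that state.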
-
Sorry folks. I cannot find any support process for the free KART. I only hope Kaspersky sees this thread and reaches out. I've got to reach out to multiple customers to uninstall it for now.
-
Thanks PDWK. Honestly, my first exposure to this issue was VSS failure. I was making careful notes when I discovered this (your) excellent post in relation to CatRoot and DriverStore.
I've shared my notes below for anyone to read. They start nice and clean and slowly get messy as I learn more. I'll clean it up once things settle.
I have a suspicion this issue came up when the KART application version automatically upgraded to 3.0.1.3660. I say this because I have compared application versions of working and dead machines. I've got screenshots in my messy notes to exemplify. The Product Version of anti_ransom_gui.exe is helpful to query on dead machines.
https://docs.google.com/document/d/1gDzDaWPk4s8L2eqP6qERVojFXUtevCaca2G7SmO0wK8/edit
Regarding reaching out to Kaspersky Support, I am struggling to find a Support URL for the free KART, but I'll keep looking. I'd bet the non-free KART has this same issue, so I might try that. It's kinda sad Kaspersky has said nothing here.
Hey Kaspersky, who cares if we are dealing with a free product? It's possibly implicated in whacking computers. These free KART customers of mine are now afraid of Kaspersky. If the purpose of your free software is to transform them into paying customers, you had better act quickly if you want to save mine.
-
I'm not ready yet to throw Kaspersky under the bus. This issue may be in combination with a faulty Microsoft KB patch, which we all know have been terrible for years, i.e. https://www.askwoody.com/ms-defcon-system/
I am a paying Kaspersky customer and I will reach out to their support channels regarding this issue. My priority is to communicate to my customers to remove KART (for now) and establish a working recovery process.
I’ll post whatever new and helpful information I can here.
-
Hi Folks
I'm experiencing this issue as well. First it was from a friend/customer. Then I had it myself.
I'm most grateful for the helpful hints in this thread. I use Macrium Reflect, so recovery was not that painful for us.
I've intentionally recreated the issue on another laptop to learn recovery without the benefit of backups. I believe a third step is necessary. I can replicate the need for this 3rd step repeatedly.
If the files in C:\Program Files (x86)\Kaspersky Lab are not dealt with, the repaired CatRoot and DriverStore may be impacted on the next reboot.
I think the KART application directory needs to be renamed so its files are not found upon the next boot.
I rename them rather than delete them, just in case:
C:\Program Files (x86)\Kaspersky Lab
becomes
C:\Program Files (x86)\Kaspersky Lab Old
After a successful boot, I then delete KART.
I hope this helps 😎
Take care
Steve
Any connection between KART 5 (3660) and BSOD Critical Service Failed
in Kaspersky Anti-Ransomware Tool
A quick update
I wanted a foolproof KART uninstall from a working or recently fixed machine, just in case the KART uninstaller failed. This is such an ugly issue, I don't want to take any chances.
From what I found:
The anti_ransom_gui.exe task can easily be stopped.
The AntiRansom4 service CANNOT be set to manual or disabled without further investigation.
Even sc config AntiRansom4 start=disabled fails.
Manually attempting to change Start in Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntiRansom4 appears protected.
I resorted to using Kaspersky's own tool, kavremvr.exe:
https://support.kaspersky.com/common/uninstall/1464
It's fun to get in Canada; I need to use the Tor Browser, YMMV.
It worked great; doing more tests.
Ugly notes here:
https://docs.google.com/document/d/1gDzDaWPk4s8L2eqP6qERVojFXUtevCaca2G7SmO0wK8/edit