
Posted

My Windows 10 laptop recently got infected with malware. For the past year I had Kaspersky Premium on it, and at the beginning of this month (June 2024) it flagged a program as "AdWare". I thought that was it, but after using KVRT, as someone from Kaspersky instructed me by email, it found another executable. This was a big problem because I had kept using my laptop in the meantime, as I thought Kaspersky had removed the threat.

I saved all my data and reinstalled Windows from scratch, only to find my laptop infected again; this time I used multiple tools to scan it, such as Norton Power Eraser, KVRT, Malwarebytes, HitmanPro, and RogueKiller from Adlice Software. I think I removed all the malware by using these and other commands (sfc /scannow, chkdsk, etc.), but now, unfortunately, as I tried to install Google Chrome these executables appeared in Kaspersky's Intrusion Prevention (it scared me because it is similar to the behavior I observed after I found malware the second time, before reinstalling Windows). Is this all right? Is it normal for these programs to appear in Intrusion Prevention after installing Chrome, or is this still unusual behavior?

During this whole process I corresponded with a Kaspersky official by email, but they took around 4 days to respond to each message, which is a lot considering the situation I am in.

*The screenshots with Kaspersky - Intrusion Prevention in dark mode are from before reinstalling Windows, and there were over 100 files of this type.

I will put screenshots below with the current situation in Intrusion Prevention, as well as a few of the results I got from scans after reinstalling Windows. The files appear twice because I tried to install Intrusion Prevention twice.

[Attached screenshots: Screenshot (2).png, Screenshot (85).png, Screenshot (86).png, Screenshot (87).png, Screenshot (88).png, Screenshot (89).png, Screenshot (84).png, Screenshot (82).png, Screenshot (83).png, Screenshot (90).png, Screenshot (91).png, Screenshot (71).png, Screenshot (76).png, Screenshot (1009).png, Screenshot (1010).png, Screenshot (1011).png, Screenshot (1012).png, Screenshot (1013).png, Screenshot (994).png]

Posted (edited)

At the end I meant to say: “I tried to install Google Chrome twice”*

Edit: Also, in the meantime more executables appeared in the list after I uninstalled Google Chrome. I will disconnect my laptop from the internet for the moment. Waiting for your response 👍🏻

Edited by Tudor
harlan4096
Posted

Welcome to Kaspersky Community.

In Intrusion Prevention -> Manage Applications, click on Clean up, and check again.

Delete the files in the Temp folders C:\Windows\Temp and C:\Users\<Your account user>\AppData\Local\Temp.

Some files look like a malicious patch; just remove them manually.

Download the AdwCleaner tool and run it, and post the log of the detections here.

  • Like 2
Posted

I followed the steps you requested. After cleaning up Intrusion Prevention, only the Google Chrome Installer remained, with a low popularity score.

The thing is, I cannot delete these files manually, because when I try to follow the path, the folder they are in doesn't appear (I have "show hidden files" turned on, and tried running File Explorer as admin and other solutions I found online). When I right-click on them in Kaspersky and select "Open folder location", it just opens the "This PC" section. When I check their history in the Kaspersky app, each has been run about 2 times, some more.

I already had AdwCleaner installed but forgot to mention it.

I added images with the txt file from AdwCleaner, because it did not allow me to attach it to this reply, and one with the Intrusion Prevention page after the clean up.

If you think I should do further scans or anything else, please let me know. I am very committed to getting rid of this and making sure everything is fine.

[Attached screenshots: Screenshot (100).png, Screenshot (101).png, Screenshot (102).png, Screenshot (103).png]

harlan4096
Posted

Can you collect those leftover files, compress them, upload them to a free cloud service, and send me the download link via personal message on the community?

After that, just remove all those leftovers manually.

Added: unhide files and system folders in your Windows folder options.

  • Like 1
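The two replies above describe the steps by hand (unhide hidden and system files, collect and hash the leftovers before removing them, empty the two Temp folders). The script below is an added example, not code from the thread or from Kaspersky, that does the same from an elevated PowerShell 5.1 prompt on Windows 10. It assumes the paths in $Leftovers are placeholders to be replaced with the exact paths Intrusion Prevention shows; the Intrusion Prevention "Clean up" button and AdwCleaner are GUI actions and are not scripted here.

```powershell
# Added example, not from the thread or from Kaspersky: the manual steps in the two
# replies above as PowerShell. Run from an elevated (Administrator) PowerShell 5.1+ prompt.
# ASSUMPTION: $Leftovers holds placeholder paths; replace them with the exact paths that
# Intrusion Prevention shows for the files you could not delete by hand.
$Leftovers = @(
    "$env:LOCALAPPDATA\Temp\example-leftover.exe"   # placeholder, not a real detection
)
$OutDir = Join-Path $env:USERPROFILE 'Desktop\leftovers'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- Step 1: "unhide files and system folders" --------------------------------------
# Explorer hides files with the Hidden attribute and, separately, files carrying the
# System attribute ("protected operating system files"). Both switches live under this
# key; Explorer applies them after it restarts.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord   # show hidden files
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord   # show System-attribute files
Set-ItemProperty -Path $adv -Name HideFileExt     -Value 0 -Type DWord   # show real extensions (.exe)
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue          # Windows normally restarts the shell;
                                                                          # if it does not, run explorer.exe

# --- Step 2: record what the leftovers are BEFORE touching them ---------------------
# Get-Item -Force sees Hidden/System items that a plain Explorer browse misses, which is
# the usual reason a folder "doesn't appear" when following the path by hand.
$Found = foreach ($p in $Leftovers) {
    $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { Write-Warning "Not found (already gone, or path differs): $p"; continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $p
    [pscustomobject]@{
        Path       = $item.FullName
        SizeBytes  = $item.Length
        Attributes = $item.Attributes            # look for Hidden, System, ReparsePoint
        Created    = $item.CreationTime
        SHA256     = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        SigStatus  = $sig.Status                 # Valid / NotSigned / HashMismatch ...
        Signer     = $sig.SignerCertificate.Subject
    }
}
$Found | Format-List
$Found | Export-Csv -LiteralPath (Join-Path $OutDir 'leftovers-inventory.csv') -NoTypeInformation

# --- Step 3: zip the files for the helper, then delete the originals ----------------
if ($Found) {
    Compress-Archive -LiteralPath $Found.Path -DestinationPath (Join-Path $OutDir 'leftovers.zip') -Force
    $Found.Path | ForEach-Object { Remove-Item -LiteralPath $_ -Force }
}

# --- Step 4: empty the two Temp folders named in the first reply --------------------
foreach ($dir in @("$env:SystemRoot\Temp", "$env:LOCALAPPDATA\Temp")) {
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue   # files in use are skipped, not fatal
}
```

The inventory step is the part worth keeping even if the files turn out to be harmless: the SHA256 hashes and signature status (for example a Chrome installer signed by Google versus an unsigned executable in a Temp folder) let whoever helps you look the files up without needing the binaries, and they survive the deletion in Step 3. Note that real-time protection may detect or quarantine the archive created in Step 3, since it contains the very files being investigated.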
Posted

From the beginning:

I do not believe you were actually infected with real malware...

And I do not see any further malware detection.

There is no report from a scanner that indicates you are infected.

Relax and just delete those useless scanners (especially NPE and HitmanPro...).

 

  • Like 1
Posted

The only file that I can access even with these settings is the Google Chrome Installer; I can send it to you if you want. The RogueKiller app is part of the RogueKiller antivirus.

I will add a screenshot with what appears when I try to follow the path of one of the files that appeared before the clean up.

[Attached screenshot: Screenshot (104).png]

Xzz123

I will attach here the first detection I got from Kaspersky. And the error I got afterwards. Tell me your thoughts.

[Attached screenshots: Screenshot (982).png, Screenshot (986).png]

Posted

As far as I can see from the first screenshot, there is nothing to worry about.

The third screenshot shows that potentially unwanted software was detected; the risk is low, from my understanding.

May I ask if there is still any symptom that you suspect indicates the presence of malware?

(Please note, I am not an expert from Kaspersky; my point of view could be wrong.)

Posted

@Xzz123

Yes, this is how it went:

I saw the first detection and didn't think much of it; I prompted a disinfection and that was that.

I reported the issue to Kaspersky, along with the fact that my SSD was running hotter than normal. They sent me KVRT by email and told me to do a scan (this was a week after the first detection), and it got another detection, a different executable this time. That's when I began to be worried; I did a clean reinstall of Windows only to find other suspicious files, and here we are today trying to figure out what to do next.

Posted

Next time, you can use KRD when you worry too much.

That way any rootkit will reveal itself.

  • Like 2
Posted

Thank you, that is great info!
