KAVICHS streams attached to everything

Paul

I did try Unhackme trial. I only ran it ca couple times but when I tried to run it again it just comes up as trial expired. The version I was using is suppose to give 10 uses but guess I got cut short this time.
Otherwise I sure would give it a try again. I did send one of the files. I sent the file in exe form and I RAR'ed it. LWM says if you use Winzip the stream doesn't get included with a file.

Bruce

 

Yes I suppose so lol

Thing is I have those same DLLS on another machine and RKDetector does not flag them as suspicious other then the same hooked DLLS.
How does KAV mask the file while it is running?
I have lpk,usp10 on both computers and only one has those dlls flagged as suspicious
both show the hooked dlls the same.

Why would KAV only tag one video file out of many before I uninstalled it?
Does not make any sense.

But instead of taking anymore of this thread I will just go ahead and reformat.



*SUSPICIOUS MODULE!! c:\windows\system32\lpk.dll
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\usp10.dll
-------------------------------------------------------------------------------
*WARNING! MODULE c:\windows\system32\msvcrt.dll SEEMS TO BE HOOKED
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\program files\webroot\spy sweeper\sis.dll
-------------------------------------------------------------------------------
*WARNING! MODULE c:\windows\system32\oleaut32.dll SEEMS TO BE HOOKED
-------------------------------------------------------------------------------
*WARNING! MODULE c:\windows\system32\ole32.dll SEEMS TO BE HOOKED

Bruce

 

Have you ever tried removing a million streams with Hijackthis?

Um does anybody else think you need a select all button?

Bruce

 

Hi Bruce

An "easy" option is NTFS Streams Eraser from Excessive software, it's fast.

 

Thanks everybody for helping me along with this problem.

No wonder it takes KAV so long and KAV is a system hog lol
Adding all those streams to every file on your hard drive has to take a while.

Special thanks to DCS for TDS-3 and Don for the fast removal tool.

I dought I will ever tough a Kaspersky product again


Bruce

 

Wow....i THINK i like it .....can not get this site to load Smilies...that may change with reboot.....that scanner has been running for 15 mins now........ok...i should have waited to post, but i was so happy watching it eat Kav and being Christmas Eve and being well along with some fine beer......well you understand...
so i will go out on that limb a bit and say thank you Don for a super Christmas present......................and a HUGE MERRY CHRISTMAS TO ALL AND TO ALL A GOODNIGHT

 

But KProcCheck can at least show show you a bit more than most. This was done during PG beta test requested by Jason

C:\Documents and Settings\*\Desktop\kproccheck\KProcCheck>kproccheck -t
KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2

Checks SDT for Hooked Native APIs

KeServiceDescriptorTable 80559B80
KeServiceDescriptorTable.ServiceTable E17A0B58
KeServiceDescriptorTable.ServiceLimit 297

ZwClose 19 \SystemRoot\System32\drivers\klif.sys [F6EA6C00]
ZwCreateFile 25 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB8
C8E]
ZwCreateKey 29 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB7
768]
ZwCreateProcess 2F \SystemRoot\System32\drivers\klif.sys [F6EA6920]
ZwCreateProcessEx 30 \SystemRoot\System32\drivers\klif.sys [F6EA6A90]
ZwCreateSection 32 \SystemRoot\System32\drivers\klif.sys [F6EA6D40]
ZwCreateSymbolicLinkObject 34 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB
836C]
ZwCreateThread 35 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB8
6DC]
ZwFsControlFile 54 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB8
DD8]
ZwOpenFile 74 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB8
AD6]
ZwOpenKey 77 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB7
6BE]
ZwOpenProcess 7A \SystemRoot\System32\drivers\klif.sys [F6EA6720]
ZwOpenSection 7D \??\C:\WINNT\system32\drivers\procguard.sys [F8AB8
1A6]
ZwProtectVirtualMemory 89 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB8
140]
ZwQueryInformationFile 97 \SystemRoot\System32\drivers\klif.sys [F6EA722E]
ZwReadVirtualMemory BA \??\C:\WINNT\system32\drivers\procguard.sys [F8AB8
10C]
ZwRequestWaitReplyPort C8 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB5
CAA]
ZwSetContextThread D5 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB8
9DC]
ZwSetInformationProcess E4 \SystemRoot\System32\drivers\klif.sys [F6EA8DF0]
ZwSetSystemInformation F0 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB9
7A0]
ZwSetValueKey F7 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB7
AFA]
ZwSuspendThread FE \??\C:\WINNT\system32\drivers\procguard.sys [F8AB8
A30]
ZwTerminateProcess 101 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB8
0E2]
ZwTerminateThread 102 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB8
A06]
ZwWriteVirtualMemory 115 \??\C:\WINNT\system32\drivers\procguard.sys [F8AB8
006]
Unknown API 11C \SystemRoot\System32\drivers\klif.sys [F6EA5C50]
Unknown API 11D \SystemRoot\System32\drivers\klif.sys [F6EA5C60]
Unknown API 11E \SystemRoot\System32\drivers\klif.sys [F6EA5C70]
Unknown API 11F \SystemRoot\System32\drivers\klif.sys [F6EA5C90]
Unknown API 120 \SystemRoot\System32\drivers\klif.sys [F6EA5CB0]
Unknown API 121 \SystemRoot\System32\drivers\klif.sys [F6EA5CE0]
Unknown API 122 \SystemRoot\System32\drivers\klif.sys [F6EA5CF0]
Unknown API 123 \SystemRoot\System32\drivers\klif.sys [F6EA5D10]
Unknown API 124 \SystemRoot\System32\drivers\klif.sys [F6EA5D20]
Unknown API 125 \SystemRoot\System32\drivers\klif.sys [F6EA5D40]
Unknown API 126 \SystemRoot\System32\drivers\klif.sys [F6EA5D60]
Unknown API 127 \SystemRoot\System32\drivers\klif.sys [F6EA5DA0]
Unknown API 128 \SystemRoot\System32\drivers\klif.sys [F6EA5DE0]

WARNING: KiServiceTable is located outside ntoskrnl.exe

Number of Service Table entries hooked = 38

 

Thank you pilli

ANother Christmas Present.

I wish I had one to give in return.

I am going to give this one a try

Bruce

 

Glad to have helped Controller.

The link for others that may be interested is here:
http://www.security.org.sg/code/kproccheck.html

Be aware that this is BETA software so all normal back up precautions should be taken. Please read the on site help file before using this utility.

Cheers. Pilli

 

Just an update........so far so good....everything seems ok and TDS no longer finds streams.............not sure how this will affect things like pics.....anyone with any thoughts on this

 

I have to say thanks as well, to Don for the link and Excessive-software for the NTFS Eraser. My story is that I tried the Kaspersky 'Online' scanner, ran it only once then left it installed. I then purchased Raxco's First Defense and found that about 55 jpg, gif and png files "were in use". I used TDS to scan, not specifically for the ADS, but the same number popped up, same names. I tried to clean the files with TDS3 but they became 'defaced' again shortly thereafter. After trying to clean these numerous times, I tried 'multiple cleans' with TDS and was successfull with some files (no reappearance of streams) but others seemed uncleanble. I just used the NTFS eraser, scanned with TDS and everything is gone. First Defense now reports no errors when backing up. What a relief. (This may be because MTFS Eraser cleaned the files in FD's $ISR\1 and \2 and \3, not just the active snapshot.
One last thing, NTFS Eraser showd MULTIPLE streams on some files, which TDS didn't.
Plus I'll tell Raxco in case anyone else has this problem.
Thanks, thanks, thanks!
Jim

 

I don't understand why that program flags something based on hooks alone?
There are alot of legit programs that create "Global Hooks" and need to in order to function properly ... correct?

 

Hi S!x, KAV 5 personal does create streams, it has nothing to do with cracked versions.

Pilli

 

Edited for stupidity ... wasnt anything left after that

 

Hi S!x, No need for a link, unfortunately those warez sites are all to easy to find

 

Remove KAV added streams by using Kaspersky's klstreamremover.exe tool :

http://www.kaspersky.com/faq?qid=156666512

MrC

 

Nice one MrC Thank you

Important: you need to make sure Kaspersky Anti-Virus is uninstalled prior to running of the utility

Pilli

 

Thanks, this is the best option.

 

go to kaspersky site, download tag stream remover... and that's done.
fully explained on kaspesky site.
here is the link:

http://www.kaspersky.com/faq?qid=156666512

 

The one thing that really cracks me up with people that think they know all about ADS streams is they think Kav put the streams there.. Kav does not put them there they just use the ones that windows already has there. They just put a check sum in the streams to check if anything has been changed. the info Kav puts there can be removed in a matter of minutes with NTFS streams eraser