Troubleshooting help with KIS

Discussion in 'other anti-virus software' started by candes, May 15, 2010.

Thread Status:
Not open for further replies.
  1. candes

    candes Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    28
    Troubleshooting help with KIS--- Update---It was KIS all along

    Ok now the other issue is done with... Whatever... LOL..

    My XP media edition computer has extreme difficulty shutting down. By running the hive user profile cleanup service, I was able to reduce the severity of the issue. And I was able to trace the problem to the file klwtblfs.exe, and am intent on disabling it. In the meanwhile, I also had a new problem develop likely from a Windows update, and IE8 had great difficulty retaining cookies.

    I was able to get the cookie issue resolved (I think) by disabling the 2 "check url" boxes under the web protection settings. I also previously unchecked the phishing box.

    My next step was to disable the KIS IE add-on. But when I opened the add-on configuration box, I could not view the add-ons. I later realized that the add-ons were there, but the area to view them was less than a millimeter. With some ingenuity and persistence, I was able to use my keyboard down arrow and hit enter every time until I got to the KIS item I was looking for. At this point, I disabled both KIS add-ons including the virtual keyboard I do not use.

    The hive error in my event viewer is now gone. But the shut down problem still exists. I get a box telling me that rundll32.exe is not responding. Before you tell me all the reasons for this happening, I have looked into this already. And believe it is linked to KIS.

    The rundll32.exe does not start running until I shut down IE. Could this be related to IE clearing my temp files on shutdown? Which does bring something to mind... The KIS sandbox function. Just a thought....

    Upon further inspection after I shut down IE, AVP.exe and rundll32.exe both rev up together. AVP.exe hits about 50% CPU, and Rundll32.exe hits about 5%. This persists until I try to shut down windows, and the rundll32.exe stops responding.

    Another question is, can I remove reference to the 2 KIS IE add-ons via HijackThis?

    I could really use some help here. Thanx folks! :)
     
    Last edited: May 18, 2010
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    just disable web protection module (and any other module apart from AV and FW) in KIS if it causes issues on your config. Your machine is always protected by real-time scanner
     
  3. candes

    candes Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    28
    If I understand you correctly, you are saying the whole "web protection" deal. Correct? Right now I have block dangerous scripts and med heuristics enabled. I will try it BRB.

    Thanx :)
     
  4. Syncman9

    Syncman9 Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    113
    Location:
    UK
    If you disable the web protection, you'll lose the check against dangerous scripts as well.

    You can make this change more permanent if you so wish, by changing what has been installed. The installer will allow you to uninstall any of the main functions, and thus avoid the constant nag message that your system isn't fully protected.
     
  5. candes

    candes Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    28
    My DH was hungry, and we went out to dinner. Anyways, it didn't fix the issue. Well, since it didn't fix anything, I will enable protection against dangerous scripts and med heuristics again.

    I also failed to mention that my processor gets worked out big time by AVP.exe when IE is being used.

    Update----Instead of double posting, I will just edit this.

    HOLY COW!!!! I just fixed it! Although once windows closes down it still takes longer than I feel it should to complete the shutdown process. And my computer no longer sounds like a huge jet taking off.

    The problem is that my fix can't stay. Major security issue if I did. But it does give us a major clue as to where to be looking. I added rundll32.exe to the exclusions, and ticked every box. I guess I can add each one back one by one to see if I can minimize the threat to my system. Off to tinker. :)

    Thanx folks! :)
     
    Last edited: May 15, 2010
  6. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    Yes. If you were running MD, you would be prompted every time for a command something like "rundll32.exe C:\WINDOWS\system32\inetcpl.cpl,ClearMyTracksByProcess". Just another reason I like using a HIPS so much. You can really use it to learn what is going on "behind the scenes".

    I think you're seeing the CPU spikes in AVP.EXE because it is scanning your cache files as they are deleted.

    Perhaps there is a file in your cache that rundll32.exe is having a hard time deleting. Have you checked the cache folder to make sure that it is empty?

    P.S. - What is a DH?
     
  7. candes

    candes Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    28
    Ok I found which box needs to be ticked off for the exclusions. My processor is running a lot heavier with just the one box ticked, but not as bad as before. And windows logs off ok. And of course the exclusion I need for rundll32.exe is to "not scan open files". LOL... So anyone have a clue as what to do next? Obviously rundll32.exe and AVP.exe do not get along.

    DH means dear husband. Yes I feel deleting those files on IE shutdown is causing issues. Although there are IE issues while running too, and not just closing. (Computer sounding like a jet plane while IE runs with KIS running is the tipoff. LOL...)

    Anyways, I clean my cache out manually on a daily basis. To make sure nothing is left behind. I suppose I could uncheck that option from IE to see what happens. Since a windows update, it does take longer to empty with KIS running.

    Sometimes I get the feeling like this just isn't a good product anymore. And I can just keep tearing it apart piece by piece until nothing is left of my protection. LOL... And just change my whole life around to suit it too. Like a cranky baby. I paid for 3 computers and have a long time to go. Sigh..

    Update.... Had to tick all the boxes again. It still runs way too hard on my processor. My processor deserves a break. I was backing up daily figuring on KIS killing my computer.
     
    Last edited: May 15, 2010
  8. candes

    candes Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    28
    Well, I checked on my rundll32.exe and it is strictly associated with windows files. I am debugging it, never did that before. I guess this is a learning experience.

    Turning off the "empty temp internet files", did squat. Was worth a shot though.

    Please correct me if I am wrong, since I don't know anything compared to you folks. But is this pointing to an outright conflict with KIS, IE8, and the OS?

    Hey I just want to thank you folks for helping. You really got the wheels spinning in my head and helped make things happen. :) I feel like I am almost there in solving my issue! :)
     
  9. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    could you check your event viewer logs?
    http://support.microsoft.com/kb/308427

    you are looking for errors/warnings. Just to see if there is an explanation why your comp is running so hard
     
  10. candes

    candes Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    28
    My event logs are better than ever now. I would have to say that with the last days tinkering with KIS, there are no events. Previously I had regular KIS errors associated with klwtblfs.exe And also the associated registry write errors.

    Event Type: Information
    Event Source: UPHClean
    Event Category: None
    Event ID: 1401
    Date: 5/6/2010
    Time: 6:49:16 PM
    User: xxxxxx\xxxxx
    Computer: xxxxxx
    Description:
    The following handles in user profile hive xxxxx\xxxxxx (S-1-5-21-606747145-1343024091-725345543-1004) have been remapped because they were preventing the profile from unloading successfully:

    klwtblfs.exe (3552)
    HKCU\Software\Classes (0x60)
    HKCU\Software\Classes (0xd4)
    HKCU\Software\Classes (0xf4)
    HKCU (0x134)
    HKCU\Software\Classes (0x13c)
    HKCU\Software\Classes (0x158)
    HKCU\Software\Classes (0x174)
    HKCU\Software\Classes (0x188)


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
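
A parser for the UPHClean event 1401 text posted above, as an added example that is not part of the original thread: it attributes each remapped registry handle to the process that held it and totals them across events, so the process blocking profile unload stands out. The sample event is constructed from the format shown in the post; the user name and SID are placeholders and `example.exe` is a hypothetical second process.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the UPHClean event 1401 posted above.
# User and SID are placeholders; example.exe is a hypothetical second process.
SAMPLE_EVENT = """\
Event Source: UPHClean
Event ID: 1401
Description:
The following handles in user profile hive EXAMPLE\\user (S-1-5-21-0-0-0-1004) have been remapped because they were preventing the profile from unloading successfully:

klwtblfs.exe (3552)
HKCU\\Software\\Classes (0x60)
HKCU\\Software\\Classes (0xd4)
HKCU (0x134)

example.exe (1200)
HKCU\\Software\\Example (0x88)
"""

# "image (decimal pid)" opens a group; "HK... (0xhandle)" lines belong to it.
PROC_RE = re.compile(r"^\s*(?P<image>[^()]+?)\s+\((?P<pid>\d+)\)\s*$")
HANDLE_RE = re.compile(r"^\s*(?P<key>HK[^()]*?)\s+\((?P<handle>0x[0-9a-fA-F]+)\)\s*$")


def parse_remapped_handles(description):
    """Return {(image, pid): [(registry_key, handle), ...]} for one event."""
    owners = defaultdict(list)
    current = None
    for line in description.splitlines():
        handle = HANDLE_RE.match(line)
        proc = PROC_RE.match(line)
        if handle and current is not None:
            owners[current].append((handle["key"], int(handle["handle"], 16)))
        elif proc:
            current = (proc["image"].lower(), int(proc["pid"]))
    return dict(owners)


def rank_offenders(descriptions):
    """Total remapped handles per image name across events, worst first."""
    totals = Counter()
    for text in descriptions:
        for (image, _pid), handles in parse_remapped_handles(text).items():
            totals[image] += len(handles)
    return totals.most_common()


if __name__ == "__main__":
    for image, count in rank_offenders([SAMPLE_EVENT]):
        print(f"{image}: {count} handle(s) blocked profile unload")
```
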
     
  11. candes

    candes Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    28
    I am soo sorry for double posting so much. But systematically writing things out here is really helping.

    Another light bulb just went off. I was exploring the rundll32.exe process and found something majorly big. I saw that DEP was on for IE8.

    KIS has always had major problems running with Windows DEP. So I always run with the noexecute=optin.

    Was not aware that there were 2 separate DEP's to shut off. That could be the problem right there! Oh my goodness... Could it just be one simple check box? LOL.... Will update you all.

    Update... So far it is a go! I disabled DEP in IE8 and unchecked the boxes for the rundll32.exe exclusions. I got right out of windows. But my computer still sounds like a jet. I am halfway there.

    Updated yet again..... I thought I had it. My first 3 log-out attempts went smoothly. The 4th failed. I can usually solve most computer problems. But not this one. LOL....

    Is it safe to add rundll32.exe to the "threat and exclusions", "trust applications" folder and check all 4 boxes? Only fix I can find... Then all will be well. :)
     
    Last edited: May 16, 2010
  12. candes

    candes Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    28
    Well, it looks like I have finally found many answers. The last one (#5) is a whopper. Knowing what I know now, I should have saved my time and bought new software from another company.

    1. Windows DEP has always been an issue with KIS and it operates better with it disabled. It is in IE8 too now. (Yes 2 places.) And I disabled the 2nd instance for safe measure. It did help a little.

    2. I had to run the user profile hive to even get windows to close. At the very least the file klwtblfs.exe (I suspect more KIS files.) needed help shutting down. I disabled it.

    3. If you pause protection for say 3 minutes (to get your cookies to work.), you will not be able to enable it before the 3 minutes are up. KIS will stay in starting mode until you close down your browser windows. Then it will enable itself.

    4. KIS froze up my IE add-ons box in a small unusable and unadjustable size. I recall it being like this the day I reinstalled KIS after a reformat. I just never bothered with it. Once I temporarily (for troubleshooting) added rundll32.exe to the KIS trusted section, I was able to adjust the size. And it stayed that way!

    5. KIS file antivirus is the main problem here. Most notably "on access" and "smart mode" scanning. Use strictly "on execution", and it works fine. (Not suggested.) But this is all related to the next paragraph.

    The file antivirus portion of KIS is very picky about when you open your IE8 browser. (Not sure about other IE versions.) For example, I have my IE start up automatically with windows. Once this is done, KIS is upset and will open many instances of rundll32.exe (inetcpl.cpl) , and keep them running during your entire browsing session. And they won't unload with the closing of your IE browsers either. Thus rundll32.exe will not respond on windows exit. I am not a computer brainiac, but would it be safe to assume that KIS is not hooking the OS properly? And is conflicting with IE? Anyways, don't load IE with windows start up, and you won't have those problems.

    The file antivirus also doesn't like it when you "clear your browser history on exit". Once again affecting rundll32.exe So this needs to be unchecked. I also have empty temp files unchecked for safe measure.

    There is more to be done. But this software has sucked the life out of me. I was determined since I have nearly 2 years left for 3 computers. But I could have worked 2 hours of overtime at work and bought 3 years of coverage with another Internet security provider. I was stupid. The KIS cookie problem still mildly persists. (Facebook sweepstakes are a big problem though.) But I will save that for tomorrow. I figure I have invested this much time already.... Oh, and I almost forgot. KIS prefers that you use your computer while standing on your head too. (Just kidding) LOL...
     
    Last edited: May 18, 2010