Solved KVRT remnants

simmerskool

Whilst doing something else in my Win10 (EOL + 0patch) I discovered that KVRT still had 2 active low-level drivers (services) running, despite it not having run in many months and also being deleted. They also could not be stopped while Win10 was running; I used PowerShell to remove them during reboot. I have no idea what they were doing, or perhaps this is just a red herring, but I understood KVRT to be a portable app: does not install, delete and it's gone, but that was not the situation here. ChatGPT said: "The more interesting finding from today's cleanup...It's that a supposedly portable scanner left behind several kernel-driver service registrations that required manual cleanup." 5 were leftovers, 2 were running with every reboot... :(
sc.exe query klupd_391aade8a_arkmon
sc.exe query klupd_391aade8a_klbg
 
If the drivers stay persistent, you can find them via Autoruns (Autoruns - Sysinternals),
and under the "Drivers" tab you can delete them manually.

If this method does not work, you can try this more rigorous approach:

First download voidtools Everything:

and scan for everything Kaspersky and KVRT related; you can even jump to the location where the drivers are hiding and delete them from your PC.

If this does not work, download IObit Unlocker: IObit Unlocker, Solution for "undelete files or folders" Problems on Windows 8, 7, Vista, XP, 10 - IObit
After install you can find the location of the drivers using Everything. IObit Unlocker is added to the context menu, so you have to select FORCED MODE, and then from the dropdown menu select unlock and remove. This will delete both drivers for sure.
 
When everything fails the "hard purge" approach of Nautilus should work, but have you tried installing again and checking whether KVRT has a remove or de-install option?

I can understand that when KVRT is able to remove rootkits it should have the same startup timing and permission to remove them. As posted by Harlan, these temp drivers should be removed at restart.
 
KVRT will indeed drop 2 sys files into the Drivers folder. However when KVRT is closed it will run a batch script that will delete these 2 files when the system is restarted (they won't be active in any way in the meantime). Note that you should be able to see this batch script for yourself in app data/local/temp as soon as you close KVRT.

However if these sys files are not being deleted on your system after restart, is it possible that whatever malware protection that you are using blocks (some, most, all) scripts from running?
 
Are those drivers actually still physically in your system? Try to find the folder.
Yes, they were! But I can no longer provide the file path (timeout...). I spent a while in PowerShell with ChatGPT, and I had some temp notes, but after everything was gone and settled down, I deleted the specifics; pretty sure they were in \drivers\ but not 100% sure now. BUT ChatGPT pulled up our discussion > C:\KVRT2020_Data\Temp\34105D1614A078122BA1CE2FB62AD56C\klupd_391aade8a_arkmon.sys and active and running; as I said, could not stop it with Win10 running, they were deleted with ps cmd on reboot.
 
Yes, initial tool was Autoruns, and then various PowerShell cmds assisted by ChatGPT, and finally a reboot. I was using "Everything" too.
 
Possible, yes: MS Defender with DeepInstinct and Cyberlock in the background. Never seen them collide, but I know CL blocks some stuff without any notice (or maybe I have CL notices off or limited).
 
I performed a malware scan yesterday using KVRT. Once the scan finished, I deleted the program normally, but the folder "C:\KVRT2020_Data" refused to be deleted. After rebooting the next day, the folder deleted successfully. I don't believe it was running in the background since I was monitoring it with "System Informer," and the process disappeared immediately from the screen when I closed KVRT. However, I previously read that the "C:\KVRT2020_Data" folder requires a reboot to be deleted, so I believe that is how it works.
 
What @lokamoka820 mentioned is accurate: KVRT installs temporary drivers (klupd_...) that may remain after closing the tool, but according to Kaspersky's official documentation they are unloaded and removed after a system reboot. Official source: Kaspersky Support – Known issues in KVRT 2020 🔄🖥️
@Halp2001 -- not disputing that, but in my case they weren't deleted and remained active. Also note this was not one contemporaneous event, i.e., scan with KVRT, close, and then delete KVRT; the scan was done some months ago, and most likely I did not delete KVRT when the boot finished, and my Win10 had been rebooted regularly (but not every day) over that period of months. I just discovered the running "temp" drivers with Autoruns just a few days ago. So in my case, they were NOT removed after KVRT scan & reboot, until I was able to stop them with a PowerShell reboot, and then deleted them with another PowerShell reboot.
 
@simmerskool Thanks for clearing that up! I just wanted to complement what @lokamoka820 said with Kaspersky's official stance, where those temp drivers should ideally delete themselves. Clearly, something glitched out or got blocked in your case. Glad you managed to hard-purge them with PowerShell, that's what matters in the end! 👍
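
An added example, not part of any post in this thread: a PowerShell audit that lists driver service registrations matching the klupd_* naming seen above and reports whether each one is running and whether its .sys file still exists on disk. The function name and output fields are illustrative assumptions; only the klupd_ prefix comes from the thread.

```powershell
# Added example: audit leftover kernel-driver service registrations.
# Run from an elevated PowerShell prompt. Get-LeftoverDriverService is a
# hypothetical helper name; the klupd_* pattern is taken from the thread.
function Get-LeftoverDriverService {
    param(
        [string]$NamePattern = 'klupd_*'
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like $NamePattern } |
        ForEach-Object {
            # PathName can be in NT form (\??\C:\...), start with \SystemRoot\,
            # or be relative to the Windows directory (system32\drivers\...).
            $path = $_.PathName
            if ($path) {
                $path = $path -replace '^\\\?\?\\', ''
                $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
                if ($path -match '^system32\\') {
                    $path = Join-Path $env:SystemRoot $path
                }
            }

            [pscustomobject]@{
                Name       = $_.Name
                State      = $_.State       # Running or Stopped
                StartMode  = $_.StartMode   # Boot, System, Auto, Manual, Disabled
                ImagePath  = $path
                # A registration whose file is gone is a dead leftover;
                # one whose file exists and is Running is still being loaded.
                FileExists = [bool]($path -and (Test-Path -LiteralPath $path))
            }
        }
}

# List every matching registration, running ones first.
Get-LeftoverDriverService |
    Sort-Object State |
    Format-Table Name, State, StartMode, FileExists, ImagePath -AutoSize
```

A stopped registration reported here can be removed with `sc.exe delete <name>`; for a driver that is still running, the deletion is only marked pending and completes after the driver is unloaded, typically at the next reboot.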
 