Intelligent Hacker Bots

Hi @Nil , 

We will check your incident and get back to you. Hang on. 

Hello @Nil, 

You’re most welcome !

Thank you for the update & the additional information 

1. When KVPN is active, you should see a square/rectangular icon which looks like a monitor with a plug; labelled “unidentified network” & the KVPN icon (green) → image 1
2. When KVPN is active, in Windows Network status, you should see Ethernet x → image 2
3. When KVPN is active, in Control Panel\All Control Panel Items\Network and Sharing Centre, you should see Unidentified network & Ethernet x & if you’re connected to the internet via Wifi, the Wifi connection → image 3
4. When KVPN is active, in Control Panel\Network and Internet\Network Connections, you should see Ethernet x → Kaspersky Security Data Escort Adapter, Connectivity: Internet access → image 4
5. When KVPN is inactive and if you’re connected to the internet via Wifi, you should see the Wifi icon → image 5

• When you have time, please let us know how Kaspersky Technical Support have helped you resolve the  problems please? 

Thank you

Flood +

WIFI ICON  & KILL SWITCH ISSUE

Ok, Flood, I just checked it out.

When my computer woke up, I had to exit VPN so that I’d get the internet.

I clicked on VPN when the internet got connected.

VPN turned green and the Wifi icon was still circular.

I was monitoring the network at the same time. Initially there came like 52 “host processes for windows services”.

Soon the icon turned to the box and the 52 processes dropped to 1.

The settings “unidentified network” and such are like you described. So, when it is set, it seems to be working.

What I don’t understand is why I very rarely am able to connect to the internet while the kill switch is on and why I always get a lot of windows host processes even before kaspersky programs start working. Because when it works right, I see that first Kaspersky programs start to work and then other stuff start working.

Also, can you please tell me why is that when I click on “block all network activity” I still see the “network activity” flowing while the “network traffic” stops. I appreciate that.

About what the Kaspersky Tech Support… they requested a bunch of diagnostics, which I’ll have to work on later. I’ll let you guys know how that goes.
 

​

 I need to please ask you guys to let me know if I’m doing anything out of ignorance which either turns out to be a ‘false alarm’ or damaging to either to the functionality or hardware of my computer.

My observation has been that these bots replicate and simulate the ‘official’ apps like “your phone” or “photos”. Last time, when I blocked them from startup, it finally came to a point where I’ve blocked everything from paint to who knows which important programs.  So, I had to re-format the computer. (I don’t know if I can unblock them when they seem to have turned back to their ‘normal-selves’ /lol

When I was re-formatting (I used AOMEI flashdisk for) I noticed changing values of missing disk space, extra partitions (like it said “Rufus had to create another partition”, but all those times, only one time it needed this???), Of course, I did many scans for surface etc. It has never been stable and explainable, but random. 

Right now, the computer doesn’t boot into Windows directly. I have to “reset the bios to the suggested settings” and then I can get into it. Strangely, the bios program I downloaded comes with both part1 and part2… It wasn’t like that about a month ago, when I upgraded it. So, I haven’t been able to flash the bios yet. It shouldn’t have needed this. But, sounds like a reasonable step to take.

So I’m like WTF ??? (pardon my french)

​

Hi Flood,

Re “8weky”, Yep, I noticed that it was among the hidden files.   I’m ashamed to have a false alarm here but, it’s easy to get paranaoid when all act up weird. It helps to hear that something is in fact “normal”. Thank you.

I’ve done their diagnostics. But, Kaspersky is not finding anything weird. So, I don’t know how much it will help. But, they’re (you guys are) the experts… so, I’ve done what they asked and sent them. They may need to reopen another incident, as it was closed due to inactivity. (well, it’s hard to respond to emails especially when your computer is messed up. I’ll make a suggestion to have a diagnostic help through a medium like this. It is easier to track and also load files)

I want to jot down what happened today (I’ve told the tech support that I’ll do, may be they can utilize it)

I started the computer, (with bios needing a refresh in order to enter windows)

I checked out the running programs. I blocked about 10 of them with 0 file size.

Hit clear. Some were gone and none were active.

I downloaded Rufus.

I plugged in the external harddrive to retrieve AOMEI and checked out few folders. Carried few songs and such to this computer.

I checked out the running programs and voila… there were many applications with 0 bytes.

I ignored them and took the time to respond to the tech support.

As I returned back to the running apps list. I saw only one:

I blocked it and hit clear and it was gone.

*******

Can you please tell me…

1. Is this 0 kb normal ?
2. If not, can I make Kaspersky clean them automatically ? (I can’t always check dozens of applications one by one)
3. Once they are filled with regular bytes and some normal looking info, does that mean:
   1. They are back to normal, so I can unblock them ?
   2. they are carrying my information to be transmitted over the internet ?
4. If not, does this mean what I think it is: they are being used as a carrier to ghost my computer ?
5. I’ve done dozens of scans with Kaspersky. It never found a problem. If these are hacker tools, what is my solution?
6. Does my inability to connect to the internet with the KillSwitch is a sign of this problem?
   1. I noticed when the kill switch is on when the internet starts, the programs first starting off are of Kaspersky. If KillSwitch is off, I have many “host processes for windows”
7. I can’t remember which one but, when I “block all network activity” I see either the network traffic or the network activity still having some activity. Is this normal?
8. Right now, the kill switch is on and the wifi icon is circular. (it was square before I woke up the computer)… seriously, how much should I freak out from these things?)

Thank you Flood, Igor and the tech support people.

Hello @Nil, 

You’re most welcome !

Thank you for the update

1. Have you shared all of your last reply (with images & 8 questions) with the Kaspersky Technical Team? Remember, they will not be retrieving data from your Community topic. 
2. Genuinely & honestly, we cannot answer your questions, we do not have access to your data, that is absolutely required to troubleshoot issues of this kind. 
3. @Igor Kurzin has reached out to you, he will participate in the process, please allow him some time to do so. 
4. Just for our understanding, may we have an image of the  circular wifi icon - is it a full circle? 
5. By Kill switch, you’re referring to the KVPN or something else → please show us an image? 

Thank you

Flood +

Hi Flood,

I opened the incident with # INC000012418131 but….   oops! I didn’t write the questions or more details. I gave an overview and directed them here for more detailed description of the situation. Added a scan.

I also asked for Igor to be included into the conversation because I don’t know how to cc him. May be when we start emailing, it will be possible.

Thank you for these tips. I’ll add the questions to the incident

About the KVPN and the KillSwitch:

I use the KVPN with the KillSwitch always. And I can hardly ever get into the Internet while KVPN is active. I always assumed it is because of the KillSwitch. I never tested it separately.

Here I’m pasting the circular wifi icon. This morning it was square. After I woke the computer up in the afternoon, it became circular. I have no idea what to think now! Is it safe? Is it not?

Somehow though, this afternoon, there are no more 0kb apps running.

I’ll keep you guys updated.

Thank you so much for everything

Hi Flood,

I opened the incident with # INC000012418131 but….   oops! I didn’t write the questions or more details. I gave an overview and directed them here for more detailed description of the situation. Added a scan.

I also asked for Igor to be included into the conversation because I don’t know how to cc him. May be when we start emailing, it will be possible.

Thank you for these tips. I’ll add the questions to the incident

About the KVPN and the KillSwitch:

I use the KVPN with the KillSwitch always. And I can hardly ever get into the Internet while KVPN is active. I always assumed it is because of the KillSwitch. I never tested it separately.

Here I’m pasting the circular wifi icon. This morning it was square. After I woke the computer up in the afternoon, it became circular. I have no idea what to think now! Is it safe? Is it not?

 

Somehow though, this afternoon, there are no more 0kb apps running. ’ll keep you guys updated. Thank you so much for everything

Hello @Nil, 

1. The WIFI icon is normal. As is the (Kaspersky Security Data Escort Adaptor) ETHERNET icon, we discussed earlier.
2. It cannot be “ oops! I didn’t write the questions or more details”, Technical Support will not be coming to your community Topic to try & assess the issue. 
3. You need to be very clear, provide everything the Technical Team request and work with them to sort this out. 
4. You don’t need to cc @Igor Kurzin, the new INC000012418131 is all that is required, as long as it is an accurate reflection of your concerns & has supporting data. 

 Thank you

Flood +

Hello,

Q1:Is this 0 kb normal ?

A: It seems OK. If the related object have been deleted or moved by OS or you. The object rule will leftover information in the application control application rule list.

Q: If not, can I make Kaspersky clean them automatically ? (I can’t always check dozens of applications one by one)

A: You can press clean up button to clean all vaild rule manually. There is no function to automatically clean up application control rules.

Q: Once they are filled with regular bytes and some normal looking info, does that mean:

They are back to normal, so I can unblock them ?

A: Normally, you don't need to perform special startup management for each application. If you want to manage them, you can set it according to your own needs, but be careful not to cause some application exceptions.

Q: they are carrying my information to be transmitted over the internet ?

A: If a program load WS2_32.dll into its memory. It will definitely operate on the network, but whether it sends your private data is not a simple question that can be answered. It requires a long period of monitoring and analysis, such as using some tools, but I think you may not have this time and ability to complete this work, so I hope you can prohibit some programs you don’t know to access network, which it is a good choice. But be careful, please do not prohibit the core system program from accessing the network, such as this program: svchost.exe. Some system host programs are the basis for the entire system to provide network services. If you prohibit it from accessing the network, it will cause network disconnection.

Q: If not, does this mean what I think it is: they are being used as a carrier to ghost my computer ?

A: This cannot be answered because there is no obvious sign.

Q: I’ve done dozens of scans with Kaspersky. It never found a problem. If these are hacker tools, what is my solution?

A: It is impossible to determine whether there is a problem with your computer, even if the Kaspersky scan did not find the problem. In fact, you need an ART tool such as “PCHunter” or “AVZ” to check some main parts of the system to see if there are abnormal hooks or abnormal places in some places. But this kind of issue cannot be discussed in this community, so I cannot discuss this issue further.

Q: Does my inability to connect to the internet with the KillSwitch is a sign of this problem?

A: Possiblly.

Q: I noticed when the kill switch is on when the internet starts, the programs first starting off are of Kaspersky. If KillSwitch is off, I have many “host processes for windows”

A: host processes for windows, Do you mean svchost.exe? Please open task manager and right-click on the menu and chosse “command line”, Please tell us which svchost.exes and its command line. We can provide additional information to you if we know more detail information related to “host processes for windows”.

 

Q: I can’t remember which one but, when I “block all network activity” I see either the network traffic or the network activity still having some activity. Is this normal?

A: I think you encounter this behavior,right? The network has been blocked, why it have network traffic activity volum? It‘s KL product itself network traffic and some os kernel process network traffic. it is not a problem.

 

Q: Right now, the kill switch is on and the wifi icon is circular. (it was square before I woke up the computer)… seriously, how much should I freak out from these things?)

A: Above post has tell you how to turn off kill switch.

Regards.