
Intelligent Hacker Bots

  • 20 January 2021


I have seen hackers in my computer when I had AVG FREE. Then I purchased Kaspersky Total Security with VPN and Password Manager. I also purchased a new computer and re-formatted it about 2-3 times now. Every time I run Kaspersky Scan, even with the boot disk, I still have these issues and they are like fleas in my computer. I can’t use my computer for the last 8 or so months.
The main issue is: I have subprograms which I observe when I go to “Application Manager” section…

They are 0KB and all created at the same date 01/01/0001 (or 2001 before, if I remember right). They nest inside other legitimate programs and carry names that make sense.

I just observed 50 of them. I manually blocked them from starting.
When I restarted my computer, I noticed they dropped down to 17.

And interestingly, (or sarcastically, as I’m like a rat in this computer chasing these flies) I saw a program (which is not the first time I see it) called IGOR PAVLOV with about 10 zip applications with the same characteristics. And I blocked them from starting.

As I started to check out other programs one by one (as if I have all the time on earth to do this) … I noticed something very interesting. First I thought it was my perception, that I had seen it that way in error, but when it repeated I realized something horrendous: as I move my mouse over these programs/applications, the initial description box bubble gave the 0KB etc. info and it immediately switched to something more legitimate with some KBs in it.

I have been noticing the same thing about the Kill Switch. It looks green on the task bar, meaning it is active but, as I click on it, the animation of “just turning on” occurs… I was thinking it must be as such and trying to suppress my suspicion.
 

But a similar thing has been happening with my Available Networks: Before I reformatted my computer, even when the VPN was active the network icon on taskbar (right side) would be square and correlated with my actions/responses there would occur another network, which looked as it is far away. But, I don’t live in a city and it is highly unlikely that somebody keeps turning on and off their network so much in synchrony with my connecting or disconnecting from my network.

Finally, I am becoming quite convinced that this “Hacker/Virus/whatever” is acting intelligently and in response to my actions, constantly evolving its camouflage as I discover it.
Am I being paranoid…? I don’t think so! These are OBSERVATIONS from the last 8-9 months.

Any help will be much appreciated… I can’t use my computer. I need my computer fully functional so I can get to work… I’m wasting an enormous amount of time chasing fleas here!

I opened an incident with number INC000011888975

 

(another thing I believe may have something to do with this issue is, I seem to get more of these hackbugs after I upload video to YouTube… Just a feeling… can’t say for sure)

(obviously Cortana is blocked too because I hate nosy windows as much as hackers)


22 replies

Userlevel 7
Badge +9

Hello @Nil

Welcome!

It’s very good you’ve logged an INC, the Kaspersky Technical Team are the appropriate team to help you; they may ask for Traces, logs & other system data, they may even request remote access to the machine to assist you with trouble shooting:ok_hand_tone3:

  1. In Manage applications, have you run the Clean up option → do the 10 7z.exe (Igor Pavlov) entries remain? 
  2. Have you run the Clean & Optimize options? If no, before doing so, for all browsers: Chrome, Edge Chromium & Firefox - export Bookmarks
  3. Have you exported KTS Settings, then reset KTS to default & rechecked? 
  4. We’re not really clear what the concerns are with KVPN, however, when the VPN is active, it uses a virtual Kaspersky Data Security Adaptor, is that the “other” network you’re concerned about? 

Please let us know?

Thank you:pray_tone3:

Flood:whale: +:whale2:

Userlevel 7
Badge +4

Hi @Nil , 

We will check your incident and get back to you. Hang on. 

Hello Flood and Igor,
Thank you for your responses, it is good to know that I have some help from the experts :) . I’m sorry for not answering earlier. As I was writing an answer things started going haywire and I had to re-format my computer again.


First let me start with Flood’s suggestions:

  1. As you got my attention to this “cleanup” option, I did that and it cleaned many. But, the 7z’s were gone before I even did the cleanup (because they were fake to begin with /lol)
  2. I did all of those “cleanup” options which you showed.
  3. I had just cleared the KTS settings when I opened up this topic. So, I didn’t go through it again. But, eventually, I had to as I just reformatted my computer.
  4. The KVPN and Wifi issue is just like this:
    1. When I have the VPN on, sometimes I have a “circular” wifi icon and most of the time a square which looks like a monitor with a plug. And it says “unidentified network”. My question is which one of these is the correct one when I have the VPN on?

Unfortunately, the computer still has problems and I’ll write down on the next ‘reply’ what I did and what happened.

Userlevel 7
Badge +9
  1. The KVPN and Wifi issue is just like this: when I have the VPN on, sometimes I have a “circular” wifi icon and most of the time a square which looks like a monitor with a plug. And it says “unidentified network”. My question is which one of these is the correct one when I have the VPN on?
  2. Unfortunately, the computer still has problems and I’ll write down on the next ‘reply’ what I did and what happened.

Hello @Nil

You’re most welcome:relaxed: !

Thank you for the update & the additional information:ok_hand_tone3: 

  1. When KVPN is active, you should see a square/rectangular icon which looks like a monitor with a plug; labelled “unidentified network” & the KVPN icon (green) → image 1
  2. When KVPN is active, in Windows Network status, you should see Ethernet x → image 2
  3. When KVPN is active, in Control Panel\All Control Panel Items\Network and Sharing Centre, you should see Unidentified network & Ethernet x & if you’re connected to the internet via Wifi, the Wifi connection → image 3
  4. When KVPN is active, in Control Panel\Network and Internet\Network Connections, you should see Ethernet x → Kaspersky Security Data Escort Adapter, Connectivity: Internet access → image 4
  5. When KVPN is inactive and if you’re connected to the internet via Wifi, you should see the Wifi icon → image 5

  • When you have time, please let us know how Kaspersky Technical Support have helped you resolve the  problems please? 

Thank you:pray_tone3:

Flood:whale: +:whale2:

Ok, let me start with what I did after the computer got all haywire…:thinking:

 

I formatted my computer, deleted partitions, wiped data clear with Gutmann ? (35 times rewrite) reinstalled windows; each time paying more attention to have it all clean… very clean. And I did this  many, many, many times. I’m starting to worry that my SSD is going to get old very soooon. :laughing:

Right now, I have only windows 10, kaspersky total security, KVPN,  Firefox and that’s it… (and a small folder of files and programs which are not touched yet)

Of course the drivers and windows updates are there too…

I haven’t visited any weird websites or such. I have checked my email, looked at youtube and msi website etc.

    KVPN icon: When I first had the computer setup, the KVPN button was showing the circular icon even with VPN on. Yesterday and today, it switched to the box icon.
    I don’t seem to have the “ghost available network” anymore. It had showed up only once in one of my re-formats. Since then, I haven’t seen it.


It has been only couple of days since I had this clean reinstall/format of my computer.

Today, I decided to have a look at the running programs. I have counted and disallowed 52 programs with 0 bytes and created on 01/01/0001 or some date like that.

 

After I did a “cleanup” only two of them remained. More interestingly, when I checked the contents of those programs, they were now filled with regular dates and bytes...:

The 2 remaining from 52 of 0 byte programs filling up after being disallowed and “cleanup”

Please check out the file path of one of these programs. (I’m sorry this is not in English, somehow Kaspersky downloaded the Turkish language version)

 

  • Do you see the file path??? I don’t.

Translation of the definition : Unknown creation date and edition date. But, it says the reason for moving to the group is the digital signature which is missing.

  • You see the “kzf8q….” that is going to be the code that is going to be used later on. Before I reformatted my computer, that was the other sign of the bots.

 

Again, I thank you many times for helping me out. This thing has taken months of workdays and I’m starting to become quite a non-volunteer expert in hacker stuff… :sweat_smile::joy::angry:

I swear they are “ghosting” my computer and they are using the standard, what is it called… like torrent style… :thinking:   :joy: …. no expertise claimed :joy:

Many thanks again

 

This is what I’m talking about the WIFI icon.

 

Sorry Flood, I didn’t see your response before I uploaded mine… Having problems with not only the internet but also the electricity :thinking::joy::confounded:


With your permission, I will respond to your answer soon. I have to run now.

Meanwhile, unaware of your answer I’ve uploaded the image of what I’m talking about.


Many thanks

WIFI ICON  & KILL SWITCH ISSUE

 

Ok, Flood, I just checked it out.

When my computer woke up, I had to exit VPN so that I’d get the internet.

I clicked on VPN when the internet got connected.

VPN turned green and the Wifi icon was still circular.

I was monitoring the network at the same time. Initially there came like 52 “host processes for windows services”.

Soon the icon turned to the box and the 52 processes dropped to 1.

The settings “unidentified network” and such are like you described. So, when it is set, it seems to be working.

What I don’t understand is why I very rarely am able to connect to the internet while the kill switch is on and why I always get a lot of windows host processes even before kaspersky programs start working. Because when it works right, I see that first Kaspersky programs start to work and then other stuff start working.

Also, can you please tell me why is that when I click on “block all network activity” I still see the “network activity” flowing while the “network traffic” stops. I appreciate that.

 

About what the Kaspersky Tech Support… they requested a bunch of diagnostics, which I’ll have to work on later. I’ll let you guys know how that goes.
INTELLIGENT ?!? BOT ISSUE:

 

Hi Flood,

Remember, above I mentioned about 52 “host processes for windows services” starting up before Kaspersky even got initiated in the Network Monitor activities…

I checked on the running apps… Guess what, a bunch of those again. I don’t have time to handpick and eliminate but here I post some pictures which I believe shows at least a part of the process well

sample hacker bot
Sample hacker bot’s non-existent address

Here is the list of today’s (actually, this hour’s) bots deactivated:

List of this hour’s bots deactivated

Below is the list of the bots after ‘cleanup’. Only one got cleaned and the interesting points are:

  1. Now these are filled with legitimate date and size
  2. Their addresses are all windows apps. As I’ve posted on the picture above there does NOT exist a folder with the address C/programfiles/windowsApps.
  3. Except the two tmp’s from the bottom all have the “__8weky...” which I picked up as another sign indicating they are bots.

 

I need to please ask you guys to let me know if I’m doing anything out of ignorance which either turns out to be a ‘false alarm’ or is damaging to either the functionality or the hardware of my computer.

My observation has been that these bots replicate and simulate the ‘official’ apps like “your phone” or “photos”. Last time, when I blocked them from startup, it finally came to a point where I’d blocked everything from paint to who knows which important programs. So, I had to re-format the computer. (I don’t know if I can unblock them when they seem to have turned back to their ‘normal selves’ /lol)

When I was re-formatting (I used an AOMEI flash disk for it) I noticed changing values of missing disk space, extra partitions (like it said “Rufus had to create another partition”, but of all those times, only one time it needed this???). Of course, I did many scans for surface etc. It has never been stable and explainable, but random. 

Right now, the computer doesn’t boot into Windows directly. I have to “reset the bios to the suggested settings” and then I can get into it. Strangely, the bios program I downloaded comes with both part1 and part2… It wasn’t like that about a month ago, when I upgraded it. So, I haven’t been able to flash the bios yet. It shouldn’t have needed this. But, sounds like a reasonable step to take.

 

So I’m like WTF ??? :rolling_eyes::astonished: (pardon my french)

 

Userlevel 7
Badge +9

Hello @Nil

Thank you for the updates & additional information:ok_hand_tone3:

  1. If you wish to use KTS English, download & install from Kaspersky Global www - image 1, our recommendation, {a} Reset KTS to Default, {b} uninstall KTS, save LICENSE information ONLY, do not check any other option, {c} shutdown computer using Shutdown, not Restart, {d} power on, {e} login, {f} download & install English KTS, {g} shutdown computer using Shutdown, not Restart, {h} power on, {i} login, {j} run a manual Database update, allow it to complete, {k} run a Full Scan, allow it to complete - then follow step 6 below. 
  2. Re  “ There does not exist a folder with the address C/programfiles/windowsApps ”, in Windows File manager, is Hidden files checked → image 2 ?

  3. Re “kzf8q”, normal → image 3
  4. Re “8weky”, normal → image 4
  5. If you’re blocking/controlling a whole heap of Windows processes, Windows will resume them or try to. 
  6. You must provide the requested diagnostic data to Kaspersky Technical Support: 1. They have the resources to assist. 2. The diagnostic data cannot be shared here in Community; without it, we only can see a portion of what you’re reporting. 3. Your subscription pays for Technical Support. 
  7. The network icons (you’ve shown) are normal. 

Thank you:pray_tone3:

Flood:whale: +:whale2:

How to remove a Kaspersky application

How to install Kaspersky Total Security

Post-installation recommendations

Hi Flood,

Re “8weky”, Yep, I noticed that it was among the hidden files. :flushed:  I’m ashamed to have a false alarm here but, it’s easy to get paranoid when all act up weird. It helps to hear that something is in fact “normal”. Thank you.

I’ve done their diagnostics. But, Kaspersky is not finding anything weird. So, I don’t know how much it will help. But, they’re (you guys are) the experts… so, I’ve done what they asked and sent them. They may need to reopen another incident, as it was closed due to inactivity. (well, it’s hard to respond to emails especially when your computer is messed up. I’ll make a suggestion to have a diagnostic help through a medium like this. It is easier to track and also load files)

 

Userlevel 7
Badge +9

Hello @Nil

You’re most welcome:relaxed: !

Thank you for the update:ok_hand_tone3:

  • There’s absolutely no reason to be ashamed, when things are not working properly or there appears to be an “infection”, everything can start to look weird & there’s nothing wrong with a little bit of paranoia, especially if there’s been past problems. 
  • In reality, Kaspersky Technical Support are the experts, and they will help; a closed incident is not a problem, a new one can be opened & associated with the original INC, just make sure you let @Igor Kurzin know the new INC # please? 
  • As far as loading files for the INC, through your MyKaspersky account, upload any Logs, Traces, data to a cloud service of your choice e.g. MegaDrive, IceDrive, Google Drive, etc, create a share link, add the share link to the INC (in your MyKaspersky account) or send the share link in a reply INC email → if you need help with those processes → please let us know, we will assist. 
  • Our objective is to help you get to the point where you’re confident the machine is clean and your concerns are alleviated. 

Please keep us posted? 

Thank you:pray_tone3:

Flood:whale: +:whale2:

I want to jot down what happened today (I’ve told the tech support that I’ll do, may be they can utilize it)

 

I started the computer, (with bios needing a refresh in order to enter windows)

I checked out the running programs. I blocked about 10 of them with 0 file size.

Hit clear. Some were gone and none were active.

I downloaded Rufus.

I plugged in the external harddrive to retrieve AOMEI and checked out few folders. Carried few songs and such to this computer.

I checked out the running programs and voila… there were many applications with 0 bytes.

 

I didn’t even move this program’s installation file. I don’t even remember clicking on it. But, it was among the files in the folder which I looked into.


 

Rufus was showing 0 kb too… I just downloaded it. Didn’t even touch it.

I ignored them and took the time to respond to the tech support.

As I returned back to the running apps list. I saw only one:

I blocked it and hit clear and it was gone.

*******

Can you please tell me…

  1. Is this 0 kb normal ?
  2. If not, can I make Kaspersky clean them automatically ? (I can’t always check dozens of applications one by one)
  3. Once they are filled with regular bytes and some normal looking info, does that mean:
    1. They are back to normal, so I can unblock them ?
    2. they are carrying my information to be transmitted over the internet ?
  4. If not, does this mean what I think it is: they are being used as a carrier to ghost my computer ?
  5. I’ve done dozens of scans with Kaspersky. It never found a problem. If these are hacker tools, what is my solution?
  6. Is my inability to connect to the internet with the KillSwitch a sign of this problem?
    1. I noticed when the kill switch is on when the internet starts, the programs first starting off are of Kaspersky. If KillSwitch is off, I have many “host processes for windows”
  7. I can’t remember which one but, when I “block all network activity” I see either the network traffic or the network activity still having some activity. Is this normal?
  8. Right now, the kill switch is on and the wifi icon is circular (it was square before I woke up the computer)… seriously, how much should I freak out from these things?

 

Thank you Flood, Igor and the tech support people.

Dear Flood,

 

I’m so sorry… My brain is about to melt with the melting computer :joy:

I haven’t seen your response before I posted mine (again…  :rolling_eyes: ) Because, this thing is like chasing chicken or fleas… I want to jot down what I see right away before it gets too complicated to have a clear,  truthful document.

I totally appreciate your response, time and attention. :heart_eyes:

Thank you all for sticking with me until this (and other computer too hopefully) are hacker-free. Honestly… I think some people can have better things to do than sticking their noses in other people’s lives.

And yes, I’ll add Igor into the incident.

 

Thank you very very much

Userlevel 7
Badge +9

Hello @Nil

You’re most welcome:relaxed: !

Thank you for the update:ok_hand_tone3:

  1. Have you shared all of your last reply (with images & 8 questions) with the Kaspersky Technical Team? Remember, they will not be retrieving data from your Community topic. 
  2. Genuinely & honestly, we cannot answer your questions, we do not have access to your data, that is absolutely required to troubleshoot issues of this kind. 
  3. @Igor Kurzin has reached out to you, he will participate in the process, please allow him some time to do so. 
  4. Just for our understanding, may we have an image of the  circular wifi icon - is it a full circle? 
  5. By Kill switch, you’re referring to the KVPN or something else → please show us an image? 

Thank you:pray_tone3:

Flood:whale: +:whale2:

Userlevel 7
Badge +4

Hi Flood, 

If I correctly understand, the kill switch is this: 
 

Hi @Nil , 

Since the INC000011888975 has been closed due to inactivity, please proceed with the advice from support team in the INC000011888975 and submit a new ticket to provide the responses. You are welcome to include all your questions + images, as per advice from Flood. 

Thank you

Hi Flood,

 

I opened the incident with # INC000012418131 but…. oops! I didn’t write the questions or more details. I gave an overview and directed them here for a more detailed description of the situation. Added a scan.

I also asked for Igor to be included into the conversation because I don’t know how to cc him. May be when we start emailing, it will be possible.

Thank you for these tips. I’ll add the questions to the incident

About the KVPN and the KillSwitch:

I use the KVPN with the KillSwitch always. And I can hardly ever get into the Internet while KVPN is active. I always assumed it is because of the KillSwitch. I never tested it separately.

Here I’m pasting the circular wifi icon. This morning it was square. After I woke the computer up in the afternoon, it became circular. I have no idea what to think now! Is it safe? Is it not?

This is the “Circular wifi icon”

 

Somehow though, this afternoon, there are no more 0kb apps running.

I’ll keep you guys updated.

Thank you so much for everything

Userlevel 7
Badge +9

Hello Igor,

  • KILL switch

 

Thank you:pray_tone3:

Flood:whale: +:whale2:

Userlevel 7
Badge +9

Hello @Nil

  1. The WIFI icon is normal. As is the (Kaspersky Security Data Escort Adaptor) ETHERNET icon, we discussed earlier.
  2. It cannot be “oops! I didn’t write the questions or more details”, Technical Support will not be coming to your community Topic to try & assess the issue. 
  3. You need to be very clear, provide everything the Technical Team request and work with them to sort this out. 
  4. You don’t need to cc @Igor Kurzin, the new INC000012418131 is all that is required, as long as it is an accurate reflection of your concerns & has supporting data. 

 Thank you:pray_tone3:

Flood:whale: +:whale2:

Userlevel 7
Badge +9

Hello @Nil

Additional information, as FYI:

The KVPN Kill Switch is designed to block (your) Internet access IF (your) KVPN secure connection is interrupted/lost.

The Kill Switch is not designed to block all network activity.

Thank you:pray_tone3:

Flood:whale: +:whale2:

Userlevel 7
Badge +4

Hello,

Q: Is this 0 kb normal ?

A: It seems OK. If the related object has been deleted or moved by the OS or by you, the object rule will leave leftover information in the Application Control application rule list.

 

Q: If not, can I make Kaspersky clean them automatically ? (I can’t always check dozens of applications one by one)

A: You can press the clean up button to clean all valid rules manually. There is no function to automatically clean up Application Control rules.

 

Q: Once they are filled with regular bytes and some normal looking info, does that mean:

They are back to normal, so I can unblock them ?

A: Normally, you don't need to perform special startup management for each application. If you want to manage them, you can set it according to your own needs, but be careful not to cause some application exceptions.

 

Q: they are carrying my information to be transmitted over the internet ?

A: If a program loads WS2_32.dll into its memory, it will definitely operate on the network, but whether it sends your private data is not a simple question that can be answered. It requires a long period of monitoring and analysis, such as using some tools, but I think you may not have the time and ability to complete this work, so I hope you can prohibit some programs you don’t know from accessing the network, which is a good choice. But be careful, please do not prohibit the core system programs from accessing the network, such as this program: svchost.exe. Some system host programs are the basis for the entire system to provide network services. If you prohibit them from accessing the network, it will cause network disconnection.

 

Q: If not, does this mean what I think it is: they are being used as a carrier to ghost my computer ?

A: This cannot be answered because there is no obvious sign.

 

Q: I’ve done dozens of scans with Kaspersky. It never found a problem. If these are hacker tools, what is my solution?

A: It is impossible to determine whether there is a problem with your computer, even if the Kaspersky scan did not find a problem. In fact, you need an ARK tool such as “PCHunter” or “AVZ” to check some main parts of the system to see if there are abnormal hooks or other abnormal places. But this kind of issue cannot be discussed in this community, so I cannot discuss this issue further.

 

Q: Does my inability to connect to the internet with the KillSwitch is a sign of this problem?

A: Possibly.

 

Q: I noticed when the kill switch is on when the internet starts, the programs first starting off are of Kaspersky. If KillSwitch is off, I have many “host processes for windows”

A: “Host processes for windows”: do you mean svchost.exe? Please open Task Manager, right-click on the menu and choose “Command line”. Please tell us which svchost.exes there are and their command lines. We can provide additional information to you if we know more detail about the “host processes for windows”.

 

 

Q: I can’t remember which one but, when I “block all network activity” I see either the network traffic or the network activity still having some activity. Is this normal?

A: I think you encountered this behavior, right? The network has been blocked, so why does it have network traffic activity volume? It’s the KL product’s own network traffic and some OS kernel process network traffic. It is not a problem.

 

 

Q: Right now, the kill switch is on and the wifi icon is circular. (it was square before I woke up the computer)… seriously, how much should I freak out from these things?)

A: The post above has told you how to turn off the kill switch.

Regards.
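The reply above asks which svchost.exe instances are running and with what command line. The PowerShell below is an added example, not code from the thread or from Kaspersky; it collects exactly that list, adds the parent process and the services each instance hosts, and applies the checks a defender makes before treating a long svchost list as a sign of compromise. It assumes Windows 10 and an elevated PowerShell prompt, so that paths and command lines of processes in other sessions are readable.

```powershell
# Added example (not from the thread or from Kaspersky): enumerate every
# "Host Process for Windows Services" (svchost.exe) instance with its command
# line, parent process and hosted services, and flag what a defender checks.
# Assumption: Windows 10, run from an elevated PowerShell prompt.

$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Query the process table once and index it by PID for parent lookups.
$allProcs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $allProcs) { $byPid[[int]$p.ProcessId] = $p }

# Map each PID to the services it hosts; Win32_Service exposes ProcessId.
$svcByPid = @{}
foreach ($s in Get-CimInstance -ClassName Win32_Service) {
    $id = [int]$s.ProcessId
    if ($id -eq 0) { continue }   # stopped services have no process
    if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
    $svcByPid[$id] += $s.Name
}

$report = foreach ($p in ($allProcs | Where-Object { $_.Name -eq 'svchost.exe' })) {
    $flags  = @()
    $parent = $byPid[[int]$p.ParentProcessId]
    $hosted = $svcByPid[[int]$p.ProcessId]

    # Genuine svchost.exe lives in System32; a same-named binary elsewhere is
    # the classic masquerade. An empty path normally just means access denied.
    if ($p.ExecutablePath -and ($p.ExecutablePath -ne $expectedPath)) {
        $flags += 'path-not-system32'
    }
    # Genuine instances are children of services.exe. PIDs get reused, so a
    # different parent is "unusual" and worth a look, not proof of anything.
    if ($parent -and ($parent.Name -ne 'services.exe')) {
        $flags += "unusual-parent=$($parent.Name)"
    }
    # Every legitimate instance carries "-k <group>" naming its service group.
    if ($p.CommandLine -and ($p.CommandLine -notmatch '\s-k\s+\S')) {
        $flags += 'no-k-group'
    }
    # An svchost.exe that hosts no service at all deserves a closer look.
    if (-not $hosted) { $flags += 'hosts-no-service' }

    $parentName = if ($parent) { $parent.Name } else { '?' }
    [pscustomobject]@{
        PID         = $p.ProcessId
        Parent      = $parentName
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        Services    = ($hosted -join ',')
        Flags       = ($flags -join ' ')
    }
}

$flagged = @($report | Where-Object { $_.Flags }).Count
'{0} svchost.exe instances, {1} flagged' -f @($report).Count, $flagged
# Flagged rows first; unflagged rows are the normal Windows service hosts.
$report | Sort-Object { [string]::IsNullOrEmpty($_.Flags) } | Format-Table -AutoSize -Wrap
```

On Windows 10 with more than roughly 3.5 GB of RAM, most services get their own svchost.exe instance rather than sharing one, so several dozen unflagged entries is the normal picture rather than evidence of anything.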
