Kaspersky
Question

Unusual Activity on multiple platforms/devices


Hello Guys!

Thanks for having me here!
I'm looking for some help, advice, or anything which can help me sort out my problems across all of my devices.
I believe all my devices have been infected: 1 PC, 2 laptops, 2 iOS and 2 Android devices.
Not to mention, I have a few HDDs, loads of USB sticks, a few external HDDs....

Let's begin with the PC/Laptops.

PC:
Only an SSD drive in it, all other HDDs have been removed by me.
Fresh install of Win10 Pro (Genuine) - the SSD was erased via the Win10 installer - latest Kaspersky Total Security Trial version - My Kaspersky connected
No problems appear, till I connect the PC to the internet via WiFi.
All Windows 10 updates were installed immediately, Kaspersky Total Security as well.
Unusual activity on the PC, loading way too much from the SSD even when the PC is idle.
I ran netstat -ano from the command line, and I noticed some weird things there:





I use Nord VPN, and when I install the app, after the first run, KTS gives this notification:


When I log into my account in NordVPN, and I try to connect to ANY VPN server, this comes up:

I'm not an expert, but this seems pretty weird stuff to me so far.
Kaspersky Total Security has been updated, sometimes I got a server connection error.

And the list just goes on and on.

My Android and iOS devices are using Kaspersky Security Cloud - everything fine, but the same unusual things.
One example:
From the App Store I can't access certain apps via Search.
Certification problems on websites via Browser etc...
On iOS, iCloud activation messages a few times daily...

My online Bank Account is safe, my money is still there ( so far )...

Any idea guys ?!?

Thanks!

12 replies

👍😊, We actually didn't do anything, other than try to guide you to provide relevant, organised data.
Hello FLOOD!

Fresh install, everything the same as before.
Win10 updates installed, Kaspersky Total Security installed, My Kaspersky connected, database updated.
A few restarts, netstat -ano showed the same as before.
After that I decided to contact support; ticket submitted, GSI created via the Support Tool and sent.

In the Support Description I placed the link to this topic as well.

I won't do anything else, add more info or observations or modifications, just wait!

Nothing is going to change on this PC, because I'm going to turn it off right now, and wait till I receive some info from support!

Thanks for your patience & help!

Regards
Hello Csaszykj,
You need to organise your data.

Upload suspect PIDs ONLY
IF there's PIDs that can be matched with verified processes do NOT report them.
The list SHOULD be a set of PID numbers ONLY.

If you've added / installed ANY software & or made ANY changes AFTER doing the data collection/GSI, Windows logs, you need to generate & upload a new GSI/Windows logs.

Random ghost events without a movie capture cannot be diagnosed.
Set up the phone to record the PC, every time the ghost visits the events will be captured.
We cannot diagnose "weird - random - stuffs like that."

Checkpoint - from the point you make & upload the new GSI/logs - do NOT modify/add/change any software/anything at all.
Don't make any changes!

From this point forward - do not add any information, statements, questions, observations UNLESS it is for devices/software/s Kaspersky has documented that Kaspersky software is compatible with/that Kaspersky supports.

Thanks!
Hello Guys!

Update:
Fresh install of Win10 again, same symptoms.
I contacted support, ticket submitted, hope it gets sorted soon!

Thanks!

Regards: Csaszykj
Hello!

By mistake, I deleted my uploads from the cloud storage.
Netstat -ano Spreadsheet No Network
GSI + KL Log

Thanks!
Hello FLOOD!

GSI + KL file from my PC

Encrypted, I'll send the password via PM.

Thanks!
Hello FLOOD!

Network disconnected, Netstat -ano :


Spreadsheet with the netstat -ano + PIDs matched with the Task Manager / Services:

https://mega.nz/#!AapljapK!_2XbT_yKu2HwuVWgmpdBgDWEv4fCMVbdNliyn13cvLM

"""" To start:
  • Everything has a name, "app store" is not a name.
  • Kaspersky does not support DuckDuckGo.
  • Kaspersky does not support Opera in the PC/Windows environment, I'm currently researching if Opera is supported in either iOs & or Android ( almost 100% sure it isn't, but?) """"
  • iOS App Store has another name ?!?
  • iOS DuckDuckGo not supported in iOS - I know
  • Instead of Opera, Firefox 67.0.1 ( 64-bit ) installed with Kaspersky Extension
"""" My suggestion: create a spreadsheet - list every:
  • device matched with software
&
  • every event/issue matched with supporting evidence
Then match the two data sets together.

&
  • for all the ghost behaviour, I suggest you capture all of those scenarios with a movie app & post back with the devices/software/issues spreadsheet, the PID spreadsheet, the logs - refer to the end of this post.
  • Do you have Kaspersky software installed and active on every one of your devices that you are concerned about?
  1. IF yes, have full scans been run on those devices?
  2. IF yes, is the Kaspersky software updating automatically?
  • The iOs msg, is it your understanding Kaspersky software has something to do with those alerts or do you think those alerts are due to virus/malware/contamination?
https://discussions.apple.com/thread/250377354
https://discussions.apple.com/thread/7373922
""""

  • I'm not too sure what I should do, or where to start with your suggestion at all / "device matched with software"
  • As I mentioned before, I cannot capture this ghost behaviour; the events happen at random.
  • Yes, all devices have active Kaspersky software installed, full scans were run a few times, updates are running well, but leave these for now, I'm concerned about my PC first. If I can get this off my PC, afterwards I can reflash/erase all my mobile devices, and we will see how things are after.
  • Thanks for the links to the Apple forum; a couple of months ago there weren't any issues like these at all
Main focus now is on my PC, leave the rest for later/future.

Current Apps on my PC now:
Opera, Firefox, Microsoft Office 2016 Plus, Daemon Tools Lite, Malwarebytes, Nord VPN

Now I will remove Opera, NordVPN, Daemon Tools Lite, and create a GSI log.

Many Thanks for your help so far!!!

Regards
Hello FLOOD!

I have to admit, there is nothing like what you wish to capture; all events are happening at random.

Will do everything as you suggested.

Thanks!
Hello Csaszykj,
  • The PID process was provided.
  • Posting back an image ?
  • Are those PIDs NOT visible in taskmanager?
  • Did you match up the PIDS with the Task Manager processes?
  • To guide you back - PID 4 = a normal system process, port allocations do not get released just bc wifi is not active.
To start:
  • Everything has a name, "app store" is not a name.
  • Kaspersky does not support DuckDuckGo.
  • Kaspersky does not support Opera in the PC/Windows environment, I'm currently researching if Opera is supported in either iOs & or Android ( almost 100% sure it isn't, but?)
My suggestion: create a spreadsheet - list every:
  • device matched with software
&
  • every event/issue matched with supporting evidence
Then match the two data sets together.

&
  • for all the ghost behaviour, I suggest you capture all of those scenarios with a movie app & post back with the devices/software/issues spreadsheet, the PID spreadsheet, the logs - refer to the end of this post.
  • Do you have Kaspersky software installed and active on every one of your devices that you are concerned about?
  1. IF yes, have full scans been run on those devices?
  2. IF yes, is the Kaspersky software updating automatically?
  • The iOs msg, is it your understanding Kaspersky software has something to do with those alerts or do you think those alerts are due to virus/malware/contamination?
https://discussions.apple.com/thread/250377354
https://discussions.apple.com/thread/7373922

Please also generate:
GSI & Windows logs (for each impacted PC) ?
https://support.kaspersky.com/common/diagnostics/3632#block7
&
KL logs (for any iOs devices please?)
https://support.kaspersky.com/common/macos/10909 - please read my note at the bottom of this post before collecting KL logs.

  • When capturing GSI & KL logs please synchronize the capture as the events are happening.
  • When you've collated ALL the information, create a .zip folder & upload the full folder to cloud storage of your choice and please post back the link?
  • With the information collected by the GSI/KL/logs, spreadsheets & screen images and your replies, we'll be more able to provide advice addressing your concerns.
  • Please note: we cannot provide any analysis or guidance for devices that Kaspersky is not supported on, not installed on.
  • If such devices exist, please remove them from any submitted data.
Thanks so much!
Hello guys!

Wifi disabled, so there is no live network connection:


Also, here is the message from my iOS device, which pops up multiple times daily:


Cheers
Good Morning Flood!

Thanks for getting back to me!

I'll try to focus for now on my main PC; after we're sure it's clean, the rest of my devices can come.
It's a headache not to have an "uninfected" device in the household.

Quick Answers:

  • From the APP store i cant access certain apps via Search - which apps, which store?
On iPhone 5S ( Model Number: NE432B/A ) running iOS 12.2 - in the App Store I tried to search for "Malwarebytes App" - only relevant results come up, but not the Malwarebytes app.
In the DuckDuckGo browser I went to the Malwarebytes homepage and tried to open the "App Store logo on the site" - and this message comes up:


  • Certification problems on websites via Browser etc., which websites? Which Browser? Which certificates?
Same iPhone 5S device - Kaspersky Safe Browser - on any kind of search, this message comes up:


  • on iOS iCloud activation messages daily few times.. what messages?
If I can catch it, I will upload it as well, but it's something similar to this message:
"Your carrier may charge for activating icloud on this device" popup message


  • Name & version of Kaspersky software?
PC: Latest Kaspersky Total Security - version 19.0.0.1088 (f)

  • Name, version & build of Operating system?
Microsoft Windows 10 x64 build 17763 ( using a PRO license key )

  • Browser/s, version/s?
Opera Version:60.0.3255.135

  • Detail, description, steps, information: like: when the issue 1st started, does the issue happen at all times of the day, certain times, does any action ameliorate the issue/s, does the issue happen irrespective of the browser used?
The NORDVPN issue is separate, have you granted access? & please read on:

I did not grant any access to NordVPN so far...

These are examples from this recent Windows installation:
  • While I was writing this comment, after a couple of minutes the "insert image button" greyed out, so I had to refresh the page to use it
  • I try to listen to an online radio stream, it suddenly stops after 5-7 mins, I can't start it again via the button provided on the page, I need to reload or reopen it
  • When I press CTRL+V, it does the job, but the screen scrolls up 1 page
  • Yesterday when I typed my first message here, a weird prompt came up, and it was selecting "double characters" instead of a normal one - I'll try to catch it again and save a screenshot of it
  • When the computer starts, and when I connect manually to my WiFi network, straight away the NordVPN certificate problem message comes up; if I ignore it, it comes up 5-6 times in 30 mins, even if I'm not logged into my account in the NordVPN app
  • It's a fresh install of Win10, the following apps were installed: Kaspersky Total Security, Nord VPN, Malwarebytes and Opera, nothing else, and now I will install Microsoft Office 2016 Plus
When did I first notice something wrong?
Around 2 months ago, I was using iTunes on the same PC, and when I closed the app, the DVD drive tray came out - Eject - for no reason.
I was using cFos Speed, and I noticed the same unusual network activity - even when the PC was in idle state.
A couple of Windows reinstalls, similar unusual things, weird search results in the Firefox browser on eBay, Aliexpress did not want to connect behind VPN, connection errors when I try to load pages...
Sometimes the mouse cursor makes bigger jumps when I try to move around on the screen, it's like someone is in my PC via Remote Desktop...
None of my PC/Laptops lets me access the router via 192.168.1.1 - "website can't be reached" or some similar message
Mozilla Firefox was doing some weird stuff; I removed it, and after a quick clean in the registry and a reinstall, "Dark Theme" was installed rather than the normal "Light Theme"

And the list just goes on and on....

On my other devices
Certain icons disappeared from the Aliexpress app, and my eBay app was producing weird search results.
Apps, just after starting, ask for "Rate our App" all the time


I'll do my best, I'll try to sort out the netstat -ano PIDs asap.

Many thanks!

Regards
Hello Csaszykj,
Welcome!
Your netstat -ano:
Check - PIDs, save the output as a .txt file, open as a spreadsheet, sort on PID column,
Check PIDs against Taskmanager Processes, PID

You should see the majority are the software, e.g. Kaspersky, Operating system provider, e.g, Microsoft, Nord, apps used, e.g. Google and so on, all those are safe...

If there's any suspect PIDs you'll see them & we can analyse - please post back?
Note: If there's a 1000+++ entries please upload a .txt file or spreadsheet to a cloud storage of your choice & post the link please? (better than flooding your post😉)

The NORDVPN issue is separate, have you granted access? & please read on:

Also:

  • From the APP store i cant access certain apps via Search - which apps, which store?
  • Certification problems on websites via Browser etc., which websites? Which Browser? Which certificates?
  • on iOS iCloud activation messages daily few times.. what messages?
What we need to help (if you need):

  • Name & version of Kaspersky software?
  • Name, version & build of Operating system?
  • Browser/s, version/s?
  • Screen prints (are great - we see what you see!)
  • Detail, description, steps, information: like: when the issue 1st started, does the issue happen at all times of the day, certain times, does any action ameliorate the issue/s, does the issue happen irrespective of the browser used?
All information is useful....

Please let us know?
Many thanks!
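
The PID-matching step described in the post above (save the `netstat -ano` output, sort on the PID column, check each PID against the running processes), as an added example that is not part of the original thread. It assumes `tasklist /fo csv` as a scriptable stand-in for the Task Manager view; both samples are constructed and the function names are hypothetical.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not data from this thread).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:49701        127.0.0.1:49702        ESTABLISHED     3380
  TCP    192.168.1.23:49688     203.0.113.10:443       TIME_WAIT       0
  TCP    0.0.0.0:49670          0.0.0.0:0              LISTENING       6604
  UDP    0.0.0.0:5353           *:*                                    1044
"""

# Constructed sample of `tasklist /fo csv` output; PID 6604 is left out on purpose.
TASKLIST_SAMPLE = '''
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","8 K"
"System","4","Services","0","144 K"
"svchost.exe","1044","Services","0","9,012 K"
"avp.exe","3380","Services","0","88,204 K"
'''

def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the column header, banner text and blank lines.
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP") or not parts[-1].isdigit():
            continue
        # UDP rows have no State column; the PID is always the last field.
        state = parts[3] if len(parts) == 5 else ""
        rows.append({"proto": parts[0], "local": parts[1], "state": state, "pid": int(parts[-1])})
    return rows

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"]
            for r in csv.DictReader(io.StringIO(text.strip()))}

def match_pids(netstat_text, tasklist_text):
    """Return ({pid: image name}, [pids with no matching process])."""
    names = parse_tasklist(tasklist_text)
    pids = sorted({row["pid"] for row in parse_netstat(netstat_text)})
    matched = {pid: names[pid] for pid in pids if pid in names}
    return matched, [pid for pid in pids if pid not in names]
```

On a live machine, capture both outputs in the same session (`netstat -ano > netstat.txt`, `tasklist /fo csv > tasklist.csv`), because a PID can be reused once its process exits. The listening rows owned by PID 4 in the sample are the kind that stay present with no network connected.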
