Wesly.Zhang
Moderators
Posts: 1866

Everything posted by Wesly.Zhang

  1. Hello, please try adding “telematics.net/*” to the Trusted URLs in Web Anti-Virus. Any better after that? Regards.
  2. Hello, @CJL from ATL. In addition to what @FLOOD said, did you try adding the site's domain name (not the full URL) to the Trusted URLs? For example: if you want to exclude the detection for this topic, https://community.kaspersky.com/kaspersky-internet-security-13/how-to-add-web-url-to-trusted-zone-blocked-as-heuristic-analysis-6769, you try adding “community.kaspersky.com/*” (without quotes) to the Trusted URLs. Regards.
  3. I think describing the detailed process explains the problem better than a screenshot; after all, the screenshot is just one sentence: “Please do not operate system”. Also, the screenshot contains my personal information, so it is not convenient to post it, thanks! It is an encrypted video that automatically runs with administrator privileges and creates three DLLs in the system directory (apparently used for playback: ai65mplaydk.dll, ai65mplayds.dll, ai65mplaydd.dll). After opening it, you log in with your real name and machine code (sorry, the above was wrong: it is the machine code, the kind of machine code that changes after a major Windows version upgrade), and then play the video. The video was probably recorded with 屏幕录像专家 (Screen Recording Expert) (because the seller I bought the tutorial from is a registered company, neither side will give me any specific technical support). It checks whether it is running in a virtual machine, whether Sandboxie is present, whether a download is in progress (such as Xunlei; for this it seems to check svchost.exe), and so on; even frequently losing focus is not allowed (for example, switching to a txt file to take notes). According to the seller, my computer may be infected with a “system” virus. So far I have run detection tools such as Huorong Sword, Process Explorer and Process Monitor, and done full-disk scans with Kaspersky and Huorong, and found no abnormal behaviour (what I personally consider abnormal: processes I do not recognise and processes without signature information). Hello, I do not know who is showing you this “Please do not operate system” prompt or what kind of window it is, so I need you to post a screenshot of the exact popup. Also, please use the Microsoft Sysinternals Process Explorer program and, following the instructions in the screenshot, identify which program produces the popup, thanks! We need the screenshot to look into the specific problem. Without a screenshot only you know the problem; we do not know what happened, and since you do not know either, we know even less. If the popup comes from this video software, it obviously checks whether it is being inline-hooked, that is, whether the process has been injected. If the injection behaviour does not stop after you exit the Kaspersky program, please close other processes, including non-essential system processes, to check, or use other tools such as PC Hunter or GMER to check which module is doing the inline hook. If you do not know what these things are, post a screenshot and let us look. In addition, please provide a GSI 6.2 report for analysis. You can send the report to me by private message on this community.
  4. Hello, this thread will be closed 5 calendar days after this post. If you still have issues to report, please reply in this thread.
  5. Hello, this issue will be closed 5 calendar days after this post. If you still need to follow up on the issue, please reply in this thread.
  6. Hello, I have heard from the virus lab that this is a false detection and it will be corrected. Technical support will reply to you about the situation via INC000011173299. Please follow up in this thread on whether the problem has actually been resolved.
  7. Hello, but from other users who provided me with traces I obtained the following information from analysis: I would like to ask, is this the process of the Xunlei download software? Could you package this process file together with its own DLL files that it loads, upload them to a network drive and post the download link in this thread? I want to confirm this situation. In fact it is not only Sogou Input Method that causes this problem. Mod note: traces deleted.
  8. Hello, there is analysis pointing to Sogou Input Method as the cause: https://bbs.kafan.cn/thread-2169610-1-1.html You can refer to it; at present this issue has not yet been confirmed.
  9. Hello, technical support has some information on this issue. Please submit the following information files:

     GSI 6.2 report. Download: http://media.kaspersky.com/utilities/ConsumerUtilities/GetSystemInfo6.2.zip
     How to use the tool:
     1. Double-click the exe in the downloaded GetSysteminfo6.2 to run it.
     2. Click the English “Accept” at the bottom right of the window.
     3. Once the program is running, tick “include system event”.
     4. Click the Start button.
     5. After the scan finishes, an archive whose name begins with Getsysteminfo is created on the desktop; upload it to a network drive.

     KVRT_FULL. Download: https://box.kaspersky.com/f/cc1df9d9d12e4515b59d/?dl=1
     How to use the tool:
     1. Double-click the downloaded tool, KVRT_FULL, to run it.
     2. Click the English “Accept” at the bottom right of the window.
     3. After the main window opens, first click the blue English text in the middle, “Change parameters”.
     4. Check whether all the options there are ticked; if not, select them all and click OK.
     5. Click “Start scan” to begin scanning.
     6. The scan takes some time; please be patient.
     7. When the scan finishes, open the computer's C: drive and find the KVRT_Data folder.
     8. Right-click the KVRT_Data folder, compress it into an archive, upload it to a network drive, and post the download link together with the getsysteminfo report above.
  10. After checking, the update source now includes the KPM f and g patches. After reinstalling KPM, the problem no longer occurs when closing and reopening KPM. This issue is gone. Let it go ~
  11. Hello, Trojan-Spy.Win64.Lotus.mem was found in system memory, right? Regards.
  12. Hello, according to information from support, they have fixed the Chinese update source problem. This issue should be fixed. Can you try to check it? Regards.
  13. Hi, FLOOD. Now I know the reason for this issue. I will share some information with our Chinese technology support engineer. Does KPM patch e also have a start problem in its history? Because I see a support article that tells users who have this problem to uninstall the program and download the newest installation file to install. Many thanks!
  14. Hi, Flood. Could you please help me check the versions of these files on your side? These files are located in ‘C:\Program Files (x86)\Kaspersky Lab\Kaspersky Password Manager 9.0.2’. Are they the same as mine? kpm.exe / kpm_service.exe / kpm_isolation.exe. And please check whether the update files on ‘https://s01.upd.kaspersky.com/updates/bin/kpm92p/’ are also the same as mine. I think the KL update sources in China don't have KPM patches f and g…...
  15. Hi, in my case there is no kpm_isolation.exe in the process list. Interesting…...
  16. Hello @Wesly.Zhang, you're welcome! 2 KPM exes, my account name. OK, thanks. Now I have contacted a KL Chinese engineer to file a problem request. Let them investigate this issue. If I have any information, I will post it here.
  17. Hi, flood. Thank you. 😄 Now I have a suspicious question for KL: what is the problem in this case? 🤔 PS. Is the process “kpm.exe” running as SYSTEM or as your account username?
  18. Hello, I know this issue. I have also encountered it in China. The process of this problem is: start kpm.exe /start; two same-name processes appear and run as SYSTEM and as your user account, together with kpm_services.exe under the SYSTEM account, started by KAV/KIS/KTS on its first start. It is OK now. Right-click its system tray icon and select Quit; then kpm.exe with the SYSTEM account doesn't exit and leaves its process behind. You run its desktop shortcut icon, kpm.exe with “your account user” runs, and it is then terminated by kpm_services.exe because another kpm.exe with the “SYSTEM” account user is running.

      22:54:47.880 0x1e00 ALW Register UI begin on session 1, pid 7708
      22:54:47.880 0x1e00 DBG Purge unused sessions
      22:54:47.880 0x1e00 ALW Process 7708 by session 1 is already registered
      22:54:47.880 0x1e00 DBG rmt EKAConnection::SendReceive called, session 454059647203388
      22:54:47.880 0x1e00 DBG Try to unregister process 7708
      22:54:47.880 0x1e00 DBG Session of unregistered process 7708 is 1
      22:54:47.880 0x1e00 DBG Try to unregister session 1
      22:54:47.880 0x1e00 DBG Session 1 unregistered
      22:54:47.880 0x1e00 DBG Unregister UI on session 1, pid 7708, result is 0x00000000
      22:54:52.086 0x33b8 INF gt::common::ui::UiManager::WaitUiTerminationProcess is terminated with id 7708 exit code: 3221225477

      After you terminate kpm.exe and kpm_services.exe, it is still terminated by kpm_services.exe when you run KPM, so you cannot load the KPM GUI.

      09:43:24.582 0x2418 DBG gt::common::ui::UiManager::StartUiWithArgs Ready to start process: "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Password Manager 9.0.2\kpm.exe"
      09:43:24.592 0x2418 DBG gt::common::ui::UiManager::StartUiWithArgs CreateProcessAsUser - success
      09:43:24.592 0x2418 DBG gt::common::ui::UiManager::StartUiWithArgs Add task to wait ui termination
      09:43:24.592 0x3a44 DBG gt::common::ui::UiManager::WaitUiTermination Wait ui termination of process id: 14012

      I analyzed the traces for this issue. I don't know WHY??? But I am not sure of the reason leading to this issue. There is an error in verifying dbghelp.prg, but I think it is not the main problem. But I want to know: can someone open KPM 9.0.2.1445 with patch g? What are the md5/SHA1 hashes of your dbghelp.prg?

      0x1e00 DBG gt::sign_checker::IsDskmSignCorrect
      22:54:47.669 0x1e00 DBG gt::sign_checker::`anonymous-namespace'::HelperWithTracer::TryGetShortFileName
      22:54:47.669 0x1e00 DBG gt::sign_checker::`anonymous-namespace'::ExtractorWithTracer::ExtractDskmKeys
      22:54:47.669 0x1e00 INF File with signatures: "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Password Manager 9.0.2\dbghelp.prg"
      22:54:47.669 0x1e00 DBG gt::sign_checker::`anonymous-namespace'::HelperWithTracer::CheckDskmSignature
      22:54:47.669 0x1e00 DBG gt::sign_checker::`anonymous-namespace'::HelperWithTracer::CheckDskmSignatureImpl
      22:54:47.669 0x1e00 DBG gt::sign_checker::`anonymous-namespace'::HelperWithTracer::CreateKeyList
      22:54:47.780 0x1e00 DBG Failed to check signature. Error 0xc58506ed

      On my side: md5: EAF821D2AC21576096D597208462D31B, sha1: 29A33339B75DABE57BCD0A63DA49F969F968A843, for C:\Program Files (x86)\Kaspersky Lab\Kaspersky Password Manager 9.0.2\dbghelp.prg
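A diagnostic script for the state described in the post above (a leftover kpm.exe running as SYSTEM while no user-session kpm.exe survives), added here as an example; it is not code from the post or from Kaspersky, and it assumes the process names kpm.exe and kpm_services.exe exactly as the post spells them.

```powershell
# Added example (not from the post or from Kaspersky). Lists every kpm.exe /
# kpm_services.exe instance with its owner and session, and warns when the
# "leftover SYSTEM kpm.exe with no user-session kpm.exe" state is present.
# Run from an elevated PowerShell so GetOwner() succeeds for SYSTEM processes.

function Get-KpmProcessState {
    $names  = @('kpm.exe', 'kpm_services.exe')        # names as written in the post
    $filter = ($names | ForEach-Object { "Name='$_'" }) -join ' OR '
    $procs  = @(Get-CimInstance -ClassName Win32_Process -Filter $filter)

    $rows = foreach ($p in $procs) {
        # GetOwner returns Domain/User; ReturnValue 0 means success
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        [pscustomobject]@{
            Name      = $p.Name
            Pid       = $p.ProcessId
            SessionId = $p.SessionId                     # 0 = services session
            Owner     = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
            Started   = $p.CreationDate
        }
    }

    $rows | Sort-Object Name, SessionId | Format-Table -AutoSize | Out-String | Write-Host

    $ui       = @($rows | Where-Object { $_.Name -eq 'kpm.exe' })
    $systemUi = @($ui | Where-Object { $_.SessionId -eq 0 -or $_.Owner -like '*\SYSTEM' })
    $userUi   = @($ui | Where-Object { $_.SessionId -gt 0 -and $_.Owner -notlike '*\SYSTEM' })

    if ($systemUi.Count -gt 0 -and $userUi.Count -eq 0) {
        $msg = 'Leftover kpm.exe running as SYSTEM (PID {0}) and no user-session kpm.exe; this matches the state in which a newly started KPM GUI is terminated.' -f ($systemUi.Pid -join ',')
        Write-Warning $msg
    }
    elseif ($ui.Count -eq 0) {
        Write-Host 'No kpm.exe instance is running.'
    }
    return $rows
}

Get-KpmProcessState | Out-Null
```

Collect this output alongside the KPM traces before and after quitting from the tray icon; the warning firing only after Quit reproduces the sequence the post describes.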
  19. Yes, I know. I don't think the default virtual card will disappear if you change the network setting. My idea is: ‘Is there a solution where you can lock the IP address for the virtual PC card, or could it use a bridged network?’ Try changing your virtual PC network to a bridged network and copy your local machine's IP address. Any better after that? I think this video could help you: Link. BTW, does anyone here also use Hyper-V? Have you encountered the same problem?
  20. Hello, why not use a bridged network for your Hyper-V network instead of NAT? I don't know Hyper-V, but in the VMware client there is a network setting named “Network Preference”. You can configure and lock the IP address of the virtual PC network there. Does Hyper-V also have a client with a place for network settings? Regards.
  21. Hello, did you set the Hyper-V network to NAT or another network type? You should lock the IP address of the Hyper-V network card; it should be OK then. Regards.