How to know if your PC is hacked? Suspicious Network Activity 101
Вставка
- Опубліковано 2 сер 2022
- How do you know if your PC is hacked or compromised or infected by malware? In this video we will introduce you to the field of digital forensics looking at suspicious network activity and guide you through autoruns, sysinternals and more, with the example of a live cryptominer.
There will be a live discord workshop after this event which you can join at discord.tpsc.tech/
Sponsored by: analyze.intezer.com/
Get TCPView: docs.microsoft.com/en-us/sysi...
Buy the best antivirus: thepcsecuritychannel.com/best...
Join the discussion on Discord: discord.tpsc.tech/
Get your business endpoints tested by us: tpsc.tech/
Contact us for business: thepcsecuritychannel.com/contact - Наука та технологія
"Sometimes, these hackers can be so clever that they stop the malware from running when task manager is running"
*Leaves task manager running 24/7, disconnecting from the internet when done*
Hacker: "You werent suppose to do that"
Big brain plays
Outplayed
turn off auto reconnect, make sure bios settings reflect said off state as some settings put it in a waiting for "wake" signal as a default.
I would just have done a clean install of Windows depending on how much junk I may have on it. That gets all of the malware unless it is Logofail. Also in that command was the wallet address the crypto miner was using. I don't like crypto mining but I do know that much anyhow. Unless it is gone from the computer it will just run again next time Windows starts. More advanced versions might check it to see if it is running and restart it. This not only steals from you but you might notice the CPU or graphics card running hotter if you monitor or you may notice your fans running louder than usual, even when the system is supposedly idle.
@@Myself-yh9rr Thats smart. Personally I would arduiously skim system32 and probe the whole windows file system, while letting some random indian guy on youtube guide me through it. And then pretend im smart after lol.
Basically Microsoft lets Windows be so buggy, that actual malicious activity can appear normal.
Microsoft never said they were doing it right lol 😂
That's because modern window *is* malicious spyware
@@kristopherleslie8343 No one brought up what Microsoft did or didn't say pea brain... lol 😂
Yeah, and the svchost in windows is like xinetd in linux. The difference being the latter is far easier and you can tell exactly what it does or what you let it do, based on easy and simple text configs, so it's much much safer. Windows svchost... I have no idea what it executes or if there is a way to manage it.
@@stan22677 Wrong. After Windows 7 there has not been a new operating system by Microsoft. Windows 8, 8.1, 10, and 11 are not operating systems, they are apps built on the Windows Mobile platform. Microsoft has preprogrammed backdoors into every one of their operating systems and apps to allow hackers, advertisers, and government agencies to use. Sure the hackers side wasn't intentional, but having 1 open backdoor into the system invites them in. The security updates you speak of block the old holes and open new holes. It takes the average malicious user roughly 1 hour to rewrite their code after an update is released to use the new holes. All they do is open up the security update files and locate the new holes.
So before trying to belittle someone, maybe you should get your facts straight. Nothing Microsoft has made since Windows XP is safe and secure for the average consumer.
Yep. Pls. Much more if this. I stopped disinfecting people's systems etc. I actually stopped all my IT related work some time ago but there is a severe lack of this particular type of knowledge so anyone picking up these skills are highly valuable to many people. Including themselves since this gives people more to explore and expand their skills even further. Very good channel. Keep it up!!
Subbed, liked, shared!
Me is a targeted induvidual. The government is following me.
You think glasswire firewall prevents stuff like this? It stops bs microsoft apps from connecting.
I’m bored. What’s your IP?
@@johnmadsen37 You're asking the wrong question. Millennial. If you're bored and want something to do, you should give me your IP.
Are you 100% sure you want my IP?
highly recommended Man even for average user
What I don't understand is why Microsoft doesn't make service names excluisve and especially the company name. It should be forbidden from anyone to set the company to Microsoft if it wasn't actually made by Microsoft.
You can see the company name in task manager, by right clicking on the process type on the top and clicking “Publisher”. But that won’t matter if a hacker hijacks an official process.
@@memememeson3994 funny tangential fact. when microsoft finds an exploitable bug in windows, they report to NSA first instead of fixing it.
@@udittlamba why would they do that? This doesn't seem like correct information. Microsoft discovers a vulnerability they are going to fix it asap. Why tell the NSA? It's not like they can weaponize the vulnerability. It will be patched.
"Finds" is an interesting verb to use in that sentence. Unless by finds you meant 'implements' and keeps them in place for half decades until they become a mainstream exploit.@@udittlamba
It's kinda like saying "Criminals don't have access to guns" And then be shocked when a Felon pulls a glock on someone. Criminals don't give a shit about who forbids what xD They'll do whatever it takes to steal your stuff.
Back in the good old days, hackers would actually let you know when you got GOT through some type of taunt message etc. Now, actual software gives you taunts and nag screen and hackers stay on the down low.
I had windows installations trash itself on my desktop for no reason and can't tell if it's windows or a virus at this point.
Even work laptops with fresh Windows installs gets bugged out at times.
Pd: Tried several virus scans in the past (Kaspersky rescue disk, emsisoft emergency kit, malwarebytes to name a few) but nothing comes out of it.
@@zNoah Something similar happened to me, in my case it was the keyboard, the delete key became defective to the point that it would activate by itself, so anything that i had selected at the time would get deleted, to "solve" this i disabled the key using a program that made the key useless.
Yup I remember the time I got my friends PC hacked when I was 12 like it was yesterday. Had to have the diablo II maphack so of course I downloaded it, the screen turned blue then someone typed "Hello, how's your day going?"
@@James-uk4xiah hell naw💀… what happened after that ?
@@youngjrr I said "Hey Deven, I think your computer just got hacked." He came over, took one look and hit the power button. I left to go do something else, then came back a couple days later and he had installed a virus free maphack for me.
Just getting back into the PC for fun world after 10 years hiatus, really appreciate this video man. Picked up sysinternal (thanks for sharing about that, didn't even know) and have been playing around with couple of the tools you used here. Definitely need to learn more about network security, looking forward to your other videos
As someone who's PC has been getting frequent CPU spikes, I'm definitely using this video in the (probably near) future.
How old is your pc btw? If it's more than 2+ yrs old, and there's no malware, it might be just be your PC getting close to warranty.
@@R.K_Chalkboard omg, imagine a pc with 2 years already dieing lol
Are your graphics drivers updated?
my pc is 7 years old it has a 9 year old proccesor its i3-4130 and i have my old nvidia gt 640 2gb vram edition installed btw my thermal paste has not been changed since when i had my pc the proccesor was plugged in my pc since when it came and my cpu is acting strange i am getting glitchy screens at a rare case anyone know what i have to do i do not want to spend any money to upgrade it should i install another os? right now i have windows 10 which os should i install then?
@@MLPFAN_isLost First thing to do imo is open task manager when it happens, if anything is at 100% usage then that's where your issue is from(alot of causes for high usage of X)
Videos like these are so important it's almost a crime you don't have more views and subs, if I were a boss at UA-cam I would be pushing content like this like crazy.
These videos are just great. I really enjoy the way you present this information. This is such a nonintuitive subject for most people, and yet it's so critical to learn the fundamentals... Thank you :)
Live workshop right after the video premiers, sign up here: discord.gg/tgeTFAqk?event=1003367587763208293
Too easy! Recently found multiple signed & undetected malware on my Mom’s PC. She’s always downloading random stuff lol
Take her pc away
@@Emily_Bondevik_Official Yeah right
@@Emily_Bondevik_Official the ultimate uno reverse card
Create another account for her with limited access.
Buy her a Mac , windows is trash
Very nice, well edited, good composure. You got a sub from me 👍
Honestly, thank you so much for this video. It really helped me to not only remove the xmrig file from my computer, but also confront the attacker themselves. Thank you so much
Amazing video! Never saw a content like this, very interesting and important! Thank you!
Will defo use this as my network has been quite strange
I recently helped a friend figure this out and this video really helped explain what we found!
This video is priceless, thank you so much.
I usually have encrypted backups on a separate disk but this is good knowledge to have. Some people don't want to wipe.
Don't give up mate, that was my first day to use soft soft and i will work on it for a long ti!
I think I speak for everyone when I say…. that You Sir are hands down some of the absolute best value of our time spent watching online content! Thank you for your incredible devotion to others.
did you found the program he's using to monitor the processes?
Very good content, I learned a lot! Thank you!
Thanks dude this really helped me a lot I did the steps that's you did thanks man!
2:00 process explorer rather than process monitor, maybe the priogram changed name in his more recent vid
2:30 sudeenly taking alot of cpu
4:50 making sure miner goes away
5:38 how to know which of these is legitmate or not
7:10 miners canbe smart drop processes when u opne task mangaer
8:20 terminating process tree
then summary of above
"If you open up something like Task Manager, they just drop all of their resource usage"
I guess good thing I have Task Manager always open?
XD
Thats smart af
Clever
Great video! lots of info! Lots to follow. but good stuff. Thanks! Also, What is that on your wallpaper? I like it!
I had that XMR miner, and he's right, sometimes they can't be detected. Windows Defender and the full version of Malwarebytes didn't see it. I ran a tool called AdwCleaner and it was able to find it. It's a free tool made by Malwarebytes, but it's a separate download.
I just wanna say buddy I love your channel. Thank you for your work.
Wonderful! Great job and thankyou very much!❤
Great work 🥳 Thank you 💜
man, thank you for making videos, very helpful
The dead giveway in the Task manager is the process has no name. SVCHost is a legit process that runs on Windows, but it would list itself as SVCHost in the Task manager, so the fact it doesn't show a name is a huge sign, not to mention the high resource usage as you mentioned. Monitoring your overall system usage is a good way to determine if something suspicious is going on. Of course if you're running programs or doing something, then this will sort of muddy the information but if you're computer isn't doing anything and no programs are open but you ahve high usage, chances are you PC is hacked (there is a slightly delay though when you close programs, as some programs do have to do some clean up tasks behind the scenes, but say after a minute, if the resource usage doesn't settle down after closing all programs, then you may have a problem).
thank you my man for learning me something new :)😍
HOLYY SHIITTT I LOVE YOU ❤❤❤ I'VE BEEN SEARCHING AROUND THE INTERNET FOR 5 HOURS AND THEN NOW IT'S OVER FINALLY I LOVE YOU MAAN
The comnt section is very positive and downright encouraging! Love it!
Valuable information. Awesome.
very nice how the logo brightens up when you say Subscribe.
You are the boss bro!!! Thank you a lot!
Hi Leo, excellent video. This is a wake-up call to action to understand the art of network security and how easily you can be hacked into by anybody who is trying to do harm to you on the Internet. There's more concern for people attempting to exploit you in many ways. Is encrypting your browser the best way of blocking information? Is encrypting your protected folders the best way to protect you from would-be attackers?
Your browser traffic is already encrypted.
Well probably the best move you can make is by switching to either MacOS or Linux
@@seansingh4421even a chromebook and chromebox would be better. Using any of the above would be the #1 thing.
@@seansingh4421 “singh”
Go back to India 😂
Omg I think this random video solved exactly the issue u have been having for a few months now
Hello, nice video. Once thing though, you didn't tell your viewers how to find the actual EXE on the Windows system and how to do a VirusTotal scan. Also, you didn't mention how to find and remove the autostart entry and all mention of the EXE in the Registry. Finally, it should be possible to block the in/outgoing traffic using Windows Firewall.
Great info, wish I had known this stuff years ago
Everything you have explained seems very legitimate and logical to my understanding to my knowledge. Thank you for this video. Didnt hear you mention any, but are there any recommended Anti-Malware systems that you would recommend, (if any) to prevent or minimize these so one doesn't have to always have to manually remove them?
Had an issue at work years ago, back when we still had Windows XP on the machines (late to move to Windows 7). Task Manager would show explorer at 50% and would freeze for ages. Eventually I was actually given time to investigate (managers deciding just wiping the laptops is quicker have no idea. It wasn't quicker). Used Process Explorer and could see one .dll in Explorer was causing explorer to run at 50%. Turned out it was a pgp dll that just scanned the network for files that were encrypted so it could change the display icon. We never encrypted files just used PGP for whole drive encryption. I disabled the .dll and it fixed the issue in under a min, compared to wiping the laptops and starting again.
Do you think that completely deleting Windows and reinstalling it will remove any viruses?
@@User-jr7vf Yes. Although as Mark Russinovich said in one of his malware talks. You shouldn't have to. You can clean a system without wiping Windows.
Absolutely interesting video and just made me think if my old PC had CryptoMiner on it because the CPU usage went up randomly alot and the system was using all of it,
Deserved Sub and Like.
depends how much if its only bump up to 20% or less its normal
@@ivo3598 It bumps up to 80-90% very often and system is using all of it
Do you have a link to the part 1 video that this video mentions? Or have I just missed it somewhere in the notes?
Great tutorial - But what I am missing here is how you determined that it was a threat and will the tool help in color-coding these threats so they can be visually ID'ed? My list of processes is very long and from the Icons I can determine what, but without some kind of indication I am afraid it is hard to identify - Can you also tell me where I can download the graphical toll "United Graph"...Please advise, Thanks!
I was hoping to learn how to know if my PC is hacked by watching this video, but instead all I learned is that I have no idea how networking works.
Thanks for this resourceful tool.
Wow thank you so much that really helped
Hi, great video. Would you please consider linking to the videos you reference in your videos? You say "in the previous video we did such and such" but it's hard to know what that video is. Thanks! Great work by the way!
This should be mandatory to teach in high school. It boggles my mind how O was never taught any of this and told to simply mindlessly trust the security software.
you can make the text bigger or drop resolution - only in HD res can anyone read the text on screen
This is good, but omg I was looking all over the Process Explorer App for "TCP View", I even looked in the view menu but couldn't see it and then at the end when I seen you switch to it I realise it was another program hahaha!
VERY interesting! ...I was wondering why my windows units were using so much power ...my DAW desk needs new thermal paste after just one year! ...with electricity prices I can only power them up for short sessions now anyway... - but NICE HEADS UP!!!
Some malwares stops when you open Process Explorer too. I discovered I had a Crypto Mining Malware thanks to Nvidia GPU Activity.
In case you're wondering, that's a monero cryptominer. You can probably even see the wallet id number on the first app.
Nice presentation!
Hi! Thanks so much for this video and tools. Great! What to do when a URL is offline? Intezer Analytics is not supporting this. The program calls URL's like that highly suspicious. What would be the best approach?
Is there a way to track how the malware ended up on your pc?
Thanks again
I've noticed unusual disk activity along with slow running app(s), and then when I go to task manager it takes a while to start, and once it starts the disk activity stops. Sometimes the hard drive light is still and on and task manager says there is no activity and shortly afterwards the light goes off. I often wonder if some kind of malware is stalling the task manager until it can hide.
Thanks for this information. It will be useful and I will be looking into more content on your channel. Thanks again.👍
How do I add the operations column?
I can't seem to find it.
So uh, you said some tricky hackers will hide their cpu usage.. I notice when I open task manager for a split second my cpu usage is 50 something percent, then drops right down to 1 or 2% Am I hacked or does it ramp up for a second just opening task manager? Also most of my games crash as soon as I open them lately, trying to figure that out... IF I do have a hacker, I've already reinstalled windows 10 and I ran that tron script from reddit I saw in a different video for good measure. Shouldn't that have taken care of it?
Thank you!
I'm late to the party here. Thanks for once for the algorithm working. Preparing for a deep dive into your channel
Thanks!
Damn this guy was really thankful.
My laptop had basically this exact thing happening, when I left my laptop idle for a significant amount of time an instance of svchost would start using about 50% of my cpu, I had suspected it might be a crypto miner but I didn't know what to do about it other than terminating the process which I had to be very quick to do after I started moving my mouse before it would terminate itself
So how do you combat this because if it’s impersonated programs just closing the process tree isn’t enough
Does formatting/fresh install windows get rid of malware etc?
Thx alot 🙏 , question where i can report the ip?
👍Thanks!
OMG, thank you!!!!
Hey, thanks for the info bro…
checked this out for myself, turns out my computer is just ass slow
good video anyways sure to be helpful for others
07:09 : This scenario you describe could have never happened if MS hadn't removed useful utilities that they used to have until windows 7.
Spesifically , until windows 7 you could always have enabled a gadget which was monitoring the CPU and RAM usage of the system !!
No matter how smart a malware is , *if you can monitor the CPU/RAM all the time(like you could back then) ,then it can not hide from you* .
I always had this gadget enabled , until MS removed it from windows 10 and later . Such a useful monitor utility , windows are going backwards instead of going forward ....
-- P.S. This utility had helped me to find that something was wrong in a PC in my work enviroment and ultimately this helped me to spot a malware and clean that PC .
Or you just fully move to Linux, where no system process can run without a root password.
There is a thing called Resource Manager,
@@Mario583a what you are saying exists in all of windows versions(you could see a version of a recource manager in windows 7 as well ) , but do you know anyone who would have such a huge bulky thing *always enabled* on their monitor ??? that's what i argued in what PC Securiy channel said , *he said that a sophisticated malware can recognise whenever the resource manager is being opened , so it hides itself when that happens* .
What i'm saying is about a very small (takes very little space on the top-corner of the monitor) but super-useful gadget that existed until windows 7 , which anyone could afford to have it *ALWAYS-ON* ,and it could be used for a very quick glimpse to check if everything is normal in your system recources .
You had the option to have that gadget always on ,permanent , while what you say has to be re-activated with every PC-restart , besides the fact that it's not practical to have it always on (very bulky as i said ,i don't know many people who would chose to have something like that always enabled on their monitor ... do you have that always on ? *that's what i argued in the first place* ... the always-on part ... )
It doesn't come with Windows, so this isn't a direct answer, but Process Explorer effectively serves that purpose (at least the way I use it); I have it auto-load into the taskbar tray on boot and sit there showing system resource graphs all the time.
PSA: Use Process Explorer. It's much more useful than Task Manager.
@@maynnemillareslinux is not beginner friendly
Oooh that reduction on power when task manager opens is nasty. I had one of those and I never was able to find it, so I reimaged my PC (after backing up my files)
How did you know your pc was infected in the first place then?
@@Adama.1 Performance dips while running games that did not dip before and lag on startup
I don't know for *certain* that's what it was, but it's the only explanation I've found that makes sense
I tried searching with TCPView, and found some processes with malicious links. But when I try to kill the processes, TCP won't let me. I tried scanning with Hitmanpro, NortonPowerEreaser, and Kaspersky but none of them came back with any results. What can I do to fix my problem aside from reinstalling windows?
I'd like to know where the executing code is stored. Since it survives a reboot, it has to persist somewhere. Isn't that something that can be deleted? Or where's the very first 'launch point" (my term), when, during the Windows startup process, the crypto miner becomes active? I may not have understood, but these vital issues seem unaddressed in this video. I'd even like to know why no antivirus scan can detect it, seems like it can be done given that you did it. And a remedy? What does one do to FIX this?
My main concern is that I must look at multiple attachments for my work. We know that there are several phishing attacks/malware that come through. As it is a remote job, I work on my personal Laptop. I have Windows 11 Home. I had a bitch of a time trying to get VMware and Virtual box for my VM, which failed...and now, I successfully activated Sandboxie. I followed all of these instructions, but am afraid I may still be vulnerable. Do you have any suggestions?
yes so get norton
@@A-hill-music-productionsJesus Christ, no. Stay away from anything other than malwarebytes' products and windows defender.
@@flyingspaghetti bro noooo what makes u say that
Thank you, I just subbed. I definitely would like to received new vids.
I had a problem with a bitcoiin miner about a year ago.
I noticed it was running my CPU insanely high for nothing. Used TM to suss it out and kill, but everytime I booted my PC, it kept coming back.
So basically, I just did a bunch of trail and error, referencing processes, scared out of my mind i'd accidentally delete my system32 folder or something stupid like that.
Turned out, the the process somehow got root level and I had to access my activation settings to figure out where it was really coming from, since the file came back whenever I rebooted. Once I killed the boot process, I was able to kill the process and finally delete the source file.
Felt like a super hacker at the time, but man, I coulda made it much easier, apparently.
2:57 lol, you made me just involuntarily open task manager just to check my cpu/gpu load... hehe,
Now, i will continue to see your clip. 😁
P.S.: Can you please put the link to the previous clip in this topic in the description or as a comment? It is so hard to look for specific clip on yt than we sometimes abandon that. Usually i go for specific date, but searching to the whole channel just for a date is tremendous and a few people will do it.
Yours, is only 4 month old now, so is not hard to reach, but later on it will be harder and harder.
So, if you can, just put the link to previous clip and keep retention more.
Thanks!
do you have this too
if Windows authentication is enabled, they also can
hack then?
What's the name of the Windows Service that runs quietly in the background that is like a remote desktop program?
Great video!
Hey are there any alternatives to process hacker cuz my bit coin miner does the same thing to Process hacker as task manager (terminate when its opened)
I'm getting several remote addresses on system idle process, is this normal?
can you checked mine too it is still available your live discord workshop? looking forward to your answer thanks
Good to know 👍🏻
where can I get sample of the Cryptomining malware?
You said that a cryptominer can lower the activity or shutdown its software so that you don't see it with task manager. In that case how do find it and deal with it?
Thanks Leo
When I want to see the TCP/IP menu it tells me that the outgoing packets (Remote) are from my ip and a port, and the incoming packets (Local) are also from my ip, but with another port. In short, no IP comes out, but it is connected to the internet... How does that work?
Exactly what i found today. It wasnt there for long but I noticed something was fishy. its well hidden behind other task names, saved deep in x32 and grabs hold of admin accesses.
If i can find it then its obv not that tricky but still clever enough to where I didn't notice it for a period of time
yes, i am grateful to tell them telling my ip password cuz i frequently forget
Didn’t watch it yet
But you get the like for being a hero
I had this same miner but it was a ETH Miner, I downloaded Rouge Killer and it got rid of it forever. Thank god cause I did not want to reformat.
all of this investigation requires you to connect unto internet?
Added to Favorites. Like and comment too.