ekrn.exe resource usage

Discussion in 'ESET Smart Security v3 Beta Forum' started by peterbra, Oct 5, 2007.

Thread Status:
Not open for further replies.
  1. peterbra

    peterbra Registered Member

    Joined: Jul 3, 2007
    Posts: 8

    Hi,

    Just sharing with you something I've noticed.
    ESS is running GREAT on my machine. I really haven't had any problems except a few issues when I had to reinstall ESS to Beta 2 (but more or less everybody here had those issues :D )

    What I saw is:
    SOMETIMES ekrn.exe is using 100% of resources when I open Task Manager. THIS DOESN'T HAPPEN ALL THE TIME. I think this happens every second time I turn on the comp, but although it is using 100% resources - I really don't have any "freezings" or "stopping", nor do my applications run slower than usual.

    I am fighting with the thought that it actually doesn't use that many resources, but TM sees that it does o_O

    Does this make any sense o_O

    EDIT:

    I just did some investigation on this... and I'm NOT AN EXPERT, but after I killed the ekrn.exe TCP connection to mail2.nextdaypc.com the CPU usage went back to 0% o_O

    Is this ESS in any way connected to that mail2.nextdaypc.com? o_O If not, why is my ekrn.exe communicating with it? o_O
     
    Last edited: Oct 5, 2007
  2. freesurfer

    freesurfer Registered Member

    Joined: Sep 26, 2007
    Posts: 57

    I'm guessing it's not NOD32 that's connecting to mail2.nextdaypc.com. Here's what's probably happening: another program is connecting to that address and ESS' firewall or web access protection is analyzing the connection or the data being exchanged. Terminating ekrn and noticing that the connection to the mentioned address makes sense since w/o "interference" (more like w/o protection) from ESS, the actual program connected to the address terminates as it probably has finished doing what it is doing.

    Here's something you could do to investigate "who" is really connected to mail2.nextdaypc.com. You must do this when you are encountering what you have mentioned, before you terminate ekrn.exe:
    - Start -> Run.
    - Type "cmd" and click OK. Console will appear.
    - Type "netstat -ao" and press Enter.
    It will list all the connections (listening, connecting, connected, etc.), ports, addresses, protocols, and PIDs (process IDs). (If you want IP addresses and don't want to resolve the names, type "netstat -ano".) Look for the address in the Foreign Address column and note the PID. Using the Task Manager, with the PID field showing, check the name of the program. Again, you must do this when you are encountering what you have mentioned, before you terminate ekrn.exe.

    Good luck and happy hunting :)

    regards.
     
  3. peterbra

    peterbra Registered Member

    Joined: Jul 3, 2007
    Posts: 8

    Thanks freesurfer.

    I was using TCP View for that purpose :)

    It stated there that ekrn.exe is connected to that site. WHY? I just re-booted the comp, with no opened browsers. I just turned on the computer and connected to the net and I was looking at what was happening - the ekrn.exe was communicating with that address. I scanned for malware or trojans - none was found. (I used one more antivirus besides NOD - just to be sure).

    So those two questions are really bothering me: what is happening and why?
     
  4. Marcos

    Marcos Eset Staff Account

    Joined: Nov 22, 2002
    Posts: 14,374

    Something else must have connected to that site, hence you see ekrn.exe connected.
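
freesurfer's netstat/PID lookup combined with Marcos's point that ekrn.exe shows up as the connection owner, as an added example that is not part of any post in this thread and not ESET's code: it parses `netstat -ano` and `tasklist /FO CSV /NH` output, finds the PID holding the remote connection, then lists other processes connected to that PID over loopback. The sample output, the address 203.0.113.25, the ports, the PIDs and `mailclient.exe` are constructed, and the idea that the scanner is reached over a loopback socket is an assumption the thread does not state.

```python
import csv
import io

# Constructed sample of `netstat -ano` output; addresses, ports and PIDs are made up.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:8899         0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:1045         127.0.0.1:8899         ESTABLISHED     2120
  TCP    127.0.0.1:8899         127.0.0.1:1045         ESTABLISHED     1234
  TCP    192.168.1.10:1061      203.0.113.25:110       ESTABLISHED     1234
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed sample of `tasklist /FO CSV /NH` output.
TASKLIST = '''\
"ekrn.exe","1234","Services","0","45,000 K"
"mailclient.exe","2120","Console","0","30,500 K"
'''

def tcp_rows(netstat_text):
    """Yield (local, foreign, state, pid) per TCP row; headers and UDP rows are skipped."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            yield f[1], f[2], f[3], int(f[4])

def pid_names(tasklist_text):
    """Map PID -> image name from tasklist CSV rows."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(tasklist_text)) if len(r) > 1}

def owners(remote_ip, netstat_text, tasklist_text):
    """Processes holding a TCP connection whose foreign address is remote_ip."""
    names = pid_names(tasklist_text)
    return sorted({(pid, names.get(pid, "?")) for _, foreign, _, pid in tcp_rows(netstat_text)
                   if foreign.rsplit(":", 1)[0] == remote_ip})

def loopback_clients(pid, netstat_text, tasklist_text):
    """Other processes with an established loopback connection to a socket owned by pid."""
    names = pid_names(tasklist_text)
    rows = list(tcp_rows(netstat_text))
    owned = {local for local, _, _, p in rows if p == pid and local.startswith("127.")}
    return sorted({(p, names.get(p, "?")) for _, foreign, state, p in rows
                   if p != pid and state == "ESTABLISHED" and foreign in owned})

if __name__ == "__main__":
    for pid, name in owners("203.0.113.25", NETSTAT, TASKLIST):
        print(pid, name, "<- loopback clients:", loopback_clients(pid, NETSTAT, TASKLIST))
```

The loopback list gives candidates only: when several programs are connected to the same intermediary at once, netstat alone cannot say which of them caused a particular outbound connection.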
     
  5. peterbra

    peterbra Registered Member

    Joined: Jul 3, 2007
    Posts: 8

    Yea, I figured that out, but I'm in big trouble now - WHAT o_O

    I'm carefully monitoring all traffic now - I'll let you know why this is happening. The biggest worry is why it was using 100% resources while connected to THAT PARTICULAR address. I see now in TCP View several ekrn connections to addresses opened in FFOX, but resource usage is below 2%.

    I'm waiting for that address to pop up one more time to see what it is about - I'll let you know.

    Thanks for the help!
     