Task manager tries to connect to the internet |
pandy |
Dec 24 2023, 07:40 PM
Post
#1
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
Why?
I've used TinyWall for several years, but haven't really looked at all the features. I found it can show all connections it has blocked the last 5 minutes. Taskmgr.exe has been blocked more than a hundred times - in 5 minutes. Why does it try to get out at all? Obviously it doesn't hurt anything that it's blocked, not that I've noticed anyway.

Note, TinyWall isn't a firewall in the usual sense. It sits on top of Windows firewall and works by simply blocking all connections except those you OK. So when you first install it there's some fiddling. I think it's great, even if you have to remember to OK all new programs, but that's quickly done. I suppose it can be used as the only FW, but I keep the Windows one running. If anyone wants to try it, please note it doesn't work together with other firewall software, just the Windows one.

This is only the top of the list. You can see it's just 2 or 3 seconds between tries. I don't know what the System process is about either. I didn't have to OK any system processes when I installed TinyWall, so it must have a built-in whitelist. |
Christian J |
Dec 25 2023, 06:15 AM
Post
#2
|
. Group: WDG Moderators Posts: 9,722 Joined: 10-August 06 Member No.: 7 |
Maybe it's telemetry, but the IP 91.92.240.95 (91.92.240.0 - 91.92.240.255) seems to belong to the (hosting?) company Limenet, not Microsoft.
Have you been running Task manager at these times? Is it possible to tell if it's running in the background (without using Task Manager itself)? |
pandy |
Dec 25 2023, 08:20 AM
Post
#3
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
I don't know. But it's the same now and I don't have Task manager running.
Yeah, Limenet is odd. I don't know exactly what it is. But I found the IP is on some blacklists, seems connected to spam. Can't link with query string, you need to paste the IP in: 91.92.240.95 . https://whatismyipaddress.com/blacklist-check |
pandy |
Dec 25 2023, 08:33 AM
Post
#4
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
I have 16 copies of taskmgr.exe. One of them is in a program directory which is maybe suspicious. Of course nothing stops people from naming their programs anything, but would a sensible person choose that name?
How many copies do you have? I expected to find just one! I scanned the one in the program directory with Defender that didn't find anything wrong with it. |
pandy |
Dec 25 2023, 08:59 AM
Post
#5
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
OK. The one in the program directory is different from the others. Much larger to start with.
The ones in more expected directories have next to no information in Properties and lack the signature tab. The fishy one says it comes from Microsoft and was originally called Lklropl.exe, a file name there is absolutely no information about. I also tried LkIropI.exe and so on. It's hard to see the small text and it can't be copied. Micro-Star International seems to be a legit company, but I guess these things can be faked. Why does it refer to both Microsoft and Micro-Star? Seems odd. https://en.wikipedia.org/wiki/Micro-Star_International Whatever it is TinyWall seems to stop it, so that's good. |
pandy |
Dec 25 2023, 09:04 AM
Post
#6
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
Funny thing. When I googled LkIropI.exe there was one single hit. This.
https://answers.microsoft.com/en-us/windows...85-f401e987f5c8 But there's no mention of that file name in the text. |
Christian J |
Dec 27 2023, 09:27 AM
Post
#7
|
. Group: WDG Moderators Posts: 9,722 Joined: 10-August 06 Member No.: 7 |
|
Christian J |
Dec 27 2023, 09:28 AM
Post
#8
|
. Group: WDG Moderators Posts: 9,722 Joined: 10-August 06 Member No.: 7 |
QUOTE I have 16 copies of taskmgr.exe. One of them is in a program directory which is maybe suspicious.
Which program's directory? Is that program trustworthy?
QUOTE Of course nothing stops people from naming their programs anything, but would a sensible person choose that name?
Malware may disguise itself as well-known programs.
QUOTE How many copies do you have? I expected to find just one!
I only have one, in the Windows\System32 directory. |
pandy |
Dec 27 2023, 10:45 AM
Post
#9
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
QUOTE Which program's directory? Is that program trustworthy?
Yes, very.
QUOTE QUOTE Of course nothing stops people from naming their programs anything, but would a sensible person choose that name? Malware may disguise itself as well-known programs.
That's why I worry. At first I was just curious about what Task Manager was up to. But anyhow, TinyWall stops them from getting out.
QUOTE QUOTE How many copies do you have? I expected to find just one! I only have one, in the Windows\System32 directory.
Attached a list of mine (except the big one). The big one had also placed itself in AppData\Roaming, so there are 12 others. They have different sizes and all are pretty new. I find that strange. The one in System32 is the real thing and should be as old as the computer. Then again, MS might have updated it, of course. As you can see there are also a couple of taskmgr.exe-****.pf and I have 156 copies of taskmgr.exe.mui. At the bottom of the list there are 6 copies of taskmgr.exe.mun . Anyway, I've found that the only one that tries to get out is the one in AppData\Roaming. I'll do some deleting and see what happens. Sigh. |
pandy |
Dec 27 2023, 10:50 AM
Post
#10
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
|
pandy |
Dec 27 2023, 11:04 AM
Post
#11
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
On the Details tab in Task Manager I see 6 Taskmgr.exe processes. 1 is the real thing. All the others come from those two big files, the one in the program directory and the one in Roaming. So I guess it would be safe to kill those processes. I was unsure about if task manager showed itself, so to speak.
Here goes nothing. |
pandy |
Dec 27 2023, 11:13 AM
Post
#12
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
Gaah! Now it couldn't be deleted because it was open in Windows Explorer.
So command line. No go! "The process cannot access the file because it is being used by another process." OK! UnLockIt fixed it. Both gone. I'll reboot and see if they come back again. |
pandy |
Dec 27 2023, 11:40 AM
Post
#13
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
Nope. Didn't come back. But the mystery continues.
All the others are gone too from TinyWall's list of blocked programs. It only blocks two System processes now. Nothing else. Still have 14 copies though. |
Christian J |
Dec 27 2023, 12:17 PM
Post
#14
|
. Group: WDG Moderators Posts: 9,722 Joined: 10-August 06 Member No.: 7 |
QUOTE QUOTE Which program's directory? Is that program trustworthy? Yes, very.
How about its download source? Also something must have started all these processes, either a compromised program or something that autostarts with Windows. |
Christian J |
Dec 27 2023, 12:18 PM
Post
#15
|
. Group: WDG Moderators Posts: 9,722 Joined: 10-August 06 Member No.: 7 |
|
pandy |
Dec 27 2023, 01:53 PM
Post
#16
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
Nope. I don't know how to do that. I know there are programs, "process viewers", that dig deep down, but that's over my head.
But I tried to delete the one in Roaming first. Maybe it was run by the one in the program directory. |
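One way to answer the questions raised in posts #11 and #14 (which file each running Taskmgr.exe process comes from, and what started it), as an added PowerShell example that is not part of the original thread. The list of expected locations is an assumption, and the session should be elevated so that ExecutablePath is populated.

```powershell
# Added example (not from the thread). Run from an elevated prompt; without
# elevation ExecutablePath is empty for processes owned by other users.
# Assumption: the only legitimate locations for a running Task Manager.
$expected = @(
    (Join-Path $env:WINDIR 'System32\Taskmgr.exe'),
    (Join-Path $env:WINDIR 'SysWOW64\Taskmgr.exe')
)

$all   = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($p in $all | Where-Object { $_.Name -ieq 'Taskmgr.exe' }) {
    $path   = $p.ExecutablePath
    $parent = $byPid[[int]$p.ParentProcessId]
    # PIDs are reused: a "parent" created after the child is not the real one.
    if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }

    $row = [ordered]@{
        PID              = $p.ProcessId
        Path             = $path
        Started          = $p.CreationDate
        ParentPID        = $p.ParentProcessId
        ParentPath       = if ($parent) { $parent.ExecutablePath } else { '(exited or PID reused)' }
        ExpectedLocation = [bool]($path -and ($expected -contains $path))
        SignatureStatus  = $null
        IsOSBinary       = $null
        Signer           = $null
        OriginalFilename = $null
        CompanyName      = $null
        SHA256           = $null
    }
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $ver = (Get-Item -LiteralPath $path).VersionInfo
        $row.SignatureStatus  = $sig.Status
        $row.IsOSBinary       = $sig.IsOSBinary
        if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
        $row.OriginalFilename = $ver.OriginalFilename
        $row.CompanyName      = $ver.CompanyName
        $row.SHA256           = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
    [pscustomobject]$row
}

# Unexpected locations first, then by start time.
$report | Sort-Object ExpectedLocation, Started | Format-List
```

Rows with ExpectedLocation False are the ones to examine: ParentPath shows what launched them, and the SHA256 value can be looked up without uploading the file itself.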
pandy |
Dec 27 2023, 07:11 PM
Post
#17
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
I saved a zipped up copy of the one in Roaming, but forgot to do it with the one in the program directory. Probably doesn't matter since they were exactly the same size. I'm curious about this so I might download some other AV when I get around to it and see if that knows what it is.
|
pandy |
Dec 27 2023, 10:21 PM
Post
#18
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
Tried ClamWin that didn't find anything.
Then I uploaded the zip to one of those online virus sites. I don't know if it can be trusted or not. But it did find a whole lot. 🥶 https://www.virustotal.com/gui/file/53f73e4...a3e92?nocache=1 Why do they all call it different things? Not easy to google. |
pandy |
Dec 27 2023, 11:06 PM
Post
#19
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
I downloaded a free version of one of the software that did detect something at virustotal, eScan. Never heard of it before. But it did detect the zipped virus.
CODE
File C:\Users\user\AppData\Roaming\Taskmgr - possible virus.zip infected by "IL:Trojan.MSILZilla.22206[ZP] (DB)" Virus! Action Taken: No Action Taken.

I'll let it scan the whole computer tomorrow. I don't want to leave it on while I sleep.

Very nice GUI on that eScan! Like old times, not flashy and confusing and looking like a webpage with childish colours and huge buttons. Why did this look go out of style? Just look at the screen cap here https://www.escanav.com/en/mwav-tools/downl...rus-toolkit.asp . What more do you need? It takes 5 seconds to learn how to use it. Those newfangled things drive me nuts with their obscure interfaces and automated everything. This lets me do just what I want - just scan and report and THEN I decide what to do with what it finds. No risk that little burp program you loved so much is deleted by mistake.

Read what it says under the screen cap too. It's portable. Wonder where it puts all files it downloads though. I mean, if you put it on a stick and run it on another person's machine you would want to clean up afterwards. Log files go in AppData, but I haven't found the many virus files it downloaded yet. I'd prefer if it put everything in the program directory so one could just remove the stick and leave no traces. |
pandy |
Dec 28 2023, 10:38 AM
Post
#20
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
It was pretty fast. I set it to scan everything - except mobile, but that's a nice feature, if it means phone. Two 500 GB hard drives and a 250 GB SSD, all pretty full. 2:10:16.
Found 37 threats. I see at a glance that many are not but I'll have to go through the rest. |