Task manager tries to connect to the internet |
pandy |
Dec 24 2023, 07:40 PM
Post
#1
|
🌟Computer says no🌟 Group: WDG Moderators Posts: 20,753 Joined: 9-August 06 Member No.: 6 |
Why?
I've used TinyWall for several years, but haven't really looked at all the features. I found it can show all connections it has blocked the last 5 minutes. Taskmgr.exe has been blocked more than a hundred times - in 5 minutes. Why does it try to get out at all? Obviously it doesn't hurt anything that it's blocked, not that I've noticed anyway.
Note, TinyWall isn't a firewall in the usual sense. It sits on top of Windows firewall and works by simply blocking all connections except those you OK. So when you first install it there's some fiddling. I think it's great, even if you have to remember to OK all new programs, but that's quickly done. I suppose it can be used as the only FW, but I keep the Windows one running. If anyone wants to try it, please note it doesn't work together with other firewall software, just the Windows one.
This is only the top of the list. You can see it's just 2 or 3 seconds between tries. I don't know what the System process is about either. I didn't have to OK any system processes when I installed TinyWall, so it must have a built-in whitelist. |
Christian J |
Dec 25 2023, 06:15 AM
Post
#2
|
. Group: WDG Moderators Posts: 9,722 Joined: 10-August 06 Member No.: 7 |
Maybe it's telemetry, but the IP 91.92.240.95 (91.92.240.0 - 91.92.240.255) seems to belong to the (hosting?) company Limenet, not Microsoft.
Have you been running Task manager at these times? Is it possible to tell if it's running in the background (without using Task Manager itself)? |
pandy |
Dec 25 2023, 08:20 AM
Post
#3
|
I don't know. But it's the same now and I don't have Task manager running.
Yeah, Limenet is odd. I don't know exactly what it is. But I found the IP is on some blacklists, seems connected to spam. Can't link with query string, you need to paste the IP in: 91.92.240.95 . https://whatismyipaddress.com/blacklist-check |
pandy |
Dec 25 2023, 08:33 AM
Post
#4
|
I have 16 copies of taskmgr.exe. One of them is in a program directory which is maybe suspicious. Of course nothing stops people from naming their programs anything, but would a sensible person choose that name?
How many copies do you have? I expected to find just one! I scanned the one in the program directory with Defender that didn't find anything wrong with it. |
Christian J |
Dec 27 2023, 09:28 AM
Post
#5
|
QUOTE I have 16 copies of taskmgr.exe. One of them is in a program directory which is maybe suspicious.
Which program's directory? Is that program trustworthy?
QUOTE Of course nothing stops people from naming their programs anything, but would a sensible person choose that name?
Malware may disguise itself as well-known programs.
QUOTE How many copies do you have? I expected to find just one!
I only have one, in the Windows\System32 directory. |
pandy |
Dec 27 2023, 10:45 AM
Post
#6
|
QUOTE Which program's directory? Is that program trustworthy?
Yes, very.
QUOTE QUOTE Of course nothing stops people from naming their programs anything, but would a sensible person choose that name? Malware may disguise itself as well-known programs.
That's why I worry. At first I was just curious about what Task Manager was up to. But anyhow, TinyWall stops them from getting out.
QUOTE QUOTE How many copies do you have? I expected to find just one! I only have one, in the Windows\System32 directory.
Attached a list of mine (except the big one). The big one had also placed itself in AppData\Roaming, so there are 12 others. They have different sizes and all are pretty new. I find that strange. The one in System32 is the real thing and should be as old as the computer. Then again, MS might have updated it, of course. As you can see there are also a couple of taskmgr.exe-****.pf and I have 156 copies of taskmgr.exe.mui. At the bottom of the list there are 6 copies of taskmgr.exe.mun .
Anyway, I've found that the only one that tries to get out is the one in AppData\Roaming. I'll do some deleting and see what happens. Sigh. |
pandy |
Dec 27 2023, 10:50 AM
Post
#7
|
|
Christian J |
Dec 27 2023, 12:18 PM
Post
#8
|
|
pandy |
Dec 27 2023, 01:53 PM
Post
#9
|
Nope. I don't know how to do that. I know there are programs, "process viewers", that dig deep down, but that's over my head.
But I tried to delete the one in Roaming first. Maybe it was run by the one in the program directory. |
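The question raised in this thread, which Taskmgr.exe is actually running, where it was started from and what launched it, can be answered from a PowerShell prompt without Task Manager or a third-party process viewer. The script below is an added example and not part of any post in the thread; the variable names and the list of directories swept in part 2 are assumptions made for illustration.

```powershell
# Added example (not from the thread). Part 1: every running process named
# Taskmgr.exe, with its image path, parent process, signature and hash.
$expected = Join-Path $env:SystemRoot 'System32\Taskmgr.exe'   # genuine location

Get-CimInstance Win32_Process -Filter "Name = 'Taskmgr.exe'" | ForEach-Object {
    $proc   = $_
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    $path   = $proc.ExecutablePath   # may be empty unless the prompt is elevated

    $sig = $null; $hash = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        ProcessId  = $proc.ProcessId
        Path       = $path
        InSystem32 = ($path -eq $expected)   # -eq is case-insensitive for strings
        Parent     = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'parent has exited' }
        Started    = $proc.CreationDate
        Signature  = if ($sig) { $sig.Status } else { 'n/a' }
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256     = $hash
    }
} | Format-List

# Part 2: copies on disk in per-user and program directories, where a file
# called taskmgr.exe has no business being. The directory list is an assumption.
$roots = $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramFiles, ${env:ProgramFiles(x86)} |
    Where-Object { $_ }

Get-ChildItem -Path $roots -Filter 'taskmgr.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $s = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Size      = $_.Length
            Created   = $_.CreationTime
            Signature = $s.Status
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-List
```

On 64-bit Windows a second genuine copy lives in `SysWOW64`, so `InSystem32 = False` is a prompt to look at the path and signer, not a verdict on its own.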
pandy |
Dec 27 2023, 07:11 PM
Post
#10
|
I saved a zipped up copy of the one in Roaming, but forgot to do it with the one in the program directory. Probably doesn't matter since they were exactly the same size. I'm curious about this so I might download some other AV when I get around to it and see if that knows what it is.
|
pandy |
Dec 27 2023, 10:21 PM
Post
#11
|
Tried ClamWin that didn't find anything.
Then I uploaded the zip to one of those online virus sites. I don't know if it can be trusted or not. But it did find a whole lot. 🥶 https://www.virustotal.com/gui/file/53f73e4...a3e92?nocache=1 Why do they all call it different things? Not easy to google. |
pandy |
Dec 27 2023, 11:06 PM
Post
#12
|
I downloaded a free version of one of the software that did detect something at virustotal, eScan. Never heard of it before. But it did detect the zipped virus.
CODE
File C:\Users\user\AppData\Roaming\Taskmgr - possible virus.zip infected by "IL:Trojan.MSILZilla.22206[ZP] (DB)" Virus! Action Taken: No Action Taken.
I'll let it scan the whole computer tomorrow. I don't want to leave it on while I sleep.
Very nice GUI on that eScan! Like old times, not flashy and confusing and looking like a webpage with childish colours and huge buttons. Why did this look go out of style? Just look at the screen cap here https://www.escanav.com/en/mwav-tools/downl...rus-toolkit.asp . What more do you need? It takes 5 seconds to learn how to use it. Those newfangled things drive me nuts with their obscure interfaces and automated everything. This lets me do just what I want - just scan and report and THEN I decide what to do with what it finds. No risk that little burp program you loved so much is deleted by mistake.
Read what it says under the screen cap too. It's portable. Wonder where it puts all files it downloads though. I mean, if you put it on a stick and run it on another person's machine you would want to clean up afterwards. Log files go in AppData, but I haven't found the many virus files it downloaded yet. I'd prefer if it put everything in the program directory so one could just remove the stick and leave no traces. |
pandy |
Dec 28 2023, 10:38 AM
Post
#13
|
It was pretty fast. I set it to scan everything - except mobile, but that's a nice feature, if it means phone. Two 500 GB hard drives and a 250 GB SSD, all pretty full. 2:10:16.
Found 37 threats. I see at a glance that many are not but I'll have to go through the rest. |
pandy |
Dec 28 2023, 11:25 AM
Post
#14
|
That was quickly done. The only possible one is also in the Roaming directory and simply called ws. There's also a ws.exe, but that is clean. It's supposed to be this. There were also some > 10 years old email attachments that I deleted without regret.
https://www.f-secure.com/v-descs/trojan-js-cryxos.shtml Since I haven't experienced anything like that and Defender and ClamWin don't find anything I'll let it be for now. It's supposed to be used by a scanner software and I've never owned a scanner, so that's a little strange. https://www.file.net/process/ws.exe.html Viruses are pretty fun when they don't mess the computer up! |