pandy
Post #1
Why?
I've used TinyWall for several years, but haven't really looked at all the features. I found it can show all connections it has blocked in the last 5 minutes. Taskmgr.exe has been blocked more than a hundred times - in 5 minutes. Why does it try to get out at all? Obviously it doesn't hurt anything that it's blocked, not that I've noticed anyway.

Note, TinyWall isn't a firewall in the usual sense. It sits on top of the Windows firewall and works by simply blocking all connections except those you OK. So when you first install it there's some fiddling. I think it's great, even if you have to remember to OK all new programs, but that's quickly done. I suppose it can be used as the only FW, but I keep the Windows one running. If anyone wants to try it, please note it doesn't work together with other firewall software, just the Windows one.

This is only the top of the list. You can see it's just 2 or 3 seconds between tries.

I don't know what the System process is about either. I didn't have to OK any system processes when I installed TinyWall, so it must have a built-in whitelist.
Christian J
Post #2
Maybe it's telemetry, but the IP 91.92.240.95 (91.92.240.0 - 91.92.240.255) seems to belong to the (hosting?) company Limenet, not Microsoft.

Have you been running Task Manager at these times? Is it possible to tell if it's running in the background (without using Task Manager itself)?
pandy
Post #3
I don't know. But it's the same now and I don't have Task Manager running.

Yeah, Limenet is odd. I don't know exactly what it is. But I found the IP is on some blacklists, seems connected to spam. Can't link with a query string, you need to paste the IP in: 91.92.240.95. https://whatismyipaddress.com/blacklist-check
pandy
Post #4
I have 16 copies of taskmgr.exe. One of them is in a program directory, which is maybe suspicious. Of course nothing stops people from naming their programs anything, but would a sensible person choose that name?

How many copies do you have? I expected to find just one! I scanned the one in the program directory with Defender, which didn't find anything wrong with it.
Christian J
Post #5
> I have 16 copies of taskmgr.exe. One of them is in a program directory which is maybe suspicious.

Which program's directory? Is that program trustworthy?

> Of course nothing stops people from naming their programs anything, but would a sensible person choose that name?

Malware may disguise itself as well-known programs.

> How many copies do you have? I expected to find just one!

I only have one, in the Windows\System32 directory.
pandy
Post #6
> Which program's directory? Is that program trustworthy?

Yes, very.

> > Of course nothing stops people from naming their programs anything, but would a sensible person choose that name?
>
> Malware may disguise itself as well-known programs.

That's why I worry. At first I was just curious about what Task Manager was up to. But anyhow, TinyWall stops them from getting out.

> > How many copies do you have? I expected to find just one!
>
> I only have one, in the Windows\System32 directory.

Attached a list of mine (except the big one). The big one had also placed itself in AppData\Roaming, so there are 12 others. They have different sizes and all are pretty new. I find that strange. The one in System32 is the real thing and should be as old as the computer. Then again, MS might have updated it, of course. As you can see there are also a couple of taskmgr.exe-****.pf and I have 156 copies of taskmgr.exe.mui. At the bottom of the list there are 6 copies of taskmgr.exe.mun.

Anyway, I've found that the only one that tries to get out is the one in AppData\Roaming. I'll do some deleting and see what happens. Sigh.
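An added defender-side check (example code written for this thread, not something posted in it or part of TinyWall): this PowerShell script lists every taskmgr.exe on the machine with size, signature status and SHA256, flags copies outside the Windows component directories, and joins each copy to any process currently running from it and that process's TCP peers, so the copy TinyWall keeps blocking can be pinned down. It assumes an elevated prompt, user profiles under C:\Users, and Windows 8 or later (where catalog-signed system files validate).

```powershell
# Added example, not code from the thread. Triage every taskmgr.exe on the box.
# Assumes an elevated prompt and user profiles under C:\Users.

$roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, 'C:\Users') |
    Where-Object { $_ }   # drop the empty entry on 32-bit hosts

# Genuine copies live here; WinSxS holds component-store duplicates left by updates.
$expected = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\", "$env:SystemRoot\WinSxS\")

$copies = Get-ChildItem -Path $roots -Filter 'taskmgr.exe' -File -Recurse -Force -ErrorAction SilentlyContinue

# Lower-cased image path -> process id, for processes currently running from that file.
$running = @{}
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    if ($p.Path) { $running[$p.Path.ToLower()] = $p.Id }
}

# Owning process id (as string) -> that process's TCP connections.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Group-Object -Property OwningProcess -AsHashTable -AsString

$report = foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $inExpected = [bool]($expected | Where-Object { $f.FullName.StartsWith($_, 'OrdinalIgnoreCase') })
    $procId = $running[$f.FullName.ToLower()]
    $remote = ''
    if ($procId -and $conns -and $conns["$procId"]) {
        $remote = ($conns["$procId"].RemoteAddress |
            Where-Object { $_ -ne '0.0.0.0' -and $_ -ne '::' } | Sort-Object -Unique) -join ','
    }
    [pscustomobject]@{
        Path        = $f.FullName
        SizeKB      = [math]::Round($f.Length / 1KB)
        Modified    = $f.LastWriteTime
        Signature   = $sig.Status                      # 'Valid' for the Microsoft binary
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        ExpectedDir = $inExpected
        RunningPid  = $procId
        RemoteIPs   = $remote
        # Outside the expected directories or not validly signed: look closer.
        Suspicious  = (-not $inExpected) -or ($sig.Status -ne 'Valid')
    }
}

$report | Sort-Object Suspicious -Descending |
    Format-Table -AutoSize Path, SizeKB, Signature, ExpectedDir, RunningPid, RemoteIPs
```

`$report | Format-List` shows the hashes and signer subjects, which is the value to look up on VirusTotal instead of uploading the file itself.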
pandy
Post #7
Christian J
Post #8
pandy
Post #9
Nope. I don't know how to do that. I know there are programs, "process viewers", that dig deep down, but that's over my head.

But I tried to delete the one in Roaming first. Maybe it was run by the one in the program directory.
pandy
Post #10
I saved a zipped-up copy of the one in Roaming, but forgot to do it with the one in the program directory. Probably doesn't matter since they were exactly the same size. I'm curious about this so I might download some other AV when I get around to it and see if that knows what it is.
pandy
Post #11
Tried ClamWin, which didn't find anything.

Then I uploaded the zip to one of those online virus sites. I don't know if it can be trusted or not. But it did find a whole lot. 🥶 https://www.virustotal.com/gui/file/53f73e4...a3e92?nocache=1 Why do they all call it different things? Not easy to google.
pandy
Post #12
I downloaded a free version of one of the programs that did detect something at VirusTotal, eScan. Never heard of it before. But it did detect the zipped virus.

```
File C:\Users\user\AppData\Roaming\Taskmgr - possible virus.zip infected by "IL:Trojan.MSILZilla.22206[ZP] (DB)" Virus! Action Taken: No Action Taken.
```

I'll let it scan the whole computer tomorrow. I don't want to leave it on while I sleep.

Very nice GUI on that eScan! Like old times, not flashy and confusing and looking like a webpage with childish colours and huge buttons. Why did this look go out of style? Just look at the screen cap here https://www.escanav.com/en/mwav-tools/downl...rus-toolkit.asp . What more do you need? It takes 5 seconds to learn how to use it. Those newfangled things drive me nuts with their obscure interfaces and automated everything. This lets me do just what I want - just scan and report and THEN I decide what to do with what it finds. No risk that little burp program you loved so much is deleted by mistake.

Read what it says under the screen cap too. It's portable. Wonder where it puts all the files it downloads though. I mean, if you put it on a stick and run it on another person's machine you would want to clean up afterwards. Log files go in AppData, but I haven't found the many virus files it downloaded yet. I'd prefer if it put everything in the program directory so one could just remove the stick and leave no traces.
pandy
Post #13
It was pretty fast. I set it to scan everything - except mobile, but that's a nice feature, if it means phone. Two 500 GB hard drives and a 250 GB SSD, all pretty full. 2:10:16.

Found 37 threats. I see at a glance that many are not, but I'll have to go through the rest.
pandy
Post #14
That was quickly done. The only possible one is also in the Roaming directory and simply called ws. There's also a ws.exe, but that is clean. It's supposed to be this. There were also some > 10 years old email attachments that I deleted without regret.

https://www.f-secure.com/v-descs/trojan-js-cryxos.shtml

Since I haven't experienced anything like that and Defender and ClamWin don't find anything I'll let it be for now. It's supposed to be used by scanner software and I've never owned a scanner, so that's a little strange. https://www.file.net/process/ws.exe.html

Viruses are pretty fun when they don't mess the computer up!
Christian J
Post #15
That description doesn't sound at all like the "Task Manager" files you found. Are you sure the "ws" and "ws.exe" files are related? Were they both in the Roaming directory?
pandy
Post #16
> That description doesn't sound at all like the "Task Manager" files you found.

I don't think these are related to the Task Manager one.

> Are you sure the "ws" and "ws.exe" files are related? Were they both in the Roaming directory?

Yes, they sure are related. They are the only files in a directory called ws. I've never understood what that Roaming directory is for. All sorts of stuff end up there.