The Web Design Group

> Task manager tries to connect to the internet
pandy
post Dec 24 2023, 07:40 PM
Post #1


🌟Computer says no🌟
********

Group: WDG Moderators
Posts: 20,732
Joined: 9-August 06
Member No.: 6



Why?

I've used TinyWall for several years, but haven't really looked at all the features. I found it can show all connections it has blocked in the last 5 minutes. Taskmgr.exe has been blocked more than a hundred times - in 5 minutes. Why does it try to get out at all? Obviously it doesn't hurt anything that it's blocked, not that I've noticed anyway.

Note, TinyWall isn't a firewall in the usual sense. It sits on top of Windows Firewall and works by simply blocking all connections except those you OK. So when you first install it there's some fiddling. I think it's great, even if you have to remember to OK all new programs, but that's quickly done. I suppose it can be used as the only FW, but I keep the Windows one running. If anyone wants to try it, please note it doesn't work together with other firewall software, just the Windows one.

This is only the top of the list. You can see it's just 2 or 3 seconds between tries.

Attached Image

I don't know what the System process is about either. I didn't have to OK any system processes when I installed TinyWall, so it must have a built in whitelist.
Christian J
post Dec 25 2023, 06:15 AM
Post #2


.
********

Group: WDG Moderators
Posts: 9,661
Joined: 10-August 06
Member No.: 7



Maybe it's telemetry, but the IP 91.92.240.95 (91.92.240.0 - 91.92.240.255) seems to belong to the (hosting?) company Limenet, not Microsoft.

Have you been running Task Manager at these times? Is it possible to tell if it's running in the background (without using Task Manager itself)?
pandy
post Dec 25 2023, 08:20 AM
Post #3





I don't know. But it's the same now and I don't have Task manager running.

Yeah, Limenet is odd. I don't know exactly what it is. But I found the IP is on some blacklists, seems connected to spam.
Can't link with query string, you need to paste the IP in: 91.92.240.95 .

https://whatismyipaddress.com/blacklist-check
pandy
post Dec 25 2023, 08:33 AM
Post #4





I have 16 copies of taskmgr.exe. One of them is in a program directory which is maybe suspicious. Of course nothing stops people from naming their programs anything, but would a sensible person choose that name?

How many copies do you have? I expected to find just one!

I scanned the one in the program directory with Defender that didn't find anything wrong with it.
pandy
post Dec 25 2023, 08:59 AM
Post #5





OK. The one in the program directory is different from the others. Much larger to start with.

The ones in more expected directories have next to no information in Properties and lack the signature tab.

Attached Image

The fishy one says it comes from Microsoft and was originally called Lklropl.exe, a file name there is absolutely no information about. I also tried LkIropI.exe and so on. It's hard to see the small text and it can't be copied.

Attached Image

Attached Image

Micro-Star International seems to be a legit company, but I guess these things can be faked. Why does it refer to both Microsoft and Micro-Star? Seems odd.
https://en.wikipedia.org/wiki/Micro-Star_International

Whatever it is TinyWall seems to stop it, so that's good.
pandy
post Dec 25 2023, 09:04 AM
Post #6





Funny thing. When I googled LkIropI.exe there was one single hit. This.
https://answers.microsoft.com/en-us/windows...85-f401e987f5c8
But there's no mention of that file name in the text.
Christian J
post Dec 27 2023, 09:27 AM
Post #7





QUOTE(pandy @ Dec 25 2023, 02:20 PM) *

Yeah, Limenet is odd. I don't know exactly what it is.

Their website seems to be limenet.io
Christian J
post Dec 27 2023, 09:28 AM
Post #8





QUOTE(pandy @ Dec 25 2023, 02:33 PM) *

I have 16 copies of taskmgr.exe. One of them is in a program directory which is maybe suspicious.

Which program's directory? Is that program trustworthy?

QUOTE
Of course nothing stops people from naming their programs anything, but would a sensible person choose that name?

Malware may disguise itself as well-known programs.

QUOTE
How many copies do you have? I expected to find just one!

I only have one, in the Windows\System32 directory.
pandy
post Dec 27 2023, 10:45 AM
Post #9





QUOTE(Christian J @ Dec 27 2023, 03:28 PM) *

Which program's directory? Is that program trustworthy?

Yes, very.

QUOTE
QUOTE
Of course nothing stops people from naming their programs anything, but would a sensible person choose that name?

Malware may disguise itself as well-known programs.


That's why I worry. At first I was just curious about what Task Manager was up to. But anyhow, TinyWall stops them from getting out.

QUOTE

QUOTE
How many copies do you have? I expected to find just one!

I only have one, in the Windows\System32 directory.


Attached a list of mine (except the big one). The big one had also placed itself in AppData\Roaming, so there are 12 others. They have different sizes and all are pretty new. I find that strange. The one in System32 is the real thing and should be as old as the computer. Then again, MS might have updated it, of course.

As you can see there are also a couple of taskmgr.exe-****.pf and I have 156 copies of taskmgr.exe.mui. At the bottom of the list there are 6 copies of taskmgr.exe.mun.

Anyway, I've found that the only one that tries to get out is the one in AppData\Roaming. I'll do some deleting and see what happens.

Sigh.


Attached Image
pandy
post Dec 27 2023, 10:50 AM
Post #10





That went well.

Attached Image
pandy
post Dec 27 2023, 11:04 AM
Post #11





On the Details tab in Task Manager I see 6 Taskmgr.exe processes. 1 is the real thing. All the others come from those two big files, the one in the program directory and the one in Roaming. So I guess it would be safe to kill those processes. I was unsure about if Task Manager showed itself, so to speak.

Here goes nothing.
pandy
post Dec 27 2023, 11:13 AM
Post #12





Gaah! Now it couldn't be deleted because it was open in Windows Explorer.

So command line. No go!
"The process cannot access the file because it is being used by another process."

OK! UnLockIt fixed it. Both gone. I'll reboot and see if they come back again.
pandy
post Dec 27 2023, 11:40 AM
Post #13





Nope. Didn't come back. But the mystery continues.

All the others are gone too from TinyWall's list of blocked programs. It only blocks two System processes now. Nothing else.
Still have 14 copies though.

Christian J
post Dec 27 2023, 12:17 PM
Post #14





QUOTE(pandy @ Dec 27 2023, 04:45 PM) *

QUOTE(Christian J @ Dec 27 2023, 03:28 PM) *

Which program's directory? Is that program trustworthy?

Yes, very.

How about its download source?

Also something must have started all these processes, either a compromised program or something that autostarts with Windows.
Christian J
post Dec 27 2023, 12:18 PM
Post #15





QUOTE(pandy @ Dec 27 2023, 04:50 PM) *

That went well.

Attached Image

You can't see which of the (fake) Taskmanagers it refers to? That alone might explain the high number, as a way to make deletion harder.
pandy
post Dec 27 2023, 01:53 PM
Post #16





Nope. I don't know how to do that. I know there are programs, "process viewers", that dig deep down, but that's over my head.

But I tried to delete the one in Roaming first. Maybe it was run by the one in the program directory.
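A way to answer the questions raised in the thread so far (which copies are genuine, which ones are running, and what started them) from PowerShell, added here as an example and not part of any poster's message. It assumes Windows PowerShell 5.1 or later; the variable names are illustrative.

```powershell
# Added triage sketch: inventory every Taskmgr.exe on disk and in memory.
$genuine = Join-Path $env:SystemRoot 'System32\Taskmgr.exe'   # where the real one lives

# 1. Files on disk: location, size, age, embedded original name, signature, hash.
$files = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'taskmgr.exe' `
             -Recurse -File -Force -ErrorAction SilentlyContinue
$report = foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $f.FullName -ErrorAction SilentlyContinue
    $hash = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path           = $f.FullName
        SizeKB         = [math]::Round($f.Length / 1KB)
        Created        = $f.CreationTime
        OriginalName   = $f.VersionInfo.OriginalFilename   # survives a rename of the file
        Company        = $f.VersionInfo.CompanyName
        SigStatus      = $sig.Status
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256         = $hash.Hash
        # Copies under %SystemRoot% (System32, SysWOW64, WinSxS) are expected; others are not.
        OutsideWindows = -not $f.FullName.StartsWith("$env:SystemRoot\",
                             [StringComparison]::OrdinalIgnoreCase)
    }
}
$report | Sort-Object OutsideWindows, SizeKB -Descending | Format-List

# 2. Running processes: which file each one was started from, and by which parent.
$all  = Get-CimInstance Win32_Process
$byId = @{}
foreach ($p in $all) { $byId[$p.ProcessId] = $p }

$all | Where-Object Name -eq 'Taskmgr.exe' | ForEach-Object {
    $parent = $byId[$_.ParentProcessId]
    [pscustomobject]@{
        ProcessId   = $_.ProcessId
        Path        = $_.ExecutablePath
        IsGenuine   = ($_.ExecutablePath -eq $genuine)     # string -eq is case-insensitive
        Started     = $_.CreationDate
        ParentId    = $_.ParentProcessId
        # The parent may already have exited, in which case only its ID is known.
        ParentPath  = if ($parent) { $parent.ExecutablePath } else { '(no longer running)' }
        CommandLine = $_.CommandLine
    }
} | Format-List
```

Run it from an elevated prompt so the paths of processes owned by other accounts are filled in. Copy any file of interest and record its SHA256 before deleting it, so it can still be checked with other scanners afterwards.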
pandy
post Dec 27 2023, 07:11 PM
Post #17





I saved a zipped up copy of the one in Roaming, but forgot to do it with the one in the program directory. Probably doesn't matter since they were exactly the same size. I'm curious about this so I might download some other AV when I get around to it and see if that knows what it is.
pandy
post Dec 27 2023, 10:21 PM
Post #18





Tried ClamWin that didn't find anything.

Then I uploaded the zip to one of those online virus sites. I don't know if it can be trusted or not. But it did find a whole lot. 🥶

https://www.virustotal.com/gui/file/53f73e4...a3e92?nocache=1

Why do they all call it different things? Not easy to google.

pandy
post Dec 27 2023, 11:06 PM
Post #19





I downloaded a free version of one of the software that did detect something at virustotal, eScan. Never heard of it before. But it did detect the zipped virus.

CODE
File C:\Users\user\AppData\Roaming\Taskmgr - possible virus.zip infected by "IL:Trojan.MSILZilla.22206[ZP] (DB)" Virus! Action Taken: No Action Taken.


I'll let it scan the whole computer tomorrow. I don't want to leave it on while I sleep.

Very nice GUI on that eScan! Like old times, not flashy and confusing and looking like a webpage with childish colours and huge buttons. Why did this look go out of style? Just look at the screen cap here https://www.escanav.com/en/mwav-tools/downl...rus-toolkit.asp . What more do you need? It takes 5 seconds to learn how to use it. Those newfangled things drive me nuts with their obscure interfaces and automated everything. This lets me do just what I want - just scan and report and THEN I decide what to do with what it finds. No risk that little burp program you loved so much is deleted by mistake.

Read what it says under the screen cap too. It's portable. Wonder where it puts all files it downloads though. I mean, if you put it on a stick and run it on another person's machine you would want to clean up afterwards. Log files go in AppData, but I haven't found the many virus files it downloaded yet. I'd prefer if it put everything in the program directory so one could just remove the stick and leave no traces.
pandy
post Dec 28 2023, 10:38 AM
Post #20





It was pretty fast. I set it to scan everything - except mobile, but that's a nice feature, if it means phone. Two 500 GB hard drives and a 250 GB SSD, all pretty full. 2:10:16.

Found 37 threats. I see at a glance that many are not but I'll have to go through the rest.