taskmgr.exe is asking permission to connect to 66.152.109.110

3

taskmgr.exe is asking permission to connect to 66.152.109.110.

I am using Windows 7. Is it normal? Is my machine infected with malware? Thank you!

smallbee

Posted 2012-04-18T20:39:42.073

Reputation: 41

If you are not using the services provided by that IP, this is certainly not normal and most likely your processes are suffering injection attacks by malicious code that came from somewhere. Be on your guard... – Tamara Wijsman – 2012-04-18T22:13:23.460

I use the Brighthouse network. Maybe it is associated with Road Runner. I am using COMODO firewall. I just don't understand why a task manager needs any connection to the internet. – smallbee – 2012-04-18T23:14:05.690

Answers

3

Visiting http://66.152.109.110 gives us a Road Runner site.

When doing a google for Road Runner 66.152.109.110 gives us a domain name, which I looked up:

nslookup dnssearch.rr.com

Name:    twc.cfg.srchdeliv.com
Addresses:  184.106.15.239
          66.152.109.110
          204.232.137.207
Aliases:  dnssearch.rr.com

Now let's do some whois to see who these guys are:

whois rr.com

Domain Name: rr.com

    Registrar Name: Markmonitor.com
    Registrar Whois: whois.markmonitor.com
    Registrar Homepage: http://www.markmonitor.com

Administrative Contact:
    Domain Name Administrator
    Time Warner Cable Inc.
    60 Columbus Circle
     New York NY 10023
    US
    dnsadmin@rr.com +1.2123648539 Fax: +1.7049736228
Technical Contact, Zone Contact:
    Domain Name Administrator
    Time Warner Cable Inc.
    7910 Crescent Executive Drive
     Charlotte NC 28217
    US
    dnsadmin@rr.com +1.8777772263 Fax: +1.7047311180

Seems Markmonitor protects a brand, which less likely indicates an odd malicious IP.

But there's also srchdeliv.com, let's see what that one says:

whois srchdeliv.com

Domains By Proxy, LLC
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: SRCHDELIV.COM
   Created on: 19-Mar-08
   Expires on: 19-Mar-14
   Last Updated on: 25-Jul-10

Administrative Contact:
   Private, Registration  SRCHDELIV.COM@domainsbyproxy.com
   Domains By Proxy, LLC
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States
   (480) 624-2599      Fax -- (480) 624-2598

Technical Contact:
   Private, Registration  SRCHDELIV.COM@domainsbyproxy.com
   Domains By Proxy, LLC
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States
   (480) 624-2599      Fax -- (480) 624-2598

Again a brand being protected.

Doing a reverse IP gives 66-152-109-110.tvc-ip.com indeed, let's do another one:

whois tvc-ip.com

Domains By Proxy, LLC
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: TVC-IP.COM
   Created on: 17-Dec-03
   Expires on: 17-Dec-13
   Last Updated on: 05-Oct-11

Administrative Contact:
   Private, Registration  TVC-IP.COM@domainsbyproxy.com
   Domains By Proxy, LLC
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States
   (480) 624-2599      Fax -- (480) 624-2598

Technical Contact:
   Private, Registration  TVC-IP.COM@domainsbyproxy.com
   Domains By Proxy, LLC
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States
   (480) 624-2599      Fax -- (480) 624-2598

Notice anything? Exactly, covered by the same registrant which might link all three together.

What are we missing? Right, visiting the domain names to see what they host.

http://www.rr.com (Road Runner) seems like a completely safe site, which is associated with Time Warner Cable as stated at the bottom (Perhaps related to TVC?) which also seems like a completely safe site.

Small update:

I've found that rr.com also serves as the mail handler for the tt. domain.

Go to this online dig tool and type in tt. and select MX for the query, then click Look it up.

tt.    86400    IN    MX    0    66-27-54-138.san.rr.com.
tt.    86400    IN    MX    10   66-27-54-142.san.rr.com.

This makes the rr.com really as legit as it can be.

But why would taskmgr.exe try to connect to it?

Do you remember visiting Road Runner or Time Warner Cable, or are you a user of their services?

I see no other possibility than that, given that these last websites look safe. And clearly the IP is a DNS for their DNS Search functionality. It could be possible though, that they have an infection and that it spread to you; but I wouldn't be so certain at first...

Can you post us the output of ipconfig /all, perhaps you have it set as your DNS?

If you are completely not using any of these services, malware is most likely using that website to resolve things; meaning to bypass your hosts file / own DNS settings.

Tamara Wijsman

Posted 2012-04-18T20:39:42.073

Reputation: 54 163

I use Brighthouse and it is associated with Road Runner I believe. Exactly, why would taskmgr.exe try to connect to the net? – smallbee – 2012-04-18T23:17:51.363

@smallbee: Doing a DNS request perhaps, but it is most likely a DLL is just trying to resolve another domain / IP... – Tamara Wijsman – 2012-04-19T00:10:01.240

He could always allow the connection and then capture what is being sent using Wireshark, if he's curious enough. – paradroid – 2012-04-19T15:41:48.587

@smallbee: Found it: https://plus.google.com/u/0/115701123100754845774/posts/QRSfEHvC3wT (which is a solution to https://plus.google.com/u/0/115701123100754845774/posts/J4nXXYXddKc, which lists the IP), it couldn't hurt walking through his steps... – Tamara Wijsman – 2012-04-26T06:25:59.403

2

Named host is involved in massive abuse and present in most global blacklists. So you have a backdoor.

Use a clean computer to record a CD with:

  • Avira Antivirus
  • Comodo Antivirus
  • AVG Antivirus
  • Spybot s&d
  • All updates.
  • Some cleaner your company has around. Like Sophos or Dr.Web.

Then:

  • Disconnect the computer from any type of network
  • Boot in safe mode
  • Uninstall any antivirus/antispyware you have - they are useless (but your firewall is still good)
  • Install Spybot, update with *_includes.exe, immunize the system, reboot back into safe mode, do a scan & clean with Spybot.
  • Once good, reboot and scan again until clean.
  • Now install any AV of your choice and do a full cleanup, reboot, rescan until clean, uninstall, reboot, then another, and so on until it feels right.

If you are directly connected to the internet with a Windows computer you might want a NAT home router.

ZaB

Posted 2012-04-18T20:39:42.073

Reputation: 2 365

1 When will you learn our formatting? – Tamara Wijsman – 2012-04-18T21:57:41.390

What blacklists is he in, do you have a link? What massive abuse has he done? What backdoor does he have? – Tamara Wijsman – 2012-04-18T22:05:15.200

1 I have a router and Avira Antivirus and Comodo Antivirus. Comodo is alerting that taskmgr wants a connection to the net – smallbee – 2012-04-18T23:19:21.737

1

I'm quite positive that you're dealing with a worm or a trojan horse.

  • I can't think of any plausible reason why the Task Manager should open internet connections.

  • The Reverse DNS entry of the IP is 66-152-109-110.tvc-ip.com, so it's a residential end-user IP (Task Manager opening a connection to something.microsoft.com would be different).

  • The same IP has appeared in this post about a potential Conficker variant.

Try downloading Malwarebytes Anti-Malware Free, install it, boot in Safe Mode and scan your system.

Dennis

Posted 2012-04-18T20:39:42.073

Reputation: 42 934

1 Task Manager verifies executable signatures, which may involve CRL updates from the internet... It also raises privileges, which may involve network authentication... – ZaB – 2012-04-19T07:21:26.370

1

Actually, it isn't malware, just a service provided by RoadRunner/Bright House/TWC called "RoadRunner Search Guide".

Just go to http://dnssearch.rr.com, and you will see a link for "Opt in or Opt Out of this Service".

Under "Web Address Error Redirect Service" select "Disable"

This will opt you out, and give you back your usual DNS functions.

Also at http://dnssearch.rr.com, you will see a link for "Why am I here?"

I spent an evening trying to figure out why a friend kept getting nslookups for www sites for 66.162.109.110 and 69.16.143.110, but not for domain lookups. It looked enough like China's "Golden Shield" that I began to suspect the ISP.

Personally, I feel that they should have been a little more obvious about what they were doing. But that is just my opinion.

David Fowler

Posted 2012-04-18T20:39:42.073

Reputation: 11
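To turn the Search Guide behaviour David describes into a repeatable check, here is an added Python example (not from the thread): it resolves random names that cannot legitimately exist and flags a resolver that answers all of them with a single address, which an honest resolver would never do. The resolver functions, the probe suffix and the redirect IP list are constructed stand-ins assumed for offline use; swap in a real resolver to probe your own DNS.

```python
"""Detect NXDOMAIN redirection of the kind the thread describes: random
names under a suffix that cannot exist should all fail, not resolve."""
import random
import string
from collections import Counter

# Constructed list: the addresses the thread reports the redirect service using.
REDIRECT_IPS = {"66.152.109.110", "69.16.143.110"}
PROBE_SUFFIX = ".example-nonexistent.test"   # assumed, never registered


def fake_isp_resolver(name):
    """Constructed stand-in for an ISP resolver: nonexistent 'www.' names get
    the Search Guide address instead of NXDOMAIN, as reported in the answers."""
    if name.startswith("www.") and name.endswith(PROBE_SUFFIX):
        return "66.152.109.110"
    raise OSError("NXDOMAIN")


def fake_clean_resolver(name):
    """Constructed stand-in for an honest resolver: nonexistent names fail."""
    raise OSError("NXDOMAIN")


def random_name(rng, prefix="www.", suffix=PROBE_SUFFIX):
    """Build a random hostname nobody could have registered."""
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(12))
    return f"{prefix}{label}{suffix}"


def probe_nxdomain_redirect(resolve, probes=5, seed=0):
    """Resolve several random names through `resolve` (a callable returning an
    IP string or raising OSError). Returns (hijacked, ip, known_redirector):
    hijacked is True when every probe came back with the same address."""
    rng = random.Random(seed)
    answers = []
    for _ in range(probes):
        try:
            answers.append(resolve(random_name(rng)))
        except OSError:
            answers.append(None)   # NXDOMAIN: the expected, honest outcome
    counts = Counter(a for a in answers if a)
    if not counts:
        return False, None, False
    ip, seen = counts.most_common(1)[0]
    return seen == probes, ip, ip in REDIRECT_IPS


if __name__ == "__main__":
    print("ISP resolver  :", probe_nxdomain_redirect(fake_isp_resolver))
    print("clean resolver:", probe_nxdomain_redirect(fake_clean_resolver))
```

Against a live resolver, pass `socket.gethostbyname` as `resolve`; a result of `(True, <ip>, ...)` means the resolver is substituting an answer for names that do not exist.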

-2

It is http://silkroad6ownowfk.onion Black market website. It will steal your info.

Alex Alomar

Posted 2012-04-18T20:39:42.073

Reputation: 7