3
taskmgr.exe is asking permission to connect to 66.152.109.110.
I am using windows 7. Is it normal? Is my machine infected with malware? Thank you!
3
Visiting http://66.152.109.110 gives us a Road Runner site.
Doing a Google search for Road Runner 66.152.109.110 gives us a domain name, which I looked up:
nslookup dnssearch.rr.com
Name: twc.cfg.srchdeliv.com
Addresses: 184.106.15.239
66.152.109.110
204.232.137.207
Aliases: dnssearch.rr.com
Now let's do some whois to see who these guys are:
whois rr.com
Domain Name: rr.com
Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: http://www.markmonitor.com
Administrative Contact:
Domain Name Administrator
Time Warner Cable Inc.
60 Columbus Circle
New York NY 10023
US
dnsadmin@rr.com +1.2123648539 Fax: +1.7049736228
Technical Contact, Zone Contact:
Domain Name Administrator
Time Warner Cable Inc.
7910 Crescent Executive Drive
Charlotte NC 28217
US
dnsadmin@rr.com +1.8777772263 Fax: +1.7047311180
It seems Markmonitor protects a brand, which makes an odd malicious IP less likely.
But there's also srchdeliv.com, let's see what that one says:
whois srchdeliv.com
Domains By Proxy, LLC
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: SRCHDELIV.COM
Created on: 19-Mar-08
Expires on: 19-Mar-14
Last Updated on: 25-Jul-10
Administrative Contact:
Private, Registration SRCHDELIV.COM@domainsbyproxy.com
Domains By Proxy, LLC
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2598
Technical Contact:
Private, Registration SRCHDELIV.COM@domainsbyproxy.com
Domains By Proxy, LLC
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2598
Again a brand being protected.
Doing a reverse IP lookup gives 66-152-109-110.tvc-ip.com indeed, let's do another one:
whois tvc-ip.com
Domains By Proxy, LLC
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: TVC-IP.COM
Created on: 17-Dec-03
Expires on: 17-Dec-13
Last Updated on: 05-Oct-11
Administrative Contact:
Private, Registration TVC-IP.COM@domainsbyproxy.com
Domains By Proxy, LLC
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2598
Technical Contact:
Private, Registration TVC-IP.COM@domainsbyproxy.com
Domains By Proxy, LLC
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2598
Notice anything? Exactly, covered by the same registrant which might link all three together.
What are we missing? Right, visiting the domain names to see what they host.
http://www.rr.com (Road Runner) seems like a completely safe site, which is associated with Time Warner Cable as stated at the bottom (Perhaps related to TVC?) which also seems like a completely safe site.
Small update:
I've found that rr.com also serves as the mail handler for the tt. domain.
Go to this online dig tool and type in tt. and select MX for the query, then click Look it up.
tt. 86400 IN MX 0 66-27-54-138.san.rr.com.
tt. 86400 IN MX 10 66-27-54-142.san.rr.com.
This makes rr.com really as legit as it can be.
But why would taskmgr.exe try to connect to it?
Do you remember visiting Road Runner or Time Warner Cable, or are you a user of their services?
I see no other possibility than that, given that these last websites look safe. And clearly the IP is a DNS for their DNS Search functionality. It could be possible though, that they have an infection and that it spread to you; but I wouldn't be so certain at first...
Can you post us the output of ipconfig /all, perhaps you have it set as your DNS?
If you are completely not using any of these services, malware is most likely using that website to resolve things; meaning to bypass your hosts file / own DNS settings.
I use brighthouse and it is associated with Road Runner I believe. Exactly, why would taskmgr.exe try to connect to the net? – smallbee – 2012-04-18T23:17:51.363
@smallbee: Doing a DNS request perhaps, but it is most likely a DLL is just trying to resolve another domain / IP... – Tamara Wijsman – 2012-04-19T00:10:01.240
He could always allow the connection and then capture what is being sent using Wireshark, if he's curious enough. – paradroid – 2012-04-19T15:41:48.587
@smallbee: Found it: https://plus.google.com/u/0/115701123100754845774/posts/QRSfEHvC3wT (which is a solution to https://plus.google.com/u/0/115701123100754845774/posts/J4nXXYXddKc, which lists the IP), it couldn't hurt walking through his steps...
– Tamara Wijsman – 2012-04-26T06:25:59.403
2
Named host is involved in massive abuse and present in most global blacklists. So you have a backdoor.
Use a clean computer to record a CD with:
Then:
If you are directly connected to internet with a Windows computer you might want a NAT home router.
When will you learn our formatting? – Tamara Wijsman – 2012-04-18T21:57:41.390
What blacklists is he in, do you have a link? What massive abuse has he done? What backdoor does he have? – Tamara Wijsman – 2012-04-18T22:05:15.200
I have router and Avira Antivirus and Comodo Antivirus. Comodo is alerting taskmgr wants connection to net – smallbee – 2012-04-18T23:19:21.737
1
I'm quite positive that you're dealing with a worm or a trojan horse.
I can't think of any plausible reason why the Task Manager should open internet connections.
The reverse DNS entry of the IP is 66-152-109-110.tvc-ip.com, so it's a residential end-user IP (Task Manager opening a connection to something.microsoft.com would be different).
The same IP has appeared in this post about a potential Conficker variant.
Try downloading Malwarebytes Anti-Malware Free, install it, boot in Safe Mode and scan your system.
Task manager verifies executable signatures, which may involve CRL updates from internet... It also rises privileges which may involve network authentication... – ZaB – 2012-04-19T07:21:26.370
1
Actually, it isn't malware, just a service provided by RoadRunner/Bright House/TWC called "RoadRunner Search Guide".
Just go to http://dnssearch.rr.com, and you will see a link for "Opt in or Opt Out of this Service".
Under "Web Address Error Redirect Service" select "Disable"
This will opt you out, and give you back your usual DNS functions.
Also at http://dnssearch.rr.com, you will see a link for "Why am I here?"
I spent an evening trying to figure out why a friend kept getting nslookups for www sites for 66.162.109.110 and 69.16.143.110, but not for domain lookups. It looked enough like China's "Golden Shield" that I began to suspect the ISP.
Personally, I feel that they should have been a little more obvious about what they were doing. But that is just my opinion.
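The check below is an added example, not code from anyone in this thread. It turns the two threads of reasoning above into one test: the first answer's question of whether the IP is simply what your resolver hands back, and this answer's explanation that the ISP resolver answers nonexistent names with its search-guide address. The resolver is injected so the logic runs offline against a constructed sample; `live_resolve`, the probe labels and the sample resolver are my assumptions, and the address 66.152.109.110 is the one from the thread.

```python
import secrets
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]  # name -> list of A records ([] means NXDOMAIN)


def live_resolve(name: str) -> List[str]:
    """A records for `name` via the OS resolver; [] on NXDOMAIN or error."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def random_probes(n: int = 3) -> List[str]:
    """Names that cannot legitimately exist. Each random label is probed with and
    without a www. prefix, because the answer saw only www lookups redirected."""
    probes = []
    for _ in range(n):
        label = secrets.token_hex(8)  # constructed, e.g. www.3f9a...c1.com
        probes += [f"www.{label}.com", f"{label}.com"]
    return probes


def detect_nxdomain_redirect(resolve: Resolver, probes: List[str]) -> Dict[str, List[str]]:
    """Map each probe that unexpectedly resolved to the addresses it got.
    An honest resolver returns NXDOMAIN for all probes, giving an empty dict."""
    hits = {}
    for probe in probes:
        addrs = resolve(probe)
        if addrs:
            hits[probe] = addrs
    return hits


def redirect_targets(hits: Dict[str, List[str]]) -> set:
    return {ip for addrs in hits.values() for ip in addrs}


def explain_connection(remote_ip: str, resolve: Resolver, probes: Optional[List[str]] = None) -> str:
    """Relate a remote IP a local process contacts to what the resolver does with bogus names."""
    hits = detect_nxdomain_redirect(resolve, probes or random_probes())
    if not hits:
        return "resolver returns NXDOMAIN honestly; connection to %s is not explained by search redirection" % remote_ip
    if remote_ip in redirect_targets(hits):
        return "resolver redirects nonexistent names to %s; the connection is the ISP search-guide page, opt out to stop it" % remote_ip
    return "resolver redirects nonexistent names to %s, but not to %s; investigate the process separately" % (sorted(redirect_targets(hits)), remote_ip)


def sample_rr_resolve(name: str) -> List[str]:
    """Constructed resolver modelled on the thread: nonexistent www.* names get the
    search-guide address, bare names get NXDOMAIN."""
    return ["66.152.109.110"] if name.startswith("www.") else []


if __name__ == "__main__":
    print(explain_connection("66.152.109.110", live_resolve))
```

Running the script against the system resolver tells you whether the address a firewall prompt shows is the resolver's redirect target or something that still needs a malware scan.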
-2
It is http://silkroad6ownowfk.onion, a black market website. It will steal your info.
If you are not using the services provided by that IP, this is certainly not normal and most likely your processes are suffering injection attacks by malicious code that came from somewhere. Be on your guard... – Tamara Wijsman – 2012-04-18T22:13:23.460
I use brighthouse network. Maybe it is associated with road runner. I am using COMODO firewall. I just don't understand why a task manager needs any connection to internet. – smallbee – 2012-04-18T23:14:05.690