MSTask.exe - what's happening?

Linea Recta

I have disabled all automatic updating. I have disabled all planned tasks in
Windows.
Now and then I get an alert from Norton 2003 firewall:
"Microsoft Windows Task Scheduler (part of the Windows sub-system) is
attempting to access the internet."
Until now I have blocked it manually, because I scheduled nothing.
What could be going on?



--
regards,

|\ /|
| \/ |@rk
\../
\/os

mccm dot vos at hccnet dot nl
 
Linea Recta

Not that I know of. How can I check?




--
regards,

|\ /|
| \/ |@rk
\../
\/os

mccm dot vos at hccnet dot nl
 
George Hester

One way to check is if you have Show all files and folders and not hide
Hidden folders enabled you should have a folder Microsoft.NET somewhere on
the system. You should also have a Framework applet in Control Panel |
Administrative Tools.

Also Windows Update will show you if you need it or need an update to it.
It is in the Windows 2000 section not the Critical Updates section.

http://v4.windowsupdate.microsoft.com/en/default.asp
 
Linea Recta

Indeed, it seems I have a folder 'Microsoft Windows-netwerk' visible in
Windows Explorer, although I never use it.
When I do a manual Windows update check, I see 'Microsoft .NET Framework
versie 1.1' under the non-essential updates. It is quite large 23 MB and I
don't need it.

But is this the cause of the autonomous 'Microsoft Windows Task Scheduler'
activity??
I disabled all automatic updating and all tasks because I don't want any
autonomous actions.



--
regards,

|\ /|
| \/ |@rk
\../
\/os

mccm dot vos at hccnet dot nl
 
George Hester

No I don't think you have the Framework installed unless you have a prior
version. But I don't think so. You really don't need it until you try to
install something that requires it then you can install it if you want. Yes
the size is prohibitive for most people.

So getting back to your original concern.

I'm not sure here why you are getting this activity. One thing you might
try is to disconnect the machine from the Internet before you go to sleep
but leave the machine on. Then in the morning check to see if there are any
error message boxes up and/or look in the Event Viewer. We want to see if
an error occurs when access to the Internet is attempted and it is not
successful. You will need to enable its access in the Firewall first.
Since you won't be connected it shouldn't be an issue.

There is a folder for tasks in the Control Panel | Scheduled Tasks.
 
Colyn

Linea Recta said:
Indeed, it seems I have a folder 'Microsoft Windows-netwerk' visible in
Windows Explorer, although I never use it.
When I do a manual Windows update check, I see 'Microsoft .NET Framework
versie 1.1' under the non-essential updates. It is quite large 23 MB and I
don't need it.

But is this the cause of the autonomous 'Microsoft Windows Task Scheduler'
activity??
I disabled all automatic updating and all tasks because I don't want any
autonomous actions.

Go to the control panel and click on scheduled tasks. You should have
an icon "add scheduled tasks" if there is a second task icon, right
click and delete. This will stop programs from running online checks
for updates etc which is probably what is happening.
 
Java Jive

Taking in George's help as well ...

1) You can tell if you have Microsoft .Net installed as follows: Start,
Settings, Control Panel, Add/Remove Programs. I have listed ...
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)

If you have any version installed, then run any updates required to ensure
it's the latest version.

2) It might be useful to work out who's trying to contact whom via Task
Scheduler, this might reveal a trojan/virus. Do the messages from Norton
give an IP address? If your Norton firewall doesn't give the IP address by
default, you may be able to configure it to, or it might be in the logs, or
it might if you do whatever is its equivalent of locking the internet. Once
you have an IP, check it out here (you may have to register, but it's free
at no risk) ...
http://www.whois.sc/
... or if that reveals nothing useful, in a DOS box do ...
tracert <IP Address> (<> are field delimiters, don't type them)
... and work backwards from the last server listed and named. The server
will usually have a domain, say 'blah.blah.blah.suspect.net'. If this
domain is suspicious, eg: it has nothing to do with any 'trustworthy'
source such as Microsoft or your AV or firewall software, then start looking
for a trojan/virus. Note though that much legitimate software such as
Windows Media Player, Logitech mouse drivers, etc, can periodically check
for an update, though they should and usually do make this an explicit
option at installation time. If you find you have such, look in the
software options to switch the feature off.

Note another use for this technique ...

Occasionally spam goes to an internet address to fetch a picture trying to
sell you watches and doubtless you know what else :)-)! To report it, you
need a domain and/or an IP, but examining the HTML source in Outlook doesn't
always reveal what site is being accessed. The way I trace this is to
engage the internet lock in the firewall, Zone Alarm, then click on the mail
to preview or open it. ZA throws up a message box detailing what IP was
being accessed.
 
Wolf Kirchmeir

Linea said:
I have disabled all automatic updating. I have disabled all planned tasks in
Windows.
Now and then I get an alert from Norton 2003 firewall:
"Microsoft Windows Task Scheduler (part of the Windows sub-system) is
attempting to access the internet."
Until now I have blocked it manually, because I scheduled nothing.
What could be going on?

Some program is using Task Scheduler to access the 'net, but you've
blocked TS, so Norton very kindly is telling you that TS is being used.
You have to decide whether the program in question should be allowed
access to the 'net - but you'll have to find it first. Go to the running
processes window, and check. Not that running processes tells you much,
since it just lists the active modules, many of which have names that
don't give you any clue to the program they're a part of, but it's a
place to start. Look especially for processes initiated by the programs
that start at boot.

Some of your programs may be set to look for updates automatically, many
programs actually get Help from the 'net, and so on. Personally, I
detest this "integration" of my stand-alone machine with the 'net, and
like you have blocked just about everything. But once in a while you
have to let a program do its thing.

Happy hunting. :)
 
Gary H

Wolf Kirchmeir said:
Some program is using Task Scheduler to access the 'net, but you've
blocked TS, so Norton very kindly is telling you that TS is being used.
You have to decide whether the program in question should be allowed
access to the 'net - but you'll have to find it first. Go to the running
processes window, and check. Not that running processes tells you much,
since it just lists the active modules, many of which have names that
don't give you any clue to the program they're a part of, but it's a
place to start. Look especially for processes initiated by the programs
that start at boot.

Some of your programs may be set to look for updates automatically, many
programs actually get Help from the 'net, and so on. Personally, I
detest this "integration" of my stand-alone machine with the 'net, and
like you have blocked just about everything.

Same for me.

But once in a while you
have to let a program do its thing.

Happy hunting. :)

--
"Today, the theory of evolution is an accepted fact
for everyone but a fundamentalist minority, whose
objections are based not on reasoning but on
doctrinaire adherence to religious principles"
-- James D. Watson
 
Linea Recta

Colyn said:
Go to the control panel and click on scheduled tasks. You should have
an icon "add scheduled tasks" if there is a second task icon, right
click and delete. This will stop programs from running online checks
for updates etc which is probably what is happening.


I have 3 tasks there, they were created by Norton Apps, but I had decided to
just disable them, to make my actions reversible.

These are:
Norton Antivirus - Scan My computer
Norton Systemworks One Button Checkup
Symantec NetDetect

But as goes for all MS stuff, I have also disabled all automatic updating
and other activities for all Norton Apps.
And I always disable automatic updating for all other programs.


--
regards,

|\ /|
| \/ |@rk
\../
\/os

mccm dot vos at hccnet dot nl
 
Linea Recta

Java Jive said:
Taking in George's help as well ...

1) You can tell if you have Microsoft .Net installed as follows: Start,
Settings, Control Panel, Add/Remove Programs. I have listed ...
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)


I don't seem to have these installed.


If you have any version installed, then run any updates required to ensure
it's the latest version.

2) It might be useful to work out who's trying to contact whom via Task
Scheduler, this might reveal a trojan/virus. Do the messages from Norton
give an IP address? If your Norton firewall doesn't give the IP address by
default, you may be able to configure it to, or it might be in the logs, or
it might if you do whatever is its equivalent of locking the internet. Once
you have an IP, check it out here (you may have to register, but it's free
at no risk) ...
http://www.whois.sc/
... or if that reveals nothing useful, in a DOS box do ...
tracert <IP Address> (<> are field delimiters, don't type them)
... and work backwards from the last server listed and named. The server
will usually have a domain, say 'blah.blah.blah.suspect.net'. If this
domain is suspicious, eg: it has nothing to do with any 'trustworthy'
source such as Microsoft or your AV or firewall software, then start looking
for a trojan/virus. Note though that much legitimate software such as
Windows Media Player, Logitech mouse drivers, etc, can periodically check
for an update, though they should and usually do make this an explicit
option at installation time. If you find you have such, look in the
software options to switch the feature off.


That sounds very technical, but I have found the alerts in the Norton log:
(note I removed my IP)

10-07-2005 16:48:39
Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (VOS-Q8MY1RJB257(myIP),1025)
Remote address,service is (62.47.245.204,3990)
Process name is "C:\WINNT\system32\MSTask.exe"
---------------------------------
09-07-2005 18:09:53
Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (VOS-Q8MY1RJB257(myIP),1025)
Remote address,service is (62.55.107.103,2911)
Process name is "C:\WINNT\system32\MSTask.exe"



Note another use for this technique ...

Occasionally spam goes to an internet address to fetch a picture trying to
sell you watches and doubtless you know what else :)-)! To report it, you
need a domain and/or an IP, but examining the HTML source in Outlook doesn't
always reveal what site is being accessed. The way I trace this is to
engage the internet lock in the firewall, Zone Alarm, then click on the mail
to preview or open it. ZA throws up a message box detailing what IP was
being accessed.


I'll see what I can do using your techniques.



--
thanks,

|\ /|
| \/ |@rk
\../
\/os

mccm dot vos at hccnet dot nl
 
Linea Recta

Wolf Kirchmeir said:
Some program is using Task Scheduler to access the 'net, but you've
blocked TS, so Norton very kindly is telling you that TS is being used.


Yes, the Norton firewall is proving to be useful.

You have to decide whether the program in question should be allowed
access to the 'net - but you'll have to find it first. Go to the running
processes window, and check. Not that running processes tells you much,
since it just lists the active modules, many of which have names that
don't give you any clue to the program they're a part of, but it's a
place to start. Look especially for processes initiated by the programs
that start at boot.

Some of your programs may be set to look for updates automatically, many
programs actually get Help from the 'net, and so on. Personally, I
detest this "integration" of my stand-alone machine with the 'net, and
like you have blocked just about everything. But once in a while you
have to let a program do its thing.


If there is any updating to be done I gladly do so manually, at a time
convenient to me, and not e.g. when it's disturbing the capture of an
important video. I think these automatic processes are a stupid invention
and it takes ages to hunt them down in all kinds of places to disable them.
But I noticed these alerts are only appearing very recently.


Happy hunting. :)



--
thanks,

|\ /|
| \/ |@rk
\../
\/os

mccm dot vos at hccnet dot nl
 
Java Jive

Noting that your NNTP Posting Host is ...
http://www.whois.sc/62.251.76.14
Netherlands - Noord-holland - Amsterdam - Isp Dsl-vi
tracert gives:
adm-b2-pos2-0.telia.net [213.248.64.190]
... which is in the same top-level address band as both of these, I wonder
if this is just some keep-alive signal from your network?

1) Are you running bespoke connection software provided by your ISP?
2) Are you using dialup or broadband?

I would most expect a keep-alive signal using dialup and running bespoke
software provided by your ISP, but I think that would be outbound, whereas
yours are inbound. Perhaps your ISP's servers generate a keep-alive, in
which case I think that would be inbound - ISTR NTL used to do that when I
used to connect via their cable modem broadband, but I got rid of them
several years ago now. I suggest you ring your ISP, probably technical
support, and ask if they know anything about these attempted connections.

Linea Recta said:
10-07-2005 16:48:39
Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (VOS-Q8MY1RJB257(myIP),1025)
Remote address,service is (62.47.245.204,3990)
Process name is "C:\WINNT\system32\MSTask.exe"

http://www.whois.sc/62.47.245.204
Austria - Vorarlberg - Dornbirn - Highway Customers
tracert gives:
M687P012.adsl.highway.telekom.at [62.47.245.204]
---------------------------------
09-07-2005 18:09:53
Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (VOS-Q8MY1RJB257(myIP),1025)
Remote address,service is (62.55.107.103,2911)
Process name is "C:\WINNT\system32\MSTask.exe"

http://www.whois.sc/62.55.107.103
United Kingdom - Mways-bigdial
tracert gives:
rdsl-lond-uk02.nw.mediaways.net [62.55.96.197]
 
Linea Recta

Java Jive said:
Noting that your NNTP Posting Host is ...
http://www.whois.sc/62.251.76.14
Netherlands - Noord-holland - Amsterdam - Isp Dsl-vi
tracert gives:
adm-b2-pos2-0.telia.net [213.248.64.190]
... which is in the same top-level address band as both of these, I wonder
if this is just some keep-alive signal from your network?

1) Are you running bespoke connection software provided by your ISP?


I never heard of bespoke. I'm using an ADSL modem (SpeedTouch 330) connected
to USB port and with its Alcatel software.

2) Are you using dialup or broadband?


Broadband. (Though I also have a dialup modem installed for faxing and
electronic banking purposes, and I have a dial up internet connection for
reserve).

I would most expect a keep-alive signal using dialup and running bespoke
software provided by your ISP, but I think that would be outbound, whereas
yours are inbound. Perhaps your ISP's servers generate a keep-alive, in
which case I think that would be inbound - ISTR NTL used to do that when I
used to connect via their cable modem broadband, but I got rid of them
several years ago now. I suggest you ring your ISP, probably technical
support, and ask if they know anything about these attempted connections.


Just got another one this evening:
11-07-2005 20:1324
Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (VOS-Q8MY1RJB257(myIP),1025)
Remote address,service is (62.127.26.94,2276)
Process name is "C:\WINNT\system32\MSTask.exe"


When I get this alert again, I will make the firewall block the attempts
definitely.


--
regards,

|\ /|
| \/ |@rk
\../
\/os

mccm dot vos at hccnet dot nl



Linea Recta said:
10-07-2005 16:48:39
Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (VOS-Q8MY1RJB257(myIP),1025)
Remote address,service is (62.47.245.204,3990)
Process name is "C:\WINNT\system32\MSTask.exe"

http://www.whois.sc/62.47.245.204
Austria - Vorarlberg - Dornbirn - Highway Customers
tracert gives:
M687P012.adsl.highway.telekom.at [62.47.245.204]
---------------------------------
09-07-2005 18:09:53
Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (VOS-Q8MY1RJB257(myIP),1025)
Remote address,service is (62.55.107.103,2911)
Process name is "C:\WINNT\system32\MSTask.exe"

http://www.whois.sc/62.55.107.103
United Kingdom - Mways-bigdial
tracert gives:
rdsl-lond-uk02.nw.mediaways.net [62.55.96.197]
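
Added example (not part of any post in this thread): a Python parser for the Norton alert entries posted above, grouping them by process and local port to show that every alert is an inbound TCP attempt to the same MSTask.exe port from a different remote host. The field patterns are inferred from the posted entries only, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# The three alerts exactly as posted in the thread ("myIP" is the poster's redaction).
SAMPLE_LOG = r'''10-07-2005 16:48:39
Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (VOS-Q8MY1RJB257(myIP),1025)
Remote address,service is (62.47.245.204,3990)
Process name is "C:\WINNT\system32\MSTask.exe"
---------------------------------
09-07-2005 18:09:53
Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (VOS-Q8MY1RJB257(myIP),1025)
Remote address,service is (62.55.107.103,2911)
Process name is "C:\WINNT\system32\MSTask.exe"
---------------------------------
11-07-2005 20:1324
Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (VOS-Q8MY1RJB257(myIP),1025)
Remote address,service is (62.127.26.94,2276)
Process name is "C:\WINNT\system32\MSTask.exe"
'''

# Field patterns inferred from the posted entries only (assumed, not a Norton spec).
FIELDS = [
    re.compile(r'^(?P<direction>\w+) (?P<proto>\w+) connection$'),
    re.compile(r'^Local address,service is \((?P<local_host>.+),(?P<local_port>\d+)\)$'),
    re.compile(r'^Remote address,service is \((?P<remote_host>.+),(?P<remote_port>\d+)\)$'),
    re.compile(r'^Process name is "(?P<process>.+)"$'),
]
REQUIRED = {"direction", "proto", "local_port", "remote_host", "remote_port", "process"}

def parse_entries(text):
    """Split on dashed separator lines and return one dict per complete entry."""
    entries = []
    for block in re.split(r'(?m)^-{5,}\s*$', text):
        entry = {}
        for line in (raw.strip() for raw in block.splitlines()):
            for pattern in FIELDS:
                if m := pattern.match(line):
                    entry.update(m.groupdict())
        if REQUIRED <= entry.keys():      # skip truncated or malformed blocks
            entry.update(local_port=int(entry["local_port"]), remote_port=int(entry["remote_port"]))
            entries.append(entry)
    return entries

def group_by_socket(entries):
    """Map (process, direction, proto, local port) -> sorted remote hosts."""
    groups = defaultdict(set)
    for e in entries:
        groups[(e["process"], e["direction"], e["proto"], e["local_port"])].add(e["remote_host"])
    return {key: sorted(hosts) for key, hosts in groups.items()}

def inbound_listeners(entries):
    """Ports that several remote hosts tried to reach: the process is being contacted, not dialling out."""
    return {key: hosts for key, hosts in group_by_socket(entries).items()
            if key[1] == "Inbound" and len(hosts) > 1}

if __name__ == "__main__":
    for (proc, direction, proto, port), hosts in inbound_listeners(parse_entries(SAMPLE_LOG)).items():
        print(f"{proc}: {direction} {proto} to local port {port} from {', '.join(hosts)}")
```

A fixed local port with a different remote host and remote port on each alert is the pattern of outside machines connecting to a port the process holds open, which is a different question from which scheduled task is running.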
 
Wolf Kirchmeir

Linea said:
Noting that your NNTP Posting Host is ...
http://www.whois.sc/62.251.76.14
Netherlands - Noord-holland - Amsterdam - Isp Dsl-vi
tracert gives:
adm-b2-pos2-0.telia.net [213.248.64.190]
... which is in the same top-level address band as both of these, I wonder
if this is just some keep-alive signal from your network?

1) Are you running bespoke connection software provided by your ISP?



I never heard of bespoke. [...]

bespoke: custom ordered from the maker, eg, at one time people had
"bespoke overcoats" made by a tailor. There's a story titled The Bespoke
Overcoat, kinda amusing as I recall, but I can't recall any details of
the story, let alone who wrote it.

I think Java Jive intends a version of standard connection software
tailored to the ISP's desires, including perhaps built-in drivers for
any hardware the ISP sells or rents to you.

HTH
 
Enkidu

Wolf said:
bespoke: custom ordered from the maker, eg, at one time
people had "bespoke overcoats" made by a tailor. There's
a story titled The Bespoke Overcoat, kinda amusing as I
recall, but I can't recall any details of the story, let
alone who wrote it.

Nicolai Gogol.

Cheers,

Cliff
 
Linea Recta

Wolf Kirchmeir said:
Linea said:
Noting that your NNTP Posting Host is ...
http://www.whois.sc/62.251.76.14
Netherlands - Noord-holland - Amsterdam - Isp Dsl-vi
tracert gives:
adm-b2-pos2-0.telia.net [213.248.64.190]
... which is in the same top-level address band as both of these, I wonder
if this is just some keep-alive signal from your network?

1) Are you running bespoke connection software provided by your ISP?



I never heard of bespoke. [...]

bespoke: custom ordered from the maker, eg, at one time people had
"bespoke overcoats" made by a tailor. There's a story titled The Bespoke
Overcoat, kinda amusing as I recall, but I can't recall any details of
the story, let alone who wrote it.

I think Java Jive intends a version of standard connection software
tailored to the ISP's desires, including perhaps built-in drivers for
any hardware the ISP sells or rents to you.


Today I got this:

12-07-2005 15:55
A computer with the IP adres 127.0.0.1 sent information that is
characteristic of the HTTP MS IIS ASP Source Disclosure attack



--
regards,

|\ /|
| \/ |@rk
\../
\/os

mccm dot vos at hccnet dot nl
 
Java Jive

127.0.0.1 (aka localhost) is a standard loopback address referring to your
own machine. Perhaps your PC is infected? I note the message refers to
Microsoft's Internet Information Services. Are you running this? Rt-click
My Computer, and choose Manage, Services and Applications, Services, then if
the entry is there, double-click it. Unless you have specific reason to be
running it, you'd know if you had, if it is started, stop it, and then set
the startup type to Disabled.

Then check your AV software is running properly and up-to-date.
 
