Why?
I've used TinyWall for several years, but haven't really looked at all the features. I found it can show all connections it has blocked in the last 5 minutes. Taskmgr.exe has been blocked more than a hundred times - in 5 minutes. Why does it try to get out at all? Obviously it doesn't hurt anything that it's blocked, not that I've noticed anyway.
Note, TinyWall isn't a firewall in the usual sense. It sits on top of the Windows firewall and works by simply blocking all connections except those you OK. So when you first install it there's some fiddling. I think it's great, even if you have to remember to OK all new programs, but that's quickly done. I suppose it can be used as the only FW, but I keep the Windows one running. If anyone wants to try it, please note it doesn't work together with other firewall software, just the Windows one.
This is only the top of the list. You can see it's just 2 or 3 seconds between tries.
I don't know what the System process is about either. I didn't have to OK any system processes when I installed TinyWall, so it must have a built in whitelist.
Maybe it's telemetry, but the IP 91.92.240.95 (91.92.240.0 - 91.92.240.255) seems to belong to the (hosting?) company Limenet, not Microsoft.
Have you been running Task Manager at these times? Is it possible to tell if it's running in the background (without using Task Manager itself)?
I don't know. But it's the same now and I don't have Task manager running.
Yeah, Limenet is odd. I don't know exactly what it is. But I found the IP is on some blacklists, seems connected to spam.
Can't link with query string, you need to paste the IP in: 91.92.240.95 .
https://whatismyipaddress.com/blacklist-check
I have 16 copies of taskmgr.exe. One of them is in a program directory which is maybe suspicious. Of course nothing stops people from naming their programs anything, but would a sensible person choose that name?
How many copies do you have? I expected to find just one!
I scanned the one in the program directory with Defender, which didn't find anything wrong with it.
OK. The one in the program directory is different from the others. Much larger to start with.
The ones in more expected directories have next to no information in Properties and lack the signature tab.
The fishy one says it comes from Microsoft and was originally called Lklropl.exe, a file name there is absolutely no information about. I also tried LkIropI.exe and so on. It's hard to see the small text and it can't be copied.
Micro-Star International seems to be a legit company, but I guess these things can be faked. Why does it refer to both Microsoft and Micro-Star? Seems odd.
https://en.wikipedia.org/wiki/Micro-Star_International
Whatever it is TinyWall seems to stop it, so that's good.
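An added example, not from the thread: a PowerShell inventory of every taskmgr.exe on the drive that compares each copy with the one in System32 and checks its code signature, so the odd copy in the program directory stands out by more than its size. Run from an elevated prompt; searching all of C: is an assumption.

```powershell
# Added example, not from the thread. Lists every taskmgr.exe on C:, compares
# each copy with the canonical one in System32 and checks its code signature.
# Genuine Windows binaries are normally catalog-signed, which is why Properties
# shows no "Digital Signatures" tab for them; Get-AuthenticodeSignature still
# verifies them against the system catalogs, so Status should read Valid.
$canonical = Join-Path $env:SystemRoot 'System32\Taskmgr.exe'
$refHash   = (Get-FileHash -Algorithm SHA256 -LiteralPath $canonical).Hash

$copies = Get-ChildItem -LiteralPath 'C:\' -Filter 'taskmgr.exe' -File -Recurse -Force -ErrorAction SilentlyContinue

$report = foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
    $ver = $f.VersionInfo
    [pscustomobject]@{
        Path           = $f.FullName
        SizeKB         = [math]::Round($f.Length / 1KB, 1)
        SameAsSystem32 = (Get-FileHash -Algorithm SHA256 -LiteralPath $f.FullName).Hash -eq $refHash
        SigStatus      = $sig.Status                           # Valid / NotSigned / HashMismatch ...
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
        OriginalName   = $ver.OriginalFilename                 # the field that read "Lklropl.exe" above
        Company        = $ver.CompanyName
        Created        = $f.CreationTime
    }
}

$report | Sort-Object SameAsSystem32, Path | Format-Table -AutoSize

# Copies under WinSxS are Windows' own component-store versions. Anything
# outside %SystemRoot% with a mismatching hash or a non-Valid signature
# deserves a closer look.
"`nSuspect copies:"
$report | Where-Object {
    $_.Path -notlike "$env:SystemRoot\*" -or $_.SigStatus -ne 'Valid'
} | Select-Object Path, SizeKB, SigStatus, OriginalName, Company | Format-List
```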
Funny thing. When I googled LkIropI.exe there was one single hit. This.
https://answers.microsoft.com/en-us/windows/forum/all/possibly-new-malware-found/86502eb6-48ad-44e6-9c85-f401e987f5c8
But there's no mention of that file name in the text.
On the Details tab in Task Manager I see 6 Taskmgr.exe processes. 1 is the real thing. All the others come from those two big files, the one in the program directory and the one in Roaming. So I guess it would be safe to kill those processes. I was unsure whether Task Manager showed itself, so to speak.
Here goes nothing.
Gaah! Now it couldn't be deleted because it was open in Windows Explorer.
So command line. No go!
"The process cannot access the file because it is being used by another process."
OK! UnLockIt fixed it. Both gone. I'll reboot and see if they come back again.
Nope. Didn't come back. But the mystery continues.
All the others are gone too from TinyWall's list of blocked programs. It only blocks two System processes now. Nothing else.
Still have 14 copies though.
Nope. I don't know how to do that. I know there are programs, "process viewers", that dig deep down, but that's over my head.
But I tried to delete the one in Roaming first. Maybe it was run by the one in the program directory.
I saved a zipped up copy of the one in Roaming, but forgot to do it with the one in the program directory. Probably doesn't matter since they were exactly the same size. I'm curious about this so I might download some other AV when I get around to it and see if that knows what it is.
Tried ClamWin, which didn't find anything.
Then I uploaded the zip to one of those online virus sites. I don't know if it can be trusted or not. But it did find a whole lot. 🥶
https://www.virustotal.com/gui/file/53f73e4065ef5eed732c75c875a64f07c0a0a5c77f197ee141737db2379a3e92?nocache=1
Why do they all call it different things? Not easy to google.
I downloaded a free version of one of the programs that did detect something at VirusTotal, eScan. Never heard of it before. But it did detect the zipped virus.
It was pretty fast. I set it to scan everything - except mobile, but that's a nice feature, if it means phone. Two 500 GB hard drives and a 250 GB SSD, all pretty full. 2:10:16.
Found 37 threats. I see at a glance that many are not but I'll have to go through the rest.
That was quickly done. The only possible one is also in the Roaming directory and simply called ws. There's also a ws.exe, but that is clean. It's supposed to be this. There were also some > 10 years old email attachments that I deleted without regret.
https://www.f-secure.com/v-descs/trojan-js-cryxos.shtml
Since I haven't experienced anything like that and Defender and ClamWin don't find anything I'll let it be for now. It's supposed to be used by a scanner software and I've never owned a scanner, so that's a little strange.
https://www.file.net/process/ws.exe.html
Viruses are pretty fun when they don't mess the computer up!
Here we go again. Is this really a legit warning from FF? Never got any such popups before. It keeps coming all the time. Sometimes it has a Norton logo, sometimes it's McAfee. Most often the message is in Swedish, but not always, which makes me suspicious. I got English, which is plausible since I run Windows in English, but also Polish or something like that.
I know what the virus is, or rather I found out now. It tricks you into downloading it with those popups at sites that ask if you will allow the site to send you notifications. I've never OK-ed that though. But just before I got the first FF notification I had landed on some pesky site, so surely I got it there. Then the thing shows you fake ads. What I don't know is if this FF warning is part of the virus doings.
When it comes to removing it, all the instructions are about how to block it in the browsers and FF had blocked it already. But I don't find any instructions about how to REMOVE it or information about what the file(s) is/are called.
I'm running an AV now, maybe it finds it. It's blocked and doesn't seem to do anything unless the FF warnings are its doing, but I want it gone anyway.
Gaah! Now image uploads don't work again!
Here.
Never heard that Firefox displays virus warnings (and "via re-captcha-version-3-53.top"?). And even if it did, why would FF include a logo from Norton or other AV companies?
I can only assume that the false popup is meant to make you click on something, but why? To make you give the malware more permissions in FF? Or is the popup part of some kind of social engineering, eventually resulting in scam phone calls etc? That would explain the Swedish language.
Oh, and I notice the Windows Defender icon in taskbar in the screenshot has a warning "X".
But how does it work? If it's just a URL the browser must be an active part in it. How silly.
Anyway, the window must be from FF. I disabled notifications and that stopped the pest. So I figure the notification really was legit. Hadn't that URL been blocked, maybe it spawns ads on certain web sites or something? Maybe it has. How could I know? What I don't get is when I clicked "Remove it now" the window just closed.
According to your find I can just delete the URLs. I'll do that.
But I did, just before this started. I googled something, clicked on one of the hits and came to a mock site with popups all over the place. I of course didn't click anything, but that's where I must have got it. So there must be another way to get infected than to OK one of those notification requests.
My computer oddities continue. I'm short of space on C, I discovered. So I downloaded a program that searches a disk and lists files after size. It also has some other information, for example what file types take up most space. Apart from some scattered stuff on the desktop I only have programs on C, but it says only 3.7% of the space is taken up by .exe files and 19.3% of PDF files! Ok, programs may come with PDFs, but they hardly take up more space than the programs themselves.
So I searched C for .pdf. And found a shitload in C:\Windows\System32\config\systemprofile . What files are supposed to be in that directory? I'll google, but maybe you know right off?
It's crazy. There are oodles of PDF files with a few different file names but numbered from nothing to very high. The files with the same base name are all the same size. None can be opened. Well, what happens is the PDF program opens but no file is loaded. They are duplicated in the hundreds.
I have for example #044838.pdf to #044838_642.pdf. But that one isn't the worst. There are several thousands of some of them. Some file names I recognize, among them what probably is a protocol from a condo board meeting, also duplicated ad absurdum. There are also images that follow the same pattern. The images open in IrfanView when I click the files. But when I try to close the window again IV freezes. There are also text files, mails (.eml), .vcf and God knows what duplicated the same way.
I don't see anything resembling system files, but I'm not sure. The content is hard to handle because the directory is so big - 99.8 GB of duplicated junk!!! It takes time for Explorer to sort them.
Why has this happened? Is my computer taken over by gremlins?
OK. I discovered that if I move the files out of that folder I can view them. One is called datasäkerhet.pdf (computer safety). It's from Addnature (Swedish web shop). I may have browsed their site on occasion, but I certainly haven't downloaded that PDF deliberately.
The oldest file is from 2023-03-05 and the newest from today (.eml files). An eml file from yesterday has 10353 copies! If one of the big PDF was duplicated that many times the computer would crash.
I'll delete all of them now before the computer really crashes, but it seems the folder fills up on a more or less daily basis, so I must solve this.
This is nuts. I've been deleting like crazy. It takes forever. A little faster now when I realized I could stop the folder list from updating. That takes a really long time with that many files. I didn't check how many files there were to begin with, but 462 844 still remains!
I don't get it. Basically everything seems email related. But there has been a few photos that I have taken myself, totally hopeless ones, out of focus and so on. I can't imagine I've emailed them to anyone.
Furthermore, quite a few files are 10 years old or more. Still email related, attachments, but I've had my current email client just a few years. And the date stamps in the file list are from this or the previous year.
How come whatever is doing this chooses email related stuff from different email programs. Yes, I still have the old ones and the emails and probably a lot of attachments.
BTW, have you checked if Disk Cleanup or similar removes the files?
I'm scared of automatic cleanup. I deleted them manually. Took me until 6 in the morning. My whole body was aching from doing the same few moves for so long. You have no idea how slow it gets with probably more than a million files in a folder! In the beginning I wanted to check the files too. Both in case they were fishy and to be sure they weren't files needed by Windows. Or my own invaluable files that had mysteriously been moved there. But when I realized they were all copies I deleted everything with common extensions, images, PDFs, text files, HTML...
I have just a handful left because I don't know what they are. Probably of no importance, but I'm curious. I had a bunch of .com files. Can't think of any use for that extension other than the old executable. Also very many .iso, small ones, 50 kB or so. I deleted all by mistake, so can't check those further, but I'll look into the .com. And also a bunch without extension, just long numeric file names.
There's also a folder called AppData in there with the subdirectories Local, LocalLow and Roaming. Do you have those? There are what I think are some kind of backup files in there, among others.
I haven't gotten any new files in systemprofile. But I haven't used my email program. I expect them to come when I start it. I can't figure what's doing this, but I think it's a Windows bug. Maybe email stuff is dumped there temporarily but Windows forgets to do cleanup? And what to do about it? I don't want to babysit that folder forever.
Lucky I happened to see I was that low on free space. I was down to 6 GB, I think. Less than what Windows is supposed to require anyway. Had this continued a while I guess a total crash would have happened. Now I have 127 GB free. Much better! And I don't need to buy a larger SSD as I thought.
Oh yes. I had 5 files. Fetched mail and now I have 931 files. 🥶
Duplicates are created right off. Have for instance 150x250-banner_kamda_logga_se_1_liten.png to 150x250-banner_kamda_logga_se_1_liten_34.png . If it's old or new I don't know. But I have attachments that have the date in the filename from 2022, 2018 and so on.
The plot thickens. I didn't get many more files in the folder yesterday. Perhaps a hundred in total.
When I started email today I once again got a lot. So it seems to be mainly the first time email is active after a reboot. Only I don't turn the computer off, I just hibernate.
When I glanced through the files I saw at least three that aren't related to email. Notetab's two help files. But they at least exist on disk. The third was the most peculiar. An eBook (epub) with the author name misspelled. The file does exist but not under that name. The name can very well have been misspelled at some point, but I have corrected it and probably long ago. It could be I copied the file to another directory, renamed it, and deleted the original file. Notetab has moved around a bit too. Could these three be deleted files that the gremlin found? I certainly haven't sent or received any of them by email. But none of these three files is corrupt, which they ought to be if they were deleted long ago.
I've bought a license for the new version of the email program and am about to install it. Whether this helps or not, I'll contact the author. Maybe someone else has had the same problem.
But it hasn't done that in a long time.
It didn't help to update the email program. 1232 files. And it looks like the ones I last deleted are recreated. At least those three odd ones I mentioned. I don't think they were there yesterday though. I would have noticed. Especially the help files stand out. .chm files, the icon with the bright yellow question mark. And I sorted by file type when I looked through them.
Now I see the email program's ini file is also copied. And I have a new ISO file. MNF43.ISO, 54 kB. That file doesn't exist elsewhere on my computer. Only here and in the backup of odd files I made yesterday.
Forgot to say. I had hopes at first after installing the new version of the email program. No new files. I both fetched and sent email to provoke it. Then I made a hard reboot. And then they came.
So it seems the bulk comes after Windows has loaded AND the email program is active. But some minor activity can also happen after that.
Could some kind of malware do this? With the purpose to slowly crash the computer? Or a spy program that's after email related stuff and needs to temporarily store files somewhere but isn't so good at it and grabs some other files too? I'm thinking of that taskmanager.exe that TinyWall stopped from getting out. Some related program could still be active maybe.
I have scanned with three different AV and they only find files I know are OK and have been around a long time.
Found a tip about ProcessExplorer in a thread about a similar problem. It's supposed to show what process writes the files. I'm downloading it. Whether I understand how to use it is another matter. It's one of the Sysinternals programs. I tried a lot of them many years ago, but I didn't know enough to make real use of them.
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
Nah. It just lists active processes and tells you a little about what they are. I don't see how I can relate a process to a file unless I catch it in the act, and that isn't likely to happen with a long list of active processes.
If I could tell ProcessExplorer to hide all processes that are running now and then reboot I would be able to catch it. But I don't see such an option.
I caught it.
I used another Sysinternals program. I rebooted, opened the systemprofile folder, started Process Monitor, started the email program and sent a few mails to myself. After a minute or two it happened.
Only I don't get anything out of it. The process has no name. Looking at details most fields are blank. Those that aren't are too low level for me.
I suppose you don't get anything out of this either? She says hopefully.
The right field that's partly hidden in the first screen cap says "SyncType: SyncTypeOther". Very enlightening.
FYI the upload thing only allows one image now. If I try to attach another it replaces the first one.
I emptied the folder and now 4 new files are created. Three are copies of egpor95.vcf that doesn't exist anywhere else. Neither does the fourth, 732117007_a. Spooky!
The sync part seems related to the problem anyway.
Maybe some process is gathering suitable files for syncing with other devices (both legit and spyware would perhaps both work in a similar way).
Yes, that's what I was touching on before. A temp storage for some reason. But after seeing how common similar problems are, I lean towards a Windows bug.
The most peculiar is really those long ago deleted files.
My conclusion was wrong. Yesterday it didn't happen closely after I booted up. I even rebooted to provoke it. It did happen later though. Several times, I guess, since I had 5000 files something when I went to bed. Hasn't happened yet today either.
Sorry for going on about this. But this thread became like a log of everything related to the problem, so I thought I could just as well continue, for my own sake.
Same time of day? Perhaps it tries to do it a certain time, or if Windows is not running as soon as it's restarted?
Can you see if any process has connected to the Internet around the same time?
No, I don't think it was the same time. When I started to look into this it happened very soon after boot up - if email was running. I have very irregular hours and I also rebooted to provoke it.
I don't know how to check connections and I didn't note down the time stamp on the last bunch. If something tries to connect it won't succeed anyway since TinyWall will block it. And its block list alas only covers the last 5 minutes.
Glasswire keeps longer logs.
OK. Can several firewalls run at the same time or do they fight?
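An added example, not from the thread, for the question of keeping blocked connections for longer than TinyWall's five-minute view: it enables the dropped-packet log that Windows Firewall itself can keep and summarises outbound drops by destination and process. Run elevated; the log records what the Windows Firewall engine dropped, and blocks TinyWall applies through its own filters may not appear in it.

```powershell
# Added example, not from the thread. Windows Firewall keeps its own log of
# dropped packets if asked; it persists across reboots, unlike TinyWall's
# 5-minute view. Step 1 turns logging on for all three profiles (needs admin).
$logFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True -LogAllowed False `
    -LogFileName $logFile -LogMaxSizeKilobytes 32767

# Step 2 (run later): parse the log. Format is W3C-style: a "#Fields:" header
# names the columns, then one space-separated record per line.
function Get-FirewallDrops {
    param([string]$Path = $logFile)
    $lines  = Get-Content -LiteralPath $Path
    $header = ($lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*'
    $fields = $header -split '\s+'
    foreach ($line in $lines) {
        if (-not $line -or $line.StartsWith('#')) { continue }
        $parts = $line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $parts[$i] }
        [pscustomobject]$row
    }
}

$drops = Get-FirewallDrops | Where-Object { $_.action -eq 'DROP' }

# Outbound drops grouped by destination and owning PID. The pid column is only
# filled for traffic Windows can attribute, and PIDs recycle after a reboot, so
# the process-name lookup is only trustworthy for entries from the current session.
$drops | Where-Object { $_.path -eq 'SEND' } |
    Group-Object 'dst-ip', 'dst-port', 'pid' |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name,
        @{ n = 'LastSeen'; e = { $_.Group[-1].date + ' ' + $_.Group[-1].time } },
        @{ n = 'Process';  e = {
            $p = $_.Group[-1].pid
            if ($p -match '^\d+$') { (Get-Process -Id $p -ErrorAction SilentlyContinue).ProcessName } } } |
    Format-Table -AutoSize

# "Did anything try to get out around the time the folder filled up?" Dates in
# the log are yyyy-MM-dd, so a plain string comparison works. Placeholder time.
$drops | Where-Object { "$($_.date) $($_.time)" -gt '2024-01-01 00:00:00' } |
    Select-Object date, time, 'dst-ip', 'dst-port', pid
```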
Today a nasty app called bigo live opened on my phone. It's on Google Play, so assumedly a legit live streaming app. But all I saw on the splash screen were big boobs and tushies. That's the first time I have had an app install on my phone without my consent. How does that happen? I hardly ever use my phone for the web. I don't even read email on it. I use it for SMS and a handful of apps that I've used for ages.
WTF is going on? I'm beginning to feel stalked here.
None? Don't you use your phone for anything?
I never checked. Just uninstalled it. The permission choices are so limited they feel like bogus anyway.
Where do you find that list? I'm only aware of the ridiculously few and unspecific permissions for individual apps.
Today systemprofile filled up again.
I made a mistake about the time stamps. I originally had files from early 2023 until now. So I thought that was the dates the files were copied to that folder and showed how long this has been going on. Most of today's files have a time stamp from this morning, but a bunch of them are much older, the oldest from 2012! So in reality I have no idea when it started.
I have 8 copies of the one from 2012, all of them have the same time stamp, to the second. The file doesn't exist elsewhere on the computer. It's a freaking DHL logo.
Gaaah!
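An added example, not from the thread, for the duplicated-files problem described above and the later questions about when the copies arrive and why some carry dates from 2012: a read-only PowerShell summary of the systemprofile folder that groups copies by base name and by content hash and tallies them by the hour they were created. Windows keeps a file's modified time when copying but stamps the copy's creation time with the current time, so creation time is the better clue to when the folder filled; that whatever writes these files behaves like an ordinary copy is an assumption.

```powershell
# Added example, not from the thread. Read-only summary of the systemprofile
# folder: which base names are duplicated, whether the copies are byte-identical,
# and at what hours the copies were actually created. Nothing is deleted.
$folder = Join-Path $env:SystemRoot 'System32\config\systemprofile'
# Top level only: the AppData subtree mentioned in the thread is Windows' own.
$files = Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue

"{0:N0} files, {1:N1} GB" -f $files.Count, (($files | Measure-Object Length -Sum).Sum / 1GB)

# 1. Group by base name with the _<n> copy suffix removed
#    (#044838.pdf, #044838_1.pdf ... #044838_642.pdf all count as #044838.pdf).
$files |
    Group-Object { ($_.BaseName -replace '_\d+$', '') + $_.Extension } |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name,
        @{ n = 'SizeMB';      e = { [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1) } },
        @{ n = 'AllSameSize'; e = { ($_.Group | ForEach-Object Length | Select-Object -Unique).Count -eq 1 } } |
    Format-Table -AutoSize

# 2. When were the copies created? LastWriteTime is carried over from the
#    original (hence files "from 2012"); CreationTime is stamped when the copy
#    is written here, so it shows the bursts the thread is trying to pin down.
$files |
    Group-Object { $_.CreationTime.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 3. Prove duplication by content, not just size. Hashing hundreds of thousands
#    of files is slow, so this limits itself to one base-name group at a time.
function Get-DuplicateWaste {
    param([string]$BaseName)            # e.g. '#044838'
    $group  = $files | Where-Object { ($_.BaseName -replace '_\d+$', '') -eq $BaseName }
    $byHash = $group | Group-Object { (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash }
    foreach ($h in $byHash) {
        [pscustomobject]@{
            Sha256  = $h.Name.Substring(0, 16) + '...'
            Copies  = $h.Count
            WasteMB = [math]::Round(($h.Count - 1) * $h.Group[0].Length / 1MB, 1)
        }
    }
}
Get-DuplicateWaste -BaseName '#044838'
```

One content hash with many copies confirms the files are exact duplicates; several hashes under one base name would mean the source file changed between copy runs.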