Task manager tries to connect to the internet Options

[Christian J]

No idea, FWIW I've only used it to monitor traffic, not block.

So I can tun off some features? I'll try it tomorrow.

Maybe blocking requires the paid version, can't remember.

Could it be that one of your old apps has changed owner, and a recent update by the new owner has changed its functionality?

I don't think so. It was among "recently installed" or what it's called.

No I meant that one of the old trusted apps may have changed owner, and the new owner sends an update that makes it install more apps. I recall some apps may have permission for that (outrageous as it sounds), not sure.

It just splat open from nowhere.

It wasn't some kind of overlay screen from another app?

[pandy]

No I meant that one of the old trusted apps may have changed owner, and the new owner sends an update that makes it install more apps. I recall some apps may have permission for that (outrageous as it sounds), not sure.

Didn't know that.

It wasn't some kind of overlay screen from another app?

No. It was among recently installed apps.

I haven't got a single file in systemprofile today either. I haven't done anything that can have put an end to it.

[Christian J]

No I meant that one of the old trusted apps may have changed owner, and the new owner sends an update that makes it install more apps. I recall some apps may have permission for that (outrageous as it sounds), not sure.

Didn't know that.

It's likely not permitted by Google Play generally, but maybe Google's control is inefficient (especially for updates).

Not sure if this is tells everything, but if you go to:

CODE

Settings > Apps & Notifications > Advanced > Special App Access > Install unknown apps

the listed apps should have their permissions shown (none allowed in my case).

[pandy]

None? Don't you use your phone for anything?

I never checked. Just uninstalled it. The permission choices are so limited they feel like bogus anyway.

[Christian J]

None? Don't you use your phone for anything?

It's (allegedly) a list of apps that are allowed to install other apps, of course I don't allow that. Or maybe "unknown" means apps outside the Play store?

I never checked. Just uninstalled it.

I meant maybe you can see which of your old apps that had permission to install Bigo Live. That old app should still be in the list.

The permission choices are so limited they feel like bogus anyway.

Yeah, under "Special app access" the summary on my phone says "1 app can use unrestricted data", but in the actual list no app like that is shown, not even when I enable "Show system". Seems reassuring.

[pandy]

Where do you find that list? I'm only aware of the ridiculously few and unspecific permissions for individual apps.

[pandy]

Today systemprofile filled up again.

I made a mistake about the time stamps. I orignally hade files from early 2023 until now. So I thought that was the dates the files were copied to that folder and showed how long this has been going on. Most of today's files have a time stamp from this morning, but a bunch of them are much older, the oldest from 2012! So in reality I have no idea when it started.

I have 8 copies of the one from 2012, all of them have the same time stamp, to the second. The file doesn't exist elsewhere on the computer. It's a freaking DHL logo.

Gaaah!

[Christian J]

Where do you find that list? I'm only aware of the ridiculously few and unspecific permissions for individual apps.

Where I wrote above. You may have to scroll down to the bottom a couple of times.

[Christian J]

It's a freaking DHL logo.

Maybe it comes from an email? Either an email that has later been deleted, or maybe the image was hosted remotely before being copied to Windows.

The attachment didn't work.

[pandy]

Where do you find that list? I'm only aware of the ridiculously few and unspecific permissions for individual apps.

Where I wrote above. You may have to scroll down to the bottom a couple of times.

Ooo. Sorry. I didn't see that. Yes, I have it too. FF was allowed and Files by Google. Turned them off. Thank you.

[pandy]

Maybe it comes from an email? Either an email that has later been deleted, or maybe the image was hosted remotely before being copied to Windows.

Yes, everything does. Attachments, embedded pictures, eml files...

The attachment didn't work.

I know. It was just the GIF. I uploaded it elsewhere but forgot to remove the attachment here.

[pandy]

Heard of a program with an executable labeled savt-client?

I still get that folder C:\Windows\System32\config\systemprofile filled up with email related files and have to delete them regularly. Apart from those files it only contained an empty folder called AppData previously. A while ago a new empty folder called savt-client turned up.

Now I found an exe in a folder on my desktop. I call the folder TEST and initially it was for scribble from here and the like, but I may occasionally download files to it too, things I want to look at later. Now I found this program, savt-client-2.0.0-windows-amd64.exe . Google gives me nothing. I have no idea if I have downloaded it myself or if it's malware (defender says no), but odd place to put it if it's malware.

It has an icon the depicts a shield with a padlock .Which makes me think of an AV. SAV means S-something AV?

[pandy]

Second image didn't work. New go.

Nope. It's just a small JPG. What's with this image mess? I'll make it a GIF.


That didn't work either.

Here goes.

[pandy]

I think I've found it. I changed my search criteria a little and googled "sav-t client". Led to a PDF on this domain https://datatracker.ietf.org/ . "Datatracker" sounds dangerous but probably isn't.

It runs some kind of tests. I've just glanced at the PDF, didn't understand much of what I read, but the icon is certainly the same (see attached). But how did it end up on my computer and in a very random folder? I certainly haven't downloaded it.



I'll delete it, but I'll search for more traces of it first. Maybe I'll even run it.

[Christian J]

I think I've found it. I changed my search criteria a little and googled "sav-t client".

Doesn't malware sometimes use similar (but non-identical) file names as legit software?

https://datatracker.ietf.org/release/about says Datatracker is an open-source project using GitHub, maybe you could check there if
there's a downloadeable file with the exact same file name "savt-client-2.0.0-windows-amd64.exe" (and same file size)?

But how did it end up on my computer and in a very random folder? I certainly haven't downloaded it.

If you sometimes use your TEST folder to download files, maybe your browser has remembered that download location, which could mean that the same browser downloaded the exe. But would Windows let it download an exe without your permission?

Or maybe your firewall(?) can tell you what other program put the exe there. I recall Glasswire can at least show which program acessed what IP at a given time.

But to me this whole thread sounds like your PC is used for file sharing or something malicious.

[pandy]

I think I've found it. I changed my search criteria a little and googled "sav-t client".

Doesn't malware sometimes use similar (but non-identical) file names as legit software?

But do they bother with embedding the icon, in different sizes at that?

https://datatracker.ietf.org/release/about says Datatracker is an open-source project using GitHub, maybe you could check there if
there's a downloadeable file with the exact same file name "savt-client-2.0.0-windows-amd64.exe" (and same file size)?

I don't get it. IEFT, aren't that the guys that create the RFSs?

But how did it end up on my computer and in a very random folder? I certainly haven't downloaded it.

If you sometimes use your TEST folder to download files, maybe your browser has remembered that download location, which could mean that the same browser downloaded the exe. But would Windows let it download an exe without your permission?

Or maybe your firewall(?) can tell you what other program put the exe there. I recall Glasswire can at least show which program acessed what IP at a given time.

But to me this whole thread sounds like your PC is used for file sharing or something malicious.

Don't think I have anything that can do that. But nothing get's out that I haven't OK'ed. Or in. There are no suspicious communication that has been blocked.

I've zipped it up for now. I've found some other folders that can be related to it. Mostly with empty files and few, very short, binary files with odd extensions. But those folder could as well be Windows stuff. Long, maningless file names that maybe just happens to have savt/sav-t in them.

[pandy]

I know where sav-t came from know and it's OK. I already had begun to suspected it had to do with the surveys we talked about earlier, but couldn't be sure. Now I got a new task there which in the description says "In this research study, you will be required to DOWNLOAD AND RUN THE SAV-T SOFTWARE ON YOUR COMPUTER to help us gather IP spoofing data". They've probably run the same study before. Mystery solved.

Note I don't generally download programs this way. But this site is different. It isn't the usual market research crap. It's kind of a platform for more serious studies. Everything about it is serious and fair. The clients are usually universities and most often you get the researcher's complete contact information (while they don't get yours). Very occasionally the study requires you run some small software. And they pay a decent hourly wage. Often more than decent. The studies can be tiresome though. When I started there was a lot of psychological tests, very quick paced, that could be an hour long. I needed to rest after those! Lately I've got a lot of AI image evaluation studies. Very nice. Just judge which of an image pair that is the best, if any. Those pay $5 for exactly 15 minutes. $20 an hour directly to PP isn't bad. I think I've done more than 40 of those. Helps with the bread and butter. And camera gear, of course.

[Christian J]

That's a relief, but does it explain everything in this thread?

[pandy]

Should it? It explains sav-t. Or at least lets you know it was nothing to worry about.

If you mean that folder filling up with email related files, it goes on. I've just incorporated emptying that folder in my weekend routine when I go trough and delete email trash. If I remember. Seems to be a pretty common win10 bug, but since I found no fix I just live with it. It was scary when I discovered it though since I had just a small fraction of the free space Windows is supposed to require left. It could have crashed the computer and probably would have pretty soon. I remember I was up all night deleting files. Since I didn't know what was going on then I was afraid to just delete them all and looked at at least one copy of each duplicated file.

Only afterwards I realized I could have zipped the whole lot up and moved it to another drive or off the computer as a temporary step, which would have freed up space quick. Then I could have gone through the files later.