The Web Design Group

... Making the Web accessible to all.

> Task manager tries to connect to the internet
pandy
post Dec 28 2023, 11:25 AM
Post #21


🌟Computer says no🌟
********

Group: WDG Moderators
Posts: 20,733
Joined: 9-August 06
Member No.: 6



That was quickly done. The only possible one is also in the Roaming directory and simply called ws. There's also a ws.exe, but that is clean. It's supposed to be this. There were also some > 10 years old email attachments that I deleted without regret.

https://www.f-secure.com/v-descs/trojan-js-cryxos.shtml

Since I haven't experienced anything like that and Defender and ClamWin don't find anything I'll let it be for now. It's supposed to be used by a scanner software and I've never owned a scanner, so that's a little strange.
https://www.file.net/process/ws.exe.html

Viruses are pretty fun when they don't mess the computer up!

Christian J
post Dec 28 2023, 01:03 PM
Post #22


.
********

Group: WDG Moderators
Posts: 9,661
Joined: 10-August 06
Member No.: 7



QUOTE(pandy @ Dec 28 2023, 05:25 PM) *

That description doesn't sound at all like the "Task Manager" files you found.

Are you sure the "ws" and "ws.exe" files are related? Were they both in the Roaming directory?

pandy
post Dec 28 2023, 10:35 PM
Post #23

QUOTE(Christian J @ Dec 28 2023, 07:03 PM) *

QUOTE(pandy @ Dec 28 2023, 05:25 PM) *

That description doesn't sound at all like the "Task Manager" files you found.

I don't think these are related to the Task manager one.

QUOTE

Are you sure the "ws" and "ws.exe" files are related? Were they both in the Roaming directory?


Yes, they sure are related. They are the only files in a directory called ws.

I've never understood what that Roaming directory is for. All sorts of stuff end up there.

pandy
post Jan 10 2024, 08:08 AM
Post #24

Here we go again. Is this really a legit warning from FF? Never got any such popups before. It keeps coming all the time. Sometimes it has a Norton logo, sometimes it's McAfee. Most often the message is in Swedish, but not always, which makes me suspicious. Got English, which is plausible since I run Windows in English, but also Polish or something like that.

I know what the virus is, or rather I found out now. It tricks you into downloading it with those popups at sites that ask if you will allow the site to send you notifications. I've never OK-ed that though. But just before I got the first FF notification I had landed on some pesky site, so surely I got it there. Then the thing shows you fake ads. What I don't know is if this FF warning is part of the virus's doings.

When it comes to removing it, all instruction is about how to block it in the browsers and FF had blocked it already. But I don't find any instructions about how to REMOVE it or information about what the file(s) is/are called.

I'm running an AV now, maybe it finds it. It's blocked and doesn't seem to do anything unless the FF warnings are its doing, but I want it gone anyway.

Attached Image

pandy
post Jan 10 2024, 08:11 AM
Post #25

Gaah! Now image uploads don't work again!

Here.

IPB Image

Christian J
post Jan 10 2024, 08:25 AM
Post #26

Never heard that Firefox displays virus warnings (and "via re-captcha-version-3-53.top"?). And even if it did, why would FF include a logo from Norton or other AV companies?

I can only assume that the false popup is meant to make you click on something, but why? To make you give the malware more permissions in FF? Or is the popup part of some kind of social engineering, eventually resulting in scam phone calls etc? That would explain the Swedish language.

Oh, and I notice the Windows Defender icon in taskbar in the screenshot has a warning "X".

pandy
post Jan 10 2024, 09:01 AM
Post #27

QUOTE(Christian J @ Jan 10 2024, 02:25 PM) *

Never heard that Firefox displays virus warnings (and "via re-captcha-version-3-53.top"?). And even if it did, why would FF include a logo from Norton or other AV companies?

It's added under Privacy & Security | Permissions | Notifications

As you can see there is an older version too a bit down. They are both already blocked, and to block them is the only advice I find.
I don't know if the option to remove the site would get rid of it or make it worse...

IPB Image

QUOTE
I can only assume that the false popup is meant to make you click on something, but why? To make you give the malware more permissions in FF? Or is the popup part of some kind of social engineering, eventually resulting in scam phone calls etc? That would explain the Swedish language.


I have clicked. First time it was reflex. Then I couldn't resist. Nothing happens more than that the window closes.

QUOTE
Oh, and I notice the Windows Defender icon in taskbar in the screenshot has a warning "X".


That's old. I haven't had time to go through that yet. None of them is called something that makes me think it's this.

Oh, the notification window has a menu (three dots). When I click it I get several options, like disable notification from re-captcha... I was going to make a screen cap but happened to click and the whole thing closed. Now I can't see it before it appears again. But that made it look somewhat legit.

pandy
post Jan 10 2024, 09:07 AM
Post #28

Got the menu!


Attached Image

Christian J
post Jan 10 2024, 09:14 AM
Post #29

QUOTE(pandy @ Jan 10 2024, 03:01 PM) *

QUOTE(Christian J @ Jan 10 2024, 02:25 PM) *

Never heard that Firefox displays virus warnings (and "via re-captcha-version-3-53.top"?). And even if it did, why would FF include a logo from Norton or other AV companies?

It's added under Privacy & Security | Permissions | Notifications

As you can see there is an older version too a bit down.

Oh, it's a domain name. How did you manage to allow both of them?

I assume you've read this (or similar): https://malwaretips.com/blogs/re-captha-version-3-35-top/

QUOTE
I have clicked. First time it was reflex. Then I couldn't resist. Nothing happens more than that the window closes.

According to the above link it's just notification spam, so disabling notifications from that URL should suffice.

QUOTE
QUOTE
Oh, and I notice the Windows Defender icon in taskbar in the screenshot has a warning "X".


That's old. I haven't had time to go through that yet. None of them is called something that makes me think it's this.

I was thinking maybe Defender doesn't work. Perhaps that could make Windows vulnerable, or some malware has even managed to disable Defender.

pandy
post Jan 10 2024, 11:05 AM
Post #30

But how does it work? If it's just a URL the browser must be an active part in it. How silly.

Anyway, the window must be from FF. I disabled notifications and that stopped the pest. So I figure the notification really was legit. Hadn't that URL been blocked, maybe it spawns ads on certain web sites or something? Maybe it has. How could I know? What I don't get is when I clicked "Remove it now" the window just closed.

According to your find I can just delete the URLs. I'll do that.
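
Added example (not part of any post in this thread, and not Firefox's own tooling): the entries shown under Privacy & Security | Permissions | Notifications live in the profile's permissions.sqlite, so they can be audited with a read-only query instead of by eye. The function names, the sample database and the .example origins are constructed for illustration; against a real profile, run it on a copy of the file with Firefox closed.

```python
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from urllib.parse import urlsplit

# moz_perms rows of type 'desktop-notification' are the entries listed under
# Permissions | Notifications; permission 1 = allow, 2 = block.
STATES = {1: "allow", 2: "block"}

def notification_permissions(db_path):
    """Return [(origin, state, modified_utc)] from a permissions.sqlite, newest first."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"  # read-only: never alter the profile
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT origin, permission, modificationTime FROM moz_perms "
            "WHERE type = 'desktop-notification' ORDER BY modificationTime DESC"
        ).fetchall()
    finally:
        con.close()
    return [(origin, STATES.get(perm, f"other({perm})"),
             datetime.fromtimestamp(ms / 1000, tz=timezone.utc))  # stored as milliseconds
            for origin, perm, ms in rows]

def unexpected_allows(perms, expected_hosts):
    """Origins that may still send notifications and are not on the user's own list."""
    return [origin for origin, state, _ in perms
            if state == "allow" and urlsplit(origin).hostname not in expected_hosts]

def build_sample_db(db_path):
    """Constructed stand-in for a profile's permissions.sqlite (sample data only)."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE moz_perms (id INTEGER PRIMARY KEY, origin TEXT, type TEXT, "
                "permission INTEGER, expireType INTEGER, expireTime INTEGER, "
                "modificationTime INTEGER)")
    con.executemany(
        "INSERT INTO moz_perms (origin, type, permission, expireType, expireTime, "
        "modificationTime) VALUES (?, ?, ?, 0, 0, ?)",
        [("https://calendar.example", "desktop-notification", 1, 1672567200000),
         ("https://fake-av-alerts.example", "desktop-notification", 1, 1704873600000),
         ("https://older-spam.example", "desktop-notification", 2, 1704870000000),
         ("https://maps.example", "geo", 1, 1704873600000)])
    con.commit()
    con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "permissions.sqlite"
        build_sample_db(db)
        perms = notification_permissions(db)
        for origin, state, when in perms:
            print(f"{when:%Y-%m-%d %H:%M} {state:<6} {origin}")
        print("review:", unexpected_allows(perms, {"calendar.example"}))
```

An origin that is still in the "allow" state and was added around the time the popups began is the one to remove or block in the settings dialog.
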
Christian J
post Jan 10 2024, 01:09 PM
Post #31

QUOTE(pandy @ Jan 10 2024, 05:05 PM) *

But how does it work? If it's just a URL the browser must be an active part in it. How silly.

I guess that's how notifications work. If you allow notifications from a spam site, you'll get spam notifications...

The fishy part is how they made you allow those notifications in the first place, without actually visiting the spam site. Maybe it can be done with framed pages.

pandy
post Jan 10 2024, 07:39 PM
Post #32

But I did, just before this started. I googled something, clicked on one of the hits and came to a mock site with popups all over the place. I of course didn't click anything, but that's where I must have got it. So there must be another way to get infected than to OK one of those notification requests.

pandy
post Jan 12 2024, 05:57 PM
Post #33

My computer oddities continue. I'm short of space on C, I discovered. So I downloaded a program that searches a disk and lists files by size. It also has some other information, for example what file types take up most space. Apart from some scattered stuff on the desktop I only have programs on C, but it says only 3.7% of the space is taken up by .exe files and 19.3% by PDF files! OK, programs may come with PDFs, but they hardly take up more space than the programs themselves.

So I searched C for .pdf. And found a shitload in C:\Windows\System32\config\systemprofile . What files are supposed to be in that directory? I'll google, but maybe you know right off?

It's crazy. There are oodles of PDF files with a few different file names but numbered from nothing to very high. The files with the same base name are all the same size. None can be opened. Well, what happens is the PDF program opens but no file is loaded. They are duplicated in the hundreds.

I have for example #044838.pdf to #044838_642.pdf. But that one isn't the worst. There are several thousands of some of them. Some file names I recognize, among them what probably is a protocol from a condo board meeting, also duplicated in absurdum. There are also images that follow the same pattern. The images open in IrfanView when I click the files. But when I try to close the window again IV freezes. There are also text files, mails (.eml), .vcf and god knows what duplicated the same way.

I don't see anything resembling system files, but I'm not sure. The content is hard to handle because the directory is so big - 99.8 GB of duplicated junk!!! It takes time for Explorer to sort them.

Why has this happened? Is my computer taken over by gremlins?

pandy
post Jan 12 2024, 06:16 PM
Post #34

OK. I discovered that if I move the files out of that folder I can view them. One is called datasäkerhet.pdf (computer safety). It's from Addnature (Swedish web shop). I may have browsed their site on occasion, but I certainly haven't downloaded that PDF deliberately.

The oldest file is from 2023-03-05 and the newest from today (.eml files). An eml file from yesterday has 10353 copies! If one of the big PDFs was duplicated that many times the computer would crash.

I'll delete all of them now before the computer really crashes, but it seems the folder fills up on a more or less daily basis, so I must solve this.


pandy
post Jan 12 2024, 08:49 PM
Post #35

This is nuts. I've been deleting like crazy. It takes forever. A little faster now when I realized I could stop the folder list from updating. That takes a really long time with that many files. I didn't check how many files there were to begin with, but 462 844 still remain!

I don't get it. Basically everything seems email related. But there have been a few photos that I have taken myself, totally hopeless ones, out of focus and so on. I can't imagine I've emailed them to anyone.

Furthermore, quite a few files are 10 years old or more. Still email related, attachments, but I've had my current email client just a few years. And the date stamps in the file list are from this or the previous year.

How come whatever is doing this chooses email related stuff from different email programs? Yes, I still have the old ones and the emails and probably a lot of attachments.
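
Added example (not from the posts): a read-only survey of a folder that counts the numbered copies described above (name.ext, name_1.ext ... name_642.ext) and reports how much space each set wastes. Copies are confirmed by size and SHA-256, so a file that merely ends in something like _2022 is not counted as a duplicate. Function names and sample files are constructed, and nothing is deleted.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Matches the numbered-copy pattern from the thread: "name_1.ext" ... "name_642.ext".
NUMBERED = re.compile(r"^(?P<stem>.+)_\d+$")

def base_name(filename):
    """Strip one trailing _N from the stem: 'a_liten_34.png' -> 'a_liten.png'."""
    stem, ext = os.path.splitext(filename)
    m = NUMBERED.match(stem)
    return (m["stem"] if m else stem) + ext.lower()

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def duplicate_groups(directory):
    """Return [(base name, copies, reclaimable bytes)], largest waste first."""
    candidates = defaultdict(list)
    with os.scandir(directory) as entries:   # streams entries, fine for huge folders
        for e in entries:
            if e.is_file(follow_symlinks=False):
                candidates[(base_name(e.name), e.stat().st_size)].append(e.path)
    report = []
    for (base, size), paths in candidates.items():
        if len(paths) < 2:
            continue                          # hash only where name and size already agree
        by_hash = defaultdict(list)
        for p in paths:
            by_hash[sha256_of(p)].append(p)
        for same in by_hash.values():
            if len(same) > 1:
                report.append((base, len(same), size * (len(same) - 1)))
    return sorted(report, key=lambda r: r[2], reverse=True)

def make_sample(directory):
    """Constructed files imitating the pattern described in the posts."""
    files = {"#044838.pdf": b"%PDF-sample", "#044838_1.pdf": b"%PDF-sample",
             "#044838_642.pdf": b"%PDF-sample", "photo.jpg": b"only one",
             "notes.txt": b"aaaa", "notes_2022.txt": b"bbbb"}  # same size, different content
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print(duplicate_groups(tmp))
```

Running it before and after fetching mail shows which base names gain copies, which helps narrow down the program that writes them.
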
Christian J
post Jan 13 2024, 07:39 AM
Post #36

QUOTE(pandy @ Jan 12 2024, 11:57 PM) *

So I searched C for .pdf. And found a shitload in C:\Windows\System32\config\systemprofile . What files are supposed to be in that directory? I'll google, but maybe you know right off?

I don't know, it seems to be used for all kinds of things.

I seem to have lots of empty "tmp" directories, possibly caused by a Windows bug, but not a lot of disk usage: https://www.ghacks.net/2021/11/01/windows-1...em32-directory/

Christian J
post Jan 13 2024, 10:08 AM
Post #37

BTW, have you checked if Disk Cleanup or similar removes the files?

pandy
post Jan 13 2024, 11:51 AM
Post #38

I'm scared of automatic cleanup. I deleted them manually. Took me until 6 in the morning. My whole body was aching from doing the same few moves for so long. You have no idea how slow it gets with probably more than a million files in a folder! In the beginning I wanted to check the files too. Both in case they were fishy and to be sure they weren't files needed by Windows. Or my own invaluable files that had mysteriously been moved there. But when I realized they were all copies I deleted everything with common extensions, images, PDFs, text files, HTML...

I have just a handful left because I don't know what they are. Probably of no importance, but I'm curious. I had a bunch of .com files. Can't find any use for that extension other than the old executive. Also very many .iso, small ones, 50 kB or so. I deleted all by mistake, so can't check those further, but I'll look into the .com. And also a bunch without extension, just long numeric file names.

There's also a folder called AppData in there with the subdirectories Local, LocalLow and Roaming. Do you have those? There are what I think are some kind of backup files in there, among others.

I haven't gotten any new files in systemprofile. But I haven't used my email program. I expect them to come when I start it. I can't figure what's doing this, but I think it's a Windows bug. Maybe email stuff is dumped there temporarily but Windows forgets to do cleanup? And what to do about it? I don't want to babysit that folder forever.

Lucky I happened to see I was that low on free space. I was down on 6 GB, I think. Less than what Windows is supposed to require anyway. Had this continued a while I guess a total crash had happened. Now I have 127 GB free. Much better! And I don't need to buy a larger SSD as I thought.

pandy
post Jan 13 2024, 12:16 PM
Post #39

Oh yes. I had 5 files. Fetched mail and now I have 931 files. 🥶

Duplicates are created right off. Have for instance 150x250-banner_kamda_logga_se_1_liten.png to 150x250-banner_kamda_logga_se_1_liten_34.png. If it's old or new I don't know. But I have attachments that have the date in the filename from 2022, 2018 and so on.

Christian J
post Jan 13 2024, 01:22 PM
Post #40

QUOTE(pandy @ Jan 13 2024, 05:51 PM) *

I'm scared of automatic cleanup.

Why? I could understand distrust in third-party cleanup software though.

QUOTE
There's also a folder called AppData in there with the subdirectories Local, LocalLow and Roaming. Do you have those?

I have those as well.

QUOTE(pandy @ Jan 13 2024, 06:16 PM) *

Oh yes. I had 5 files. Fetched mail and now I have 931 files. 🥶

Try your other email program as well, to see if both add files. If that's the case I would suspect a Windows bug (while if it's only one email program maybe the bug is in there, though that doesn't explain all the images and PDF files).

I guess it could also be some buggy maintenance program doing this, such as third-party antivirus, indexing etc.