HTMLHelp Forums _ Off Topic _ Task manager tries to connect to the internet

Posted by: pandy Dec 24 2023, 07:40 PM

Why?

I've used TinyWall for several years, but haven't really looked at all the features. I found it can show all connections it has blocked the last 5 minutes. Taskmgr.exe has been blocked more than a hundred times - in 5 minutes. Why does it try to get out at all? Obviously it doesn't hurt anything that it's blocked, not that I've noticed anyway.

Note, TinyWall isn't a firewall in the usual sense. It sits on top of the Windows firewall and works by simply blocking all connections except those you OK. So when you first install it there's some fiddling. I think it's great, even if you have to remember to OK all new programs, but that's quickly done. I suppose it can be used as the only FW, but I keep the Windows one running. If anyone wants to try it, please note it doesn't work together with other firewall software, just the Windows one.

This is only the top of the list. You can see it's just 2 or 3 seconds between tries.

Attached Image

I don't know what the System process is about either. I didn't have to OK any system processes when I installed TinyWall, so it must have a built-in whitelist.

Posted by: Christian J Dec 25 2023, 06:15 AM

Maybe it's telemetry, but the IP 91.92.240.95 (91.92.240.0 - 91.92.240.255) seems to belong to the (hosting?) company Limenet, not Microsoft.

Have you been running Task Manager at these times? Is it possible to tell if it's running in the background (without using Task Manager itself)?

Posted by: pandy Dec 25 2023, 08:20 AM

I don't know. But it's the same now and I don't have Task manager running.

Yeah, Limenet is odd. I don't know exactly what it is. But I found the IP is on some blacklists, seems connected to spam.
Can't link with query string, you need to paste the IP in: 91.92.240.95 .

https://whatismyipaddress.com/blacklist-check

Posted by: pandy Dec 25 2023, 08:33 AM

I have 16 copies of taskmgr.exe. One of them is in a program directory which is maybe suspicious. Of course nothing stops people from naming their programs anything, but would a sensible person choose that name?

How many copies do you have? I expected to find just one!

I scanned the one in the program directory with Defender, which didn't find anything wrong with it.

Posted by: pandy Dec 25 2023, 08:59 AM

OK. The one in the program directory is different from the others. Much larger to start with.

The ones in more expected directories have next to no information in Properties and lack the signature tab.

Attached Image

The fishy one says it comes from Microsoft and was originally called Lklropl.exe, a file name there is absolutely no information about. I also tried LkIropI.exe and so on. It's hard to see the small text and it can't be copied.

Attached Image

Attached Image

Micro-Star International seems to be a legit company, but I guess these things can be faked. Why does it refer to both Microsoft and Micro-Star? Seems odd.
https://en.wikipedia.org/wiki/Micro-Star_International

Whatever it is TinyWall seems to stop it, so that's good.
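An added example, not part of the thread: a PowerShell script that does the triage pandy did by hand (find every taskmgr.exe, compare sizes, look at the signature tab and the original file name) in one pass. It assumes PowerShell 5.1 or later on Windows, an elevated prompt so protected directories can be read, and that the legitimate copies live under System32, SysWOW64 or WinSxS.

```powershell
# Constructed triage script: list every taskmgr.exe on the system drive with
# size, SHA-256, Authenticode status and PE version metadata, and flag copies
# that live outside the expected Windows directories or whose metadata does
# not match the real Task Manager.
$expectedDirs = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\WinSxS"
)

$copies = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'taskmgr.exe' `
    -File -Recurse -Force -ErrorAction SilentlyContinue

$report = foreach ($f in $copies) {
    # Windows system binaries are catalog-signed; Get-AuthenticodeSignature on
    # Windows 10 / PowerShell 5.1 checks the catalog and reports Valid for them.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $vi  = $f.VersionInfo
    $inExpectedDir = [bool]($expectedDirs | Where-Object { $f.DirectoryName -like "$_*" })

    # The real Task Manager carries OriginalFilename "Taskmgr.exe". The copy in
    # the thread claimed Microsoft as company but was originally "Lklropl.exe".
    $nameMismatch = $vi.OriginalFilename -notmatch '^taskmgr\.exe$'

    [pscustomobject]@{
        Path             = $f.FullName
        SizeKB           = [math]::Round($f.Length / 1KB, 1)
        Created          = $f.CreationTime
        SHA256           = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
        SigStatus        = $sig.Status               # Valid, NotSigned, HashMismatch, ...
        Signer           = $sig.SignerCertificate.Subject
        OriginalFilename = $vi.OriginalFilename
        CompanyName      = $vi.CompanyName
        Suspicious       = (-not $inExpectedDir) -or ($sig.Status -ne 'Valid') -or $nameMismatch
    }
}

# Suspicious copies first.
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Identical hashes under different paths mean one binary was dropped in several
# places, as with the program-directory and AppData\Roaming copies in the thread.
$report | Group-Object SHA256 | Where-Object Count -gt 1 |
    ForEach-Object { "Same binary in $($_.Count) places: $($_.Group.Path -join '; ')" }
```

The SHA256 column is also what to paste into VirusTotal's hash search, so the file itself never needs to be uploaded.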

Posted by: pandy Dec 25 2023, 09:04 AM

Funny thing. When I googled LkIropI.exe there was one single hit. This.
https://answers.microsoft.com/en-us/windows/forum/all/possibly-new-malware-found/86502eb6-48ad-44e6-9c85-f401e987f5c8
But there's no mention of that file name in the text.

Posted by: Christian J Dec 27 2023, 09:27 AM

QUOTE(pandy @ Dec 25 2023, 02:20 PM) *

Yeah, Limenet is odd. I don't know exactly what it is.

Their website seems to be limenet.io

Posted by: Christian J Dec 27 2023, 09:28 AM

QUOTE(pandy @ Dec 25 2023, 02:33 PM) *

I have 16 copies of taskmgr.exe. One of them is in a program directory which is maybe suspicious.

Which program's directory? Is that program trustworthy?

QUOTE
Of course nothing stops people from naming their programs anything, but would a sensible person choose that name?

Malware may disguise itself as well-known programs.

QUOTE
How many copies do you have? I expected to find just one!

I only have one, in the Windows\System32 directory.

Posted by: pandy Dec 27 2023, 10:45 AM

QUOTE(Christian J @ Dec 27 2023, 03:28 PM) *

Which program's directory? Is that program trustworthy?

Yes, very.

QUOTE
QUOTE
Of course nothing stops people from naming their programs anything, but would a sensible person choose that name?

Malware may disguise itself as well-known programs.


That's why I worry. At first I was just curious about what Task Manager was up to. But anyhow, TinyWall stops them from getting out.

QUOTE

QUOTE
How many copies do you have? I expected to find just one!

I only have one, in the Windows\System32 directory.


Attached a list of mine (except the big one). The big one had also placed itself in AppData\Roaming, so there are 12 others. They have different sizes and all are pretty new. I find that strange. The one in System32 is the real thing and should be as old as the computer. Then again, MS might have updated it, of course.

As you can see there are also a couple of taskmgr.exe-****.pf and I have 156 copies of taskmgr.exe.mui. At the bottom of the list there are 6 copies of taskmgr.exe.mun.

Anyway, I've found that the only one that tries to get out is the one in AppData\Roaming. I'll do some deleting and see what happens.

Sigh.


Attached Image

Posted by: pandy Dec 27 2023, 10:50 AM

That went well.

Attached Image

Posted by: pandy Dec 27 2023, 11:04 AM

On the Details tab in Task Manager I see 6 Taskmgr.exe processes. 1 is the real thing. All the others come from those two big files, the one in the program directory and the one in Roaming. So I guess it would be safe to kill those processes. I was unsure about whether Task Manager showed itself, so to speak.

Here goes nothing.

Posted by: pandy Dec 27 2023, 11:13 AM

Gaah! Now it couldn't be deleted because it was open in Windows Explorer.

So command line. No go!
"The process cannot access the file because it is being used by another process."

OK! UnLockIt fixed it. Both gone. I'll reboot and see if they come back again.

Posted by: pandy Dec 27 2023, 11:40 AM

Nope. Didn't come back. But the mystery continues.

All the others are gone too from TinyWall's list of blocked programs. It only blocks two System processes now. Nothing else.
Still have 14 copies though.


Posted by: Christian J Dec 27 2023, 12:17 PM

QUOTE(pandy @ Dec 27 2023, 04:45 PM) *

QUOTE(Christian J @ Dec 27 2023, 03:28 PM) *

Which program's directory? Is that program trustworthy?

Yes, very.

How about its download source?

Also something must have started all these processes, either a compromised program or something that autostarts with Windows.

Posted by: Christian J Dec 27 2023, 12:18 PM

QUOTE(pandy @ Dec 27 2023, 04:50 PM) *

That went well.

Attached Image

You can't see which of the (fake) Taskmanagers it refers to? That alone might explain the high number, as a way to make deletion harder.

Posted by: pandy Dec 27 2023, 01:53 PM

Nope. I don't know how to do that. I know there are programs, "process viewers", that dig deep down, but that's over my head.

But I tried to delete the one in Roaming first. Maybe it was run by the one in the program directory.

Posted by: pandy Dec 27 2023, 07:11 PM

I saved a zipped up copy of the one in Roaming, but forgot to do it with the one in the program directory. Probably doesn't matter since they were exactly the same size. I'm curious about this so I might download some other AV when I get around to it and see if that knows what it is.

Posted by: pandy Dec 27 2023, 10:21 PM

Tried ClamWin, which didn't find anything.

Then I uploaded the zip to one of those online virus sites. I don't know if it can be trusted or not. But it did find a whole lot. 🥶

https://www.virustotal.com/gui/file/53f73e4065ef5eed732c75c875a64f07c0a0a5c77f197ee141737db2379a3e92?nocache=1

Why do they all call it different things? Not easy to google.


Posted by: pandy Dec 27 2023, 11:06 PM

I downloaded a free version of one of the programs that did detect something at virustotal, eScan. Never heard of it before. But it did detect the zipped virus.

CODE
File C:\Users\user\AppData\Roaming\Taskmgr - possible virus.zip infected by "IL:Trojan.MSILZilla.22206[ZP] (DB)" Virus! Action Taken: No Action Taken.


I'll let it scan the whole computer tomorrow. I don't want to leave it on while I sleep.

Very nice GUI on that eScan! Like old times, not flashy and confusing and looking like a webpage with childish colours and huge buttons. Why did this look go out of style? Just look at the screen cap here https://www.escanav.com/en/mwav-tools/download-free-antivirus-toolkit.asp . What more do you need? It takes 5 seconds to learn how to use it. Those newfangled things drive me nuts with their obscure interfaces and automated everything. This lets me do just what I want - just scan and report and THEN I decide what to do with what it finds. No risk that little burp program you loved so much is deleted by mistake.

Read what it says under the screen cap too. It's portable. Wonder where it puts all files it downloads though. I mean, if you put it on a stick and run it on another person's machine you would want to clean up afterwards. Log files go in AppData, but I haven't found the many virus files it downloaded yet. I'd prefer if it put everything in the program directory so one could just remove the stick and leave no traces.

Posted by: pandy Dec 28 2023, 10:38 AM

It was pretty fast. I set it to scan everything - except mobile, but that's a nice feature, if it means phone. Two 500 GB hard drives and a 250 GB SSD, all pretty full. 2:10:16.

Found 37 threats. I see at a glance that many are not, but I'll have to go through the rest.

Posted by: pandy Dec 28 2023, 11:25 AM

That was quickly done. The only possible one is also in the Roaming directory and simply called ws. There's also a ws.exe, but that is clean. It's supposed to be this. There were also some more than 10 year old email attachments that I deleted without regret.

https://www.f-secure.com/v-descs/trojan-js-cryxos.shtml

Since I haven't experienced anything like that and Defender and ClamWin don't find anything I'll let it be for now. It's supposed to be used by scanner software and I've never owned a scanner, so that's a little strange.
https://www.file.net/process/ws.exe.html

Viruses are pretty fun when they don't mess the computer up!

Posted by: Christian J Dec 28 2023, 01:03 PM

QUOTE(pandy @ Dec 28 2023, 05:25 PM) *

https://www.f-secure.com/v-descs/trojan-js-cryxos.shtml

That description doesn't sound at all like the "Task Manager" files you found.

Are you sure the "ws" and "ws.exe" files are related? Were they both in the Roaming directory?

Posted by: pandy Dec 28 2023, 10:35 PM

QUOTE(Christian J @ Dec 28 2023, 07:03 PM) *

QUOTE(pandy @ Dec 28 2023, 05:25 PM) *

https://www.f-secure.com/v-descs/trojan-js-cryxos.shtml

That description doesn't sound at all like the "Task Manager" files you found.

I don't think these are related to the Task manager one.

QUOTE

Are you sure the "ws" and "ws.exe" files are related? Were they both in the Roaming directory?


Yes, they sure are related. They are the only files in a directory called ws.

I've never understood what that Roaming directory is for. All sorts of stuff end up there.

Posted by: pandy Jan 10 2024, 08:08 AM

Here we go again. Is this really a legit warning from FF? Never got any such popups before. It keeps coming all the time. Sometimes it has a Norton logo, sometimes it's McAfee. Most often the message is in Swedish, but not always, which makes me suspicious. Got English, which is plausible since I run Windows in English, but also Polish or something like that.

I know what the virus is, or rather I found out now. It tricks you into downloading it with those popups at sites that ask if you will allow the site to send you notifications. I've never OK-ed that though. But just before I got the first FF notification I had landed on some pesky site, so surely I got it there. Then the thing shows you fake ads. What I don't know is if this FF warning is part of the virus's doings.

When it comes to removing it, all the instructions are about how to block it in the browsers, and FF had blocked it already. But I don't find any instructions about how to REMOVE it or information about what the file(s) is/are called.

I'm running an AV now, maybe it finds it. It's blocked and doesn't seem to do anything unless the FF warnings are its doing, but I want it gone anyway.

Attached Image

Posted by: pandy Jan 10 2024, 08:11 AM

Gaah! Now image uploads don't work again!

Here.

IPB Image

Posted by: Christian J Jan 10 2024, 08:25 AM

Never heard that Firefox displays virus warnings (and "via re-captcha-version-3-53.top"?). And even if it did, why would FF include a logo from Norton or other AV companies?

I can only assume that the false popup is meant to make you click on something, but why? To make you give the malware more permissions in FF? Or is the popup part of some kind of social engineering, eventually resulting in scam phone calls etc? That would explain the Swedish language.

Oh, and I notice the Windows Defender icon in the taskbar in the screenshot has a warning "X".

Posted by: pandy Jan 10 2024, 09:01 AM

QUOTE(Christian J @ Jan 10 2024, 02:25 PM) *

Never heard that Firefox displays virus warnings (and "via re-captcha-version-3-53.top"?). And even if it did, why would FF include a logo from Norton or other AV companies?

It's added under Privacy & Security | Permissions | Notifications

As you can see there is an older version too a bit down. They are both already blocked, and to block them is the only advice I find.
I don't know if the option to remove the site would get rid of it or make it worse...

IPB Image

QUOTE
I can only assume that the false popup is meant to make you click on something, but why? To make you give the malware more permissions in FF? Or is the popup part of some kind of social engineering, eventually resulting in scam phone calls etc? That would explain the Swedish language.


I have clicked. First time it was reflex. Then I couldn't resist. Nothing happens more than that the window closes.

QUOTE
Oh, and I notice the Windows Defender icon in taskbar in the screenshot has a warning "X".


That's old. I haven't had time to go through that yet. None of them is called something that makes me think it's this.

Oh, the notification window has a menu (three dots). When I click it I get several options, like disabling notifications from re-captcha... I was going to make a screen cap but happened to click and the whole thing closed. Now I can't see it before it appears again. But that made it look somewhat legit.

Posted by: pandy Jan 10 2024, 09:07 AM

Got the menu!


Attached Image

Posted by: Christian J Jan 10 2024, 09:14 AM

QUOTE(pandy @ Jan 10 2024, 03:01 PM) *

QUOTE(Christian J @ Jan 10 2024, 02:25 PM) *

Never heard that Firefox displays virus warnings (and "via re-captcha-version-3-53.top"?). And even if it did, why would FF include a logo from Norton or other AV companies?

It's added under Privacy & Security | Permissions | Notifications

As you can see there is an older version too a bit down.

Oh, it's a domain name. How did you manage to allow both of them?

I assume you've read this (or similar): https://malwaretips.com/blogs/re-captha-version-3-35-top/

QUOTE
I have clicked. First time it was reflex. Then I couldn't resist. Nothing happens more than that the window closes.

According to the above link it's just notification spam, so disabling notifications from that URL should suffice.

QUOTE
QUOTE
Oh, and I notice the Windows Defender icon in taskbar in the screenshot has a warning "X".


That's old. I haven't had time to go through that yet. None of them is called something that makes me think it's this.

I was thinking maybe Defender doesn't work. Perhaps that could make Windows vulnerable, or some malware has even managed to disable Defender.

Posted by: pandy Jan 10 2024, 11:05 AM

But how does it work? If it's just a URL the browser must be an active part in it. How silly.

Anyway, the window must be from FF. I disabled notifications and that stopped the pest. So I figure the notification really was legit. Had that URL not been blocked, maybe it would spawn ads on certain web sites or something? Maybe it has. How could I know? What I don't get is when I clicked "Remove it now" the window just closed.

According to your find I can just delete the URLs. I'll do that.

Posted by: Christian J Jan 10 2024, 01:09 PM

QUOTE(pandy @ Jan 10 2024, 05:05 PM) *

But how does it work? If it's just a URL the browser must be an active part in it. How silly.

I guess that's how notifications work. If you allow notifications from a spam site, you'll get spam notifications...

The fishy part is how they made you allow those notifications in the first place, without actually visiting the spam site. Maybe it can be done with framed pages.

Posted by: pandy Jan 10 2024, 07:39 PM

But I did, just before this started. I googled something, clicked on one of the hits and came to a mock site with popups all over the place. I of course didn't click anything, but that's where I must have got it. So there must be another way to get infected than to OK one of those notification requests.

Posted by: pandy Jan 12 2024, 05:57 PM

My computer oddities continue. I'm short of space on C, I discovered. So I downloaded a program that searches a disk and lists files by size. It also has some other information, for example what file types take up most space. Apart from some scattered stuff on the desktop I only have programs on C, but it says only 3.7% of the space is taken up by .exe files and 19.3% by PDF files! OK, programs may come with PDFs, but they hardly take up more space than the programs themselves.

So I searched C for .pdf. And found a shitload in C:\Windows\System32\config\systemprofile. What files are supposed to be in that directory? I'll google, but maybe you know right off?

It's crazy. There are oodles of PDF files with a few different file names but numbered from nothing to very high. The files with the same base name are all the same size. None can be opened. Well, what happens is the PDF program opens but no file is loaded. They are duplicated in the hundreds.

I have for example #044838.pdf to #044838_642.pdf. But that one isn't the worst. There are several thousands of some of them. Some file names I recognize, among them what probably is a protocol from a condo board meeting, also duplicated ad absurdum. There are also images that follow the same pattern. The images open in IrfanView when I click the files. But when I try to close the window again IV freezes. There are also text files, mails (.eml), .vcf and god knows what duplicated the same way.

I don't see anything resembling system files, but I'm not sure. The content is hard to handle because the directory is so big - 99.8 GB of duplicated junk!!! It takes time for Explorer to sort them.

Why has this happened? Is my computer taken over by gremlins?

Posted by: pandy Jan 12 2024, 06:16 PM

OK. I discovered that if I move the files out of that folder I can view them. One is called datasäkerhet.pdf (computer safety). It's from Addnature (Swedish web shop). I may have browsed their site on occasion, but I certainly haven't downloaded that PDF deliberately.

The oldest file is from 2023-03-05 and the newest from today (.eml files). An eml file from yesterday has 10353 copies! If one of the big PDF was duplicated that many times the computer would crash.

I'll delete all of them now before the computer really crashes, but it seems the folder fills up on a more or less daily basis, so I must solve this.



Posted by: pandy Jan 12 2024, 08:49 PM

This is nuts. I've been deleting like crazy. It takes forever. A little faster now that I realized I could stop the folder list from updating. That takes a really long time with that many files. I didn't check how many files there were to begin with, but 462 844 still remain!

I don't get it. Basically everything seems email related. But there have been a few photos that I have taken myself, totally hopeless ones, out of focus and so on. I can't imagine I've emailed them to anyone.

Furthermore, quite a few files are 10 years old or more. Still email related, attachments, but I've had my current email client just a few years. And the date stamps in the file list are from this or the previous year.

How come whatever is doing this chooses email related stuff from different email programs? Yes, I still have the old ones and the emails and probably a lot of attachments.


Posted by: Christian J Jan 13 2024, 07:39 AM

QUOTE(pandy @ Jan 12 2024, 11:57 PM) *

So I searched C for .pdf. And found a shitload in C:\Windows\System32\config\systemprofile. What files are supposed to be in that directory? I'll google, but maybe you know right off?

I don't know, it seems to be used for all kinds of things.

I seem to have lots of empty "tmp" directories, possibly caused by a Windows bug, but not a lot of disk usage: https://www.ghacks.net/2021/11/01/windows-11-creates-lots-of-empty-folders-in-a-system32-directory/

Posted by: Christian J Jan 13 2024, 10:08 AM

BTW, have you checked if Disk Cleanup or similar removes the files?

Posted by: pandy Jan 13 2024, 11:51 AM

I'm scared of automatic cleanup. I deleted them manually. Took me until 6 in the morning. My whole body was aching from doing the same few moves for so long. You have no idea how slow it gets with probably more than a million files in a folder! In the beginning I wanted to check the files too. Both in case they were fishy and to be sure they weren't files needed by Windows. Or my own invaluable files that had mysteriously been moved there. But when I realized they were all copies I deleted everything with common extensions, images, PDFs, text files, HTML...

I have just a handful left because I don't know what they are. Probably of no importance, but I'm curious. I had a bunch of .com files. Can't think of any use for that extension other than the old executable. Also very many .iso, small ones, 50 kB or so. I deleted all by mistake, so can't check those further, but I'll look into the .com. And also a bunch without extension, just long numeric file names.

There's also a folder called AppData in there with the subdirectories Local, LocalLow and Roaming. Do you have those? There are what I think are some kind of backup files in there, among others.

I haven't gotten any new files in systemprofile. But I haven't used my email program. I expect them to come when I start it. I can't figure out what's doing this, but I think it's a Windows bug. Maybe email stuff is dumped there temporarily but Windows forgets to do cleanup? And what to do about it? I don't want to babysit that folder forever.

Lucky I happened to see I was that low on free space. I was down to 6 GB, I think. Less than what Windows is supposed to require anyway. Had this continued a while I guess a total crash would have happened. Now I have 127 GB free. Much better! And I don't need to buy a larger SSD as I thought.

Posted by: pandy Jan 13 2024, 12:16 PM

Oh yes. I had 5 files. Fetched mail and now I have 931 files. 🥶

Duplicates are created right off. Have for instance 150x250-banner_kamda_logga_se_1_liten.png to 150x250-banner_kamda_logga_se_1_liten_34.png. If it's old or new I don't know. But I have attachments that have the date in the filename from 2022, 2018 and so on.
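An added example, not from the thread: a PowerShell script that summarises the duplicate families in C:\Windows\System32\config\systemprofile (the #044838.pdf, #044838_1.pdf ... #044838_642.pdf pattern from earlier in the thread, and the _34 banner PNG here). Per family it gives copy count, space used, whether all copies have the same size as pandy observed, and whether they are byte-identical. It assumes PowerShell 5.1 or later and an elevated prompt so the directory can be read.

```powershell
# Constructed script: group files in the systemprofile directory into families
# by stripping a trailing "_<number>" from the base name, then report each family.
$dir = "$env:SystemRoot\System32\config\systemprofile"

$families = Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
    Group-Object -Property { ($_.BaseName -replace '_\d+$', '') + $_.Extension } |
    ForEach-Object {
        $grp   = $_.Group
        $sizes = @($grp | Select-Object -ExpandProperty Length | Sort-Object -Unique)
        # Hash at most the first 5 copies: same size does not prove same content.
        $hashes = @($grp | Select-Object -First 5 |
                    ForEach-Object { (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash } |
                    Sort-Object -Unique)
        [pscustomobject]@{
            Family    = $_.Name
            Copies    = $_.Count
            TotalMB   = [math]::Round(($grp | Measure-Object -Property Length -Sum).Sum / 1MB, 1)
            SameSize  = ($sizes.Count -eq 1)
            Identical = ($hashes.Count -eq 1)
            # Oldest/Newest per family show whether a family is still growing,
            # which is what to line up against Process Monitor's timestamps.
            Oldest    = ($grp | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
            Newest    = ($grp | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime
        }
    }

# Biggest space consumers first, then the overall damage.
$families | Sort-Object TotalMB -Descending | Select-Object -First 25 | Format-Table -AutoSize
"{0} families, {1} files, {2:N1} GB" -f $families.Count,
    ($families | Measure-Object -Property Copies -Sum).Sum,
    (($families | Measure-Object -Property TotalMB -Sum).Sum / 1024)
```

Running it before and after fetching mail, as pandy did by hand, shows exactly which families grew and by how many copies.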

Posted by: Christian J Jan 13 2024, 01:22 PM

QUOTE(pandy @ Jan 13 2024, 05:51 PM) *

I'm scared of automatic cleanup.

Why? I could understand distrust in third-party cleanup software though.

QUOTE
There's also a folder called AppData in there with the subdirectories Local, LocalLow and Roaming. Do you have those?

I have those as well.

QUOTE(pandy @ Jan 13 2024, 06:16 PM) *

Oh yes. I had 5 files. Fetched mail and now I have 931 files. 🥶

Try your other email program as well, to see if both add files. If that's the case I would suspect a Windows bug (while if it's only one email program maybe the bug is in there, though that doesn't explain all the images and PDF files).

I guess it could also be some buggy maintenance program doing this, such as third-party antivirus, indexing etc.

Posted by: pandy Jan 13 2024, 02:16 PM

QUOTE(Christian J @ Jan 13 2024, 07:22 PM) *

QUOTE(pandy @ Jan 13 2024, 05:51 PM) *

I'm scared of automatic cleanup.

Why? I could understand distrust in third-party cleanup software though.


Microsoft and I don't always agree on what should be done. The only cleanup program I've trusted was a freeware. But it went paid and became bulky.

QUOTE
QUOTE
There's also a folder called AppData in there with the subdirectories Local, LocalLow and Roaming. Do you have those?
I have those as well.


Thank you. Then I can leave that at least.

QUOTE

Try your other email program as well, to see if both add files. If that's the case I would suspect a Windows bug (while if it's only one email program maybe the bug is in there, though that doesn't explain all the images and PDF files).


I don't want to mess up my mail. OK, I could set it to leave the mail on the server, I guess. But it's so old now, Eudora, I'm afraid it'll mess up anyway. The one I used after that crashed beyond repair. I only have the mail.

I'll update my current program, been meaning to anyway. If that doesn't help I'll contact the author. It's that kind of program.

QUOTE

I guess it could also be some buggy maintenance program doing this, such as third-party antivirus, indexing etc.


I didn't use any third party AV until the previous hiccup. And those run on demand, not in the background, and I have set them to only scan, not take any action. Maybe it is the email program anyway. The oldest file was from the beginning of 2023. Could be about then I updated it. I'll install the new version tomorrow. Today I deserve a night off.

Posted by: pandy Jan 14 2024, 07:50 AM

The plot thickens. I didn't get many more files in the folder yesterday. Perhaps a hundred in total.

When I started email today I once again got a lot. So it seems to be mainly the first time email is active after a reboot. Only I don't turn the computer off, I just hibernate.

When I glanced through the files I saw at least three that aren't related to email. Notetab's two help files. But they at least exist on disk. The third was the most peculiar. An eBook (epub) with the author name misspelled. The file does exist but not under that name. The name can very well have been misspelled at some point, but I have corrected it and probably long ago. It could be I copied the file to another directory, renamed it, and deleted the original file. Notetab has moved around a bit too. Could these three be deleted files that the gremlin found? I certainly haven't sent or received any of them by email. But none of these three files is corrupt, which they ought to be if they were deleted long ago.

I've bought a license for the new version of the email program and am about to install it. Whether this helps or not I'll contact the author. Maybe someone else has had the same problem.

Posted by: Christian J Jan 14 2024, 07:56 AM

QUOTE(pandy @ Jan 14 2024, 01:50 PM) *

When I started email today I once again got a lot. So it seems to be mainly the first time email is active after a reboot. Only I don't turn the computer off, I just hibernate.

Maybe it happens when Windows updates force a reboot?

Posted by: pandy Jan 14 2024, 08:51 AM

But it hasn't done that in a long time.

It didn't help to update the email program. 1232 files. And it looks like the ones I last deleted are recreated. At least those three odd ones I mentioned. I don't think they were there yesterday though. I would have noticed. Especially the help files stand out. .chm files, the icon with the bright yellow question mark. And I sorted by file type when I looked through them.

Now I see the email program's ini file is also copied. And I have a new ISO file. MNF43.ISO, 54 kB. That file doesn't exist elsewhere on my computer. Only here and in the backup of odd files I made yesterday.

Posted by: pandy Jan 14 2024, 08:57 AM

Forgot to say. I had hopes at first after installing the new version of the email program. No new files. I both fetched and sent email to provoke it. Then I made a hard reboot. And then they came.

So it seems the bulk comes after Windows has loaded AND the email program is active. But some minor activity can also happen after that.

Could some kind of malware do this? With the purpose to slowly crash the computer? Or a spy program that's after email related stuff and needs to temporarily store files somewhere but isn't so good at it and grabs some other files too? I'm thinking of that taskmanager.exe that TinyWall stopped from getting out. Some related program could still be active maybe.

I have scanned with three different AVs and they only find files I know are OK and have been around a long time.

Posted by: pandy Jan 14 2024, 09:11 AM

Found a tip about ProcessExplorer in a thread about a similar problem. It's supposed to show what process writes the files. I'm downloading it. Whether I understand how to use it is another matter. It's one of the Sysinternals programs. I tried a lot of them many years ago, but I didn't know enough to make real use of them.

https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

Posted by: pandy Jan 14 2024, 09:20 AM

Nah. It just lists active processes and tells you a little about what they are. I don't see how I can relate a process to a file unless I catch it in the act, and that isn't likely to happen with a long list of active processes.

If I could tell ProcessExplorer to hide all processes that are running now and then reboot I would be able to catch it. But I don't see such an option.

Posted by: pandy Jan 14 2024, 10:39 AM

I caught it. cool.gif

I used another Sysinternals program. I rebooted, opened the systemprofile folder, started Process Monitor, started the email program and sent a few mails to myself. After a minute or two it happened.

Only I don't get anything out of it. The process has no name. Looking at details most fields are blank. Those that aren't are too low level for me.

I suppose you don't get anything out of this either? She says hopefully.

The right field that's partly hidden in the first screen cap says "SyncType: SyncTypeOther". Very enlightening.

IPB Image

IPB Image

IPB Image

IPB Image

FYI the upload thing only allows one image now. If I try to attach another it replaces the first one.

IPB Image

Posted by: pandy Jan 14 2024, 10:47 AM

I emptied the folder and now 4 new files are created. Three are copies of egpor95.vcf that doesn't exist anywhere else. Neither does the fourth, 732117007_a. Spooky!

Posted by: Christian J Jan 14 2024, 12:35 PM

QUOTE(pandy @ Jan 14 2024, 04:39 PM) *

The right field that's partly hidden in the first screen cap says "SyncType: SyncTypeOther". Very enlightening.

No idea what it is, but I get a couple of MS-related search hits for that phrase.

Posted by: pandy Jan 14 2024, 01:22 PM

The sync part seems related to the problem anyway.

Posted by: Christian J Jan 14 2024, 03:00 PM

Maybe some process is gathering suitable files for syncing with other devices (both legit and spyware would perhaps both work in a similar way).

Posted by: pandy Jan 14 2024, 03:59 PM

Yes, that's what I was touching on before. A temp storage for some reason. But after seeing how common similar problems are, I lean towards a Windows bug.

The most peculiar thing is really those long-ago deleted files.

Posted by: pandy Jan 16 2024, 10:30 AM

My conclusion was wrong. Yesterday it didn't happen closely after I booted up. I even rebooted to provoke it. It did happen later though. Several times, I guess, since I had 5000 files something when I went to bed. Hasn't happened yet today either.

Sorry for going on about this. But this thread became like a log of everything related to the problem, so I thought I could just as well continue, for my own sake.

Posted by: Christian J Jan 16 2024, 05:28 PM

Same time of day? Perhaps it tries to do it a certain time, or if Windows is not running as soon as it's restarted?

Can you see if any process has connected to the Internet around the same time?

Posted by: pandy Jan 16 2024, 07:56 PM

No, I don't think it was the same time. When I started to look into this it happened very soon after boot up - if email was running. I have very irregular hours and I also rebooted to provoke it.

I don't know how to check connections and I didn't note down the time stamp on the last bunch. If something tries to connect it won't succeed anyway since TinyWall will block it. And its block list alas only covers the last 5 minutes.

Posted by: Christian J Jan 17 2024, 01:50 PM

Glasswire keeps longer logs.

Posted by: pandy Jan 17 2024, 05:29 PM

OK. Can several firewalls run at the same time or do they fight?

Today a nasty app called bigo live opened on my phone. It's on Google Play, so assumedly a legit live streaming app. But all I saw on the splash screen were big boobs and tushies. That's the first time I have had an app install on my phone without my consent. How does that happen? I hardly ever use my phone for the web. I don't even read email on it. I use it for SMS and a handful of apps that I've used for ages.

WTF is going on? I'm beginning to feel stalked here. ninja.gif

Posted by: Christian J Jan 17 2024, 06:44 PM

QUOTE(pandy @ Jan 17 2024, 11:29 PM) *

OK. Can several firewalls run at the same time or do they fight?

No idea, FWIW I've only used it to monitor traffic, not block.

Maybe Pi-hole could be used as well for monitoring? Since it runs on its own hardware it won't fight anything.

QUOTE
That's the first time I have had an app install on my phone without my consent. How does that happen? I hardly ever use my phone for the web. I don't even read email on it. I use it for SMS and a handful of apps that I've used for ages.

Could it be that one of your old apps has changed owner, and a recent update by the new owner has changed its functionality?

Nowadays I'm feeling very reluctant to update apps for this reason, and because even legit developers may suddenly start displaying ads, change functionality etc.
Posted by: pandy Jan 17 2024, 10:14 PM

QUOTE
No idea, FWIW I've only used it to monitor traffic, not block.


So I can turn off some features? I'll try it tomorrow.

I had a connection monitoring program at some point. In those days I wouldn't even have run Windows firewall or AV. Today I'm so tired of everything and just make do with what's there.


QUOTE
Could it be that one of your old apps has changed owner, and a recent update by the new owner has changed its functionality?


I don't think so. It was among "recently installed" or what it's called. But I found that later. It just splat open from nowhere. I thought it was FF with a porn site loaded and wondered how that happened. And I don't have any apps that are even remotely similar. I just have boring things like map apps, photography related apps, bird and flower recognition apps, apps that list historical places... Things like that. Please don't tell anyone. blush.gif

This is crazy. I think it's 10 or 15 years ago I had a virus that actually did something (I don't count the odd attachment that can't do anything if you don't click it) and I've never had anything on my phone. Now it's something new each day.

BTW I got nothing in the systemprofile folder today. There is no system to this.

Posted by: Christian J Jan 18 2024, 07:29 AM

QUOTE(pandy @ Jan 18 2024, 04:14 AM) *

QUOTE
No idea, FWIW I've only used it to monitor traffic, not block.


So I can turn off some features? I'll try it tomorrow.

Maybe blocking requires the paid version, can't remember.


QUOTE
QUOTE
Could it be that one of your old apps has changed owner, and a recent update by the new owner has changed its functionality?


I don't think so. It was among "recently installed" or what it's called.

No I meant that one of the old trusted apps may have changed owner, and the new owner sends an update that makes it install more apps. I recall some apps may have permission for that (outrageous as it sounds), not sure.

QUOTE
It just splat open from nowhere.

It wasn't some kind of overlay screen from another app?

Posted by: pandy Jan 18 2024, 05:58 PM

QUOTE
No I meant that one of the old trusted apps may have changed owner, and the new owner sends an update that makes it install more apps. I recall some apps may have permission for that (outrageous as it sounds), not sure.


Didn't know that.

QUOTE

It wasn't some kind of overlay screen from another app?


No. It was among recently installed apps.

I haven't got a single file in systemprofile today either. I haven't done anything that can have put an end to it.


Posted by: Christian J Jan 18 2024, 07:33 PM

QUOTE(pandy @ Jan 18 2024, 11:58 PM) *

QUOTE
No I meant that one of the old trusted apps may have changed owner, and the new owner sends an update that makes it install more apps. I recall some apps may have permission for that (outrageous as it sounds), not sure.


Didn't know that.

It's likely not permitted by Google Play generally, but maybe Google's control is inefficient (especially for updates).

Not sure if this tells everything, but if you go to:

CODE
Settings > Apps & Notifications > Advanced > Special App Access > Install unknown apps

the listed apps should have their permissions shown (none allowed in my case).

unsure.gif

Posted by: pandy Jan 19 2024, 01:44 AM

None? Don't you use your phone for anything?

I never checked. Just uninstalled it. The permission choices are so limited they feel like bogus anyway.

Posted by: Christian J Jan 19 2024, 08:13 AM

QUOTE(pandy @ Jan 19 2024, 07:44 AM) *

None? Don't you use your phone for anything?

It's (allegedly) a list of apps that are allowed to install other apps, of course I don't allow that. cool.gif Or maybe "unknown" means apps outside the Play store?

QUOTE
I never checked. Just uninstalled it.

I meant maybe you can see which of your old apps had permission to install Bigo Live. That old app should still be in the list.

QUOTE
The permission choices are so limited they feel like bogus anyway.

Yeah, under "Special app access" the summary on my phone says "1 app can use unrestricted data", but in the actual list no app like that is shown, not even when I enable "Show system". Seems reassuring. wacko.gif

Posted by: pandy Jan 19 2024, 09:53 PM

Where do you find that list? I'm only aware of the ridiculously few and unspecific permissions for individual apps.

Posted by: pandy Jan 20 2024, 05:52 AM

Today systemprofile filled up again.

I made a mistake about the time stamps. I originally had files from early 2023 until now. So I thought those were the dates the files were copied to that folder and showed how long this has been going on. Most of today's files have a time stamp from this morning, but a bunch of them are much older, the oldest from 2012! So in reality I have no idea when it started.

I have 8 copies of the one from 2012, all of them have the same time stamp, to the second. The file doesn't exist elsewhere on the computer. It's a freaking DHL logo.

Gaaah!

Posted by: Christian J Jan 20 2024, 08:18 AM

QUOTE(pandy @ Jan 20 2024, 03:53 AM) *

Where do you find that list? I'm only aware of the ridiculously few and unspecific permissions for individual apps.

Where I wrote above. You may have to scroll down to the bottom a couple of times.

Posted by: Christian J Jan 20 2024, 08:20 AM

QUOTE(pandy @ Jan 20 2024, 11:52 AM) *

It's a freaking DHL logo.

Maybe it comes from an email? Either an email that has later been deleted, or maybe the image was hosted remotely before being copied to Windows.

The attachment didn't work. mellow.gif

Posted by: pandy Jan 21 2024, 12:59 AM

QUOTE(Christian J @ Jan 20 2024, 02:18 PM) *

QUOTE(pandy @ Jan 20 2024, 03:53 AM) *

Where do you find that list? I'm only aware of the ridiculously few and unspecific permissions for individual apps.

Where I wrote above. You may have to scroll down to the bottom a couple of times.


Ooo. Sorry. I didn't see that. Yes, I have it too. FF was allowed and Files by Google. Turned them off. Thank you.

Posted by: pandy Jan 21 2024, 01:02 AM

QUOTE(Christian J @ Jan 20 2024, 02:20 PM) *

Maybe it comes from an email? Either an email that has later been deleted, or maybe the image was hosted remotely before being copied to Windows.

Yes, everything does. Attachments, embedded pictures, eml files...

QUOTE

The attachment didn't work. mellow.gif


I know. It was just the GIF. I uploaded it elsewhere but forgot to remove the attachment here. blush.gif
