Discussion in 'Windows 10' started by t0mn8r, Oct 20, 2018.
You should have checked the digital application signature. If that executable was genuine from Sysinternals/MS, it would have a valid signature from them. If not, it could be a Malware decoy/camouflage.
I kept the files and looked at the digital signatures and, yes, it's from Microsoft.
I guess that means it's legit but how it wound up where it was and the negative impact it had on performance is a mystery...
TiWorker is doing a bunch of system operations, including disk cleanup.
Well, in this case, Windows f*ckup. Not the first, won't be the last.
This really looks like some sort of virus or piece of spyware because I found another instance without a digital signature in another syswow64 subdirectory. Still had RICHED32.DLL and another different copy of non-signed tiworker.exe. Same 20-30% CPU load. It's a little bit smart because when you open task manager it disappears. The only way I can see it is through another process monitor app from Yamicsoft Windows 10 Manager called Process Manager.
I have done scans but can't detect any virus or Spyware...
S O B...
TiWorker = Trusted Installer Worker
it's part of the servicing stack
and it's probably doing scheduled component cleanup, or WU background scans
believe it or not, most Windows system files are not digitally signed individually, they are verified by security catalogs
Although TiWorker.exe usually is. Please note that the Signature tab might not show if you do not have access to the file, making it appear as being unsigned.
Thank you for your input.
Another copy appeared again overnight and it's the same as the original one I discovered (i.e. notmyfault.exe signed by Micro$oft). I got rid of it again by killing the process and moving the file. It's exactly the same as the first one I found but not the same as yesterday's which had no signature.
Carlos, I understand what you said in your reply but the exe was not the same as the first one or the one from today.
The trusted installer would not work from the subdirectories created by the location and identifiers of S-1-4-87 or S-1-5-41 in different subdirectories of syswow64.
Not really a big problem for me...I just kill the process chewing up 50% of my resources and then I'm good until the next day. It's annoying, that's all..
I'm just trying to keep everyone updated...
I think it is not a bad idea to download, install and run Malwarebytes Antimalware (free) on your PC.
I have d/l and installed BitDefender Free and did a full scan.
Then, like clockwork, the false TIWorker.exe and riched32.dll were placed into another directory sucking up CPU cycles again. I scanned them with Bitdefender but not even a peep.
All have the same details and all, except one, have different identifiers as subdirectory names which look like S-1-xxx
I know this is a virus/trojan but I don't know where it comes from.
We struggle on comrades!
I have used my recovery system image (I use Macrium Reflect, your mileage may vary) because the files just kept coming back into various subdirectories below syswow64 and I was not able to find where it was coming from. My guess is that it was probably some mining trojan...anyway, all gone now but I kept the files separately.
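The signature points raised in the replies above (embedded signature versus security catalog, and a file looking unsigned when it cannot be read), as an added PowerShell example that is not part of the thread. The search root, the file-name list and the output columns are assumptions chosen for illustration; run it from an elevated prompt so unreadable files are not misreported.

```powershell
# Added example, not from the thread. $Root, $Names and the column names are assumptions.
param(
    [string]   $Root  = "$env:windir\SysWOW64",
    [string[]] $Names = @('TiWorker.exe', 'riched32.dll', 'notmyfault.exe')
)

# Walk the tree, including hidden/system folders, and keep only the names of interest.
# Note: riched32.dll directly in SysWOW64 is the normal system copy; the copies
# described in the thread sat in subdirectories below it.
Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $Names -contains $_.Name } |
    ForEach-Object {
        $file = $_
        try {
            # Validates an embedded Authenticode signature or, failing that,
            # looks the file hash up in the installed security catalogs.
            $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName -ErrorAction Stop
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            $readable = $true
        } catch {
            # Access denied is not the same as "unsigned": record it separately.
            $sig = $null; $hash = $null; $readable = $false
        }

        [pscustomobject]@{
            Path           = $file.FullName
            InSubdirectory = ($file.DirectoryName -ne $Root)
            Readable       = $readable
            # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
            Status         = if ($sig) { $sig.Status } else { 'Unreadable' }
            # None, Authenticode (embedded) or Catalog (catalog-signed)
            SignatureType  = if ($sig) { $sig.SignatureType } else { $null }
            IsOSBinary     = if ($sig) { $sig.IsOSBinary } else { $null }
            Signer         = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256         = $hash
            Created        = $file.CreationTime
        }
    } |
    Sort-Object Created |
    Format-List
```

A row with `Status` of `Valid` and `SignatureType` of `Catalog` is a file with no embedded signature that is still covered by a catalog; comparing `SHA256` and `Created` across rows shows whether the reappearing copies are the same file.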