[Solved] False tiworker.exe - high CPU usage

Discussion in 'Windows 10' started by t0mn8r, Oct 20, 2018.

  1. t0mn8r

    t0mn8r MDL Junior Member

    Aug 21, 2009
    59
    7
    0
    #1 t0mn8r, Oct 20, 2018
    Last edited: Oct 20, 2018
  2. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Dec 21, 2012
    2,562
    2,228
    90
    You should have checked the digital application signature. If that executable was genuine from Sysinternals/MS, it would have a valid signature from them. If not, it could be a Malware decoy/camouflage.
     
  3. t0mn8r

    t0mn8r MDL Junior Member

    Aug 21, 2009
    59
    7
    0
    I kept the files and looked at the digital signatures and, yes, it's from Microsoft.

    viz.

    signature.jpg

    I guess that means it's legit but how it wound up where it was and the negative impact it had on performance is a mystery...

    :confused:
     
  4. TairikuOkami

    TairikuOkami MDL Addicted

    Mar 15, 2014
    733
    614
    30
    TiWorker is doing a bunch of system operations, including disk cleanup.
     
  5. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Dec 21, 2012
    2,562
    2,228
    90
    Well, in this case, Windows f*ckup. Not the first, won't be the last.
     
  6. t0mn8r

    t0mn8r MDL Junior Member

    Aug 21, 2009
    59
    7
    0
    Team,
    This really looks like some sort of virus or piece of spyware because I found another instance without a digital signature in another syswow64 subdirectory. Still had RICHED32.DLL and another different copy of non-signed tiworker.exe. Same 20-30% CPU load. It's a little bit smart because when you open task manager it disappears. The only way I can see it is through another process monitor app from Yamicsoft Windows 10 Manager called Process Manager.

    I have done scans but can't detect any virus or Spyware...

    S O B...
     
  7. abbodi1406

    abbodi1406 MDL KB0000001

    Feb 19, 2011
    8,205
    27,832
    270
    TiWorker = Trusted Installer Worker
    it's part of the servicing stack
    and it's probably doing scheduled component cleanup, or WU background scans

    believe it or not, most Windows system files are not digitally signed individually, they are verified by security catalogs
    C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
     
  8. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Dec 21, 2012
    2,562
    2,228
    90
    Although TiWorker.exe usually is. Please note that the Signature tab might not show if you do not have access to the file, making it appear as being unsigned.
     
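    The signature checks discussed in posts 2, 7 and 8, as an added PowerShell example that is not part of the thread: it reports whether each running TiWorker.exe is validly signed, whether the signature is embedded or comes from a security catalog, and where the file runs from. The function name `Get-TiWorkerVerdict` and the expectation that the genuine copy runs from under `%WinDir%\WinSxS` are assumptions of this example.

```powershell
# Added example (not from the thread): triage every running TiWorker.exe.
# Assumption: the genuine servicing-stack copy runs from under %WinDir%\WinSxS.
$ExpectedRoot = (Join-Path $env:WinDir 'WinSxS') + '\'

function Get-TiWorkerVerdict {
    param([Parameter(Mandatory)] $Process)   # a Win32_Process CIM instance

    $path = $Process.ExecutablePath
    if (-not $path) {
        # An unreadable path means missing access, not a missing signature.
        return [pscustomobject]@{
            ProcessId = $Process.ProcessId
            Path      = $null
            Verdict   = 'Unknown: path not readable, re-run elevated'
        }
    }

    # Covers embedded Authenticode signatures and catalog-signed files alike.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $inExpectedRoot = $path.StartsWith($ExpectedRoot, [StringComparison]::OrdinalIgnoreCase)

    $verdict = if ($sig.Status -ne 'Valid') {
        "Suspicious: signature status is $($sig.Status)"
    } elseif (-not $sig.IsOSBinary) {
        # e.g. a validly signed tool that is not a Windows component, renamed
        'Suspicious: signed, but not a Windows OS binary'
    } elseif (-not $inExpectedRoot) {
        'Review: OS binary running from an unexpected directory'
    } else {
        'OK'
    }

    [pscustomobject]@{
        ProcessId     = $Process.ProcessId
        ParentId      = $Process.ParentProcessId
        Path          = $path
        Status        = $sig.Status
        SignatureType = $sig.SignatureType     # Authenticode (embedded) or Catalog
        IsOSBinary    = $sig.IsOSBinary
        Signer        = $sig.SignerCertificate.Subject
        SHA256        = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Verdict       = $verdict
    }
}

Get-CimInstance Win32_Process -Filter "Name = 'TiWorker.exe'" |
    ForEach-Object { Get-TiWorkerVerdict -Process $_ } |
    Format-List
```

    Run it from an elevated prompt so the executable path of system processes is readable; the SHA256 value can be used to look the file up or submit it to a scanning service.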
  9. t0mn8r

    t0mn8r MDL Junior Member

    Aug 21, 2009
    59
    7
    0
    Team,
    Thank you for your input.

    Another copy appeared again overnight and it's the same as the original one I discovered (i.e. notmyfault.exe signed by Micro$oft). I got rid of it again by killing the process and moving the file. It's exactly the same as the first one I found but not the same as yesterday's which had no signature.

    Carlos, I understand what you said in your reply but the exe was not the same as the first one or the one from today.

    The trusted installer would not work from the subdirectories created by the location and identifiers of S-1-4-87 or S-1-5-41 in different subdirectories of syswow64.

    Not really a big problem for me...I just kill the process chewing up 50% of my resources and then I'm good until the next day. It's annoying, that's all..

    I'm just trying to keep everyone updated...
     
  10. taviruni

    taviruni MDL Member

    May 8, 2010
    218
    142
    10
    I think it is not a bad idea to download, install and run Malwarebytes Antimalware (free) on your PC.
     
  11. t0mn8r

    t0mn8r MDL Junior Member

    Aug 21, 2009
    59
    7
    0
    Team,
    I have d/l and installed BitDefender Free and did a full scan.

    Nada.

    Then, like clockwork, the false TIWorker.exe and riched32.dll were placed into another directory sucking up CPU cycles again. I scanned them with Bitdefender but not even a peep.

    All have the same details and all, except one, have different identifiers as subdirectory names which look like S-1-xxx

    I know this is a virus/trojan but I don't know where it comes from.

    We struggle on comrades!
     
  12. t0mn8r

    t0mn8r MDL Junior Member

    Aug 21, 2009
    59
    7
    0
    Update!
    I have used my recovery system image (I use Macrium Reflect, your mileage may vary) because the files just kept coming back into various subdirectories below syswow64 and I was not able to find where it was coming from. My guess is that it was probably some mining trojan...anyway, all gone now but I kept the files separately.

    HTH