September 2, 2021

Suspicious folder created, event log indicates it was caused by TiWorker.exe or Kaspersky?

I found an odd folder in my C:/Users/User/Appdata/Local/Temp folder called 7ZipSfx.000, and when I searched it up it seemed to be linked to multiple trojans.

Now, as soon as I saw this I started to investigate what happened. The folder was created at 8:43:14 PM, on August 29, 2021. This was shortly after I reinstalled Windows.

After this, I checked Event Viewer to see what was going on and see if I could get any support from the logs in Event Viewer. Sure enough, two services had generated Logon events and a Security Group Management event was created by C:\Windows\System32\VSSVC.exe, which supposedly stands for Volume Shadow Copy Service, and is a Microsoft signed file.

A couple seconds later in the Event Viewer, hundreds of Audit Policy Changes had occurred, all caused by C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.925_none_e76d4f6f260a683e\TiWorker.exe, changing the security descriptors. There were then User Account Management tasks logged, which were caused by avp.exe, belonging to Kaspersky Security Cloud.

Shortly after this, vault credentials were read.
Should I be concerned? Is this the work of a virus, or is it simply just a Windows update occurring, or Windows Defender/Kaspersky updating their databases? I have been very paranoid and stressed about malware on my computer since I was infected last week, and would like some input on the matter. I will not be available on my computer all day, but I will be willing to provide more detail on the event viewer logs. Thanks!
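
A read-only triage pass over the artifacts named in the post above, as an added example that is not part of the original post. The folder path, timestamp and binary paths are taken from the post; the Security event IDs are an assumed mapping of the event categories it describes, and the five-minute window is an arbitrary choice.

```powershell
# Added example, not from the post. Run in an elevated PowerShell session
# (reading the Security log requires administrator rights). Read-only.
$folder  = Join-Path $env:LOCALAPPDATA 'Temp\7ZipSfx.000'
$created = [datetime]'2021-08-29T20:43:14'   # creation time stated in the post
$named   = @(                                 # binaries named in the post
    'C:\Windows\System32\VSSVC.exe'
    'C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.925_none_e76d4f6f260a683e\TiWorker.exe'
)

# 1. Confirm the folder's timestamp and collect any files still inside it.
$dropped = @()
if (Test-Path -LiteralPath $folder) {
    Get-Item -LiteralPath $folder | Format-List FullName, CreationTime
    $dropped = (Get-ChildItem -LiteralPath $folder -Recurse -File).FullName
}

# 2. Hash and signature-check every file. A valid signature with a Microsoft
#    signer distinguishes the genuine binary from an impostor reusing its name.
@($named) + @($dropped) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_
    [pscustomobject]@{
        File   = $_
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash
    }
} | Format-List

# 3. Pull the event types the post describes from the Security log, five
#    minutes either side of the folder creation. Assumed ID mapping:
#    4624 logon, 4799 group membership enumerated, 4907 audit settings
#    changed, 4798 user's group membership enumerated, 5379 credentials read.
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4799, 4907, 4798, 5379
    StartTime = $created.AddMinutes(-5)
    EndTime   = $created.AddMinutes(5)
}

# 4. Summarize by event ID and originating process, so a noisy source
#    (hundreds of audit-setting changes) collapses to a single row.
$events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Id      = $_.Id
        Process = ($data | Where-Object Name -match 'ProcessName$').'#text' -join '; '
    }
} | Group-Object Id, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```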
