Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
-
- Posts: 12
- Joined: Thu Jun 13, 2024 2:49 pm
Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
This isn't the first time happening to me. The Softether VPN Client service would eat more than 25 Mbps of network bandwidth when not connected to anything and I had to disable the service altogether to stop it, as ending the process will simply prompt the service to restart it. Not sure what's happening here but it honestly feels like a malware to me. It actually slowed down my Internet significantly and increased my ping in games. I have done a virus scan via Windows Defender and Malwarebytes and found nothing. What I did before is just uninstalling it and it would be gone until I needed to use the VPN again. Thought they fixed it after 7 months but I guess not.
I'm on Windows 10, connected to ethernet if that matters.
-
- Posts: 1589
- Joined: Sun Feb 14, 2021 10:31 am
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
Softether is open source, anyone can compile it with malware and call this construct "Softether", so where did you get it and what version? (Post your sigcheck here)
-
- Posts: 12
- Joined: Thu Jun 13, 2024 2:49 pm
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
Ok turns out I was using the February (2024.02.25) build, gonna update it and see how it goes. Also I always get my installation here https://www.vpngate.net/en/download.aspx which I suppose is the official site (that includes the plugin)?
-
- Posts: 12
- Joined: Thu Jun 13, 2024 2:49 pm
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
Alright so I updated and the process dropped the network usage to 0.1Mbps-0.8Mbps which is much better. But it would be ideal for it to not use any network bandwidth when not connected to anything though. Here's the sigcheck for your reference. I don't know if I'm doing it right though.
Sigcheck v2.90 - File version and signature viewer
Copyright (C) 2004-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\program files\softether vpn client\installer.cache:
Verified: Signed
Signing date: 10:55 AM 31/08/2023
Publisher: SOFTETHER CORPORATION
Company: SoftEther VPN Project at University of Tsukuba, Japan.
Description: SoftEther VPN
Product: SoftEther VPN
Prod version: 4, 43, 0, 9799
File version: 4, 43, 0, 9799
MachineType: 32-bit
c:\program files\softether vpn client\vpnclient.exe:
Verified: Signed
Signing date: 10:53 AM 31/08/2023
Publisher: SoftEther Corporation
Company: SoftEther VPN Project at University of Tsukuba, Japan.
Description: SoftEther VPN
Product: SoftEther VPN
Prod version: 4, 43, 0, 9799
File version: 4, 43, 0, 9799
MachineType: 32-bit
c:\program files\softether vpn client\vpnclient_x64.exe:
Verified: Signed
Signing date: 10:53 AM 31/08/2023
Publisher: SoftEther Corporation
Company: SoftEther VPN Project at University of Tsukuba, Japan.
Description: SoftEther VPN
Product: SoftEther VPN
Prod version: 4, 43, 0, 9799
File version: 4, 43, 0, 9799
MachineType: 64-bit
c:\program files\softether vpn client\vpncmd.exe:
Verified: Signed
Signing date: 10:53 AM 31/08/2023
Publisher: SoftEther Corporation
Company: SoftEther VPN Project at University of Tsukuba, Japan.
Description: SoftEther VPN
Product: SoftEther VPN
Prod version: 4, 43, 0, 9799
File version: 4, 43, 0, 9799
MachineType: 32-bit
c:\program files\softether vpn client\vpncmd_x64.exe:
Verified: Signed
Signing date: 10:52 AM 31/08/2023
Publisher: SoftEther Corporation
Company: SoftEther VPN Project at University of Tsukuba, Japan.
Description: SoftEther VPN
Product: SoftEther VPN
Prod version: 4, 43, 0, 9799
File version: 4, 43, 0, 9799
MachineType: 64-bit
c:\program files\softether vpn client\vpncmgr.exe:
Verified: Signed
Signing date: 10:53 AM 31/08/2023
Publisher: SoftEther Corporation
Company: SoftEther VPN Project at University of Tsukuba, Japan.
Description: SoftEther VPN
Product: SoftEther VPN
Prod version: 4, 43, 0, 9799
File version: 4, 43, 0, 9799
MachineType: 32-bit
c:\program files\softether vpn client\vpncmgr_x64.exe:
Verified: Signed
Signing date: 10:52 AM 31/08/2023
Publisher: SoftEther Corporation
Company: SoftEther VPN Project at University of Tsukuba, Japan.
Description: SoftEther VPN
Product: SoftEther VPN
Prod version: 4, 43, 0, 9799
File version: 4, 43, 0, 9799
MachineType: 64-bit
c:\program files\softether vpn client\VpnGatePlugin_x64.dll:
Verified: Unsigned
Link date: 10:52 AM 31/08/2023
Publisher: n/a
Company: University of Tsukuba
Description: VPN Gate Plug-in DLL for SoftEther VPN
Product: VPN Gate Software
Prod version: 4, 43, 0, 9799
File version: 4, 43, 0, 9799
MachineType: 64-bit
c:\program files\softether vpn client\VpnGatePlugin_x86.dll:
Verified: Unsigned
Link date: 10:51 AM 31/08/2023
Publisher: n/a
Company: University of Tsukuba
Description: VPN Gate Plug-in DLL for SoftEther VPN
Product: VPN Gate Software
Prod version: 4, 43, 0, 9799
File version: 4, 43, 0, 9799
MachineType: 32-bit
c:\program files\softether vpn client\vpninstall.exe:
Verified: Signed
Signing date: 10:53 AM 31/08/2023
Publisher: SoftEther Corporation
Company: SoftEther VPN Project at University of Tsukuba, Japan.
Description: SoftEther VPN
Product: SoftEther VPN
Prod version: 4, 43, 0, 9799
File version: 4, 43, 0, 9799
MachineType: 32-bit
c:\program files\softether vpn client\vpnsetup.exe:
Verified: Signed
Signing date: 10:53 AM 31/08/2023
Publisher: SoftEther Corporation
Company: SoftEther VPN Project at University of Tsukuba, Japan.
Description: SoftEther VPN
Product: SoftEther VPN
Prod version: 4, 43, 0, 9799
File version: 4, 43, 0, 9799
MachineType: 32-bit
c:\program files\softether vpn client\vpnsetup_x64.exe:
Verified: Signed
Signing date: 10:52 AM 31/08/2023
Publisher: SoftEther Corporation
Company: SoftEther VPN Project at University of Tsukuba, Japan.
Description: SoftEther VPN
Product: SoftEther VPN
Prod version: 4, 43, 0, 9799
File version: 4, 43, 0, 9799
MachineType: 64-bit
-
- Posts: 1589
- Joined: Sun Feb 14, 2021 10:31 am
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
On the same vpngate-client-2024.06.15-build-9799.159115 there is no traffic whatsoever after a brief connection to random VPN Gate and then idling for 1 hour as logged below...
-
- Posts: 12
- Joined: Thu Jun 13, 2024 2:49 pm
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
I will try to use the network monitor app you used and see how it goes. I'm only basing it off task manager for now.
-
- Posts: 12
- Joined: Thu Jun 13, 2024 2:49 pm
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
Alright, logs show that it's uploading something (10 MB after 40 mins) while downloading a little bit of stuff (0.66 MB). Used netstat -ban and found these IPs that vpngate is connected to. Also ran it again with the -o parameter and found the unnamed SoftEther Service (PID 516) is connected to what seems to be an Indian IP address? Anyway here's the log:
-
- Posts: 1589
- Joined: Sun Feb 14, 2021 10:31 am
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
Please run these commands:
"C:\Program Files\SoftEther VPN Client\vpncmd.exe" localhost /client /cmd RemoteDisable
net stop SEVPNCLIENT
net start SEVPNCLIENT
If or when the unwelcome traffic re-appears, run and post as code:
ipconfig /all
netstat -r
Also include in your post relevant log from "C:\Program Files\SoftEther VPN Client\client_log" folder at the time of the rogue connection.
While at it, open up "SoftEther VPN Client Manager" and check the GUI for any active connection.
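The checks solo asks for above (what the service process is connected to while the GUI shows nothing, plus the client_log at that time) can be gathered in one pass. This is an added example, not code from the thread or from the SoftEther project; it assumes the default install path and the SEVPNCLIENT service name shown in the posts, and an elevated 64-bit PowerShell.

```powershell
# Added example, not from the thread: snapshot what the SoftEther client service is
# talking to while the Client Manager GUI shows no active connection, then pull the
# newest client_log lines. Assumes the default install path and the SEVPNCLIENT
# service name from the posts above; run from an elevated 64-bit PowerShell.
$installDir = 'C:\Program Files\SoftEther VPN Client'
$svc = Get-CimInstance Win32_Service -Filter "Name='SEVPNCLIENT'"
if (-not $svc -or $svc.State -ne 'Running') { throw 'SEVPNCLIENT is not running' }
$svcPid = [int]$svc.ProcessId
"SEVPNCLIENT runs as PID $svcPid : $((Get-Process -Id $svcPid).Path)"

# Management traffic (vpncmgr / vpncmd -> service) stays on loopback; anything else
# is a real remote peer and is what Task Manager / AppNetworkCounter are counting.
$loopback = @('127.0.0.1', '::1', '0.0.0.0', '::')
$remote = Get-NetTCPConnection -OwningProcess $svcPid -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin $loopback } |
    Select-Object LocalPort, RemoteAddress, RemotePort, State

"== Non-loopback TCP endpoints of PID $svcPid =="
foreach ($c in $remote) {
    # Reverse lookup is best-effort; volunteer VPN Gate hosts often have no PTR record.
    $ptr = (Resolve-DnsName -Name $c.RemoteAddress -Type PTR -ErrorAction SilentlyContinue |
            Select-Object -First 1).NameHost
    '{0,-40} {1,6} {2,-12} {3}' -f $c.RemoteAddress, $c.RemotePort, $c.State, $ptr
}

"== UDP sockets of PID $svcPid (SoftEther's UDP acceleration uses these) =="
Get-NetUDPEndpoint -OwningProcess $svcPid -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort | Format-Table -AutoSize

# Two readings of the process I/O counters 30 s apart. These count file and socket
# I/O together, so treat the delta only as corroboration of the per-app byte counts.
$p1 = Get-CimInstance Win32_Process -Filter "ProcessId=$svcPid"
Start-Sleep -Seconds 30
$p2 = Get-CimInstance Win32_Process -Filter "ProcessId=$svcPid"
$written = $p2.WriteTransferCount - $p1.WriteTransferCount
$read    = $p2.ReadTransferCount  - $p1.ReadTransferCount
'I/O in 30 s: written {0:N0} bytes, read {1:N0} bytes' -f $written, $read

# Newest client log, last 20 lines: look for connect/disconnect events near the snapshot time.
$log = Get-ChildItem -Path (Join-Path $installDir 'client_log') -Filter *.log -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($log) { "== $($log.FullName) =="; Get-Content -Path $log.FullName -Tail 20 }
```

Run it twice, once right after the RemoteDisable and service restart and again when the upload resumes, and post both snapshots together with the log tail.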
-
- Posts: 12
- Joined: Thu Jun 13, 2024 2:49 pm
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
I did another run of Malwarebytes, Windows Defender full scan + offline scan just in case and again, found nothing. Windows 10 is on the latest version as well. Also the issue seems to have worsened as it's starting to go at 300Kbps~ sometimes now, even after running your commands. Here's the ipconfig/netstat log:
C:\WINDOWS\system32>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : SPECTAL
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Unknown adapter VPN - VPN Client:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VPN Client Adapter - VPN
Physical Address. . . . . . . . . : 5E-27-01-F5-93-7E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Ethernet 5:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller #2
Physical Address. . . . . . . . . : 00-D8-61-D4-01-8B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::7f72:51a0:6472:c045%3(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.195(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, 16 June 2024 11:59:46 PM
Lease Expires . . . . . . . . . . : Sunday, 23 June 2024 11:59:46 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 536926305
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-E5-47-06-00-D8-61-D4-01-8B
DNS Servers . . . . . . . . . . . : 2001:4860:4860::8888
2001:4860:4860::8844
8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\WINDOWS\system32>netstat -r
===========================================================================
Interface List
12...5e 27 01 f5 93 7e ......VPN Client Adapter - VPN
3...00 d8 61 d4 01 8b ......Realtek PCIe GbE Family Controller #2
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.195 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.0.0 255.255.255.0 On-link 192.168.0.195 281
192.168.0.195 255.255.255.255 On-link 192.168.0.195 281
192.168.0.255 255.255.255.255 On-link 192.168.0.195 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.0.195 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.0.195 281
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
3 281 fe80::/64 On-link
3 281 fe80::7f72:51a0:6472:c045/128
On-link
1 331 ff00::/8 On-link
3 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
-
- Posts: 12
- Joined: Thu Jun 13, 2024 2:49 pm
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
Honestly I'm gonna assume that either there's something wrong with the client, or there are rogue VPN servers in the list. It would be weird for a malware (which I have yet to detect any) to be targeting SoftEther services exclusively and be permanently gone if I uninstall the client, especially when I downloaded the client from the official source. The logs you requested (and probably this reply) are still pending mod approval, but I'm giving my 2 cents anyway.
I have used Proton VPN, connected to both Japan and US servers for a bit, and have yet to meet any issues like this. Not that I'm saying SoftEther is bad, I'm just pointing this out. I used SE for years, a few years ago, for gaming and this issue never happened to me before.
-
- Posts: 1589
- Joined: Sun Feb 14, 2021 10:31 am
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
Can you run AppNetworkCounter for 1 hour "when not connected to anything" and post its screenshot? It is essential to select fully visible "application path" and sent/received bytes like this:
-
- Posts: 12
- Joined: Thu Jun 13, 2024 2:49 pm
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
There you go. The issue got way worse and uploaded 4GB worth of data lol. Also vpncmgr didn't show up so I assumed it did not consume any bandwidth which I suppose is normal?
-
- Posts: 1589
- Joined: Sun Feb 14, 2021 10:31 am
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
Malware can be detected only if its signature is known. In your case some malware injects itself into the vpnclient_x64 process in order to pass through your firewall, it is as simple as that, and has nothing to do with SoftEther's devs evil ideas. It works flawlessly for me and thousands of other users. You could verify it yourself on a fresh and clean Windows installation in a virtual machine or another PC. As for your current "Windows 10" predicament, it may range from a hardcore rootkit infection to a mild exploit, and any countermeasures may be ineffective or short-lived. That said, if you wish, we could probably inconclusively check out a few exploit vectors - get PC Hunter and when the rogue traffic keeps flowing run it and click "Examination", select "hide safe items" and click "Generate...", wait 10 minutes, click "Terminate...", click "Export..." and post the file as code.
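Solo's two suggestions, the sigcheck of the install directory earlier in the thread and the process-injection hypothesis here, can be checked together with Authenticode: verify every binary on disk, then every module actually loaded into the running service process, which is where an injected DLL would appear. This is an added example, not code from the thread or from the SoftEther project; it assumes the default install path and service name from the posts and an elevated 64-bit PowerShell (a 32-bit shell cannot read a 64-bit process's module list).

```powershell
# Added example, not from the thread: Authenticode check of the SoftEther install
# directory (what sigcheck covered above) and of every module loaded into the running
# service process. Assumes the default install path and the SEVPNCLIENT service name;
# run from an elevated 64-bit PowerShell.
$installDir = 'C:\Program Files\SoftEther VPN Client'

function Test-Signer {
    param([string]$Path, [string[]]$AllowedSigners)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # Flag anything that is not validly signed by one of the expected publishers.
    $ok     = $sig.Status -eq 'Valid' -and
              @($AllowedSigners | Where-Object { $signer -like $_ }).Count -gt 0
    [pscustomobject]@{ Flag = -not $ok; Status = $sig.Status; Signer = $signer; Path = $Path }
}

# On disk: everything should carry a SoftEther signature. The sigcheck posted above
# lists the two VpnGatePlugin DLLs as Unsigned, so expect exactly those here and no more.
"== Install directory =="
Get-ChildItem -Path $installDir -Recurse -Include *.exe, *.dll, *.sys |
    ForEach-Object { Test-Signer -Path $_.FullName -AllowedSigners '*SoftEther*' } |
    Where-Object Flag | Format-Table Status, Signer, Path -AutoSize

# In memory: the service's module list should be SoftEther plus Windows DLLs. System DLLs
# are mostly catalog-signed; Get-AuthenticodeSignature resolves catalog signatures on
# Windows 10, so they come back Valid with a Microsoft subject.
$svcPid  = (Get-CimInstance Win32_Service -Filter "Name='SEVPNCLIENT'").ProcessId
$modules = (Get-Process -Id $svcPid).Modules | ForEach-Object FileName | Sort-Object -Unique
"== Modules loaded in PID $svcPid ($($modules.Count) total) =="
$modules |
    ForEach-Object { Test-Signer -Path $_ -AllowedSigners '*SoftEther*', '*Microsoft*' } |
    Where-Object Flag | Format-Table Status, Signer, Path -AutoSize
```

Any module that is flagged and does not match the known-unsigned plugin DLLs from the sigcheck is the item to investigate; reflectively injected code that never touches disk will not appear in the module list, which is the limit of this check.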
-
- Posts: 12
- Joined: Thu Jun 13, 2024 2:49 pm
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
If the software is actually fine then there's probably rogue VPN servers among the list. Because it still doesn't make sense to me that a malware would specifically target just SoftEther and not something more "popular". I have not downloaded anything suspicious or visited any weird sites AFAIK.
As for the PC Hunter thing, it showed a "Load driver error" but I ignored it (Google said it doesn't support newer versions of Windows) and proceeded to do the Examination thing you asked. Here's the log:
PC Hunter Standard --- Computer Examination Report
Examination Date: 2024-06-18 18:20
OS Information: Microsoft Windows 10 (build 19045), 64-bit
Internet Explorer: 9.11.19041.0
Examination Items:
Process
Process Modules
Process Threads
Kernel Module
Notify Routine
Filter
DPC Timer
Worker Thread
HalDispatchTable
HalPrivateDispatchTable
HalAcpiDispatchTable
MiniFilter
File System
Sfilter FileSystem Filter Callback
ClassInitData Callback
Npfs Dispatch Fun
Msfs Dispatch Fun
Usbport Dispatch Fun
System Debug
Object Hijack
Direct IO
GDT
SSDT
Shadow SSDT
FSD
Keyboard
I8042prt
Mouclass
Partmgr
Classpnp
Atapi
Acpi
Scsi
Kernel Hook
PTE HOOK
Object Type
IDT
Message Hook
Process Hook
KernelCallbackTable
Port
Tcpip
Ndis Handler
IE Plugin
IE Shell
Spi
Hosts File
Startup
Service
Schedule Task
File Association
IFEO
IME/CTF
Firewall Rule
System User Name
Scan MBR Rootkit
==========================================================================================
Process
==========================================================================================
Process Modules
==========================================================================================
Process Threads
==========================================================================================
Kernel Module
==========================================================================================
Notify Routine
Nothing
==========================================================================================
Filter
==========================================================================================
DPC Timer
==========================================================================================
Worker Thread
==========================================================================================
HalDispatchTable
Nothing
==========================================================================================
HalPrivateDispatchTable
Nothing
==========================================================================================
HalAcpiDispatchTable
Nothing
==========================================================================================
MiniFilter
Nothing
==========================================================================================
File System
Nothing
==========================================================================================
Sfilter FileSystem Filter Callback
Nothing
==========================================================================================
ClassInitData Callback
Nothing
==========================================================================================
Npfs Dispatch Fun
Nothing
==========================================================================================
Msfs Dispatch Fun
Nothing
==========================================================================================
Usbport Dispatch Fun
Nothing
==========================================================================================
System Debug
Nothing
==========================================================================================
Object Hijack
Nothing
==========================================================================================
Direct IO
==========================================================================================
GDT
Nothing
==========================================================================================
SSDT
Nothing
==========================================================================================
Shadow SSDT
Nothing
==========================================================================================
FSD
Nothing
==========================================================================================
Keyboard
Nothing
==========================================================================================
I8042prt
Nothing
==========================================================================================
Mouclass
Nothing
==========================================================================================
Partmgr
Nothing
==========================================================================================
Classpnp
Nothing
==========================================================================================
Atapi
Nothing
==========================================================================================
Acpi
Nothing
==========================================================================================
Scsi
Nothing
==========================================================================================
Kernel Hook
Nothing
==========================================================================================
PTE HOOK
Nothing
==========================================================================================
Object Type
Nothing
==========================================================================================
IDT
Nothing
==========================================================================================
Message Hook
Nothing
==========================================================================================
Process Hook
Nothing
==========================================================================================
KernelCallbackTable
Nothing
==========================================================================================
Port
Nothing
==========================================================================================
Tcpip
Nothing
==========================================================================================
Ndis Handler
Nothing
==========================================================================================
IE Plugin
Nothing
==========================================================================================
IE Shell
Nothing
==========================================================================================
Spi
Nothing
==========================================================================================
Hosts File
Nothing
==========================================================================================
Startup
Nothing
==========================================================================================
Service
AdobeARMservice *---* Stopped *---* Disabled *---* "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" *---* Adobe Inc. *---* *---*
AGMService *---* Stopped *---* Disabled *---* "C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGMService.exe" *---* Adobe Systems, Incorporated *---* *---*
AGSService *---* Stopped *---* Disabled *---* "C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe" *---* Adobe Systems, Incorporated *---* *---*
AntiCheatExpert Service *---* Stopped *---* Manual *---* "C:\Program Files\AntiCheatExpert\SGuard\x64\SGuardSvc64.exe" -autorun *---* ANTICHEATEXPERT.COM *---* *---*
BEService *---* Stopped *---* Manual *---* "C:\Program Files (x86)\Common Files\BattlEye\BEService.exe" *---* File not found *---* *---*
EasyAntiCheat *---* Stopped *---* Manual *---* "C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe" *---* Epic Games, Inc *---* *---*
EasyAntiCheat_EOS *---* Stopped *---* Manual *---* "C:\Program Files (x86)\EasyAntiCheat_EOS\EasyAntiCheat_EOS.exe" *---* Epic Games, Inc. *---* *---*
FvSvc *---* Stopped *---* Manual *---* "C:\Program Files\NVIDIA Corporation\FrameViewSDK\nvfvsdksvc_x64.exe" -service *---* NVIDIA *---* *---*
GoogleChromeElevationService *---* Stopped *---* Disabled *---* "C:\Program Files (x86)\Google\Chrome\Application\96.0.4664.45\elevation_service.exe" *---* Google LLC *---* *---*
GoogleIMEJaCacheService *---* Started *---* Automatic *---* "C:\Program Files (x86)\Google\Google Japanese Input\GoogleIMEJaCacheService.exe" *---* Google Inc. *---* *---*
gupdate *---* Stopped *---* Disabled *---* "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc *---* Google Inc. *---* *---*
gupdatem *---* Stopped *---* Disabled *---* "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc *---* Google Inc. *---* *---*
MozillaMaintenance *---* Stopped *---* Disabled *---* "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" *---* Mozilla Foundation *---* *---*
nlsvc *---* Stopped *---* Disabled *---* "C:\Program Files\Locktime Software\NetLimiter 4\NLSvc.exe" *---* Locktime Software *---* *---*
npggsvc *---* Stopped *---* Manual *---* C:\WINDOWS\syswow64\GameMon.des -service *---* INCA Internet Co., Ltd. *---* *---*
NvContainerLocalSystem *---* Started *---* Automatic *---* "C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe" -s NvContainerLocalSystem -a -f "C:\ProgramData\NVIDIA Corporation\NVIDIA app\NvContainer\NvContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\NvContainer\plugins\LocalSystem" -r -p 30000 -ert *---* NVIDIA Corporation *---* *---*
NVDisplay.ContainerLocalSystem *---* Started *---* Automatic *---* C:\WINDOWS\syswow64\DriverStore\FileRepository\nvmdig.inf_amd64_23954e33c8a39da4\Display.NvContainer\NVDisplay.Container.exe -s NVDisplay.ContainerLocalSystem -f C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log -l 3 -d C:\WINDOWS\System32\DriverStore\FileRepository\nvmdig.inf_amd64_23954e33c8a39da4\Display.NvContainer\plugins\LocalSystem -r -p 30000 -cfg NVDisplay.ContainerLocalSystem\LocalSystem /ert *---* File not found *---* *---*
ProtonVPN Service *---* Stopped *---* Manual *---* "C:\Program Files\Proton\VPN\v3.2.11\ProtonVPNService.exe" *---* ProtonVPN *---* *---*
ProtonVPN WireGuard *---* Stopped *---* Manual *---* "C:\Program Files\Proton\VPN\v3.2.11\ProtonVPN.WireGuardService.exe" "C:\Program Files\Proton\VPN\v3.2.11\ServiceData\WireGuard\ProtonVPN.conf" *---* ProtonVPN *---* *---*
RunSwUSB *---* Started *---* Automatic *---* C:\Windows\runSW.exe *---* *---* *---*
SEVPNCLIENT *---* Started *---* Automatic *---* "C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe" /service *---* SoftEther VPN Project at University of Tsukuba, Japan. *---* *---*
ssh-agent *---* Stopped *---* Disabled *---* C:\Windows\System32\OpenSSH\ssh-agent.exe *---* File not found *---* *---*
ss_conn_launcher_service *---* Stopped *---* Manual *---* C:\Windows\System32\Samsung\EasySetup\ss_conn_launcher.exe *---* Samsung Electronics Co., Ltd. *---* *---*
ss_conn_service *---* Stopped *---* Manual *---* "C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe" *---* DEVGURU Co., LTD. *---* *---*
ss_conn_service2 *---* Stopped *---* Manual *---* "C:\Program Files\Samsung\USB Drivers\28_ssconn2\conn\ss_conn_service2.exe" *---* DEVGURU Co., LTD. *---* *---*
Steam Client Service *---* Stopped *---* Manual *---* "C:\Program Files (x86)\Common Files\Steam\steamservice.exe" /RunAsService *---* Valve Corporation *---* *---*
ucldr_PSO2_JP *---* Stopped *---* Manual *---* "C:\Program Files\Common Files\Wellbia.com\ucldr_PSO2_JP.exe" *---* Wellbia.com Co., Ltd. *---* *---*
vgc *---* Stopped *---* Manual *---* "C:\Program Files\Riot Vanguard\vgc.exe" *---* Riot Games, Inc. *---* *---*
==========================================================================================
Schedule Task
BackgroundDownload *---* \Microsoft\VisualStudio\Updates\BackgroundDownload *---* C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe *---* *---* Disable *---* Microsoft
FODCleanupTask *---* \Microsoft\Windows\HelloFace\FODCleanupTask *---* C:\Windows\System32\WinBioPlugIns\FaceFodUninstaller.exe *---* *---* Enable *---* File not found
GatherNetworkInfo *---* \Microsoft\Windows\NetTrace\GatherNetworkInfo *---* C:\Windows\System32\gatherNetworkInfo.vbs *---* Network information collector *---* Enable *---* File not found
Firefox Default Browser Agent 308046B0AF4A39CB *---* \Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB *---* C:\Program Files\Mozilla Firefox\default-browser-agent.exe *---* The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspicious circumstances, it will prompt users to change back to Firefox no more than two times. This task is installed automatically by Firefox, and is reinstalled when Firefox updates. To disable this task, update the “default-browser-agent.enabled” preference on the about:config page or the Firefox enterprise policy setting “DisableDefaultBrowserAgent”. *---* Enable *---* Mozilla Foundation
BlueStacksHelper_nxt *---* \BlueStacksHelper_nxt *---* C:\Program Files\BlueStacks_nxt\BlueStacksHelper.exe *---* BlueStacks Helper *---* Enable *---* File not found
GoogleUpdateTaskMachineCore *---* \GoogleUpdateTaskMachineCore *---* C:\Program Files (x86)\Google\Update\GoogleUpdate.exe *---* Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it. *---* Disable *---* Google Inc.
GoogleUpdateTaskMachineUA *---* \GoogleUpdateTaskMachineUA *---* C:\Program Files (x86)\Google\Update\GoogleUpdate.exe *---* Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it. *---* Disable *---* Google Inc.
MSIAfterburner *---* \MSIAfterburner *---* C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe *---* *---* Enable *---* File not found
MSISW_Host *---* \MSISW_Host *---* C:\Windows\SysWOW64\muachost.exe *---* MSI Software Host *---* Enable *---* MSI
NVIDIA App SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} *---* \NVIDIA App SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} *---* C:\Program Files\NVIDIA Corporation\NVIDIA app\CEF\NVIDIA App.exe *---* *---* Enable *---* NVIDIA Corporation
==========================================================================================
File Association
Nothing
==========================================================================================
IFEO
Nothing
==========================================================================================
IME/CTF
Nothing
==========================================================================================
Firewall Rule
Nothing
==========================================================================================
System User Name
Nothing
==========================================================================================
Scan MBR Rootkit
Nothing
-
- Posts: 1589
- Joined: Sun Feb 14, 2021 10:31 am
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
According to your earlier logs there is no VPN Gate connection active while the vpnclient_x64 process is transmitting vast amounts of data. SoftEther is an easy target for malware process injection due to being open source.
Unfortunately PC Hunter without the driver is useless, but its basic service list logs one item of interest:
RunSwUSB *---* Started *---* Automatic *---* C:\Windows\runSW.exe *---* *---* *---*
This thing has no product signature and runs in the system folder! Search suggests that it's from Realtek, but why no Realtek signature? Do investigate it. Also try alternative AV scanners.
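The signature check that this post asks for, as an added example (not code from the thread, from PC Hunter or from SoftEther): it walks every Windows service, reduces the service command line to its executable and asks Windows itself for the Authenticode status and signer. Unlike Explorer's Properties tab, which only shows embedded signatures, Get-AuthenticodeSignature also consults the Windows catalog, so a catalog-signed OEM file and a genuinely unsigned file are told apart. The install paths and the runSW.exe name are taken from the thread; everything else (function name, filter rules) is an assumption for illustration.

```powershell
# Added example (not from the thread or from PC Hunter/SoftEther):
# list every Windows service with the Authenticode status and signer of its
# binary, so an entry like "RunSwUSB -> C:\Windows\runSW.exe" can be checked
# without trusting what a third-party tool's "product signature" column says.
# Assumed: Windows 10, elevated PowerShell 5.1.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName is the whole command line, e.g.
    #   "C:\Program Files\Foo\foo.exe" -service   or   C:\Windows\runSW.exe
    # Keep only the executable, then expand %SystemRoot%-style variables.
    if ($PathName -match '^\s*"(?<exe>[^"]+)"') {
        $exe = $Matches.exe
    } elseif ($PathName -match '^\s*(?<exe>.+?\.exe)') {
        $exe = $Matches.exe
    } else {
        $exe = $PathName.Trim()
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceBinaryPath -PathName $svc.PathName
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $status = 'FileMissing'; $signer = ''
    } else {
        # Checks embedded signatures and the Windows catalog. Status is one of
        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        $sig    = Get-AuthenticodeSignature -LiteralPath $exe
        $status = $sig.Status.ToString()
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
    [pscustomobject]@{
        Service   = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Path      = $exe
        Signature = $status
        Signer    = $signer
    }
}

# Look first at anything that is not Valid, and at non-Microsoft binaries that
# live directly under C:\Windows (the runSW.exe case from the thread).
$report |
    Where-Object {
        $_.Signature -ne 'Valid' -or
        ($_.Path -like 'C:\Windows\*' -and $_.Signer -notlike '*Microsoft*')
    } |
    Sort-Object Signature, Path |
    Format-Table -AutoSize

# Hash the suspicious file so it can be looked up elsewhere or compared with
# the copy shipped in the vendor's driver package.
Get-FileHash -LiteralPath 'C:\Windows\runSW.exe' -Algorithm SHA256 -ErrorAction SilentlyContinue
```

A Valid status with a Realtek subject is consistent with what the next post reports from the Properties tab; a NotSigned or HashMismatch result on a file in C:\Windows is what would justify the "investigate it" advice.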
-
- Posts: 12
- Joined: Thu Jun 13, 2024 2:49 pm
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
solo wrote: ↑Tue Jun 18, 2024 11:21 am
According to your earlier logs there is no VPN Gate connection active while the vpnclient_x64 process is transmitting vast amounts of data. SoftEther is an easy target for malware process injection due to being open source.
Unfortunately PC Hunter without the driver is useless, but its basic service list logs one item of interest:
RunSwUSB *---* Started *---* Automatic *---* C:\Windows\runSW.exe *---* *---* *---*
This thing has no product signature and runs in the system folder! Search suggests that it's from Realtek, but why no Realtek signature? Do investigate it. Also try alternative AV scanners.

I checked and it does have a digital signature signed by Realtek when I clicked to view its properties. I tried to disable the service, then enable the SoftEther service again, but it changed nothing. I will try to remove this and run the VPN again and see how it goes. Do you have any AV scanner recommendations? I will try to use that; if nothing works then I guess I will have to uninstall SoftEther sadly.
Also, not sure if related, but I noticed that Google has been mass banning public VPN addresses, which leads to 403 errors on their sites.
-
- Posts: 1589
- Joined: Sun Feb 14, 2021 10:31 am
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
This will remove only a symptom of an infection. Try https://duckduckgo.com/?q=rootkit+scanner
-
- Posts: 12
- Joined: Thu Jun 13, 2024 2:49 pm
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
solo wrote: ↑Tue Jun 18, 2024 8:32 pm
This will remove only a symptom of an infection. Try https://duckduckgo.com/?q=rootkit+scanner

Alright so I discovered something funny. Apparently my SoftEther folder is 19 GB now lol. Most of it is taken up by massive logs, with some going up to 1 GB. I'm going to upload a smaller one for you to see, it's around 100 MB. I have found that it's connecting to what seem to be advertisement sites, social media, Google APIs and some gaming site (Nexon). The normal uninstallation method doesn't remove these apparently. So I'm doing a thorough cleanup with Revo Uninstaller and will see how it goes. So far Windows Defender (offline, full scan, malicious software remover), Malwarebytes, and BitDefender (full, rescue mode) didn't detect anything; all of them have rootkit scans AFAIK. I'm going for a Hitman Pro scan as a last resort later on.
Here's the log. It's in .log format from "C:\Program Files\SoftEther VPN Client\packet_log\VPNGATE" so it should be safe for you.
https://mega.nz/file/kH0kTR5B#uyGQiKHjf ... d5CBi0k1Xk
-
- Posts: 1589
- Joined: Sun Feb 14, 2021 10:31 am
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
This is a "VPN Gate Relay Service" log!
Why did you do it? Just go: Tools > Switch Operation Mode > VPN Gate Service Settings > Enable the VPN Gate Relay Service and Join the VPN Gate Research as a Volunteer > OFF
Read...
Enable the VPN Gate Relay Service and Join the VPN Gate Research as a Volunteer.
If you check the above checkbox and press OK, the VPN Gate Relay Service will be activated on this computer. As a result, any VPN Gate Client will be able to communicate towards the Internet via the VPN Gate Relay Service. It is secure even if your computer is on a private network (e.g. a corporate network) because accesses to private IP addresses will not be permitted to pass via the VPN Gate Relay Service.
This will activate the VPN Gate Relay Service function.
After the VPN Gate Relay Service is enabled and you are participating in the VPN Gate experiment as a volunteer, the VPN Gate Relay Service will relay VPN communications and packets from any VPN Gate clients via the Internet. Therefore, the source IP address of the communication via a VPN tunnel will be replaced with the IP address of the computer running the VPN Gate Relay Service. Since VPN communications are encrypted, the communication between the VPN client and the VPN Gate Relay Service will be able to avoid censorship by government censorship firewalls. The VPN Gate Relay Service runs as a Windows background program, even before the user logs on.
It is assumed that users will use VPN Gate primarily to circumvent censorship; the VPN Gate Relay Service records VPN connection logs and packet logs; note that unlike Tor, VPN Gate has no anonymizing effect.
Running the VPN Gate Relay Service and offering it to other VPN Gate users over the Internet has the same technical effect as running public WiFi at airports, town squares, or other public spaces. As public WiFi also saves communication logs, the VPN Gate Relay Service does save communication logs. They are stored on the disk of the computer running the VPN Gate Relay Service. Both administrators of VPN Gate Relay Services and VPN users may encounter legal problems as a result of their communications through the VPN Gate Relay Service. In this case, it may be necessary for the administrator of the VPN Gate Relay Service to disclose the communication logs to the police, courts, lawyers, etc. If the administrator is requested or ordered to disclose the logs in accordance with the applicable laws, the administrator is obligated to cooperate lawfully in order to maintain the public safety of the Internet. Please understand the above before activating the VPN Gate Relay Service.
The VPN Gate Relay Service function must be activated at your own risk.
Some countries prohibit the use of encrypted VPNs by law.
For more details about the VPN Gate Relay Service please visit http://www.vpngate.net/en/join.aspx.
The VPN Gate Academic Experiment Service is operated as a research project at the graduate school of the University of Tsukuba, Japan. The service is governed by Japanese law. Other countries' laws are neither our concern nor our responsibility.
By nature, there are almost 200 countries in the world, with different laws. It is impossible to verify every country's laws and regulations and make the software comply with all countries' laws in advance of releasing the software. If a user uses the VPN Gate service in a specific country and is damaged by public servants of the authority, the developer of either the service or the software will never be liable to recover or compensate such damages or criminal responsibilities. By using this software and service, the user must observe all concerned laws and rules on the user's own responsibility. The user will be completely liable for any damages and responsibilities which result from using this software and service, regardless of whether inside or outside Japan's territory. The VPN Gate Relay Service will be installed on your computer as a system service. System services always run in the background. After you terminate these management GUI tools, this system service will continue to run in the background. System services consume CPU time, computer power, memory and disk space. If you do not agree with or understand the above warnings, do not use any of the VPN Gate Academic Experiment Service functions.
Case closed, LOL
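Two things in this diagnosis are observable from outside SoftEther without opening its settings: a VPN Gate relay is a VPN server running inside the client, so vpnclient_x64 will hold inbound (listening and established) sockets while the user's own VPN connection is down, and it writes server-side packet logs under packet_log, which is where the thread's 19 GB went. The following is an added example (not code from the thread or from the SoftEther project) that checks both; the install path, process name and packet_log\VPNGATE folder come from the thread, while the function names and the "many peers plus Listen sockets means relay" reading are assumptions for illustration.

```powershell
# Added example (not from the thread or from SoftEther): triage a SoftEther VPN
# Client that is busy on the network while no VPN connection of your own is up.
# Assumed: default install path from the thread, Windows 10, elevated PowerShell.

$base = 'C:\Program Files\SoftEther VPN Client'

function Get-VpnClientSockets {
    # TCP connections owned by vpnclient_x64.exe, grouped by state and peer.
    # A plain client shows a handful of Established peers at most; Listen
    # sockets plus dozens of Established peers is a server accepting clients,
    # i.e. the relay.
    $ids = (Get-Process -Name vpnclient_x64 -ErrorAction SilentlyContinue).Id
    if (-not $ids) { return }
    Get-NetTCPConnection -OwningProcess $ids -ErrorAction SilentlyContinue |
        Group-Object State, RemoteAddress |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'State, Peer'; e = { $_.Name } }
}

function Get-VpnLogUsage {
    # Size and freshness of each packet_log\<hub> folder. The thread's VPNGATE
    # folder had single files around 1 GB; a folder that keeps growing while you
    # are disconnected is traffic being relayed for other people.
    $logRoot = Join-Path $base 'packet_log'
    if (-not (Test-Path -LiteralPath $logRoot)) { return }
    Get-ChildItem -LiteralPath $logRoot -Directory | ForEach-Object {
        $files = Get-ChildItem -LiteralPath $_.FullName -File -Recurse
        $bytes = ($files | Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{
            Folder = $_.Name
            Files  = $files.Count
            SizeGB = [math]::Round($bytes / 1GB, 2)
            Newest = ($files | Sort-Object LastWriteTime -Descending |
                      Select-Object -First 1).LastWriteTime
        }
    }
}

'== TCP sockets owned by vpnclient_x64 =='
Get-VpnClientSockets | Format-Table -AutoSize
'== packet_log usage =='
Get-VpnLogUsage | Format-Table -AutoSize

# If the relay is on and unwanted, switch it off in the GUI as the post says:
# Tools > Switch Operation Mode > VPN Gate Service Settings > untick
# "Enable the VPN Gate Relay Service and Join the VPN Gate Research as a Volunteer",
# then re-run this script: the Listen sockets should be gone and the VPNGATE
# folder should stop growing (the old logs must be deleted by hand).
```

Run it once before and once after disabling the relay; the difference in the socket table is the confirmation that the bandwidth was the relay and not an injected process, which is the question the earlier posts were trying to settle with AV scans.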
-
- Posts: 12
- Joined: Thu Jun 13, 2024 2:49 pm
Re: Why is the Softether VPN Client process/service using so much bandwidth when not connected to anything?
solo wrote: ↑Wed Jun 19, 2024 7:43 pm
This is a "VPN Gate Relay Service" log!
Why did you do it? Just go: Tools > Switch Operation Mode > VPN Gate Service Settings > Enable the VPN Gate Relay Service and Join the VPN Gate Research as a Volunteer > OFF
Case closed, LOL

Now this is awkward, because I cleaned it with Revo Uninstaller, reinstalled the latest version and did not tick the box, and yeah, it's fixed lol. It's probably ticked by default on the older version or something. Does activating it mean I just turned myself into a VPN server?
Anyway thanks a lot for the help and follow-up you provided, really appreciate it.