jaclaz Posted July 14, 2015

I don't know, maybe I am too simple minded, but what would you think if you found a file:

<drive letter>\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6To_60S7K_FU06yjEhjh5dpFw96549UU\scout.exe

And after deleting it, it comes back at next boot? Unless of course some sophisticated techniques were used to make *somehow* the file super-hidden: http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/

jaclaz
CamTron Posted July 15, 2015

There are many ways in which a program can replace a deleted file. There's probably something running at startup that regenerates that file. In addition to the startup folder in the start menu, everything in the HKEY_LOCAL_MACHINE (and HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run registry key (there may be more keys), and things that are set to run via scheduled tasks, will execute on startup. You could also have a virus in one of your system files that executes code when the system starts up. IMHO, any program that refuses to be removed from the startup folder is a piece of malware.
Mcinwwl Posted July 15, 2015

Same here; to me it also looks like a PUP element or some other sort of malware.
Yzöwl Posted July 19, 2015

The only legitimate files I'd like to see located there would be of the type *.lnk or *.url, not executables. Along the lines of the previous response, I'd prefer to rename the startup folder and create a file with the name startup whilst I try to locate the rogue process(es).
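The two posts above name the usual places a file-regenerating autostart hides (Startup folders, the Run/RunOnce keys, scheduled tasks) and the rule of thumb that a Startup folder should only hold .lnk/.url shortcuts. The script below is an added example, not code from the thread or from any of the posters, that walks those locations on the suspect machine and flags entries that break those rules: a non-shortcut file under a Startup folder, or an autorun/task/shortcut target that launches from a user-writable path such as AppData or Temp. It assumes PowerShell 3 or later; the scheduled-task part assumes Windows 8 / Server 2012 or newer (Get-ScheduledTask), and the path patterns it treats as suspicious are an assumption of the example, not a complete list.

```powershell
# Added example (not from the thread): enumerate common autostart locations and
# flag entries that match the suspicious patterns the posters describe.
# Run in an elevated PowerShell so HKLM and all task folders are readable.

$findings = New-Object System.Collections.Generic.List[object]
$userWritable = '(?i)\\AppData\\|\\Temp\\|\\Users\\Public\\'   # assumed heuristic
$shell = New-Object -ComObject WScript.Shell                   # used to resolve .lnk targets

function Add-Finding([string]$Source, [string]$Name, [string]$Target, [bool]$Suspicious, [string]$Note) {
    $findings.Add([pscustomobject]@{
        Source = $Source; Name = $Name; Target = $Target; Suspicious = $Suspicious; Note = $Note
    })
}

# 1. Startup folders (per-user and all-users). Only .lnk / .url belong here;
#    a file of any other type, especially inside a random-looking subfolder, is flagged.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    [Environment]::GetFolderPath('CommonStartup')   # %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force also lists hidden/system files, which is how a "super-hidden" dropper would try to avoid the eye
    foreach ($f in Get-ChildItem -LiteralPath $dir -Recurse -Force -File) {
        $target = $f.FullName
        $note = ''
        if ($f.Extension -eq '.lnk') {
            $target = $shell.CreateShortcut($f.FullName).TargetPath
            if ($target -match $userWritable) { $note = 'shortcut points into a user-writable path' }
        } elseif ($f.Extension -ne '.url') {
            $note = 'non-shortcut file in Startup folder'
        }
        Add-Finding 'StartupFolder' $f.FullName $target ($note -ne '') $note
    }
}

# 2. Run / RunOnce keys for machine and current user (plus the 32-bit view on x64).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip the registry provider's own metadata
        $cmd = [string]$p.Value
        $bad = $cmd -match $userWritable
        Add-Finding $key $p.Name $cmd $bad ($(if ($bad) { 'autorun launches from a user-writable path' } else { '' }))
    }
}

# 3. Scheduled tasks: inspect what each exec action actually runs.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }           # COM-handler actions have no Execute member
            $cmd = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
            $bad = $cmd -match $userWritable
            Add-Finding 'ScheduledTask' ("{0}{1}" -f $task.TaskPath, $task.TaskName) $cmd $bad `
                ($(if ($bad) { 'task runs from a user-writable path' } else { '' }))
        }
    }
} else {
    Write-Warning 'Get-ScheduledTask not available; use: schtasks.exe /query /v /fo csv'
}

# Suspicious entries first; this is a starting list to investigate, not a verdict.
$findings | Sort-Object Suspicious -Descending | Format-Table Source, Name, Target, Note -AutoSize -Wrap
```

Services and drivers (HKLM\SYSTEM\CurrentControlSet\Services) and Winlogon/shell hooks are further autostart points the thread alludes to but this example does not cover; a tool such as Sysinternals Autoruns enumerates all of them.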
Techie007 Posted July 25, 2015

If I saw a file with a name like that in that folder, I'd be all over it. Reeks like a virus! I wouldn't settle until it was gone for good. Hiding that file by subverting the file system (i.e. a rootkit) would just make it stand out more to me. If it kept coming back, that would just tell me that there's more (probably a rogue driver/service or scheduled task) hidden somewhere. But then, I remove stuff like this from computers all the time, so go figure.

Edited July 25, 2015 by Techie007
jaclaz (Author) Posted July 25, 2015

Quoting Techie007: "If I saw a file with a name like that in that folder, I'd be all over it."

Yep, that was exactly the point. Whilst adding NTFS read/write capabilities to UEFI is IMHO a nice trick, one cannot really-really call "<drive letter>\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6To_60S7K_FU06yjEhjh5dpFw96549UU\scout.exe" either "sophisticated", "smart" or "inconspicuous".

jaclaz
Drugwash Posted July 28, 2015

Sounds similar to the old PhoenixNet trick that raised the whole Internet community back then. Personally I'd rather swallow an angry porcupine than use a UEFI BIOS machine.

On another note, and slightly related to the AV company linked to in the first post: how does it sound when, following an on-demand scan with both Sysclean and RootkitBuster which found nothing, one suddenly finds an apparently Dr.Watson-related executable installed in the Common files\System folder and running, plus a hidden running CMD window that launched a hidden download and install of .NET 4.0 without asking the user's consent and with no notification whatsoever, besides silently enabling Windows Update (previously disabled by the user), which already tried to install a handful of updates (which were already present on the system)? I should be the most stupid person on Earth if I ever run an antivirus (especially from TrendMicro) on any of my systems unless it's built by me and I know what it's doing.