
Seems legit.


jaclaz


I don't know, maybe I am too simple minded, but what would you think if you found a file:

<drive letter>\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6To_60S7K_FU06yjEhjh5dpFw96549UU\scout.exe


And after deleting it, it comes back at next boot? :unsure:


Unless of course some sophisticated techniques were used to make *somehow* the file super-hidden:

http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/


jaclaz



There are many ways in which a program can replace a deleted file. There's probably something running at startup that regenerates that file. In addition to the startup folder in the start menu, everything in the HKEY_LOCAL_MACHINE (and HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run registry key (there may be more keys), and things that are set to run via scheduled tasks, will execute on startup. You could also have a virus in one of your system files that executes code when the system starts up. IMHO, any program that refuses to be removed from the startup folder is a piece of malware.


The only legitimate files I'd like to see located there would be of the type *.lnk or *.url, not executables.


Along the lines of the previous response, I'd prefer to rename the startup folder and create a file with the name startup whilst I try to locate the rogue process(es).

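A defender-side audit of the autostart locations named in the two replies above (Startup folders, Run/RunOnce keys, logon/boot scheduled tasks) that applies the "only .lnk/.url belong in Startup" rule. This is an added example, not code posted in the thread; the REVIEW heuristic for Run keys and tasks (commands pointing into a Startup or AppData path) and the helper name Add-Finding are my own assumptions, and Windows PowerShell 5.1 or newer is assumed.

```powershell
# Added example (not from the thread). Enumerates Startup folders, Run/RunOnce keys and
# logon/boot scheduled tasks, flagging non-shortcut files in Startup. Run elevated to see
# every profile and every task. Add-Finding and the REVIEW heuristic are assumptions.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Source, $Name, $Command, $Flag) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; Flag = $Flag })
}

# 1. Startup folders: current user, all users, and every profile under \Users.
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
$startupDirs += @(Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
foreach ($dir in ($startupDirs | Sort-Object -Unique)) {
    if ([string]::IsNullOrEmpty($dir) -or -not (Test-Path -LiteralPath $dir)) { continue }
    # -Force lists hidden/system files; -Recurse also shows a subfolder like the one in the first post.
    Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $flag = if ($_.Extension -in '.lnk', '.url') { '' } else { 'NON-SHORTCUT IN STARTUP' }
        Add-Finding 'StartupFolder' $_.Name $_.FullName $flag
    }
}

# 2. Run / RunOnce keys (machine, 32-bit view on 64-bit Windows, and current user).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        # Commands launching from a Startup folder or a user-writable AppData path deserve a look.
        $flag = if ("$($p.Value)" -match '\\Startup\\|\\AppData\\') { 'REVIEW' } else { '' }
        Add-Finding $key $p.Name $p.Value $flag
    }
}

# 3. Scheduled tasks with a logon or boot trigger; these can recreate a deleted file each start.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $atStart = $task.Triggers | Where-Object { $_.CimClass.CimClassName -in 'MSFT_TaskLogonTrigger', 'MSFT_TaskBootTrigger' }
    if (-not $atStart) { return }
    $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $flag = if ($cmd -match '\\Startup\\|\\AppData\\') { 'REVIEW' } else { '' }
    Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd $flag
}

$findings | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Flagged rows are starting points for a manual look, not verdicts; a Run entry or task that points at the offending file explains why it returns after deletion.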

    If I saw a file with a name like that in that folder, I'd be all over it.  Reeks like a virus!  I wouldn't settle until it was gone for good.  Hiding that file by subverting the file system (i.e. rootkit) would just make it stand out more to me.  If it kept coming back, that would just tell me that there's more (probably a rogue driver/service or scheduled task) hidden somewhere.  But then, I remove stuff like this from computers all the time, so go figure. :angel

Edited by Techie007

    If I saw a file with a name like that in that folder, I'd be all over it.  

Yep :) that was exactly the point :yes: whilst adding to the UEFI NTFS read/write capabilities is IMHO a nice trick, one cannot really-really call the "<drive letter>\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6To_60S7K_FU06yjEhjh5dpFw96549UU\scout.exe" either "sophisticated", "smart" or "inconspicuous". ;)


jaclaz


Sounds similar to the old PhoenixNet trick that raised the whole Internet community back then.


Personally I'd rather swallow an angry porcupine than use a UEFI BIOS machine.


On another note, and slightly related to the AV company linked to in the first post: how does it sound when, following an on-demand scan with both Sysclean and RootkitBuster which found nothing, one suddenly finds an apparently Dr.Watson-related executable installed in the Common files\System folder and running, plus a hidden running CMD window that launched a hidden download and install of .NET 4.0 without asking the user's consent and with no notification whatsoever, besides silently enabling Windows Update (previously disabled by the user), which already tried to install a handful of updates (which were already present on the system)?


I should be the most stupid person on Earth if I ever run an antivirus (especially from TrendMicro) on any of my systems unless it's built by me and I know what it's doing. :angrym:
