Hi, I have observed these malware files in BootExecute for several years on my computers and there is nothing I can do to prevent them, even with top security software like UnHackme, OSArmor and ESET antivirus. The files will normally not show up; they only do if I use UnHackme to modify the BootExecute registry value. After that I start to refresh scanning with Autoruns from Comodo. After the refresh the files appear. I cannot disable this autorun, I can only delete them, but the malware files are back. Like I said, there is nothing I can do and I could not prevent them. The developer of UnHackme said this is trash in the registry but it's clearly not. These are real files and some have text in the Chinese language and I think the malware is making fun of security software! What is your opinion about these files? See the attachments! Thank you so much!
Of note is that Administrator and above levels have full control over this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

For starters, make sure you have UAC set to the maximum level. Next, check the permissions for the registry key for any suspicious entries. Do likewise for this key, HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager, since anything in ControlSet001 is copied to CurrentControlSet at boot time.

Finally, verify in Session Manager that the BootExecute value only contains "autocheck autochk *" and the BootShell value contains "%SystemRoot%\system32\bootim.exe", assuming you're running Win 10. Also the SETUPEXECUTE value should be blank. Make sure you verify these values in both ControlSet001 and CurrentControlSet.
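The value and permission checks described in the post above, as an added PowerShell example that is not part of the thread (run from an elevated PowerShell; the expected values are the ones the post states for Win 10, and the list of principals treated as normal holders of write access on the key is an assumption, not something the post specifies):

```powershell
# Added example, not from the thread: read-only audit of the Session Manager
# values and key permissions in both control sets. Nothing is modified.

# Expected values as stated in the post (Win 10). Adjust for other builds.
$expected = @{
    BootExecute  = @('autocheck autochk *')            # REG_MULTI_SZ
    BootShell    = @('%SystemRoot%\system32\bootim.exe') # REG_SZ
    SetupExecute = @()                                  # should be blank
}

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',
    'HKLM:\SYSTEM\ControlSet001\Control\Session Manager'
)

# Assumption: these principals normally hold write access on the key. Any other
# principal with write-class rights is flagged for a closer look.
$knownPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
)

# Rights that allow changing the key or its values (FullControl includes all of them)
$writeMask = [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete,ChangePermissions,TakeOwnership'

function Test-SessionManagerKey {
    param([string]$Key)
    Write-Host "== $Key"
    if (-not (Test-Path $Key)) { Write-Warning "key not found: $Key"; return }
    $item = Get-ItemProperty -Path $Key

    foreach ($name in $expected.Keys) {
        # Normalise REG_SZ / REG_MULTI_SZ / missing value into one string array
        $actual = @($item.$name | Where-Object { $_ -ne $null -and $_ -ne '' })
        $want   = @($expected[$name])
        $ok     = (($actual -join "`n") -eq ($want -join "`n"))
        $status = if ($ok) { 'OK' } else { 'UNEXPECTED' }
        Write-Host ("  {0,-13} {1,-10} {2}" -f $name, $status, ($actual -join ' | '))
    }

    # Report who can write to the key beyond the principals listed above
    $acl = Get-Acl -Path $Key
    foreach ($ace in $acl.Access) {
        $canWrite = (($ace.RegistryRights -band $writeMask) -ne 0)
        if ($canWrite -and $ace.AccessControlType -eq 'Allow' -and
            $knownPrincipals -notcontains $ace.IdentityReference.Value) {
            Write-Warning ("  write access for unexpected principal: {0} ({1})" -f
                $ace.IdentityReference.Value, $ace.RegistryRights)
        }
    }
}

foreach ($k in $keys) { Test-SessionManagerKey -Key $k }
```

Any line reported as UNEXPECTED, or any warning about an unfamiliar principal with write rights, is the starting point for the permission review the post suggests; the script itself only reads the registry.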
Interesting: in picture 3 it has a filename rdpclip.exe, which is for copy-pasting to a remote computer via Terminal Services. Looks like the filename is an abbreviation for RemoteDesktoP Clip.
Sorry, but I have messed up my system. Anyway, there was no important info on that machine, just a test PC for OSArmor. Could you please explain step by step what to do for my future installation? I had no restore points, sorry. Even if I reformat that PC again I am sure that the files will be back soon. Thanks.
How do you think you got infected? Were you testing malware on your machine, surfing the internet, installing software that might have had a trojan in it, or some other way?
Hard to say, I am no malware tester, nothing special in that PC's usage. It is an Intel Compute Stick with an HDMI connector. But like I said, it's been a long time not detected. I doubt the files can be removed. Once you get a rootkit infection your OS will always lie to you. Also, the RATtrap firewall blocked an outgoing attempt on port 123 destined to Hangzhou, China. But I don't know if that PC triggered that block.
If you reformat that disk and reinstall everything from the original installers, then something is inadequate in your security and also where you are going. Otherwise how can that file come back?
The only way you're going to "get to the bottom of this" is to employ a security solution that can monitor (block) and log what process is modifying the BootExecute reg value. Since you mentioned ESET NOD32, just create block and ask HIPS rules with logging and alert user enabled for the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\*
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\*

Enable the ask rule and disable (uncheck) the block rule when you want to modify values/subordinate reg. keys associated with the above noted keys. Then disable the ask rule and enable the block rule. A block rule is required to catch anything modifying these keys at boot time, since ask rules will auto-allow if not responded to within the default rule response period. Important - only keep the block rule active while diagnosing this problem, since it could block app or system necessary update activities to these reg. keys. Either delete the block/ask rules once the problem has been resolved, or keep the ask rule enabled and the block rule disabled, or delete the block rule.

The HIPS rules are as follows. Remember the following needs to be done twice; once with an "Ask" action and once with a "Block" action:

HIPS rule settings:
Operations affecting - Registry settings: Enabled
Logging severity - Diagnostic
Notify User - Enabled
Source applications - All applications
Registry operations - Modify registry
Registry entries - Specific entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\*
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\*

Click on the Finish button to save the rule. Click on the OK button when exiting each subsequent screen to save your settings.
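The logging half of the approach above, done with Windows' built-in object-access auditing instead of ESET's HIPS, as an added PowerShell example that is not part of the thread. It records which process writes to the two Session Manager keys (event 4657 in the Security log) but, unlike the HIPS block rule the post describes, it does not prevent the write. It assumes an elevated PowerShell and that Administrators hold Full Control on the keys, as the earlier reply states; the `Hours` lookback and the choice of "Everyone" as the audited identity are the example's own choices.

```powershell
# Added example, not from the thread: audit (log, not block) writes to the
# Session Manager keys and list the processes responsible. Run elevated.

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',
    'HKLM:\SYSTEM\ControlSet001\Control\Session Manager'
)

function Enable-SessionManagerAudit {
    # 1. Turn on the Registry subcategory of Object Access auditing.
    auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

    # 2. Add a SACL entry to each key so any write-class access by anyone is
    #    logged. Writing a SACL needs SeSecurityPrivilege (elevated admin).
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete,ChangePermissions,TakeOwnership'
    foreach ($key in $keys) {
        $acl  = Get-Acl -Path $key -Audit
        $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
            'Everyone', $rights,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
            [System.Security.AccessControl.PropagationFlags]'None',
            [System.Security.AccessControl.AuditFlags]'Success,Failure')
        $acl.AddAuditRule($rule)
        Set-Acl -Path $key -AclObject $acl
    }
}

function Get-SessionManagerWrites {
    param([int]$Hours = 24)
    # Event 4657 = "A registry value was modified". Keep only events whose
    # object path is under Session Manager and surface the writing process.
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -like '*\Control\Session Manager*') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Process   = $d.ProcessName
                PID       = $d.ProcessId
                Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Value     = $d.ObjectValueName
                Operation = $d.OperationType
                OldValue  = $d.OldValue
                NewValue  = $d.NewValue
            }
        }
    }
}

Enable-SessionManagerAudit
Get-SessionManagerWrites -Hours 24 | Format-Table -AutoSize
```

Because 4657 is only raised when a value actually changes, an entry with a ProcessName you do not recognise, or a NewValue for BootExecute other than "autocheck autochk *", is exactly the evidence the post says you need before deciding what to remove. The SACL and audit policy can be left in place; they only add log volume on these two keys.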
I will also add that this type of activity can also be traced back to a malicious device driver. A few years back, I had a similar incident. I was running Win 7 at the time and was desperate for a fix for the Realtek network adapter problems I was having at the time. I went to their Taiwanese web site and was rummaging around on their site. Found something that looked good but only available via FTP download. A very bad move on my part. If the "culprit" is a malicious kernel mode device driver, which is a likely possibility if you're running a pre-Win 8.1 OS, nothing is going to help other than finding and removing that driver. A clean OS install might be the easiest option. Make sure you use a bootable hard drive "wipe" utility prior to reinstalling the OS, or replace the hard drive. If the issue persists after a clean OS install and the hard drive was not replaced, then you can assume it is device firmware related; possibly within the hard drive itself. Also, if your PC is a Lenovo, they are notorious for installing "embedded" utilities that are nothing more than backdoors.