Do you remember the 1st windows update after Win11?

Discussion in 'other security issues & news' started by lunarlander, Jan 5, 2022.

  1. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Hi,

    Do you remember the 1st Windows Update that you did after Windows 11 was installed? During the update, my Settings > Windows Update window suddenly closed. If it happened to you too, then that tells me not to worry, nothing nefarious happened.

    (My Windows 11 is the publicly available one, not a preview)
     
  2. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    That didn't happen for me, but it certainly does not mean that anything nefarious happened in your case. It's most likely just a bug due to Windows 11 being a new operating system. When things go wrong, it is extremely rare for anything nefarious to be going on.
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,145
    Location:
    USA
    Yeah, the cyber criminals probably write better code. :eek:
     
  4. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    So I restored from a pristine image where I hadn't done Windows Update. Then I did a 2nd Windows Update. It closed my Settings > Windows Update window 3 times. And VoodooShield reported 2 bad batch files during the update process. And when the update finished, I clicked on the Control Panel shortcut on the desktop and it took 1 min to start, and showed some unknown parameter used. Also I went to the folder where VoodooShield found the bad batch files and the folder was empty. Why would a driver installer remove its own batch files? Only malicious software would do that.

    I didn't get the 2 bad batch file warnings from Voodoo the first time because I probably OK'd it with ReHIPS. It was displaying too many alerts to be useful, so I didn't run ReHIPS in the 2nd Windows Update run.

    So, not satisfied with the differences, I restored from the pristine image again. Thinking the closing of the Settings > Windows Update window was caused by driver installs, because I watched the process like a hawk, I used gpedit to forbid Windows Update from doing driver updates.

    I did a 3rd Windows Update. The Settings > Windows Update window closed around the same time when certain installations were done. So I am satisfied with that. And I only got 1 closing of the window. Several drivers were not installed, as instructed in gpedit. I checked the folder where VoodooShield found the malicious bat files during the 2nd run and the folder is empty again. I clicked on Control Panel and it opened right away.

    So here I am. I would like to think everything is alright. But what if the attacker simply cleaned up his attack so that Control Panel opens without that parameter, and made sure her malware is not detectable? And what caused the Control Panel shortcut on the desktop to have that parameter? And what erased the batch files in the folder?
     
    Last edited: Jan 8, 2022
  5. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    It would be helpful to know what the unknown parameter was.
     
  6. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    I remember vaguely that the parameter was a plus sign and a big number (10 digits or so). I pressed it again and it was gone - it was normal again.

    And the disappearing batch files were inside C:\Intel\GfxCPLBatchFiles. The empty folder remains after the Windows Update.
     
    Last edited: Jan 9, 2022
  7. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Yesterday night, I opened Firefox, and it popped up a message saying it is restricted by your administrator. But Firefox opened anyway, probably because ReHIPS was managing it. Now this morning the message doesn't pop up again. Looks like a RAT with a bag of tricks, doesn't it?
     
  8. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    No, it doesn't. It's quite possible that the batch files do usually get removed after the drivers are installed. Regarding the alerts from VoodooShield, it's possible they were false positives. What is the exact message you were getting in Firefox? I've rarely used Firefox, so am not familiar with the admin message you are talking about.

    If you want to check your system for malware, then you could run Norton Power Eraser and Kaspersky Removal Tool, as both are excellent at detecting malware. It won't hurt to run them.
     
  9. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    I don't remember the exact wording just now, but it is the same message that you get when you deny a program using Software Restriction Policy.

    Yes, I concede that the VoodooShield finding can possibly be a false positive.
     
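The thread never gets past guesswork because nobody pulls the evidence the machine already keeps. The script below is an added example, not code from the thread or from any of its posters, and it turns the symptoms from posts 4, 6, 7 and 8 into log queries a defender can actually compare across the three update runs: whether the gpedit driver-exclusion policy is really in force, a timeline that puts Settings-app crashes next to the Windows Update installs they coincided with, the Software Restriction Policy block events behind a "restricted by your administrator" message, a hashed baseline of whatever sits in C:\Intel\GfxCPLBatchFiles (the path from post 6), and the target and arguments of the desktop shortcuts. The registry value names and event IDs are assumptions of mine about standard Windows locations, not anything stated in the thread; the 14-day window is an arbitrary choice. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Evidence checks for the symptoms in posts 4-8.
# Assumed (not stated in the thread): the policy registry values and event IDs below.
$since = (Get-Date).AddDays(-14)   # look back far enough to cover all three update runs

# 1. Is the gpedit setting "Do not include drivers with Windows Updates" actually applied?
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$excl = (Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue).ExcludeWUDriversInQualityUpdate
"Driver updates via Windows Update excluded by policy: $($excl -eq 1)"

# 2. Timeline: Settings app (SystemSettings.exe) crashes beside Windows Update installs.
#    Application Error event 1000 names the faulting module; WindowsUpdateClient 19/20
#    are install success/failure, so a closing window can be matched to an install.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SystemSettings\.exe' } |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'Settings crash'; Detail = ($_.Message -split "`n")[0].Trim() }
    }

$installs = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-WindowsUpdateClient'; Id = 19, 20; StartTime = $since
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Kind = "WU install (event $($_.Id))"; Detail = $_.Message.Trim() }
    }

"`n== Settings crashes and Windows Update installs, oldest first =="
@($crashes) + @($installs) | Sort-Object Time | Format-Table -AutoSize -Wrap

# 3. "Restricted by your administrator" is the Software Restriction Policy message.
#    If SRP is configured, the block is logged in the Application log with the path
#    that was refused (865 default level, 866 path, 867 certificate, 868 zone, 882 hash).
$safer = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' -ErrorAction SilentlyContinue
"`nSRP configured on this machine: $($null -ne $safer)"
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868, 882; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. Baseline the Intel graphics installer's batch folder (path from post 6) with hashes,
#    so the contents after the next update run can be compared instead of remembered.
$bat = 'C:\Intel\GfxCPLBatchFiles'
if (Test-Path $bat) {
    $files = @(Get-ChildItem -Path $bat -File -Recurse -ErrorAction SilentlyContinue)
    "`n$bat exists with $($files.Count) file(s)"
    $files | Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash | Format-Table -AutoSize
} else {
    "`n$bat does not exist"
}

# 5. Desktop shortcuts: record each .lnk target and its arguments, so an unexpected
#    parameter (post 4) is captured verbatim rather than recalled from memory.
$shell = New-Object -ComObject WScript.Shell
"`n== Desktop shortcut targets =="
Get-ChildItem "$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop" -Filter *.lnk -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        [pscustomobject]@{ Shortcut = $_.Name; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
    } | Format-Table -AutoSize
```

Run it once on the pristine image before updating and again after each update run, and diff the two outputs: a Settings crash whose timestamp sits inside an Intel driver install, an empty SRP section, and a batch folder that is empty on every run are the ordinary explanation the thread was circling around. Note that the built-in Control Panel desktop icon is a shell namespace item rather than a .lnk, so step 5 only covers shortcuts that exist as files.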