Jump to content
Login new information ×
Login new information
Donations campaign phase one 2024

Some strange software trying to download and run "Setup.exe" file...

anupam_luv

By anupam_luv
in Software Chat

 Share
Go to solution Solved by anupam_luv,

Recommended Posts

anupam_luv

anupam_luv

Posted
  • Author
Posted

@visshaJust did some risky experiment... The file setup.exe get downloaded to c:\windows\performance which has admin rights to copy any file .... it means there is some file in process which is loaded with admin rights which is trying to download that file...

 

So what I did is, in the Norton history I restored that removed setup.exe file .... Cut it and moved it to another Virtual machine running windows 10 without any antivirus .. I checked its properties ... It is Remote Utilities version 6.10  ... 

 

image.png.7da0a14f9347e66893f6bf41ac20a346.png

 

I extracted this file , it has a fie version.txt which has following content

 

FILEVERSION    6,10,10,0
PRODUCTVERSION 6,10,10,0
FILEFLAGSMASK  0x3F
FILEFLAGS      0x0
FILEOS         VOS_UNKNOWN | VOS__WINDOWS32
FILETYPE       VFT_APP
FILESUBTYPE    0x0
{
  BLOCK "StringFileInfo"
  {
    BLOCK "040904E4"
    {
      VALUE "CompanyName",       "Remote Utilities LLC"
      VALUE "FileDescription",   "Remote Utilities"
      VALUE "FileVersion",       "6.10.10.0"
      VALUE "LegalCopyright",    "Copyright © 2019 Remote Utilities LLC. All rights reserved."
      VALUE "ProgramID",         "com.remoteutilities.SfxExtractor"
      VALUE "ProductName",       "Remote Utilities"
      VALUE "ProductVersion",    "6.10.10.0"
    }
  }
  BLOCK "VarFileInfo"
  {
    VALUE "Translation", 0x409, 1252
  }
}
 

This setup file is same at https://www.remoteutilities.com/download/host6.10.exe  which was renamed as setup.exe ....

Both files has exact same size and content but first one detected as virus and other is clean ... 

I extracted its contents and compared... Both are exactly same bit by bit ...

Now I have to check which program want me to download remote utilities....

  • Israeli_Eagle and vissha
  • Like 2
Link to comment
Share on other sites
  • Replies 29
  • Views 2.8k
  • Created
  • Last Reply

Top Posters In This Topic

  • anupam_luv

    13

  • vissha

    4

  • leapinlizards

    3

  • Israeli_Eagle

    3

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

MrZeb
MrZeb

@anupam_luv It seems your computer needs a deep cleaning! https://giters.com/sausagenoods/bittex-unpacked

anupam_luv
anupam_luv

@visshaJust did some risky experiment... The file setup.exe get downloaded to c:\windows\performance which has admin rights to copy any file .... it means there is some file in process which is loaded

anupam_luv
anupam_luv

Just found in autoruns under services "Remote Utilities-Host" and removing its all traces in file system and registry.... will restart and check if the problems appears again ... 

anupam_luv

anupam_luv

Posted
  • Author
Posted

Just found in autoruns under services "Remote Utilities-Host" and removing its all traces in file system and registry.... will restart and check if the problems appears again ... 

image.thumb.png.51ee7bffc2706cace247f264f895cb26.png

  • Israeli_Eagle and vissha
  • Like 2
Link to comment
Share on other sites
Israeli_Eagle

Israeli_Eagle

Posted
Posted (edited)
3 hours ago, MrZeb said:

 

As I posted the guys at bleepingcomputer can help you cleaning the computer only in very bad cases you have to do a clean install...

 

On that weird bleeping planet any help or tools to clean the registry are not allowed, instead they wanna you to publish your privacy & files history. LMAO... :lmao:

And only super-n00bs would ever reinstall the system.

 

Edited by Israeli_Eagle
Link to comment
Share on other sites
  • Solution
anupam_luv

anupam_luv

Posted
  • Author
  • Solution
Posted

@vissha @MrZeb

Mission accomplished.... removed all traces of "Remote Utilities-Host" from my PC, registry services.... and more interestingly there were some related setup files hidden in C:\Windows\Performance folder which were not only hidden but ther were visible after I unchecked "Hide Protected operating system files" ... means these files were marked as important to run operating system ... thats why the antivirus or antimalware was not even scanning them... cleaned all that clutter and in that process i felt that i might have deleted some genuine windows files , so i reinstalled windows 11 again ....

 

Till now restarted 4-5 times , no "setup.exe" file bothering to run now....  

 

but a strange SecurityCenter.bat file is there in my startup folder... it contains the following command

taskkill /f /im explorer.exe
start explorer.exe
exit /B
 

Dont know why it there ? why would a program want explorer to be restarted on startup? Can I safely delete it?

 

 

Link to comment
Share on other sites
Israeli_Eagle

Israeli_Eagle

Posted
Posted (edited)

If the different explorer.exe is not in the normal folder C:\Windows then you can simply delete it. And also delete that .bat as well.

 

Edited by Israeli_Eagle
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...