Today I've found one very suspicious-looking environment variable:
Quote
COMPLUS_FodPath=c:\no-fod.exe
Deleting it several times did no good - it reappeared every time.
I searched for "COMPLUS_FodPath" but there were only 2 (!!!) results on the whole internet. The most significant one was found here (http://pastebin.com/Tn0qX70e).
It contained the same variable with a different value:
Quote
COMPLUS_FODPATH = C:\FOD_IS_Disabled_By_AC_SHIM.exe
That's a very strange name for a "normal" executable.
What does "FOD" mean?
Foreign object damage (http://en.wikipedia.org/wiki/Foreign_object_damage) or one of those meanings (http://www.urbandictionary.com/define.php?term=FOD&defid=270716) ?
Any ideas?
maybe Feature-On-Demand
let me see what I can find.....
Quote from: dedndave on October 02, 2013, 07:42:27 AM
maybe Feature-On-Demand
let me see what I can find.....
very likely to be
see: Features on Demand in Windows 8 and Windows Server 2012 (http://blogs.technet.com/b/joscon/archive/2012/11/20/features-on-demand-in-windows-8-and-windows-server-2012.aspx)
FOD trojan? (http://www.paretologic.com/resources/definitions.aspx?remove=Fod%20Trojan)
Or launch your debugger and see what c:\no-fod.exe does...
well - you were playing with databases the other day
maybe it's related to Oracle Fusion Order Demo (FOD) schema
http://www.oracle.com/technetwork/testcontent/connection11g-088156.html (http://www.oracle.com/technetwork/testcontent/connection11g-088156.html)
Quote
Some JDeveloper collaterals require the Fusion Order Demo (FOD) schema to exist in the database. To install the schema, perform the following steps:....
perhaps you have something that needs the no-fod.exe file if the schema is not installed - hence the name
Quote from: jj2007 on October 02, 2013, 07:54:37 AM
FOD trojan? (http://www.paretologic.com/resources/definitions.aspx?remove=Fod%20Trojan)
Or launch your debugger and see what c:\no-fod.exe does...
I didn't find the exe with that name on the drive :(
Quote from: dedndave on October 02, 2013, 07:59:23 AM
well - you were playing with databases the other day
maybe it's related to Oracle Fusion Order Demo (FOD) schema
http://www.oracle.com/technetwork/testcontent/connection11g-088156.html (http://www.oracle.com/technetwork/testcontent/connection11g-088156.html)
No, Dave, I didn't play with the Oracle database at all.
Maybe try:
findstr /s "no-fod.exe" c:\*.*
?
Quote from: jj2007 on October 02, 2013, 07:54:37 AM
Or launch your debugger and see what c:\no-fod.exe does...
bad idea for potential malware!
I scanned drive C:\ with MSE.
7 "unwanted" files were found.
MSE froze halfway through the cleaning stage ... but today the strange environment variable is gone.
Thank you all
Take care
Did you make an analysis with Autoruns?
http://technet.microsoft.com/en-US/sysinternals/bb963902.aspx
I would also try and find the EXE file. Command line "dir /s filename.ext" should find it for you when run from the root directory.
Quote from: hutch-- on October 03, 2013, 05:03:07 AM
I would also try and find the EXE file. Command line "dir /s filename.ext" should find it for you when run from the root directory.
I tried but didn't find it.
After the AV scan that environment variable disappeared.
Interestingly, in both cases the value of %COMPLUS_FodPath% looks more like a report (return value) than just the name of an executable.
I tend to think it was malicious software.
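A defensive triage of the situation this post describes, as an added example that is not code from the thread: it parses cmd.exe `set` output, picks out variables whose values name an executable, notes which of them the .NET CLR would read as runtime configuration (the CLR takes COMPlus_-prefixed environment variables as config knobs), and reports which referenced files are missing from disk, the dangling pattern seen with c:\no-fod.exe. The sample `set` output is constructed, and `parse_set_output`, `find_exe_refs` and `dangling` are names chosen for this example.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# The .NET CLR reads runtime configuration from COMPlus_-prefixed environment
# variables (e.g. COMPlus_gcServer), so one that names an executable stands out.
CLR_CONFIG_PREFIX = "complus_"

# Value looks like an absolute Windows path to an executable-type file.
EXE_PATH_RE = re.compile(r"^[a-z]:\\[^\r\n]*\.(?:exe|dll|com|bat|cmd|scr)$", re.I)

# Constructed sample of cmd.exe `set` output; COMPLUS_FodPath is the thread's value.
SAMPLE_SET_OUTPUT = """\
ComSpec=C:\\Windows\\system32\\cmd.exe
COMPLUS_FodPath=c:\\no-fod.exe
TEMP=C:\\Users\\user\\AppData\\Local\\Temp
"""


@dataclass
class Finding:
    name: str          # environment variable name as listed
    path: str          # executable path it points to
    clr_config: bool   # True if the CLR would treat it as a runtime knob
    file_exists: bool  # whether that file is actually on disk


def parse_set_output(text: str) -> Dict[str, str]:
    """Parse NAME=value lines as printed by `set`; the first '=' splits."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("="):  # skip blanks and =C: vars
            name, value = line.split("=", 1)
            env[name.strip()] = value.strip()
    return env


def find_exe_refs(env: Dict[str, str],
                  exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """List every variable whose value names an executable and whether the file
    exists; a missing target is the dangling pattern described in the thread."""
    return [Finding(name, value, name.lower().startswith(CLR_CONFIG_PREFIX), exists(value))
            for name, value in env.items() if EXE_PATH_RE.match(value)]


def dangling(findings: List[Finding]) -> List[Finding]:
    """Only the references whose target file is missing."""
    return [f for f in findings if not f.file_exists]
```

On a live machine, feed it the output of `set` (or the persisted values under the Environment keys in the registry, which is where a variable that keeps reappearing is usually re-seeded from) and use the default `os.path.exists`.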
Quote from: Vortex on October 03, 2013, 04:08:04 AM
Did you make an analysis with Autoruns?
http://technet.microsoft.com/en-US/sysinternals/bb963902.aspx
I already have the Sysinternals suite. I like those tools very much.
I had such a thought yesterday but the AV scan was already running at that moment.