
2 potential FP possibly associated with Gigabyte computers


vidyagaem


Thank you for reporting. I'm not sure what it belongs to exactly. Here's the script gathered from the file:

cd /d %~dp0
rem regedit /s buildf9.reg
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "autobuildf9" /d "%windir%\system32\buildf9.exe" /t REG_SZ /f 
if not exist "%windir%\system32\buildf9.exe" (
copy "%windir%\temp\buildf9.exe" "%windir%\system32\" /y
exit
goto :EOF
)
rem call var.cmd
rem call masterdisk.cmd
for %%i in (0 1 2 3 4) do call :finddisk %%i
for %%k in (1 2 3 4 5) do call :findpart %%k
echo disk=%disk%
echo part=%part%
call :assignletter
set REVOL=T:
set BCDVOL=S:
set WINVOL=W:
set IMGVOL=R:
set BCDSTORE=S:\EFI\Microsoft\Boot\BCD
set F9STORE=S:\EFI\pro\Boot\BCD
set BCDSOURCE=S:\EFI\Microsoft\
set F9SOURCE=S:\EFI\pro\
bcdedit /store %BCDSTORE% /enum {default} | find "recoverysequence" > temp.scp
set /p qoo=<temp.scp
set WINREGUID=%qoo:~24,38%
bcdedit /store %BCDSTORE% /ENUM %WINREGUID% | find "osdevice" > OSID.TXT
set /p TATOSID=<OSID.TXT
set OSDEVICEID=%TATOSID:~24,80%
set OSSDIID=%TATOSID:~66,38%
SET OSSDIPATH=%TATOSID:~33,2%
XCOPY %BCDSOURCE%*.* %F9SOURCE% /E /Y
bcdedit /store %F9STORE% /set {bootmgr} integrityservices Enable
bcdedit /store %F9STORE% /set {bootmgr} default %WINREGUID%
bcdedit /store %F9STORE% /set {bootmgr} displayorder %WINREGUID%
bcdedit /store %F9STORE% /set {bootmgr} locale en-us
bcdedit /store %F9STORE% /set {default} locale en-us
bcdedit /store %F9STORE% /set {default} device %OSDEVICEID%
bcdedit /store %F9STORE% /set {default} osdevice %OSDEVICEID%
bcdedit /store %F9STORE% /create %OSSDIID% /d "Windows Recovery" /device
bcdedit /store %F9STORE% /set %OSSDIID% ramdisksdidevice partition=%OSSDIPATH%
bcdedit /store %F9STORE% /set %OSSDIID% ramdisksdipath \Recovery\WindowsRE\boot.sdi
bcdedit /set {bootmgr} customactions 0x1000043000001 0x54000001
bcdedit /set {bootmgr} custom:54000001 %WINREGUID%
bcdedit /set {default} bootmenupolicy legacy
bcdedit /set %WINREGUID% bootmenupolicy legacy
rem bcdedit /store %F9STORE% /set {bootmgr} customactions 0x1000043000001 0x54000001
rem bcdedit /store %F9STORE% /set {bootmgr} custom:54000001 %WINREGUID%
rem bcdedit /store %F9STORE% /set {default} bootmenupolicy legacy
rem bcdedit /store %F9STORE% /set %WINREGUID% bootmenupolicy legacy
rem bcdedit /store %F9STORE% /deletevalue {bootmgr} customactions
rem bcdedit /store %F9STORE% /deletevalue {bootmgr} custom:54000001
rem bcdedit /store %F9STORE% /set {bootmgr} displaybootmenu no
bcdedit /store %F9STORE% /set {default} bootmenupolicy Standard
bcdedit /store %F9STORE% /set %WINREGUID% bootmenupolicy Standard
call :removeletter
exit
goto :EOF


:finddisk
echo sel disk %1 > temp.scp
echo detail disk >> temp.scp
echo exit >> temp.scp
diskpart /s temp.scp | find /i "Windows"
if %ERRORLEVEL%==0 set DISK=%1
goto :EOF


:findpart
echo sel disk %disk% > temp.scp
echo sel par %1 >> temp.scp
echo detail par >> temp.scp
echo exit >> temp.scp
diskpart /s temp.scp | find /i "system"
if %ERRORLEVEL%==0 set part=%1
goto :EOF


:assignletter
echo sel disk %disk% > temp.scp
echo sel par %part% >> temp.scp
echo ass letter=s >> temp.scp
echo exit >> temp.scp
diskpart /s temp.scp
goto :EOF


:removeletter
echo sel disk %disk% > temp.scp
echo sel par %part% >> temp.scp
echo remove >> temp.scp
echo exit >> temp.scp
diskpart /s temp.scp
goto :EOF

There were a couple of other topics I found online, both had Gigabyte boards. It's also from ~2017. Not malware, but not something you need on the computer, so feel free to remove. I have whitelisted the file so you shouldn't see this detection anymore.

Regards

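The script above drops buildf9.exe into system32, registers it under the RunOnce key, builds a second BCD store under \EFI\pro on the EFI System Partition and points the boot manager's custom boot-key action (F9, judging by the 0x43 scan code and the file name) at the Windows Recovery entry. The PowerShell triage helper below is an added example for this thread, not code from the post, from Malwarebytes or from Gigabyte: it reports each of those leftovers (read-only by default) and, with -Remove, takes them out using the same bcdedit /deletevalue calls the script itself keeps commented out. The RunOnce value name, file paths and BCD identifiers are taken from the script; the S: drive letter used to mount the ESP is an assumption, and the helper skips that check if S: is already taken. Run it from an elevated PowerShell session.

```powershell
# Added triage helper (not from the forum post, Malwarebytes or Gigabyte):
# reports the artifacts the buildf9 script leaves behind, so a responder can
# confirm what is on the box after the detection was whitelisted.
# Read-only unless -Remove is given. Value names, paths and BCD identifiers
# come from the script; the S: drive letter is an assumption.
[CmdletBinding()]
param([switch]$Remove)

$runOnceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$valueName  = 'autobuildf9'
$exePaths   = @("$env:windir\system32\buildf9.exe", "$env:windir\temp\buildf9.exe")
$findings   = @()

# 1. RunOnce persistence written by the 'reg add' line in the script.
$runOnce = Get-ItemProperty -Path $runOnceKey -Name $valueName -ErrorAction SilentlyContinue
if ($runOnce) {
    $findings += "RunOnce value '$valueName' -> $($runOnce.$valueName)"
    if ($Remove) { Remove-ItemProperty -Path $runOnceKey -Name $valueName }
}

# 2. The executable copied into system32 and the staging copy in %windir%\temp.
foreach ($p in $exePaths) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "File $p (SHA256 $hash)"
        if ($Remove) { Remove-Item -LiteralPath $p -Force }
    }
}

# 3. Custom boot-key action on the live boot manager entry. bcdedit prints
#    property names at column 0, so the anchored pattern matches only them.
$bootmgr = bcdedit /enum '{bootmgr}' 2>$null
$custom  = $bootmgr | Select-String -Pattern '^(customactions|custom:54000001)'
foreach ($line in $custom) {
    $findings += "Live BCD {bootmgr}: $($line.Line.Trim())"
}
if ($Remove -and $custom) {
    bcdedit /deletevalue '{bootmgr}' customactions | Out-Null
    bcdedit /deletevalue '{bootmgr}' custom:54000001 | Out-Null
}

# 4. The second BCD store the script builds under \EFI\pro on the EFI System
#    Partition. mountvol /s mounts the ESP; S: is assumed to be free, and the
#    check is skipped rather than dismounting someone else's S: volume.
$esp = 'S:'
if (Test-Path -LiteralPath "$esp\") {
    Write-Warning "$esp is already in use; skipping the EFI System Partition check."
} else {
    mountvol $esp /s 2>$null
    if (Test-Path -LiteralPath "$esp\EFI\pro\Boot\BCD") {
        $findings += "Secondary store $esp\EFI\pro\Boot\BCD present"
        if ($Remove) { Remove-Item -LiteralPath "$esp\EFI\pro" -Recurse -Force }
    }
    mountvol $esp /d 2>$null
}

if ($findings) { $findings | ForEach-Object { Write-Output "[found] $_" } }
else           { Write-Output 'No buildf9 artifacts present.' }
```

Run it once without -Remove to see what is actually present; the SHA256 of any buildf9.exe it finds is what you would compare against the sample that triggered the detection before deciding to delete anything. Removing the \EFI\pro store and the customactions value only disables the vendor's custom recovery key; the standard Windows boot entries under \EFI\Microsoft are not touched.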

16 minutes ago, thisisu said:

Thank you for reporting. I'm not sure what it belongs to exactly. Here's the script gathered from the file: [...]

Oh wow, thanks for the fast response, good to know it looks like a nothingburger.
