What is boost_interprocess folder

    Question

  • Hi,

    Our Windows 2008 R2 Remote Desktop Service server has a "boost_interprocess" folder under the "programdata" folder on the C drive. Does anyone know what it is used for and why? The folder inside contains a long random folder name. The server is not infected with any malware or spyware or virus of any kind, as we already checked. Any info will be greatly appreciated. Thanks.

    Willy

    Thursday, April 04, 2013 11:19 PM

All replies

  • Looks to be this one.

    http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3AWin32%2FKelihos.A

    The malware creates a mapped file in the following file format:
    <path>\boost_interprocess\<14 numerical digits>.<6 numerical digits>\googleimpl
    The mapped file above refers to a shared memory object that the malware may use to check for its presence on the affected computer.

     Note: "<path>" refers to either “C:\Documents and Settings\All Users\Application Data” or “C:\ProgramData”, depending on the version of Windows operating system. The folder name “<14 numerical digits>.<6 numerical digits>” is created from the system date and time value.

     

     


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, April 05, 2013 1:16 AM
  • Hi Dave,

    Thanks for the info but I don't think we are dealing with something else. We have an updated version of the virus scanner and definitions, and the properties of the malware don't match correctly. Here is one set of files we have:

    C:\programdata\boost_interprocess\12BCC86CA823CE01
    03/20/2013  11:10 AM       149,971,760 d04fbbc1-f740-4af0-b740-daf0f740daf0
    03/20/2013  11:10 AM                 8 d04fbbc1-f740-4af0-b740-daf0f740daf0_counter

    Thanks.

    Friday, April 05, 2013 6:12 AM
  • Probably some variant of it then. More info here.

    http://about-threats.trendmicro.com/us/malware/WORM_KELIHOS.SM

     

     

     


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, April 05, 2013 2:03 PM
  • Unfortunately that's not it. It's not a virus or malware, as we have run multiple scans and they check out fine. Thanks.
    Sunday, April 07, 2013 1:22 AM
  • Old thread so this may no longer be relevant, but I also found the boost_interprocess folder in C:\ProgramData. I have discovered that the boost_interprocess folder, and its contents, are created by the Cloudfogger app on my system.

    Cloudfogger is (was) an app to automatically encrypt the contents of folders synced with cloud storage services. Unfortunately, there has been no activity from them since December 2012, and they are not responding to contact.

    I'm not saying that their software is purposefully malicious because I have no evidence, other than the creation of that folder, that anything untoward is happening. However, bearing in mind the lack of development and response, I have uninstalled Cloudfogger which has allowed me to delete the boost_interprocess folder, and, without Cloudfogger running, it doesn't come back.
    Thursday, July 11, 2013 4:53 AM
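
An added triage example, not part of any post in this thread: it checks subfolder names under boost_interprocess against the path layout quoted from the Microsoft entry and, going beyond the thread, tries to read a 16-hex-digit name as a little-endian Windows FILETIME. That FILETIME reading is an assumption, the verdict labels are made up for this example, and the second sample folder is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Layout quoted in the thread: <path>\boost_interprocess\<14 digits>.<6 digits>\googleimpl
DOCUMENTED_DIR = re.compile(r"\d{14}\.\d{6}")
HEX16_DIR = re.compile(r"[0-9A-Fa-f]{16}")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_filetime_name(name):
    """Assumption: the 16 hex digits are the bytes of a little-endian FILETIME."""
    ticks = int.from_bytes(bytes.fromhex(name), "little")  # 100 ns units since 1601
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:  # value too large to be a calendar date
        return None

def classify(folder, files):
    """Return (verdict, detail) for one subfolder of boost_interprocess."""
    if DOCUMENTED_DIR.fullmatch(folder):
        if any(f.lower() == "googleimpl" for f in files):
            return "documented-layout", "digit-named folder containing googleimpl"
        return "partial-layout", "digit-named folder without googleimpl"
    if HEX16_DIR.fullmatch(folder):
        when = decode_filetime_name(folder)
        if when is not None and 2000 <= when.year <= 2100:
            return "filetime-like", "name decodes to " + when.isoformat(timespec="seconds")
    return "unrecognised", "name fits neither layout"

# Sample listing: the first entry is the folder posted in the thread,
# the second is constructed here to exercise the documented layout.
SAMPLE = {
    "12BCC86CA823CE01": ["d04fbbc1-f740-4af0-b740-daf0f740daf0",
                         "d04fbbc1-f740-4af0-b740-daf0f740daf0_counter"],
    "20130320111000.123456": ["googleimpl"],
}

if __name__ == "__main__":
    for folder, files in SAMPLE.items():
        print(folder, *classify(folder, files), sep=" | ")
```

Under that assumption, the folder name posted in the thread decodes to 18 March 2013 (UTC), two days before the 03/20/2013 timestamps on the files inside it.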