Today I have a firewall rule allowing incoming traffic for a program called kmss.exe in Windows Firewall on one of my computers and I'm 100% sure that I didn't add it, neither was I ever asked to allow that program to connect to the internet through Windows Firewall.
So, the firewall rule says that the program must be in C:/Windows/Temp/Files/Bin/kmss.exe, but when I opened C:/Windows/Temp/ in File Explorer, there was no directory named "Files". I tried to use the command prompt to find it, but I failed again. And my settings already allow for hidden folders to be shown in File Explorer.
So, I suspect that C:/Windows/Temp/Files/Bin/kmss.exe does exist, but somehow it has managed to modify or fool Windows into thinking that it does not. Is that possible? If yes, what can I do to access that file and remove it?
2 Answers
Yes, it's possible to hide files from Windows with a rootkit. You can use RootkitRevealer to try and figure out if that's happening. It scans your system and tries to find discrepancies between what the kernel APIs report and what the Windows APIs report. That link has a much better explanation of how rootkits work.
That file, kmss.exe, appears to be part of a hack tool, AutoKMS, used to bypass Windows or Microsoft Office activation. It could be that someone tried to install that hack, and an antimalware application has moved the file to quarantine or has deleted it.
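
For the situation in the question (an inbound allow rule pointing at a program that cannot be found), the following is an added example, not part of either answer: a PowerShell audit that lists every enabled inbound allow rule whose program path is missing on disk or sits under a Temp directory. It uses the built-in NetSecurity cmdlets; the `\Temp\` match and the output column names are choices made for this example.

```powershell
# Added example: audit inbound allow rules for missing or Temp-located programs.
# Run from an elevated PowerShell prompt so all rules are readable.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True

$findings = foreach ($rule in $rules) {
    # The program path lives in the rule's application filter, not on the rule itself.
    $program = ($rule | Get-NetFirewallApplicationFilter).Program

    # Rules with no program restriction report "Any"; kernel rules report "System".
    if ([string]::IsNullOrEmpty($program) -or $program -in @('Any', 'System')) { continue }

    # Rule paths may contain variables such as %SystemRoot%.
    $path   = [Environment]::ExpandEnvironmentVariables($program)
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $inTemp = $path -match '\\Temp\\'   # case-insensitive by default

    if (-not $exists -or $inTemp) {
        [pscustomobject]@{
            RuleName   = $rule.DisplayName
            Program    = $path
            FileExists = $exists
            UnderTemp  = $inTemp
            # Signature status only makes sense when the file is actually there.
            Signature  = if ($exists) {
                (Get-AuthenticodeSignature -LiteralPath $path).Status
            } else {
                'n/a'
            }
        }
    }
}

$findings | Sort-Object FileExists, Program | Format-Table -AutoSize -Wrap
```

`Test-Path` goes through the normal Windows file APIs, so `FileExists = False` is consistent with both answers: the file may have been removed or quarantined, or it may be hidden from those APIs, which is the discrepancy RootkitRevealer is designed to surface.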