No admin in ACL



Borg666
2023-02-22, 01:40
Hi Tashi,

as I'm a pretty n00b at this kind of task, may I ask you how to figure out if my accidental click on an unknown EXE, which was downloaded from an unreliable source, was harmful in my case?



// info: Rootkit removal help file
// copyright: (c) 2008-2023 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Unknown ADS","C:\ProgramData\Acronis:Win32App_1:$DATA"
File:"Unknown ADS","C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA:$DATA"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-08-06-19-40-20-805-10872"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-08-14-17-28-29-088-9424"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-09-08-18-42-30-436-9548"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-09-09-23-21-29-627-16000"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-09-23-23-42-17-320-7336"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-10-08-02-11-48-092-8744"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-10-22-19-09-36-711-9520"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-11-05-00-03-06-485-9768"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-11-18-00-50-48-508-8044"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-12-02-21-23-28-167-10108"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-12-17-06-41-52-118-7484"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-03-13-16-03-43-858-788"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-03-18-22-45-51-583-3628"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-03-30-22-46-36-607-7184"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-04-14-23-30-04-627-4324"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-04-28-21-02-09-482-3356"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-05-12-21-28-27-043-7964"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-06-12-03-14-31-837-9544"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-07-07-12-20-20-727-10172"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-07-21-23-43-16-517-8592"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-08-07-20-44-16-487-4712"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-09-15-22-30-31-161-9604"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-09-29-19-54-58-869-8984"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-10-13-18-19-42-014-6352"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-10-26-22-06-14-566-3052"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-11-13-01-10-08-464-5236"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-11-30-19-29-29-135-4820"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-12-23-04-33-07-255-8748"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-01-06-04-00-43-752-6428"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-01-20-00-35-04-200-8884"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-02-03-00-14-55-688-8360"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-03-16-00-57-49-278-8536"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-03-30-22-08-46-727-636"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-04-13-22-10-34-739-4464"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-04-28-03-57-26-445-6604"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-05-25-17-57-50-068-5428"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-06-08-21-47-45-521-8560"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-06-23-17-28-17-774-7060"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-07-06-18-09-17-157-1608"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-07-21-02-56-45-257-8632"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-08-04-02-56-31-430-8884"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-08-17-23-17-45-635-8660"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-08-25-01-35-24-043-9880"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-09-01-03-09-22-629-6284"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-09-14-17-28-42-440-9152"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-09-17-06-57-22-604-6268"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-09-27-22-18-51-083-6032"
File:"Unknown ADS","C:\Program Files (x86)\Acronis:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Bonjour:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\CheckDrive:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\HD Tune:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Spybot - Search & Destroy 2:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Google\Chrome\Application:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\EaseUS\EaseUS Partition Master 12.8:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Acronis:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Bonjour\Bonjour.Resources:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Acronis\TrueImageHome:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Bonjour:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\MiniTool Partition Wizard 10:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Mozilla Firefox:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\rempl:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\WinRAR:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\RealVNC\VNC4:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\RealVNC\VNC4\Mirror Driver:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\RealVNC\VNC4\Printer Driver:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\CPUID\CPU-Z:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\VC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Axis Communications\AXIS Camera Station:Win32App_1:$DATA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\CPK2HWU","Final"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\CPK1HWU","Final"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\CPK2HWU","Final"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\CPK1HWU","Final"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\WOW6432Node\WOW6432Node\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\WOW6432Node\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Classes\WOW6432Node\WOW6432Node\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Classes\WOW6432Node\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Classes\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options","MsSense.exe"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","Provider"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","ProvidersMigration"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","Svc"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc","Upgrade"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","Av"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","CBP"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","DPA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","Fw"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","SecurityApp"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider\SecurityApp","WebProtection"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\InputMethod\Chs","DuState"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options","MsSense.exe"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center","Provider"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center","ProvidersMigration"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc","Upgrade"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","Av"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","CBP"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","DPA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","Fw"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","SecurityApp"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider\SecurityApp","WebProtection"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\InputMethod\Chs","DuState"


Thanks and regards,
Borg666
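The two finding types in the log above, "Unknown ADS" and "No admin in ACL", can be re-checked by hand. The PowerShell below is an added example, not RootAlyzer's code and not from the original post; it assumes PowerShell 7.2 or later (the version from which Get-Item and Get-Content -Stream also work on directories, which most of the ADS entries in the log are) running in an elevated session on the affected machine. The sample paths are copied from the posted log.

```powershell
# Added example (not from the original post): re-check RootAlyzer's "Unknown ADS"
# and "No admin in ACL" findings by hand. Assumes PowerShell 7.2+ (so -Stream works
# on directories) in an elevated session; sample paths are taken from the log.

function Get-AdsReport {
    # Lists every named stream on a file or directory and previews its first bytes,
    # so an "Unknown ADS" can be judged (short text marker vs. an embedded executable).
    param([Parameter(Mandatory)][string]$Path)
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |      # ':$DATA' is the normal file content
        ForEach-Object {
            $bytes = [byte[]](Get-Content -LiteralPath $Path -Stream $_.Stream -AsByteStream -ErrorAction SilentlyContinue)
            $head  = if ($bytes) { $bytes[0..([Math]::Min(63, $bytes.Length - 1))] } else { @() }
            [pscustomobject]@{
                Path        = $Path
                Stream      = $_.Stream
                Bytes       = $_.Length
                # 'MZ' at offset 0 would mean a PE image is hidden in the stream
                LooksLikePE = ($head.Length -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                Preview     = -join ($head | ForEach-Object { if ($_ -ge 0x20 -and $_ -le 0x7E) { [char]$_ } else { '.' } })
            }
        }
}

function Test-AdminInAcl {
    # Reports whether BUILTIN\Administrators (S-1-5-32-544) appears in the DACL of a
    # file, directory or registry key (use HKLM:\... paths for keys). The SID is resolved
    # locally so the check also works on non-English Windows.
    param([Parameter(Mandatory)][string]$Path)
    $admins = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544').Translate([System.Security.Principal.NTAccount]).Value
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Not even being able to read the DACL from an elevated session is itself
        # consistent with the finding; report it instead of silently skipping.
        return [pscustomobject]@{ Path = $Path; AdminInAcl = $null; Owner = $null; Entries = $_.Exception.Message }
    }
    $entries = $acl.Access | ForEach-Object {
        $rights = if ($_.PSObject.Properties['RegistryRights']) { $_.RegistryRights } else { $_.FileSystemRights }
        '{0}:{1}:{2}' -f $_.IdentityReference.Value, $_.AccessControlType, $rights
    }
    [pscustomobject]@{
        Path       = $Path
        AdminInAcl = [bool]($acl.Access | Where-Object { $_.IdentityReference.Value -eq $admins })
        Owner      = $acl.Owner
        Entries    = $entries -join '; '
    }
}

# Sample paths copied from the posted log
'C:\Program Files\WinRAR', 'C:\ProgramData\Acronis' |
    ForEach-Object { Get-AdsReport -Path $_ } | Format-Table -AutoSize

'C:\ProgramData\Dropbox\Update\Log',
'HKLM:\SYSTEM\CurrentControlSet\Services\CPK2HWU',
'HKLM:\SOFTWARE\Microsoft\Security Center\Provider' |
    ForEach-Object { Test-AdminInAcl -Path $_ } | Format-List
```

"No admin in ACL" is a deviation from the default, not a verdict: Windows itself locks several locations (the Security Center keys are one case) to SYSTEM or TrustedInstaller, and an updater running as SYSTEM can write logs that never get an Administrators entry. What is worth comparing against a known-good machine is the Owner and the full Entries list, not just the flag. For the two unfamiliar service keys the same session can show what they point at with Get-CimInstance Win32_SystemDriver -Filter "Name='CPK1HWU'" | Select-Object Name, PathName, State (and the same for Win32_Service).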

tashi
2023-02-23, 17:00
Hi Borg666,

Apologies, I missed this; it was posted in another member's 2021 topic. :)

The RootAlyzer is an analyst tool and not a scan-and-fix program, but the log isn't waving a flag.

How is the computer running, any issues? Also when you clicked on the .exe did your anti-virus alert?

Best regards,
tashi

Borg666
2023-02-23, 18:48
Hi Tashi, all,

Windows Defender seemed to be offline in that situation.
I suspect that I have caught a very nasty malware - my suspicion is that it is a rootkit.

Can anyone confirm or disprove my suspicion?
If it is a rootkit, is a normal Windows reinstallation probably not enough? Does anyone here have experience with this?


Portable app package:
file name: PowerISO.exe
md5 hash: 3debb2474a113af506a0bb57b8d2aeef
https://www.virustotal.com/gui/file/61de92a79b56d1990608ebffd80869d7c430c859acf4be22a1b9481ad45522b8


The following file is created when the portable app above is started.
When you exit the above app, this file is immediately deleted:

file name: Registry.tlog
alternate file name: android-cts-7.1_r6-linux_x86-arm.zip
md5: D41D8CD98F00B204E9800998ECF8427E
https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

tashi
2023-02-24, 02:21
Hello Borg666,

The first link to VirusTotal has one vendor flagging Trojan.Inject.Win32.309794.



Windows Defender seemed to be offline in that situation

Strange.

"Microsoft Defender Antivirus detects and removes this threat."
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FInject.AO

The second link is inconclusive; it shows: "File distributed by ExpressVPN, Microsoft and others".

If you haven't already please run a scan with your anti-virus enabled.

Best regards,

tashi
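Both of tashi's questions ("did your anti-virus alert?" and "was Defender offline?") can be answered from Defender's own records rather than from memory. The PowerShell below is an added example, not from the original thread or from Safer-Networking; it assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on a machine with the built-in Defender module, and the 30-day window is an arbitrary default.

```powershell
# Added example (not from the original thread): check whether Defender was actually
# running when the EXE was launched, and whether it logged a detection. Assumes an
# elevated Windows PowerShell 5.1 / PowerShell 7 session with the Defender module.

function Get-DefenderState {
    # Current engine state; RealTimeProtection = False is what "offline" usually means.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        ServiceRunning           = $s.AMServiceEnabled
        AntivirusEnabled         = $s.AntivirusEnabled
        RealTimeProtection       = $s.RealTimeProtectionEnabled
        RealTimeDisabledByPolicy = (Get-MpPreference).DisableRealtimeMonitoring
        SignatureAgeDays         = $s.AntivirusSignatureAge
        LastQuickScan            = $s.QuickScanEndTime
        LastFullScan             = $s.FullScanEndTime
    }
}

function Get-DefenderTimeline {
    # Defender's operational log, filtered to the events that matter here:
    #   1116 malware detected, 1117 action taken,
    #   5001 real-time protection disabled, 5010 malware scanning disabled.
    param([datetime]$Since = (Get-Date).AddDays(-30))   # window is an arbitrary default
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117, 5001, 5010
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split '\r?\n')[0] } } |
        Sort-Object TimeCreated
}

function Get-DefenderDetections {
    # Detection history joined with threat names, so the output names the file
    # and the process that touched it.
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
    Get-MpThreatDetection | ForEach-Object {
        [pscustomobject]@{
            Detected  = $_.InitialDetectionTime
            Threat    = $names[$_.ThreatID]
            Process   = $_.ProcessName
            Resources = ($_.Resources -join '; ')
            Cleaned   = $_.ActionSuccess
        }
    } | Sort-Object Detected -Descending
}

Get-DefenderState
Get-DefenderTimeline | Format-Table -AutoSize
Get-DefenderDetections | Format-List
# With real-time protection confirmed on, run the scan tashi asked for:
# Start-MpScan -ScanType FullScan
```

Two readings of the output matter. A 5001 event shortly before the EXE was run is the thing to look for, because Defender normally logs when real-time protection is switched off. AntivirusEnabled = False without any 5001 event is usually benign: Defender goes passive on its own when another anti-virus product registers with Security Center.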

PepiMK
2023-02-24, 11:06
file name: Registry.tlog
alternate file name: android-cts-7.1_r6-linux_x86-arm.zip
md5: D41D8CD98F00B204E9800998ECF8427E
https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

That MD5 is the hash of an empty file; that's why it can't be associated with anything specific. Empty files are created by many programs.
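PepiMK's point can be checked offline: both hashes quoted for Registry.tlog are the digests of zero bytes, and VirusTotal's /gui/file/ URLs are keyed by SHA-256, so an MD5 on its own never identifies a particular file. The PowerShell below is an added example, not from the original thread or from Safer-Networking; it assumes Windows PowerShell 5.1 or later, the download path for PowerISO.exe is a placeholder, and the VirusTotal URL is the one quoted earlier in the thread.

```powershell
# Added example (not from the original thread). Assumes Windows PowerShell 5.1+.
# The hash values in the comments are the well-known digests of empty input,
# i.e. exactly the two values quoted for Registry.tlog above.

function Get-HexDigest {
    # Lower-case hex digest of a byte array, in the form VirusTotal displays it.
    param([byte[]]$Bytes, [ValidateSet('MD5', 'SHA256')][string]$Algorithm)
    $stream = [System.IO.MemoryStream]::new($Bytes)
    try { (Get-FileHash -InputStream $stream -Algorithm $Algorithm).Hash.ToLowerInvariant() }
    finally { $stream.Dispose() }
}

$emptyMd5    = Get-HexDigest -Bytes ([byte[]]@()) -Algorithm MD5     # d41d8cd98f00b204e9800998ecf8427e
$emptySha256 = Get-HexDigest -Bytes ([byte[]]@()) -Algorithm SHA256  # e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

function Get-FileIdentity {
    # Size, both digests and the VirusTotal URL for a file; flags the empty-file case
    # so a Registry.tlog-style artifact is not mistaken for a match on something real.
    param([Parameter(Mandatory)][string]$Path)
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $sha256 = Get-HexDigest -Bytes $bytes -Algorithm SHA256
    [pscustomobject]@{
        Path          = $Path
        Length        = $bytes.Length
        MD5           = Get-HexDigest -Bytes $bytes -Algorithm MD5
        SHA256        = $sha256
        IsEmptyFile   = ($sha256 -eq $emptySha256)
        VirusTotalUrl = "https://www.virustotal.com/gui/file/$sha256"
    }
}

function Test-MatchesVirusTotalLink {
    # True only if the file on disk has the SHA-256 embedded in the VT link; that is
    # what ties a verdict to this exact file (an MD5 alone is collision-prone).
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Url)
    if ($Url -match '/file/([0-9a-f]{64})') {
        return (Get-FileIdentity -Path $Path).SHA256 -eq $Matches[1]
    }
    throw "No SHA-256 found in URL: $Url"
}

# Usage (placeholder path; the URL is the one quoted in the thread for PowerISO.exe):
# Get-FileIdentity -Path 'C:\Downloads\PowerISO.exe'
# Test-MatchesVirusTotalLink -Path 'C:\Downloads\PowerISO.exe' `
#     -Url 'https://www.virustotal.com/gui/file/61de92a79b56d1990608ebffd80869d7c430c859acf4be22a1b9481ad45522b8'
```

For a file that disappears when the program exits, as Registry.tlog does, copy it while the program is still running and hash the copy. If the result is the empty-file digest, the file says nothing about who wrote it; the useful question then is which process created it, which is a process-monitoring job rather than a hash lookup.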