Results 1 to 5 of 5

Thread: No admin in ACL

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Junior Member
    Join Date
    Apr 2014
    Posts
    2

    Default No admin in ACL

    Hi Tashi,

    as I'm a pretty n00b in this kind of task, may I ask you how to figure out, if my accidently click on an unknown EXE, which was downloaded from a not reliable source, was any harmful in my case?



    // info: Rootkit removal help file
    // copyright: (c) 2008-2023 Safer-Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    File:"Unknown ADS","C:\ProgramData\Acronis:Win32App_1:$DATA"
    File:"Unknown ADS","C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA:$DATA"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-08-06-19-40-20-805-10872"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-08-14-17-28-29-088-9424"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-09-08-18-42-30-436-9548"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-09-09-23-21-29-627-16000"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-09-23-23-42-17-320-7336"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-10-08-02-11-48-092-8744"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-10-22-19-09-36-711-9520"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-11-05-00-03-06-485-9768"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-11-18-00-50-48-508-8044"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-12-02-21-23-28-167-10108"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-12-17-06-41-52-118-7484"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-03-13-16-03-43-858-788"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-03-18-22-45-51-583-3628"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-03-30-22-46-36-607-7184"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-04-14-23-30-04-627-4324"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-04-28-21-02-09-482-3356"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-05-12-21-28-27-043-7964"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-06-12-03-14-31-837-9544"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-07-07-12-20-20-727-10172"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-07-21-23-43-16-517-8592"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-08-07-20-44-16-487-4712"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-09-15-22-30-31-161-9604"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-09-29-19-54-58-869-8984"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-10-13-18-19-42-014-6352"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-10-26-22-06-14-566-3052"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-11-13-01-10-08-464-5236"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-11-30-19-29-29-135-4820"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-12-23-04-33-07-255-8748"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-01-06-04-00-43-752-6428"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-01-20-00-35-04-200-8884"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-02-03-00-14-55-688-8360"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-03-16-00-57-49-278-8536"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-03-30-22-08-46-727-636"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-04-13-22-10-34-739-4464"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-04-28-03-57-26-445-6604"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-05-25-17-57-50-068-5428"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-06-08-21-47-45-521-8560"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-06-23-17-28-17-774-7060"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-07-06-18-09-17-157-1608"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-07-21-02-56-45-257-8632"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-08-04-02-56-31-430-8884"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-08-17-23-17-45-635-8660"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-08-25-01-35-24-043-9880"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-09-01-03-09-22-629-6284"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-09-14-17-28-42-440-9152"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-09-17-06-57-22-604-6268"
    File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-09-27-22-18-51-083-6032"
    File:"Unknown ADS","C:\Program Files (x86)\Acronis:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Bonjour:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\CheckDrive:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\HD Tune:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Spybot - Search & Destroy 2:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Google\Chrome\Application:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\EaseUS\EaseUS Partition Master 12.8:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Acronis:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Bonjour\Bonjour.Resources:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Acronis\TrueImageHome:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Bonjour:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\MiniTool Partition Wizard 10:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Mozilla Firefox:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\rempl:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\WinRAR:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\RealVNC\VNC4:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\RealVNC\VNC4\Mirror Driver:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\RealVNC\VNC4\Printer Driver:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\CPUID\CPU-Z:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\VC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Axis Communications\AXIS Camera Station:Win32App_1:$DATA"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\CPK2HWU","Final"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\CPK1HWU","Final"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\CPK2HWU","Final"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\CPK1HWU","Final"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\WOW6432Node\WOW6432Node\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\WOW6432Node\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Classes\WOW6432Node\WOW6432Node\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Classes\WOW6432Node\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Classes\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options","MsSense.exe"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","Provider"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","ProvidersMigration"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","Svc"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","Av"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","CBP"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","DPA"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","Fw"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","SecurityApp"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider\SecurityApp","WebProtection"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\InputMethod\Chs","DuState"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options","MsSense.exe"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center","Provider"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center","ProvidersMigration"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","Av"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","CBP"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","DPA"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","Fw"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","SecurityApp"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider\SecurityApp","WebProtection"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\InputMethod\Chs","DuState"


    Thanks and regards,
    Borg666
    Last edited by tashi; 2023-02-23 at 18:03. Reason: Split off from another thread, so you have your own topic. :-)

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hi Borg666,

    Apologies, I missed this, it was posted to another member's 2021 topic.

    The RootAlyzer is an analyst tool and not a scan and fix program but the log isn't waving a flag.

    How is the computer running, any issues? Also when you clicked on the .exe did your anti-virus alert?

    Best regards,
    tashi
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Apr 2014
    Posts
    2

    Default

    Hi Tashi, all,

    Windows Defender seemed to be offline in that situation
    I suspect that I have caught a very nasty malware - my suspicion is that it is a rootkit.

    Can anyone confirm or disprove my suspicion?
    If it is a rootkit, a normal Windows reinstallation is probably not enough? Does anyone here have experience with this?


    Portable App Packet:
    file name: PowerISO.exe
    md5 hash: 3debb2474a113af506a0bb57b8d2aeef
    https://www.virustotal.com/gui/file/...b9481ad45522b8


    The following file is created when the portable app above is started.
    When you exit the above app, this file is immediately deleted:

    file name: Registry.tlog
    alternate file name: android-cts-7.1_r6-linux_x86-arm.zip
    md5: D41D8CD98F00B204E9800998ECF8427E
    https://www.virustotal.com/gui/file/...95991b7852b855

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hello Borg666,

    The first link to Virus Total has one vendor flagging Trojan.Inject.Win32.309794

    Quote Originally Posted by Borg666 View Post
    Windows Defender seemed to be offline in that situation
    Strange.

    "Microsoft Defender Antivirus detects and removes this threat."
    https://www.microsoft.com/en-us/wdsi...32%2FInject.AO

    The second link is inconclusive, it shows: File distributed by ExpressVPN, Microsoft and others

    If you haven't already please run a scan with your anti-virus enabled.

    Best regards,

    tashi
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  5. #5
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    Quote Originally Posted by Borg666 View Post
    file name: Registry.tlog
    alternate file name: android-cts-7.1_r6-linux_x86-arm.zip
    md5: D41D8CD98F00B204E9800998ECF8427E
    https://www.virustotal.com/gui/file/...95991b7852b855
    That md5 is the hash for an empty file, that's why it can't be associated with something specific. Empty files are created by many.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •