No admin in ACL

Borg666

New member
Hi Tashi,

As I'm a pretty n00b at this kind of task, may I ask you how to figure out whether my accidental click on an unknown EXE, downloaded from an unreliable source, did any harm in my case?

// info: Rootkit removal help file
// copyright: (c) 2008-2023 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Unknown ADS","C:\ProgramData\Acronis:Win32App_1:$DATA"
File:"Unknown ADS","C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA:$DATA"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-08-06-19-40-20-805-10872"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-08-14-17-28-29-088-9424"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-09-08-18-42-30-436-9548"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-09-09-23-21-29-627-16000"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-09-23-23-42-17-320-7336"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-10-08-02-11-48-092-8744"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-10-22-19-09-36-711-9520"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-11-05-00-03-06-485-9768"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-11-18-00-50-48-508-8044"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-12-02-21-23-28-167-10108"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-12-17-06-41-52-118-7484"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-03-13-16-03-43-858-788"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-03-18-22-45-51-583-3628"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-03-30-22-46-36-607-7184"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-04-14-23-30-04-627-4324"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-04-28-21-02-09-482-3356"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-05-12-21-28-27-043-7964"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-06-12-03-14-31-837-9544"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-07-07-12-20-20-727-10172"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-07-21-23-43-16-517-8592"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-08-07-20-44-16-487-4712"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-09-15-22-30-31-161-9604"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-09-29-19-54-58-869-8984"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-10-13-18-19-42-014-6352"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-10-26-22-06-14-566-3052"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-11-13-01-10-08-464-5236"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-11-30-19-29-29-135-4820"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2021-12-23-04-33-07-255-8748"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-01-06-04-00-43-752-6428"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-01-20-00-35-04-200-8884"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-02-03-00-14-55-688-8360"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-03-16-00-57-49-278-8536"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-03-30-22-08-46-727-636"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-04-13-22-10-34-739-4464"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-04-28-03-57-26-445-6604"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-05-25-17-57-50-068-5428"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-06-08-21-47-45-521-8560"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-06-23-17-28-17-774-7060"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-07-06-18-09-17-157-1608"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-07-21-02-56-45-257-8632"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-08-04-02-56-31-430-8884"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-08-17-23-17-45-635-8660"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-08-25-01-35-24-043-9880"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-09-01-03-09-22-629-6284"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-09-14-17-28-42-440-9152"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-09-17-06-57-22-604-6268"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2022-09-27-22-18-51-083-6032"
File:"Unknown ADS","C:\Program Files (x86)\Acronis:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Bonjour:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\CheckDrive:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\HD Tune:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Spybot - Search & Destroy 2:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Google\Chrome\Application:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\EaseUS\EaseUS Partition Master 12.8:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Acronis:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Bonjour\Bonjour.Resources:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Acronis\TrueImageHome:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Bonjour:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\MiniTool Partition Wizard 10:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Mozilla Firefox:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\rempl:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\WinRAR:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\RealVNC\VNC4:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\RealVNC\VNC4\Mirror Driver:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\RealVNC\VNC4\Printer Driver:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\CPUID\CPU-Z:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\VC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Axis Communications\AXIS Camera Station:Win32App_1:$DATA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\CPK2HWU","Final"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\CPK1HWU","Final"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\CPK2HWU","Final"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\CPK1HWU","Final"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\WOW6432Node\WOW6432Node\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\WOW6432Node\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Classes\WOW6432Node\WOW6432Node\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Classes\WOW6432Node\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Classes\AppID","{1111A26D-EF95-4A45-9F55-21E52ADF9887}"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options","MsSense.exe"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","Provider"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","ProvidersMigration"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","Svc"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc","Upgrade"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","Av"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","CBP"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","DPA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","Fw"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","SecurityApp"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider\SecurityApp","WebProtection"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\InputMethod\Chs","DuState"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options","MsSense.exe"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center","Provider"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center","ProvidersMigration"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc","Upgrade"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","Av"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","CBP"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","DPA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","Fw"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","SecurityApp"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider\SecurityApp","WebProtection"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\InputMethod\Chs","DuState"


Thanks and regards,
Borg666
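A small parser for the RootAlyzer export posted above, added here as an example (it is not Safer-Networking's code). The record layout, `File:"finding","path"` and `RegyKey:"finding","hive","key","value"`, is inferred from the posted lines; the embedded sample is a subset of them. Grouping the findings by stream name, parent directory and registry key is the first thing a responder does with a log like this, because it shows whether the entries cluster around a few known locations or are scattered.

```python
"""Summarise a Spybot RootAlyzer results export by record type, finding and
location.  Added example for this thread, not Safer-Networking's own code.
The record layout (File:"finding","path" / RegyKey:"finding","hive","key","value")
is inferred from the lines posted above; the sample below is a subset of them."""
import csv
import ntpath
from collections import Counter
from io import StringIO
from typing import Iterator

# Constructed sample: a handful of lines copied from the posted log.
SAMPLE_LOG = r'''// info: Rootkit removal help file
:: RootAlyzer Results
File:"Unknown ADS","C:\ProgramData\Acronis:Win32App_1:$DATA"
File:"Unknown ADS","C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA:$DATA"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-08-06-19-40-20-805-10872"
File:"No admin in ACL","C:\ProgramData\Dropbox\Update\Log\DropboxUpdate.log-2020-08-14-17-28-29-088-9424"
File:"Unknown ADS","C:\Program Files (x86)\Spybot - Search & Destroy 2:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\WinRAR:Win32App_1:$DATA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\CPK2HWU","Final"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","Av"
'''


def parse_records(text: str) -> Iterator[dict]:
    """Yield one dict per result line; comment (//) and header (::) lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//") or line.startswith("::"):
            continue
        rec_type, _, rest = line.partition(":")
        # The remainder is a CSV row of double-quoted fields; the csv module
        # copes with the commas and backslashes inside the quoted paths.
        fields = next(csv.reader(StringIO(rest)))
        if rec_type == "File" and len(fields) == 2:
            yield {"type": "File", "finding": fields[0], "path": fields[1]}
        elif rec_type == "RegyKey" and len(fields) == 4:
            yield {"type": "RegyKey", "finding": fields[0], "hive": fields[1],
                   "key": fields[2], "value": fields[3]}
        else:
            yield {"type": "Unparsed", "finding": "", "raw": line}


def split_ads(path: str) -> tuple[str, str]:
    r"""Split 'C:\dir\name:stream:$DATA' into ('C:\dir\name', 'stream')."""
    drive, colon, rest = path.partition(":")          # keep the drive-letter colon
    base, _, stream = rest.partition(":")
    return drive + colon + base, stream.removesuffix(":$DATA")


def summarize(records) -> dict:
    """Count findings per (type, finding), ADS entries per stream name,
    'No admin in ACL' files per parent directory and registry hits per key,
    so that clusters stand out from one-off entries."""
    records = list(records)
    counts = Counter((r["type"], r["finding"]) for r in records)
    ads_streams = Counter(split_ads(r["path"])[1] for r in records
                          if r["type"] == "File" and r["finding"] == "Unknown ADS")
    acl_dirs = Counter(ntpath.dirname(r["path"]) for r in records
                       if r["type"] == "File" and r["finding"] == "No admin in ACL")
    acl_keys = Counter(r["key"] for r in records if r["type"] == "RegyKey")
    return {"counts": counts, "ads_streams": ads_streams,
            "acl_dirs": acl_dirs, "acl_keys": acl_keys}


if __name__ == "__main__":
    for name, table in summarize(parse_records(SAMPLE_LOG)).items():
        print(name)
        for key, n in table.most_common():
            print(f"  {n:4d}  {key}")
```

Run over the full log in the post, the summary reports 47 "No admin in ACL" files, all in `C:\ProgramData\Dropbox\Update\Log`, and 24 "Unknown ADS" entries, of which 23 are a `Win32App_1` stream on a Program Files or ProgramData folder and one is the `$ETLUNIQUECVDATA` stream on a diagnostics ETL file. Seeing the findings collapse into a few clusters tied to installed software is what lets a reader check each cluster against what is actually installed rather than treating every line as a separate alarm.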
Hi Borg666,

Apologies, I missed this, it was posted to another member's 2021 topic. :)

The RootAlyzer is an analyst tool and not a scan-and-fix program, but the log isn't waving a flag.

How is the computer running, any issues? Also, when you clicked on the .exe, did your anti-virus alert?

Best regards,
tashi
Hi Tashi, all,

Windows Defender seemed to be offline in that situation.
I suspect that I have caught some very nasty malware; my suspicion is that it is a rootkit.

Can anyone confirm or disprove my suspicion?
If it is a rootkit, a normal Windows reinstallation probably isn't enough, is it? Does anyone here have experience with this?


Portable app package:
file name: PowerISO.exe
md5 hash: 3debb2474a113af506a0bb57b8d2aeef
https://www.virustotal.com/gui/file/61de92a79b56d1990608ebffd80869d7c430c859acf4be22a1b9481ad45522b8


The following file is created when the portable app above is started.
When you exit the above app, this file is immediately deleted:

file name: Registry.tlog
alternate file name: android-cts-7.1_r6-linux_x86-arm.zip
md5: D41D8CD98F00B204E9800998ECF8427E
https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Hello Borg666,

The first link to Virus Total has one vendor flagging Trojan.Inject.Win32.309794.

"Windows Defender seemed to be offline in that situation"

Strange.

"Microsoft Defender Antivirus detects and removes this threat."
https://www.microsoft.com/en-us/wds...pedia-description?Name=Trojan:Win32/Inject.AO

The second link is inconclusive; it shows "File distributed by ExpressVPN, Microsoft and others".

If you haven't already please run a scan with your anti-virus enabled.

Best regards,

tashi
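One detail worth checking before reading anything into the second VirusTotal link: both digests posted for Registry.tlog (MD5 D41D8CD98F00B204E9800998ECF8427E, SHA-256 e3b0c442…b855) are the fixed digests of a zero-byte input, so that VirusTotal page describes an empty file, which is why it is "distributed by" so many unrelated publishers. The script below is an added example, not code from the thread or from Safer-Networking; it hashes a file in chunks and flags the empty-file digests, using constructed temporary files as input.

```python
"""Hash triage for a file submitted to VirusTotal.  Added example, not code
from the thread; the two digests posted for Registry.tlog are re-checked
against the fixed MD5/SHA-256 values of a zero-byte input."""
import hashlib
import os
import tempfile
from typing import Optional

# Digests of the empty input (fixed properties of MD5 and SHA-256).
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Values as posted in the thread for Registry.tlog (copied from the post).
POSTED_TLOG_MD5 = "D41D8CD98F00B204E9800998ECF8427E"
POSTED_TLOG_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def file_digests(path: str, chunk: int = 1 << 20) -> dict:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(),
            "size": os.path.getsize(path)}


def classify_digest(md5: Optional[str] = None, sha256: Optional[str] = None) -> str:
    """'empty' if the digest is that of zero bytes (the file had no content when
    it was hashed), otherwise 'content'.  Case-insensitive, since tools differ."""
    if md5 is not None and md5.lower() == EMPTY_MD5:
        return "empty"
    if sha256 is not None and sha256.lower() == EMPTY_SHA256:
        return "empty"
    return "content"


def demo() -> tuple:
    """Constructed inputs: an empty Registry.tlog and a file with content."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "Registry.tlog")
        open(empty, "wb").close()
        filled = os.path.join(tmp, "sample.bin")
        with open(filled, "wb") as fh:
            fh.write(b"constructed sample bytes, not the real executable")
        return file_digests(empty), file_digests(filled)


if __name__ == "__main__":
    print("posted Registry.tlog MD5:", classify_digest(md5=POSTED_TLOG_MD5))
    e, f = demo()
    print("temp Registry.tlog:", e, classify_digest(sha256=e["sha256"]))
    print("sample.bin:", f, classify_digest(sha256=f["sha256"]))
```

An empty-file digest says nothing about what the program later writes into that file, so the page for it is neither a clean nor a malicious verdict. Since the post says the file is deleted when the app exits, the useful artefact is a copy taken while the app is still running, hashed with a routine like `file_digests` and only then looked up.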