- Content source
- https://dai.ly/x9qqhfs
How well can a fully signatureless, heuristic-based cleaner eradicate malware from a Windows system?
Let's find out.
In step 1, we infect the system with an infostealer and confirm the infection with Norton Power Eraser.
In step 2, after a reboot, we scan with Norton Power Eraser again.
Please post any questions, comments and suggestions down below.
**********************
PowerShell transcript start
Start time: 20250917230028
Username: KATYA-LAPTOP\kgeor
RunAs User: KATYA-LAPTOP\kgeor
Configuration Name:
Machine: KATYA-LAPTOP (Microsoft Windows NT 10.0.26100.0)
Host Application: C:\Program Files\PowerShell\7\pwsh.dll
Process ID: 7772
PSVersion: 7.5.3
PSEdition: Core
GitCommitId: 7.5.3
OS: Microsoft Windows 10.0.26100
Platform: Win32NT
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1, 6.0, 7.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
WSManStackVersion: 3.0
**********************
Transcript started, output file is C:\Users\kgeor\Documents\Orion_Logs\Orion_Remediation_Log_2025-09-17_23-00-28.log
7-Zip found at 'C:\Program Files\7-Zip\7z.exe'.
Quarantine IS ENABLED. Artifacts will be moved to a password-protected archive.
================================================================
Welcome to the Orion Standalone Remediation Tool v3.2
================================================================
This script will perform a multi-phase scan of your system for
suspicious artifacts commonly associated with malware.
A detailed log of this session will be saved to:
C:\Users\kgeor\Documents\Orion_Logs\Orion_Remediation_Log_2025-09-17_23-00-28.log
PowerShell 7+ detected. Parallel scanning enabled.
Please select a scan mode:
----------------------------------------------------------------
[ 10 ] Gentle Scan (Log Only) - Finds persistence & logs it.
[ 11 ] Gentle Scan (Remove) - Removes persistence config, leaves files.
----------------------------------------------------------------
[ 20 ] Elevated Scan (Log Only) - Finds files/persistence & logs.
[ 21 ] Elevated Scan (Remove) - Quarantines files & persistence.
----------------------------------------------------------------
[ 30 ] Aggressive Scan (Log Only)- Finds orphans, unsigned processes, etc & logs.
[ 31 ] Aggressive Scan (Remove) - Kills/Quarantines unsigned processes & orphaned folders.
----------------------------------------------------------------
Selected Mode: Aggressive Scan
Remove Actions: True
Press Enter to begin the scan...
--- PRE-FLIGHT CHECK: System Restore Point ---
It is highly recommended to create a System Restore Point before making changes.
Skipping System Restore Point creation.
--- AGGRESSIVE PHASE 1: Terminate Unsigned Running Processes ---
Found running processes that are not digitally signed:
Name ID Path
---- -- ----
Drive 8144 C:\Users\kgeor\AppData\Roaming\sys-driver\Drive.exe
WARNING: WARNING: Terminating these could cause instability if they are part of legitimate (but poorly written) software.
Terminated: Drive (PID: 8144)
Quarantined: C:\Users\kgeor\AppData\Roaming\sys-driver\Drive.exe
True
--- AGGRESSIVE PHASE 2: Clean Orphaned Application Folders ---
Scanning for orphaned application folders...
Found folders in Program Files/ProgramData that may not belong to installed software:
FullName CreationTime
-------- ------------
C:\ProgramData\Norton 17.9.2025 г. 22:59:47
WARNING: EXTREME CAUTION: This could delete shared components or drivers. Review carefully.
Quarantined: C:\ProgramData\Norton
True
--- PHASE 1: Hunting for Suspicious Payloads & Hidden Data ---
Scanning Public and Downloads folders...
Scanning ProgramData and AppData\Roaming for isolated, suspicious files...
Suspicious Files Found in common areas:
FullName
--------
C:\Users\kgeor\Downloads\f00591384ec47004189f26bd3766220e991c70987e0c130331a32c38e3411584\f00591384ec47004189f26bd3766…
Quarantined: C:\Users\kgeor\Downloads\f00591384ec47004189f26bd3766220e991c70987e0c130331a32c38e3411584\f00591384ec47004189f26bd3766220e991c70987e0c130331a32c38e3411584.exe
True
Scanning suspicious files for hidden data streams (ADS)...
--- PHASE 2: Hunting for Masquerading System Processes (Advanced) ---
Running parallel masquerading process scan...
No process masquerading detected in high-risk locations.
--- PHASE 3: Hunting for Suspicious Persistence Mechanisms ---
Sub-Phase 3a: Scanning Registry Run keys for suspicious entries...
Suspicious Run Key Entries Found:
KeyPath Name Value
------- ---- -----
Registry::CurrentUser\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Updater "C:\Users\kgeor\AppData\Roaming\sys-driver\
Drive.exe"
Registry::CurrentUser\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Updater "C:\Users\kgeor\AppData\Roaming\sys-driver\
Drive.exe"
PS>TerminatingError(Get-ItemProperty): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Cannot find path 'CurrentUser\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' because it does not exist."
WARNING: Failed to process registry value 'Updater': Cannot find path 'CurrentUser\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' because it does not exist..Exception.Message
False
PS>TerminatingError(Get-ItemProperty): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Cannot find path 'CurrentUser\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' because it does not exist."
WARNING: Failed to process registry value 'Updater': Cannot find path 'CurrentUser\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' because it does not exist..Exception.Message
False
Sub-Phase 3b: Scanning Scheduled Tasks for suspicious actions...
No suspicious Scheduled Tasks found.
Sub-Phase 3c: Scanning for suspicious WMI persistence...
No suspicious WMI persistence subscriptions found.
Sub-Phase 3d: Hunting for Suspicious Services...
No suspicious services found.
Sub-Phase 3e: Hunting for Suspicious BITS Jobs...
No suspicious BITS jobs found.
Sub-Phase 3f: Hunting for Office Macro Persistence...
No suspicious files found in Office startup locations.
--- PHASE 4: System Integrity & Hardening ---
Scanning for disabled system tools and critical services...
No disabled system tools or critical services found.
Scanning HOSTS file for potential network hijacks...
No active or suspicious HOSTS file entries found.
Scanning Firewall for suspicious outbound rules...
No suspicious outbound firewall rules found.
Scanning for suspicious Defender exclusions...
No suspicious Defender exclusions found.
--- PHASE 5: Proactive System Hygiene ---
Clearing Startup folders...
Cleared: C:\Users\kgeor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Cleared: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
Clearing user temporary files...
PS>TerminatingError(Remove-Item): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: The process cannot access the file 'C:\Users\kgeor\AppData\Local\Temp\0632740e-220e-46a8-a9f4-7e1939299424.tmp' because it is being used by another process."
WARNING: Failed to clear Temp folder: The process cannot access the file 'C:\Users\kgeor\AppData\Local\Temp\0632740e-220e-46a8-a9f4-7e1939299424.tmp' because it is being used by another process..Exception.Message
Emptying Recycle Bin...
Recycle Bin emptied.
--- PHASE 6: Browser Reset ---
This step can remove malicious browser extensions and settings.
It will reset Chrome, Edge, and Firefox profiles by renaming their parent folders.
Your bookmarks and passwords should be preserved if you are signed into a browser account.
Skipping browser reset.
--- PHASE 7: System File Integrity Check & Updates ---
Skipping Windows Update check.
After a malware infection, it's possible that core system files were corrupted.
This final, optional step will use built-in Windows tools to scan for and repair any damage.
Skipping System File Integrity Check.
================================================================
Orion Remediation Script Finished
================================================================
Summary of Actions Taken:
- Quarantine enabled. Archive: C:\Users\kgeor\Documents\Orion_Logs\Orion_Quarantine_2025-09-17_23-00-28.zip
- Terminated unsigned process: Drive
- Quarantined unsigned process executable: C:\Users\kgeor\AppData\Roaming\sys-driver\Drive.exe
- Quarantined orphaned folder: C:\ProgramData\Norton
- Quarantined file: C:\Users\kgeor\Downloads\f00591384ec47004189f26bd3766220e991c70987e0c130331a32c38e3411584\f00591384ec47004189f26bd3766220e991c70987e0c130331a32c38e3411584.exe
- Cleared Startup folder: C:\Users\kgeor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- Cleared Startup folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
- Emptied Recycle Bin
A quarantine archive has been created:
Path: C:\Users\kgeor\Documents\Orion_Logs\Orion_Quarantine_2025-09-17_23-00-28.zip
Password: susp
**********************
PowerShell transcript end
End time: 20250917230305
**********************
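The Sub-Phase 3a lines in the transcript above show the cleaner finding the Run value "Updater" that relaunches Drive.exe and then failing to remove it: "Cannot find path 'CurrentUser\SOFTWARE\...' because it does not exist". PowerShell's Registry provider only knows hive roots such as HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE (or the HKCU: and HKLM: drives), so a path built as `Registry::CurrentUser\...` never resolves, and the persistence entry survives the "remove" run. The following is an added example, not the Orion tool's code and not taken from the video: a log-only Run-key audit written against provider paths that do resolve, with the broken form shown first for contrast. The list of user-writable roots, the "no valid Authenticode signature" heuristic, and the function names are my assumptions.

```powershell
# Added example (not Orion's code): audit Run keys with paths the Registry provider accepts.

# Broken form, as it appears in the transcript: the provider has no root named 'CurrentUser'.
$brokenKey = 'Registry::CurrentUser\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Test-Path -Path $brokenKey    # False: nothing under this path can be read or removed

# Working, provider-qualified forms (HKCU:\... and HKLM:\... drive paths are equivalent).
$runKeys = @(
    'Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Assumed heuristic: flag an entry whose target lives under a user-writable profile path
# or whose binary does not carry a valid Authenticode signature.
$suspiciousRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC)
$providerProps   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunEntryPath {
    param([string]$Value)
    # Strip surrounding quotes and trailing arguments: "C:\dir\app.exe" /arg -> C:\dir\app.exe
    if ($Value -match '^"([^"]+)"') { return $Matches[1] }
    return ($Value -split '\s+')[0]
}

function Find-SuspiciousRunEntries {
    param([string[]]$Keys = $runKeys, [switch]$Remove)
    foreach ($key in $Keys) {
        # Skip keys that are absent instead of throwing, which is what aborted the tool's pass.
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -in $providerProps) { continue }   # provider metadata, not Run values
            $exe = Get-RunEntryPath -Value ([string]$prop.Value)
            $inUserWritable = $suspiciousRoots | Where-Object { $exe -like "$_\*" }
            $sig = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'FileMissing' }
            if ($inUserWritable -or $sig -ne 'Valid') {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Target = $exe; Signature = $sig }
                if ($Remove) {
                    # Only reached with -Remove; the default run is log-only.
                    Remove-ItemProperty -Path $key -Name $prop.Name -ErrorAction Stop
                }
            }
        }
    }
}

# Log-only audit. On the transcript's machine this would list the 'Updater' value pointing at
# C:\Users\kgeor\AppData\Roaming\sys-driver\Drive.exe, since AppData\Roaming is user-writable.
Find-SuspiciousRunEntries | Format-Table -AutoSize
```

The audit is deliberately log-only by default: as the tool's own warnings note, removal actions should be reviewed before they run, and the quarantine of C:\ProgramData\Norton in AGGRESSIVE PHASE 2 shows how a purely heuristic rule can hit legitimate software. Run it with `-Remove` only after confirming the listed target is the one you intend to take out.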