I can't seem to remove a trojan, should I reset my pc ?

  • prescilgema
    PCHF Member
    • Nov 2022
    • 9

    #1

    Hello everyone (excuse my rusty English, I'm French).

    I now regret not having invested in an antivirus earlier, because I am now infected, but it is indeed my fault.

    After I realized that my data was being stolen and that my accounts were being logged into, I did a scan with Windows Defender, which found the Trojan (after I removed the exclusions from the scan, because it was trying to hide). Unfortunately, Windows Defender wasn't powerful enough to remove it, so I looked for a more effective antivirus.

    So I tried BitDefender, and with its full scan it found the Trojan and other junk, but it also failed to remove it. It only manages to prevent it from executing a PowerShell command.

    Then I tried Norton, which doesn't even find it, just like Avast, GridinSoft AntiMalware, and TrojanRemover. (All of these are trial versions; I didn't spend all my money.)

    In the BitDefender scan report, the Trojan is listed under the name "Generic.Trojan.DiscordStealer.B.642CEF03", with the path C:\Windows\System32\config\SOFTWARE => (Embedded EXE g). If I'm not mistaken, it may be because access to this file is very protected; is that why I can't remove it, and why some software can't find it?

    I think I'm losing hope and I think I just need to reset my computer, but I wanted to at least make sure there wasn't one last solution.

    Thank you in advance for your response and time!
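    The two technical points in the post above, exclusions that hid the detection from Defender and an executable reported as embedded in the SOFTWARE hive, can be checked directly. The following is an added example, not code from the thread or from any of the tools PCHF uses; it assumes an elevated PowerShell 5.1 or later session on Windows 10/11 with Microsoft Defender installed. The 4096-byte size cut-off and the `TVq` base64 prefix test are my own heuristics.

```powershell
# Added example (not from the thread). Triage for the two things the post describes:
# Defender exclusions that hid the detection, and an executable stored inside the
# HKLM\SOFTWARE hive. Run from an elevated PowerShell 5.1+ prompt on Windows 10/11.

# --- 1. Defender exclusions ---------------------------------------------------
# Malware frequently adds its own paths/processes here so scans skip it.
# Get-MpPreference is the supported cmdlet; the registry key beneath it is the
# same data (it is what an FRST "ExportKey:" of the Exclusions key dumps).
# Reading either needs elevation.
function Get-DefenderExclusions {
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($pref.ExclusionPath)
        Extensions = @($pref.ExclusionExtension)
        Processes  = @($pref.ExclusionProcess)
    }
}

function Get-DefenderExclusionsFromRegistry {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            # Subkeys are Paths / Extensions / Processes; each excluded item is a value name.
            [pscustomobject]@{ Type = $key.PSChildName; Excluded = $name }
        }
    }
}

# --- 2. PE images stored as registry data -------------------------------------
# "Embedded EXE" in a scanner report usually means a PE file stored as a value,
# either raw (REG_BINARY beginning with the "MZ" header) or base64-encoded in a
# string ("TVq" is how the bytes "MZ\x90" begin when base64-encoded), which a
# small loader, often a PowerShell one-liner, reads and runs in memory.
# $MinSize is a heuristic cut-off (assumption) to skip small blobs such as icons.
function Find-EmbeddedPE {
    param(
        [string]$Root = 'HKLM:\SOFTWARE',
        [int]$MinSize = 4096
    )
    # Recursing the whole SOFTWARE hive takes a minute or two; access-denied
    # keys are skipped silently.
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            $data = $key.GetValue($name)
            $hit  = $false
            if ($kind -eq [Microsoft.Win32.RegistryValueKind]::Binary) {
                $hit = ($data.Length -ge $MinSize) -and ($data[0] -eq 0x4D) -and ($data[1] -eq 0x5A)
            }
            elseif ($kind -eq [Microsoft.Win32.RegistryValueKind]::String -or
                    $kind -eq [Microsoft.Win32.RegistryValueKind]::ExpandString) {
                $hit = ($data.Length -ge $MinSize) -and $data.StartsWith('TVq')
            }
            if ($hit) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Kind = $kind; Bytes = $data.Length }
            }
        }
    }
}

Get-DefenderExclusions | Format-List
Get-DefenderExclusionsFromRegistry | Format-Table -AutoSize
Find-EmbeddedPE | Format-Table -AutoSize
```

    Any exclusion you did not add yourself is worth recording before it is removed, since it tells you where the malware lives. A hit from `Find-EmbeddedPE` gives you the exact key and value to export (for example with `reg.exe export`) for a second opinion, and the key to delete once the loader that reads it has been found and removed.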
  • Malnutrition
    PCHF Moderator
    • Jul 2016
    • 7045

    #2
    Welcome to PCHF

    Make sure to remove all antivirus products prior to running Autologger; if you have multiple there can be conflicts. You can reinstall one of your choice after we are done here.

    Remove them all with Geek Uninstaller, then reboot and run Autologger. I suggest using force mode for a quicker operation; we can remove any traces of any antivirus that remains later in the thread.


    Download Autologger to your desktop.
    Disable your Antivirus/Defender prior to running.
      • Unzip it there. If you are unsure how to unzip a program, then use http://www.7-zip.org/
      • Right click Autologger and run as admin. (XP users double click.)
      • AVZ4 will open and scan your machine; allow this to complete.
      • Upload Collectionlog.zip to your next reply.


    • Malnutrition
      PCHF Moderator
      • Jul 2016
      • 7045

      #3
      If you are unable to use Autologger, then let me know I can walk you thru any steps, or we can use another tool… just ask.


      • prescilgema
        PCHF Member
        • Nov 2022
        • 9

        #4
        Hello,

        It's all good, no worries! Norton is still on my computer, even though I did uninstall it, but I will see to that later.


        • Malnutrition
          PCHF Moderator
          • Jul 2016
          • 7045

          #5
          Ok, this will take me about 30 minutes to look over.

          While you wait run this tool, it is just a basic crapware remover.

          Adware Cleaner
            • Download AdwCleaner and save it to your Desktop
            • Right-click on AdwCleaner.exe and select Run as Administrator
            • Accept the EULA (I accept), then click on Scan Now
            • Let the scan complete
            • Once the scan completes, make sure that every item listed in the different tabs is checked and click on the Clean & Repair button
            • Subsequently you may be asked to Run Basic Repair. This is optional. I would suggest holding off on this for now.
            • Once the cleaning process is complete, AdwCleaner will ask you to restart your computer
            • Close all other open windows and allow it to restart
            • After the restart, Notepad will open with the AdwCleaner cleaning log
            • Please attach the contents of that log in your next reply to me


          • prescilgema
            PCHF Member
            • Nov 2022
            • 9

            #6
            Oh, I didn't mention it, but AdwCleaner was the first thing I tried, and it didn't find anything, and still doesn't.


            • Malnutrition
              PCHF Moderator
              • Jul 2016
              • 7045

              #7


              I have found a suspicious file on your machine. Do you have any idea what this is? I do not want to remove things that you may have installed…

              C:\Users\Prescilia\AppData\Roaming\OzqLuwrCYU



              Run the Norton Removal Tool.
              Use Avast Removal Tool as well.



              Right click HijackThis and run as admin (it is located in the Autologger folder on your desktop).

              Click on "Do a system scan", then check the items listed below. Make sure to check only these, then click "Fix checked".
              O21 - HKLM..\ShellIconOverlayIdentifiers\ OneDrive1: (no name) - {BBACC218-34EA-4666-9D7A-C78F2274A524} - (no file)
              O21 - HKLM..\ShellIconOverlayIdentifiers\ OneDrive2: (no name) - {5AB7172C-9C11-405C-8DD5-AF20F3606282} - (no file)
              O21 - HKLM..\ShellIconOverlayIdentifiers\ OneDrive3: (no name) - {A78ED123-AB77-406B-9962-2A5D9D2F7F30} - (no file)
              O21 - HKLM..\ShellIconOverlayIdentifiers\ OneDrive4: (no name) - {F241C880-6982-4CE5-8CF7-7085BA96DA5A} - (no file)
              O21 - HKLM..\ShellIconOverlayIdentifiers\ OneDrive5: (no name) - {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} - (no file)
              O21 - HKLM..\ShellIconOverlayIdentifiers\ OneDrive6: (no name) - {9AA2F32D-362A-42D9-9328-24A483E2CCC3} - (no file)
              O21 - HKLM..\ShellIconOverlayIdentifiers\ OneDrive7: (no name) - {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} - (no file)
              O21-32 - HKLM..\ShellIconOverlayIdentifiers\ OneDrive1: (no name) - {BBACC218-34EA-4666-9D7A-C78F2274A524} - (no file)
              O21-32 - HKLM..\ShellIconOverlayIdentifiers\ OneDrive2: (no name) - {5AB7172C-9C11-405C-8DD5-AF20F3606282} - (no file)
              O21-32 - HKLM..\ShellIconOverlayIdentifiers\ OneDrive3: (no name) - {A78ED123-AB77-406B-9962-2A5D9D2F7F30} - (no file)
              O21-32 - HKLM..\ShellIconOverlayIdentifiers\ OneDrive4: (no name) - {F241C880-6982-4CE5-8CF7-7085BA96DA5A} - (no file)
              O21-32 - HKLM..\ShellIconOverlayIdentifiers\ OneDrive5: (no name) - {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} - (no file)
              O21-32 - HKLM..\ShellIconOverlayIdentifiers\ OneDrive6: (no name) - {9AA2F32D-362A-42D9-9328-24A483E2CCC3} - (no file)
              O21-32 - HKLM..\ShellIconOverlayIdentifiers\ OneDrive7: (no name) - {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} - (no file)
              O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{91B38611-608D-4DE1-89AA-A7DCAC96AD96} - (no key)
              O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{91B38611-608D-4DE1-89AA-A7DCAC96AD96} - \GoogleUpdateTaskMachineQC (no xml)
              O22 - Tasks: \Microsoft\Windows Live\SOXE\Extractor Definitions Update Task - {3519154C-227E-47F3-9CC9-12C3F05817F1} - (no file)
              O22 - Tasks: \Microsoft\Windows\WaaSMedic\PerformRemediation - {72566E27-1ABB-4EB3-B4F0-EB431CB1CB32},None - (no file)
              O22 - Tasks: OneDrive Standalone Update Task-S-1-5-21-1564632507-2548938045-3526008437-1001 - C:\Users\Prescilia\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe (file missing)
              O22 - Tasks_Migrated: \Microsoft\Windows Live\SOXE\Extractor Definitions Update Task - {3519154C-227E-47F3-9CC9-12C3F05817F1} - (no file)
              O22 - Tasks_Migrated: \Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner - C:\WINDOWS\system32\mitigationscanner.exe (file missing)
              O22 - Tasks_Migrated: \Microsoft\Windows\WaaSMedic\PerformRemediation - {72566E27-1ABB-4EB3-B4F0-EB431CB1CB32},None - (no file)
              O23 - Service S2: AvastWscReporter - C:\Program Files\Avast Software\Avast\wsc_proxy.exe /runassvc /rpcserver (file missing)


              • Malnutrition
                PCHF Moderator
                • Jul 2016
                • 7045

                #8


                Please download the FRST 32 bit or FRST 64 bit version to suit your operating system. It is important that FRST is downloaded to your desktop.

                If you are unsure whether your operating system is 32 or 64 bit, please go HERE.
                Once downloaded, right click the FRST desktop icon and select "Run as administrator" from the menu.
                If you receive any security warnings, or the User Account Control warning opens at any time whilst using FRST, you can safely allow FRST to proceed.
                FRST will open with two dialogue boxes; accept the disclaimer.
                Then select Scan.
                FRST will take a few minutes to scan your computer, and when finished will produce two log files on your desktop, FRST.txt and Addition.txt. They will display immediately on the desktop, but can be reopened later as a Notepad file.
                Please attach the contents of these logs in your next post for review by our Security Team.


                • prescilgema
                  PCHF Member
                  • Nov 2022
                  • 9

                  #9
                  Here they are, thanks again for helping me!

                  I deleted the suspicious file; I didn't know what it was.

                  Also, during the FRST scan, Windows Defender warned me about the Trojan again, "Trojan:Win64/SpyLoader.MFP!MTB", and it says that it affects these elements; I don't know if it's helpful or not:

                  file: C:\Program Files\Google\Chrome\updater.exe
                  file: C:\Users\Prescilia\AppData\Local\Google\brave.exe
                  file: C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineQC->(UTF-16LE)
                  regkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{91B38611-608D-4DE1-89AA-A7DCAC96AD96}
                  regkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineQC
                  taskscheduler: C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineQC

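                  The detection in the post above is a classic persistence pattern: a scheduled task with a Google-sounding name pointing at binaries in places the real Google updater does not use. Rather than trusting names, a practitioner checks what each task actually runs and who signed it. The following is an added example, not code from the thread or from the tools used in it; it assumes an elevated PowerShell 5.1 or later session on Windows 10/11 with the ScheduledTasks module. The expected signer name `Google LLC`, the `GoogleUpdate*` name pattern and the "runs from a user profile" rule are my own heuristics, and the VirusTotal link is only built from the hash, never fetched.

```powershell
# Added example (not from the thread). Triage every scheduled task: resolve the
# program it runs, check its Authenticode signature, hash it for a VirusTotal
# lookup, and flag the patterns visible in the Defender detection above: a task
# with a Google-style name whose binary is not signed by Google, a binary that
# lives under a user profile, or a task whose binary is missing. Run elevated on
# Windows 10/11 with PowerShell 5.1+ (ScheduledTasks module).

function Get-TaskExecutable {
    param([string]$Execute)
    # Execute holds the program only (arguments are separate); it may be quoted
    # and may use %windir%-style variables.
    $path = if ($Execute -match '^"([^"]+)"') { $matches[1] } else { $Execute.Trim() }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    # Unqualified names such as cmd.exe resolve through PATH like the scheduler does.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        $cmd = Get-Command -Name $path -CommandType Application -ErrorAction SilentlyContinue
        if ($cmd) { $path = ($cmd | Select-Object -First 1).Source }
    }
    return $path
}

function Get-TaskTriage {
    param(
        # Signer CN expected for tasks whose name starts with "GoogleUpdate" (assumption).
        [string]$GoogleSigner = 'Google LLC'
    )
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($act in $task.Actions) {
            if (-not $act.Execute) { continue }   # COM-handler actions have no Execute
            $exe = Get-TaskExecutable $act.Execute
            $signer = $null; $status = 'Missing'; $sha256 = $null
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                # Catalog-signed Windows binaries also report Valid here.
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $status = [string]$sig.Status
                if ($sig.SignerCertificate) {
                    $signer = $sig.SignerCertificate.GetNameInfo(
                        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
                }
                $sha256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            }
            $reasons = @()
            if ($status -ne 'Valid') { $reasons += "signature $status" }
            if ($task.TaskName -like 'GoogleUpdate*' -and $signer -ne $GoogleSigner) {
                $reasons += 'Google-style task name, not Google-signed'
            }
            if ($exe -match '\\Users\\[^\\]+\\AppData\\') { $reasons += 'runs from a user profile' }
            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                Executable = $exe
                Arguments  = $act.Arguments
                Signer     = $signer
                Status     = $status
                SHA256     = $sha256
                VirusTotal = if ($sha256) { "https://www.virustotal.com/gui/file/$($sha256.ToLower())" }
                Reasons    = $reasons -join '; '
            }
        }
    }
}

# Only the flagged tasks; drop the Where-Object to see everything.
Get-TaskTriage | Where-Object Reasons | Sort-Object Task | Format-List
```

                  Legitimate unsigned tasks (some vendor updaters, scripts you created) will show up too, so read the output rather than deleting from it; the value is the combination of task name, executable location, signer and hash, which is exactly what a helper needs to confirm a detection like the one above.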

                  • Malnutrition
                    PCHF Moderator
                    • Jul 2016
                    • 7045

                    #10
                    OK, I apologize but I need these logs in english please. You can do that for me by renaming FRST

                    Sorry for the inconvenience.

                    I’d like to have these logs in English please.
                    Right Click on FRST64 and rename the FRST file to FRST64english.exe
                    Please then re-run the scan and post the FRST and Addition.txt logs.
                    Make sure and still run the program as Administrator.


                    • prescilgema
                      PCHF Member
                      • Nov 2022
                      • 9

                      #11
                      No problems !


                      • Malnutrition
                        PCHF Moderator
                        • Jul 2016
                        • 7045

                        #12
                        OK, I’ll take a look now.


                        • Malnutrition
                          PCHF Moderator
                          • Jul 2016
                          • 7045

                          #13
                          These are files I do not recognize, and they are queued for a scan at VirusTotal with this FRST fix I am posting. They may indeed need to be removed, but we will see what the report says first. They may be legit; I have just not seen them. The way I have them listed in the FRST fix will only scan them at VirusTotal.

                          C:\Program Files\icudtl.dat
                          C:\Program Files\glcards.dat
                          C:\WINDOWS\system32\httpproxy.json
                          C:\WINDOWS\system32\ctc.json
                          C:\Users\Prescilia\AppData\Roaming\.cache3678791056.dat
                          C:\Program Files\uninstaller_helper.exe


                          FRST Fix.
                          Download the attached fixlist.txt file and save it to the Desktop.
                          NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
                          NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
                          Run FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
                          When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.



                          Download RogueKiller and install the program.
                          Once downloaded and installed, right click and run as admin.
                          Click the check for updates button.
                          Go to scan setting then slide the MalPE option right to activate.
                          Then go to scan, then start a full scan on your machine.
                          Then click report when the scan completes.
                          Under Share my report click on open then select text file.
                          Copy it and paste the results here.
                          Make sure you do not remove anything detected until I see the log please.



                          Download Malwarebytes v4. Install and run.

                            • Once the MBAM dashboard opens, click on Settings (gear icon).
                            • Click on the Security tab and make sure that all four Scan options are enabled.
                            • Close Settings and click on the Scan button on the dashboard.
                            • Once the scan is completed, make sure you have it quarantine any detections it finds.
                            • If no detections were found, click on the Save results drop-down, then the Export to TXT button, and save the file as a text file to your desktop.
                            • If there were detections, then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a text file to your desktop or another location you can find, and attach that log in your next reply.
                            • If the computer restarted to quarantine, you can access the logs from Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a text file to your desktop or another location you can find, and include that log in your next reply.


                          • Malnutrition
                            PCHF Moderator
                            • Jul 2016
                            • 7045

                            #14
                            @prescilgema if you need help with the instructions, let me know.


                            • Malnutrition
                              PCHF Moderator
                              • Jul 2016
                              • 7045

                              #15
                              Copy the content of the code box below, paste it into Notepad and save it as fixlist.txt to your desktop. Then right click FRST64, run as admin, and hit the Fix button.

                              Note: Do not copy the word code!!
                              Code:
                              Start::
                              CloseProcesses:
                              SystemRestore: On
                              CreateRestorePoint:
                              RemoveProxy:
                              AV: Norton 360 (Disabled - Up to date) {AECE2126-F4E7-6909-11F2-1B69D1FBCBD0}
                              FW: Norton 360 (Enabled) {96F5A003-BE88-6851-3AAD-B25C2F288CAB}
                              AlternateDataStreams: C:\ProgramData\TEMP:CB0AACC9 [135]
                              C:\WINDOWS\system32\drivers\etc\hosts
                              Hosts:
                              FirewallRules: [{4F05D070-02C4-4EAB-9031-310919F657E5}] => (Allow) LPort=5357
                              HKLM\...\Run: [CL-26-DAC77647-06F3-40D3-8B5E-C6DB493ADBBF] => "C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-DAC77647-06F3-40D3-8B5E-C6DB493ADBBF\setuplauncher.exe" /run:Installer.exe /args:"/setup-folder:"CL-26-DAC77647-06F3-40D3-8B5E-C6DB493 (the data entry has 7 more characters). (No File)
                              S4 AvastWscReporter; "C:\Program Files\Avast Software\Avast\wsc_proxy.exe" /runassvc /rpcserver [X]
                              S3 nsvst_NGC; \SystemRoot\System32\drivers\NGCx64\16160A0.009\nsvst.sys [X]
                              S3 SymEvnt; \??\C:\Program Files\Norton Security\NortonData\22.22.10.9\SymPlatform\SymEvnt.sys [X]
                              HKU\S-1-5-21-1564632507-2548938045-3526008437-1002\...\MountPoints2: {3246c72c-65c5-11ed-bbe7-b06ebfacad7a} - "E:\OnePlus_setup.exe" /s
                              HKU\S-1-5-21-1564632507-2548938045-3526008437-1002\...\MountPoints2: {dadd6067-8608-11ec-bbd1-00e18cb25f92} - "E:\OnePlus_setup.exe" /s
                              ShortcutAndArgument: Alertes de surveillance de l'encre - HP ENVY 4500 series.lnk -> C:\Windows\system32\RunDll32.exe => "C:\Program Files\HP\HP ENVY 4500 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN53R222NZ060F;CONNECTION=USB;MONITOR=1;
                              Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
                              Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
                              Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
                              Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
                              S4 AvastWscReporter; "C:\Program Files\Avast Software\Avast\wsc_proxy.exe" /runassvc /rpcserver [X]
                              U1 aswbdisk; no ImagePath
                              C:\ProgramData\agent.uninstall.1669593020.bdinstall.v2.bin
                              C:\ProgramData\cl.uninstall.1669592932.bdinstall.v2.bin
                              S4 AvastWscReporter; "C:\Program Files\Avast Software\Avast\wsc_proxy.exe" /runassvc /rpcserver [X]
                              S3 aswWintun; C:\WINDOWS\System32\drivers\aswWintun.sys [37104 2022-11-27] (Avast Software s.r.o. -> WireGuard LLC)
                              2022-11-28 02:10 - 2022-11-28 02:10 - 000000000 ____D C:\Program Files\Common Files\Avast Software
                              2022-11-27 21:06 - 2022-11-28 00:55 - 000000000 ____D C:\Users\Prescilia\AppData\Local\Avast Software
                              2022-11-27 21:01 - 2022-11-28 02:11 - 000000000 ____D C:\ProgramData\Avast Software
                              2022-11-27 21:00 - 2022-11-27 21:00 - 000268488 _____ (AVAST Software) C:\Users\Prescilia\Downloads\avast_one_free_antivirus.exe
                              Task: {A78A458F-3B97-4A55-AD08-361692BC70BB} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton 360\Upgrade.exe [2353000 2022-11-07] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
                              S3 SymEvnt; \??\C:\Program Files\Norton Security\NortonData\22.22.10.9\SymPlatform\SymEvnt.sys [X]
                              2022-11-26 15:57 - 2022-11-28 01:54 - 000000000 ____D C:\ProgramData\Norton
                              2022-11-26 15:57 - 2022-11-26 15:57 - 004061136 _____ (NortonLifeLock Inc.) C:\Users\Prescilia\Downloads\N360Downloader.exe
                              2022-11-26 15:57 - 2022-11-26 15:57 - 000000000 ____D C:\ProgramData\NortonInstaller
                              C:\Program Files\Common Files\Symantec Shared
                              2022-11-26 13:44 - 2022-11-26 13:44 - 000000000 ____D C:\ProgramData\48C4687D-9760-4F5B-BAB3-60351B0841E4
                              2022-11-26 13:42 - 2022-11-26 13:42 - 000156348 _____ C:\ProgramData\agent.1669466531.bdinstall.v2.bin
                              2022-11-28 02:18 - 2019-12-07 15:50 - 000792972 _____ C:\WINDOWS\system32\perfh00C.dat
                              2022-11-28 02:18 - 2019-12-07 15:50 - 000150102 _____ C:\WINDOWS\system32\perfc00C.dat
                              ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} =>  -> No File
                              ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} =>  -> No File
                              ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} =>  -> No File
                              ShellIconOverlayIdentifiers-x32: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} =>  -> No File
                              ShellIconOverlayIdentifiers-x32: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} =>  -> No File
                              ShellIconOverlayIdentifiers-x32: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} =>  -> No File
                              ContextMenuHandlers1: [NortonLifeLock.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} =>  -> No File
                              ContextMenuHandlers2: [NortonLifeLock.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} =>  -> No File
                              ContextMenuHandlers6: [NortonLifeLock.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} =>  -> No File
                              FirewallRules: [{DA2FB396-8237-4A90-B56B-4A97430850A8}] => (Allow) C:\ProgramData\Blackmagic Design\DaVinci Resolve\Support\QtDecoder\QTDecoder.exe => No File
                              FirewallRules: [{FAABC69B-7D31-4CD4-B4CC-35DFC5CC577A}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\OxygenPanelDaemon.exe => No File
                              FirewallRules: [{69CA6A0E-A8C9-4FA7-BA52-7B6640D9031A}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\ElementsPanelDaemon.exe => No File
                              FirewallRules: [UDP Query User{3391DB04-93F8-4B6B-B256-7119E3F37BDC}C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe => No File
                              FirewallRules: [TCP Query User{A04E0A12-493E-45F5-814A-2B052091643F}C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe => No File
                              FirewallRules: [UDP Query User{F55FC9BB-6E36-4464-A016-960E125BF9D2}C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe => No File
                              FirewallRules: [TCP Query User{6850BD97-480A-4793-BFBC-723A89A66E76}C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe => No File
                              FirewallRules: [UDP Query User{BFD9DB61-75E9-45DE-BEF7-BAC8F815B4B3}C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe => No File
                              FirewallRules: [TCP Query User{F68CDE9A-A761-451A-9B86-BBABF3A1C047}C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe => No File
                              FirewallRules: [UDP Query User{70455248-EDED-4286-A7E0-B5DBD3C8577F}C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe => No File
                              FirewallRules: [TCP Query User{A68371DF-E0F8-4C1E-A65C-F8BE67272FC5}C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe => No File
                              FirewallRules: [{24D7F8DC-8FCA-4A0F-A92C-9030859FCD9A}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
                              FirewallRules: [{A2DC6E5F-E0B8-4467-AA7F-1E7E97538912}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
                              FirewallRules: [UDP Query User{F9C6E7E5-A9B2-4E57-B229-EE5BE6F959E2}C:\program files (x86)\java\jre1.8.0_261\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_261\bin\javaw.exe => No File
                              FirewallRules: [TCP Query User{4EE9E7E3-8F8E-4C7A-A1A3-7FAB3ABA48BE}C:\program files (x86)\java\jre1.8.0_261\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_261\bin\javaw.exe => No File
                              FirewallRules: [{4F05D070-02C4-4EAB-9031-310919F657E5}] => (Allow) LPort=5357
                              FirewallRules: [{A30EC94D-5C40-412E-A064-D794332F9E28}] => (Allow) LPort=1900
                              FirewallRules: [{38C29492-283D-4A9F-B340-8D30A0CD1FB7}] => (Allow) LPort=2869
                              File: C:\Program Files\icudtl.dat
                              File: C:\Program Files\glcards.dat
                              File: C:\WINDOWS\system32\httpproxy.json
                              File: C:\WINDOWS\system32\ctc.json
                              File: C:\Users\Prescilia\AppData\Roaming\.cache3678791056.dat
                              VirusTotal: C:\WINDOWS\system32\httpproxy.json
                              VirusTotal: C:\WINDOWS\system32\ctc.json
                              VirusTotal: C:\Users\Prescilia\AppData\Roaming\.cache3678791056.dat
                              VirusTotal: C:\Program Files\glcards.dat
                              VirusTotal: C:\Program Files\icudtl.dat
                              VirusTotal: C:\Program Files\uninstaller_helper.exe
                              cmd: netsh winsock reset catalog
                              cmd: netsh int ip reset C:\resettcpip.txt
                              cmd: net stop bits
                              Move: C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db.old
                              cmd: net start bits
                              cmd:  bitsadmin /list /allusers
                              CMD: "%WINDIR%\SYSTEM32\lodctr.exe /R"
                              CMD: "%WINDIR%\SysWOW64\lodctr.exe /R"
                              CMD: "C:\Windows\SYSTEM32\lodctr.exe /R"
                              CMD: "C:\Windows\SysWOW64\lodctr.exe /R"
                              CMD: del /f /s /q %windir%\prefetch\*.*
                              CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
                              CMD: del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
                              CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
                              CMD: MsiExec.exe /I{19C3AB22-3718-4E4D-B203-242F5001565B}
                              CMD: ipconfig /flushdns
                              C:\Windows\Temp\*.*
                              C:\WINDOWS\system32\*.tmp
                              C:\WINDOWS\syswow64\*.tmp
                              ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
                              emptytemp:
                              Reboot:
                              End::
