@Malnutrition here are the logs:
Backdoor on my pc (Solved)
-
No problem. Did you create and are you aware of this user?
hermi (S-1-5-21-13960046-46231223-1468497707-1002 - Administrator - Enabled) => C:\Users\hermi
-
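The question above about the "hermi" account is the one a responder asks first: an enabled local administrator the owner did not create is the simplest backdoor there is. The following is an added example, not code from the thread or from ZHP Suite, that answers that question on the machine itself. It lists every local account with its SID, whether it is enabled, whether it is a member of the local Administrators group (looked up by the well-known SID S-1-5-32-544, so it also works on non-English Windows where the group name is localized), and when its profile folder was created. The RID at the end of a SID (1002 for hermi in the log) is handed out from 1000 upward as accounts are created after installation, so a second, enabled, user-created administrator is exactly what the sort order pushes to the top. The disable line at the end is left commented out; decide after reading the list.

```powershell
# Added example (not from the thread, ZHP Suite, FRST or RogueKiller).
# Audit local accounts: who is enabled, who is a local administrator, and when
# each profile folder appeared. Requires the built-in LocalAccounts module
# (Windows 10/11, PowerShell 5.1 or later); run from an elevated prompt.

# Members of the local Administrators group, looked up by the well-known SID
# rather than by name, which is localized on non-English Windows.
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object { $_.SID.Value }

# Profile folders keyed by SID; the folder creation time is a usable
# "first seen" date for any account that was logged into at least once.
$profiles = @{}
Get-CimInstance -ClassName Win32_UserProfile | ForEach-Object { $profiles[$_.SID] = $_ }

$report = Get-LocalUser | ForEach-Object {
    $sid     = $_.SID.Value
    $rid     = [int]($sid -split '-')[-1]   # 500/501/503/504 are built-in; >= 1000 were created later
    $profile = $profiles[$sid]
    $created = $null
    if ($profile -and (Test-Path -LiteralPath $profile.LocalPath)) {
        $created = (Get-Item -LiteralPath $profile.LocalPath).CreationTime
    }
    [pscustomobject]@{
        Name            = $_.Name
        SID             = $sid
        BuiltIn         = $rid -lt 1000
        Enabled         = $_.Enabled
        LocalAdmin      = $adminSids -contains $sid
        PasswordLastSet = $_.PasswordLastSet
        LastLogon       = $_.LastLogon
        ProfilePath     = if ($profile) { $profile.LocalPath } else { '(never logged on)' }
        ProfileCreated  = $created
    }
}

# Enabled, non-built-in administrators first: that is where a planted account shows up.
$report |
    Sort-Object @{ Expression = { $_.Enabled -and $_.LocalAdmin -and -not $_.BuiltIn }; Descending = $true }, Name |
    Format-Table -AutoSize

# If an account in the list is not yours, disable it rather than delete it:
# deleting destroys evidence (profile folder, event-log correlation by SID).
# Disable-LocalUser -Name 'hermi'
```

Run it as the machine owner and compare the output with the accounts you remember creating; a password set or a last logon at a time you were not at the keyboard is as telling as the account itself.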
Right-click ZHP Suite.
Run as admin.
Click on Repair.
Copy the content of the quote box below.
In the top right, click on "Paste a report".
It will be the second down from the top right.
Then click on "Start script" at the top left.
[Image attachment: 1671502521969.png (https://pchelpforum.net/attachments/1671502521969-png.11054/)]
Code:
CreateRestorePoint
EmptyCLSID
EmptyFlash
EmptyTemp
EmptyTracing
EmptyPrefetch
EmptyProxy
EmptyRecycle
O4 - HKLM..\Wow6432Node\Run: [Lightshot] . (. - .) – C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe (.Not File.) =>.SUP.Orphan
HKLM\SOFTWARE\RAVAntivirus
HKLM\SOFTWARE\Symantec =>.Symantec
HKLM\SOFTWARE\TeamViewer =>.TeamViewer GmbH
HKLM\SOFTWARE\WOW6432Node\McAfee =>.McAfee Inc.
HKLM\SOFTWARE\WOW6432Node\mcafeeupdater =>.McAfee Inc.
HKLM\SOFTWARE\WOW6432Node\Symantec =>.Symantec
HKLM\SOFTWARE\WOW6432Node\WiseCleaner =>.wisecleaner
HKCU\SOFTWARE\0046085e-ca7d-5ae0-84da-edb50a69f027 =>Adware.CrossRider
HKCU\SOFTWARE\22789c4f-79c4-5364-9ee1-c5a09f5035b1 =>Adware.CrossRider
HKCU\SOFTWARE\AvastAdSDK =>.Avast Software s.r.o
HKCU\SOFTWARE\d294c24a-fad9-5048-ad38-b25b1ab733a1 =>Adware.CrossRider
HKCU\SOFTWARE\da60f423-202e-5908-a438-cd6fbbc819c8 =>Adware.CrossRider
HKCU\SOFTWARE\f844a100-2ca0-51d4-8013-d11548b01669 =>Adware.CrossRider
HKCU\SOFTWARE\Opera Software =>.Opera Software
HKCU\SOFTWARE\Opera Stable Offer =>.Opera Software
HKCU\SOFTWARE\TeamViewer =>.TeamViewer GmbH
HKCU\SOFTWARE\AppDataLow\Software\Norton =>.Symantec Corporation
HKU.DEFAULT\SOFTWARE\Norton =>.Symantec Corporation
HKU\S-1-5-21-13960046-46231223-1468497707-1001\SOFTWARE\0046085e-ca7d-5ae0-84da-edb50a69f027 =>Adware.CrossRider
HKU\S-1-5-21-13960046-46231223-1468497707-1001\SOFTWARE\22789c4f-79c4-5364-9ee1-c5a09f5035b1 =>Adware.CrossRider
HKU\S-1-5-21-13960046-46231223-1468497707-1001\SOFTWARE\AvastAdSDK =>.Avast Software s.r.o
HKU\S-1-5-21-13960046-46231223-1468497707-1001\SOFTWARE\d294c24a-fad9-5048-ad38-b25b1ab733a1 =>Adware.CrossRider
HKU\S-1-5-21-13960046-46231223-1468497707-1001\SOFTWARE\da60f423-202e-5908-a438-cd6fbbc819c8 =>Adware.CrossRider
HKU\S-1-5-21-13960046-46231223-1468497707-1001\SOFTWARE\f844a100-2ca0-51d4-8013-d11548b01669 =>Adware.CrossRider
HKU\S-1-5-21-13960046-46231223-1468497707-1001\SOFTWARE\Norton =>.Symantec Corporation
O43 - CFD: 12/02/2021 - D – C:\ProgramData\McAfee
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]:C:\Program Files\McAfee\WebAdvisor\uihost.exe.FriendlyAppName
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]:C:\Program Files\McAfee\WebAdvisor\uihost.exe.ApplicationCompany
[HKU\S-1-5-21-13960046-46231223-1468497707-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]:C:\Program Files\McAfee\WebAdvisor\uihost.exe.FriendlyAppName
[HKU\S-1-5-21-13960046-46231223-1468497707-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]:C:\Program Files\McAfee\WebAdvisor\uihost.exe.ApplicationCompany
O43 - CFD: 30/04/2021 - D – C:\ProgramData\Norton
O43 - CFD: 07/12/2019 - D – C:\ProgramData\NortonInstaller
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]:C:\Program Files\Norton Security\Engine\22.17.1.50\NortonSecurity.exe
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]:C:\Program Files\Norton Security\Engine\22.20.2.57\uiStub.exe.FriendlyAppName
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]:C:\Program Files\Norton Security\Engine\22.20.2.57\uiStub.exe.ApplicationCompany
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]:C:\Program Files\Norton Security\Engine\22.20.4.57\uiStub.exe.FriendlyAppName
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]:C:\Program Files\Norton Security\Engine\22.20.4.57\uiStub.exe.ApplicationCompany
[HKU\S-1-5-21-13960046-46231223-1468497707-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]:C:\Program Files\Norton Security\Engine\22.17.1.50\NortonSecurity.exe
[HKU\S-1-5-21-13960046-46231223-1468497707-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]:C:\Program Files\Norton Security\Engine\22.20.2.57\uiStub.exe.FriendlyAppName
[HKU\S-1-5-21-13960046-46231223-1468497707-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]:C:\Program Files\Norton Security\Engine\22.20.2.57\uiStub.exe.ApplicationCompany
[HKU\S-1-5-21-13960046-46231223-1468497707-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]:C:\Program Files\Norton Security\Engine\22.20.4.57\uiStub.exe.FriendlyAppName
[HKU\S-1-5-21-13960046-46231223-1468497707-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]:C:\Program Files\Norton Security\Engine\22.20.4.57\uiStub.exe.ApplicationCompany
HKU\S-1-5-21-13960046-46231223-1468497707-1001\SOFTWARE\TeamViewer
O43 - CFD: 06/07/2021 - [0] D – C:\Program Files\RAVAntivirus
O43 - CFD: 18/03/2021 - [0] D – C:\Program Files (x86)\360
O43 - CFD: 18/03/2021 - SHD – C:\ProgramData\360Quarant
O43 - CFD: 18/03/2021 - – C:\Windows\System32\Config\systemprofile\AppData\Roaming\360safe
O43 - CFD: 04/12/2020 - [0] D – C:\ProgramData\{1BD627EA-33FE-5F92-6BA6-77BA834EAF62}
O43 - CFD: 27/02/2021 - D – C:\Users\PCGAMER\AppData\Local\jILhSZuRqThbQPTW9VU
O43 - CFD: 09/10/2021 - D – C:\Users\PCGAMER\AppData\Local\UTW008
O43 - CFD: 18/05/2022 - D – C:\Users\PCGAMER\AppData\Local_
O43 - CFD: 29/10/2020 - D – C:\Users\PCGAMER\AppData\LocalLow\n9h9r91h8fna789q
O43 - CFD: 27/06/2022 - D – C:\Users\PCGAMER\AppData\LocalLow\nb98wqnehe8bw89hb
End::
FRST Fix.
Download the attached fixlist.txt file and save it to the Desktop.
NOTE: It’s important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.
After running the two fixes above, I am confident that you will be 100 percent malware free.
We will check with one more tool to make sure.
Download RogueKiller and install the program.
Once downloaded and installed, right-click and run as admin.
Click the "Check for updates" button.
Go to scan settings, then slide the MalPE option right to activate it.
Then go to Scan and start a full scan on your machine.
Then click Report when the scan completes.
Under "Share my report", click on Open, then select Text file.
Copy it and paste the results here.
Make sure you do not remove anything detected until I see the log, please.
-
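The ZHP line `O4 - HKLM..\Wow6432Node\Run: [Lightshot] ... (.Not File.) =>.SUP.Orphan` in the script above is the tool's way of saying that an autostart entry points at a file that no longer exists; ZHP files it under SUP (superfluous) rather than as malware. The following is an added example, not ZHP's or RogueKiller's own code, that reproduces that check in PowerShell over the common Run/RunOnce keys and goes a little further: it also flags entries whose target sits in a user-writable directory (where no admin rights are needed to drop a file) and entries whose binary carries no valid Authenticode signature. The key list, the user-writable directory list and the launcher regex are this example's own heuristics, ZHP's O4 section covers more locations than this, and a flag is a reason to look, not proof of anything.

```powershell
# Added example (not from the thread, ZHP Suite or RogueKiller): find autostart
# entries whose target file is gone (ZHP's "Orphan"), lives in a user-writable
# directory, or is unsigned. Windows 10/11; run elevated so HKLM is readable.

# Common autostart keys (example's own selection; ZHP's O4 checks more).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a standard user can write to; a legitimate autostart binary is
# unusual there (heuristic chosen for this example).
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, $env:ProgramData)
$metaProps    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-RunTarget {
    # Turn a Run value ("C:\x\app.exe" /flag, rundll32 foo.dll,Entry, an unquoted
    # path with spaces, ...) into the file that actually gets loaded.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ([string]::IsNullOrWhiteSpace($cmd)) { return '' }
    # Script hosts and loaders: the payload is the first argument, not the host exe.
    if ($cmd -match '^"?(?:[^"]*\\)?(rundll32|regsvr32|wscript|cscript|mshta)(?:\.exe)?"?\s+(?:/\S+\s+)*"?(?<arg>[^",]+)') {
        return $Matches.arg.Trim()
    }
    if ($cmd -match '^"(?<exe>[^"]+)"') { return $Matches.exe }
    # Unquoted path, possibly with spaces: grow it token by token until it names
    # an existing file; if nothing exists, keep the first candidate that ends in
    # an executable extension so an orphan still reports a readable target.
    $parts = $cmd -split '\s+'
    $guess = $parts[0]
    for ($i = 0; $i -lt $parts.Count; $i++) {
        $candidate = $parts[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
        if ($guess -eq $parts[0] -and $candidate -match '\.(exe|dll|cmd|bat|vbs|js|scr|ps1)$') { $guess = $candidate }
    }
    return $guess
}

function Get-RunKeyFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }
            $target = Resolve-RunTarget -Command ([string]$p.Value)
            $exists = [bool]$target -and (Test-Path -LiteralPath $target -PathType Leaf)
            $flags  = @()
            if (-not $exists) { $flags += 'ORPHAN: target missing' }
            foreach ($dir in $userWritable) {
                if ($dir -and $target -like "$dir\*") { $flags += "user-writable location: $dir"; break }
            }
            if ($exists) {
                # Status is Valid for a correctly signed PE; NotSigned / HashMismatch otherwise.
                $sig = Get-AuthenticodeSignature -FilePath $target
                if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Target  = $target
                Flags   = if ($flags) { $flags -join '; ' } else { 'ok' }
            }
        }
    }
}

Get-RunKeyFindings | Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap
```

An entry like the Lightshot one will come back as `ORPHAN: target missing`, which is harmless clutter to remove; an entry that exists, is unsigned and lives under AppData or ProgramData is the combination worth taking to a second opinion before deleting, since the file itself is the evidence.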
Here are the logs:
Program : RogueKiller Anti-Malware
Version : 15.6.4.0
x64 : Yes
Program Date : Dec 15 2022
Location : C:\Program Files\RogueKiller\RogueKiller64.exe
Premium : No
Company : Adlice Software
Website : https://www.adlice.com/
Contact : Support Form | Contact • Adlice Software
Website : Free Virus Cleaner | RogueKiller AntiMalware • Adlice Software
Operating System : Windows 10 (10.0.19045) 64-bit
64-bit OS : Yes
Startup : 0
WindowsPE : No
User : PC GAMER
User is Admin : Yes
Date : 2022/12/21 11:15:33
Type : Scan
Aborted : No
Scan Mode : Standard
Duration : 706
Found items : 6
Total scanned : 112439
Signatures Version : 20221221_082448
Truesight Driver : Yes
Updates Count : 10
Arguments : -minimize
************************* Warnings *************************
************************* Updates *************************
BlueStacks 5 (64-bit), version 5.9.140.1014
[+] Available Version : 5.9.410.1001
[+] Size : 1,99 Go
[+] Wow6432 : No
[+] Portable : No
CPUID HWMonitor 1.41 (64-bit), version 1.41
[+] Available Version : 1.48
[+] Size : 3,06 Mo
[+] Wow6432 : No
[+] Portable : No
[+] update_location : C:\Program Files\CPUID\HWMonitor\
TeamSpeak 3 Client (64-bit), version 3.5.3
[+] Available Version : 3.5.6
[+] Wow6432 : No
[+] Portable : No
[+] update_location : D:\Games\ts
PuTTY release 0.74 (64-bit) (64-bit), version 0.74.0.0
[+] Available Version : 0.78
[+] Size : 3,79 Mo
[+] Wow6432 : No
[+] Portable : No
paint.net (64-bit), version 4.2.13
[+] Available Version : 4.3.12
[+] Size : 40,2 Mo
[+] Wow6432 : No
[+] Portable : No
Malwarebytes version 4.5.18.226 (64-bit), version 4.5.18.226
[+] Available Version : 4.5.19
[+] Wow6432 : No
[+] Portable : No
[+] update_location : C:\Program Files\Malwarebytes\Anti-Malware
HandBrake 1.4.2 (32-bit), version 1.4.2
[+] Available Version : 1.5.1
[+] Wow6432 : Yes
[+] Portable : No
OBS Studio (32-bit), version 26.0.2
[+] Available Version : 28.1.2
[+] Wow6432 : Yes
[+] Portable : No
VLC media player (32-bit), version 3.0.17.4
[+] Available Version : 3.0.18
[+] Wow6432 : Yes
[+] Portable : No
[+] update_location : D:\Games\VLC
WinSCP 5.17.8 (32-bit), version 5.17.8
[+] Available Version : 5.21.6
[+] Size : 96,6 Mo
[+] Wow6432 : Yes
[+] Portable : No
[+] update_location : C:\Program Files (x86)\WinSCP\
************************* Processes *************************
************************* Modules *************************
************************* Services *************************
************************* Scheduled Tasks *************************
************************* Registry *************************
O4 - Run
└── [Adw.Gen (Malicious)] (X86) (Wondershare Technology Co.,Ltd) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|Wondershare Helper Compact.exe – C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe → Found
************************* Hosts File *************************
is_too_big : No
hosts_file_path : C:\Windows\System32\drivers\etc\hosts
************************* Filesystem *************************
[PUP.AutoIt.Gen (Potentially Malicious)] (shortcut) AutoClicker.exe - Raccourci.lnk – C:\Users\PCGAMER\Desktop\AutoClicker.exe - Raccourci.lnk => D:\AutoClicker.exe → Found
[PUP.HackTool (Potentially Malicious)] (folder) jjsploit – C:\Users\PCGAMER\AppData\Local\Programs\jjsploit → Found
[Tr.Gen (Malicious)] (folder) TranslateService – C:\ProgramData\TranslateService → Found
[Adw.Gen (Malicious)] (folder) Wondershare Helper Compact – C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact → Found
[PUP.AutoIt.Gen (Potentially Malicious)] (shortcut) AutoClicker.exe - Raccourci.lnk – C:\Users\PCGAMER\Desktop\AutoClicker.exe - Raccourci.lnk => D:\AutoClicker.exe → Found
************************* Web Browsers *************************
************************* Antirootkit *************************
-
Rerun RogueKiller and delete/quarantine this if you do not know of this program; if you installed it, leave it be.
[PUP.HackTool (Potentially Malicious)] (folder) jjsploit – C:\Users\PCGAMER\AppData\Local\Programs\jjsploit → Found
Delete/quarantine anything else you do not use/recognize.
I do not think Wondershare is bad; as for the others, that’s up to you if you are unsure.
As far as me being sure: yes, there is no more malware that I can see. If you would like to make a final check to make absolutely certain, then run a scan with the Kaspersky Virus Removal Tool.
Make sure to quarantine/delete anything detected!!
This scan may take a while; do not let your computer sleep while the scan runs. This will check all hard drives on the machine…
Save it to your desktop.
I suggest a full scan with Kaspersky.
Disable Defender …
Download and run a full scan with the Kaspersky Virus Removal tool.
Accept the terms.
Click Change Parameters.
Select the System drive.
All volumes.
Click OK, start Scan.
Report any detections here.
[Image attachment: Capture.PNG (https://pchelpforum.net/attachments/capture-png.9392/)]