Would It be okay If I can take a break for today, And will return to do the scans tomorrow please?
-
Hi there and welcome to PC Help Forum (PCHF), a more effective way to get the Tech Support you need!
We have Experts in all areas of Tech, including Malware Removal, Crash Fixing and BSOD's , Microsoft Windows, Computer DIY and PC Hardware, Networking, Gaming, Tablets and iPads, General and Specific Software Support and so much more.
Why not Click Here To Sign Up and start enjoying great FREE Tech Support.
This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Solved Trying to remove Generic.Trojan.DiscordStealer.B.D6426E8C
- Thread starter Phoenix VR
- Start date
- Status
Copy the content of the code box below.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.
Code:
Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
RemoveProxy:
VirusTotal: C:\ProgramData\Nexon\NGS\NGService.exe
virusTotal: D:\Steam\steamapps\common\wallpaper_engine\bin\wallpaperservice32_c.exe
C:\Windows\system32\Drivers\etc\hosts.rollback
C:\Users\theph\AppData\Roaming\uTorrent
C:\Users\theph\AppData\Local\BitTorrentHelper
ShortcutWithArgument: C:\Users\theph\Desktop\Launchers\9Anime.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) -> --profile-directory=Default --app-id=kkhmlnhenkbmpkojdhniaicigbblkobp
ShortcutWithArgument: C:\Users\theph\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Maps.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) -> --profile-directory=Default --app-id=nfoelejpajdgdjldhnpaobkadhhhlmha
ShortcutWithArgument: C:\Users\theph\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) -> --profile-directory=Default --app-id=agimnkijcaahngcdmfeangaknmldooml
AlternateDataStreams: C:\Users\theph\AppData\Local\Temp:$DATA [16]
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
CMD: del /f /s /q %windir%\prefetch\*.*
CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
CMD: del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
cmd: del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*.*"
cmd: del /s /q "%userprofile%\AppData\Local\Opera Software\Opera Stable\Cache\Cache_Data\*.*"
CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
CMD: ipconfig /flushdns
C:\Windows\Temp\*.*
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
emptytemp:
Reboot:
End::
Last edited:
@Phoenix VR I had a person who is far more experienced than I check this thread, they to believe this is a false positive by Bitdefender, none the less you can post the logs and we can continue to check if you wish.
Ahhh oki if its a false thing by Bitdefender, Im fine with stopping, Thank you soo much for helping me try and remove it. If it won't effect my pc then I'm fine with keeping it there since its a false positive.
I would like you to run the last fix for FRST and post the log, and out of curiosity run rogue killer, then we can clean up the tools we used and send you on your way. Maybe even zip up and upload the entire .xml file if you could, so I can submit it to Bitdefender.
As part of the process I sent a couple files to Virustotal This one came back with 4 hits, are you sure this file is safe?
C:\ProgramData\Nexon\NGS\NGService.exe https://www.virustotal.com/gui/file...e918acb33ddc1c5fada4fd776f05f4eca6-1671626189
This one came back with one hit. D:\Steam\steamapps\common\wallpaper_engine\bin\wallpaperservice32_c.exe => https://www.virustotal.com/gui/file...6717ea73c9e2fa46ccd1e9d74e70002e7a-1646348503
Also, one file was not able to be removed.
AlternateDataStreams: C:\Users\theph\AppData\Local\Temp:$DATA [16]
C:\Users\theph\AppData\Local\Temp => ":$DATA" ADS could not remove.
We do need to address these issues before I send you on the way. I will create a new fixlist based on your response. I personally think this file needs to go. No .exe file should be running from the program data folder to be honest.
C:\ProgramData\Nexon\NGS\NGService.exe https://www.virustotal.com/gui/file...e918acb33ddc1c5fada4fd776f05f4eca6-1671626189
This one came back with one hit. D:\Steam\steamapps\common\wallpaper_engine\bin\wallpaperservice32_c.exe => https://www.virustotal.com/gui/file...6717ea73c9e2fa46ccd1e9d74e70002e7a-1646348503
Also, one file was not able to be removed.
AlternateDataStreams: C:\Users\theph\AppData\Local\Temp:$DATA [16]
C:\Users\theph\AppData\Local\Temp => ":$DATA" ADS could not remove.
We do need to address these issues before I send you on the way. I will create a new fixlist based on your response. I personally think this file needs to go. No .exe file should be running from the program data folder to be honest.
The 2nd one is from Steam and its a wallpaper engine from there, I doubt steam would let a trojan in on there program.
Ok, lets remove the other one. I will leave the steam. I need you to run this fix for me in safe mode, after the rogue killer scan. Maybe this is what bitdefender is detecting. We will see...
Copy the content of the code box below.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.
Edit: Seems the legit file should be displayed the same as below in a FRST log. I believe we may have found the culprit, these guys are getting crafty at hiding things and making them seem legit.
S3 NGS; C:\WINDOWS\NGService.exe [3134240 2022-07-17] (NEXON Korea Corporation. -> NEXON Korea Corporation)
Copy the content of the code box below.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.
Code:
Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
DeleteKey: HKU\.DEFAULT\SOFTWARE\Nexon
C:\ProgramData\Nexon\NGS\NGService.exe
C:\ProgramData\Nexon\NGS
C:\ProgramData\Nexon
AlternateDataStreams: C:\Users\theph\AppData\Local\Temp:$DATA [16]
CMD: del /f /s /q %windir%\prefetch\*.*
CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
CMD: ipconfig /flushdns
C:\Windows\Temp\*.*
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
emptytemp:
Reboot:
End::Edit: Seems the legit file should be displayed the same as below in a FRST log. I believe we may have found the culprit, these guys are getting crafty at hiding things and making them seem legit.
S3 NGS; C:\WINDOWS\NGService.exe [3134240 2022-07-17] (NEXON Korea Corporation. -> NEXON Korea Corporation)
Last edited:
It says Everything is good so far NO Detection
Code:
Program : RogueKiller Anti-Malware
Version : 15.6.4.0
x64 : Yes
Program Date : Dec 15 2022
Location : C:\Program Files\RogueKiller\RogueKiller64.exe
Premium : No
Company : Adlice Software
Website : https://www.adlice.com/
Contact : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.19044) 64-bit
64-bit OS : Yes
Startup : 0
WindowsPE : No
User : ThePhoenixVR
User is Admin : Yes
Date : 2023/01/02 15:43:36
Type : Scan
Aborted : No
Scan Mode : Standard
Duration : 1111
Found items : 0
Total scanned : 186508
Signatures Version : 20210423_062556
Truesight Driver : Yes
Updates Count : 8
************************* Warnings *************************
************************* Updates *************************
Git (64-bit), version 2.37.3
[+] Available Version : 2.39.0
[+] Size : 266 MB
[+] Wow6432 : No
[+] Portable : No
[+] update_location : D:\Waifu thing\Git\
WinRAR 6.02 (64-bit) (64-bit), version 6.02.0
[+] Available Version : 6.11
[+] Wow6432 : No
[+] Portable : No
[+] update_location : C:\Program Files\WinRAR\
Java 8 Update 321 (64-bit) (64-bit), version 8.0.3210.7
[+] Available Version : 8.0.3330.0
[+] Size : 49.1 MB
[+] Wow6432 : No
[+] Portable : No
[+] update_location : C:\Program Files\Java\jre1.8.0_321\
paint.net (64-bit), version 4.3.11
[+] Available Version : 4.3.12
[+] Size : 220 MB
[+] Wow6432 : No
[+] Portable : No
Notepad++ (32-bit x86) (32-bit), version 8.4.4
[+] Available Version : 8.4.8
[+] Size : 12.6 MB
[+] Wow6432 : Yes
[+] Portable : No
OBS Studio (32-bit), version 27.1.3
[+] Available Version : 28.1.2
[+] Wow6432 : Yes
[+] Portable : No
Discord (64-bit), version 1.0.9007
[+] Available Version : 1.0.9008
[+] Size : 78.4 MB
[+] Wow6432 : No
[+] Portable : No
[+] update_location : C:\Users\theph\AppData\Local\Discord
Python 3.10.6 (64-bit) (64-bit), version 3.10.6150.0
[+] Available Version : 3.11.1000.0
[+] Size : 105 MB
[+] Wow6432 : No
[+] Portable : No
************************* Processes *************************
************************* Modules *************************
************************* Services *************************
************************* Scheduled Tasks *************************
************************* Registry *************************
************************* WMI *************************
************************* Hosts File *************************
is_too_big : No
hosts_file_path : C:\Windows\System32\drivers\etc\hosts
************************* Filesystem *************************
************************* Web Browsers *************************
************************* Antirootkit *************************
Last edited by a moderator:
Ohhhh so it could be NEXON doing it
Im trying to put my computer in safe mode but its not letting me do it, It stays black for awhile and then turns off, I turn it back on and its not in safe mode.
Ok, run the fix in normal mode. Let's see how it goes. If further action needs to be taken on the file that would not delete we will do so if needed.
Run the fix in normal mode, then post the log created please.
I think it's a possibility that you have a fake version of the Nexon. If you will notice from my edit. The legit file loads from C:\Windows, the file you have is loading from program data folder. Also, now looking at your installed programs, Nexon is not listed, so indeed this may be the culprit.
Run the fix in normal mode, then post the log created please.
Ok, one last fix, then I want you to scan again with Bitdefender after this.
First download RunX
www.d7xtech.com
Unzip it to your desktop.
Where FRST and RunX.exe are side by side.
Then drag FRST onto RunX.
Make sure run as trusted installer it ticked.
Then click the Run button.
This will start FRST with Trusted Installer Permissiion, and will be able to delete this C:\Users\theph\AppData\Local\Temp:$DATA [16] which is being stubborn. Then you just run the fix as normal after FRST is started thru RunX
Copy the content of the code box below.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.
First download RunX
RunX
Current version: 1.0.0.1 Released May 19th, 2021 (fixed a bug with launching processes in general d7x code as explained here.) RunX is designed to easily launch any process with System account or…
www.d7xtech.com
Where FRST and RunX.exe are side by side.
Then drag FRST onto RunX.
Make sure run as trusted installer it ticked.
Then click the Run button.
This will start FRST with Trusted Installer Permissiion, and will be able to delete this C:\Users\theph\AppData\Local\Temp:$DATA [16] which is being stubborn. Then you just run the fix as normal after FRST is started thru RunX
Copy the content of the code box below.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.
Code:
Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
AlternateDataStreams: C:\Users\theph\AppData\Local\Temp:$DATA [16]
CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
C:\Windows\Temp\*.*
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
emptytemp:
Reboot:
End::- Status