Solved: I can't seem to remove a trojan, should I reset my PC?

Status: Not open for further replies.

prescilgema (PCHF Member), Nov 27, 2022
Hello everyone (excuse my rusty English, I'm French).

I finally regret not having invested in an antivirus earlier, because I am now infected, but it is indeed my fault.

After I realized that my data was being stolen and that my accounts were being logged in, I did a scan with Windows Defender, which found the Trojan (after I removed the exclusions from the scan, because it was trying to hide). Unfortunately, Windows Defender wasn't powerful enough to remove it, so I looked for a more effective antivirus.

So I tried BitDefender, and its full analysis found the Trojan, and other dirt, but it also failed to remove it. It just manages to prevent it from executing a command in PowerShell.

Then I tried Norton, which doesn't even find it, just like Avast, GridinSoft Anti-Malware, and TrojanRemover. (All this software is on trial; I didn't spend all my money.)

In the BitDefender analysis report, the trojan is listed under the name "Generic.Trojan.DiscordStealer.B.642CEF03", with the path C:\Windows\System32\config\SOFTWARE => (Embedded EXE g). If I'm not mistaken, it may be because access to this file is very protected; is that why I can't remove it, and why some software can't find it?

I think I’m losing hope and I think I just need to reset my computer, but I wanted to at least make sure there wasn’t a last solution.

Thank you in advance for your response and time!
 
Welcome to PCHF :)


Make sure to remove all antivirus products prior to running Autologger; if you have multiple there can be conflicts. You can reinstall one of your choice after we are done here.

Remove them all with Geek Uninstaller, then reboot and run Autologger. I suggest using force mode for a quicker operation; we can remove any traces of any antivirus that remain later in the thread. :)

Download Autologger to your desktop.
Disable your Antivirus/Defender prior to running.
  • Unzip it there. -- If you are unsure how to unzip a program, then use ---- http://www.7-zip.org/ ----
  • Right click Autologger and run as admin. (XP users: double click)
  • AVZ4 will open and scan your machine, allow this to complete.
  • Upload Collectionlog.zip to your next reply.
 
Last edited:
If you are unable to use Autologger, then let me know I can walk you thru any steps, or we can use another tool... just ask.
 
Ok, this will take me about 30 minutes to look over.

While you wait run this tool, it is just a basic crapware remover.


Adware Cleaner
  • Download AdwCleaner and save it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator
  • Accept the EULA (I accept), then click on Scan Now
  • Let the scan complete
  • Once the scan completes, make sure that every item listed in the different tabs is checked and click on the Clean & Repair button
  • Subsequently you may be asked to Run Basic Repair. This is optional. I would suggest holding off on this for now.
  • Once the cleaning process is complete, AdwCleaner will ask you to restart your computer
  • Close all other open windows and allow it to restart
  • After the restart, Notepad will open with the AdwCleaner cleaning log
  • Please Attach the contents of that log into your next reply to me
 
Oh, I didn't mention it, but AdwCleaner was the first thing I tried, and it didn't find anything, and still doesn't :(
 

I have found a suspicious file on your machine. Do you have any idea what this is? I do not want to remove things that you may have installed...

C:\Users\Prescilia\AppData\Roaming\OzqLuwrCYU



Run the Norton Removal Tool.
Use Avast Removal Tool as well.



Right click HijackThis and run as admin (located in the Autologger folder on your desktop).

Click on "Do a system scan", then checkmark the items listed below. Make sure to check only these, then click Fix Checked.


O21 - HKLM\..\ShellIconOverlayIdentifiers\ OneDrive1: (no name) - {BBACC218-34EA-4666-9D7A-C78F2274A524} - (no file)
O21 - HKLM\..\ShellIconOverlayIdentifiers\ OneDrive2: (no name) - {5AB7172C-9C11-405C-8DD5-AF20F3606282} - (no file)
O21 - HKLM\..\ShellIconOverlayIdentifiers\ OneDrive3: (no name) - {A78ED123-AB77-406B-9962-2A5D9D2F7F30} - (no file)
O21 - HKLM\..\ShellIconOverlayIdentifiers\ OneDrive4: (no name) - {F241C880-6982-4CE5-8CF7-7085BA96DA5A} - (no file)
O21 - HKLM\..\ShellIconOverlayIdentifiers\ OneDrive5: (no name) - {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} - (no file)
O21 - HKLM\..\ShellIconOverlayIdentifiers\ OneDrive6: (no name) - {9AA2F32D-362A-42D9-9328-24A483E2CCC3} - (no file)
O21 - HKLM\..\ShellIconOverlayIdentifiers\ OneDrive7: (no name) - {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} - (no file)
O21-32 - HKLM\..\ShellIconOverlayIdentifiers\ OneDrive1: (no name) - {BBACC218-34EA-4666-9D7A-C78F2274A524} - (no file)
O21-32 - HKLM\..\ShellIconOverlayIdentifiers\ OneDrive2: (no name) - {5AB7172C-9C11-405C-8DD5-AF20F3606282} - (no file)
O21-32 - HKLM\..\ShellIconOverlayIdentifiers\ OneDrive3: (no name) - {A78ED123-AB77-406B-9962-2A5D9D2F7F30} - (no file)
O21-32 - HKLM\..\ShellIconOverlayIdentifiers\ OneDrive4: (no name) - {F241C880-6982-4CE5-8CF7-7085BA96DA5A} - (no file)
O21-32 - HKLM\..\ShellIconOverlayIdentifiers\ OneDrive5: (no name) - {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} - (no file)
O21-32 - HKLM\..\ShellIconOverlayIdentifiers\ OneDrive6: (no name) - {9AA2F32D-362A-42D9-9328-24A483E2CCC3} - (no file)
O21-32 - HKLM\..\ShellIconOverlayIdentifiers\ OneDrive7: (no name) - {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} - (no file)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{91B38611-608D-4DE1-89AA-A7DCAC96AD96} - (no key)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{91B38611-608D-4DE1-89AA-A7DCAC96AD96} - \GoogleUpdateTaskMachineQC (no xml)
O22 - Tasks: \Microsoft\Windows Live\SOXE\Extractor Definitions Update Task - {3519154C-227E-47F3-9CC9-12C3F05817F1} - (no file)
O22 - Tasks: \Microsoft\Windows\WaaSMedic\PerformRemediation - {72566E27-1ABB-4EB3-B4F0-EB431CB1CB32},None - (no file)
O22 - Tasks: OneDrive Standalone Update Task-S-1-5-21-1564632507-2548938045-3526008437-1001 - C:\Users\Prescilia\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe (file missing)
O22 - Tasks_Migrated: \Microsoft\Windows Live\SOXE\Extractor Definitions Update Task - {3519154C-227E-47F3-9CC9-12C3F05817F1} - (no file)
O22 - Tasks_Migrated: \Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner - C:\WINDOWS\system32\mitigationscanner.exe (file missing)
O22 - Tasks_Migrated: \Microsoft\Windows\WaaSMedic\PerformRemediation - {72566E27-1ABB-4EB3-B4F0-EB431CB1CB32},None - (no file)
O23 - Service S2: AvastWscReporter - C:\Program Files\Avast Software\Avast\wsc_proxy.exe /runassvc /rpcserver (file missing)

 
Last edited:

Please download the FRST 32 bit or FRST 64bit version to suit your operating system. It is important FRST is downloaded to your desktop.

If you are unsure if your operating system is 32 or 64 Bit please go HERE.
Once downloaded, right click the FRST desktop icon and select "Run as administrator" from the menu.
If you receive any security warnings, or the User Account Control warning opens at any time whilst using FRST you can safely allow FRST to proceed.
FRST will open with two dialogue boxes, accept the disclaimer.
Then select Scan
FRST will take a few minutes to scan your computer, and when finished will produce two log files on your desktop, FRST.txt and Addition.txt. They will display immediately on the desktop, but can be reopened later as a Notepad file.
Please Attach the contents of these logs in your next post for review by our Security Team
 
Here they are, thanks again for helping me !

I deleted the suspicious file, I didn't know what it was.

Also, during the FRST scan, Windows Defender warned me about the trojan again, "Trojan:Win64/SpyLoader.MFP!MTB", and it says that it affects these elements; I don't know if it's helpful or not:

file: C:\Program Files\Google\Chrome\updater.exe
file: C:\Users\Prescilia\AppData\Local\Google\brave.exe
file: C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineQC->(UTF-16LE)
regkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{91B38611-608D-4DE1-89AA-A7DCAC96AD96}
regkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineQC
taskscheduler: C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineQC
 

Attachments

OK, I apologize but I need these logs in English please. You can do that for me by renaming FRST.

Sorry for the inconvenience.

I'd like to have these logs in English please.
Right Click on FRST64 and rename the FRST file to FRST64english.exe
Please then re-run the scan and post the FRST and Addition.txt logs.
Make sure to still run the program as Administrator.
 
These are files I do not recognize, and they are queued for a scan at VirusTotal with this FRST fix I am posting. They may indeed need to be removed, but we will see what the report says first. They may be legit; I have just not seen them. The way I have them listed in the FRST fix will only scan them at VirusTotal.

C:\Program Files\icudtl.dat
C:\Program Files\glcards.dat
C:\WINDOWS\system32\httpproxy.json
C:\WINDOWS\system32\ctc.json
C:\Users\Prescilia\AppData\Roaming\.cache3678791056.dat
C:\Program Files\uninstaller_helper.exe

FRST Fix.
Download the attached fixlist.txt file and save it to the Desktop. NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run. When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.


Download RogueKiller and install the program.
Once downloaded and installed, right click and run as admin.
Click the check for updates button.
Go to scan settings, then slide the MalPE option right to activate it.
Then go to scan, then start a full scan on your machine.
Then click report when the scan completes.
Under Share my report click on open then select text file.
Copy it and paste the results here.
Make sure you do not remove anything detected until I see the log please.


Download Malwarebytes v4. Install and run.

  • Once the MBAM dashboard opens, click on Settings (gear icon).
  • Click on Security tab and make sure that all four Scan options are enabled.
  • Close Settings and click on the Scan button on the dashboard.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button and save the file as a Text file to your desktop.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and include that log on your next reply.
 

Attachments

Last edited:
Copy the content of the code box below, paste it into Notepad and save it as fixlist.txt to your desktop. Then right click FRST64, run as admin, and hit the Fix button.

Note: Do not copy the word code!!

Code:
Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
RemoveProxy:
AV: Norton 360 (Disabled - Up to date) {AECE2126-F4E7-6909-11F2-1B69D1FBCBD0}
FW: Norton 360 (Enabled) {96F5A003-BE88-6851-3AAD-B25C2F288CAB}
AlternateDataStreams: C:\ProgramData\TEMP:CB0AACC9 [135]
C:\WINDOWS\system32\drivers\etc\hosts
Hosts:
FirewallRules: [{4F05D070-02C4-4EAB-9031-310919F657E5}] => (Allow) LPort=5357
HKLM\...\Run: [CL-26-DAC77647-06F3-40D3-8B5E-C6DB493ADBBF] => "C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-DAC77647-06F3-40D3-8B5E-C6DB493ADBBF\setuplauncher.exe" /run:Installer.exe /args:"/setup-folder:"CL-26-DAC77647-06F3-40D3-8B5E-C6DB493 (the data entry has 7 more characters). (No File)
S4 AvastWscReporter; "C:\Program Files\Avast Software\Avast\wsc_proxy.exe" /runassvc /rpcserver [X]
S3 nsvst_NGC; \SystemRoot\System32\drivers\NGCx64\16160A0.009\nsvst.sys [X]
S3 SymEvnt; \??\C:\Program Files\Norton Security\NortonData\22.22.10.9\SymPlatform\SymEvnt.sys [X]
HKU\S-1-5-21-1564632507-2548938045-3526008437-1002\...\MountPoints2: {3246c72c-65c5-11ed-bbe7-b06ebfacad7a} - "E:\OnePlus_setup.exe" /s
HKU\S-1-5-21-1564632507-2548938045-3526008437-1002\...\MountPoints2: {dadd6067-8608-11ec-bbd1-00e18cb25f92} - "E:\OnePlus_setup.exe" /s
ShortcutAndArgument: Alertes de surveillance de l'encre - HP ENVY 4500 series.lnk -> C:\Windows\system32\RunDll32.exe => "C:\Program Files\HP\HP ENVY 4500 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN53R222NZ060F;CONNECTION=USB;MONITOR=1;
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
S4 AvastWscReporter; "C:\Program Files\Avast Software\Avast\wsc_proxy.exe" /runassvc /rpcserver [X]
U1 aswbdisk; no ImagePath
C:\ProgramData\agent.uninstall.1669593020.bdinstall.v2.bin
C:\ProgramData\cl.uninstall.1669592932.bdinstall.v2.bin
S4 AvastWscReporter; "C:\Program Files\Avast Software\Avast\wsc_proxy.exe" /runassvc /rpcserver [X]
S3 aswWintun; C:\WINDOWS\System32\drivers\aswWintun.sys [37104 2022-11-27] (Avast Software s.r.o. -> WireGuard LLC)
2022-11-28 02:10 - 2022-11-28 02:10 - 000000000 ____D C:\Program Files\Common Files\Avast Software
2022-11-27 21:06 - 2022-11-28 00:55 - 000000000 ____D C:\Users\Prescilia\AppData\Local\Avast Software
2022-11-27 21:01 - 2022-11-28 02:11 - 000000000 ____D C:\ProgramData\Avast Software
2022-11-27 21:00 - 2022-11-27 21:00 - 000268488 _____ (AVAST Software) C:\Users\Prescilia\Downloads\avast_one_free_antivirus.exe
Task: {A78A458F-3B97-4A55-AD08-361692BC70BB} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton 360\Upgrade.exe [2353000 2022-11-07] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
S3 SymEvnt; \??\C:\Program Files\Norton Security\NortonData\22.22.10.9\SymPlatform\SymEvnt.sys [X]
2022-11-26 15:57 - 2022-11-28 01:54 - 000000000 ____D C:\ProgramData\Norton
2022-11-26 15:57 - 2022-11-26 15:57 - 004061136 _____ (NortonLifeLock Inc.) C:\Users\Prescilia\Downloads\N360Downloader.exe
2022-11-26 15:57 - 2022-11-26 15:57 - 000000000 ____D C:\ProgramData\NortonInstaller
C:\Program Files\Common Files\Symantec Shared
2022-11-26 13:44 - 2022-11-26 13:44 - 000000000 ____D C:\ProgramData\48C4687D-9760-4F5B-BAB3-60351B0841E4
2022-11-26 13:42 - 2022-11-26 13:42 - 000156348 _____ C:\ProgramData\agent.1669466531.bdinstall.v2.bin
2022-11-28 02:18 - 2019-12-07 15:50 - 000792972 _____ C:\WINDOWS\system32\perfh00C.dat
2022-11-28 02:18 - 2019-12-07 15:50 - 000150102 _____ C:\WINDOWS\system32\perfc00C.dat
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} =>  -> No File
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} =>  -> No File
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} =>  -> No File
ShellIconOverlayIdentifiers-x32: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} =>  -> No File
ShellIconOverlayIdentifiers-x32: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} =>  -> No File
ShellIconOverlayIdentifiers-x32: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} =>  -> No File
ContextMenuHandlers1: [NortonLifeLock.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} =>  -> No File
ContextMenuHandlers2: [NortonLifeLock.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} =>  -> No File
ContextMenuHandlers6: [NortonLifeLock.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} =>  -> No File
FirewallRules: [{DA2FB396-8237-4A90-B56B-4A97430850A8}] => (Allow) C:\ProgramData\Blackmagic Design\DaVinci Resolve\Support\QtDecoder\QTDecoder.exe => No File
FirewallRules: [{FAABC69B-7D31-4CD4-B4CC-35DFC5CC577A}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\OxygenPanelDaemon.exe => No File
FirewallRules: [{69CA6A0E-A8C9-4FA7-BA52-7B6640D9031A}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\ElementsPanelDaemon.exe => No File
FirewallRules: [UDP Query User{3391DB04-93F8-4B6B-B256-7119E3F37BDC}C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe => No File
FirewallRules: [TCP Query User{A04E0A12-493E-45F5-814A-2B052091643F}C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe => No File
FirewallRules: [UDP Query User{F55FC9BB-6E36-4464-A016-960E125BF9D2}C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe => No File
FirewallRules: [TCP Query User{6850BD97-480A-4793-BFBC-723A89A66E76}C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_281\bin\javaw.exe => No File
FirewallRules: [UDP Query User{BFD9DB61-75E9-45DE-BEF7-BAC8F815B4B3}C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe => No File
FirewallRules: [TCP Query User{F68CDE9A-A761-451A-9B86-BBABF3A1C047}C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe => No File
FirewallRules: [UDP Query User{70455248-EDED-4286-A7E0-B5DBD3C8577F}C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe => No File
FirewallRules: [TCP Query User{A68371DF-E0F8-4C1E-A65C-F8BE67272FC5}C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_271\bin\javaw.exe => No File
FirewallRules: [{24D7F8DC-8FCA-4A0F-A92C-9030859FCD9A}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
FirewallRules: [{A2DC6E5F-E0B8-4467-AA7F-1E7E97538912}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
FirewallRules: [UDP Query User{F9C6E7E5-A9B2-4E57-B229-EE5BE6F959E2}C:\program files (x86)\java\jre1.8.0_261\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_261\bin\javaw.exe => No File
FirewallRules: [TCP Query User{4EE9E7E3-8F8E-4C7A-A1A3-7FAB3ABA48BE}C:\program files (x86)\java\jre1.8.0_261\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_261\bin\javaw.exe => No File
FirewallRules: [{4F05D070-02C4-4EAB-9031-310919F657E5}] => (Allow) LPort=5357
FirewallRules: [{A30EC94D-5C40-412E-A064-D794332F9E28}] => (Allow) LPort=1900
FirewallRules: [{38C29492-283D-4A9F-B340-8D30A0CD1FB7}] => (Allow) LPort=2869
File: C:\Program Files\icudtl.dat
File: C:\Program Files\glcards.dat
File: C:\WINDOWS\system32\httpproxy.json
File: C:\WINDOWS\system32\ctc.json
File: C:\Users\Prescilia\AppData\Roaming\.cache3678791056.dat
VirusTotal: C:\WINDOWS\system32\httpproxy.json
VirusTotal: C:\WINDOWS\system32\ctc.json
VirusTotal: C:\Users\Prescilia\AppData\Roaming\.cache3678791056.dat
VirusTotal: C:\Program Files\glcards.dat
VirusTotal: C:\Program Files\icudtl.dat
VirusTotal: C:\Program Files\uninstaller_helper.exe
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: net stop bits
Move: C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db.old
cmd: net start bits
cmd:  bitsadmin /list /allusers
CMD: "%WINDIR%\SYSTEM32\lodctr.exe /R"
CMD: "%WINDIR%\SysWOW64\lodctr.exe /R"
CMD: "C:\Windows\SYSTEM32\lodctr.exe /R"
CMD: "C:\Windows\SysWOW64\lodctr.exe /R"
CMD: del /f /s /q %windir%\prefetch\*.*
CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
CMD: del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
CMD: MsiExec.exe /I{19C3AB22-3718-4E4D-B203-242F5001565B}
CMD: ipconfig /flushdns
C:\Windows\Temp\*.*
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
emptytemp:
Reboot:
End::
 
Hello !

Sorry I didn't have the time to work on this, but here is everything you asked for :)


RogueKiller report:
Code:
Program : RogueKiller Anti-Malware
Version : 15.6.3.0
x64 : Yes
Program Date : Nov 15 2022
Location : C:\Program Files\RogueKiller\RogueKiller64.exe
Premium : No
Company : Adlice Software
Website : https://www.adlice.com/
Contact : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.19044) 64-bit
64-bit OS : Yes
Startup : 0
WindowsPE : No
User : Prescilia
User is Admin : Yes
Date : 2022/11/30 22:33:38
Type : Scan
Aborted : No
Scan Mode : Standard
Duration : 986
Found items : 3
Total scanned : 72199
Signatures Version : 20221128_091401
Truesight Driver : Yes
Updates Count : 10
************************* Warnings *************************
************************* Updates *************************
BlueStacks App Player (64-bit), version 4.260.0.1032
[+] Available Version : 5.9.410.1001
[+] Size : 1,99 Go
[+] Wow6432 : No
[+] Portable : No
Mozilla Firefox (x64 fr) (64-bit), version 107.0
[+] Available Version : 107.0.1
[+] Size : 216 Mo
[+] Wow6432 : No
[+] Portable : No
[+] update_location : C:\Program Files\Mozilla Firefox
VLC media player (64-bit), version 3.0.12
[+] Available Version : 3.0.18
[+] Wow6432 : No
[+] Portable : No
[+] update_location : C:\Program Files\VideoLAN\VLC
WinRAR 5.91 (64-bit) (64-bit), version 5.91.0
[+] Available Version : 6.11
[+] Wow6432 : No
[+] Portable : No
[+] update_location : C:\Program Files\WinRAR\
LibreOffice 7.0.3.1 (64-bit), version 7.0.3.1
[+] Available Version : 7.4.3
[+] Size : 657 Mo
[+] Wow6432 : No
[+] Portable : No
[+] update_location : C:\Program Files\LibreOffice\
paint.net (64-bit), version 4.2.15
[+] Available Version : 4.3.12
[+] Size : 53,9 Mo
[+] Wow6432 : No
[+] Portable : No
Google Chrome (32-bit), version 108.0.5359.71
[+] Available Version : 108.0.5359.72
[+] Wow6432 : Yes
[+] Portable : No
[+] update_location : C:\Program Files\Google\Chrome\Application
Java 8 Update 301 (32-bit), version 8.0.3010.9
[+] Available Version : 8.0.3330.0
[+] Size : 41,5 Mo
[+] Wow6432 : Yes
[+] Portable : No
[+] update_location : C:\Program Files (x86)\Java\jre1.8.0_301\
Discord (64-bit), version 0.0.311
[+] Available Version : 1.0.9007
[+] Size : 77,1 Mo
[+] Wow6432 : No
[+] Portable : No
[+] update_location : C:\Users\Prescilia\AppData\Local\Discord
Zoom (64-bit), version 5.4.9 (59931.0110)
[+] Available Version : 5.12.9
[+] Size : 9,76 Mo
[+] Wow6432 : No
[+] Portable : No
[+] update_location : C:\Users\Prescilia\AppData\Roaming\Zoom\bin
************************* Processes *************************
************************* Modules *************************
************************* Services *************************
************************* Scheduled Tasks *************************
************************* Registry *************************
>>>>>> XX - System Policies
└── [PUM.Policies (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System|ConsentPromptBehaviorAdmin -- 0 -> Found
************************* WMI *************************
************************* Hosts File *************************
is_too_big : No
hosts_file_path : C:\Windows\System32\drivers\etc\hosts
************************* Filesystem *************************
[Tr.Razy (Malicious)] (folder) resources -- C:\Program Files\resources -> Found
[Adw.TopTools (Malicious)] (folder) Tools -- C:\Program Files\Tools -> Found
************************* Web Browsers *************************
************************* Antirootkit *************************
 

Attachments

Last edited by a moderator:
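Two findings in this thread are worth checking by hand on any Windows 10 machine in the same situation: the original post describes the trojan hiding from Windows Defender by adding itself to the scan exclusions (the fixlist above exports the same key with `ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions`), and the RogueKiller report flags `ConsentPromptBehaviorAdmin = 0` as `PUM.Policies`, which is the UAC setting that lets administrators elevate silently. The following read-only audit script is an added example, not code from the thread or from any of the tools named in it. It assumes an elevated PowerShell prompt on Windows 10 with the built-in Defender module available; it changes nothing, it only reports.

```powershell
# Added example (not part of the thread): read-only audit of Defender scan
# exclusions and the UAC admin-consent policy. Run from an elevated prompt.

# 1. Defender exclusions via the Defender module. Get-MpPreference is the
#    documented cmdlet; the three properties below are its exclusion lists.
$pref = Get-MpPreference
$exclusions = [ordered]@{
    Paths      = @($pref.ExclusionPath)
    Extensions = @($pref.ExclusionExtension)
    Processes  = @($pref.ExclusionProcess)
}
foreach ($kind in $exclusions.Keys) {
    $items = @($exclusions[$kind] | Where-Object { $_ })
    if ($items.Count -eq 0) {
        Write-Output "Defender exclusions ($kind): none"
    } else {
        # Any entry here that you did not add yourself deserves a closer look.
        Write-Output "Defender exclusions ($kind):"
        $items | ForEach-Object { Write-Output "    $_" }
    }
}

# 2. The same data straight from the registry (the key the FRST fix exports),
#    as a cross-check in case the module is unavailable. Windows restricts
#    read access to this key, so a denied read is reported rather than fatal.
$exclRoot = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
foreach ($sub in 'Paths', 'Extensions', 'Processes') {
    $key = Join-Path $exclRoot $sub
    try {
        if (Test-Path $key) {
            # Excluded items are stored as value names under each subkey.
            $names = (Get-Item -Path $key -ErrorAction Stop).Property
            if ($names) { Write-Output "Registry $sub exclusions: $($names -join ', ')" }
        }
    } catch {
        Write-Output "Could not read ${key}: $($_.Exception.Message)"
    }
}

# 3. UAC elevation prompt for administrators. 0 means "elevate without
#    prompting" (what RogueKiller reported); the Windows 10 default is 5.
#    EnableLUA = 0 would switch UAC off entirely, so it is reported too.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
$consent = if ($null -ne $policy.ConsentPromptBehaviorAdmin) { $policy.ConsentPromptBehaviorAdmin } else { 'not set' }
$lua     = if ($null -ne $policy.EnableLUA) { $policy.EnableLUA } else { 'not set' }
Write-Output "ConsentPromptBehaviorAdmin = $consent (default 5)"
Write-Output "EnableLUA = $lua (default 1)"
if ($consent -eq 0 -or $lua -eq 0) {
    # Restoring the defaults is a one-liner per value; shown here but not run.
    Write-Warning "UAC is weakened. To restore the defaults:"
    Write-Warning "  Set-ItemProperty -Path '$uacKey' -Name ConsentPromptBehaviorAdmin -Value 5"
    Write-Warning "  Set-ItemProperty -Path '$uacKey' -Name EnableLUA -Value 1   # takes effect after reboot"
}
```

The script deliberately reads the exclusion list two ways: `Get-MpPreference` is the supported interface, while the registry key is what FRST exports, and an attacker who has tampered with one view does not necessarily control the other. Restoring `ConsentPromptBehaviorAdmin` to 5 is what the `PUM.Policies` line in the RogueKiller report is asking for; `EnableLUA` needs a reboot before the change applies.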
@prescilgema Ok, we need to run another fix with FRST.

Please download ZHPCleaner to your desktop. Right click the icon and select Run as administrator.
Once you have started the program, you will need to click the scanner button.
The program will close all open browsers!
Once the scan is completed, you will want to click the Repair button.
At the end of the process you may be asked to reboot your machine.
After you reboot a report will open on your desktop.
Attach the report here in your next reply.


FRST Fix.

Download the attached fixlist.txt file and save it to the Desktop. NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run. When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.



Let me know what issues remain after this latest fix please. :)
 

Attachments

Last edited:
I did struggle a bit to use ZHP. I scanned more than once, because I didn't clean everything it found each time; I didn't really know how to use it, so I put up all the reports it made. Sorry for the inconvenience.
 

Attachments

Any more issues to speak of? I’ll check the logs when I get home. Leaving work now.
 