start::
CreateRestorePoint:
cmd: Net stop wuauserv
cmd: Rd /s /q %windir%\SoftwareDistribution\.
CloseProcesses:
EmptyTemp:
EmptyEventLogs:
Hosts:
RemoveProxy:
C:\Windows\Temp\*.*
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\*
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\*
C:\Users\CurrentUserName\Appdata\Local\Temp\*.*
C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\*.*
StartBatch:
rd /s /q "%userprofile%\AppData\Roaming\discord\Cache"
rd /s /q "%userprofile%\AppData\Roaming\discord\code cache"
rd /s /q "%userprofile%\AppData\Roaming\discord\gpucache"
Endbatch:
Unlock: HKCU\SOFTWARE\AvastAdSDK
DeleteKey: HKCU\SOFTWARE\AvastAdSDK
DeleteKey: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\SOFTWARE\AvastAdSDK
Unlock: HKLM\SOFTWARE\Avira
DeleteKey: HKLM\SOFTWARE\Avira
DeleteKey: HKLM\SOFTWARE\WOW6432Node\Avira
DeleteKey: HKCU\SOFTWARE\Avira
DeleteKey: HKU\.DEFAULT\SOFTWARE\Avira
DeleteKey: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\SOFTWARE\Avira
Unlock: HKLM\SOFTWARE\AVG
DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|AVGUI.exe
DeleteKey: HKLM\SOFTWARE\AVG
DeleteKey: HKLM\SOFTWARE\WOW6432Node\AVG
DeleteKey: HKCU\SOFTWARE\AVG
DeleteKey: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\SOFTWARE\AVG
C:\ProgramData\AVG
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{98ADD1CB-DD16-4CBC-B892-0ECFD2F75BB3}
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{98ADD1CB-DD16-4CBC-B892-0ECFD2F75BB3}
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{98ADD1CB-DD16-4CBC-B892-0ECFD2F75BB3}
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Maintenance\{98ADD1CB-DD16-4CBC-B892-0ECFD2F75BB3}
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{98ADD1CB-DD16-4CBC-B892-0ECFD2F75BB3}
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{98ADD1CB-DD16-4CBC-B892-0ECFD2F75BB3}
C:\Windows\System32\Tasks\R@1n-KMS\Office15ProPlus
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C26F0910-D04C-4BF7-A881-BE9312337E19}
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{C26F0910-D04C-4BF7-A881-BE9312337E19}
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C26F0910-D04C-4BF7-A881-BE9312337E19}
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Maintenance\{C26F0910-D04C-4BF7-A881-BE9312337E19}
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{C26F0910-D04C-4BF7-A881-BE9312337E19}
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{C26F0910-D04C-4BF7-A881-BE9312337E19}
C:\Windows\System32\Tasks\R@1n-KMS\Windows100Professional
C:\WINDOWS\System32\Tasks\R@1n-KMS\Office15ProPlus
C:\WINDOWS\System32\Tasks\R@1n-KMS\Windows100Professional
DeleteKey: HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\WinRAR32
DeleteKey: HKLM\Software\Classes\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
DeleteKey: HKLM\Software\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32
DeleteKey: HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\NvCplDesktopContext
DeleteKey: HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR32
DeleteValue: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\EveryDaySoft\EDSWindows10Tuner\EDSWindows10Tuner.exe.FriendlyAppName
DeleteValue: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\EveryDaySoft\EDSWindows10Tuner\EDSWindows10Tuner.exe.ApplicationCompany
DeleteValue: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\SlySoft\CloneCD\RegCloneCD.exe.FriendlyAppName
DeleteValue: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\SlySoft\CloneCD\RegCloneCD.exe.ApplicationCompany
DeleteValue: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\SlySoft\CloneCD\CloneCD.exe.FriendlyAppName
DeleteValue: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\SlySoft\CloneCD\CloneCD.exe.ApplicationCompany
DeleteValue: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\Deluge\deluge.exe.FriendlyAppName
DeleteValue: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\Deluge\deluge.exe.ApplicationCompany
DeleteValue: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\EveryDaySoft\EDSWindows10Tuner\EDSWindows10Tuner.exe.FriendlyAppName
DeleteValue: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\EveryDaySoft\EDSWindows10Tuner\EDSWindows10Tuner.exe.ApplicationCompany
DeleteValue: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\SlySoft\CloneCD\RegCloneCD.exe.FriendlyAppName
DeleteValue: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\SlySoft\CloneCD\RegCloneCD.exe.ApplicationCompany
DeleteValue: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\SlySoft\CloneCD\CloneCD.exe.FriendlyAppName
DeleteValue: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\SlySoft\CloneCD\CloneCD.exe.ApplicationCompany
DeleteValue: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\Deluge\deluge.exe.FriendlyAppName
DeleteValue: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files (x86)\Deluge\deluge.exe.ApplicationCompany
DeleteKey: HKLM\SOFTWARE\WOW6432Node\Lavasoft
DeleteKey: HKCU\SOFTWARE\Lavasoft
DeleteKey: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\SOFTWARE\Lavasoft
C:\Program Files (x86)\lavasoft
DeleteKey: HKCU\SOFTWARE\Adlice Software
DeleteKey: HKU\.DEFAULT\SOFTWARE\Adlice Software
DeleteKey: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\SOFTWARE\Adlice Software
HKLM\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
HKLM\...\Policies\Explorer: [NoInternetOpenWith] 1
HKLM\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKLM\...\Policies\Explorer: [NoResolveSearch] 1
HKU\S-1-5-19\...\Policies\Explorer: [NoInstrumentation] 1
HKU\S-1-5-19\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-20\...\Policies\Explorer: [NoInstrumentation] 1
HKU\S-1-5-20\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\...\Run: [MicrosoftEdgeAutoLaunch_0FBB3CA904637366835E02E7613312E2] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start [3923496 2025-01-24] (Microsoft Corporation -> Microsoft Corporation)
HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\...\Run: [Ww5EqxGa] => C:\Users\Mamou\AppData\Roaming\WycT1ndu\Set-up.exe [1353752 2024-09-20] (IObit CO., LTD -> IObit)
HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\...\Policies\Explorer: [NoInstrumentation] 1
HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\...\MountPoints2: {32870ddc-71bd-11ee-bfab-0456e5e4b4ec} - "F:\autoplay\nop.exe"
HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\...\MountPoints2: {32872a1a-71bd-11ee-bfab-0456e5e4b4ec} - "G:\autoplay\nop.exe"
HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\...\MountPoints2: {32872a24-71bd-11ee-bfab-0456e5e4b4ec} - "H:\autoplay\nop.exe"
HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\...\MountPoints2: {32872a2b-71bd-11ee-bfab-0456e5e4b4ec} - "I:\autoplay\autoplay.exe"
HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\...\MountPoints2: {6be97157-335c-11ee-bf7a-0456e5e4b4ec} - "E:\LaunchU3.exe" -a
HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\...\MountPoints2: {ce19c1dc-6b2e-11ee-bfa1-0456e5e4b4ec} - "E:\autoplay\autoplay.exe"
IFEO\mpcmdrun.exe: [Debugger] C:\WINDOWS\System32\systray.exe
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Task: {937C803E-CD08-49A0-AB23-7D21C4731216} - System32\Tasks\DLLSearchUpdater => C:\Users\Mamou\AppData\Local\DLLSearch\Updater\UpdaterLauncher.exe /check_updates (Pas de fichier)
Task: {75E902B8-C4B8-4746-A187-4D1E925A5211} - System32\Tasks\EOSv3 Scheduler onLogOn => C:\Users\Mamou\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe LOGON (Pas de fichier)
Task: {D1979B6A-3F3C-4550-8564-352321CE6E04} - System32\Tasks\EOSv3 Scheduler onTime => C:\Users\Mamou\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe SCHED (Pas de fichier)
Task: {0A6AA953-7278-4845-B7BD-C592059AFBDD} - System32\Tasks\EPPHealthCheck => C:\Program Files\ReasonLabs\EPP\Uninstall.exe /uninstall-repair (Pas de fichier)
S2 AlService; C:\Program Files (x86)\Alsoft\AlService.exe -s [X]
S2 ELANFPService; %SystemRoot%\System32\ELANFPService.exe [X]
S2 EsgShKernel; "C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe" [X]
S2 ShMonitor; "C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe" [X]
S3 rsDwf; \SystemRoot\system32\DRIVERS\rsDwf.sys [X]
Task: {1DC4CB87-94F6-4B47-B7C4-055DA884B126} - System32\Tasks\Remove AdwCleaner Application => C:\WINDOWS\system32\CMD.EXE [289792 2024-05-17] (Microsoft Windows -> Microsoft Corporation) -> /C DEL /F /Q "D:\adwcleaner(1).exe"
Task: {CFC5E9E4-E535-48E7-8230-8CE6D52FA9E1} - System32\Tasks\Uninstall AdwCleaner Application => D:\adwcleaner(1).exe [8790880 2025-01-17] (Malwarebytes Inc. -> Malwarebytes)
Task: {85DA25C3-E075-4F66-9077-49A1983BE762} - System32\Tasks\USER_ESRV_SVC_QUEENCREEK => C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe [455680 2024-02-17] (Microsoft Windows -> Microsoft Corporation) -> C:\Program Files\Intel\SUR\QUEENCREEK\x64\-Command "Start-Process -WindowStyle Hidden task.bat"
FF Plugin: @videolan.org/vlc,version=3.0.18 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2023-10-30] (VideoLAN -> VideoLAN)
FF Plugin: @videolan.org/vlc,version=3.0.19 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2023-10-30] (VideoLAN -> VideoLAN)
AlternateDataStreams: C:\Windows:AA94644717A371F4 [50]
SearchScopes: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FirewallRules: [{638a0da1-1e7f-47e7-a4f4-7321276a4877}] => (Allow) C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe => Pas de fichier
FirewallRules: [{6f5a979a-ef5b-4b81-81be-48de4b31f909}] => (Allow) C:\Program Files\ldplayer9box\VBoxNetNAT.exe => Pas de fichier
FirewallRules: [{49ac4437-e379-41f4-9af0-dd450f5144d0}] => (Allow) D:\LDPlayer\LDPlayer9\dnplayer.exe => Pas de fichier
FirewallRules: [TCP Query User{0E30B5B5-8D84-4F7C-9219-F9F2DEC97950}C:\users\mamou\desktop\chicken.invaders.2.build.7688955\chicken.invaders.2.build.7688955\ci2rm.exe] => (Allow) C:\users\mamou\desktop\chicken.invaders.2.build.7688955\chicken.invaders.2.build.7688955\ci2rm.exe => Pas de fichier
FirewallRules: [UDP Query User{971FF153-A01E-4C80-83AA-628F5E2EF995}C:\users\mamou\desktop\chicken.invaders.2.build.7688955\chicken.invaders.2.build.7688955\ci2rm.exe] => (Allow) C:\users\mamou\desktop\chicken.invaders.2.build.7688955\chicken.invaders.2.build.7688955\ci2rm.exe => Pas de fichier
FirewallRules: [TCP Query User{3E5B4D68-B171-4F17-889D-08090DBC8CB0}C:\program files (x86)\deluge\deluge.exe] => (Allow) C:\program files (x86)\deluge\deluge.exe => Pas de fichier
FirewallRules: [UDP Query User{AE15B92D-C3B0-457A-B8A3-8EC9BB5A3A3B}C:\program files (x86)\deluge\deluge.exe] => (Allow) C:\program files (x86)\deluge\deluge.exe => Pas de fichier
FirewallRules: [{D27657B6-5419-4B79-A574-84F8BBBDE6C4}] => (Block) C:\program files (x86)\deluge\deluge.exe => Pas de fichier
FirewallRules: [{F0DCBBF3-8AA2-4C68-9005-37C282305EB4}] => (Block) C:\program files (x86)\deluge\deluge.exe => Pas de fichier
FirewallRules: [{A95E9BF5-4D55-42B4-BE77-213A6A5CCC7D}] => (Allow) F:\format factory\FormatFactory\FormatFactory.exe => Pas de fichier
FirewallRules: [{54FEE9AB-9363-432D-A53A-9516FAF6F6CC}] => (Allow) F:\format factory\FormatFactory\FFModules\Encoder\Doc\EBookCodec.exe => Pas de fichier
FirewallRules: [{76DC446A-679E-44AA-92D7-9D0A0763D9AD}] => (Allow) F:\format factory\FormatFactory\FormatFactory.exe => Pas de fichier
FirewallRules: [{DC10ADE3-7A53-4197-8C53-2EF56EE80672}] => (Allow) F:\format factory\FormatFactory\FFModules\Encoder\Doc\EBookCodec.exe => Pas de fichier
FirewallRules: [{991034E1-51CE-4CEC-A8D8-3F9F2113D6ED}] => (Allow) C:\Program Files\Cybelsoft\DriversCloud.com\DriversCloudAgent.exe => Pas de fichier
FirewallRules: [{AAEFE582-41C9-4FFE-92BE-E1CC3DBB4827}] => (Allow) C:\Program Files\Cybelsoft\DriversCloud.com\DriversCloudAgent.exe => Pas de fichier
IE trusted site: HKU\S-1-5-21-3824323892-2633900218-3341220402-1001\...\localhost -> localhost
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnigmaSoft\SpyHunter5.lnk
C:\Users\Mamou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ESET Online Scanner.lnk
C:\Users\Mamou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RAV Antivirus.lnk
StartBatch:
del /s /q C:\Windows\prefetch\*.*
del /s /q "%userprofile%\AppData\Local\Temp\*.*"
del /s /q "%userprofile%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\*.*"
del /s /q "%userprofile%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*.*"
del /s /q "%userprofile%\AppData\Local\Microsoft\Windows\History\*.*"
del /s /q "%userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.*"
del /s /q "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.lnk"
For /D %%d In ("%userprofile%\AppData\Local\Mozilla\Firefox\Profiles\*") Do (If Exist "%%d\Cache2" Del /s /q "%%d\Cache2\*.*")
del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\Js\."
del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\."
del /s /q "%userprofile%\AppData\Roaming\Opera Software\Opera GX Stable\Code Cache\Js\."
del /s /q "%userprofile%\AppData\Roaming\Opera Software\Opera Stable\Code Cache\Js\."
del /s /q "%userprofile%\AppData\Roaming\Opera Software\*"
For /D %%d In ("%userprofile%\AppData\Local\Thunderbird\Profiles\*") Do (If Exist "%%d\Cache2" Del /s /q "%%d\Cache2\*.*")
For /D %%d In ("%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*") Do (If Exist "%%d\cookies.sqlite" Del /s /q "%%d\cookies.sqlite")
For /D %%d In ("%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*") Do (If Exist "%%d\Places.Sqlite" Del /s /q "%%d\Places.Sqlite")
del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\History"
del /s /q "%userprofile%\AppData\Roaming\Opera Software\Opera Stable\History"
del /s /q "%userprofile%\AppData\Roaming\Opera Software\Opera GX Stable\History"
ipconfig /release
ipconfig /renew
ipconfig /flushdns
ipconfig /registerdns
netsh winsock reset
netsh advfirewall reset
netsh advfirewall set allprofiles state on
netsh winhttp reset proxy
bitsadmin /reset /allusers
net start sdrsvc
net start vss
net start rpcss
net start eventsystem
net start winmgmt
net start msiserver
net start bfe
net start trustedinstaller
net start windefend
net start mpssvc
net start mpsdrv
Winmgmt /salvagerepository
Winmgmt /resetrepository
Winmgmt /resyncperf
Endbatch:
cmd: Net start wuauserv
Reboot:
end::