Malware removal? (Couldn't think of an original title)

  • Malnutrition
    PCHF Moderator
    • Jul 2016
    • 7045

    #16
    Alright, run these for me while I check over the logs. Need to make sure I am not missing anything, with a little help from an on demand scanner. (y)

    Dr Web Scan

    • Disable your antivirus
    • Download Dr Web
    • Save the file to your desktop.
    • Right Click on the randomly named file.
    • Run as administrator.
    • Agree to terms and continue.
    • Select objects for scanning, make sure all boxes are ticked.
    • Then check mark the click to select files and folders.
    • Make sure C: drive is checked.
    • Click OK.
    • Then click start scanning.
    • Once the scan is completed.
    • Click on open report.
    • Then select file.
    • Save then save cureit.log to desktop.
    • Upload the log to https://pomf2.lain.la/ or https://ufile.io/ and send me a link to the file.
    • If you are sure about the files detected being malicious.
    • Then make sure all items are ticked and under action move to delete.
    • Then hit the Neutralize button.
    • Reboot your computer after the scan.

    Download Autologger to your desktop.
    Disable your Antivirus/Defender prior to running.

    • Unzip it there. – If you are unsure how to unzip a program, then use ---- http://www.7-zip.org/ ----
    • Right click Autologger and run as administrator. (XP user double click)
    • AVZ4 will open and scan your machine, allow this to complete.
    • Upload Collectionlog.zip to your next reply.

    Comment

    • Matnat
      PCHF Member
      • Sep 2024
      • 14

      #17
      Here’s the link to the cureitlog file. https://pomf2.lain.la/f/m58z342g.txt

      Comment

      • Matnat
        PCHF Member
        • Sep 2024
        • 14

        #18
        Alas I clumsily interrupted the Autologger scan, and even after deleting the files and re-downloading it, I'm unable to run a new scan. Hope I'm not testing your patience :censored:

        Comment

        • Malnutrition
          PCHF Moderator
          • Jul 2016
          • 7045

          #19
          No infected files in DrWeb. (y)
          Here is your next fix for FRST, no temp file removal this time.
          I see no malware, but this will disable remote desktop services as well as remove some redundant files.
          Code:
          Start::
          SystemRestore: On
          CreateRestorePoint:
          S3 netprotection_network_filter2; System32\drivers\netprotection_network_filter2.sys [X]
          S3 polarbear-split-tunneling; \??\C:\Program Files\McAfee\WPS\1.22.203.1\vpn\Drivers\x64\SplitTunnelingDriver.sys [X]
          Unlock: C:\Windows\System32\Drivers\60fb613b.sys
          S3 60fb613b; C:\Windows\System32\Drivers\60fb613b.sys [377392 2024-09-27] (Microsoft Windows Hardware Compatibility Publisher -> AO Kaspersky Lab)
          C:\Windows\System32\Drivers\60fb613b.sys
          HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
          HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
          HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\60fb613b.sys => ""="Driver"
          HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\60fb613b.sys => ""="Driver"
          C:\KVRT2020_Data\Temp\34105D1614A078122BA1CE2FB62AD56C\klupd_60fb613ba_arkmon.sys
          C:\Users\mattn\AppData\Roaming\McAfee
          C:\Program Files\McAfee\WPS\1.22.203.1\vpn\Drivers\x64\SplitTunnelingDriver.sys
          C:\Program Files\McAfee
          DeleteKeY: HKLM\SOFTWARE\BullGuard
          DeleteKeY: HKLM\SOFTWARE\WOW6432Node\KasperskyLab
          DeleteKeY: HKCU\SOFTWARE\McAfee
          DeleteKeY: HKU\.DEFAULT\SOFTWARE\McAfee
          DeleteKeY: HKU\S-1-5-21-2412115035-3100614054-1925598170-1001\SOFTWARE\McAfee
          
          StartBatch:
          schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
          schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
          sc stop DiagTrack
          sc stop RasAuto
          sc stop RasMan
          sc stop SessionEnv
          sc stop sysmain
          sc stop TermService
          sc stop UmRdpService
          sc stop RemoteAccess
          sc stop dmwappushservice
          sc stop WSearch
          sc stop lfsvc
          sc config RasAuto start= disabled
          sc config RasMan start= disabled
          sc config SessionEnv start= disabled
          sc config TermService start= disabled
          sc config UmRdpService start= disabled
          sc config RemoteAccess start= disabled
          sc config sysmain start= disabled
          sc config DiagTrack start= disabled
          sc config dmwappushservice start= disabled
          sc config WSearch start= disabled
          sc config lfsvc start= disabled
          EndBatch:
          
          End::

          Security Check Scan.

          Download Security Check to your desktop.

          • Right click it, run as administrator.
          • When the program completes, the tool will automatically open a log file.
          • Please copy and paste that log here in your next post.
          • There will be items listed in red when you post this log, those items need to be updated.

          In your next reply:

          Post security check log and the fix log from FRST.

          Originally posted by Matnat
            Alas I clumsily interrupted the Autologger scan, and even after deleting the files and re-downloading it, I'm unable to run a new scan. Hope I'm not testing your patience

          No, I assume you stopped it because it opened a browser, it is supposed to do that. You could try again after the fix or not, that is your choice.

          Comment

          • Matnat
            PCHF Member
            • Sep 2024
            • 14

            #20
            Apologies, the fixlist txt file goes in Desktop along with FRST, but what do I do with that code?

            Comment

            • Malnutrition
              PCHF Moderator
              • Jul 2016
              • 7045

              #21
              You can copy the code, just do not copy the word code; and right click FRST run as admin.
              It just runs the fix from the clipboard. (y)

              Comment

              • Matnat
                PCHF Member
                • Sep 2024
                • 14

                #22
                Originally posted by Matnat
                  Apologies, the fixlist txt file goes in Desktop along with FRST, but what do I do with that code?

                My bad, just saw it's the same as the txt file :LOL:

                Comment

                • Matnat
                  PCHF Member
                  • Sep 2024
                  • 14

                  #23
                  Fixlog attached, and here's the log from SecurityCheck:

                  SecurityCheck by glax24 & Severnyj v.1.4.0.58 [15.08.24]
                  WebSite: www.safezone.cc
                  DateLog: 27.09.2024 07:28:38
                  Path starting: C:\Users\mattn\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
                  Log directory: C:\SecurityCheck
                  IsAdmin: True
                  User: mattn
                  VersionXML: 12.55is-22.09.2024


                  Windows 11 Core (x64) Release: 23H2 (10.0.22631.4169) Lang: English(0409)
                  Installation date OS: 04.10.2023 09:48:08
                  LicenseStatus: Windows(R), Core edition The machine is permanently activated.
                  LicenseStatus: Office 16, Office16OneNoteFreeR_Bypass edition The machine is permanently activated.
                  Boot Mode: Normal
                  Default Browser: Internet Explorer (C:\Program Files\Internet Explorer\iexplore.exe)
                  SystemDrive: C: FS: [NTFS] Capacity: [474.7 Gb] Used: [225.7 Gb] Free: [249 Gb]
                  ------------------------------- [ Windows ] -------------------------------
                  User Account Control enabled (Level 3)
                  Security Center (wscsvc) - The service is running
                  Remote Registry (RemoteRegistry) - The service has stopped
                  SSDP Discovery (SSDPSRV) - The service is running
                  Remote Desktop Services (TermService) - The service has stopped
                  Windows Remote Management (WS-Management) (WinRM) - The service has stopped
                  ---------------------------- [ Antivirus_WMI ] ----------------------------
                  Windows Defender (disabled and up to date)
                  Avira Security (enabled and up to date)
                  --------------------------- [ FirewallWindows ] ---------------------------
                  Windows Defender Firewall (mpssvc) - The service is running
                  ---------------------- [ AntiVirusFirewallInstall ] -----------------------
                  Malwarebytes version 5.1.10.127 v.5.1.10.127
                  Avira Fallback Updater
                  Avira Security v.1.1.104.1294
                  --------------------------- [ OtherUtilities ] ----------------------------
                  Microsoft 365 - en-us v.16.0.17928.20156
                  Microsoft Edge WebView2 Runtime v.129.0.2792.52
                  ------------------------------- [ Backup ] --------------------------------
                  Google Drive v.1.0 Warning! Download Update
                  Microsoft OneDrive v.24.171.0825.0002
                  ------------------------------ [ ArchAndFM ] ------------------------------
                  7-Zip 24.08 (x64) v.24.08
                  WinRAR 7.00 (64-bit) v.7.00.0 Warning! Download Update
                  ---------------------------- [ ProxyAndVPNs ] -----------------------------
                  Avira Phantom VPN v.2.44.1.19908
                  --------------------------------- [ P2P ] ---------------------------------
                  qBittorrent v.4.6.3 Warning! Download Update
                  -------------------------------- [ Media ] --------------------------------
                  PotPlayer-64 bit v.240618
                  ------------------------------- [ Browser ] -------------------------------
                  Brave v.129.1.70.119
                  Google Chrome v.129.0.6668.60
                  Microsoft Edge v.129.0.2792.52
                  ------------------ [ AntivirusFirewallProcessServices ] -------------------
                  Malwarebytes Service (MBAMService) - The service is running
                  C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe v.3.2.0.1314
                  Microsoft Defender Antivirus Service (WinDefend) - The service has stopped
                  Microsoft Defender Antivirus Network Inspection Service (WdNisSvc) - The service has stopped
                  ---------------------------- [ UnwantedApps ] -----------------------------
                  Avira System Speedup v.7.3.0.502 << Hidden Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering. Computer experts no longer recommend this program.
                  ----------------------------- [ End of Log ] ------------------------------

                  Comment
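The SecurityCheck log above is what the helper reads for three things: which remote-access services are running, entries marked "Warning! Download Update" (the items shown in red) and the [ UnwantedApps ] section. As an added example, not code from the thread or from the SecurityCheck tool, here is a small parser for that log format; the sample excerpt is constructed from lines of the log posted above.

```python
"""Parse a SecurityCheck (glax24 & Severnyj) log and extract the findings a
helper acts on. Added example; SAMPLE_LOG is a constructed excerpt."""
import re

SAMPLE_LOG = """\
------------------------------- [ Windows ] -------------------------------
User Account Control enabled (Level 3)
Remote Registry (RemoteRegistry) - The service has stopped
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (disabled and up to date)
Avira Security (enabled and up to date)
------------------------------ [ ArchAndFM ] ------------------------------
7-Zip 24.08 (x64) v.24.08
WinRAR 7.00 (64-bit) v.7.00.0 Warning! Download Update
---------------------------- [ UnwantedApps ] -----------------------------
Avira System Speedup v.7.3.0.502 << Hidden Warning! Suspected demo version.
----------------------------- [ End of Log ] ------------------------------
"""

# Section header: dashes, "[ Name ]", dashes.
SECTION_RE = re.compile(r"^-+ \[ (?P<name>[^\]]+) \] -+$")
# Service line: "Display Name (ShortName) - The service is running|has stopped".
# The greedy display group makes (ShortName) bind to the last parenthesised token.
SERVICE_RE = re.compile(
    r"^(?P<display>.+) \((?P<short>[^()]+)\) - The service (?P<state>is running|has stopped)$")

def parse_securitycheck(text):
    """Return {'services': [(short, running)], 'outdated': [...], 'unwanted': [...]}."""
    result = {"services": [], "outdated": [], "unwanted": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = SERVICE_RE.match(line)
        if m:
            result["services"].append((m.group("short"), m.group("state") == "is running"))
        elif section == "UnwantedApps":
            # Product name only: drop the "<< Hidden Warning!" tail and the version.
            result["unwanted"].append(line.split(" <<")[0].split(" v.")[0])
        elif "Warning! Download Update" in line:
            result["outdated"].append(line.split(" v.")[0])
    return result

def running_remote_services(parsed):
    """Short names of remote-access services the log reports as running."""
    remote = {"RemoteRegistry", "TermService", "WinRM"}
    return [name for name, running in parsed["services"] if running and name in remote]
```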

                  • Malnutrition
                    PCHF Moderator
                    • Jul 2016
                    • 7045

                    #24
                    Follow the suggestions for the items in red. I really see no issues on your machine.

                    We can:

                    A: Close the thread and I give you a couple suggestions.
                    B: Give you a couple more on demand scanners and you post the autologger, we continue later.

                    Comment

                    • Matnat
                      PCHF Member
                      • Sep 2024
                      • 14

                      #25
                      Well, I guess we can close the thread. Maybe it was just my misapprehension from the start.
                      Thank you for your time! (y)

                      Comment

                      • Malnutrition
                        PCHF Moderator
                        • Jul 2016
                        • 7045

                        #26
                        Everything looks good, and there is no malware on your machine.

                        Download KpRM
                        Save to Desktop
                        Check Delete Tools
                        Check Delete Restore points.
                        Create Restore point.
                        Click delete quarantines.
                        Then click run.

                        I suggest:
                        Ublock Origin
                        O&O Shutup Ten
                        O&O App Buster

                        Comment
