Hi all, hi @Malnutrition. In a nutshell, I think I got infected in August, ran both McAfee and MalwareBytes scans, both were negative. I'll attach the FRST txt files and, being a tech-illiterate, wait for further instructions 🦍
Not sure if I got your instructions right, but I first uninstalled these two from the Installed Apps directory in Settings.
Program Removal:
Uninstall these programs listed below:
- McAfee (HKLM\...\McAfee.WPS) (Version: 1.22.203.1 - McAfee, LLC)
- WebAdvisor by McAfee (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.1.1.949 - McAfee, LLC)
Then, once in Geek, I could find no trace of anything McAfee related. Maybe I should have uninstalled with Geek from the start, sorry but I'm a noob 😕
In Geek uninstaller click View MS Store Apps. Remove this:
While you are in there remove any apps that you do not use.
- McAfee -> C:\Program Files\McAfee\wps\1.22.203.1 [2024-09-19] ()
With GeekUninstaller:
Use Force Mode if one of the programs will not uninstall.
You will need to remove McAfee as there is already Avira installed on this machine, and having two antivirus applications can cause issues!!
Before going on with the FRST fixes, I looked them up, and they seem to be shader cache files for my Intel graphics card. Should I delete them?
Do you know what these are?
It's a kinda long story. I believe I got infected through a corrupted portable wi-fi router, and now I have reason to believe my activities on and off the web (while connected to a different network than the afore-mentioned one) are being monitored.
Explain to me what your issues are?
Should I delete them?
All good, we will get to the bottom of it. Run the FRST fix, post the Fixlog, and new FRST and Addition.txt logs, along with this as well. This tool will check in places that FRST does not.
Start::
SystemRestore: On
CreateRestorePoint:
S3 netprotection_network_filter2; System32\drivers\netprotection_network_filter2.sys [X]
S3 polarbear-split-tunneling; \??\C:\Program Files\McAfee\WPS\1.22.203.1\vpn\Drivers\x64\SplitTunnelingDriver.sys [X]
Unlock: C:\Windows\System32\Drivers\60fb613b.sys
S3 60fb613b; C:\Windows\System32\Drivers\60fb613b.sys [377392 2024-09-27] (Microsoft Windows Hardware Compatibility Publisher -> AO Kaspersky Lab)
C:\Windows\System32\Drivers\60fb613b.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\60fb613b.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\60fb613b.sys => ""="Driver"
C:\KVRT2020_Data\Temp\34105D1614A078122BA1CE2FB62AD56C\klupd_60fb613ba_arkmon.sys
C:\Users\mattn\AppData\Roaming\McAfee
C:\Program Files\McAfee\WPS\1.22.203.1\vpn\Drivers\x64\SplitTunnelingDriver.sys
C:\Program Files\McAfee
DeleteKeY: HKLM\SOFTWARE\BullGuard
DeleteKeY: HKLM\SOFTWARE\WOW6432Node\KasperskyLab
DeleteKeY: HKCU\SOFTWARE\McAfee
DeleteKeY: HKU\.DEFAULT\SOFTWARE\McAfee
DeleteKeY: HKU\S-1-5-21-2412115035-3100614054-1925598170-1001\SOFTWARE\McAfee
StartBatch:
schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
sc stop DiagTrack
sc stop RasAuto
sc stop RasMan
sc stop SessionEnv
sc stop sysmain
sc stop TermService
sc stop UmRdpService
sc stop RemoteAccess
sc stop dmwappushservice
sc stop WSearch
sc stop lfsvc
sc config RasAuto start= disabled
sc config RasMan start= disabled
sc config SessionEnv start= disabled
sc config TermService start= disabled
sc config UmRdpService start= disabled
sc config RemoteAccess start= disabled
sc config sysmain start= disabled
sc config DiagTrack start= disabled
sc config dmwappushservice start= disabled
sc config WSearch start= disabled
sc config lfsvc start= disabled
EndBatch:
End::
Alas, I clumsily interrupted the Autologger scan, and even after deleting the files and re-downloading it, I'm unable to run a new scan. Hope I'm not testing your patience.