Solved Malware removal?(Couldn't think of an original title)

  • Hi there and welcome to PC Help Forum (PCHF), a more effective way to get the Tech Support you need!
    We have Experts in all areas of Tech, including Malware Removal, Crash Fixing and BSOD's , Microsoft Windows, Computer DIY and PC Hardware, Networking, Gaming, Tablets and iPads, General and Specific Software Support and so much more.

    Why not Click Here To Sign Up and start enjoying great FREE Tech Support.

    This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Welcome to our Community
Wanting to join the rest of our members? Feel free to sign up today.
Sign up
Status
Not open for further replies.

Matnat

PCHF Member
Sep 27, 2024
14
3
28
Hi all,hi @Malnutrition In a nutshell,I think I got infected in August,ran both a McAfee and MalwareBytes scans,both were negative.I'll attach the FRST txt files and,being a tech-illiterate,wait for further instructions 🦍
 

Attachments

Program Removal:​


Uninstall these programs listed below:

  • McAfee (HKLM\...\McAfee.WPS) (Version: 1.22.203.1 - McAfee, LLC)
  • WebAdvisor by McAfee (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.1.1.949 - McAfee, LLC)


In Geek uninstaller click View MS Store Apps. Remove this:

  • McAfee -> C:\Program Files\McAfee\wps\1.22.203.1 [2024-09-19] ()
While you are in there remove any apps that you do not use.

With GeekUninstaller:

Use Force Mode if one of the programs will not uninstall.

You will need to Remove Mcafee as there is already Avira installed on this machine, and having two Antivirus applications can cause issues!!


 

FRST Fix.


Download attached fixlist.txt file and save it to the Desktop. NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Unzip to your desktop.





Do you know what these are?​


C:\Users\mattn\AppData\LocalLow\f8afd462e3bf2d24ae8bff2dd7144205aeadf013a462d9112c9ef7d285208c99
C:\Users\mattn\AppData\LocalLow\9384b3ce81a0a4bec37d00c684944e3ecfbe8aa24714513ba90798b78c925035
C:\Users\mattn\AppData\LocalLow\a6540bf5930ec992dd5d2dc86377ffba82e6f01eb2fe57fc446d8c88aed6d278
C:\Users\mattn\AppData\LocalLow\2f3c47a346f652668c2a3cc07e6306669d2a6e5f9fb1088902ddabd1be757030
C:\Users\mattn\AppData\LocalLow\d40544c696616e4af0c6ea20714070e5b7e08d1e1f5d1ca03b7afe7bbc7ede28
C:\Users\mattn\AppData\LocalLow\779935c3c0e8495fea93095d68ef2bc50fb6b465ec8e46bf605902794d32d053
C:\Users\mattn\AppData\LocalLow\cdc1487962cfd44871b1c31969e0d909c1149dcefe7f58e2bdcc3962483dcf66
C:\Users\mattn\AppData\LocalLow\c8d1244d215a354e02651fb2b918c4dc22334b9d24247ca7ad75c99d3f1011ef
C:\Users\mattn\AppData\LocalLow\d7fb279b61b1161fd7158236631042e92e60bef281802679efcfb1f1ff298016
C:\Users\mattn\AppData\LocalLow\d3f2f420f6164bbff4f4c7be963975348677e4857eb910010960b99e1d8e3103
C:\Users\mattn\AppData\LocalLow\f5e2c3a594959493a6644dd17bf1964d506f0df4b0ecc6929ef7c1f8f6a3408c
C:\Users\mattn\AppData\LocalLow\86660111396adba6efd1ce5c30bb9a3e4e475e72123372aa61119381f7970872
C:\Users\mattn\AppData\LocalLow\3a91625889d020df5d7e22b8a5823c0517cc924c5f1b8d0036ed9c17c599bffe
C:\Users\mattn\AppData\LocalLow\a7dc5dfac87f7e1d729b3e3bbfccfb871f20c4c594434031e0411606fe1358de
C:\Users\mattn\AppData\LocalLow\1d20e7546529928277d4278a9d0ff3056b064cfafd8280d5cfe2836e1832256e
C:\Users\mattn\AppData\LocalLow\0b5eacb3a7d0189ae09bc2d2cb032ac8ce3360e9ae285e9e8878930f3a55be09


I'll need the following:​


Post the Fixlog after running the fixlist:
Post fresh FRST and addition.txt logs.
Explain to me what your issues are?
 
Last edited:
I Apologize, there was a misspelled word in my script, that will cause the batch to not function.

Here it is revised.
 

Attachments

Last edited:

Program Removal:​


Uninstall these programs listed below:

  • McAfee (HKLM\...\McAfee.WPS) (Version: 1.22.203.1 - McAfee, LLC)
  • WebAdvisor by McAfee (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.1.1.949 - McAfee, LLC)
Not sure if I got your instructions right,but I first unnstalled these two from the Installed Apps directory in Settings.
In Geek uninstaller click View MS Store Apps. Remove this:

  • McAfee -> C:\Program Files\McAfee\wps\1.22.203.1 [2024-09-19] ()
While you are in there remove any apps that you do not use.

With GeekUninstaller:

Use Force Mode if one of the programs will not uninstall.

You will need to Remove Mcafee as there is already Avira installed on this machine, and having two Antivirus applications can cause issues!!


Then,once in Geek,I could find no trace of anything McAfee related,maybe I should have uninstalled with Geek from the start,sorry but I'm a noob 😕
 
  • Like
Reactions: Malnutrition




Do you know what these are?​


C:\Users\mattn\AppData\LocalLow\f8afd462e3bf2d24ae8bff2dd7144205aeadf013a462d9112c9ef7d285208c99
C:\Users\mattn\AppData\LocalLow\9384b3ce81a0a4bec37d00c684944e3ecfbe8aa24714513ba90798b78c925035
C:\Users\mattn\AppData\LocalLow\a6540bf5930ec992dd5d2dc86377ffba82e6f01eb2fe57fc446d8c88aed6d278
C:\Users\mattn\AppData\LocalLow\2f3c47a346f652668c2a3cc07e6306669d2a6e5f9fb1088902ddabd1be757030
C:\Users\mattn\AppData\LocalLow\d40544c696616e4af0c6ea20714070e5b7e08d1e1f5d1ca03b7afe7bbc7ede28
C:\Users\mattn\AppData\LocalLow\779935c3c0e8495fea93095d68ef2bc50fb6b465ec8e46bf605902794d32d053
C:\Users\mattn\AppData\LocalLow\cdc1487962cfd44871b1c31969e0d909c1149dcefe7f58e2bdcc3962483dcf66
C:\Users\mattn\AppData\LocalLow\c8d1244d215a354e02651fb2b918c4dc22334b9d24247ca7ad75c99d3f1011ef
C:\Users\mattn\AppData\LocalLow\d7fb279b61b1161fd7158236631042e92e60bef281802679efcfb1f1ff298016
C:\Users\mattn\AppData\LocalLow\d3f2f420f6164bbff4f4c7be963975348677e4857eb910010960b99e1d8e3103
C:\Users\mattn\AppData\LocalLow\f5e2c3a594959493a6644dd17bf1964d506f0df4b0ecc6929ef7c1f8f6a3408c
C:\Users\mattn\AppData\LocalLow\86660111396adba6efd1ce5c30bb9a3e4e475e72123372aa61119381f7970872
C:\Users\mattn\AppData\LocalLow\3a91625889d020df5d7e22b8a5823c0517cc924c5f1b8d0036ed9c17c599bffe
C:\Users\mattn\AppData\LocalLow\a7dc5dfac87f7e1d729b3e3bbfccfb871f20c4c594434031e0411606fe1358de
C:\Users\mattn\AppData\LocalLow\1d20e7546529928277d4278a9d0ff3056b064cfafd8280d5cfe2836e1832256e
C:\Users\mattn\AppData\LocalLow\0b5eacb3a7d0189ae09bc2d2cb032ac8ce3360e9ae285e9e8878930f3a55be09

Before going on with the FRST fxes,I looked them up,and they seem to be shader cache files for my Intel graphic card.Should I delete them?
Explain to me what your issues are?
It's a kinda long story,I believe I got infected through a corrupted portable wi-fi router,and now I have reason to believe my activities on and off the web(while connected to a different network than the afore-mentioned one) are being monitored.
 
Should I delete them?

No If they are related to your Intel graphic card then leave them.
It's a kinda long story
All good we will get to the bottom of it. Run the FRST fix, post the Fixlog, and new FRST and Addition.txt logs, along with this as well. This tool will check in places that FRST does not.

Download ZHP Suite to your desktop.
Unzip it there.
Right Click Run as admin.
Hit the scanner button.
Once it is complete a file name ZHPdiag.txt will be on your desktop.
Attach it.
 
Alright, run these for me while I check over the logs. Need to make sure I am not missing anything, with a little help from an on demand scanner. 👍

Dr Web Scan



  • Disable your antivirus
  • Download Dr Web
  • Save the file to your desktop.
  • Right Click on the randomly named file.
  • Run as administrator.
  • Agree to terms and continue.
  • Select objects for scanning, make sure all boxes are ticked.
  • Then check mark the click to select files and folders.
  • Make sure C: drive is checked.
  • Click OK.
  • Then click start scanning.
  • Once the scan is completed.
  • click on open report.
  • Then select file.
  • Save then save cureit.log to desktop.
  • Upload the log to https://pomf2.lain.la/ or https://ufile.io/ and send me a link to the file.
  • If you are sure about the files detected being malicious.
  • Then make sure all items are ticked and under action move to delete.
  • Then hit the Neutralize button.
  • Reboot your computer after the scan.






Download Autologger to your desktop.
Disable your Anitivirus/Defender prior to running.


  • Unzip it there. -- If you are unsure how to unzip a program, then use ---- http://www.7-zip.org/ ----
  • Right click Autologger and run as administrator. (Xp user double click)
  • AVZ4 will open and scan your machine, allow this to complete.
  • Upload Collectionlog.zip to your next reply.
 
Alas I clumsily interrupted the Autologger scan,and even after deleting the files and re-downloading it,I'm unable to run a new scan.Hope I'm not testing your patience 🤐
 
No infected files in DrWeb. 👍
Here is your next fix for FRST, no temp file removal this time.
I see no malware, but this will disable remote desktop services as well as remove some redundant files.

Code:
Start::
SystemRestore: On
CreateRestorePoint:
S3 netprotection_network_filter2; System32\drivers\netprotection_network_filter2.sys [X]
S3 polarbear-split-tunneling; \??\C:\Program Files\McAfee\WPS\1.22.203.1\vpn\Drivers\x64\SplitTunnelingDriver.sys [X]
Unlock: C:\Windows\System32\Drivers\60fb613b.sys
S3 60fb613b; C:\Windows\System32\Drivers\60fb613b.sys [377392 2024-09-27] (Microsoft Windows Hardware Compatibility Publisher -> AO Kaspersky Lab)
C:\Windows\System32\Drivers\60fb613b.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\60fb613b.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\60fb613b.sys => ""="Driver"
C:\KVRT2020_Data\Temp\34105D1614A078122BA1CE2FB62AD56C\klupd_60fb613ba_arkmon.sys
C:\Users\mattn\AppData\Roaming\McAfee
C:\Program Files\McAfee\WPS\1.22.203.1\vpn\Drivers\x64\SplitTunnelingDriver.sys
C:\Program Files\McAfee
DeleteKeY: HKLM\SOFTWARE\BullGuard
DeleteKeY: HKLM\SOFTWARE\WOW6432Node\KasperskyLab
DeleteKeY: HKCU\SOFTWARE\McAfee
DeleteKeY: HKU\.DEFAULT\SOFTWARE\McAfee
DeleteKeY: HKU\S-1-5-21-2412115035-3100614054-1925598170-1001\SOFTWARE\McAfee

StartBatch:
schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
sc stop DiagTrack
sc stop RasAuto
sc stop RasMan
sc stop SessionEnv
sc stop sysmain
sc stop TermService
sc stop UmRdpService
sc stop RemoteAccess
sc stop dmwappushservice
sc stop WSearch
sc stop lfsvc
sc config RasAuto start= disabled
sc config RasMan start= disabled
sc config SessionEnv start= disabled
sc config TermService start= disabled
sc config UmRdpService start= disabled
sc config RemoteAccess start= disabled
sc config sysmain start= disabled
sc config DiagTrack start= disabled
sc config dmwappushservice start= disabled
sc config WSearch start= disabled
sc config lfsvc start= disabled
EndBatch:

End::


Security Check Scan.

Download Security Check to your desktop.

  • Right click it run as administrator.
  • When the program completes, the tool will automatically open a log file.
  • Please Copy and paste that log here in your next post.
  • There will be items listed in red when you post this log, those items need to be updated.



In your next reply:

Post security check log and the fix log from FRST.

Alas I clumsily interrupted the Autologger scan,and even after deleting the files and re-downloading it,I'm unable to run a new scan.Hope I'm not testing your patience


No I assume you stopped it because it opened a brower, it is supposed to do that. You could try again after the fix or not, that is your choice.
 

Attachments

Apologies,the fixlist txt file goes in Desktop along with FRST,but what do I do with that code?
 
Status
Not open for further replies.