  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation.
1 - 20 of 83 Posts

·
Registered
Joined
·
52 Posts
Discussion Starter · #1 ·
Let me apologize in advance for being not very computer tech savvy, so apologies if things are unclear or confusing. A few days ago, I was on the internet using my home wi-fi, which is password protected with a strong password (although it was assigned by the router provider). I live alone. No one else has permission to use my wifi, except my sister when she visits, which she last did prior to 2019. I have never shared the wifi password with anyone and no one but me has had access to my computer or used it ever, even to just jump on the internet or check email or whatever. I do NOT visit known risky sites (like porn or piracy sites) or conduct any illegal activity on my computer, but I do spend a lot of time on the internet browsing sites, reading newsletters, checking email and that sort of thing. I also tend to have multiple tabs open and saved, and multiple windows of multiple tabs (if that makes sense). So as not to lose these, I generally restore them when I restart my computer, although I usually just keep my computer in sleep mode.

So, a few days back, I was on one of my sites. I was posting in a forum (this is a gaming site, but not a paid site and I have been on it for over seven years and never had any issues). All of a sudden, I had to fight to keep control of my mouse (I was trying to navigate to the lower part of the screen to post a comment and it kept wanting to go up to the top). I struggled for a few seconds, then let go of the mouse and turned it off (it is a remote mouse). I did not engage the touchpad on the computer (I use a remote keyboard as well). I watched the mouse navigate up to the top and sort of hover over the tabs (as though looking for something), then they closed the browser window. At that point I did a hard stop on the computer (shut down). When I turned it back on a few minutes later, everything worked normally and no one else *seemed* to have control. A few seconds or minutes prior to this, a McAfee popup appeared at the lower left of my screen (something about running a scan---the typical ones they send out---it did NOT say anything about installing, just running a scan), but because I was busy, I just clicked the "X" in the upper right corner to close the pop-up. I don't know if that allowed them to breach or if it was coincidence.

My sister (who does not live with or even near me---she is in another town) had a similar incident happen about 9 months ago; however, at the time, she was on a public wi-fi network. She eventually found a virus embedded somewhere, but her regular antivirus and malware bytes both missed it. She eventually found it using clamwire (or something like that) and running a scan that took three days. She only knew she had been infected because she does website design and was working on a site on the backend and one of the sites got blacklisted by google for having malware or something on it (sorry----this is all from what I remember her saying and again, I'm not very tech savvy, so some of those details may be wrong). But she found it because a site she was working on was flagged and there was apparently something they had planted on her computer or server or something.

Anyway, I have McAfee Total Protection on my computer and ran a quick and deep scan. It didn't find anything. I also downloaded and ran a malware bytes scan (this was all before finding your site) and that didn't find anything. Just to be safe, I did a factory reset of the computer (except for documents and pictures, as my sister said those are less likely to have anything put on them) and have reinstalled McAfee Total Protection, malware bytes (free version) and SuperAntiSpyware (since discovering your site). I ran scans and the only thing that was found (by SuperAntispyware) was tracking cookies and adware, which it removed. But I'm still concerned there could be something on the computer based on what happened to my sister that I'm not finding.

I'm also concerned as to how this could have happened. Is it just being on the internet that can allow someone to hack in and gain remote control? I know most "bad actors" probably don't want to let you KNOW they are gaining control, so I also wonder if it could have been kids messing around, but I'm also very nervous since, like so many these days, I do use the computer to purchase items and such.

I'm sorry for the long post, but am hoping someone can shed light to me on how this happened, how I can ensure nothing nefarious is on here now (or at least find out if there is and remove it), and how I can prevent it from happening again. I did read the General Security article on here, so I have set up an Admin Account and a user account and will start using my user account (once I figure out how to switch them upon sign in) and I plan to poke around this site more, too. But I thought maybe some of you more techy folks might have some advice and/or ways of explaining what happened and how it may have happened.

Also, I do use my home wifi for work. I use a different computer for that and am required to use a VPN when accessing my work files. Nothing happened that day with the work file.

I am (and was) on Windows 11 at the time this occurred. I have had this computer approximately two years and this is the first time this happened. Oh, and just in case it could be related, I HAVE been having issues with the internet (wifi) frequently dropping and/or stopping. I have reset the router numerous times. That has been going on for a few months.

Thank you so much for offering your site and time to help others out. I really appreciate it!

Tech Support Guy System Info Utility version 1.0.0.9
OS Version: Microsoft Windows 11 Home, 64 bit, Build 22000, Installed 20220902005222.000000-420
Processor: Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz, Intel64 Family 6 Model 126 Stepping 5, CPU Count: 8
Total Physical RAM: 12 GB
Graphics Card: Intel(R) Iris(R) Plus Graphics, 1024 MB
Hard Drives: C: 930 GB (876 GB Free);
Motherboard: HP 86AB, ver 95.36, s/n PJMZA038JE902G
System: Insyde, ver HPQOEM - 2, s/n 5CD040280R
Antivirus: Malwarebytes, Enabled and Updated
 

·
Trusted Advisor & Malware Specialist
Joined
·
3,914 Posts
Hi and welcome to TSG Forums.

It was probably a coincidence. I recommend that you change your router's and wi-fi's passwords, and after that, provide some logs here for me to check for any possible malware.

To do that:

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your antivirus software detects the tool as malicious, it's safe to allow FRST to run. It is a false-positive detection.

If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe
  • Double-click the FRST icon to run the tool. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the two logs in your next reply.
 

·
Registered
Joined
·
52 Posts
Discussion Starter · #3 · (Edited)
Thank you, Dr. M, it's nice to meet you. And I very much appreciate your help.

I know this is a stupid question, but I have no idea how to change my router and wi-fi passwords. I did a search on how to change router settings and tried to follow step by step instructions and I changed my device access code (I think), but the instructions talk about it taking me to a default password and log in page and I don't see anything like that on my AT&T router page. Also, the page I entered (http: + router ISP address) is not secure, so I don't know if the changes I made were secure either. :( I don't know if changing the device access code is the same as changing the router code? But I changed it (I think?)

The article also talked about changing the SSID and to do that it said I'd have a login thing that's not showing up either. Basically, I can access the device and see into putting the IP address into my web browser, but I can't see how I can get admin privileges to change anything. Should I handle the router and wireless before I run the suggested scan?

Update: I did change the device password, but I don't see a way to change the wifi password. It shows the default password and then has a confirm button, but won't allow me to enter anything or change anything.

Apologies in advance for my ignorance. This is definitely a learning process. I really appreciate your help.
 

·
Registered
Joined
·
52 Posts
Discussion Starter · #4 ·
I was having trouble changing the router and wi-fi passwords, but that's been fixed now with the help of my internet provider. So I will commence with getting the other information to you as soon as I can.

I am so grateful for your assistance. And your patience and kindness. I'll be back soon with the logs you requested.
 

·
Registered
Joined
·
52 Posts
Discussion Starter · #5 · (Edited)
Hello again, Dr. M. I used the link to access Farbar. My antivirus blocked the first download saying it was infected, so I tried the second. That one downloaded and ran fine, but didn't save to my desktop (it didn't give me an option of where to save it). However, I was able to find the log and save to my desktop and have attached it, as instructed.

Thank you so much for all your help with this. I really appreciate it.

Also, I don't see the files attached, so I'll try again. (Okay, still not seeing it on my end. When I tried to attach it, it's showing up with a strikeout on the file name and I'm not sure if it's attaching. I can't see it here, so hopefully it is there for you? If not, let me know what I can do to attach it. I clicked the attach files and opened it to upload like I normally do, but for some reason it doesn't seem to be working.)

Please let me know if you are able to see them and if they attached properly or not.
 

·
Registered
Joined
·
52 Posts
Discussion Starter · #6 ·
I have attached the log. It is only one, but I uploaded twice, just in case. It is only one document, though.

And it's still not showing up for me, so hoping it is showing up somewhere. Apologies if there are multiples attached now. :)
 

·
Trusted Advisor & Malware Specialist
Joined
·
3,914 Posts
Hi!

Thank you for all the information given. Unfortunately nothing got attached. Since you are experiencing this error, transforming the 2 logs into a zip file would fix the issue. Select both the logs, right click and choose Send to zip. Save the zip file and then attach it in your next reply.

FYI, I am usually available online during 5-10 p.m. my time. Now it is 5:35 p.m.
 

·
Registered
Joined
·
52 Posts
Discussion Starter · #8 ·
Hello, Dr. M. It's 8:22 a.m. my time. :) But I don't mind a delay in response time since I know we are all in different time zones and I'm sure you also are busy with other things in life. I'm just grateful for your help. Looks like the logs attached properly this time. Also, they saved to the main hard drive, not the desktop (not sure why as I didn't choose that)---please let me know if that's a problem or I should remove them when this process is over.

I work today, so I'll be on for about another half hour, then not for another 12-14 hours after that. And no worries if you can't get to it until tomorrow. As I said, just grateful for the help!

Thanks so much for your time and assistance!
 

Attachments

·
Trusted Advisor & Malware Specialist
Joined
·
3,914 Posts
We have a 10 hours' difference! Thanks for the logs. I'll review them and possibly you will see my instructions later today, or tomorrow this time.

As to where the logs are located: they are located where the FRST tool is located. Since you have installed it in your Downloads folder, the logs are also there. I would like you to drag the FRST tool and drop it on to the Desktop.
 

·
Registered
Joined
·
52 Posts
Discussion Starter · #10 ·
Indeed, we do! So good evening to you and good morning to me! lol.

Is the FRST tool the folder marked FRST? That is what I found on the hard drive. I will drag that to the desktop for now and await further instructions if that isn't correct.
 

·
Trusted Advisor & Malware Specialist
Joined
·
3,914 Posts
No, according to your logs, the tool is here:

Running from C:\Users\19168\Downloads

Here is its icon: [image: FRST icon]


Just move it on to the Desktop.

Have a nice day!
 

·
Registered
Joined
·
52 Posts
Discussion Starter · #12 ·
Oh, okay. I thought the C drive was the hard drive. I moved the folder with the logs, but I'll go move that icon back too.

I mentioned I'm not very tech savvy, right? 😁

Have a wonderful evening and thanks again for your help!
 

·
Trusted Advisor & Malware Specialist
Joined
·
3,914 Posts
Since we are starting the cleaning procedure here...

Please adhere to the guidelines below, and then carefully follow, in the same order, all the instructions after:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but can also make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, keep in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.

======================

Having in mind the above...

The McAfee product seems to be cracked. Again, having such programs is the easiest way to infect your computer. You want to protect your computer, but in fact you put it at great risk. I would recommend that you uninstall it, using Revo Uninstaller.
  • Download the Revo Uninstaller (Free Download) and save it on your Desktop.
  • Double click on the exe file created on your Desktop to run the installer, and follow the instructions to install the program.
  • Double click the program's icon to open it.
  • Write in the search area, on the top left, the following program:
Code:
McAfee Total Protection
  • Choose the Uninstall tab from the menu and let the program create a Restore point.
  • Choose Scan, and then the Advanced mode scan.
  • Select all the McAfee items found, Delete and Next.
  • Let the procedure be completed and click on Finish.
  • Restart the computer.
After that...

Run the FRST again and attach for me fresh logs, Addition and FRST.
 

·
Registered
Joined
·
52 Posts
Discussion Starter · #15 ·
Thanks so much! I'm on a quick work break, so really won't start this process before I get off work, since I don't want to rush it and make any errors. I should back everything up before I do this, too, right? (By everything, I mean photos, documents, etc. as per the main guidelines?) I have those on a different account on the computer, but it will be the one I'll be working on to follow the instructions above later tonight (or in your case, later tomorrow morning---lol).

Also, when you say the McAfee file is cracked, do you mean malware is on there? Or someone may have hacked into it? Or did I accidentally install a bad one from the internet? I subscribe to McAfee as my anti-virus program (for a yearly fee), so is this something I should also report to them, too? And will I be able to install a safe version after I uninstall it (I assume this may be something coming up, but just want to be sure I know what I'm doing before taking that off the computer). I pay for the program, so I'm sure you can understand my concern about it being cracked or hacked. :) And also ensuring I can get the services I pay for eventually (and if not, please let me know what anti-virus software you would recommend---I definitely want to keep up with that).

After having talked to my sister, who is more tech savvy than I am, I also want to add that when I originally purchased this computer, it came with a McAfee trial (pre-installed, with purchase). I think that was McAfee Total Protection, but it may have been another version. I originally subscribed from the link that was part of that trial version, upon expiration of same. Since then, I have had to reset my computer a few times. Once, a few months back, I had to call McAfee to try to explain that I had a paid version, not the trial version, and needed it reinstalled. That person walked me through the process----and now I'm wondering if maybe I didn't reach the "real" McAfee? I can't remember how I found them, but I think it was a google internet search. I do remember they offered to download it for me using remote access, but I gave a hard no on that (I'm not that tech savvy, but I'm not stupid)----but they seemed legit. She said she could see I had a subscription----and that I had paid for it (it had been renewed only a month or two prior on auto renewal). And she walked me through downloading it. So now I'm concerned about the entire program---according to my sister, "cracked programs" are pirated? But how on earth would I have gotten that on here since I pay for it and do not use my computer for anything illegal (I work in law enforcement and would NEVER buy or use anything pirated or illegal! I'm horrified to even know this could have happened---and concerned). Is it possible I didn't reach the actual McAfee and somehow the person was just trying to gain access? That seems weird, though, too, since I haven't had any weird credit card or banking stuff since then and I do buy things online and such. Or could it have been hijacked onto my computer if I clicked a weird link or something inadvertently?

Also, this is a bit rambling and I apologize for that. I'm horrified and upset right now (not at you---I'm very thankful for you and your help), but just knowing this happened and having no idea how it did. And how can I avoid it happening again if I don't know how it originally happened? I 100% assure you I have never, and would never, download or purchase known pirated or illegal ANYTHING. But I do need to make sure I have the program that I pay for (which should be the legit McAfee....right?)

Sorry for all the questions. And thank you so much for your patience. I will be back to follow your instructions this evening (my time).

(Apologies for the very late response. I tried unsuccessfully to get on the website for hours last night and was unable to do so----looks like there was an update. I usually can respond after work my time (your morning or nighttime). So the above was my original message, then some edits as I freaked out and did research.)
 

·
Registered
Joined
·
52 Posts
Discussion Starter · #16 ·
Okay, I downloaded Revo Uninstaller (free download) as instructed above. But when I type in "McAfee Total Protection" it says the program is not found. There is a McAfee Total Protection in the list with the registered mark (the "R" with a circle around it)----and I want to make sure I'm picking the right thing to delete. So is the one with the "registered" mark next to it the one I should click as it's the only one in the list? I know that's probably a dumb question, but being as I pay for a subscription, I'm wondering if the one I'm seeing might be the legit one I pay for and whatever we are trying to remove may be something else? I did an internet search and got a way to type the R symbol with the circle around it, but before choosing that want to double-check it's what I should be doing since it wasn't listed in the example above (sorry, at this point I'm very paranoid about inadvertently doing something wrong and making things worse).

Thanks so much for your help. I'll wait for your answer before proceeding, as instructed. (And hopefully tonight I'll be able to work on this more timely after your response---assuming the website stays up! :)
 

·
Registered
Joined
·
52 Posts
Discussion Starter · #17 ·
So sorry for another post, but I can't see a way to edit the earlier one. I've attached a picture to show you what I see. So in one, you'll see if I enter "McAfee" and type a space, it says there is no program, but in the other, if I type in "McAfee" and put the "R in circle" symbol, then it pulls up a program from the list.

I had to delete the pictures I was trying to show you as they had unintended personal information in them (sorry---really NOT tech savvy---in fact, when I told my sister there had been a "cracked" program and she explained to me what it was her comment was, "I don't even think you'd know how to access something like that..." and she was correct!). Let me know if the pictures would help and I'll post them for you.
 

·
Trusted Advisor & Malware Specialist
Joined
·
3,914 Posts
Hi, SqirrelwBanjo.

It seems that my last post upset you, and I didn't mean to do that. :)

There are 2 McAfee products installed on your computer:

WebAdvisor by McAfee
McAfee® Total Protection

The first one is free. The second one is based on a subscription. If you have a subscription (usually for 2 years) then everything is fine. But there is this line in your logs:

2022-09-02 08:58 - 2022-09-02 08:58 - 083534280 _ (McAfee, LLC) C:\Users\19168\Downloads\McAfee_Installer_serial_y7Zwc6MW1JiLSKoEztODcw2_key_affid_1494_akey (1).exe

The above shows that on September 2nd, you downloaded this file which has to do with the product and its serial. A usual, legal installer doesn't have a name which includes the words serial or key etc.

So...

You need to verify that you have a McAfee subscription, meaning that you own a key.

If not, you will need to uninstall McAfee® Total Protection. If this is the case, please also uninstall WebAdvisor too.
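
Added example (not part of the original posts and not FRST's own code): a small Python parser for the log entry quoted above that flags the filename words the post names as whole words. The field layout is inferred from that one quoted line, the extra sample lines are constructed, and `EXECUTABLE_SUFFIXES` and all function names are assumptions; a flag is a prompt to check where the file came from, not a verdict on it.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Layout inferred from the one entry quoted in the thread (an assumption):
#   created - modified - size attributes (vendor) full path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<vendor>[^)]*)\) "
    r"(?P<path>[A-Za-z]:\\.+)$"
)

NAME_TOKENS = ("serial", "key")  # the words named in the post
EXECUTABLE_SUFFIXES = {".exe", ".msi", ".scr", ".bat", ".cmd"}  # assumption


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    vendor: str
    path: PureWindowsPath


def parse_entry(line):
    """Parse one log entry; return None when the line has another shape."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return Entry(m["created"], m["modified"], int(m["size"]),
                 m["vendor"].strip(), PureWindowsPath(m["path"]))


def triage(entry):
    """Return reasons to check an executable by hand (empty list = none)."""
    if entry.path.suffix.lower() not in EXECUTABLE_SUFFIXES:
        return []
    # Split the name into whole words so "akey" or "monkey" do not match "key".
    words = [w for w in re.split(r"[^a-z0-9]+", entry.path.stem.lower()) if w]
    reasons = []
    hits = [t for t in NAME_TOKENS if t in words]
    if hits:
        reasons.append("name contains: " + ", ".join(hits))
    if not entry.vendor:
        reasons.append("no vendor string in the log entry")
    if "downloads" in (p.lower() for p in entry.path.parts):
        reasons.append("located in a Downloads folder")
    return reasons


# The entry quoted in the thread.
PAGE_LINE = (r"2022-09-02 08:58 - 2022-09-02 08:58 - 083534280 _ (McAfee, LLC) "
             r"C:\Users\19168\Downloads\McAfee_Installer_serial_"
             r"y7Zwc6MW1JiLSKoEztODcw2_key_affid_1494_akey (1).exe")

# Constructed sample entries (not from the thread).
CONSTRUCTED_LINES = [
    r"2022-09-03 10:15 - 2022-09-03 10:15 - 000120400 _____ () "
    r"C:\Users\example\Desktop\monkey_game_setup.exe",
    r"2022-09-03 10:20 - 2022-09-03 10:20 - 000048211 _____ () "
    r"C:\Users\example\Downloads\serial_numbers.pdf",
]


def review(lines):
    """Return (file name, reasons) for each line; unparsed lines are reported."""
    results = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            results.append((line, ["unparsed line"]))
        else:
            results.append((entry.path.name, triage(entry)))
    return results


if __name__ == "__main__":
    for name, reasons in review([PAGE_LINE] + CONSTRUCTED_LINES):
        print(name, "->", "; ".join(reasons) or "nothing to check")
```
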
 

·
Registered
Joined
·
52 Posts
Discussion Starter · #19 ·
Hi, Dr. M:

I'm upset, but not at you or because of anything you said. Please know how much I appreciate all you are doing to help me! The upset comes from not knowing how this could have happened. So, is the WebAdvisor by McAfee the one with the key thing? So, after I reset my computer, I went to my McAfee page and downloaded my total protection. What I do recall is a pop up with the WebAdvisor asking if I wanted to install it and I thought it was part of my subscription so I clicked to do that. It sounds like I may have inadvertently clicked on a malware or pirated version? But I do recall the WebAdvisor being a pop up (this was all after resetting and reinstalling). I thought it was part of the total protection, which is why I clicked it. So now this is making more sense to me as to HOW it got there. I'm just horrified ANYTHING illegal would be on my computer.

So, should I go ahead and uninstall BOTH of the McAfee programs or just the WebAdvisor at this point? I'll do either (even if I have to reinstall my subscription one), just to make sure everything is okay.

I'm confused as to how I would know I own a key. In the past, I have purchased anti-virus and home office (like MS word) from a place that had either a disc or card and that always had a key code to enter in ----and it stayed the same each time. But with this one, I went to McAfee's site (or what I thought was their site) and downloaded it. I was not given a key. They did have a serial number that came up (this had happened when I had to reset before), but the CSR had told me that changed each time (which seemed odd), but ----I did write a couple of them down; they are 15 characters long. But they were listed as "serial numbers" not key and I was told they were randomly generated. Would it help if I showed you screenshots of my subscription page? I can definitely do that, too.

I'm so very sorry if I came across as upset at you. I am upset with the situation, but that is NOT your fault. You are just the messenger. And I was horrified to think you might think I purposefully downloaded illegal stuff, because I'd never do that. I know you don't know me, but people who do know that. So if I came off as upset, it was definitely at this situation ----and I just want to ensure it doesn't happen again----so getting educated on this is VERY helpful. I'm grateful for you----truly! :)

Thank you again so much for the help and patience. I appreciate your assistance and time very much! Please let me know which one (or both) that I should uninstall and I will do that asap.

p.s. Also, I'm pretty sure my subscription auto-renews every year, not every two years.
 

·
Registered
Joined
·
52 Posts
Discussion Starter · #20 · (Edited)
Also, how can I verify I have a key with the subscription? Again, apologies for the stupidity of these questions. I know I'm not very tech savvy.

I just went to my account and I don't see anything about a key. It shows I'm renewed; five devices protected, has my email, payment info, etc, on for auto renewal and expires in June 2023. But I don't see anything about a key in there. So does that mean this is a bogus McAfee? It was the official (I think) website I logged in on---Rakuten offered some money back for purchases there.
 