61 - 80 of 83 Posts

Trusted Advisor & Malware Specialist · 3,915 Posts
Hello.

Many apologies for the delayed reply. Real life is not easy at all. :)

Since it's been a while, I would like you to do the following, in case you are still dealing with any issues:

1. Report briefly the remaining issues (1... 2.... 3...).

2. Fresh FRST logs, Addition and FRST.
 

Registered · 52 Posts · Discussion Starter · #62
Hello, Dr. M!

No worries, and I agree: real life can be a real bear (mine has been lately, too!). I hope things settle down soon for both of us!

1. Still want to make sure the unauthorized remote access did not put anything nefarious on this computer (virus, malware, or other issues).

I've attached the fresh FRST logs. :) Thank you so much for your help! And I hope you have a wonderful weekend.
 


Trusted Advisor & Malware Specialist · 3,915 Posts
Hi.

Thanks for the new logs.

The computer is clean from malware and there is no sign of any active infection.

Before I ask you for some additional checks and a simple maintenance, please let me know if you would like to keep these:

WebAdvisor by McAfee
McAfee® Personal Security

I know that you went through different thoughts about them, but now you have to make a decision. Since you reset the computer, it is possible these products are there as pre-installed software. It's up to you whether you keep or remove them, but please let me know.
 

Registered · 52 Posts · Discussion Starter · #64
Oh, that is good news!

I would like to remove them. When I get a clean bill of health for the computer, I plan to go with Bitdefender eventually. Until then I'll use Windows Defender. So no need for McAfee. I believe they were both preinstalled, but they were messing up Windows Defender, so let's remove them.
 

Trusted Advisor & Malware Specialist · 3,915 Posts
OK, you mean you will go with BitDefender or Microsoft Defender?

To remove the McAfee products:
  • Press Windows logo key on the keyboard and the letter i to go to Settings.
  • From the menu at the left select Apps and then Apps and Features.
  • Find the 2 McAfee products, click on the 3 dots at the right and select Uninstall.
  • Restart the computer.
Let me know how the procedure went.
 

Registered · 52 Posts · Discussion Starter · #66
I plan to keep Microsoft Defender for now. But once we have this process completed, I will subscribe to Bitdefender. I still have a McAfee Total Protection subscription paid through June 2023, but I've decided not to use it. I will just keep MS Defender and then in June 2023, subscribe to BitDefender and install it at that time. For now, I will stick with Microsoft Defender.

I will follow your instructions now and will report back upon completion. :)
 

Trusted Advisor & Malware Specialist · 3,915 Posts
Great. Now let me see fresh FRST logs, which I'll review for you tomorrow.

Although it's your choice, staying with Microsoft Defender is a good choice too. Since you decided to try it, perhaps you will change your mind in the end. :)
 

Registered · 52 Posts · Discussion Starter · #69
Yes, I may stay with it; time will tell. It is nice they have it installed automatically.

I ran another set of logs, as requested, and have attached them here. Thank you so much for your help! I hope you have/had a great evening and rest and look forward to hearing from you tomorrow (or whenever you are able to get back online).

Apologies if you just meant you needed time to review the previous ones attached. I ran another set just to be sure. :)
 


Trusted Advisor & Malware Specialist · 3,915 Posts
Hello.

Let's move on.

1. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
AV: McAfee VirusScan (Enabled - Up to date) {F682A51C-4EAD-6A3A-F460-B9C1D4A2DB09}
FW: McAfee Firewall (Enabled) {CEB92439-04C2-6B62-DF3F-10F42A719C72}
HKLM\Software\...\Authentication\Credential Providers: [{C885AA15-1764-4293-B82A-0586ADD46B35}] ->
U3 aspnet_state; no ImagePath
2022-09-15 20:06 - 2022-09-15 20:06 - 000000000 ____D C:\Users\MsSquirrel\AppData\Roaming\McAfee
2022-09-15 20:06 - 2022-09-15 20:06 - 000000000 ____D C:\Users\MsSquirrel\AppData\Local\CEF
2022-09-10 21:45 - 2022-09-10 21:45 - 011609272 _____ (McAfee, LLC) C:\Users\19168\Downloads\MCPR (1).exe
2022-09-10 21:22 - 2022-09-10 21:23 - 083534280 _____ (McAfee, LLC) C:\Users\19168\Downloads\McAfee_Installer_serial_lB84rflgdhohGIU6RtHRjg2_key_affid_1494_akey.exe
2022-09-10 21:03 - 2022-09-10 21:03 - 011609272 _____ (McAfee, LLC) C:\Users\19168\Downloads\MCPR.exe
2022-09-10 20:48 - 2022-09-10 20:48 - 003692768 _____ (McAfee, LLC) C:\Users\19168\Downloads\WSSInstallHelper.exe
2022-09-10 20:48 - 2022-09-10 20:48 - 000170439 _____ C:\Users\19168\Downloads\dataConfig.cab
2022-09-10 20:48 - 2022-09-10 20:48 - 000017045 _____ C:\Users\19168\Downloads\daConfig.cab
2022-09-10 20:48 - 2022-09-10 20:48 - 000000000 ____D C:\Users\19168\Downloads\Scripts
2022-09-10 20:40 - 2022-09-10 20:40 - 083534280 _____ (McAfee, LLC) C:\Users\19168\Downloads\McAfee_Installer_serial_YzQ9zQyuWE5ZJkqqC9PTcA2_key_affid_1494_akey.exe
2022-09-17 10:57 - 2020-09-30 13:22 - 000000000 ____D C:\Program Files\McAfee
2022-09-16 20:22 - 2020-09-30 13:22 - 000000000 ____D C:\Program Files\Common Files\McAfee
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.

2. Malwarebytes scan
  • Download Malwarebytes and save it to your Desktop.
  • Once downloaded, close all programs and windows on your computer.
  • Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
  • Follow the instructions to install the program.
  • When finished, double click the program's icon created on your Desktop.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the last two steps below.

If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

3. Question about Office

Is Microsoft Office running fine? I'm asking because there is a line about it in the fix and I wonder if it needs investigation.


In your next reply, please post:
  1. The fixlog.txt
  2. The Malwarebytes report
  3. Your reply about Office
 

Registered · 52 Posts · Discussion Starter · #71
Thank you, Dr. M.

I've attached the FRST fix log.

The Malwarebytes info is below:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/18/22
Scan Time: 12:13 PM
Log File: 042250b4-3786-11ed-840a-f80dac1b9e20.json

-Software Information-
Version: 4.5.14.210
Components Version: 1.0.1767
Update Package Version: 1.0.60233
License: Expired

-System Information-
OS: Windows 11 (Build 22000.978)
CPU: x64
File System: NTFS
User: LAPTOP-U71RKGHV\19168

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 313168
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 3 hr, 9 min, 32 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

I have not signed into Microsoft Office or the OneDrive, which may be why that is showing up. But I will sign in now. I will edit this to report if there are problems, if necessary. :)
 


Trusted Advisor & Malware Specialist · 3,915 Posts
Hi!

The fix ran effectively, and the Malwarebytes log is clean. The computer is malware free and safe to use.

If no other issues/questions/concerns...

The following tool will remove the tools we used as well as reset system restore points:

Download KpRm by kernel-panik and save it to your desktop.
  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.
 

Registered · 52 Posts · Discussion Starter · #73 · (Edited)
Hello and thanks for your help. When I ran the program and followed the instructions, it kicked me to a completely white screen upon completion. I lost my taskbar and main desktop---it was just completely blank. I'm not sure why. I had to sign in and out a few times (once as administrator) to get it clear. Is everything okay or is that weird?

Also, some of the FRST files are still on the desktop---not sure if that is weird or not, either. Here is the info (which it took me a while to find because the copy and paste didn't work due to the white screen, but I located it on the hard drive). :)

# Run at 9/19/2022 1:53:45 PM
# KpRm (Kernel-panik) version 2.9.3
# Website https://kernel-panik.me/tool/kprm/
# Run by 19168 from C:\Users\MsSquirrel\Downloads
# Computer Name: LAPTOP-U71RKGHV
# OS: Windows 10 X64 (22000)
# Number of passes: 1

- Checked options -

~ Registry Backup
~ Delete Tools
~ Restore System Settings
~ UAC Restore
~ Delete Restore Points
~ Create Restore Point
~ Delete Quarantines

- Create Registry Backup -

~ [OK] Hive C:\WINDOWS\System32\config\SOFTWARE backed up
~ [OK] Hive C:\Users\19168\NTUSER.dat backed up

[OK] Registry Backup: \KPRM\backup\2022-09-19-13-53-45

- Delete Tools -
 

Trusted Advisor & Malware Specialist · 3,915 Posts
You didn't let the tool complete its job; that is why the FRST logs/items are still on the Desktop or elsewhere. Sometimes KpRm looks like it freezes, but it is actually running. Try to run it once again and give it time, even if you see the white screen. If, for example, 20 minutes pass and it is still there, please let me know and I'll give you other instructions to remove anything needed.
 

Registered · 52 Posts · Discussion Starter · #75 · (Edited)
Thank you, Dr. M. I'm sorry I didn't realize it was still running with the white screen.

Here is the new report:

# Run at 9/21/2022 9:28:07 PM
# KpRm (Kernel-panik) version 2.9.3
# Website https://kernel-panik.me/tool/kprm/
# Run by 19168 from C:\Users\MsSquirrel\Downloads
# Computer Name: LAPTOP-U71RKGHV
# OS: Windows 10 X64 (22000)
# Number of passes: 1

- Checked options -

~ Registry Backup
~ Delete Tools
~ Restore System Settings
~ UAC Restore
~ Delete Restore Points
~ Create Restore Point
~ Delete Quarantines

- Create Registry Backup -

~ [OK] Hive C:\WINDOWS\System32\config\SOFTWARE backed up
~ [OK] Hive C:\Users\19168\NTUSER.dat backed up

[OK] Registry Backup: \KPRM\backup\2022-09-21-21-28-07

- Delete Tools -

No tools found

- Restore System Settings -

[OK] Reset WinSock
[OK] FLUSHDNS
[OK] Hide Hidden file.
[OK] Show Extensions for known file types
[OK] Hide protected operating system files

- Restore UAC -

[OK] Set EnableLUA with default (1) value
[OK] Set ConsentPromptBehaviorAdmin with default (5) value
[OK] Set ConsentPromptBehaviorUser with default (3) value
[OK] Set EnableInstallerDetection with default (0) value
[OK] Set EnableSecureUIAPaths with default (1) value
[OK] Set EnableUIADesktopToggle with default (0) value
[OK] Set EnableVirtualization with default (1) value
[OK] Set FilterAdministratorToken with default (0) value
[OK] Set PromptOnSecureDesktop with default (1) value
[OK] Set ValidateAdminCodeSignatures with default (0) value

- Clear Restore Points -

~ [OK] RP named KpRm created at 09/19/2022 20:56:08 deleted
[OK] All system restore points have been successfully deleted

- Create Restore Point -

[OK] System Restore Point created

- Display System Restore Point -

~ RP named KpRm created at 09/22/2022 04:29:53

-- KPRM finished in 132.24s --
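The "- Restore UAC -" section of the log above lists the values KpRm wrote back. As an added example (not code from the thread or from KpRm), this PowerShell snippet reads the live UAC policy key and reports which values differ from those logged defaults, so a reviewer can confirm the reset held after the reboot; the key path under HKLM\...\Policies\System is the standard UAC location and is assumed here, not quoted in the thread.

```powershell
# Added example: audit the UAC policy values against the defaults KpRm logged.
# Assumed (well-known) location of the UAC policy values; not quoted in the thread.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Values exactly as listed in the "- Restore UAC -" section of the KpRm log.
$expected = [ordered]@{
    EnableLUA                   = 1
    ConsentPromptBehaviorAdmin  = 5
    ConsentPromptBehaviorUser   = 3
    EnableInstallerDetection    = 0
    EnableSecureUIAPaths        = 1
    EnableUIADesktopToggle      = 0
    EnableVirtualization        = 1
    FilterAdministratorToken    = 0
    PromptOnSecureDesktop       = 1
    ValidateAdminCodeSignatures = 0
}

function Test-UacDefaults {
    param(
        [string]$Path = $uacKey,
        [System.Collections.IDictionary]$Expected = $expected
    )
    # Get-ItemProperty returns one object whose properties are the registry values.
    $current = Get-ItemProperty -Path $Path
    foreach ($name in $Expected.Keys) {
        $value = $current.$name
        if ($null -eq $value) {
            # Absent value: Windows falls back to its built-in default for that setting.
            $status = 'MISSING'
        } elseif ($value -eq $Expected[$name]) {
            $status = 'OK'
        } else {
            $status = "DIFFERS (expected $($Expected[$name]))"
        }
        [pscustomobject]@{ Name = $name; Current = $value; Status = $status }
    }
}

# EnableLUA = 0 is the finding that matters most: it means UAC is disabled entirely.
Test-UacDefaults | Format-Table -AutoSize
```

Run it from an elevated PowerShell after the KpRm reboot; every row should read OK on the machine the log came from.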
 

Registered · 52 Posts · Discussion Starter · #76 · (Edited)
Yikes, though! When I minimize my browser window everything is white again---like there is nothing on the desktop at all. I definitely ran the program---and then it eventually said it was done and so I hit okay and copied and pasted. But now it's a blank white screen. I made sure to go very slowly through the directions and followed them step by step (except the run as administrator, which wasn't an option given to me). When I right clicked, it asked for my admin passcode, which I provided, and then went through the steps.

Anyway, I had to do a hard stop again and there is still stuff on there. But I know for certain I clicked run, then okay (as instructed), which gave me the log. It's the same thing I did last time. Am I supposed to copy and paste and then just wait for 20 minutes for the white screen to disappear (if so, I didn't do that, but I had already copied and pasted---it's when I minimized the browser window that the desktop and task bar were whitewashed---didn't even see the date and time at the bottom of the computer or anything).

What's still there following the hard restart are attached (screenshot).

Thanks for your help. :)
 


Trusted Advisor & Malware Specialist · 3,915 Posts
Hi.

I see a couple of folders, not the actual tools. If you look inside the folders, do you see the FRST tool or the KpRm tool? If not, just delete everything you see (in your attachment) and you are fine.

Did you get a white screen again?
 

Registered · 52 Posts · Discussion Starter · #78
Hello, Dr. M!

No, I don't see the tools. :) Same with the stuff on the C drives. Looks like it's nesting folders, but no tools.

I did get the white screen. So I ran the tool, and then hit okay when it said it was done. Then, when I minimized my browser to attach the logs, I got a white screen and my desktop (including the task bar at the bottom and the area showing date/time/etc.) disappeared. It was completely white. That happened both times. But when I did a hard shut down (holding down the power button and starting the computer again), it was gone and the desktop looked normal. Should I be worried about that?

I so appreciate all your help with these issues. And I hope you had a good work week and a wonderful weekend, too!
 

Registered · 52 Posts · Discussion Starter · #80
No current questions. :)

I really appreciate all the time and help you provided. Is there a way to donate a little something to you as a token of appreciation?

I hope you have a wonderful weekend and thank you again so much!
 