
Weird activities (even after cloud reset); changes to policies, users, reg, etc.


28 replies to this topic

#16 Naps284 (Topic Starter, Members, Switzerland)

Posted 18 September 2023 - 08:13 AM

Alright, I won't interfere, then.
Thank you :)





#17 Naps284 (Topic Starter, Members, Switzerland)

Posted 18 September 2023 - 11:47 AM

18.09.2023 18:45:16
Files scanned: 1115696
Detected files: 14
Cleaned files: 14
Total scan time 04:13:22
Scan status: Finished
D:\Games\Rebel.Inc.Escalation.v1.3.0.4\Rebel Inc. Escalation_Data\Plugins\x86_64\steam_api64.dll Win64/HackTool.Crack.AH potentially unsafe application cleaned by deleting
 
D:\OneDrive\Documenti\Attivatore Office.cmd BAT/RiskWare.HackTool.WinActivator.A application cleaned by deleting
 
D:\Software\Monero GUI Wallet\monero-blockchain-ancestry.exe a variant of Win64/CoinMiner.MW potentially unwanted application cleaned by deleting
 
D:\Software\Monero GUI Wallet\monero-blockchain-depth.exe a variant of Win64/CoinMiner.MW potentially unwanted application cleaned by deleting
 
D:\Software\Monero GUI Wallet\monero-blockchain-export.exe a variant of Win64/CoinMiner.MW potentially unwanted application cleaned by deleting
 
D:\Software\Monero GUI Wallet\monero-blockchain-import.exe a variant of Win64/CoinMiner.MW potentially unwanted application cleaned by deleting
 
D:\Software\Monero GUI Wallet\monero-blockchain-mark-spent-outputs.exe a variant of Win64/CoinMiner.PZ potentially unwanted application cleaned by deleting
 
D:\Software\Monero GUI Wallet\monero-blockchain-prune-known-spent-data.exe a variant of Win64/CoinMiner.MW potentially unwanted application cleaned by deleting
 
D:\Software\Monero GUI Wallet\monero-blockchain-prune.exe a variant of Win64/CoinMiner.MW potentially unwanted application cleaned by deleting
 
D:\Software\Monero GUI Wallet\monero-blockchain-stats.exe a variant of Win64/CoinMiner.MW potentially unwanted application cleaned by deleting
 
D:\Software\Monero GUI Wallet\monero-blockchain-usage.exe a variant of Win64/CoinMiner.MW potentially unwanted application cleaned by deleting
 
D:\Software\Monero GUI Wallet\monero-gen-trusted-multisig.exe a variant of Win64/CoinMiner.GG potentially unwanted application cleaned by deleting
 
D:\Software\Monero GUI Wallet\monero-wallet-gui.exe a variant of Win64/CoinMiner.MR potentially unwanted application cleaned by deleting
 
D:\Software\Monero GUI Wallet\monero-wallet-rpc.exe a variant of Win64/CoinMiner.GG potentially unwanted application cleaned by deleting
 

Attached Files
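The ESET report above is one detection per line, with the path, the signature name, ESET's category ("potentially unsafe application", "potentially unwanted application", or plain "application" for RiskWare) and the action taken, all separated only by spaces. Paths with spaces make naive splitting fail. The following parser is an added example written for this thread, not part of ESET or of the poster's log; the sample report is constructed in the same layout with shortened placeholder paths, and the helper names (`parse_eset_log`, `untouched_drives`) are my own. It answers the question the responder checks next: which drives the detections sit on, which signature families they belong to, and whether the per-file lines account for the "Detected files" count.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of the ESET Online Scanner report quoted above.
# Paths are shortened placeholders; signature names follow ESET's naming scheme.
SAMPLE_LOG = r"""18.09.2023 18:45:16
Files scanned: 1115696
Detected files: 4
Cleaned files: 4
Total scan time 04:13:22
Scan status: Finished
D:\Games\Example Game\Plugins\x86_64\steam_api64.dll Win64/HackTool.Crack.AH potentially unsafe application cleaned by deleting
D:\OneDrive\Documenti\Attivatore Office.cmd BAT/RiskWare.HackTool.WinActivator.A application cleaned by deleting
D:\Software\Monero GUI Wallet\monero-wallet-gui.exe a variant of Win64/CoinMiner.MR potentially unwanted application cleaned by deleting
D:\Software\Monero GUI Wallet\monero-wallet-rpc.exe a variant of Win64/CoinMiner.GG potentially unwanted application cleaned by deleting
"""

SUMMARY_RE = re.compile(r"^(Files scanned|Detected files|Cleaned files):\s*(\d+)$")
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "        # drive-letter path; may contain spaces
    r"(?P<variant>a variant of )?"        # ESET prefix for heuristic variants
    r"(?P<signature>\S+/\S+) "            # platform/family.suffix, e.g. Win64/CoinMiner.MW
    r"(?P<category>.+?) "                 # ESET category text
    r"(?P<action>cleaned by \w+|unable to clean|deleted|quarantined)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    signature: str
    category: str
    action: str
    variant: bool

    @property
    def drive(self) -> str:
        return self.path[0].upper()

    @property
    def family(self) -> str:
        # "Win64/CoinMiner.MW" -> "CoinMiner"; "BAT/RiskWare.HackTool..." -> "RiskWare"
        return self.signature.split("/", 1)[1].split(".", 1)[0]


def parse_eset_log(text: str):
    """Return (summary counts, list of Detection) for an ESET-style report."""
    summary, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(
                path=m.group("path"), signature=m.group("signature"),
                category=m.group("category"), action=m.group("action"),
                variant=m.group("variant") is not None))
    return summary, detections


def counts_consistent(summary, detections) -> bool:
    """True when the per-file lines account for every 'Detected files' entry."""
    return summary.get("Detected files") == len(detections)


def detections_by_drive(detections) -> Counter:
    return Counter(d.drive for d in detections)


def families_by_category(detections) -> dict:
    """Map each ESET category to the set of signature families seen in it."""
    out = {}
    for d in detections:
        out.setdefault(d.category, set()).add(d.family)
    return out


def untouched_drives(detections, drives=("C", "D")) -> set:
    """Drives that appear in no detection; the system drive is the one that matters."""
    return set(drives) - set(detections_by_drive(detections))


if __name__ == "__main__":
    s, d = parse_eset_log(SAMPLE_LOG)
    print(detections_by_drive(d), untouched_drives(d), families_by_category(d))
```

Run on a real report, a non-empty `untouched_drives` result containing "C" is the fact the responder relies on in the next post, and a `counts_consistent` failure means some lines did not parse (or the report was truncated) and should be read by hand.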



#18 dennis_l (Malware Response Team, UK)

Posted 18 September 2023 - 12:38 PM

Ok that's good.

ESET did some cleanup for us on the Data drive and I'm pleased to see that nothing was detected on the C drive.

The SFC error in the fix related to WindowsDefenderApplicationGuard.wim, but as you use Kaspersky and McAfee, we probably don't need to dwell on that. In any case it may get resolved in a future update.
I should mention that running two antivirus programs at the same time may cause conflicts.
This Kaspersky article offers some guidance.
------------------------------------------------------------------------------------------------------------------------------------------------
There are some unusual files that I suggest we try to remove next.

  • Right click on the FRST icon and select Run as administrator.
  • Highlight all of the information in the text box below then hit the Ctrl + C keys together to copy the text.
  • It is not necessary to paste the information anywhere as FRST will do this for you.
Start::
CreateRestorePoint:
CloseProcesses:
2023-09-06 00:33 - 2023-09-12 08:08 - 003675072 _____ C:\WINDOWS\SysWOW64\AppRulesStorage-wal
2023-09-06 00:33 - 2023-09-06 15:05 - 000032768 _____ C:\WINDOWS\SysWOW64\DnsStorage-shm
2023-09-06 00:33 - 2023-09-06 15:05 - 000032768 _____ C:\WINDOWS\SysWOW64\AppRulesStorage-shm
2023-09-06 00:33 - 2023-09-06 00:33 - 000012288 _____ C:\WINDOWS\SysWOW64\DnsStorage
2023-09-06 00:33 - 2023-09-06 00:33 - 000012288 _____ C:\WINDOWS\SysWOW64\AppRulesStorage
2023-09-06 00:33 - 2023-09-06 00:33 - 000000000 _____ C:\WINDOWS\SysWOW64\DnsStorage-wal
End::
  • Click on the Fix button just once and wait.
  • Please make sure you let the system restart normally. After that let the tool complete its run.
  • When it's finished FRST will generate a log in the location you ran the tool from. (Fixlog.txt).

Please copy the contents from this text file and paste into your next reply.

--------------------------------------------------------------------------------------------------------------------------------

As a final check I'd now like you to run a scan with AdwCleaner.
Please download AdwCleaner.

  • Close all open programs and browsers
  • Right click on the icon and select Run as administrator
  • Click Scan Now
  • When the scan has finished AdwCleaner shows you all detected PUPs and adware.
  • If any are found, select them and click Quarantine. (I would suggest that you do not select Pre-installed applications for now, or any other items you wish to keep.)
  • AdwCleaner prompts you to save and close your work before continuing. Click Continue.
  • After cleaning, you are prompted to restart your device. Click Restart now to complete the cleanup process.

Once your computer has restarted ...

  • If it doesn't open automatically, please start AdwCleaner.
  • Click on View Log File button (This log can also be found in the Log Files tab).
  • A Notepad file will open containing the results.
  • Click Skip Basic Repair (if the option appears)
  • Please post the contents of the file in your next reply.

Also please provide an update on computer performance and advise if any issues remain.



#19 Naps284 (Topic Starter, Members, Switzerland)

Posted 18 September 2023 - 01:17 PM

Actually, I was pretty sure that I had uninstalled McAfee. It doesn't show up in the start menu anymore, and not even in the list of programs (control panel).
Did I do something wrong?



#20 Naps284 (Topic Starter, Members, Switzerland)

Posted 18 September 2023 - 01:21 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-09-2023
Ran by Nathan (18-09-2023 20:18:50) Run:3
Running from C:\Users\Nathan\Desktop\Bleeping computer forum help\FRST
Loaded Profiles: Nathan
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start::
CreateRestorePoint:
CloseProcesses:
2023-09-06 00:33 - 2023-09-12 08:08 - 003675072 _____ C:\WINDOWS\SysWOW64\AppRulesStorage-wal
2023-09-06 00:33 - 2023-09-06 15:05 - 000032768 _____ C:\WINDOWS\SysWOW64\DnsStorage-shm
2023-09-06 00:33 - 2023-09-06 15:05 - 000032768 _____ C:\WINDOWS\SysWOW64\AppRulesStorage-shm
2023-09-06 00:33 - 2023-09-06 00:33 - 000012288 _____ C:\WINDOWS\SysWOW64\DnsStorage
2023-09-06 00:33 - 2023-09-06 00:33 - 000012288 _____ C:\WINDOWS\SysWOW64\AppRulesStorage
2023-09-06 00:33 - 2023-09-06 00:33 - 000000000 _____ C:\WINDOWS\SysWOW64\DnsStorage-wal
End::
*****************
 
Restore point was successfully created.
Processes closed successfully.
Could not move "C:\WINDOWS\SysWOW64\AppRulesStorage-wal" => Scheduled to move on reboot.
Could not move "C:\WINDOWS\SysWOW64\DnsStorage-shm" => Scheduled to move on reboot.
Could not move "C:\WINDOWS\SysWOW64\AppRulesStorage-shm" => Scheduled to move on reboot.
Could not move "C:\WINDOWS\SysWOW64\DnsStorage" => Scheduled to move on reboot.
Could not move "C:\WINDOWS\SysWOW64\AppRulesStorage" => Scheduled to move on reboot.
Could not move "C:\WINDOWS\SysWOW64\DnsStorage-wal" => Scheduled to move on reboot.
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 18-09-2023 20:20:45)
 
C:\WINDOWS\SysWOW64\AppRulesStorage-wal => Could not move
C:\WINDOWS\SysWOW64\DnsStorage-shm => Could not move
C:\WINDOWS\SysWOW64\AppRulesStorage-shm => Could not move
C:\WINDOWS\SysWOW64\DnsStorage => Could not move
C:\WINDOWS\SysWOW64\AppRulesStorage => Could not move
C:\WINDOWS\SysWOW64\DnsStorage-wal => Could not move
 
==== End of Fixlog 20:20:45 ====

Attached Files



#21 Naps284 (Topic Starter, Members, Switzerland)

Posted 18 September 2023 - 01:30 PM

The scan with AdwCleaner didn't detect anything except 5 preinstalled programs, so it didn't prompt me to reboot.

Log file:



# -------------------------------
# Malwarebytes AdwCleaner 8.4.0.0
# -------------------------------
# Build:    08-30-2022
# Database: 2023-07-19.3 (Cloud)
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    09-18-2023
# Duration: 00:00:07
# OS:       Windows 11 (Build 22631.2199)
# Scanned:  32109
# Detected: 5
 
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
No malicious folders found.
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries found.
 
***** [ Chromium URLs ] *****
 
No malicious Chromium URLs found.
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries found.
 
***** [ Firefox URLs ] *****
 
No malicious Firefox URLs found.
 
***** [ Hosts File Entries ] *****
 
No malicious hosts file entries found.
 
***** [ Preinstalled Software ] *****
 
Preinstalled.LenovoIMController   Folder   C:\ProgramData\LENOVO\IMCONTROLLER 
Preinstalled.LenovoIMController   Folder   C:\Users\Nathan\AppData\Local\LENOVO\IMCONTROLLER 
Preinstalled.LenovoIMController   Folder   C:\Windows\LENOVO\IMCONTROLLER 
Preinstalled.LenovoIMController   Folder   C:\Windows\System32\Tasks\LENOVO\IMCONTROLLER 
Preinstalled.LenovoIMController   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\Lenovo Dependency Package_is1 
 
 
 
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
 


#22 dennis_l (Malware Response Team, UK)

Posted 18 September 2023 - 01:41 PM

Ok good.
I suspected those files would be rather stubborn to remove.
Please boot into Safe Mode and try the FRST fix from post #18 again.
Windows 10/11 Safe mode.

  • Open the Settings app by pressing the Windows key + I.
  • Click Update & Security and then Recovery.
  • Underneath Advanced startup, click Restart now.
  • The Choose an option screen appears.
  • Click Troubleshoot and then Advanced options.
  • Select Startup Settings and then Restart.
  • When your computer re-boots there will be various startup options listed.
  • Press F5 to start your computer in Safe Mode with Networking.

------------------------------------------------------------------------------------
McAfee is showing enabled in the Security Center and there are some other entries showing, although it's not a running process.
It tends not to uninstall very cleanly, so we will do a manual cleanup of the remnants.

  • Right click on FRST and select Run as administrator.
  • Copy and then paste the following in the Search: box.
SearchAll: McAfee
  • Click the Search Files button.
  • When completed click OK and a Search.txt document will open on your desktop.
  • Attach the report to your reply. If the file is too large, Zip and upload the file here.

Is the computer running ok now?



#23 Naps284 (Topic Starter, Members, Switzerland)

Posted 18 September 2023 - 01:54 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-09-2023
Ran by Nathan (18-09-2023 20:50:29) Run:4
Running from C:\Users\Nathan\Desktop\Bleeping computer forum help\FRST
Loaded Profiles: Nathan
Boot Mode: Safe Mode (with Networking)
==============================================
 
fixlist content:
*****************
Start::
CreateRestorePoint:
CloseProcesses:
2023-09-06 00:33 - 2023-09-12 08:08 - 003675072 _____ C:\WINDOWS\SysWOW64\AppRulesStorage-wal
2023-09-06 00:33 - 2023-09-06 15:05 - 000032768 _____ C:\WINDOWS\SysWOW64\DnsStorage-shm
2023-09-06 00:33 - 2023-09-06 15:05 - 000032768 _____ C:\WINDOWS\SysWOW64\AppRulesStorage-shm
2023-09-06 00:33 - 2023-09-06 00:33 - 000012288 _____ C:\WINDOWS\SysWOW64\DnsStorage
2023-09-06 00:33 - 2023-09-06 00:33 - 000012288 _____ C:\WINDOWS\SysWOW64\AppRulesStorage
2023-09-06 00:33 - 2023-09-06 00:33 - 000000000 _____ C:\WINDOWS\SysWOW64\DnsStorage-wal
End::
*****************
 
Error: Restore point can only be created in normal mode.
Processes closed successfully.
C:\WINDOWS\SysWOW64\AppRulesStorage-wal => moved successfully
C:\WINDOWS\SysWOW64\DnsStorage-shm => moved successfully
C:\WINDOWS\SysWOW64\AppRulesStorage-shm => moved successfully
C:\WINDOWS\SysWOW64\DnsStorage => moved successfully
C:\WINDOWS\SysWOW64\AppRulesStorage => moved successfully
C:\WINDOWS\SysWOW64\DnsStorage-wal => moved successfully
 
 
The system needed a reboot.
 
==== End of Fixlog 20:50:29 ====

Attached Files
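The two Fixlogs (post #20 in normal mode, post #23 in Safe Mode) show the same fixlist producing different outcomes: in normal mode every file is "Scheduled to move on reboot" and then reported "Could not move", while in Safe Mode each is "moved successfully" but the restore point cannot be created. The parser below is an added example written for this thread, not FRST's own code or output. The two sample Fixlogs are constructed in FRST's layout, keeping only two of the six SysWOW64 entries; the helper names (`parse_fixlog`, `FixResult.outstanding`) are my own. It also classifies the line kinds that appear in the later McAfee fixlist (dated folder entries without a size, `DeleteKey:`/`DeleteValue:` lines, `AV:`/`FW:` entries, bare paths), so one parser covers both scripts in the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed Fixlog excerpts in the layout FRST produces (compare the two posted Fixlogs).
# Two of the six SysWOW64 entries are kept; everything else is trimmed placeholder text.
FIXLIST_BLOCK = r"""fixlist content:
*****************
Start::
CreateRestorePoint:
CloseProcesses:
2023-09-06 00:33 - 2023-09-12 08:08 - 003675072 _____ C:\WINDOWS\SysWOW64\AppRulesStorage-wal
2023-09-06 00:33 - 2023-09-06 15:05 - 000032768 _____ C:\WINDOWS\SysWOW64\DnsStorage-shm
End::
*****************
"""

FIXLOG_NORMAL = "Boot Mode: Normal\n" + FIXLIST_BLOCK + r"""Restore point was successfully created.
Could not move "C:\WINDOWS\SysWOW64\AppRulesStorage-wal" => Scheduled to move on reboot.
Could not move "C:\WINDOWS\SysWOW64\DnsStorage-shm" => Scheduled to move on reboot.
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 18-09-2023 20:20:45)
C:\WINDOWS\SysWOW64\AppRulesStorage-wal => Could not move
C:\WINDOWS\SysWOW64\DnsStorage-shm => Could not move
==== End of Fixlog 20:20:45 ====
"""

FIXLOG_SAFE = "Boot Mode: Safe Mode (with Networking)\n" + FIXLIST_BLOCK + r"""Error: Restore point can only be created in normal mode.
C:\WINDOWS\SysWOW64\AppRulesStorage-wal => moved successfully
C:\WINDOWS\SysWOW64\DnsStorage-shm => moved successfully
==== End of Fixlog 20:50:29 ====
"""

# "created - modified [- size] attrs path"; the size is absent for folder entries.
DATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                      r"(?:- (?P<size>\d+) )?(?P<attrs>[_A-Z]{5}) (?P<path>.+)$")
BOOT_RE = re.compile(r"^Boot Mode: (?P<mode>.+)$")
SCHEDULED_RE = re.compile(r'^Could not move "(?P<path>.+)" => Scheduled to move on reboot\.$')
OUTCOME_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<outcome>moved successfully|Could not move)$")
ERROR_RE = re.compile(r"^Error: (?P<msg>.+)$")

FIXLIST_KINDS = (
    ("marker", re.compile(r"^(Start|End)::$")),
    ("file", DATED_RE),
    ("registry", re.compile(r"^(DeleteKey|DeleteValue): ")),
    ("security_product", re.compile(r"^(AV|FW|AS): ")),
    ("path", re.compile(r"^[A-Za-z]:\\")),
    ("directive", re.compile(r"^\w+:$")),
)


def classify_fixlist_line(line):
    """Return (kind, payload); payload is the target path for dated entries, else the line."""
    for kind, rx in FIXLIST_KINDS:
        m = rx.match(line)
        if m:
            return (kind, m.group("path") if kind == "file" else line)
    return ("other", line)


@dataclass
class FixResult:
    boot_mode: str = ""
    fixlist: list = field(default_factory=list)   # (kind, payload) per fixlist line
    outcomes: dict = field(default_factory=dict)  # path -> last outcome FRST reported
    errors: list = field(default_factory=list)

    def targets(self):
        """Paths the fixlist asked FRST to move."""
        return [p for kind, p in self.fixlist if kind in ("file", "path")]

    def outstanding(self):
        """Targets not confirmed 'moved successfully' by the end of the run."""
        return [p for p in self.targets() if self.outcomes.get(p) != "moved successfully"]


def parse_fixlog(text):
    """Parse one Fixlog.txt: boot mode, the echoed fixlist, per-path outcomes, errors."""
    result, in_fixlist = FixResult(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("*****"):      # the fixlist is echoed between two such rules
            in_fixlist = not in_fixlist
            continue
        if in_fixlist:
            result.fixlist.append(classify_fixlist_line(line))
            continue
        if m := BOOT_RE.match(line):
            result.boot_mode = m.group("mode")
        elif m := SCHEDULED_RE.match(line):
            result.outcomes[m.group("path")] = "scheduled for reboot"
        elif m := OUTCOME_RE.match(line):
            result.outcomes[m.group("path")] = m.group("outcome")
        elif m := ERROR_RE.match(line):
            result.errors.append(m.group("msg"))
    return result
```

The later outcome for a path overrides the earlier "scheduled" one, so `outstanding()` reflects the state after the reboot, which is what decides whether the fix has to be repeated. The Safe Mode run records the restore-point error, which is the trade-off behind running in normal mode first.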



#24 Naps284 (Topic Starter, Members, Switzerland)

Posted 18 September 2023 - 02:05 PM

Here is the Search.txt file:

Attached Files



#25 dennis_l (Malware Response Team, UK)

Posted 18 September 2023 - 02:16 PM

Thanks - got it.

I'll prepare a script to remove McAfee tomorrow morning.



#26 Naps284 (Topic Starter, Members, Switzerland)

Posted 18 September 2023 - 02:16 PM

Alright!
Thank you :)



#27 dennis_l (Malware Response Team, UK)

Posted 19 September 2023 - 04:28 AM

Here's the script to remove McAfee.

  • Right click on the FRST icon and select Run as administrator.
  • Highlight all of the information in the text box below then hit the Ctrl + C keys together to copy the text.
  • It is not necessary to paste the information anywhere as FRST will do this for you.
Start::
CreateRestorePoint:
CloseProcesses:
AV: McAfee VirusScan (Enabled - Up to date) {F682A51C-4EAD-6A3A-F460-B9C1D4A2DB09}
FW: McAfee Firewall (Enabled) {CEB92439-04C2-6B62-DF3F-10F42A719C72}
C:\Windows\System32\Tasks_Migrated\McAfee Remediation (Prepare)
C:\Windows\System32\Tasks_Migrated\McAfeeLogon
C:\Windows\System32\Tasks_Migrated\McAfee\McAfee Auto Maintenance Task Agent
C:\Windows\System32\Tasks_Migrated\McAfee\McAfee Idle Detection Task
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee HIPS Driver.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~0BBD9DDB-F12A-43EF-9213-ED84DB2253E9~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~10271CA5-FDE6-4562-BD08-8DA931CA6E50~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~2BEB5910-DA0A-4916-8025-065EBE7924F7~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~61F857BA-7D4E-4BEE-B5AF-2EF2DF4980DC~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~74FCDCDB-56F3-4513-B852-3987D5CEE927~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~85D20F9C-E4B0-46D7-9296-2F14CBFB1AA1~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~88DC92DA-FD5E-4E99-9873-DE8678FB96FC~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~9BE5553B-A06D-48C2-8F3E-888C71CD9140~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~B44D0791-E05A-46C5-BE1F-B2EA1E2F7A89~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~B59B6C80-314B-4C3E-ADF6-E13EBA34A25A~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~C85BAC20-6C94-49C0-AB6E-B0AB3A86575F~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~CC41DFB8-BBF8-4699-AE6A-2728FA6732AB~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~DC9BD563-1785-45B0-BD90-A65F8FC57EE4~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~DF218D18-04D9-4627-B77C-5F168616FF54~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~E4EA0528-515E-49B3-B1A9-732E37FC9E65~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~E9409534-1655-4247-B1BC-9347A6FEF499~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~F0889FAE-AF57-4D01-816E-8D9CDC119020~amd64~~22.12.0.211.5.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\McAfee-VSCore~FA3E1285-499D-4C1E-8513-F686EC156850~amd64~~22.12.0.211.5.cat
C:\Users\Nathan\myCloud\mcafee_trial_setup_433.0207.3919_key.exe
C:\Users\Nathan\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\fdhgeoginicibhagdmblfikbgbkahibd
C:\ProgramData\Lenovo\Vantage\Addins\LenovoSecurityAddin\1.0.0.97\McAfeeSdkApi.dll
C:\ProgramData\Lenovo\Vantage\Addins\LenovoSecurityAddin\1.0.0.97\McAfeeSdkApi.dll.config
C:\ProgramData\Lenovo\Vantage\AddinData\LenovoSystemUpdateAddin\session\Repository\mcafeehotfix714
C:\ProgramData\Lenovo\ImController\SystemPluginData\LenovoSystemUpdatePlugin\session\Repository\mcafeehotfix714
2021-02-10 11:27 - 2023-08-30 11:25 _____ C:\Windows\System32\Tasks_Migrated\McAfee
2021-09-24 14:29 - 2022-02-16 21:42 ___RS C:\Users\Nathan\Documents\McAfee Vaults
2023-09-05 00:55 - 2023-09-05 00:55 _____ C:\Users\Nathan\AppData\Roaming\McAfee
2021-02-10 11:26 - 2023-09-06 00:20 _____ C:\ProgramData\McAfee
2023-08-30 15:48 - 2023-08-30 15:48 _____ C:\ProgramData\Lenovo\Vantage\AddinData\LenovoSystemUpdateAddin\session\Repository\mcafeehotfix714
2023-08-30 14:23 - 2023-08-30 14:23 _____ C:\ProgramData\Lenovo\ImController\SystemPluginData\LenovoSystemUpdatePlugin\session\Repository\mcafeehotfix714
DeleteValue: HKEY_USERS\S-1-5-21-739449780-1690936981-217154247-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched|McAfee.McAgent
DeleteValue: HKEY_USERS\S-1-5-21-739449780-1690936981-217154247-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView|McAfee.McAgent
DeleteValue: HKEY_USERS\S-1-5-21-739449780-1690936981-217154247-1001\Software\Microsoft\Windows\CurrentVersion\Search\JumplistData|McAfee.McAgent
DeleteValue: HKEY_USERS\S-1-5-21-739449780-1690936981-217154247-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files\McAfee\MSC\mcuihost.exe
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\McAfeeExtn
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee  
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee
DeleteKey: HKEY_USERS\S-1-5-21-739449780-1690936981-217154247-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\DefaultAccount\Cloud\{190671ea-a1b7-4b0d-a12b-7219f90f7240}$windows.data.apps.appleveltileinfo$appleveltilelist\windows.data.apps.appleveltileinfo$w~mcafee.mcagent
DeleteKey: HKEY_USERS\S-1-5-21-739449780-1690936981-217154247-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\DefaultAccount\Current\{190671ea-a1b7-4b0d-a12b-7219f90f7240}$windows.data.apps.appleveltileinfo$appleveltilelist\windows.data.apps.appleveltileinfo$w~mcafee.mcagent
DeleteKey: HKEY_USERS\S-1-5-21-739449780-1690936981-217154247-1001\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\McAfee.McAgent
End::
  • Click on the Fix button just once and wait.
  • Please make sure you let the system restart normally. After that let the tool complete its run.
  • When it's finished FRST will generate a log in the location you ran the tool from. (Fixlog.txt).

Please copy the contents from this text file and paste into your next reply.



#28 dennis_l (Malware Response Team, UK)

Posted 22 September 2023 - 03:46 AM

Did you manage to run the fix?
If I don't hear back from you in the next 2 days, I will assume that you no longer need help and this topic will be closed.

 



#29 dennis_l (Malware Response Team, UK)

Posted Today, 02:38 AM

I'm assuming that everything is ok now, as I haven't heard back from you.
This tool will remove the software we used.
KpRm by Kernel-panik

  • Download KpRm and save it to your Desktop
  • Right click on the icon and select Run as administrator.
  • Click Yes on the Disclaimer.
  • Place a check mark in Delete Tools and Create Restore Point.
  • Under Delete Quarantine, check Delete in 7 days.
  • Click Run.
  • Click OK in the All operations are completed box.
  • It will create and open a log report.
  • KpRm will delete itself from your Desktop and you can either save or remove the report that was generated.

These articles offer good advice and information for the future.
Keep your computer secure at home
How your system gets infected.
Ransomware advice.
Choosing Secure Passwords.
Thank you for contacting us at Bleeping Computer.

 

Dennis





