ohnoaiv

Members, 4 posts, reputation 0 Neutral


  1. There are still weird things that happen, such as my internet connection still working with Lockdown mode enabled on Mullvad VPN even after disconnecting from the VPN. If you think the logs look good, I'll absolutely take your word for it, though.
  2. Understandable. The reason for my paranoia was a previous infection that was able to disable my Windows antivirus. I had noticed startup programs with hash-like strings of text as the name and no icon, and also had several fraudulent charges attempted on numerous virtual CCs I had stored on here. It may be paranoia, but I'm hoping there's a way to verify system .dll files haven't been tampered with, as well as that the persistence the previous malware had gained is no longer around. I've been trying to find guides and syntax for PowerShell to disable remote WMI and any other RDC.
  3. I do have that enabled. I have it disabled now; however, I only received the one threat notification and have not seen anything since in that regard. I have been monitoring network connections and have seen that two processes have active TCP connections to a handful of IPv4 addresses. One of those is a System process and the other is svchost.exe (netsvcs -p). There are also a few svchost.exe (RPCSS -p) services with unspecified IPv4/6 addresses. Is there a way to verify that there are no active remote WMI sessions that are hidden? Using commands such as Get-LocalUser in PowerShell just returns syntax errors.
  4. Had what I suspect to be a rootkit installed on my PC about a month ago, and it spread malware on my network; however, I may be wrong. No files were downloaded on my device, but I believe the IPv6/TCP Windows exploit was utilized to gain root access via remote WMI commands/scripting (CVE-2024-38063), as the time frame of this starting was August 26th. I had IPv6 enabled, no VPN, AV disabled, and was playing Escape From Tarkov damn near constantly for those 13 days since that CVE publication. I had a friend in the cyber security field make me a copy of a Windows 10 boot USB. I now run Windows 10 Pro (Privacy?) after installing this copy. Seems to be a version of Windows 10 Pro with anonymity maximized. The install process of this version was odd; it only had the option to select the drive I wanted to target for installation. I have a paid license I haven't yet linked to this installation. I used ASUS Secure Erase 3 times on each drive before installing. I reset CMOS; however, I did not flash back the BIOS. Using the same hardware, but I have not used the suspected infectious USB drives or peripherals yet. I am seeing two different local user accounts at login but cannot find a trace of it. Both are named "private", which was the original local account name generated. Before updating Windows, I did not need a password to log in. After updating Windows, I was told my password had expired and was now seeing the two accounts both named "private". I have already run recent scans with an updated FRST64, FSS, and SecurityCheck by glax24, one full custom scan (all drives, all options) with MWB, and 3 quick scans with MWB in the past 6 hours. Before using the VPN I received a notification from MWB. I've used AdwCleaner on the desktop as well. No network card, no onboard wifi/bluetooth, only ethernet. Yet immediately when connecting to the internet something installs MiniPort WAN drivers. Have a bit of different software installed now.
Attached are the scan results for FRST, FSS, Security Check, and the event log for the Exploit detection. AdwCleaner[S00].txt AdwCleaner_Debug.log FRST.txt FSS.txt Malwarebytes Exploit Blocked Report 2024-09-22 002516.txt SecurityCheck.txt Shortcut.txt Addition.txt AdwCleaner[C00].txt
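The checks asked about in posts 2 and 3 (whether System32 DLLs still verify, whether WMI persistence is present, what local accounts really exist, and how exposed remote management is), written up as an added PowerShell example; this is not from the poster or from any of the tools named above. It assumes Windows 10 and an elevated Windows PowerShell 5.1 console, and every command is read-only.

```powershell
# Added defensive check script (not from the forum poster). Assumes Windows 10,
# run from an elevated Windows PowerShell 5.1 console: Get-LocalUser does not
# exist in cmd.exe, which is one reason it can appear to "return syntax errors".

# 1. Signature check of every DLL in System32. Get-AuthenticodeSignature
#    consults the Windows security catalogs, so unmodified OS files that carry
#    no embedded signature still report 'Valid'. Anything else deserves a look.
$suspectDlls = Get-ChildItem "$env:SystemRoot\System32" -Filter *.dll -File |
    Get-AuthenticodeSignature |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Path, Status, StatusMessage
"DLLs in System32 without a valid signature: $($suspectDlls.Count)"
$suspectDlls | Format-Table -AutoSize
# Cross-check with the built-in resource checker in read-only mode.
sfc /verifyonly

# 2. WMI event-subscription persistence, a common fileless way for malware to
#    survive reinstalls of its files. A clean Windows 10 install has no
#    CommandLineEventConsumer or ActiveScriptEventConsumer in root\subscription.
$ns = 'root\subscription'
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    Select-Object Name, Query
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
    Select-Object Name, CommandLineTemplate
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer |
    Select-Object Name, ScriptText
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer

# 3. Local accounts: two "private" entries at the logon screen should show up
#    here as two rows with different SIDs if they really are separate accounts.
Get-LocalUser | Select-Object Name, Enabled, SID, LastLogon | Format-Table -AutoSize

# 4. Remote-management exposure: WinRM service state, the firewall rule group
#    that admits remote WMI, and current network (type 3) and remote-interactive
#    (type 10) logon sessions, which is where a remote WMI caller would appear.
Get-Service WinRM | Select-Object Name, Status, StartType
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
    Select-Object DisplayName, Enabled, Direction, Profile
Get-CimInstance Win32_LogonSession |
    Where-Object { $_.LogonType -in 3, 10 } |
    Select-Object LogonId, LogonType, StartTime
```

Inbound WMI rules that report Enabled = True on a machine that is never managed remotely can be turned off from the Windows Firewall console; a non-empty consumer list in step 2 is the thing to take to the forum thread before removing anything.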