Jump to content

leonass

Members
 View Profile  See their activity

  • Posts

    3

  • Joined

  • Last visited

 Content Type 

Posts posted by leonass

    How to remove kms-r@1n

    in Resolved Malware Removal Logs

    Posted

    Fix result of Farbar Recovery Scan Tool (x64) Version: 16.05.2018 01
    Ran by Developer (18-05-2018 13:37:36) Run:1
    Running from C:\Users\Developer\Desktop
    Loaded Profiles: Developer & SSASTELEMETRY & SSISScaleOutWorker140 & SQLTELEMETRY & MSSQLServerOLAPService & SSISTELEMETRY140 & MSSQLFDLauncher & SSISScaleOutMaster140 & MSSQLSERVER & MsDtsServer140 (Available Profiles: Developer & Guest & SSASTELEMETRY & SSISScaleOutWorker140 & SQLTELEMETRY & MSSQLServerOLAPService & SSISTELEMETRY140 & MSSQLFDLauncher & SSISScaleOutMaster140 & MSSQLSERVER & MsDtsServer140)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start
    CloseProcesses:
    CreateRestorePoint:
    C:\Windows\KMS-R@1n.exe
    C:\Windows\System32\SppExtComObj.Exe
    IFEO\OSppSvc.exe: [Debugger] KMS-R@1nHook.exe
    GroupPolicy: Restriction ? <==== ATTENTION
    R2 KMS-R@1n; C:\Windows\KMS-R@1n.exe [26112 2018-02-17] () [File not signed]
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\SysWOW64\3082
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\SysWOW64\1055
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\SysWOW64\1049
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\SysWOW64\1046
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\SysWOW64\1045
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\SysWOW64\1040
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\SysWOW64\1036
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\SysWOW64\1033
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\SysWOW64\1029
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\system32\3082
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\system32\1055
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\system32\1049
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\system32\1046
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\system32\1045
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\system32\1040
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\system32\1036
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\system32\1033
    2018-05-17 14:51 - 2018-02-17 15:05 - 000000000 ____D C:\WINDOWS\system32\1029
    Task: {4BA7F836-2EFB-474F-A010-235CE99740F1} - System32\Tasks\R@1n-KMS\Office16ProPlus => wmic [Argument = path SoftwareLicensingProduct where (ID="d450596f-894d-49e0-966a-fd39ed4c4c64") call Activate]
    Task: {993E83F0-06F1-4007-B69F-4A0B370D95F6} - System32\Tasks\R@1n-KMS\Office16ProjectPro => wmic [Argument = path SoftwareLicensingProduct where (ID="4f414197-0fc2-4c01-b68a-86cbb9ac254c") call Activate]
    Task: {D29FB1CF-B076-4BBF-8455-5E4D3226BC34} - System32\Tasks\R@1n-KMS\Office16VisioPro => wmic [Argument = path SoftwareLicensingProduct where (ID="6bf301c1-b94a-43e9-ba31-d494598c47fb") call Activate]
    Task: {F36CA1B2-6549-45E4-9D77-1D0DF83F94B5} - System32\Tasks\R@1n-KMS\Windows63Professional => wmic [Argument = path SoftwareLicensingProduct where (ID="c06b6981-d7fd-4a35-b7b4-054742b7af67") call Activate]
    FirewallRules: [{0F16A61D-BDC3-4F6E-95A3-9CC85B9CCD6F}] => (Allow) LPort=6160
    FirewallRules: [{C697D279-C158-4B72-A713-1D0C175F13AD}] => (Allow) C:\Windows\KMS-R@1n.exe
    FirewallRules: [{B07B7977-A6D5-4CDD-B8B3-57C9BCC9FF3D}] => (Allow) C:\Windows\KMS-R@1n.exe
    Hosts:
    EmptyTemp:
    CMD: ipconfig /flushDNS
    end

    *****************

    Processes closed successfully.
    Error: (0) Failed to create a restore point.
    C:\Windows\KMS-R@1n.exe => moved successfully
    C:\Windows\System32\SppExtComObj.Exe => moved successfully
    "HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\OSppSvc.exe" => removed successfully
    C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
    C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
    C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
    KMS-R@1n => Service stopped successfully.
    "HKLM\System\CurrentControlSet\Services\KMS-R@1n" => removed successfully
    KMS-R@1n => service removed successfully
    C:\WINDOWS\SysWOW64\3082 => moved successfully
    C:\WINDOWS\SysWOW64\1055 => moved successfully
    C:\WINDOWS\SysWOW64\1049 => moved successfully
    C:\WINDOWS\SysWOW64\1046 => moved successfully
    C:\WINDOWS\SysWOW64\1045 => moved successfully
    C:\WINDOWS\SysWOW64\1040 => moved successfully
    C:\WINDOWS\SysWOW64\1036 => moved successfully
    C:\WINDOWS\SysWOW64\1033 => moved successfully
    C:\WINDOWS\SysWOW64\1029 => moved successfully
    C:\WINDOWS\system32\3082 => moved successfully
    C:\WINDOWS\system32\1055 => moved successfully
    C:\WINDOWS\system32\1049 => moved successfully
    C:\WINDOWS\system32\1046 => moved successfully
    C:\WINDOWS\system32\1045 => moved successfully
    C:\WINDOWS\system32\1040 => moved successfully
    C:\WINDOWS\system32\1036 => moved successfully
    C:\WINDOWS\system32\1033 => moved successfully
    C:\WINDOWS\system32\1029 => moved successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4BA7F836-2EFB-474F-A010-235CE99740F1}" => removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4BA7F836-2EFB-474F-A010-235CE99740F1}" => removed successfully
    C:\WINDOWS\System32\Tasks\R@1n-KMS\Office16ProPlus => moved successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\R@1n-KMS\Office16ProPlus" => removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{993E83F0-06F1-4007-B69F-4A0B370D95F6}" => removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{993E83F0-06F1-4007-B69F-4A0B370D95F6}" => removed successfully
    C:\WINDOWS\System32\Tasks\R@1n-KMS\Office16ProjectPro => moved successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\R@1n-KMS\Office16ProjectPro" => removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D29FB1CF-B076-4BBF-8455-5E4D3226BC34}" => removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D29FB1CF-B076-4BBF-8455-5E4D3226BC34}" => removed successfully
    C:\WINDOWS\System32\Tasks\R@1n-KMS\Office16VisioPro => moved successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\R@1n-KMS\Office16VisioPro" => removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F36CA1B2-6549-45E4-9D77-1D0DF83F94B5}" => removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F36CA1B2-6549-45E4-9D77-1D0DF83F94B5}" => removed successfully
    C:\WINDOWS\System32\Tasks\R@1n-KMS\Windows63Professional => moved successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\R@1n-KMS\Windows63Professional" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0F16A61D-BDC3-4F6E-95A3-9CC85B9CCD6F}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C697D279-C158-4B72-A713-1D0C175F13AD}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B07B7977-A6D5-4CDD-B8B3-57C9BCC9FF3D}" => removed successfully
    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.

    ========= ipconfig /flushDNS =========


    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    ========= End of CMD: =========


    =========== EmptyTemp: ==========

    BITS transfer queue => 6578176 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 31016962 B
    Java, Flash, Steam htmlcache => 1377 B
    Windows/system/drivers => 4145865 B
    Edge => 3584 B
    Chrome => 330434891 B
    Firefox => 400883600 B
    Opera => 0 B

    Temp, IE cache, history, cookies, recent:
    Default => 0 B
    Users => 0 B
    ProgramData => 0 B
    Public => 0 B
    systemprofile => 0 B
    systemprofile32 => 0 B
    LocalService => 0 B
    LocalService => 0 B
    NetworkService => 1228 B
    NetworkService => 0 B
    Developer => 86338292 B
    UpdatusUser => 0 B
    Guest => 6112 B
    SSASTELEMETRY => 0 B
    SSISScaleOutWorker140 => 0 B
    SQLTELEMETRY => 0 B
    MSSQLServerOLAPService => 0 B
    SSISTELEMETRY140 => 0 B
    MSSQLFDLauncher => 0 B
    SSISScaleOutMaster140 => 0 B
    MSSQLSERVER => 0 B
    MsDtsServer140 => 0 B

    RecycleBin => 0 B
    EmptyTemp: => 819.6 MB temporary data Removed.

    ================================


    The system needed a reboot.

    ==== End of Fixlog 13:38:55 ====

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.