Fede

Members
  • Posts

    10
Reputation

0 Neutral


  1. DelFix log:
     # DelFix v1.013 - Logfile created 03/09/2018 at 00:59:12
     # Updated 17/04/2016 by Xplode
     # Username : Federico - MSI
     # Operating System : Windows 10 Home (64 bits)

     ~ Activating UAC ... OK
     ~ Removing disinfection tools ...
     Deleted : C:\FRST
     Deleted : C:\AdwCleaner
     Deleted : C:\TDSSKiller.3.1.0.17_03.09.2018_00.52.38_log.txt
     Deleted : C:\Users\Public\Desktop\RogueKiller.lnk
     Deleted : C:\Users\Federico\Downloads\Addition.txt
     Deleted : C:\Users\Federico\Downloads\adwcleaner_7.2.3.exe
     Deleted : C:\Users\Federico\Downloads\Fixlog.txt
     Deleted : C:\Users\Federico\Downloads\FRST.txt
     Deleted : C:\Users\Federico\Downloads\FRST64.exe
     Deleted : C:\Users\Federico\Downloads\RogueKiller_setup.exe
     Deleted : C:\Users\Federico\Downloads\tdsskiller.exe
     ~ Creating registry backup ... OK
     ~ Cleaning system restore ... New restore point created !
     ~ Resetting system settings ... OK

     ########## - EOF - ##########

     I read all the advice and recommendations, again, I can't thank you enough!
  2. Alright, thank you very much for your help Aura, I wouldn't have been able to clean all that trash without you. Have a great day!
  3. This is the content I found in .crusader:
     <Actions reboot="yes">
       <Group name="Malware">
         <File path="C:\Program Files (x86)\gKBuoIQgSIE\k57BF2K.dll" />
         <Registry path="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DF1F1901-098E-4B7E-BDAB-BBAD7AEC2086}\" />
         <Registry path="HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DF1F1901-098E-4B7E-BDAB-BBAD7AEC2086}\" />
         <Registry path="HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DF1F1901-098E-4B7E-BDAB-BBAD7AEC2086}\" />
         <Registry path="HKU\S-1-5-21-2504677763-501530278-233212964-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-09022018130013049\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF1F1901-098E-4B7E-BDAB-BBAD7AEC2086}\" />
         <Registry path="HKU\S-1-5-21-2504677763-501530278-233212964-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF1F1901-098E-4B7E-BDAB-BBAD7AEC2086}\" />
       </Group>
       <Group name="Riskware">
         <File path="C:\Program Files (x86)\gKBuoIQgSIE\kLpFrnITCH.exe" />
       </Group>
       <Group name="Riskware">
         <File path="C:\Program Files (x86)\WNVwerPrGBZQC\DGWMmGg.dll" />
         <File path="C:\WINDOWS\system32\Tasks\eVSrriCnrZQlODxsGDB2" />
       </Group>
       <Group name="Riskware">
         <File path="C:\Program Files (x86)\WNVwerPrGBZQC\QcgSVCW.dll" />
       </Group>
       <Group id="Remnants">
         <Folder path="C:\Program Files\RunBooster\" />
         <File path="C:\WINDOWS\system32\drivers\WinDivert64.sys" rootkit="yes" />
         <Registry path="HKLM\SYSTEM\CurrentControlSet\Services\WinDivert1.2\" />
         <Registry path="HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564\" />
         <Registry path="HKLM\SYSTEM\ControlSet001\Services\WinDivert1.2\" />
         <Registry path="HKLM\SYSTEM\CurrentControlSet\Services\WinDivert1.2\" />
       </Group>
     </Actions>
     Looks weird to me.
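A small reviewer for the action file quoted in the post above, added here as an example and not RogueKiller's or the poster's own code: it parses the `<Actions>`/`<Group>`/`<File|Folder|Registry>` structure, tallies what the tool intends to remove per group, and flags the entries a person should look at before letting the cleanup run (driver files, `rootkit="yes"` items, duplicate registry paths, unknown hives). The XML embedded below is a shortened copy of the posted file; the group labels `name`/`id`, the hive list and the finding categories are the example's own assumptions about the format, not documented behaviour of the tool.

```python
"""Review a RogueKiller-style .crusader action file before the removal runs.

Added example (not RogueKiller's code). The XML is a shortened copy of the
file quoted in the forum post; both `name=` and `id=` group labels appear there.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Shortened copy of the posted .crusader content (raw string: backslashes are literal).
CRUSADER_XML = r'''<Actions reboot="yes">
<Group name="Malware">
<File path="C:\Program Files (x86)\gKBuoIQgSIE\k57BF2K.dll" />
<Registry path="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DF1F1901-098E-4B7E-BDAB-BBAD7AEC2086}\" />
<Registry path="HKU\S-1-5-21-2504677763-501530278-233212964-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF1F1901-098E-4B7E-BDAB-BBAD7AEC2086}\" />
</Group>
<Group name="Riskware">
<File path="C:\Program Files (x86)\gKBuoIQgSIE\kLpFrnITCH.exe" />
</Group>
<Group name="Riskware">
<File path="C:\Program Files (x86)\WNVwerPrGBZQC\DGWMmGg.dll" />
<File path="C:\WINDOWS\system32\Tasks\eVSrriCnrZQlODxsGDB2" />
</Group>
<Group id="Remnants">
<Folder path="C:\Program Files\RunBooster\" />
<File path="C:\WINDOWS\system32\drivers\WinDivert64.sys" rootkit="yes" />
<Registry path="HKLM\SYSTEM\CurrentControlSet\Services\WinDivert1.2\" />
<Registry path="HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564\" />
<Registry path="HKLM\SYSTEM\ControlSet001\Services\WinDivert1.2\" />
<Registry path="HKLM\SYSTEM\CurrentControlSet\Services\WinDivert1.2\" />
</Group>
</Actions>'''

# Hive prefixes the example accepts; anything else is reported for a manual look (assumption).
KNOWN_HIVES = ("HKLM", "HKCU", "HKU", "HKCR")
DRIVER_DIR = r"c:\windows\system32\drivers\\".rstrip("\\") + "\\"


def parse_actions(xml_text):
    """Return {'reboot': bool, 'actions': [{group, kind, path, rootkit}, ...]}."""
    root = ET.fromstring(xml_text)
    actions = []
    for group in root.findall("Group"):
        # The posted file labels groups with name= or id=; accept either.
        label = group.get("name") or group.get("id") or "Unlabelled"
        for item in group:  # File, Folder or Registry elements
            actions.append({
                "group": label,
                "kind": item.tag,
                "path": item.get("path", ""),
                "rootkit": item.get("rootkit") == "yes",
            })
    return {"reboot": root.get("reboot") == "yes", "actions": actions}


def summarise(parsed):
    """Count planned removals per (group, kind), e.g. ('Remnants', 'Registry'): 4."""
    return dict(Counter((a["group"], a["kind"]) for a in parsed["actions"]))


def review_findings(parsed):
    """List the entries worth a human look before the file is executed."""
    findings, seen = [], set()
    for a in parsed["actions"]:
        key = (a["kind"], a["path"].lower())
        if key in seen:  # the posted file lists one WinDivert service key twice
            findings.append(f"duplicate entry: {a['kind']} {a['path']}")
        seen.add(key)
        if a["rootkit"]:
            findings.append(f"rootkit-flagged: {a['path']}")
        if a["kind"] == "Registry":
            hive = a["path"].split("\\", 1)[0]
            if hive not in KNOWN_HIVES:
                findings.append(f"unknown hive: {a['path']}")
        elif a["path"].lower().startswith(DRIVER_DIR):
            findings.append(f"kernel driver slated for removal: {a['path']}")
    return findings


if __name__ == "__main__":
    parsed = parse_actions(CRUSADER_XML)
    print("reboot requested:", parsed["reboot"])
    for (group, kind), n in sorted(summarise(parsed).items()):
        print(f"{group:10s} {kind:9s} {n}")
    for line in review_findings(parsed):
        print("REVIEW:", line)
```

Run as a script it prints the per-group tallies and three review lines for the shortened file: the `rootkit="yes"` driver, the same driver again as a file under `system32\drivers`, and the repeated `WinDivert1.2` service key. The point of the check is that a removal tool's action file is a plan, and a plan that touches a kernel driver or a service key deserves a look (and a backup, as the DelFix log above shows the tool taking) before it is applied.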
  4. Hey! My system seems to work as well as it did before I installed KMSpico, so I think I'm safe now, although I'll probably consider cleaning and paving (format and reinstall) in the near future, as you mentioned before. I guess I used all the tools available to me to clean it as deeply as possible, and if you have any other suggestion please tell me. I'd like to ask whether you know what the purpose of a .crusader file (CRUSADER FILE) in the System32 folder is. I'm asking you this because I noticed that the last modified date was today at 13:48, which was around an hour after I got infected. Perhaps it has to be there, I was just wondering. On a side note, I realised that I can obtain the Microsoft Office software with my previous university account, so that's great haha :).
  5. Back again! AdwCleaner log: AdwCleaner[C00].txt, AdwCleaner[S00].txt RogueKiller log: threats.txt
  6. Here you go: Quarantine.zip What do you think? I ran many analyses with different anti-malware programs, anti-rootkit scanners, etc. etc. It seems pretty clean, but then again I'm quite a newbie on this matter; is there anything else I should look for by myself?
  7. Alright, good to know. Oh, I guess it's this:
     Fix result of Farbar Recovery Scan Tool (x64) Version: 01.09.2018 03
     Ran by Federico (02-09-2018 18:22:13) Run:1
     Running from C:\Users\Federico\Downloads
     Loaded Profiles: Federico (Available Profiles: Federico)
     Boot Mode: Normal
     ==============================================

     fixlist content:
     *****************
     CloseProcesses:
     CreateRestorePoint:
     InternetURL: C:\Users\Federico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BznMMQqmAG.url ->
     CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
     S1 enqospst; \??\C:\WINDOWS\system32\drivers\enqospst.sys [X]
     S1 lljxzpwk; \??\C:\WINDOWS\system32\drivers\lljxzpwk.sys [X]
     S1 soxttfdw; \??\C:\WINDOWS\system32\drivers\soxttfdw.sys [X]
     Task: {3A24147F-B698-4C9D-BC5C-117DE842A7AA} - \S-1-5-21-1333393564-1384030928-1108208256-1651\{NZTEUIDY-XKT-WKAE-LL1G-TEN31OH4AGE6} -> No File <==== ATTENTION
     Task: {42F00B85-3C52-4F1D-BAE8-CD6046AF325E} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
     Task: {6984A1B4-0641-4F16-B50A-D86979CB8A52} - \S-1-5-21-1333393564-1384030928-1108208256-1651\{NZTEUIDY-XKT-WKAE-LL1G-TEN31OH4AGE6} -> No File <==== ATTENTION
     Task: {6D1784D4-3EDE-44B4-9567-97D835D6B22C} - System32\Tasks\S-1-5-21-1281178409-1004616319-1389079509-6678\{SOL23I11-X3WT-HK6F-SANS-DVMI2UT1N1K} => C:\Users\Federico\AppData\Roaming\amd64_microsoft-windows-ucx-classextension_31bf3856ad364e35_10.0.17134.228_none_a6a5cb47f54600db\xactengine2_5.exe
     Task: {831544B7-9900-48D2-BA76-09BDF8C25D32} - \eVSrriCnrZQlODxsGDB2 -> No File <==== ATTENTION
     AlternateDataStreams: C:\Users\Public\AppData:CSM [234]
     C:\Program Files (x86)\DSZR
     C:\Program Files (x86)\gKBuoIQgSIE
     C:\Program Files (x86)\wunGYWhMeqNU2
     C:\Program Files (x86)\vEuomKaIU
     C:\Program Files (x86)\JQNLggXpPPpITxfrDoR
     C:\Program Files (x86)\IqRJEPTxCjUn
     C:\Program Files (x86)\KMSPico 10.2.1 Final
     C:\Program Files\Common Files\AppLoaderPM.xml
     C:\ProgramData\vAtgRIojrOIejiVB
     C:\ProgramData\zVmiMcGqez
     C:\ProgramData\ntuser.pol
     C:\Users\Federico\ntuser.pol
     C:\Users\Federico\Downloads\KMSPico 10.2.1 [DazTeam.TW].zip
     C:\Users\Federico\Documents\rfwrfw.odt
     C:\Users\Federico\AppData\Local\D3DSCache
     C:\Users\Federico\AppData\Local\installer.dat
     C:\Users\Federico\AppData\LocalLow\sVjUbDSCYVtow
     C:\Users\Federico\AppData\Roaming\qn3fshecnhv
     C:\Users\Federico\AppData\Roaming\o4nln5rvea5
     C:\Users\Federico\AppData\Roaming\ky13rmueaaa
     C:\Users\Federico\AppData\Roaming\azcdbcieul3
     C:\Users\Federico\AppData\Roaming\u3cptwk0ryt
     C:\Users\Federico\AppData\Roaming\fzwq5wf13kg
     C:\Users\Federico\AppData\Roaming\c3fjake3s0u
     C:\Users\Federico\AppData\Roaming\5emja25xphs
     C:\Users\Federico\AppData\Roaming\Windows MUI Service
     C:\Users\Federico\AppData\Roaming\amd64_microsoft-windows-ucx-classextension_31bf3856ad364e35_10.0.17134.228_none_a6a5cb47f54600db
     C:\WINDOWS\uninstaller.dat
     C:\WINDOWS\SysWOW64\lqwfezm
     EmptyTemp:
     *****************

     Processes closed successfully.
     Error: (0) Failed to create a restore point.
     C:\Users\Federico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BznMMQqmAG.url => moved successfully
     "HKLM\SOFTWARE\Policies\Google" => removed successfully
     "HKLM\System\CurrentControlSet\Services\enqospst" => removed successfully
     enqospst => service removed successfully
     "HKLM\System\CurrentControlSet\Services\lljxzpwk" => removed successfully
     lljxzpwk => service removed successfully
     "HKLM\System\CurrentControlSet\Services\soxttfdw" => removed successfully
     soxttfdw => service removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3A24147F-B698-4C9D-BC5C-117DE842A7AA}" => removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3A24147F-B698-4C9D-BC5C-117DE842A7AA}" => removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\S-1-5-21-1333393564-1384030928-1108208256-1651\{NZTEUIDY-XKT-WKAE-LL1G-TEN31OH4AGE6} => not found
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{42F00B85-3C52-4F1D-BAE8-CD6046AF325E}" => removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{42F00B85-3C52-4F1D-BAE8-CD6046AF325E}" => removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => not found
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6984A1B4-0641-4F16-B50A-D86979CB8A52}" => removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6984A1B4-0641-4F16-B50A-D86979CB8A52}" => removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\S-1-5-21-1333393564-1384030928-1108208256-1651\{NZTEUIDY-XKT-WKAE-LL1G-TEN31OH4AGE6} => not found
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6D1784D4-3EDE-44B4-9567-97D835D6B22C}" => removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6D1784D4-3EDE-44B4-9567-97D835D6B22C}" => removed successfully
     C:\WINDOWS\System32\Tasks\S-1-5-21-1281178409-1004616319-1389079509-6678\{SOL23I11-X3WT-HK6F-SANS-DVMI2UT1N1K} => moved successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\S-1-5-21-1281178409-1004616319-1389079509-6678\{SOL23I11-X3WT-HK6F-SANS-DVMI2UT1N1K}" => removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{831544B7-9900-48D2-BA76-09BDF8C25D32}" => removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{831544B7-9900-48D2-BA76-09BDF8C25D32}" => removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\eVSrriCnrZQlODxsGDB2" => removed successfully
     C:\Users\Public\AppData => ":CSM" ADS removed successfully
     C:\Program Files (x86)\DSZR => moved successfully
     C:\Program Files (x86)\gKBuoIQgSIE => moved successfully
     C:\Program Files (x86)\wunGYWhMeqNU2 => moved successfully
     C:\Program Files (x86)\vEuomKaIU => moved successfully
     C:\Program Files (x86)\JQNLggXpPPpITxfrDoR => moved successfully
     C:\Program Files (x86)\IqRJEPTxCjUn => moved successfully
     C:\Program Files (x86)\KMSPico 10.2.1 Final => moved successfully
     C:\Program Files\Common Files\AppLoaderPM.xml => moved successfully
     C:\ProgramData\vAtgRIojrOIejiVB => moved successfully
     C:\ProgramData\zVmiMcGqez => moved successfully
     C:\ProgramData\ntuser.pol => moved successfully
     C:\Users\Federico\ntuser.pol => moved successfully
     C:\Users\Federico\Downloads\KMSPico 10.2.1 [DazTeam.TW].zip => moved successfully
     C:\Users\Federico\Documents\rfwrfw.odt => moved successfully
     C:\Users\Federico\AppData\Local\D3DSCache => moved successfully
     C:\Users\Federico\AppData\Local\installer.dat => moved successfully
     C:\Users\Federico\AppData\LocalLow\sVjUbDSCYVtow => moved successfully
     C:\Users\Federico\AppData\Roaming\qn3fshecnhv => moved successfully
     C:\Users\Federico\AppData\Roaming\o4nln5rvea5 => moved successfully
     C:\Users\Federico\AppData\Roaming\ky13rmueaaa => moved successfully
     C:\Users\Federico\AppData\Roaming\azcdbcieul3 => moved successfully
     C:\Users\Federico\AppData\Roaming\u3cptwk0ryt => moved successfully
     C:\Users\Federico\AppData\Roaming\fzwq5wf13kg => moved successfully
     C:\Users\Federico\AppData\Roaming\c3fjake3s0u => moved successfully
     C:\Users\Federico\AppData\Roaming\5emja25xphs => moved successfully
     C:\Users\Federico\AppData\Roaming\Windows MUI Service => moved successfully
     "C:\Users\Federico\AppData\Roaming\amd64_microsoft-windows-ucx-classextension_31bf3856ad364e35_10.0.17134.228_none_a6a5cb47f54600db" => not found
     C:\WINDOWS\uninstaller.dat => moved successfully
     C:\WINDOWS\SysWOW64\lqwfezm => moved successfully

     =========== EmptyTemp: ==========
     BITS transfer queue => 8151040 B
     DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 13951038 B
     Java, Flash, Steam htmlcache => 492 B
     Windows/system/drivers => 3062288 B
     Edge => 143570 B
     Chrome => 505062690 B
     Firefox => 0 B
     Opera => 0 B
     Temp, IE cache, history, cookies, recent:
     Default => 0 B
     Users => 0 B
     ProgramData => 0 B
     Public => 0 B
     systemprofile => 0 B
     systemprofile32 => 0 B
     LocalService => 0 B
     LocalService => 0 B
     NetworkService => 148122 B
     NetworkService => 0 B
     Federico => 44665832 B
     RecycleBin => 0 B
     EmptyTemp: => 548.5 MB temporary data Removed.

     ================================
     The system needed a reboot.

     ==== End of Fixlog 18:22:28 ====
  8. Hello Aura, So after clicking on the Fix button a message indeed came up, but to restart my computer, and it didn't open any log in Notepad. Should I do it again? On a side note, is there any way to be completely sure that your system is clean, or is the only way to reset or reinstall Windows? Thank you
  9. Hello Aura, First of all, thank you for using your time on helping me, I really appreciate it. FRST logs: FRST_02-09-2018 17.41.12.txt, Addition_02-09-2018 17.41.12.txt Malwarebytes logs: malwaredetection.txt, malwaredetection2.txt. If you have any other question or request, please let me know.
  10. Hello everyone, Well, as you may have read from the title, my computer has been infected by the KMSpico malware and consequently dozens of trojans, viruses, etc. have been installed. The reason why I installed KMSpico is quite obvious... so let's skip that part, I've already learned my lesson. Now, I installed Malwarebytes and ran an analysis. It detected 658 threats, so you can imagine how unsafe I felt after that even though they've been removed. What I'd like to know is if you could guide me on how to make sure my machine is indeed completely clean from all the trash that was installed, e.g. cryptocurrency miners, adware, browser hijackers, and other potentially unwanted programs. Here I'll attach the results I've got from Malwarebytes: malwaredetection.txt, malwaredetection2.txt. Thank you in advance for your help, Regards