Rusty24

Removing KMSemulator and some odd threats


Hi there,

Recently someone in my family installed some sort of hacking program on my laptop to get Microsoft Word for free. I have deleted it and such, but my Windows firewall blocked something so I suspect that it is still in my system. It went by the name of KMS emulator by ratiborus in c:windows\files\bin\kms.exe. Also, the threats that the Malwarebytes scan found are quarantined.

I have both the txt for the FRST and Malwarebytes scan.

So is there any staff or experts that can help me figure out what I should do now?
Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please post the MBAM log.

I also need to see the FRST.TXT and Addition.txt logs from the Farbar run.

I will review them and advise.

Here are the txt files

My Malwarebytes free program can't seem to see if it exists or not, but my Windows Defender firewall seems to think that KMS is still kicking around.

What is the MBAM log? Is that the Malwarebytes scan?

Addition.txt

FRST.txt

MalWarebtyes scan.txt

I may have updated some things like Windows Defender, Java, Flash Player and such. I am not sure how badly that will ***** with your work so far, so I have the new and old ones here so that you can check what would need to be changed.

Sorry for that.

Also, I have turned on System Restore. So no need to warn about it like the last person whose thread I checked.

FRST new.txt

Addition new.txt

FRST old.txt

Addition old.txt

Hi,

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-936773021-973081921-1146745997-1003\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi => not found
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi => not found
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - <no Path/update_url>
S3 H2OFFT; \SystemRoot\System32\drivers\H2OFFT64.sys [X]
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
Task: {1C1E5928-FD9E-4602-9539-1BA733A8867E} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\AncestorsLegacy:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\Banished:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\BioshockHD:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\Endless Legend:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\Endless Space 2:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\League of Legends:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\My Digital Editions:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\Stronghold Crusader:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\UnrealEngine:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
FirewallRules: [TCP Query User{DBE85D92-6E4E-4AC9-8A10-0499DABF64D2}C:\windows\files\bin\kmss.exe] => (Block) C:\windows\files\bin\kmss.exe No File
FirewallRules: [UDP Query User{5A084A3E-D306-463A-B4BD-F561D5AFE81F}C:\windows\files\bin\kmss.exe] => (Block) C:\windows\files\bin\kmss.exe No File
VirusTotal: C:\WINDOWS\OInstall.exe
Reboot:
End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the log and let me know what problem persists.
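The fixlist above targets a handful of leftover artifacts: firewall rules that still point at an executable that no longer exists, a Software Restriction Policy entry on mrt.exe, a scheduled task whose target is gone, and alternate data streams on folders under OneDrive\Documents. The following PowerShell script is an added, read-only audit for those same categories on a Windows 10 host; it is not code from the thread, from nasdaq or from Malwarebytes or Farbar, and it changes nothing. It assumes PowerShell 5.1 or later with the built-in NetSecurity and ScheduledTasks modules, an elevated prompt for full visibility, the standard Software Restriction Policy registry location under Safer\CodeIdentifiers, and a $DocumentsPath parameter that defaults to the current user's OneDrive\Documents folder (both the parameter name and the default are this example's assumptions).

```powershell
# Added example (not from the thread): read-only audit for the kinds of leftovers the
# fixlist removes. Reports findings as objects; changes nothing.
# Assumes Windows 10, PowerShell 5.1+, NetSecurity/ScheduledTasks modules, run elevated.

function Find-FixlistLeftovers {
    param(
        # Assumed default: the folder the fixlist's AlternateDataStreams lines came from.
        [string]$DocumentsPath = (Join-Path $env:USERPROFILE 'OneDrive\Documents')
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Firewall rules whose program path no longer exists, like the
    #    "TCP/UDP Query User{...}C:\windows\files\bin\kmss.exe" block rules above.
    foreach ($filter in Get-NetFirewallApplicationFilter -All) {
        $program = $filter.Program
        if (-not $program -or $program -in @('Any', 'System')) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($program)
        if (Test-Path -LiteralPath $expanded) { continue }
        foreach ($rule in ($filter | Get-NetFirewallRule)) {
            $findings.Add([pscustomobject]@{
                Kind   = 'FirewallRule'
                Name   = $rule.DisplayName
                Target = $expanded
                Detail = "$($rule.Direction) $($rule.Action), Enabled=$($rule.Enabled)"
            })
        }
    }

    # 2. Software Restriction Policy path rules (assumed location: the Safer policy keys).
    #    FRST flagged one on %systemroot%\system32\mrt.exe; a Disallowed rule there keeps
    #    the Malicious Software Removal Tool from running, so every path rule is listed.
    $srpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $levelNames = @{ '0' = 'Disallowed'; '4096' = 'BasicUser'; '262144' = 'Unrestricted' }
    if (Test-Path -LiteralPath $srpRoot) {
        foreach ($level in Get-ChildItem -LiteralPath $srpRoot) {
            $pathsKey = Join-Path $level.PSPath 'Paths'
            if (-not (Test-Path -LiteralPath $pathsKey)) { continue }
            foreach ($ruleKey in Get-ChildItem -LiteralPath $pathsKey) {
                $props = Get-ItemProperty -LiteralPath $ruleKey.PSPath
                $levelName = $levelNames[$level.PSChildName]
                if (-not $levelName) { $levelName = $level.PSChildName }
                $findings.Add([pscustomobject]@{
                    Kind   = 'SRPPathRule'
                    Name   = $ruleKey.PSChildName
                    Target = $props.ItemData
                    Detail = "Level=$levelName"
                })
            }
        }
    }

    # 3. Scheduled tasks whose executable is missing (the fixlist's "Task: ... -> No File").
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            # Only rooted paths are checked; bare names such as cmd.exe resolve through PATH.
            if (-not [IO.Path]::IsPathRooted($exe)) { continue }
            if (Test-Path -LiteralPath $exe) { continue }
            $findings.Add([pscustomobject]@{
                Kind   = 'ScheduledTask'
                Name   = "$($task.TaskPath)$($task.TaskName)"
                Target = $exe
                Detail = "State=$($task.State)"
            })
        }
    }

    # 4. Named alternate data streams on the folders under $DocumentsPath. OneDrive writes
    #    its own metadata streams, so this lists them for review rather than judging them.
    if (Test-Path -LiteralPath $DocumentsPath) {
        foreach ($dir in Get-ChildItem -LiteralPath $DocumentsPath -Directory) {
            $streams = Get-Item -LiteralPath $dir.FullName -Stream '*' -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
            foreach ($s in $streams) {
                $findings.Add([pscustomobject]@{
                    Kind   = 'AlternateDataStream'
                    Name   = $dir.Name
                    Target = "$($dir.FullName):$($s.Stream)"
                    Detail = "Length=$($s.Length)"
                })
            }
        }
    }

    return $findings
}

# Usage: run elevated, then review the table before deciding what to remove.
Find-FixlistLeftovers | Format-Table -AutoSize -Wrap
```

The script only reports; removal of anything it lists is a separate, deliberate step, and a firewall rule or task that merely points at a vanished file is usually stale rather than active. Firewall rules whose program is stored as an NT device path rather than a drive letter will show up as missing even when the file exists, so treat that category as a review list, not a verdict.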

Okay, that is done and the log is there. Is it good or bad? 

So what actions would you advise to do at this point to check if my system still has some issues and maybe some programs to help keep it secure and protected?

Fixlog.txt

Looking good.

If all is well you can delete the quarantined files.

Stay Safe.
Thanks.

I will let you or any other experts or so know in the future if anything pops up.

Thank you for your Personal Message.

Glad we could help.
