Jump to content

Removing KMSemulator and some odd threats


Recommended Posts

Hi there,

Recently someone in my family had install sort of hacking program on my laptop to get microsoft word for free. I have deleted it and such, but my windows firewall blocked something so I suspect that it is still in my system. It went by the name of KMS emulator by ratiborus in c:windows\files\bin\kms.exe. Also, the threats that the malwarebtyes scan are quarantined.

I have both the txt for the FRST and malwarebyptes scan.

So is there any staff or experts that can help me figure out what I should do now?

 

 

 

Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please post the MBAM log.

I also need to see the FRST.TXT and Addition.txt logs from the Farbar run.

I will review them and advise.

Link to post
Share on other sites

I may have updated some like windows defender, java, flash player and such. I am not sure how badly that will ***** with your work so far, so I had the new and old ones here so that you can check what would needed to be changed.

Sorry for that.

Also, I have turned on system restore. So no need to warn about it like the last person that I checked a tread for.

 

FRST new.txt

Addition new.txt

FRST old.txt

Addition old.txt

Link to post
Share on other sites

Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.
 

start
	CreateRestorePoint:
EmptyTemp:
CloseProcesses:
	HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-936773021-973081921-1146745997-1003\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi => not found
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi => not found
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - <no Path/update_url>
S3 H2OFFT; \SystemRoot\System32\drivers\H2OFFT64.sys [X]
	ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
Task: {1C1E5928-FD9E-4602-9539-1BA733A8867E} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\AncestorsLegacy:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\Banished:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\BioshockHD:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\Endless Legend:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\Endless Space 2:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\League of Legends:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\My Digital Editions:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\Stronghold Crusader:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
AlternateDataStreams: C:\Users\luked\OneDrive\Documents\UnrealEngine:${3D0CE612-FDEE-43f7-8ACA-957BEC0CCBA0}.Metadata [194]
FirewallRules: [TCP Query User{DBE85D92-6E4E-4AC9-8A10-0499DABF64D2}C:\windows\files\bin\kmss.exe] => (Block) C:\windows\files\bin\kmss.exe No File
FirewallRules: [UDP Query User{5A084A3E-D306-463A-B4BD-F561D5AFE81F}C:\windows\files\bin\kmss.exe] => (Block) C:\windows\files\bin\kmss.exe No File
	VirusTotal: C:\WINDOWS\OInstall.exe
	Reboot:
End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the log and let me know what problem persists.

Link to post
Share on other sites

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.