Jump to content

Attempted to use KMSPico, computer is now infected

seaweber

By seaweber
in Resolved Malware Removal Logs

 Share

Recommended Posts

Android8888

Android8888

Posted
Posted

Hello @seaweber and :welcome:

My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear.

Your computer is highly infected with malware and the main infection is a SmartService rootkit. This is a nasty infection so you will need to strictly follow up some procedures in the order listed to get your computer clean and safe.

Okay, let's start.


In Normal mode do this please:

Right click on the FRST64 icon and select Run as administrator to start the tool;
Highlight and copy the following text and paste it inside the 'Search' box area of FRST;

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::


Once done, click on the Fix button. A file called Fixlog.txt should appear on your computer Desktop;
Please attach that log in your next reply for my review and wait for further instructions.

Thank you.

Android8888

Link to post
Share on other sites
Android8888

Android8888

Posted
Posted

Hello @seaweber

 

6 hours ago, seaweber said:

Thank you so much for offering your help.

You're welcome! :)

 

6 hours ago, seaweber said:

I'd like to note that you asked me to do this in normal mode, yet I can only boot into safe mode without BSODing, so I hope this is sufficient. 

Yes that was sufficient. It worked perfectly.

 

Now please read carefully the following instructions and if you don't understand something, please STOP and ask before proceed!

You will have to run a scan with FRST from the Windows Recovery Environment (RE).

But first you will need to have access to another (clean) computer and a USB Flash Drive (4 GB size it's good).

Please note: The USB Flash Drive can only be inserted in the infected computer if it is either shutdown, or in the Windows RE (Recovery Environment). Otherwise, the infection will mess with the files on the USB Flash Drive.

 

Preparing the USB Flash Drive (on a clean computer)

  • Plug-in the USB Flash Drive on a clean computer and format it before using it ('Quick Format' is enough);
  • Access the Internet and download FRST 64-bit from a clean computer (Don't use the FRST64.exe file from the infected computer);
  • Move the executable (FRST64.exe) on the USB Flash Drive.

 

Boot in the Recovery Environment (RE) (on the infected computer)

  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer;
    • Once you've seen your BIOS splash screen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears;
    • Use the arrow keys to select Repair your computer, and press on Enter;
    • Select your keyboard layout (US, French, etc.) and click on Next;
    • Click on Command Prompt to open the command prompt; to open the command prompt; to open the command prompt; to open the command prompt;

      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.

  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums.
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.

  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums.
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.


Note: Once in the Windows RE, plug the USB Flash Drive in the computer.

You will have to reach and select the Command Prompt icon in Advanced Options in the Recovery Environment.
 
Once in the Command Prompt

  • In the command prompt, type notepad and press on Enter;
  • Notepad will open. Click on the File menu and select Open;
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad;
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe and press on Enter;
  • Note: Replace the letter e with the drive letter of your USB Flash Drive;
  • FRST will open;
  • Click on Yes to accept the disclaimer;
  • Click on the Scan button and wait for the scan to complete;
  • A log called FRST.txt will be saved on your USB Flash Drive;
  • Please attach that log in your next reply.


Please attach the FRST.txt log, restart the computer in Normal mode and let me know how is the machine behavior now.

Thank you.

Android8888

Link to post
Share on other sites
Android8888

Android8888

Posted
Posted (edited)

Good.

But we are not finished yet. We need to ensure the computer is totally clean and free of malware.

Now please run the following scans in Normal mode:

 

  • Open Malwarebytes;
  • On the left pane select Settings;
  • Select the Protection tab;
  • Scroll down to Scan Options and ensure Scan for Rootkits and Scan within Archives are both 'On' and leave all other settings to default.
  • Go back to DashBoard and select the blue Scan Now tab;
  • When the scan completes if potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selectedbutton.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
  • Please attach the log in your next reply.


Next,

  • Download AdwCleaner and move it to your computer Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator;
  • Click Yes to accept the User Account Control security warning that may appear;
  • Click on the blue button 'I AGREE';
  • Click on the Scan Now button;
  • Let the scan complete. Once it's done, make sure that every item listed is checked and click on the Clean & Repair button;
  • Click on the Clean & Restart Now button;
  • After the restart, a log will open when logging in. Please attach that log in your next reply.


Next,
Follow the instructions below and execute a scan on your system with FRST, and provide the two logs in your next reply.

  • Right-click on the executable and select Run as Administrator;
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • Click on the Scan button;
  • On completion, two message box will open, saying that the results were saved to FRST.txt and Addition.txt, then open two Notepad files;
  • Please attach both FRST.txt and Addition.txt in your next reply;


To summarize, please attach the following files:
Malwarebytes (quarantine log).
AdwCleaner clean log. It can be found in C:\AdwCleaner\AdwCleaner[Cxx].txt (where 'xx' is a number, the highest number is the most recent and the one I need to see).
FRST.txt
Addition.txt

Edited by Android8888
Link to post
Share on other sites
  • 1 month later...
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.