KMSpico


Go to solution Solved by Maurice Naggar,

I'm using an Opera GX browser and every time that I download something it's located in E:\downloads\scoped_dir{numbers}. Also I have noticed that every file that I download I need to run with administrator.

Link to post
Share on other sites

Hello Ryzm.

It seems that you really need to dig thru the Settings of the Opera browser, looking very closely at its Download section options.

Have you looked there?

This sounds like a glitch of some sort of the browser itself.

Link to post
Share on other sites

The only thing I have done with the download settings is change the location that the files are stored in from the C: drive to the E: drive. On the Opera GX browser the only 2 settings for downloads are: Change the path and Ask where to save each file before downloading.

Link to post
Share on other sites

There is a lot of work ahead here. The FIRST thing you must do is square away the setting in Opera for the Downloads. Get all settings in Opera squared away.

In the meantime, or for the duration, if this is a Windows 10 system, use just the EDGE browser so that you do not get tripped up.

I can help you here to look for actual malware, and if some is really found, then we can deal with that.

The Opera browser is your main responsibility to get it to behave / to be sure all its settings are standard.

A normal consumer / home consumer ought to never ever need any "kmspico". Especially if this is some sort of tool to get around licensing.

We do not condone piracy. At the same time, we are not license police. But any dangerous file detected is apt to be removed.

Also be aware that this type of free stuff is often bundled with malicious malware & worse.

The first thing needed is a decent diagnostic report. Use the EDGE browser (and not Opera) for downloading.

Please download the Farbar Recovery Scan Tool 64-bit and save it to your desktop.

 

Right-click on FRST64.exe and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Windows 10 users will be prompted about Windows SmartScreen protection - click the More info line on that screen and click the Run anyway button on the next screen.

Click YES when prompted by the Windows UAC prompt to allow it to run.

Note: If you are prompted by Windows SmartScreen, click More info & follow up & choose Run anyway.

 

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

 

Click Yes when the disclaimer appears in FRST.

The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

 

Make sure that the Addition option is checked - the configuration should look exactly like on the screen below (do not mark additional things unless asked).

Press Scan button and wait.

 


 

 

The tool will produce 2  logfiles on your desktop: FRST.txt , Addition.txt 

Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

 

Please attach these 2 files to your next reply.

Thank you.

 

Link to post
Share on other sites

More info about KMSpico on my PC. I ran Kaspersky Antivirus on my computer and it seems like it deleted it but not completely, that was around 2-3 weeks ago, when it was in the process of deleting the malware, I tried accessing the task manager, the file explorer and it didn't give me permission to open both. After a week I was granted by a message that I should rename the file "Program" to "Program-1" since it can cause problems to some applications. The file seems to have a connection to the KMSpico virus, since when I open the %temp% folder it is located in "C:\PROGRA~1\KMSpico\temp".

Link to post
Share on other sites
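
A read-only check for the two symptoms described in the post above, as an added example that is not part of the thread: it reports where the persisted user and machine TEMP/TMP variables point, and whether a stray file named Program sits at the root of the system drive. The default locations used for comparison and the drive-root location of that file are assumptions of this example, not statements from the poster.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on the system.

# Assumed Windows defaults for each scope.
$defaults = @{
    User    = Join-Path $env:LOCALAPPDATA 'Temp'   # %USERPROFILE%\AppData\Local\Temp
    Machine = Join-Path $env:SystemRoot   'Temp'   # %SystemRoot%\TEMP
}

$report = foreach ($scope in 'User', 'Machine') {
    foreach ($name in 'TEMP', 'TMP') {
        # Read the persisted value for this scope, not the current process copy.
        $value = [Environment]::GetEnvironmentVariable($name, $scope)
        $clean = if ($value) { $value.TrimEnd('\') } else { '' }
        [pscustomobject]@{
            Scope     = $scope
            Variable  = $name
            Value     = $value
            IsDefault = ($clean -eq $defaults[$scope].TrimEnd('\'))
            Exists    = [bool]($clean -and (Test-Path -LiteralPath $clean -PathType Container))
        }
    }
}
$report | Format-Table -AutoSize

# Anything not at the default deserves a look, e.g. a temp folder that lives
# inside another program's install directory.
$redirected = @($report | Where-Object { -not $_.IsDefault })
if ($redirected.Count -gt 0) {
    Write-Warning ("{0} TEMP/TMP value(s) differ from the defaults." -f $redirected.Count)
}

# Assumption: the file named "Program" is at the root of the system drive.
# A file (not a folder) there collides with unquoted paths under "Program Files".
$stray = Join-Path $env:SystemDrive 'Program'
if (Test-Path -LiteralPath $stray -PathType Leaf) {
    Get-Item -LiteralPath $stray -Force |
        Select-Object FullName, Length, CreationTime, LastWriteTime
} else {
    "No file named 'Program' at $env:SystemDrive\"
}
```

The output is for inclusion in a reply to the helper; correcting the variables or removing files is left to the guided cleanup.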

Thanks for the FRST reports. At an opportune moment, you need to go through Windows' Settings in the Device Manager area to check on two (2) devices.

Name: Synaptics PS/2 Port Pointing Device
Description: Synaptics PS/2 Port Pointing Device
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Synaptics
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

The FRST reports show there are 4 Windows policy settings that should not be there.  One of which restricts the Explorer open function on web browser functionality.  This latter one is likely to be at the root cause of the troubles with the Opera browser.  These settings, along with some other unwanted things, will be removed by the custom script below.

We also want to re-ensure that all browser temporary cache files are emptied, as well as clearing all Temp areas.

The system will be rebooted after the script has run.

This custom script is for RYZRN only / for this machine only.

 

NOTE-1:  In addition, This fix will also run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

The custom Fix script is going to be used by the FRST64.exe tool, which you have in your DESKTOP folder.

Please save the (attached file named) FIXLIST.txt to the DESKTOP folder.

Start the Windows Explorer and then go to the Desktop folder.

RIGHT click on FRST64.exe and select RUN as Administrator to run the tool and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the More info line on that screen and click the Run anyway button on the next screen.

On the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Sincerely.

Fixlist.txt

Edited by Maurice Naggar
Link to post
Share on other sites

Just a NOTE:  We will  need to sort out just which Antivirus program is the real resident antivirus. I see that Kaspersky iSecure AND Bitdefender are running.

We need to get all that sorted;  and to only have 1 of them.  So be sure to tell me, which one of these is paid for that you will keep.

Having 2 or more antivirus programs does indeed cause conflicts and deadlocks at the worst possible time.  This must be sorted out & cured.  You advise me which one you want to keep and I will guide you on cleanup.

Link to post
Share on other sites

Also, I found that Kaspersky Secure Connection was still installed, I deleted it and it told me to reboot my PC, I clicked reboot later, do I first need to reboot my PC and then run the script or is it okay just to run it now?

Link to post
Share on other sites

As to the printer, go ahead and disconnect it.

You do need to go ahead and do the custom script run with the FRST Fix procedure.   That is the top priority.

Link to post
Share on other sites

Thanks. The run is a good run. Let's do some other scans to do more checks on this computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the-tool instructions are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please select the " FULL "  scan option.

Let me know the result of this.

The log is named MSERT.log.

The log will be at C:\Windows\debug\msert.log

Please attach that log with your reply.

 

Link to post
Share on other sites

On the message-window from Bitdefender, notice that the file is in a QUARANTINE area.

The item is in jail (as one may phrase it).

The result from the Microsoft Safety Scanner is good.

As a next step, to check out your system a bit more, a new scan with Sophos.

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....




The Virus Removal Tool scans the following areas of your computer:

  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

 

Link to post
Share on other sites

That is very good to see and to know. There are no viruses here.

I would like you to run a tool named SecurityCheck to inquire on the current security-update status of some applications.

  • Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.
  • If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed.
  • This tool is safe. Smartscreen is overly sensitive.
  • Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
Link to post
Share on other sites

Thanks.  We are done with the Sophos Virus Removal Tool v.2.8.0

You should uninstall Sophos.

The SecurityCheck tool pointed out several applications that need updating.  Check up & follow up on each one.

Notepad++ (64-bit x64) v.7.9.1 Warning! Download Update

WinRAR 5.91 (64-bit) v.5.91.0 Warning! Download Update

Microsoft Teams v.1.3.00.30866 Warning! Download Update
Viber v.14.3.0.52 Warning! Download Update

Spotify v.1.1.47.684.g136419d9 Warning! Download Update

Google Chrome v.87.0.4280.88 Warning! Download Update

It has flagged 1 potentially undesirable application

---------------------------- [ UnwantedApps ] -----------------------------
Smart Game Booster 5.0 v.5.0.1 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it .

Link to post
Share on other sites
This topic is now closed to further replies.