ryzrn Posted January 10, 2021 ID:1431498

I'm using an Opera GX browser and every time that I download something it's located in E:\downloads\scoped_dir{numbers}. Also I have noticed that every file that I download I need to run as administrator.

ryzrn Posted January 10, 2021 Author ID:1431500

I bought a new PC recently and it has the KMSpico virus. I have noticed that the temp folder is located in C:\PROGRA~1\KMSpico\temp

Help!

ryzrn Posted January 10, 2021 Author ID:1431502

It also creates these folders

Maurice Naggar Posted January 10, 2021 ID:1431503

Hello Ryzrn. It seems that you really need to dig through the Settings of the Opera browser, looking very closely at its Download section options. Have you looked there? This sounds like a glitch of some sort of the browser itself.

Maurice Naggar Posted January 10, 2021 ID:1431504

Hello. You have 2 separate topic threads. Is all of this on just one single Windows PC? (Please do not create any other new topic at this point.)

Maurice Naggar Posted January 10, 2021 ID:1431506

2nd reply for this Sunday afternoon. This link is just one potential how-to article regarding the Opera browser setting for Download folder:

Change the Default Folder for Your Downloads in Opera - CCM

ryzrn Posted January 10, 2021 Author ID:1431508

The only thing I have done with the download settings is change the location that the files are stored in from the C: drive to the E: drive. On the Opera GX browser the only 2 settings for downloads are: Change the path and Ask where to save each file before downloading.

ryzrn Posted January 10, 2021 Author ID:1431509

I'm wondering if scoped_dir is some kind of malware or an Opera browser thing, because some people say it's malware and some say it's because of Opera.

ryzrn Posted January 10, 2021 Author ID:1431510

Both topics are on one PC.

Maurice Naggar Posted January 10, 2021 ID:1431513

There is a lot of work ahead here. The FIRST thing you must do is square away the setting in Opera for the Downloads. Get all settings in Opera squared away. In the meantime, or for the duration, if this is a Windows 10 system, use just the EDGE browser so that you do not get tripped up.

I can help you here to look for actual malware, and if some is really found, then we can deal with that. The Opera browser is your main responsibility: get it to behave and be sure all its settings are standard.

A normal consumer / home consumer ought to never ever need any "kmspico". Especially if this is some sort of tool to get around licensing. We do not condone piracy. At the same time, we are not license police. But any dangerous file detected is apt to be removed. Also be aware that this type of free stuff is often bundled with malicious malware & worse.

The first thing needed is a decent diagnostic report. Use the EDGE browser (and not Opera) for downloading.

Please download the Farbar Recovery Scan Tool 64-bit and save it to your desktop.

Right-click on FRST64.exe and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Windows 10 users will be prompted about Windows SmartScreen protection - click the More info line on that screen and click the Run anyway button on the next screen.

Click YES when prompted by the Windows UAC prompt to allow it to run.

Note: If you are prompted by Windows SmartScreen, click More info & follow up & choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the disclaimer appears in FRST.

The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is checked - the configuration should look exactly like on the screen below (do not mark additional things unless asked).

Press the Scan button and wait.

The tool will produce 2 logfiles on your desktop: FRST.txt, Addition.txt

Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.

ryzrn Posted January 11, 2021 Author ID:1431575

Sorry for the long wait, here it is

FRST.txt
Addition.txt

ryzrn Posted January 11, 2021 Author ID:1431577

More info about KMSpico on my PC. I ran Kaspersky Antivirus on my computer and it seems like it deleted it but not completely, that was around 2-3 weeks ago, when it was in the process of deleting the malware, I tried accessing the task manager, the file explorer and it didn't give me permission to open both. After a week I was granted by a message that I should rename the file "Program" to "Program-1" since it can cause problems to some applications. The file seems to have a connection to the KMSpico virus, since when I open the %temp% folder it is located in "C:\PROGRA~1\KMSpico\temp".

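A read-only check for the symptom reported above (%temp% resolving to C:\PROGRA~1\KMSpico\temp), added here as an example that is not part of the original thread: it lists where TEMP and TMP point at process, user and machine scope and flags any value outside the Windows default locations, assumed here to be %LOCALAPPDATA%\Temp and %SystemRoot%\Temp. The function name Get-TempVariableAudit is hypothetical.

```powershell
# Added example (not from the thread). Read-only: it reports and changes nothing.
function Get-TempVariableAudit {
    # Expand %VAR% references and, when the folder exists, 8.3 short names
    # such as PROGRA~1, so that paths can be compared reliably.
    $resolve = {
        param($p)
        $p = [Environment]::ExpandEnvironmentVariables($p)
        if (Test-Path -LiteralPath $p) {
            $p = (Get-Item -LiteralPath $p -Force).FullName
        }
        $p.TrimEnd('\')
    }

    # Assumption: the Windows default temp locations. Anything else is
    # flagged for review, not proof of infection.
    $expected = @(
        (& $resolve (Join-Path $env:LOCALAPPDATA 'Temp')),
        (& $resolve (Join-Path $env:SystemRoot 'Temp'))
    )

    foreach ($scope in 'Process', 'User', 'Machine') {
        foreach ($name in 'TEMP', 'TMP') {
            $raw = [Environment]::GetEnvironmentVariable($name, $scope)
            if ([string]::IsNullOrEmpty($raw)) { continue }

            $path = & $resolve $raw
            $isDefault = $false
            foreach ($root in $expected) {
                $under = $path.StartsWith($root + '\',
                    [StringComparison]::OrdinalIgnoreCase)
                if ($path -eq $root -or $under) { $isDefault = $true }
            }

            [pscustomobject]@{
                Scope     = $scope
                Variable  = $name
                Raw       = $raw
                Resolved  = $path
                IsDefault = $isDefault
            }
        }
    }
}

Get-TempVariableAudit | Format-Table -AutoSize
```

Run it in the affected user's own session, since the User scope is read from that account's environment settings.
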
Maurice Naggar Posted January 11, 2021 ID:1431608

Thanks for the FRST reports. At an opportune moment, you need to go through Windows' Settings in the Device Manager area to check on two (2) devices.

Name: Synaptics PS/2 Port Pointing Device
Description: Synaptics PS/2 Port Pointing Device
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Synaptics
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed. Devices stay in this state if they have been prepared for removal. After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed. Devices stay in this state if they have been prepared for removal. After you remove the device, this error disappears.Remove the device, and this error should be resolved.

The FRST reports show there are 4 Windows policy settings that should not be there. One of which restricts the Explorer open function on web browser functionality. This latter one is likely to be at the root cause of the troubles with the Opera browser. These settings, along with some other unwanted things, will be removed by the custom script below.

We also want to re-ensure that all browser temporary cache files are emptied, as well as clearing all Temp areas. The system will be rebooted after the script has run.

This custom script is for RYZRN only / for this machine only.

NOTE-1: In addition, this fix will also run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

Windows Temp
Users Temp folders
Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
Recently opened files cache
Flash Player cache
Java cache
Steam HTML cache
Explorer thumbnail and icon cache
Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to close any open work files, documents, and any apps you started yourself before starting this. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

The custom Fix script is going to be used by the FRST64.exe tool which you have in your DESKTOP folder.

Please save the (attached file named) FIXLIST.txt to the DESKTOP folder.

Start the Windows Explorer and then go to the Desktop folder.

RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the More info line on that screen and click the Run anyway button on the next screen.

On the FRST window: Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.

If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing.

Do let me know how things are overall, after all this.

Sincerely.

Fixlist.txt

Edited January 11, 2021 by Maurice Naggar

Maurice Naggar Posted January 11, 2021 ID:1431611

Just a NOTE: We will need to sort out just which Antivirus program is the real resident antivirus. I see that Kaspersky iSecure AND Bitdefender are running. We need to get all that sorted; and to only have 1 of them. So be sure to tell me, which one of these is paid for that you will keep.

Having 2 or more antivirus programs does indeed cause conflicts and deadlocks at the worst possible time. This must be sorted out & cured. You advise me which one you want to keep and I will guide you on cleanup.

ryzrn Posted January 11, 2021 Author ID:1431634

I cannot find the Synaptics driver nor the keyboard in my device manager folder. Do I need to disconnect my printer?

ryzrn Posted January 11, 2021 Author ID:1431642

Also, I found that Kaspersky Secure Connection was still installed, I deleted it and it told me to reboot my PC, I clicked reboot later, do I first need to reboot my PC and then run the script or is it okay just to run it now?

Maurice Naggar Posted January 11, 2021 ID:1431645

As to the printer, go ahead and disconnect it. You do need to go ahead and do the custom script run with the FRST Fix procedure. That is the top priority.

ryzrn Posted January 11, 2021 Author ID:1431656

It has finished, here is the fixlog.

Fixlog.txt

Maurice Naggar Posted January 11, 2021 ID:1431719

Thanks. The run is a good run. Let's do some other scans to do more checks on this computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the-tool are at this link at Microsoft:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please select the "FULL" scan option.

Let me know the result of this. The log is named MSERT.log. The log will be at C:\Windows\debug\msert.log

Please attach that log with your reply.

ryzrn Posted January 12, 2021 Author ID:1431802

It has finished. While it was scanning BitDefender detected this too.

msert.log

Maurice Naggar Posted January 12, 2021 ID:1431846

On the message-window from Bitdefender, notice that the file is in a QUARANTINE area. The item is in jail (as one may phrase it).

The result from the Microsoft Safety Scanner is good.

As a next step, to check out your system a bit more, a new scan with Sophos.

Download Sophos Free Virus Removal Tool and save it to your desktop. If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.

Please do not use your PC whilst the scan is in progress. This scan is very thorough so may take several hours.

Double click the icon and select Run
Click Next
Select I accept the terms in this license agreement, then click Next twice
Click Install
Click Finish to launch the program
Once the virus database has been updated click Start Scanning
If any threats are found click Details, then View log file... (bottom left hand corner)
Copy and paste the results in your reply
Close the Notepad document, close the Threat Details screen, then click Start cleanup
Click Exit to close the program
If no threats were found please confirm that result.

The Virus Removal Tool scans the following areas of your computer:

Memory, including system memory on 32-bit (x86) versions of Windows
The Windows registry
All local hard drives, fixed and removable

Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

ryzrn Posted January 12, 2021 Author ID:1431888

Sophos has finished scanning. It says that 0 threats were detected, here's a screenshot with it.

Maurice Naggar Posted January 12, 2021 ID:1431927

That is very good to see and to know. There are no viruses here.

I would like you to run a tool named SecurityCheck to inquire on the current-security-update status of some applications.

Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.

If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and override that and allow it to proceed. This tool is safe. Smartscreen is overly sensitive.

Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.

Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

ryzrn Posted January 13, 2021 Author ID:1432047

Sorry for the wait, here it is

SecurityCheck.txt

Maurice Naggar Posted January 13, 2021 ID:1432070

Thanks. We are done with the Sophos Virus Removal Tool v.2.8.0. You should uninstall Sophos.

The SecurityCheck tool pointed out several applications that need updating. Check up & follow up on each one.

Notepad++ (64-bit x64) v.7.9.1 Warning! Download Update
WinRAR 5.91 (64-bit) v.5.91.0 Warning! Download Update
Microsoft Teams v.1.3.00.30866 Warning! Download Update
Viber v.14.3.0.52 Warning! Download Update
Spotify v.1.1.47.684.g136419d9 Warning! Download Update
Google Chrome v.87.0.4280.88 Warning! Download Update

It has flagged 1 potentially undesirable application:

---------------------------- [ UnwantedApps ] -----------------------------
Smart Game Booster 5.0 v.5.0.1 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it.
