[-was- corrupted TEMP + TMP env variables] KMSpico Temp Folder?

[BubblyBread]

Hi, 

So I have been wondering what this folder is because it takes up 15gb on my C drive. I'm not sure what it is and why it's taking up so much space? Please can someone help me? Here is what I got when I used the Farbar recovery scan tool and some screenshots.

Thanks 

Addition.txt FRST.txt

[Maurice Naggar]

Hello  

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

• Removing malware can be unpredictable
• Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Only run the tools I guide you to.
• Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
• The removal of malware isn't instantaneous, please be patient.
• Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
• Please stick with me until I give you the "all clear".
• If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply..

[BubblyBread]

Hi,

Here are my results

 

mbst-grab-results.zip

[Maurice Naggar]

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide

Next action step:
Disable ( turn OFF ) Fast Startup
https://www.windowscentral.com/how-disable-windows-10-fast-startup]/url]

Then restart the computer

I will note that the rogue folders were seemingly created late night of 15 May.

Please run the following custom script. Read all of this before you start. Please Close all open work.

Farbar program : is FRST64.exe is already on this machine

Please download the attached fixlist.txt file and save it to Downloads folde

Fixlist.txt<-- - - - -

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRST64 and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will reset the Winsock & the Hosts file. It will also run scans with MS Defender antivirus. Depending on the speed of your computer this fix may take 50-55 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome, and Opera + Brave caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Discord cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

I will recheck on you much later ( late ) this evening.

Edited May 16 by Maurice Naggar

[BubblyBread]

Hi 

Here is the file

Fixlog.txt

[Maurice Naggar]

The custom run is beneficial. The Windows System File Checker ( SFC ) has made some corrections. Windows Resource Protection found corrupt files and successfully repaired them.
It looks as if the rogue chrome_ sub-folders were removed.
We do have to run additional scans ( it will take a few rounds over this evening, and then more tomorrow).
This next one is the first.
ALSO, by the way, this is very important. The "malware" had put exclusions onto Windows Defender such that these folders were "EXEMPT"
from being monitored.
C:\Windows\SECOH-QAD.dll
C:\Windows\SECOH-QAD.exe
C:\Program Files\KMSpico
C:\Windows\SysWOW64\WMIScriptingAPI
C:\Users\*\Documents\Celemony\Separations
Those exclusions have been removed.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.

This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

[Maurice Naggar]

other NOTE: On a later round, we will go about removing any other chrome_url_fetcher_
and any other chrome_componentunpacker

[BubblyBread]

Here are the results

msert.log

[Maurice Naggar]

A very good cleanup of malware by MS Safety Scanner.

Scan Results:
-------------
Threat Detected: HackTool:Win64/AutoKMS and Removed!
  Action: Remove, Result: 0x00000000
    file://C:\Windows\SECOH-QAD.exe
        SigSeq: 0x00002667551B9E2C
    file://C:\Windows\SECOH-QAD.dll
        SigSeq: 0x00002667DE39BADC
	Results Summary:
----------------
Found HackTool:Win64/AutoKMS and Removed!

 

Please run the following custom script. Read all of this before you start. Please Close all open work.

Farbar program : is FRST64.exe is already on this machine

Please download the attached fixlist.txt file and save it to Downloads folde

Fixlist.txt<-- - - - -

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRST64 and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This run will look for any remaining sub-folders "chrome_url_" & "chrome_componentunpacker".  It will also run a Quick scan with MS Defender antivirus. Depending on the speed of your computer this fix may take 15-20 minutes or more.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. Plus, look on the Desktop. Find and then Attach a report file Klearemlog.txt

 

 

[BubblyBread]

Here is the file

Klearemlog.txt

[Maurice Naggar]

Also, please look on the Downloads folder. I need the report-file named Fixlog.txt

Also, how is the system at this point ?

[BubblyBread]

Hello, 

 

Here are my results. Also, the system feels like the exact same as it was before. nothing has changed. 

Fixlog.txt

[Maurice Naggar]

There were malwares removed by the MS Safety Scanner !!

As a next step, I suggest the following:

This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool.

This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

• Save the file to your system, such as the Downloads folder, or else to the Desktop.
• Go to the saved file, and double click it to get it started.

 

• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes
• When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
• Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
• and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

• At screen "Detections occurred and resolved" click on blue button "View detected results"
• On next screen, at lower left, click on blue "Save scan log"
• View where file is to be saved. Provide a meaningful name for the "File name:"
• On last screen, set to Off (left) the option for Periodic scanning
• Click "save and continue"
• Please attach the report file so I can review

[BubblyBread]

Here is the scan log 

ESET Scan log.txt

[Maurice Naggar]

Thank you. It is great to see that fine result from the ESET Onlinescanner.
One other scan here.

TrendMicro HouseCall scan
https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action  , and select Ignore.

When all done & ready, click the Fix now button.

[BubblyBread]

The scan finished, and there were no threats 

[Maurice Naggar]

Now a different scan with another security scanner.  ( We need to do more checking.)

This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.



Drag and Drop KVRT.exe into the Run Box.



C:\Users\jHANA\DESKTOP\KVRT.exe will now show in the run box.



add

-dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\HANA\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.



That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window "may" open, IF SO then select "More Info"



A new Window will open, select "Run anyway"



A EULA window will open, tick both confirmation boxes then select "Accept"



In the new window select "Change Parameters"

 

• In the new window ensure the following boxes are ticked:
  • System memory
  • Startup objects
  • Boot sectors
  • System drive

• Then select "OK" and „Start scan“.

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else..

• completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
• Usually, your system needs a reboot to finish the removal process.
• Logfiles can be found on your systemdrive (usually C: ), similar like this:

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20230520_113000.klr

• Right click direct onto those reports, select > open with > Notepad.
• Save the files and attach them with your next reply

[BubblyBread]

I keep getting error when i do the C:\Users\HANA\Desktop\KVRT.exe -dontencrypt on the run program

[BubblyBread]

Wait ignore the reply, I've managed to get it to work 

[BubblyBread]

Here are the scan results

report_2023.05.19_22.05.51.txt

[Maurice Naggar]

Thanks. That is a fine result. Next steps.

Malwarebytes can detect and remove most malware with no further actions required for free.

Please download, install, update Malwarebytes
https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows

and do a Threat Scan with Malwarebytes https://support.malwarebytes.com/hc/en-us/articles/360038984773
and post back the log as shown below.
Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

(  2  )

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

(  3  )

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

Guide article

Attach the clean log from Adwcleaner when all completed.

[BubblyBread]

Here are the results from both of the scans 

Malwarebytes Threat Scan.txt Malwarebytes Threat Scan 1.txt AdwCleaner[C00].txt AdwCleaner[C01].txt AdwCleaner[S00].txt

[Maurice Naggar]

Malwarebytes has cleaned 2 leftovers of the hacktool Kmspico. Now just a fresh report so I can then review.

Your machine has the FRST64 report tool on the Downloads folder. We will use that. Go to Downloads folder. RIGHT-click on FRST64 and select 

Run as Administrator

and tap ENTER. And reply YES to allow to proceed.  

•  When the tool opens click Yes to the disclaimer.  And be very sure to TICK the box for Addition.txt
• Press the Scan button.

• It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run
• Have patience since the run may take something like 10 or so minutes  (less depending on your hardware speed)
• Close Notepad IF those show up on Notepad.
• Just please Attach the 2 files FRST.txt +Addition.txt  with your next reply.

[BubblyBread]

Here are the scan results. Also, the KMSpico Folder temp keeps remaking itself. All the files that used to be in that kmspico folder are all in FRST quarantine. I don't know what to do with the files in quarantine in the FRST. 

Addition.txt FRST.txt

[Maurice Naggar]

What is in C:\FRST\Quarantine is not active. It is like secure jail. So no need to focus on that.

IF you see a C:\KMSPICO that you can delete.

What is in C:\Program files\KMSPICO   you can delete all files contained under KMSPICO

This is a good point to emphasize not playing online games or games in general, while the case is on-going.
I would also emphasize to reduce the auto-started applications that start with Windows down to the absolute minimum. Which would basically be just security applications.
Apply these principles now from the following How-to
How to perform a clean boot in Windows
https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

Open an elevated CMD Command-prompt window 

On the Taskbar Search box, type in

cmd.exe

click the line for "run as administrator"

It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is
On that Powershell prompt,  Copy & Paste this command

del /s /q "C:\program files\kmspico\*.*"

press Enter-key on keyboard   Wait for it to finish all its work.

Next  On that Powershell prompt,  Copy & Paste this command

rd /s /q "C:\program files\kmspico"

press Enter-key on keyboard   Wait for it to finish all its work.

Edited May 20 by Maurice Naggar