Problems with kmsemulator

HI!

I have KMSemulator on my computer that is infected and I can’t get rid of it. I tried with Stop Sign AV (having a licensed version) and it still pops up. I came to the certain point of curing with the stop sign time and now they are silenced for 3 days already and I would like to get rid of that problem.
I followed your procedure posted in Logs to assist in cleaning malware and came to the point where I ran OTL. I attached the OTL.txt file and I can’t attach Extras.txt because it wasn’t created.

Please help! What to do now???

Tabitha

Here is also the aswMBR.exe log file

Let me know if this stops it

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O20 - AppInit_DLLs: (c:\progra~2\zoomex\sprote~1.dll) - File not found
O20 - AppInit_DLLs: (c:\progra~2\browse~1\sprote~1.dll) - File not found
O20 - AppInit_DLLs: (c:\progra~2\websea~1\sprote~1.dll) - File not found
O20 - AppInit_DLLs: (c:\progra~2\simple~1\sprote~1.dll) - File not found
[2013.12.07 01:33:05 | 000,000,292 | ---- | M] () -- C:\Windows\tasks\AutoKMS.job
[2013.12.07 01:32:37 | 000,151,552 | ---- | M] () -- C:\Windows\kmsemulator.exe._eac_qt_

:Files
C:\ProgramData\InstallMate\{18DF9D0C-A046-40BB-A250-E864C33CBFFA}

:Commands
[resethosts]
[emptytemp]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
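
An added example, not part of the original post and not OTL's own code: a small triage script for the two kinds of log line quoted in the fix above. It flags AppInit_DLLs entries whose DLL is already gone (stale load points left in the registry) and shows when one DLL name is registered from several program folders. The regular expressions are inferred from the lines on this page only, and reading `()` as a blank company-name field is an assumption.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname  # Windows path rules on any OS

# Constructed sample: the log lines quoted in the fix script above.
SAMPLE = r"""
O20 - AppInit_DLLs: (c:\progra~2\zoomex\sprote~1.dll) - File not found
O20 - AppInit_DLLs: (c:\progra~2\browse~1\sprote~1.dll) - File not found
O20 - AppInit_DLLs: (c:\progra~2\websea~1\sprote~1.dll) - File not found
O20 - AppInit_DLLs: (c:\progra~2\simple~1\sprote~1.dll) - File not found
[2013.12.07 01:33:05 | 000,000,292 | ---- | M] () -- C:\Windows\tasks\AutoKMS.job
[2013.12.07 01:32:37 | 000,151,552 | ---- | M] () -- C:\Windows\kmsemulator.exe._eac_qt_
"""

O20_RE = re.compile(r"^O20 - AppInit_DLLs: \((?P<path>[^)]+)\)(?: - (?P<note>.+))?$")
FILE_RE = re.compile(
    r"^\[(?P<ts>[\d.]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attr>[^|]+) \| \w\]"
    r" \((?P<company>[^)]*)\) -- (?P<path>.+)$")

def parse(log):
    """Split log text into AppInit_DLLs entries and file-listing entries."""
    appinit, files = [], []
    for line in map(str.strip, log.splitlines()):
        if m := O20_RE.match(line):
            # "File not found": the registry still names a DLL that is gone.
            appinit.append({"path": m["path"],
                            "orphan": m["note"] == "File not found"})
        elif m := FILE_RE.match(line):
            files.append({"path": m["path"], "modified": m["ts"],
                          "size": int(m["size"].replace(",", "")),
                          # Assumption: "()" is a blank company-name field.
                          "no_company": m["company"] == ""})
    return appinit, files

def shared_dll_names(appinit):
    """DLL file names registered from more than one folder."""
    folders = defaultdict(set)
    for entry in appinit:
        folders[basename(entry["path"]).lower()].add(dirname(entry["path"]).lower())
    return {name: sorted(dirs) for name, dirs in folders.items() if len(dirs) > 1}

if __name__ == "__main__":
    appinit, files = parse(SAMPLE)
    print("orphaned AppInit_DLLs:", [e["path"] for e in appinit if e["orphan"]])
    print("same DLL name in several folders:", shared_dll_names(appinit))
    for f in files:
        print(f["modified"], f["size"], "bytes", f["path"])
```
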

Thank you thank you thank you!

I did all as written in your instructions. Attached are otl and adwcleaner.

Waiting for your reply

Sending you a big HUG

Tabitha

How is the computer behaving now? Any problems?

Hi!

Sorry for the late reply. I tried to run Stop Sign again to see if the computer is clean and is still working. Stop Sign found many infected files. I am totally confused. What should I do?
Tomorrow I am travelling to the Netherlands and I will be absent for 4 days. If you have any idea what to do, please HELP!

Thanks

Tabitha

Does Stop Sign have a log that you can attach so that I can see what it is finding?

I am sending you one now. This is the last log that was successful. The scan that is running at the moment is still at only 78%.

Thanks

Tabitha

No indication of an infection on that snapshot. What did StopSign call the infection?

My StopSign finally completed the scan. Attached is the last log file and a copy of the scan results with the list of found infections and threats.

I can’t express my gratitude and appreciation for your work.

Waiting for your reply.

Hug and thanks

Tabitha

Forgot to add scan results!

Here they are

Not a problem, they were quarantined files from our fixes and a couple of setup files that you would have had to run yourself to activate them :slight_smile:

Is the computer behaving itself?

I will remove all the quarantined stuff when you are happy

Hi!

Good to hear about quarantine. Computer is slow from time to time. Stop Sign was running extremely slow, very unusual, and occupied all the CPU time.
Now it is better :slight_smile:

Well, I am happy with the removal. How are you going to do that? It is very late here in Europe and I am staying up late already. I will wait for your answer about the removal for another 30 min. After that I will go silent because of the travel and catch up with you tomorrow night.

Thanks and a big HUG
Tabitha

OK cleanup :slight_smile:

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run AdwCleaner and select uninstall

Delete AswMBR from the desktop

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System Tools
Right click Disk Cleanup and select Run as administrator
When it pops up, select OK at the first prompt; after it has done some calculations the tabs will appear
Select the More Options tab
Press the System Restore and Shadow Copies Cleanup button

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?

Keep safe :wave:

Hi!

I am doing the steps. It will take some time. I will get to you tomorrow, when all is done and I arrive at my new location.

One more question :slight_smile: What do I do with Stop Sign? Do I keep it or uninstall it, do I run scans or will the software that you recommended do the job?

Hug
Tabitha

Hi!

After a good night's sleep (also thanks to you who helped me solve my comp problem) I turned my notebook on today and it looks FINE :).

I will keep you informed for another 24 hours.

Thanks sending you HUG
Tabitha

Stopsign is your antivirus, although I have no real information about it: http://www.stop-sign.com/ Obviously on this forum we would recommend uninstalling it and using Avast instead :slight_smile:

CryptoPrevent will set your system so that any encryption malware (as currently known) will be blocked from execution.
Malwarebytes is an on-demand malware scanner for things that an antivirus will not detect.

Thank you again!

My licence for Stop Sign is paid until July next year and I will definitely consider changing to Avast. Especially after this great experience with you.

Sending you gratitude and appreciation and a big HUG

Tabitha

P.S.: My computer runs smoothly and I am happy with it.

My pleasure :slight_smile: