
12 replies to this topic

#1 rooomish

Posted 09 December 2016 - 08:35 AM

Hello to all.

After many years of a clear state, my PC is infected with some adware, but I do not know what happened. When I click on Chrome links (especially with the right mouse button), it pops up new windows with advertising info.

My browser also wants to communicate with pixel.onclickads.net (stopped by ESET antivirus), and some pages are underlaid with picture promotions or banners. Very aggressive.

The same situation is in IE.

No adware remover or antivirus software solved my problem.

In the attachment you will find the logs from FRST.

This infection has now spread to other computers on the LAN.

Thank you for help!!!

Roman

Attached Files

Edited by rooomish, 09 December 2016 - 09:23 AM.

#2 Bezukhov

Posted 09 December 2016 - 11:17 PM

I'll look into this. Some things to keep in mind:
• Please do not run any tools on your own while we solve this. Some are rather powerful, and using one at the wrong moment can have catastrophic effects. Also please refrain from seeking help for this problem elsewhere. Too many cooks spoil the broth.
• Next, it is important that the instructions given be performed in the order given. We may need one tool to finish its job before another one starts.
• If at any time my instructions are not clear, stop and ask for clarification.
• Rather than attach any logs to your post it is better that you copy and paste them instead, except if instructed otherwise.
• Any program that I ask you to run should only be run once.
• As soon as your computer is clean I will let you know.
• Please try to complete any tasks and reply in 24 to 48 hours. I will try to do likewise. In the interest of full disclosure I am still a student, and therefore anything I propose must be cleared with an instructor, which may sometimes delay my responses. The upside to this is you'll have two heads looking into your problem.
• Lastly, do not make any changes to your computer from here on out until you get an "All Clear" from me.
One thing you can do for now:

System Summary Information
• Press the Windows key + R on your keyboard at the same time
• Type msinfo32 and press Enter
• Left click on System Summary
• Click File > Save, and name the file Summary
Remember, attach the Summary file.
To err is Human. To blame it on someone else is even more Human.

#3 rooomish

Posted 11 December 2016 - 03:45 PM

Hello. Many thanks for the reply :-).

This "virus" is even in my home machine just now! And I did not do any special things ...

I do not know whether to try to solve the problem first on the first infected computer at work (the one from which I sent the FRST logs; I will send you the log tomorrow) and then use this procedure on the other PCs as a general solution?

Or do we have to go one PC after another ...?

Ok, be back tomorrow with the log from my office computer ...

Thank you!

Roman

#4 Bezukhov

Posted 11 December 2016 - 06:07 PM

First, I can only deal with one computer per thread. And Do Not apply the fix from one computer on any other machine. Right now I'm only going to deal with the computer you posted FRST logs for earlier.

If you're using a USB thumb drive to shuttle files between the two computers, please do this to that thumb drive:

We need to vaccinate the USB drive to prevent infection:

• Insert your USB flash drive into the clean / working computer
• Double-click on USBVaccineSetup.exe to install the program
• Choose if you would like the program to run at all times, and for all newly inserted USB drives
• Click Next then Finish to complete the installation, the program will launch
• Select your USB drive from the list, then click Vaccinate USB
Note: optionally you can click Vaccinate computer as well; this disables removable items from automatically running on the system entirely
• A message should appear that your USB drive was vaccinated. If not please report the error in your next post
Going over your logs I noticed that you have uTorrent installed.
• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
• They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
• Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
• The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

CKScanner
• Double click CKScanner
• Select Search For Files
• Once completed select Save List to File
• ckfiles.txt document will be placed on your Desktop
• Copy and paste the results of that report in your reply
Now we use FRST:
• Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
• Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt. Save it in the same place as FRST64.exe.
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Folder: C:\WINDOWS\system32\cs
Folder: C:\WINDOWS\system32\0409
Folder: C:\WINDOWS\SKB
File: C:\GLOB(0x2c46be4)
File: C:\GLOB(0x2c1371c)
File: C:\GLOB(0x2bea754)
File: C:\GLOB(0x2a5572c)

• Run FRST64.exe and press the Fix button just once and wait
• If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
• When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply
So let me know if that USB drive is vaccinated and copy and paste the results of ckfiles.txt and fixlist.txt in your next reply.
To err is Human. To blame it on someone else is even more Human.
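
One way to triage a long ckfiles.txt report before reading it line by line, added here as an example that is not part of the original thread or of CKScanner itself. It assumes the layout of one header line followed by one absolute Windows path per line; the function names are hypothetical and the sample report is constructed.

```python
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a header line, then one lowercase path per line,
# using file names of the kind a CKScanner report lists.
SAMPLE_REPORT = r"""CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\kmspico\unins000.exe
c:\program files\kmspico\windivert.dll
c:\program files\kmspico\windivert.sys
c:\program files\kmspico\cert\installall.cmd
c:\program files\kmspico\cert\kmscert2010\access\accessvlreg32.reg
c:\program files\kmspico\cert\kmscert2010\access\access_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscertw10\pkeyconfig.xrm-ms
"""

# Extensions that execute code or change configuration when run or imported.
ACTIVE_EXTENSIONS = {".exe", ".dll", ".sys", ".cmd", ".bat", ".reg"}
# Folders that hold many unrelated products; group one level below them.
CONTAINER_DIRS = {"program files", "program files (x86)", "programdata"}


def parse_paths(report_text):
    """Return every absolute drive path in the report; header and blanks are skipped."""
    paths = []
    for line in report_text.splitlines():
        line = line.strip()
        if len(line) > 3 and line[0].isalpha() and line[1:3] == ":\\":
            paths.append(PureWindowsPath(line))
    return paths


def install_root(path):
    """Folder that identifies the product a flagged file belongs to."""
    parts = path.parts  # e.g. ('c:\\', 'program files', 'kmspico', 'x.exe')
    depth = 3 if len(parts) > 2 and parts[1].lower() in CONTAINER_DIRS else 2
    depth = min(depth, len(parts) - 1)  # never count the file name as a folder
    return str(PureWindowsPath(*parts[:depth])).lower()


def summarize(report_text):
    """Group flagged files by install root, with counts per extension."""
    summary = defaultdict(lambda: {"total": 0, "by_ext": Counter(), "active": []})
    for path in parse_paths(report_text):
        entry = summary[install_root(path)]
        ext = path.suffix.lower()
        entry["total"] += 1
        entry["by_ext"][ext] += 1
        if ext in ACTIVE_EXTENSIONS:
            # Executables, drivers, scripts and registry imports deserve a look first.
            entry["active"].append(str(path))
    return dict(summary)


if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_REPORT).items(), key=lambda kv: -kv[1]["total"])
    for root, info in ranked:
        print(f"{root}: {info['total']} flagged files")
        for ext, count in info["by_ext"].most_common():
            print(f"  {ext or '(none)'}: {count}")
        for item in info["active"]:
            print(f"  review: {item}")
```
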

#5 rooomish

Posted 12 December 2016 - 03:45 AM

Hello.

Ok, the vaccination was not successful - Create process failed - error code 5. Access denied.

Here are the logs.

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\kmspico\cert\kmscertw8\enterprisen\enterprisen-volume-gvlk-1-ul-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw8\professional\professional-volume-gvlk-1-ul-oob-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw8\professional\professional-volume-gvlk-1-ul-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw8\professionaln\professionaln-volume-gvlk-1-ul-oob-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw8\professionaln\professionaln-volume-gvlk-1-ul-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw8\professionalwmc\professionalwmc-volume-gvlk-1-ul-oob-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw8\professionalwmc\professionalwmc-volume-gvlk-1-ul-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\pkeyconfig.xrm-ms
c:\program files\kmspico\cert\kmscertw81\core\core-volume-gvlk-1-ul-oob-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\core\core-volume-gvlk-1-ul-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\coreconnectedsinglelanguage\coreconnectedsinglelanguage-volume-gvlk-1-ul-oob-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\coreconnectedsinglelanguage\coreconnectedsinglelanguage-volume-gvlk-1-ul-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\embeddedindustry\embeddedindustry-volume-gvlk-1-ul-oob-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\embeddedindustry\embeddedindustry-volume-gvlk-1-ul-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\enterprise\enterprise-volume-gvlk-1-ul-oob-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\enterprise\enterprise-volume-gvlk-1-ul-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\professional\professional-volume-gvlk-1-ul-oob-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\professional\professional-volume-gvlk-1-ul-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\professionalwmc\professionalwmc-volume-gvlk-1-ul-oob-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\professionalwmc\professionalwmc-volume-gvlk-1-ul-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\serverdatacenter\serverdatacenter-volume-gvlk-1-ul-oob-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\serverdatacenter\serverdatacenter-volume-gvlk-1-ul-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\serverstandard\serverstandard-volume-gvlk-1-ul-oob-rtm.xrm-ms
c:\program files\kmspico\cert\kmscertw81\serverstandard\serverstandard-volume-gvlk-1-ul-rtm.xrm-ms
c:\program files\kmspico\driver\cert.cmd
c:\program files\kmspico\driver\certeldi.pfx
c:\program files\kmspico\driver\openvpn.cer
c:\program files\kmspico\driver\tap-windows-9.21.0.exe
c:\program files\kmspico\driver\tap-windows-9.9.2_3.exe
c:\program files\kmspico\driver\uninstalldriver.cmd
c:\program files\kmspico\icons\error.png
c:\program files\kmspico\icons\information.png
c:\program files\kmspico\icons\question.png
c:\program files\kmspico\icons\warning.png
c:\program files\kmspico\logs\autopico.log
c:\program files\kmspico\logs\kmseldi.log
c:\program files\kmspico\logs\service_kms.log
c:\program files\kmspico\scripts\disablesmartscreen.reg
c:\program files\kmspico\scripts\enablesmartscreen.cmd
c:\program files\kmspico\scripts\enablesmartscreen.reg
c:\program files\kmspico\scripts\install_service.cmd
c:\program files\kmspico\scripts\log.cmd
c:\program files\kmspico\scripts\removeexceptionswd.reg
c:\program files\kmspico\scripts\restore_watermark.cmd
c:\program files\kmspico\scripts\silent.cmd
c:\program files\kmspico\scripts\uninstall_service.cmd
c:\program files\kmspico\sounds\affirmative.mp3
c:\program files\kmspico\sounds\begin.mp3
c:\program files\kmspico\sounds\complete.mp3
c:\program files\kmspico\sounds\diagnostic.mp3
c:\program files\kmspico\sounds\enterauthorizationcode.mp3
c:\program files\kmspico\sounds\incomingtransmission.mp3
c:\program files\kmspico\sounds\inputfailed.mp3
c:\program files\kmspico\sounds\inputok.mp3
c:\program files\kmspico\sounds\processing.mp3
c:\program files\kmspico\sounds\transfer.mp3
c:\program files\kmspico\sounds\verified.mp3
c:\program files\kmspico\sounds\warning.mp3
c:\program files\kmspico\tokensbackup\keys.txt
c:\program files\kmspico\tokensbackup\office\pkeyconfig-office.xrm-ms
c:\program files\kmspico\tokensbackup\windows\data.dat
c:\program files\kmspico\tokensbackup\windows\pkeyconfig.xrm-ms
c:\program files\kmspico\tokensbackup\windows\tokens.dat
c:\program files\kmspico\tokensbackup\windows\cache\cache.dat
c:\windows\system32\kmspico_setup.exe
c:\windows\syswow64\kmspico_setup.exe
scanner sequence 3.ZZ.11.TUAPUZ
----- EOF -----

Fix result of Farbar Recovery Scan Tool (x64) Version: 07-12-2016
Ran by Roman (12-12-2016 09:35:52) Run:1
Running from C:\Users\Roman\Desktop
Loaded Profiles: Roman (Available Profiles: Roman)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Folder: C:\WINDOWS\system32\cs
Folder: C:\WINDOWS\system32\0409
Folder: C:\WINDOWS\SKB
File: C:\GLOB(0x2c46be4)
File: C:\GLOB(0x2c1371c)
File: C:\GLOB(0x2bea754)
File: C:\GLOB(0x2a5572c)
*****************

========================= Folder: C:\WINDOWS\system32\cs ========================

2016-12-04 03:52 - 2016-12-04 03:52 - 3129856 _____ (Microsoft Corporation) C:\WINDOWS\system32\cs\AuthFWSnapIn.Resources.dll
2016-12-04 03:52 - 2016-12-04 03:52 - 0056320 _____ (Microsoft Corporation) C:\WINDOWS\system32\cs\AuthFWWizFwk.Resources.dll
2016-12-04 03:52 - 2016-12-04 03:52 - 0259072 _____ (Microsoft Corporation) C:\WINDOWS\system32\cs\fhuxpresentation.Resources.dll

====== End of Folder: ======

========================= Folder: C:\WINDOWS\system32\0409 ========================

====== End of Folder: ======

========================= Folder: C:\WINDOWS\SKB ========================

2016-12-04 03:53 - 2016-12-08 16:12 - 0000000 ____D () C:\WINDOWS\SKB\LanguageModels
2016-12-03 15:36 - 2016-12-04 03:53 - 0734160 _____ () C:\WINDOWS\SKB\LanguageModels\lm.cs.dat
2016-12-08 16:12 - 2016-12-02 21:07 - 0009280 _____ () C:\WINDOWS\SKB\LanguageModels\lm.en.dat
2016-12-08 16:12 - 2016-12-02 21:07 - 0016240 _____ () C:\WINDOWS\SKB\LanguageModels\lm.en-001.dat
2016-12-08 16:12 - 2016-12-02 21:07 - 0833136 _____ () C:\WINDOWS\SKB\LanguageModels\lm.en-AU.dat
2016-12-08 16:12 - 2016-12-02 21:07 - 0835792 _____ () C:\WINDOWS\SKB\LanguageModels\lm.en-CA.dat
2016-12-08 16:12 - 2016-12-02 21:07 - 0829808 _____ () C:\WINDOWS\SKB\LanguageModels\lm.en-GB.dat
2016-12-08 16:12 - 2016-12-02 21:07 - 0402176 _____ () C:\WINDOWS\SKB\LanguageModels\lm.en-grammar.dat
2016-12-08 16:12 - 2016-12-02 21:07 - 0830976 _____ () C:\WINDOWS\SKB\LanguageModels\lm.en-US.dat

====== End of Folder: ======

========================= File: C:\GLOB(0x2c46be4) ========================

File not signed
MD5:
Creation and modification date: 2016-12-03 09:56 - 2016-12-03 09:56
Size: 0000000
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:

====== End of File: ======

========================= File: C:\GLOB(0x2c1371c) ========================

File not signed
MD5:
Creation and modification date: 2016-12-03 09:56 - 2016-12-03 09:56
Size: 0000000
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:

====== End of File: ======

========================= File: C:\GLOB(0x2bea754) ========================

File not signed
MD5:
Creation and modification date: 2016-12-03 09:56 - 2016-12-03 09:56
Size: 0000000
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:

====== End of File: ======

========================= File: C:\GLOB(0x2a5572c) ========================

File not signed
MD5:
Creation and modification date: 2016-12-03 09:56 - 2016-12-03 09:56
Size: 0000000
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:

====== End of File: ======

==== End of Fixlog 09:35:52 ====

Thank you :-).

Roman

#6 rooomish

Posted 12 December 2016 - 07:04 AM

Well, I tried to install and use the Panda USB Vaccine again after all, and now it is installed and the USB is vaccinated.

#7 Bezukhov

Posted 13 December 2016 - 08:00 PM

First, I suspect that this Windows 10 installation is a pirated version. This is likely the cause of your problems. It's a lot of work cracking an Operating System, and I doubt all that effort was done out of the kindness of someone's heart. To clean this involves removing the program responsible for the crack. I have no idea what the results of that will be.

We need to create a restore point.

• Right click the Start button then Control Panel > System. On the left pane choose System Protection.
• In the System Properties Window, under Protection Settings choose the drive OS(C:)(System). It will turn Blue.
• Click Configure below.
• In this new Window System Protection for OS(C:) make sure System Protection is turned on.
• Beneath that use the slider to set the amount of disk space you want to use, 5 to 10 percent is usual. Now click OK.
• Back to the System Properties Window. At the bottom click Create to make a Restore point immediately.

If by any chance you are greeted with any Error Messages when doing the above, let me know.

I need to look at one particular file.

• Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
• Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt. Save it in the same place as FRST64.exe.
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

File: c:\program files\kmspico\driver\tap-windows-9.21.0.exe


• Run FRST64.exe and press the Fix button just once and wait
• If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
• When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply

We need to remove some programs with Revo Uninstaller Free:

Note: Revo Uninstaller is more thorough in deleting programs on your computer than using the Add/Remove option in Windows. Since it is a more powerful tool, please be sure to follow the instructions carefully.
Note: If the program you want to uninstall is not listed by Revo, let me know and we will try an alternate method of removal.

note: there is no need to click anything on that page, the download will start automatically
• Double click Revo Uninstaller to run it
• From the list of programs double click on the listed programs, there might be two with this name. Or anything similar, to remove it:
KMSpico

• When prompted if you want to uninstall click Yes
• Be sure the Moderate option is selected then click Next
• The program will run. If prompted again click Yes
• When the built-in uninstaller is finished click on Next
• Once the program has searched for leftovers click Next
• Check the items in bold only on the list then click Delete
note: you may have to expand some folders by clicking the "+" mark
• When prompted click on Yes and then on Next
• Put a check on any folders that are found and select Delete
• When prompted select Yes then Next
• Once done click Finish

• Double click CKScanner
• Select Search For Files
• Once completed select Save List to File
• ckfiles.txt document will be placed on your Desktop
• Copy and paste the results of that report in your reply

1) Let me know if a restore point was made.
2) The results of fixlog.txt.
3) If you were able to remove those programs, and what effect that had.
4) The results of ckfiles.txt

To err is Human. To blame it on someone else is even more Human.

#8 rooomish

Posted 14 December 2016 - 04:31 AM

Hello

Restore point was made successfully.

I am not the first user of this PC, but if the version of Win10 is cracked, it has to be a long time (many months), and the problems with the "virus" are only one week old.

In the uninstall window there were 2 versions of KMS. The first, with version number 9.x.x, was uninstalled without problem. The second, without any number, is not possible to uninstall - missing the uninstall information. So I am adding the results, then I will try to reboot Windows and try to uninstall it again. I hope that Win will boot normally.

Fix result of Farbar Recovery Scan Tool (x64) Version: 07-12-2016
Ran by Roman (14-12-2016 10:13:13) Run:2
Running from C:\Users\Roman\Desktop
Loaded Profiles: Roman (Available Profiles: Roman)
Boot Mode: Normal
==============================================

fixlist content:
*****************
File: c:\program files\kmspico\driver\tap-windows-9.21.0.exe
*****************

========================= File: c:\program files\kmspico\driver\tap-windows-9.21.0.exe ========================

File is digitally signed
MD5: 05230AFDEEB13718E926FD654DE63F12
Creation and modification date: 2015-12-08 09:56 - 2014-07-17 14:35
Size: 0225448
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:

====== End of File: ======

==== End of Fixlog 10:13:13 ====

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\windows\system32\kmspico_setup.exe
c:\windows\syswow64\kmspico_setup.exe
scanner sequence 3.AA.11.KOLBHB
----- EOF -----

Thank you, Roman
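The Fixlog sections posted in this thread follow a fixed layout, so they can be triaged with a small parser. This is an added example, not part of any post here and not FRST's own code; the function names and flag labels are hypothetical, and the sample input is two "File:" sections taken from the logs above.

```python
import re
from datetime import datetime

# Two "File:" sections copied from the Fixlogs posted in this thread
# (the empty version fields are trimmed to keep the sample short).
SAMPLE_FIXLOG = r"""
========================= File: C:\GLOB(0x2c46be4) ========================

File not signed
MD5:
Creation and modification date: 2016-12-03 09:56 - 2016-12-03 09:56
Size: 0000000
Attributes: ----A

====== End of File: ======

========================= File: c:\program files\kmspico\driver\tap-windows-9.21.0.exe ========================

File is digitally signed
MD5: 05230AFDEEB13718E926FD654DE63F12
Creation and modification date: 2015-12-08 09:56 - 2014-07-17 14:35
Size: 0225448
Attributes: ----A

====== End of File: ======
"""

# One section runs from its "File:" banner to the "End of File:" banner.
SECTION_RE = re.compile(
    r"^=+ File: (?P<path>[^\n]+?) =+[ \t]*$(?P<body>.*?)^=+ End of File: =+",
    re.M | re.S,
)


def triage_flags(record):
    """Hypothetical triage labels; they are prompts for a closer look, not verdicts."""
    flags = []
    if not record["signed"]:
        flags.append("unsigned")
    if record["size"] == 0:
        flags.append("empty")
    if not record["md5"]:
        flags.append("no-md5")
    # A creation time later than the last write usually means the file was
    # copied or unpacked onto this disk after it was built.
    if record["created"] and record["modified"] and record["created"] > record["modified"]:
        flags.append("created-after-modified")
    return flags


def parse_fixlog(text):
    """Return one dict per 'File:' section of a Fixlog."""
    records = []
    for match in SECTION_RE.finditer(text):
        body = match.group("body")
        fields = {}
        for line in body.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        created = modified = None
        dates = fields.get("Creation and modification date", "")
        if " - " in dates:
            created, modified = (
                datetime.strptime(part.strip(), "%Y-%m-%d %H:%M")
                for part in dates.split(" - ", 1)
            )
        record = {
            "path": match.group("path"),
            "signed": "File is digitally signed" in body,
            "md5": fields.get("MD5", ""),
            "size": int(fields.get("Size") or 0),
            "created": created,
            "modified": modified,
        }
        record["flags"] = triage_flags(record)
        records.append(record)
    return records


if __name__ == "__main__":
    for rec in parse_fixlog(SAMPLE_FIXLOG):
        print(rec["path"], rec["flags"])
```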

#9 rooomish

Posted 14 December 2016 - 04:40 AM

Well, I am back after restart; the second version of KMS Pico is still listed in Revo and still unable to uninstall - missing uninstall info.

The result of CK scanner is the same as before:

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\windows\system32\kmspico_setup.exe
c:\windows\syswow64\kmspico_setup.exe
scanner sequence 3.AA.11.KOLBHB
----- EOF -----

#10 Bezukhov

Posted 16 December 2016 - 01:59 PM

I have a few questions.
1) Can you identify any other sites you're being redirected to, besides pixel.onclickads.net?
3) Does this problem happen in Firefox?

One other issue that should be addressed.

Using more than one anti-virus program is not advisable.

Why? The primary concern with doing so is due to Windows resource management and significant conflicts that can arise especially when they are running in real-time protection mode simultaneously. Even if one of them is disabled for use as a stand-alone on demand scanner, it can affect the other and cause conflicts. Anti-virus software components insert themselves deep into the operating system's core where they install kernel mode drivers that load at boot-up regardless of whether real-time protection is enabled or not. Thus, using multiple anti-virus solutions can result in kernel mode conflicts causing system instability, catastrophic crashes, slow performance and waste vital system resources. When actively running in the background while connected to the Internet, each anti-virus may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

When scanning engines are initiated, each anti-virus may interpret the activity of the other as suspicious behavior and there is a greater chance of them alerting you to a "false positive". If one finds a virus or a suspicious file and then the other also finds the same, both programs will be competing over exclusive rights on dealing with that threat. Each anti-virus may attempt to remove the offending file and quarantine it at the same time resulting in a resource management issue as to which program gets permission to act first. If one anti-virus finds and quarantines the file before the other one does, then you may encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a threat has been found after it has already been neutralized.

Anti-virus scanners use virus definitions to check for malware and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, many anti-virus vendors encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. Other vendors do not encrypt their definitions and they can trigger false alarms when detected by the resident anti-virus. Further, dual installation is not always possible because most of the newer anti-virus programs will detect the presence of another and may insist that it be removed prior to installation. If the installation does complete with another anti-virus already installed, you may encounter issues like system freezing, unresponsiveness or similar symptoms as described above while trying to use it. In some cases, one of the anti-virus programs may even get disabled by the other.

To avoid these problems, use only one anti-virus solution.

Right now Malwarebytes, ESET Smart Security Premium and Zemana are running simultaneously. Two should be removed, one of them being Zemana. A worthy program, but it's not listed as a primary Antivirus. If, and only if, ESET is shown the door, then please make sure your Windows Firewall is enabled.
• Hold down the Windows key  and press "X". Select "Control Panel" in the menu.
• Depending on how your Control Panel is set up:
• Click System and Security--->Windows Firewall then on the left hand panel pick Turn Windows Firewall on or off.
• Or you might see the Windows Firewall icon at the bottom of the window. Choose that, then on the left pick Turn Windows Firewall on or off.
• Make sure the circles are filled in for the sections Turn on Windows Firewall.
Remove Zemana as follows:
• Right click the Start Button.
• Click Search, then type in Programs and Features in the box.
• Choose Programs and Features at the top of the list.
• Right click the Zemana entry and then click Uninstall/Change.
For the moment we're still in the Diagnostic phase of the process. Two more tests to run.

First, you have myriad Chrome extensions installed. Let's run Chrome without them, and see what happens.
• Click the Start button, scroll down to Google Chrome in the App list.
• Drag the Google Chrome entry to your Desktop, creating a Shortcut.
• Right click on that new Shortcut and choose Properties at the bottom.
• Replace the text in the Target box with this text:
• To see if your extensions are disabled:
• Click on the menu icon in the upper right hand corner of your Chrome browser and click the More tools menu entry.
• If Extensions is grayed out and you can't select it, the flag was successfully applied.
• Close any open Chrome Windows, then run Chrome from the new Shortcut. Let me know if the redirects cease.
Now we see what happens in safe mode.
• Restart your PC. When you get to the sign-in screen, hold the Shift key down while you select Power > Restart.
• After your PC restarts to the Choose an option screen, select Troubleshoot > Advanced options > Startup Settings > Restart.
• After your PC restarts, you'll see a list of options. Select 5 or F5 for Safe Mode with Networking.
• Try all your installed browsers and see what happens.
So let me know how these tests turned out.

Edited by Bezukhov, 17 December 2016 - 11:19 AM.


#11 rooomish

Posted 19 December 2016 - 09:06 AM

Hello!

So thank you very much for the assistance, I suppose that I am virus clear now. In the end, it was a mixture of two symptoms which I observed at one moment: 1.) the right click popping windows and 2.) underlying the web page by pixel.onclickads.net.

The first problem was probably removed during the recommended process with Malwarebytes - I checked whether I am infected only by checking the underlaid advertisement on the webpage. And yes, you are right, the problem with the underlaid advertisement is only on one of my favorite news pages - it means that they decided (and I did not notice it before) to change the advertisement strategy or they have hacked the pages (I do not think so). For reference please see www.e15.cz.

Thank you very much! Roman

#12 Bezukhov

Posted 19 December 2016 - 11:57 AM

You're welcome, and good luck going forward.

One article I'd like for you to read:


#13 Elise

Posted 19 December 2016 - 01:44 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."