AutoKMS.exe virus

Good morning,


Here is the scenario. A user brought their HP Pavilion laptop to me. I opened it up and the first thing that happened was an error message that "Windows Explorer was starting and stopping", and then all of the icons on the screen disappeared and the screen went blank.

The first thing I did was go to Task Manager and find cmd.exe. I added the hidden administrator and then, following a blog I read, in cmd.exe I copied the explorer.exe file to another location, renamed the file and then copied the renamed file back to the C:\Windows location. The name is PAL.exe.

From Task Manager I went to regedit.exe and at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, for the Shell value, I changed explorer.exe to PAL.exe. I then logged off the machine and logged back on.

Now my icons are all there, but when I try to go to the Start Menu and select "All Programs" I get that error message that Windows Explorer is stopping. Also, my "Pin to Start Menu" items are missing.

Another thing I tried was to copy explorer.exe from another 64-bit machine. This didn't work, so I reverted back to my PAL.exe file.

Two questions:
1. Is there a valid registry cleaner I can use to get this machine up and running?
2. What is the proper method for getting a good copy of explorer.exe, and if I do, will this fix my "All Programs" issue, or is there just another tweak in the registry I need to make to fix this "Windows Explorer is stopping" issue?

Lamrski asked:
Phateon commented:
AutoKMS is mostly not a virus. It is a popular piece of software which "validates" (cracks) the latest MS Office installations. KMS stands for Key Management Service. It is normally found in C:\Windows\AutoKMS.exe.

Try booting to the "Last Known Good Configuration", or if you can, try to "restore to a previous restore point".

If you own the CD for your operating system, perform a "repair installation". None of the available registry cleaners can help you as they are built to find erroneous data.

Please back up all your data before you run the repair.
0
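The question's edit to the Winlogon Shell value and the C:\Windows\AutoKMS.exe path named in Phateon's answer are both things a technician can check directly. The following PowerShell script is an added example, not code from the thread or from any of the tools mentioned in it; it reports on those two artefacts plus the signature state of the system explorer.exe, and assumes it is run from an elevated prompt on the affected machine.

```powershell
# Added example (not from the thread): audit the Winlogon Shell value the
# question edited and look for the C:\Windows\AutoKMS.exe file the first
# answer names. Run from an elevated PowerShell prompt on the affected PC.

$winlogon      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedShell = 'explorer.exe'

# 1. The Shell value decides what starts after logon. Anything other than
#    explorer.exe (the PAL.exe workaround, or a loader planted by malware)
#    deserves a look before the machine goes back to the user.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -eq $shell) {
    Write-Output 'Shell value missing; Windows falls back to explorer.exe'
} elseif ($shell -ieq $expectedShell) {
    Write-Output "Shell = $shell (expected)"
} else {
    Write-Warning "Shell = '$shell' (expected '$expectedShell')"
}

# 2. Signature state of the system explorer.exe. A renamed copy or a binary
#    copied from another machine is a red flag. Caveat: on Windows 7 the
#    file is catalog-signed, so this can report NotSigned on a clean system;
#    there, rely on 'sfc /scannow' (the supported way to restore system
#    files) rather than on this status alone.
$explorer = Join-Path $env:WINDIR 'explorer.exe'
$sig = Get-AuthenticodeSignature -FilePath $explorer
Write-Output ("explorer.exe signature: {0} {1}" -f $sig.Status, $sig.SignerCertificate.Subject)

# 3. AutoKMS.exe in the Windows folder is the artefact the first answer
#    describes. Record its hash so it can be checked with the AV vendor
#    before deciding whether it is the crack tool or something else.
$autokms = Join-Path $env:WINDIR 'AutoKMS.exe'
if (Test-Path $autokms) {
    $hash = (Get-FileHash -Path $autokms -Algorithm SHA256).Hash
    Write-Warning "Found $autokms (SHA256 $hash); verify before removing"
} else {
    Write-Output "No AutoKMS.exe in $env:WINDIR"
}
```

The script only reads the registry and file system; it changes nothing, so it is safe to run before deciding between a repair installation and the malware-scan sequence in the next answer.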
 
Sudeep Sharma (Technical Designer) commented:
If this is a virus/malware or trojan, then any registry cleaner or registry fixer would not work.

You would need to clean the system with the well-known tools.

I would recommend scanning the system with the tools mentioned below, in the sequence they are mentioned, and posting the logs.

Make sure you DO NOT REBOOT the system after running the tools in points 1 & 2.

1. RogueKiller/TheKiller
2. MalwareBytes
3. TDSSKiller

I would also recommend that you go through the articles from Younghv and RPG for the links to the tools and for future reference:

Basic Malware Troubleshooting
http://www.experts-exchange.com/A_1940.html

Rogue-Killer-What-a-great-name
http://www.experts-exchange.com/A_4922.html

Stop-the-Bleeding-First-Aid-for-Malware
http://www.experts-exchange.com/A_5124.html

Run MalwareBytes in Quick Mode, and if that requires a reboot, then reboot the system and run the tools mentioned in points 1 and 2 again, but this time run MalwareBytes in Full System Scan.

So in your next reply, post the RogueKiller logs, MBAM logs and TDSSKiller logs.

Sudeep
0
 
Lamrski (Author) commented:
Thank you for your answer. I found out that this version of MS Office that the user was using was a "hacked" version. I ended up backing up the data from the machine and then I did a fresh install of Windows 7 Home Premium. I purchased a valid copy of MS Office. Now all is good, thank you for your help. It is much appreciated!!
lamrski
0
 
Lamrski (Author) commented:
BTW, there were no restore points available, and I had rebooted so many times that the "LKGC" would not work even if I tried. Thank you though.
0