
Norton can't remove kmsemulator.exe (trojan.gen.2)

Hello

I have Norton Internet Security 2012. I got kmsemulator.exe from somewhere. Norton finds, blocks and removes this Trojan, but every time I restart the computer the Trojan comes back! How do I remove this Trojan fully, once and for all? If I run a full scan of the computer, Norton doesn't find any viruses. I have only one hard drive in the laptop, the DVD drive is empty, there is no pen drive or memory card, and the only internet connection is by Wi-Fi.

Direct link to full size image: http://img811.imageshack.us/img811/1512/kmsemulator.jpg

Replies


Re: Norton can't remove kmsemulator.exe (trojan.gen.2)

Please do not run any tools unless instructed to do so. 

  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please read every post completely before doing anything. 

  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums (sometimes).

  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

It could be that Norton is deleting the file but it is getting recreated by a deeper darker running piece of malware that just rebuilds it.

Please read carefully

1. Please download aswMBR hxxp://public.avast.com/~gmerek/aswMBR.exe to your desktop. (Replace the hxxp with http.)
Double-click the aswMBR.exe icon to run it.
It will ask to download extra definitions - ALLOW IT / Yes.
Click the Scan button to start the scan.
On completion of the scan, click the save log button, save it to your desktop and please attach the log in your reply. Don't have the program fix anything.

Quads


Re: Norton can't remove kmsemulator.exe (trojan.gen.2)

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-28 19:43:55
-----------------------------
19:43:55.374    OS Version: Windows x64 6.1.7601 Service Pack 1
19:43:55.374    Number of processors: 2 586 0x4802
19:43:55.374    ComputerName: OLEK-KOMPUTER  UserName: Olek
19:44:11.317    Initialize success
19:44:27.806    AVAST engine defs: 12052800
19:45:28.017    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000073
19:45:28.032    Disk 0 Vendor: ST912082 3.AL Size: 114473MB BusType: 3
19:45:28.068    Disk 0 MBR read successfully
19:45:28.073    Disk 0 MBR scan
19:45:28.082    Disk 0 Windows 7 default MBR code
19:45:28.130    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
19:45:28.151    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       114371 MB offset 206848
19:45:28.226    Disk 0 scanning C:\Windows\system32\drivers
19:45:47.757    Disk 0 MBR has been saved successfully to "C:\Users\Olek\Desktop\MBR.dat"
19:45:47.759    The log file has been saved successfully to "C:\Users\Olek\Desktop\aswMBR.txt"
19:46:05.220    Service scanning
19:46:50.170    Modules scanning
19:46:50.203    Disk 0 trace - called modules:
19:46:50.237    ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys hal.dll nvstor.sys
19:46:50.245    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8002d6f5f0]
19:46:50.258    3 CLASSPNP.SYS[fffff8800181743f] -> nt!IofCallDriver -> \Device\00000073[0xfffffa8002b09060]
19:46:52.264    AVAST engine scan C:\Windows
19:46:55.706    AVAST engine scan C:\Windows\system32
19:52:12.038    AVAST engine scan C:\Windows\system32\drivers
19:52:35.535    AVAST engine scan C:\Users\Olek
20:03:52.542    AVAST engine scan C:\ProgramData
20:06:16.662    Scan finished successfully
20:08:26.254    Disk 0 MBR has been saved successfully to "C:\Users\Olek\Desktop\MBR.dat"
20:08:26.332    The log file has been saved successfully to "C:\Users\Olek\Desktop\aswMBR.txt"

Accepted Solution

Re: Norton can't remove kmsemulator.exe (trojan.gen.2)

I think the problem is resolved. This Trojan uses the c:\windows\autokms\ folder; inside are autokms.exe, autokms.ini and autokms.log. I deleted autokms.exe and kmsemulator.exe was not created. Autokms.ini includes some settings for this Trojan:

[SettingsID]
ID=2.1.6
[AutoKMS]
ActAttempts=10
ActivateWindows=False
AutoRemoveKMSEmulator=False
AutoRemoveKMSHost=False
KMSServer=127.0.0.1
Logging=True
UseKMSEmulator=True
KMSPID=
[Paths]
AutoKMS=C:\Windows\AutoKMS
AutoRearm=C:\Windows\AutoRearm
KMSEmulator=C:\Windows

autokms.log includes some details about the Trojan's activity and work; I copied a short piece of the log file:

AutoKMS Ran At 2012-05-26 16:35:06.
Started KMSEmulator.exe
Attempting To Activate Office 2010.
Office 2010 Is Not Installed!
Stopped KMSEmulator.
------------------------------------
AutoKMS Ran At 2012-05-26 21:07:05.
Failed To Copy Or Start KMSEmulator.exe
------------------------------------
AutoKMS Ran At 2012-05-27 19:35:43.
Failed To Copy Or Start KMSEmulator.exe
------------------------------------
AutoKMS Ran At 2012-05-28 17:36:26.
Failed To Copy Or Start KMSEmulator.exe
------------------------------------
AutoKMS Ran At 2012-05-28 19:40:35.
Failed To Copy Or Start KMSEmulator.exe

Why doesn't Norton Internet Security remove the source of the Trojan? Norton only removes kmsemulator.exe, which is a result of the work of autokms.exe!

Also, in the Windows registry there are a lot of keys for autokms.exe.
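
Added example, not part of any post in this thread: a triage sketch that reads the autokms.ini and autokms.log formats quoted in the post above and reports what the launcher recreates and whether it kept running after the payload was blocked. The sample input is constructed (abridged from the excerpts in the post), and the function names and the assumption that the payload file name is `KMSEmulator.exe` under the `KMSEmulator` path are this example's own.

```python
import configparser, re
from datetime import datetime
from pathlib import PureWindowsPath
# Constructed sample input, abridged from the autokms.ini / autokms.log excerpts in the post.
SAMPLE_INI = r"""[AutoKMS]
UseKMSEmulator=True
[Paths]
AutoKMS=C:\Windows\AutoKMS
KMSEmulator=C:\Windows"""
SAMPLE_LOG = """AutoKMS Ran At 2012-05-26 16:35:06.
Started KMSEmulator.exe
------------------------------------
AutoKMS Ran At 2012-05-26 21:07:05.
Failed To Copy Or Start KMSEmulator.exe
------------------------------------
AutoKMS Ran At 2012-05-28 19:40:35.
Failed To Copy Or Start KMSEmulator.exe"""
RUN_RE = re.compile(r"AutoKMS Ran At (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.")

def dropped_payload(ini_text):
    # Path the launcher recreates, or None when the emulator is switched off.
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if not cp.getboolean("AutoKMS", "UseKMSEmulator"):
        return None
    # Assumption: the file name is the one the log reports starting.
    return str(PureWindowsPath(cp["Paths"]["KMSEmulator"]) / "KMSEmulator.exe")

def parse_runs(log_text):
    # One record per "AutoKMS Ran At" header; dashed separators and blanks are skipped.
    runs = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = RUN_RE.fullmatch(line)
        if m:
            runs.append({"at": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), "events": []})
        elif runs and line.strip("-"):
            runs[-1]["events"].append(line)
    return runs

def summarize(ini_text, log_text):
    runs = parse_runs(log_text)
    failed = [r["at"] for r in runs if any(e.startswith("Failed To Copy") for e in r["events"])]
    return {
        "payload": dropped_payload(ini_text),
        "runs": len(runs), "failed_runs": len(failed),
        "first_failure": failed[0] if failed else None,
        # A run logged after the first failure means the launcher itself is still in place.
        "launcher_still_active": bool(failed) and runs[-1]["at"] > failed[0],
    }
```

A `launcher_still_active` result of `True` matches what the post describes: the scanner keeps removing the recreated payload while the program that recreates it keeps running.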


Re: Norton can't remove kmsemulator.exe (trojan.gen.2)

Moved to own thread for better exposure.

Replies are locked for this thread.