Norton can't remove kmsemulator.exe (trojan.gen.2)

Hello

 

I have Norton Internet Security 2012. I got kmsemulator.exe from somewhere. Norton finds, blocks and removes this Trojan, but every time I restart the computer the Trojan comes back! How do I remove this Trojan fully, once and for all? If I run a full scan of the computer, Norton doesn't find any viruses. I have only one hard drive in the laptop, the DVD drive is empty, there is no pen drive or memory card, and the only internet connection is over Wi-Fi.

 

Direct link to full size image: http://img811.imageshack.us/img811/1512/kmsemulator.jpg

 


https://www.virustotal.com/file/a2ffd0bc5e055e519fd3006bfdae422327d8e01310eae528267014c54293bfa4/analysis/

 

Quads

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-28 19:43:55
-----------------------------
19:43:55.374    OS Version: Windows x64 6.1.7601 Service Pack 1
19:43:55.374    Number of processors: 2 586 0x4802
19:43:55.374    ComputerName: OLEK-KOMPUTER  UserName: Olek
19:44:11.317    Initialize success
19:44:27.806    AVAST engine defs: 12052800
19:45:28.017    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000073
19:45:28.032    Disk 0 Vendor: ST912082 3.AL Size: 114473MB BusType: 3
19:45:28.068    Disk 0 MBR read successfully
19:45:28.073    Disk 0 MBR scan
19:45:28.082    Disk 0 Windows 7 default MBR code
19:45:28.130    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
19:45:28.151    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       114371 MB offset 206848
19:45:28.226    Disk 0 scanning C:\Windows\system32\drivers
19:45:47.757    Disk 0 MBR has been saved successfully to "C:\Users\Olek\Desktop\MBR.dat"
19:45:47.759    The log file has been saved successfully to "C:\Users\Olek\Desktop\aswMBR.txt"
19:46:05.220    Service scanning
19:46:50.170    Modules scanning
19:46:50.203    Disk 0 trace - called modules:
19:46:50.237    ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys hal.dll nvstor.sys
19:46:50.245    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8002d6f5f0]
19:46:50.258    3 CLASSPNP.SYS[fffff8800181743f] -> nt!IofCallDriver -> \Device\00000073[0xfffffa8002b09060]
19:46:52.264    AVAST engine scan C:\Windows
19:46:55.706    AVAST engine scan C:\Windows\system32
19:52:12.038    AVAST engine scan C:\Windows\system32\drivers
19:52:35.535    AVAST engine scan C:\Users\Olek
20:03:52.542    AVAST engine scan C:\ProgramData
20:06:16.662    Scan finished successfully
20:08:26.254    Disk 0 MBR has been saved successfully to "C:\Users\Olek\Desktop\MBR.dat"
20:08:26.332    The log file has been saved successfully to "C:\Users\Olek\Desktop\aswMBR.txt"

I think the problem has been resolved. This Trojan uses the c:\windows\autokms\ folder; inside are autokms.exe, autokms.ini and autokms.log. I deleted autokms.exe and kmsemulator.exe was no longer created. Autokms.ini includes some settings for this Trojan:

 

[SettingsID]
ID=2.1.6
[AutoKMS]
ActAttempts=10
ActivateWindows=False
AutoRemoveKMSEmulator=False
AutoRemoveKMSHost=False
KMSServer=127.0.0.1
Logging=True
UseKMSEmulator=True
KMSPID=
[Paths]
AutoKMS=C:\Windows\AutoKMS
AutoRearm=C:\Windows\AutoRearm
KMSEmulator=C:\Windows

 

autokms.log includes some details about the Trojan's activity; I copied a short piece of the log file:

 

AutoKMS Ran At 2012-05-26 16:35:06.
Started KMSEmulator.exe
Attempting To Activate Office 2010.
Office 2010 Is Not Installed!
Stopped KMSEmulator.
------------------------------------
AutoKMS Ran At 2012-05-26 21:07:05.
Failed To Copy Or Start KMSEmulator.exe
------------------------------------
AutoKMS Ran At 2012-05-27 19:35:43.
Failed To Copy Or Start KMSEmulator.exe
------------------------------------
AutoKMS Ran At 2012-05-28 17:36:26.
Failed To Copy Or Start KMSEmulator.exe
------------------------------------
AutoKMS Ran At 2012-05-28 19:40:35.
Failed To Copy Or Start KMSEmulator.exe

Why doesn't Norton Internet Security remove the source of the Trojan? Norton only removes kmsemulator.exe, which is the result of autokms.exe running!

 

Also, in the Windows registry there are a lot of keys for autokms.exe.
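An added example, not part of the original posts: a Python script that reads an ini and a log in the format quoted in the post above, lists the files the configuration points at (so the component that recreates kmsemulator.exe is inspected along with it) and builds a per-run timeline. The function names are hypothetical, and the sample input is constructed by trimming the excerpts in the post.

```python
import configparser
import re
from pathlib import PureWindowsPath
# Constructed sample input: trimmed from the autokms.ini and autokms.log excerpts in the post.
SAMPLE_INI = r"""[AutoKMS]
UseKMSEmulator=True
[Paths]
AutoKMS=C:\Windows\AutoKMS
AutoRearm=C:\Windows\AutoRearm
KMSEmulator=C:\Windows
"""
SAMPLE_LOG = """AutoKMS Ran At 2012-05-26 16:35:06.
Started KMSEmulator.exe
------------------------------------
AutoKMS Ran At 2012-05-26 21:07:05.
Failed To Copy Or Start KMSEmulator.exe
------------------------------------
AutoKMS Ran At 2012-05-28 19:40:35.
Failed To Copy Or Start KMSEmulator.exe
"""

def artifact_paths(ini_text):
    """Paths the config points at: what to inspect and remove together."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    paths = cfg["Paths"]
    found = [PureWindowsPath(paths["AutoKMS"]) / "autokms.exe",  # file name as given in the post
             PureWindowsPath(paths["AutoRearm"])]
    if cfg.getboolean("AutoKMS", "UseKMSEmulator", fallback=False):
        found.append(PureWindowsPath(paths["KMSEmulator"]) / "KMSEmulator.exe")
    return [str(p) for p in found]

def run_timeline(log_text):
    """Split the log on its dashed separators into (timestamp, outcome) per run."""
    runs = []
    for block in re.split(r"^-{5,}\s*$", log_text, flags=re.M):
        m = re.search(r"AutoKMS Ran At (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.", block)
        if not m:
            continue  # empty or partial block
        if "Failed To Copy Or Start KMSEmulator.exe" in block:
            outcome = "failed"
        else:
            outcome = "started" if "Started KMSEmulator.exe" in block else "unknown"
        runs.append((m.group(1), outcome))
    return runs

if __name__ == "__main__":
    print(artifact_paths(SAMPLE_INI))
    print(run_timeline(SAMPLE_LOG))
```

A run entry dated after a cleanup shows that whatever launches autokms.exe is still in place, even when the emulator file itself was removed.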

 

 

Moved to own thread for better exposure.