
What is kbdsock.dll

By artanyis
5-second background: I'm a computer tech and have been working in the field since about 2000. I'm pretty good with all the Windows OSes and very good at virus removal.

This is a new one on me...

Okay, got Vista Ultimate installed, been running perfectly, keep it updated and all that jazz. Yesterday I got hit with a nasty little rootkit. I removed it and things seemed to be working fine for about an hour; I restarted the PC and explorer.exe crashes on startup with the faulting app as kbdsock.dll. I cannot restart the process; any time I do anything that tries to utilize explorer.exe it crashes, even just typing in a path in the Run task in Task Manager. I have looked on both Microsoft and Google and several other tech forums, and I can find no information on this past a couple of German sites (which I can't read) and a single security threat assessment that lists it as not a threat. All I really need to know is who made this file, can I get a new copy of it, what does it do, and what is it associated with. If anyone knows anything, I would appreciate some knowledge here.

Almost forgot, safe mode works. I have tried disabling everything non-essential in the startup (Microsoft and otherwise) and still found nothing. I've removed a few drivers of common problem hardware, like video and NICs, and again nothing. I'm really at a loss here and would love some help.

19 total posts (Page 1 of 2)

All Answers


I'm pretty sure that it is related to the infection

by Jacky Howe In reply to What is kbdsock.dll

Follow the steps below with the System started and restarted in Safe Mode with Networking. Running in Safe Mode loads a minimal set of drivers for the Operating System. You can use these options to start Windows so that you can modify the registry or load or remove drivers. If you can access the Internet, use it to download and install the files.

If you can't access the internet to update MBAM, try the instructions below to clear a path to the internet so that you can run MBAM. You can also download the updates for MBAM and run them from the USB.

From another System, download and install Spybot, update it and copy the installed folders to a USB stick. Copy MBAM and the update as well.

With the new strains of virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the file's extension from .exe. Do the same with Spybot.

Removing malware from System Restore points:

When you're infected with any trojans, spyware or malware, they could have been saved in System Restore and can re-infect you. It's best to remove them.

XP
Press the WinKey + r, type sysdm.cpl and press Enter.
Select the System Restore tab and check "Turn off System Restore".


Vista
Press the WinKey + r, type sysdm.cpl and press Enter.
Select the System Protection tab. Untick the box next to Local Disk C: and any other drives and click on Turn System Restore off.


After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".
When all is clear you may need to tidy up the Registry. Link is at the bottom.


Once you have restarted the Infected System in Safe Mode, navigate to the USB stick and run Spybot.

Download Spybot - Search & Destroy and install it. Update it. http://www.safer-networking.org/en/download/index.html

When you first start Spybot, click on the Mode menu and select Advanced mode. Under the Tools options (bottom left) select View Report. On the screen in the right hand pane, select View report to create a new report. Save the report as it may come in handy later. Spybot will also keep log files in this location in Vista:

C:\ProgramData\Spybot - Search & Destroy\Logs

Spybot will also keep saved log files in this location in XP:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs


Download Malwarebytes Anti-Malware, install it and update it.

Malwarebytes: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
mbam-rules: http://malwarebytes.gt500.org/

I would keep scanning with it until it is clean by closing out and rebooting and running it again.

Run this rootkit revealer, GMER:
http://www.gmer.net/index.php

FAQ:
http://www.gmer.net/faq.php


Those applications should be able to get you up and running. Here are some extra tasks if it is not working for you.

Tip: if you want to write-protect the USB drive/stick while you are working on an infected System, note that in Windows XP Service Pack 2 (SP2) Microsoft added a feature that allows write protection of USB block storage devices. This entails a simple Registry modification that requires no hardware devices to write-protect thumb drives.

If the USB drive has no small switch for write protection you can turn it on through the Registry via Command Line.

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f

and one to turn it off, but a System restart is required. Place a batch file on the USB to turn it off.

reg delete HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /f


If Task Manager has been disabled, this will enable Task Manager and allow access to the Registry.

Command line removal or create Batch files.

Click Start Run and type cmd and then press Enter.

Execute the following commands in the command line in order to activate the registry editor and Task Manager:

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f

You could also check these registry entries and change the values from 1 to 0 if they are disabled.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"


If you are still having problems try this.

Download Combofix and rename the executable Combofix.exe to cfix.exe before running it.

http://www.combofix.org/

http://www.combofix.org/download.php


By now you should know what the name of the infection is. If you think that it may have infected the MBR, try this.

Fixmbr - Repair Master Boot Record and remove Viral activity: XP Win2003

Site
http://www.ambience.sk/fdisk-master-boot-record-windows-linux-lilo-fixmbr.php

Download
http://www.ambience.sk/experiments/MbrFix.exe


Download MbrFix to c:\

Press Winkey + r and type in cmd and press Enter.

Now type cd\ and press Enter.

Now type MbrFix /drive 0 savembr Backup_MBR_0.bin and press Enter.


Now type MbrFix /drive 0 fixmbr /yes and press Enter.

Now type exit and press Enter.

Restart the System for it to take effect.


Registry Cleanup:

Download and install CCleaner to tidy up your Registry. Back up the Registry as you go along, rescan again and again, saving as you go, until there are no errors left.

Cleaner: Windows

When you first open CCleaner you will have an option to Analyze or Run Cleaner, after checking the left pane and making your choices. Delete all Temp Files. If you scroll down you will see a greyed-out box that has Advanced next to it. Left-click on it and keep pressing OK to all of the responses. I normally untick Windows Log Files and Memory Dumps as they may come in handy.

You don't have to install all of the add ons or shortcuts just the one to the Desktop.

http://www.ccleaner.com/download


Pay attention...

by artanyis In reply to I'm pretty sure that it i ...

Okay, I thought that the first couple lines would have pointed out that I'm not an idiot and that I might have already tried that.

It would be nice to get some real information for once. The file itself is not part of the virus, but that does not mean that it was not damaged or changed by the virus. It's looking to be part of the updated Vista Winsock, which would also make sense of why the network cards are not working. Usually I can find versions of .dll files for download, but I can't find this one.

Anyway, I still need information on the file, and some on repairing the Vista Winsock; I haven't run into that too much.


Don't get your knickers in a knot

by Jacky Howe In reply to Pay attention...

Normally when I can't find a reference to a .dll I do a search for it on a similar System and then on Google. There is no reference to the file on my updated Vista System. That is not to say that it couldn't be loaded from another software source. From the little bit of information that I was able to find on kbdsock.dll it appears to load from AppInit_DLLs.


http://www.threatexpert.com/report.aspx?md5=79c006d3803b915320777483d3ae96c9


http://www.siteadvisor.com/sites/mynewworldorder.cn/postid?p=2467039


AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll


HijackThis information:

AppInit_DLLs Registry value autorun


Quote:
O20 - AppInit_DLLs: msconfd.dll

What to do:
This Registry value located at

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

loads a DLL into memory when the user logs in, after which it stays in memory until logoff. Very few legitimate programs use it (Norton CleanSweep uses APITRAP.DLL); most often it is used by trojans or aggressive browser hijackers.


About the same

by artanyis In reply to Don't get your knickers i ...

Sorry about that, it's been a stressful couple of days. Anyway, thank you for the information; it's pretty much the same as what I knew but it confirmed what I was thinking. I'm still not convinced it's actually part of the virus, but it's definitely looking like it. When I remove it, it just comes back on reboot, and I have System Restore off, so I know it's not coming from there, but from somewhere else (more virus I haven't found?). I feel like an idiot for not thinking to put in a dummy file until today, but anyway, that got me booting, but things are still not working right. I can't get to pesky little things like the Control Panel. I'll keep you up to date, but at this point it's looking like a reload.


random and different

by artanyis In reply to About the same

Okay... Since I can get the computer to boot (mostly) correctly, my AVG started to auto-scan and came up immediately with parts of Vundo, and not an old version of it either. I know that wasn't there when I started working on this virus, and the NICs haven't been working from the start... this is getting interesting.

I think I'll hold off on reloading:-)


At least you have something

by Jacky Howe In reply to randome and diffrent

solid to go on now. Vundo can be a PITA.


We all get a bit stressed at times

by Jacky Howe In reply to About the same

If it is starting in Safe Mode, try this; you might be able to pick something up. Also check the Services.

Press the WinKey + r and type in msconfig and press Enter. Click on the Startup tab.

Check the list to find the file that you are looking for, and expand the Location column to see where it is loading from in the registry.

Press the WinKey + r and type in regedt32 and click OK. Browse to the key listed in the Location column for Msconfig.

Delete the key on the right hand side only, the one that specifically matches that startup file.

Note the Command folder in msconfig. Browse to the folder, and delete the .exe file.

Example:

The Startup TAB of Msconfig will show you the directory where pop.exe loads from:

Command: c:\Windows\system32\pop.exe

and

Location will guide you to its location in the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

With the registry editor open find the Run key in the left window. On the right hand pane you'll see each file that is in the Run key, pop.exe will be there. Right click and Delete the entry for pop.exe.

Browse to the c:\Windows\system32 folder, and select the pop.exe file, hold down the Shift Key and press the Del Key.

Repeat these steps for each item that you want to remove.


tried

by artanyis In reply to We all get a bit stressed ...

Whenever there is a difference between safe mode and normal startup, msconfig is the first place I hit. I cheat a little, and if there is anything there I pop open A2 HijackFree because it shows me all the startup files in one convenient place and can link me straight to the registry locations.
But anyway, I kept going back there to see if there was anything coming up that I had missed, and there wasn't, not in Run, RunOnce or Services. I even checked the obscure places like autoexec.bat and .nt files but still couldn't find anything.

Anyway, I ran ComboFix again and it found another instance of kbdsock.dll in the drivers folder; it killed it and my NICs started working again. But I still can't get to 90% of the user preferences in Windows yet... but now that I've found pieces of Vundo and SmitFraud and that crazy kbdsock file, I think I'm on a good track to getting this thing actually fixed.

Thanks for the help, if you think of anything else let me know, good chance I've already done it but bouncing ideas is useful.

BTW, if you work on computers often I recommend A-2 Hijack Free, very useful and easy to use, and best, FREE. This is a link to EMSI's download site, lots of free tools here.

http://www.emsisoft.com/en/software/download/


Thanks for the link

by Jacky Howe In reply to tried

My approach on my personal System is to run these batch files to get my base information and create a new batch file, then modify the file by changing the output text file name so that I can use FC (File Compare) to quickly find any additions to the Registry or Processes. With a bit of planning you can automate the whole procedure.

Just remember to run the original Batch files if you add any new software.

Create a batch file with these contents and run it to get the base file.

Original:

wmic /output:C:\process.txt process get description,executablepath


Modified:

wmic /output:C:\processnew.txt process get description,executablepath


Example of FC in a batch file:

fc c:\process.txt c:\processnew.txt > c:\processCHK.txt


There are seven Run Keys that could be used by a Virus. Some of the Keys may not exist so there will be no output unless something creates them.

------------------

reg query hklm\Software\Microsoft\Windows\CurrentVersion\Run /s > C:\runKeys.txt

reg query hklm\Software\Microsoft\Windows\CurrentVersion\RunServices /s >> C:\runKeys.txt

reg query hklm\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /s >> C:\runKeys.txt

reg query hklm\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /s >> C:\runKeys.txt

reg query hklm\Software\Microsoft\Windows\CurrentVersion\RunOnce /s >> C:\runKeys.txt

reg query hkcu\Software\Microsoft\Windows\CurrentVersion\Run /s >> C:\runKeys.txt

reg query hkcu\Software\Microsoft\Windows\CurrentVersion\RunOnce /s >> C:\runKeys.txt

goto end

:END

-----------------


Another area to check as executable files can be run by Winlogon when Windows starts.

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s > C:\winlogon.txt

Look for the name Debugger, as this registry key will allow the redirection of the execution of one application to another.


InprocServer32

In the registry under HKCR\CLSID you'll find a list of all registered COM objects. Those that come from DLLs have InprocServer32 key under their {CLSID} key. A path to the file, which is loaded as a COM object, will be located in this key.

reg query hkcr\clsid\ /v InprocServer32 /s > C:\inprocS32.txt



Shell Open Command

The (Default) value could be changed to load a suspect file every time an .exe file is executed on the system.

reg query hkcr\exefile\shell /s > C:\shell.txt

Note: if this registry setting is anything other than "%1" %* modify it by right clicking.



A BHO is a COM in-process server registered under a certain registry key. Upon startup, Internet Explorer looks up that key and loads all the objects whose CLSID is stored there.

reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s > C:\BHO.txt


Look for the name Debugger, as this registry key will allow the redirection of the execution of one application to another.

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s > c:\ImageFeX.txt


This will create a list of Services:

It is a location that can be added to start a threat as a Service on the system.

wmic /output:C:\services.txt service list brief

or you can use

sc query > serviceslist.txt

or you can use this but it will create a file around 500KB.

reg query HKLM\SYSTEM\CurrentControlSet\Services /s > C:\services.txt


Check to see if anything has been added to AppInit_DLLs which would normally not have an entry.

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /s > C:\AppInit_DLLs.txt


You should also run a tool which can enumerate Alternate Data Streams (ADS). Some root kit threats employ these techniques and they will not be seen with the DIR command.

EG: streams -s c:\ > adsresults.txt

http://download.sysinternals.com/Files/Streams.zip

Manually navigating the Registry can be cumbersome on an infected System especially when you have several Keys to check. Running the original batch files on an infected System will soon give you several output files that can be used as a reference.


Check for open ports EG: Default Zeus ports 3128, 5222, 5223, 5269, and 8010

netstat -ano >netstate.txt

The -n option tells netstat to display numbers in its output, not the names of machines and protocols, so it shows IP addresses and TCP or UDP port numbers. The -a option tells it to display all connections and listening ports. The -o option tells netstat to show the process ID of each program interacting with a TCP or UDP port.

You can type NETSTAT -O to get a list of the owning process ID associated with each connection:

netstat -anp tcp :1433

URLZone and Zeus appear to run from the same location.

The malware sets itself with a "Debugger" value to the file "userinit.exe". This ensures that every time the file "userinit.exe" runs, the malware will run instead.

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s > C:\winlogon.txt


Look for a new string with the name Debugger, as this will allow the redirection of the execution of one application to another.

For example you can create a new key called notepad.exe and then create a new string with the name Debugger and value C:\WINDOWS\system32\calc.exe

Now if you try to run notepad, the calculator will be launched instead.


Edit: tidy up
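The batch-file approach above (capture the persistence keys with reg query, capture again later, compare with FC) and the earlier AppInit_DLLs and Run-key posts all come down to the same check: parse the reg query output, diff it against a clean baseline, and look hard at a handful of keys that malware abuses. The script below is an added example, not Jacky Howe's batch files or any tool from the thread. It parses the text that reg query /s writes, diffs two captures, and flags the locations the posts name (AppInit_DLLs, Image File Execution Options Debugger values, the exefile shell open command, and Winlogon Shell/Userinit). The two captures are constructed sample text embedded in the script, not output from a real machine, and the executable names in them (example-dropper.exe, example-hijack.exe, example-wrapper.exe) are placeholders; only the kbdsock.dll path comes from the thread.

```python
"""Diff two `reg query <key> /s` captures and flag abused persistence keys.

Added example for the thread above; the captures are constructed sample
text, and the example-*.exe names in them are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: output of the baseline batch file on a clean system.
BASELINE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
    LoadAppInit_DLLs    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "%1" %*
"""

# Constructed sample: the same batch file run after the infection.
CURRENT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    SysUpdater    REG_SZ    C:\Windows\system32\drivers\example-dropper.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\WINDOWS\system32\kbdsock.dll
    LoadAppInit_DLLs    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
    Debugger    REG_SZ    C:\Windows\system32\example-hijack.exe

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "C:\Windows\example-wrapper.exe" "%1" %*
"""

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"

# (key path, value name) -> (value type, data)
Entries = Dict[Tuple[str, str], Tuple[str, str]]

# reg query prints each value as: <4 spaces><name><4 spaces><REG_type><4 spaces><data>
VALUE_LINE = re.compile(r"^\s{2,}(.+?)\s{2,}(REG_\w+)\s*(.*)$")


def parse_reg_query(text: str) -> Entries:
    """Unindented HKEY_ lines start a key; indented lines are its values."""
    entries: Entries = {}
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current_key = line.rstrip()
            continue
        match = VALUE_LINE.match(line)
        if match and current_key is not None:
            name, vtype, data = match.groups()
            entries[(current_key, name)] = (vtype, data.strip())
    return entries


def diff_entries(base: Entries, current: Entries):
    """Return (added, removed, changed) relative to the baseline capture."""
    added = {k: v for k, v in current.items() if k not in base}
    removed = {k: v for k, v in base.items() if k not in current}
    changed = {k: (base[k], current[k]) for k in current if k in base and base[k] != current[k]}
    return added, removed, changed


def flag_suspicious(entries: Entries) -> List[str]:
    """Checks for the keys the thread singles out, independent of any baseline."""
    findings: List[str] = []
    for (key, name), (_vtype, data) in sorted(entries.items()):
        lname = name.lower()
        if key == APPINIT_KEY and lname == "appinit_dlls" and data:
            findings.append(f"AppInit_DLLs is populated: {data}")
        elif key.lower().startswith(IFEO_KEY.lower() + "\\") and lname == "debugger":
            target = key.rsplit("\\", 1)[1]
            findings.append(f"IFEO Debugger redirect for {target}: {data}")
        elif key == EXEFILE_KEY and lname == "(default)" and data != '"%1" %*':
            findings.append(f"exefile open command is not the default: {data}")
        elif key == WINLOGON_KEY and lname == "shell" and data.lower() != "explorer.exe":
            findings.append(f"Winlogon Shell replaced: {data}")
        elif key == WINLOGON_KEY and lname == "userinit":
            parts = [p.strip() for p in data.split(",") if p.strip()]
            if len(parts) != 1 or not parts[0].lower().endswith("\\userinit.exe"):
                findings.append(f"Winlogon Userinit modified: {data}")
    return findings


def compare_captures(baseline_text: str, current_text: str) -> dict:
    """Diff two captures and flag the current one; this is what FC cannot do."""
    base, cur = parse_reg_query(baseline_text), parse_reg_query(current_text)
    added, removed, changed = diff_entries(base, cur)
    return {"added": added, "removed": removed, "changed": changed,
            "findings": flag_suspicious(cur)}


if __name__ == "__main__":
    result = compare_captures(BASELINE, CURRENT)
    for label in ("added", "removed", "changed"):
        for (key, name), value in result[label].items():
            print(f"{label:8} {key}\\{name} -> {value}")
    for finding in result["findings"]:
        print("FLAG", finding)
```

Against the two constructed captures this reports the new Run value and the new IFEO Debugger value as added, AppInit_DLLs, LoadAppInit_DLLs and the exefile command as changed, and raises three flags. On a real system you would feed it the runKeys.txt, winlogon.txt, shell.txt, ImageFeX.txt and AppInit_DLLs.txt files from the batch files above (concatenated, in any order) rather than the embedded text.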


thnx

by artanyis In reply to I'm pretty sure that it i ...

Back to the top.
Thanks for the information.
I have been intending to set up some batch files to keep track of system changes on my machines since about 2004, when I was still taking my MCSE / MCSA classes... never got around to it.

Anyway, the ports were something I had completely overlooked, but unfortunately no unusual ports are open.

So here is where it stands at the moment.
I have a dummy file with no permissions replacing kbdsock.dll, and while the dummy file is there the system starts up fine, but there is no access to the Control Panel or any of the utilities/preferences underneath. But they work in safe mode. There is nothing out of place in any of the startup or autorun locations. Aside from the drivers, what is different between safe mode and normal? I've already tried putting it in diagnostic startup and it made no difference.
