What is kbdsock.dll

artanyis

5 sec background. I'm a computer tech and have been working in the field since about 2000. I'm pretty good with all the Windows OSes and very good at virus removal.

This is a new one on me...

Okay, got Vista Ultimate installed, been running perfectly, keep it updated and all that jazz. Yesterday I got hit with a nasty little rootkit. I removed it and things seemed to be working fine for about an hour; I restarted the PC and explorer.exe crashes on startup with the faulting app as kbdsock.dll. I cannot restart the process; any time I do anything that tries to utilize explorer.exe it crashes, even just typing in a path in the Run task in Task Manager. I have looked on both Microsoft and Google and several other tech forums, and I can find no information on this past a couple of German sites (which I can't read) and a single security threat assessment that lists it as not a threat. All I really need to know is who made this file, can I get a new copy of it, what does it do, what is it associated with. If anyone knows anything I would appreciate some knowledge here.

Almost forgot, safe mode works. I have tried disabling everything non-essential in the startup (Microsoft and otherwise) and still found nothing. I've removed a few drivers of common problem hardware, like video and NICs, and again nothing. I'm really at a loss here and would love some help.
    Jacky Howe

    Follow the steps below with the System started and restarted in Safe Mode with Networking. Running in Safe Mode loads a minimal set of drivers for the Operating System. You can use these options to start Windows so that you can modify the registry or load or remove drivers. If you can access the Internet use it to download and install the files.

    If you can't access the internet to update MBAM try the instructions below to clear a path to the internet to be able to run MBAM. You can also download the updates for MBAM and run them from the USB.

    From another System download and install Spybot, update it and copy the installed folders to a USB Stick. Copy MBAM and the Update as well.

    With the new strains of Virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the file's extension from .exe. Do the same with Spybot.

    Removing malware from System Restore points:

    When you're infected with any trojans, spyware or malware, they could have been saved in System Restore and can re-infect you. It's best to remove them.

    XP
    Press the WinKey + r type sysdm.cpl and press Enter.
    Select the System Restore tab and check "Turn off System Restore".


    Vista
    Press the WinKey + r type sysdm.cpl and press Enter
    Select the System Protection tab. Untick the box next to Local Disk C: and any other drives and click on Turn System Restore off.


    After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".
    When all is clear you may need to tidy up the Registry. Link is at the bottom.


    Once you have restarted the Infected System in Safe Mode, navigate to the USB stick and run Spybot.

    Download Spybot - Search & Destroy and install it. Update it. http://www.safer-networking.org/en/download/index.html

    When you first start Spybot, click on the Mode menu and select Advanced mode. Under the Tools options (bottom left) select View Report. On the screen in the right hand pane, select View report to create a new report. Save the report as it may come in handy later. Spybot will also keep log files in this location in Vista:

    C:\ProgramData\Spybot - Search & Destroy\Logs

    Spybot will also keep saved log files in this location in XP:

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs


    Download Malwarebytes Anti-Malware, install it and update it.

    Malwarebytes: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.

    If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    mbam-rules: http://malwarebytes.gt500.org/

    I would keep scanning with it until it is clean by closing out and rebooting and running it again.

    Run this Rootkit Revealer, GMER:
    http://www.gmer.net/index.php

    FAQ:
    http://www.gmer.net/faq.php


    Those applications should be able to get you up and running. Here are some extra tasks if it is not working for you.

    Tip! If you want to write protect the USB drive/stick while you are working on an infected System.
    In the recent release of Windows XP Service Pack 2 (SP2), a new feature was added by Microsoft to allow the write protection of USB block storage devices. This entails a simple Registry modification that requires no hardware devices to write protect thumb drives.

    If the USB drive has no small switch for write protection you can turn it on through the Registry via Command Line.

    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f

    and one to turn it off but a System restart is required. Place a Batch file on the USB to turn it off.

    reg delete HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /f


    If TaskManager has been disabled this will enable TaskManager to allow access to the Registry.

    Command line removal or create Batch files.

    Click Start Run and type cmd and then press Enter.

    Execute the following commands in the command line in order to activate the registry editor and Task Manager:

    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f

    You could also check these registry entries and change the values from 1 to 0 if they are disabled.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"


    If you are still having problems try this.

    Download Combofix and rename the executable Combofix.exe to cfix.exe before running it.

    http://www.combofix.org/

    http://www.combofix.org/download.php


    By now you should know what the name of the infection is. If you think that it may have infected the MBR try this.

    Fixmbr - Repair Master Boot Record and remove Viral activity: XP Win2003

    Site
    http://www.ambience.sk/fdisk-master-boot-record-windows-linux-lilo-fixmbr.php

    Download
    http://www.ambience.sk/experiments/MbrFix.exe


    Download MbrFix to c:\

    Press Winkey + r and type in cmd and press Enter.

    now type cd\ and press Enter.

    now type MbrFix /drive 0 savembr Backup_MBR_0.bin and press Enter.


    now type MbrFix /drive 0 fixmbr /yes and press Enter.

    now type exit and press Enter.

    Restart the System for it to take effect.


    Registry Cleanup:

    Download and install CCleaner to tidy up your Registry. Backup the Registry as you go along, rescan again and again saving as you go until there are no errors left.

    Cleaner: Windows

    When you first open Ccleaner you will have an option to Analyze or Run Cleaner, after checking the left Pane and making your choices. Delete all Temp Files. If you scroll down you will see a greyed out box that has Advanced next to it. Left click on it and keep pressing OK to all of the responses. I normally Untick Windows Log Files and Memory Dumps as they may come in handy.

    You don't have to install all of the add ons or shortcuts just the one to the Desktop.

    http://www.ccleaner.com/download

    artanyis

    Okay, I thought that the first couple of lines would have pointed out that I'm not an idiot and that I might have already tried that.

    It would be nice for some real information for once. The file itself is not part of the virus; that does not mean that it was not damaged or changed by the virus. It's looking to be part of the updated Vista winsock, which would also make sense as to why the network cards are not working. Usually I can find versions of .dll files for download, but can't find this one.

    Anyway, still need information on the file, and some on repairing the Vista winsock, haven't run into that too much.

    Jacky Howe

    Normally when I can't find a reference to a .dll I do a search for it on a similar System and then on Google. There is no reference to the file on my updated Vista System. That is not to say that it couldn't be loaded from another software source. From the little bit of information that I was able to find on kbdsock.dll it appears to load from AppInit_DLLs.


    http://www.threatexpert.com/report.aspx?md5=79c006d3803b915320777483d3ae96c9


    http://www.siteadvisor.com/sites/mynewworldorder.cn/postid?p=2467039


    AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll


    HijackThis information:

    AppInit_DLLs Registry value autorun


    Quote:
    O20 - AppInit_DLLs: msconfd.dll

    What to do:
    This Registry value located at

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

    loads a DLL into memory when the user logs in, after which it stays in memory until logoff. Very few legitimate programs use it (Norton CleanSweep uses APITRAP.DLL); most often it is used by trojans or aggressive browser hijackers.

    artanyis

    Sorry about that, been a stressful couple of days. Anyway, thank you for the information; it's pretty much the same as what I knew but confirmed what I was thinking. I'm still not convinced it's actually part of the virus, but it's definitely looking like it. When I remove it, it just comes back on reboot, and I have System Restore off, so I know it's not coming from there, but from somewhere else. (More virus I haven't found?) I feel like an idiot for not thinking to put in a dummy file until today, but anyway, that got me booting, but things are still not working right. I can't get to pesky little things like the Control Panel. I'll keep you up to date, but at this point it's looking like a reload.

    artanyis

    Okay... Since I can get the computer to boot (mostly) correctly my AVG started to auto scan, came up immediately with parts of Vundo, not an old version of it either. I know that that wasn't there when I started working on this virus, and NICs haven't been working from the start... this is getting interesting.

    I think I'll hold off on reloading:-)

    Jacky Howe

    solid to go on now. Vundo can be a PITA.

    Jacky Howe

    If it is starting in Safe Mode try this you might be able to pick something up, also check the Services.

    Press the WinKey + r and type in msconfig and press Enter. Click on the Startup tab.

    Check the list to find the file that you are looking for, expand the Location column to see where it is loading from in the registry.

    Press the WinKey + r and type in regedt32 and click OK. Browse to the key listed in the Location column for Msconfig.

    Delete the key on the right hand side only, that specifically matches that startup file.

    Note the Command folder in msconfig. Browse to the folder, and delete the .exe file.

    :::::eXample:::::

    The Startup tab of Msconfig will show you the directory where pop.exe loads from:

    Command: c:\Windows\system32\pop.exe

    and

    Location will guide you to its location in the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    With the registry editor open find the Run key in the left window. On the right hand pane you'll see each file that is in the Run key; pop.exe will be there. Right click and Delete the entry for pop.exe.

    Browse to the c:\Windows\system32 folder, and select the pop.exe file, hold down the Shift Key and press the Del Key.

    Repeat these steps for each item that you want to remove.

    artanyis

    Whenever there is a difference between safe mode and normal startup msconfig is the first place I hit. I cheat a little and if there is anything there I pop open A2hijackfree because it shows me all the startup files in one convenient place and can link me straight to the registry locations.
    But anyway, I kept going back there to see if there was anything coming up that I had missed, and there wasn't, not the Run, RunOnce or Services. I even checked the obscure places like autoexec.bat and .nt but still couldn't find anything.

    Anyway. Ran ComboFix again and it found another instance of the kbdsock.dll in the drivers folder; it killed it and my NICs started working again. But I still can't get to 90% of the user preferences in Windows yet... but now that I found pieces of Vundo and Smitfraud and that crazy kbdsock file, I think I'm on a good track to getting this thing actually fixed.

    Thanks for the help, if you think of anything else let me know, good chance I've already done it but bouncing ideas is useful.

    BTW, if you work on computers often I recommend A-2 Hijack Free, very useful and easy to use, and best, FREE. This is a link to EMSI's download site, lots of free tools here.

    http://www.emsisoft.com/en/software/download/

    Jacky Howe

    My approach on my personal System is to run these Batch files to get my base information and create a new Batch file, then modify the file by changing the output text file name so that I can use FC (File Compare) to quickly find any additions to the Registry or Processes. With a bit of planning you can automate the whole procedure.

    Just remember to run the original Batch files if you add any new software.

    create a Batch file with these contents, run it to get the base file.

    Original:

    wmic /output:C:\process.txt process get description,executablepath


    Modified:

    wmic /output:C:\processnew.txt process get description,executablepath


    eXample of FC in a batch file:

    fc c:\process.txt c:\processnew.txt > c:\processCHK.txt


    There are seven Run Keys that could be used by a Virus. Some of the Keys may not exist so there will be no output unless something creates them.

    ------------------

    reg query hklm\Software\Microsoft\Windows\CurrentVersion\Run /s > C:\runKeys.txt

    reg query hklm\Software\Microsoft\Windows\CurrentVersion\RunServices /s >> C:\runKeys.txt

    reg query hklm\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /s >> C:\runKeys.txt

    reg query hklm\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /s >> C:\runKeys.txt

    reg query hklm\Software\Microsoft\Windows\CurrentVersion\RunOnce /s >> C:\runKeys.txt

    reg query hkcu\Software\Microsoft\Windows\CurrentVersion\Run /s >> C:\runKeys.txt

    reg query hkcu\Software\Microsoft\Windows\CurrentVersion\RunOnce /s >> C:\runKeys.txt

    goto end

    :END

    -----------------


    Another area to check as executable files can be run by Winlogon when Windows starts.

    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s > C:\winlogon.txt

    Look for the name Debugger as this registry key will allow the redirection of the execution of one application to another.


    InprocServer32

    In the registry under HKCR\CLSID you'll find a list of all registered COM objects. Those that come from DLLs have InprocServer32 key under their {CLSID} key. A path to the file, which is loaded as a COM object, will be located in this key.

    reg query hkcr\clsid\ /v InprocServer32 /s > C:\inprocS32.txt



    Shell Open Command

    The (Default) value could be changed to load a suspect file every time an .exe file is executed on the system.

    reg query hkcr\exefile\shell /s > C:\shell.txt

    Note: if this registry setting is anything other than "%1" %* modify it by right clicking.



    A BHO is a COM in-process server registered under a certain registry key. Upon startup, Internet Explorer looks up that key and loads all the objects whose CLSID is stored there.

    reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s > C:\BHO.txt


    Look for the name Debugger as this registry key will allow the redirection of the execution of one application to another.

    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s > c:\ImageFeX.txt


    This will create a list of Services:

    It is a location that can be added to start a threat as a Service on the system.

    wmic /output:C:\services.txt service list brief

    or you can use

    sc query > serviceslist.txt

    or you can use this but it will create a file around 500KB.

    reg query HKLM\SYSTEM\CurrentControlSet\Services /s > C:\services.txt


    Check to see if anything has been added to AppInit_DLLs which would normally not have an entry.

    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /s > C:\AppInit_DLLs.txt


    You should also run a tool which can enumerate Alternate Data Streams (ADS). Some root kit threats employ these techniques and they will not be seen with the DIR command.

    EG: streams -s c:\ > adsresults.txt

    http://download.sysinternals.com/Files/Streams.zip

    Manually navigating the Registry can be cumbersome on an infected System especially when you have several Keys to check. Running the original batch files on an infected System will soon give you several output files that can be used as a reference.


    Check for open ports EG: Default Zeus ports 3128, 5222, 5223, 5269, and 8010

    netstat -ano >netstate.txt

    The -n option tells netstat to display numbers in its output, not the names of machines and protocols, so it shows IP addresses and TCP or UDP port numbers. The -a option displays all connections and listening ports. The -o option tells netstat to show the process ID of each program interacting with a TCP or UDP port.

    You can type NETSTAT -O to get a list of the owning process ID associated with each connection, or narrow it to one port:

    netstat -anp tcp | find ":1433"

    URLZone and Zeus appear to run from the same location.

    The malware sets itself with a "Debugger" value to the file "userinit.exe". This ensures that every time the file "userinit.exe" runs, the malware will run instead.

    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s > C:\winlogon.txt


    Look for a new string with the name Debugger as this will allow the redirection of the execution of one application to another.

    For example you can create a new key called notepad.exe and then create a new string with the name Debugger and value C:\WINDOWS\system32\calc.exe

    Now if you try to run notepad, the calculator will be launched instead.


    EdiT: tidy up
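    The baseline-and-diff routine in the post above (dump the Run keys, Winlogon, Image File Execution Options, the exefile handler and AppInit_DLLs with reg query, then FC the two text files) as an added example that is not part of the original thread: a Python script that parses `reg query ... /s` output, diffs two dumps per registry value rather than per text line, and flags the persistence points the thread turns on. The two dumps are constructed sample data, not captures from the infected machine; the kbdsock.dll AppInit_DLLs entry and the winupdatex86 Userinit entry mirror what the thread reports, while the taskmgr.exe IFEO Debugger, the exefile handler hijack, the winupdatex86 path and pop.exe are hypothetical values chosen to exercise each check.

```python
"""Added example: parse `reg query ... /s` dumps, diff two of them per value,
and flag the persistence points discussed in this thread. Both dumps below are
constructed sample data, not output captured from the infected machine."""
import re

# Constructed: abridged dump of the same keys on a clean Vista install.
BASELINE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
    LoadAppInit_DLLs    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "%1" %*

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Defender    REG_EXPAND_SZ    %ProgramFiles%\Windows Defender\MSASCui.exe -hide
"""

# Constructed: the same keys after the infection the thread describes. The
# kbdsock.dll AppInit_DLLs entry and the winupdatex86 Userinit entry mirror the
# thread; the taskmgr.exe IFEO Debugger, the exefile hijack and pop.exe are
# hypothetical values chosen to exercise each check.
INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\WINDOWS\system32\kbdsock.dll
    LoadAppInit_DLLs    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\Windows\system32\winupdatex86.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger    REG_SZ    C:\Windows\system32\winupdatex86.exe

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "C:\Windows\system32\winupdatex86.exe" "%1" %*

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Defender    REG_EXPAND_SZ    %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    pop    REG_SZ    c:\Windows\system32\pop.exe
"""

# reg query separates name / type / data with runs of spaces (Vista+) or tabs (XP).
FIELD_SEP = re.compile(r"\s{2,}|\t")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query /s` output."""
    keys, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():            # key paths start in column 0
            current = raw.rstrip()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        parts = FIELD_SEP.split(raw.strip(), maxsplit=2)
        if len(parts) < 2:                  # not a "name  type  data" line
            continue
        data = parts[2] if len(parts) == 3 else ""   # an empty REG_SZ has no data field
        keys[current][parts[0]] = (parts[1], data)
    return keys


def find_persistence(keys):
    """Flag values that legitimate software almost never sets: a populated
    AppInit_DLLs, an IFEO Debugger, a changed exefile handler, and anything
    besides userinit.exe / explorer.exe in Winlogon's Userinit / Shell."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        for name, (_vtype, data) in values.items():
            n, d = name.lower(), data.strip()
            if low.endswith("\\currentversion\\windows") and n == "appinit_dlls" and d:
                findings.append(("AppInit_DLLs", key, d))
            elif "\\image file execution options\\" in low and n == "debugger":
                findings.append(("IFEO Debugger", key, d))
            elif low.endswith("\\exefile\\shell\\open\\command") and n in ("(default)", "<no name>") and d != '"%1" %*':
                findings.append(("exefile handler", key, d))
            elif low.endswith("\\winlogon") and n == "userinit":
                extra = [e.strip() for e in d.split(",")
                         if e.strip() and e.strip().lower().rsplit("\\", 1)[-1] != "userinit.exe"]
                if extra:
                    findings.append(("Userinit", key, ",".join(extra)))
            elif low.endswith("\\winlogon") and n == "shell" and d.lower() != "explorer.exe":
                findings.append(("Shell", key, d))
    return findings


def diff_values(baseline, current):
    """Values that are new or changed in `current`: what FC on the two text
    dumps tells you, but per registry value instead of per line."""
    changes = []
    for key, values in current.items():
        base = baseline.get(key, {})
        for name, val in values.items():
            if base.get(name) != val:
                changes.append((key, name, val[1]))
    return changes


if __name__ == "__main__":
    before, after = parse_reg_query(BASELINE), parse_reg_query(INFECTED)
    for kind, key, data in find_persistence(after):
        print(f"[{kind}] {key} -> {data}")
    for key, name, data in diff_values(before, after):
        print(f"[changed] {key} : {name} = {data}")
```

    To use it on a real box, run the reg query lines from the post on the clean and on the suspect system, read the two text files in and hand them to parse_reg_query in place of the constructed strings. The field split accepts both the space-padded Vista layout and the tab-separated XP layout, and the default value is matched under both its Vista name "(Default)" and its XP name "<NO NAME>". find_persistence reports on a single dump, so it is still useful when no baseline exists; diff_values is what catches an extra Run entry such as pop.exe, which is a legitimate location and so is never flagged on its own.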

    artanyis

    Back to the top.
    Thanks for the information.
    I have been intending to set up some batch files to keep track of system changes on my machines since about 2004 when I was still taking my MCSE / MCSA classes... never got around to it.

    Anyway, the ports were something I had completely overlooked, but unfortunately no unusual ports opened.

    So here is where it stands at the moment.
    I have a dummy file with no permissions replacing kbdsock.dll and while the dummy file is there the system starts up fine, but no access to the Control Panel or any of the utilities/preferences underneath. But they work in safe mode. There is nothing out of place in any of the startup or autorun locations. Aside from the drivers, what is different between safe mode and normal? I've already tried putting it in diagnostic startup and it made no difference.

    Jacky Howe

    Running in Safe Mode loads a minimal set of drivers for the Operating System. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules.


    Boot into Safe Mode.

    Click Start, Run and type in cmd then press Enter.

    Type in regsvr32 /u kbdsock.dll and see if on a reboot it will spit the dummy. It may also give an indication as to what can't be loaded.


    It maybe a bit late but these tools also come in handy.

    Download these tools to help you find out what is causing the problems

    Process Explorer

    Under View, Select Columns, Process Performance, choose e.g. IO Write Bytes, IO Read Bytes. Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.


    FileMon

    This monitoring tool lets you see all file system activity in real-time.

    Process Monitor

    Monitor file system, Registry, process, thread and DLL activity in real-time.


    Sysinternals Process Utilities

    http://technet.microsoft.com/en-us/sysinternals/cb56073f-62a3-4ed8-9dd6-40c84cb9e2f5.aspx

    Feel free to mark my answers as helpful if you think that you have benefitted from my input.

    artanyis

    I would like to thank you for the help, but I ran out of time. I have work that I need to get done using this computer so I went ahead and wiped it clean and loaded Windows 7 on it. I've needed to set up a Windows 7 machine anyway, so this works out fine.

    For future reference if you ever see this one again, it's a *****. From what I could tell kbdsock.dll adds itself to the winsock and to the AppInit string. There is also a file that gets added which is winupdatex86; this gets started by being added to the userinit, it will replace Windows Explorer. After that the smss and csrss processes get infected by Vundo.

    The virus progression went like this: I downloaded a virus-loaded program (that's what I get for cutting corners); it creates several files and instances that I don't see; after one reboot it created the kbdsock.dll, at this point it's not noticeable but there are pop-ups for fake viruses. Next it creates the winupdatex86 file; Task Manager, Control Panel, Device Manager and MMC are no longer working. Regedit let me get the Task Manager working again. When I removed the winupdatex86.exe and its supplement files, that's when the major problems started. Apparently kbdsock and explorer don't get along so well. Anyway, this is a bad rootkit. I thank you for your help.

    Jacky Howe

    if you zeroed the drive. Thanks for the information.

    artanyis

    I found the same thing on 2 different customers' PCs. It's a hoaxware / downloader / rootkit / annoying POS called Antivirus 2010. There is a post from Bleeping Computer about it. Construction wise it's basically like a mix of Smitfraud and Vundo (not exactly uncommon) but its main unique feature is that it replaces the explorer.exe and adds a file to the winsock to allow the downloader to work. This little bugger was designed to work on XP, where it works as it should and only takes a few min to get rid of, but on Vista it cripples the OS and becomes almost unremovable. So, if you see Antivirus 2010 rogueware, that's what crippled my PC so effectively.

    Jacky Howe

    for the heads up.

    AlexNet0

    I have the same thing on a customers PC.
    I found and removed several DLLs pulling the drive on another computer, and in the registry I found a list of entries for these files, the one you are asking about included, under the local machine hive, microsoft/windows NT/appinit key.

    here is the string that was referenced there.
    C:\WINDOWS\system32\kbdsock.dll,gewiluje.dll c:\windows\system32\lazogiya.dll

    My guess is that these are under environment variables in advanced system information.

    artanyis

    AlexNet, is the machine you found it on XP, Vista, or 7? I've seen it a few times in XP now where it repopulates itself from the System Restore. I'm not sure what was triggering it to pull itself back out of System Restore, but if you clear out the System Restore then ComboFix is the simplest way to remove it.

    There are also a few browser hijacks associated with it in the ones I've seen. In XP it doesn't seem to be too major of a malware, but in Vista, if you read all of the posts, it was crippling because of the new explorer file it was forcing to load. I haven't seen it in a 7 environment yet, and don't think I want to.

    dmiles

    kbdsock.dll is a harmful program.
    It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
    If that does not help, then ask us for help in the Spyware removal forum.

    Name: kbdsock
    Filename: kbdsock.dll
    Registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLS

    Command: C:\WINDOWS\system32\kbdsock.dll
    Startup Type: AppInit_DLLs
    HijackThis Category: O20
    HijackThis Line:

    O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll

    DDS Line:

    AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll

    Combofix/RSIT Line:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="C:\WINDOWS\system32\kbdsock.dll"

    Description: trojan also known as Trojan.Win32.Agent.deot [Kaspersky Lab]

    How to remove: use HijackThis + Kaspersky virus removal tool

  • +
    0 Votes
    Jacky Howe

    Follow the steps below with the System started and restarted in Safe Mode with Networking. Running in Safe Mode loads a minimal set of drivers for the Operating System. You can use these options to start Windows so that you can modify the registry or load or remove drivers. If you can access the Internet use it to download and install the files.

    If you can't access the internet to update MBAM try the instructions below to clear a path to the internet to be able to run MBAM. You can also download the updates for MBAM and run them from the USB.

    From another System download and install Spybot, update it and copy the the installed folders to a USB Stick. Copy MBAM and the Update as well.

    With the new strains of Virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the files extension from .exe. Do the same with Spybot.

    Removing malware from System Restore points:

    When your infected with any trojans, spyware, malware, they could have been saved in System Restore and can re-infect you. It's best to remove them.

    XP
    Press the WinKey + r type sysdm.cpl and press Enter.
    Select the System Restore tab and check "Turn off System Restore".


    Vista
    Press the WinKey + r type sysdm.cpl and press Enter
    Select the System Protection tab. Untick the box next to Local Disk C: and any other drives and click on Turn System Restore off.


    After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".
    When all is clear you may need to tidy up the Registry. Link is at the bottom.


    Once you have restarted the Infected System in Safe Mode, navigate to the USB stick and run Spybot.

    Download Spybot - Search & Destroy and install it. Update it. http://www.safer-networking.org/en/download/index.html

    When you first start Spybot, click on the Mode menu and select Advanced mode. Under the Tools options (bottom left) select View Report. On the screen in the right hand pane, select View report to create a new report. Save the report as it may come in handy later. Spybot will also keep log files in this location in Vista:

    C:\ProgramData\Spybot - Search & Destroy\Logs

    Spybot will also keep saved log files in this location in XP:

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs


    Download Malwarebytes Anti-Malware, install it and update it.

    <a href="http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe" target="_blank"><u>Malwarebytes</u></a>

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.

    If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    <a href="http://malwarebytes.gt500.org/" target="_blank"><u>mbam-rules</u></a>

    I would keep scanning with it until it is clean by closing out and rebooting and running it again.

    Run this Rootkit Revealer GMer
    <a href="http://www.gmer.net/index.php" target="_blank"><u>Gmer</u></a>

    FAQ
    <a href="http://www.gmer.net/faq.php" target="_blank"><u>FAQ</u></a>


    Those applications should be able to get you up and running. Here are some extra tasks if it is not working for you.

    Tip! If you want to write protect the USB drive/stick while you are working on an infected System.
    In the recent release of Windows XP Service Pack 2 (SP2), a new feature was added by Microsoft to allow the write protection of USB block storage devices. This entails a simple Registry modification that requires no hardware devices to write protect thumb drives.

    If the USB drive has no small switch for write protection you can turn it on through the Registry via Command Line.

    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f

    and one to turn it off but a System restart is required. Place a Batch file on the USB to turn it off.

    reg delete HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /f


    If TaskManager has been disabled this will enable TaskManager to allow access to the Registry.

    Command line removal or create Batch files.

    Click Start Run and type cmd and then press Enter.

    Execute the following commands in the command line in order to activate the registry editor and Task Manager:

    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f

    You could also check these registry entries and change the values from 1 to 0 if they are disabled.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"


    If you are still having problems try this.

    Download Combofix and rename the executable Combofix.exe to cfix.exe before running it.

    http://www.combofix.org/

    http://www.combofix.org/download.php


    By now you should know what the name of the infection is. If you think that it may have infected the MBR try this.

    Fixmbr - Repair Master Boot Record and remove Viral activity: XP Win2003

    Site
    http://www.ambience.sk/fdisk-master-boot-record-windows-linux-lilo-fixmbr.php

    Download
    http://www.ambience.sk/experiments/MbrFix.exe


    Download MbrFix to c:\

    Press Winkey + r and type in cmd and press Enter.

    now type cd\ and press Enter.

    now type MbrFix /drive 0 savembr Backup_MBR_0.bin and press Enter.


    now type MbrFix /drive 0 fixmbr /yes and press Enter.

    now type exit and press Enter.

    Restart the System for it to take effect.


    Registry Cleanup:

    Download and install CCleaner to tidy up your Registry. Backup the Registry as you go along, rescan again and again saving as you go until there are no errors left.

    Cleaner: Windows

    When you first open CCleaner you will have the option to Analyze or Run Cleaner after checking the left pane and making your choices. Delete all Temp Files. If you scroll down you will see a greyed out box that has Advanced next to it. Left click on it and keep pressing OK to all of the responses. I normally untick Windows Log Files and Memory Dumps as they may come in handy.

    You don't have to install all of the add ons or shortcuts just the one to the Desktop.

    http://www.ccleaner.com/download

    +
    0 Votes
    artanyis

    Okay, I thought that the first couple lines would have pointed out that I'm not an idiot and that I might have already tried that.

    It would be nice for some real information for once. The file itself is not part of the virus; that does not mean that it was not damaged or changed by the virus. It's looking to be part of the updated Vista winsock, which would also make sense as to why the network cards are not working. Usually I can find versions of .dll files for download, but can't find this one.

    Anyway, still need information on the file, and some on repairing the Vista winsock, haven't run into that too much.

    +
    0 Votes
    Jacky Howe

    Normally when I can't find a reference to a .dll I do a search for it on a similar System and then on Google. There is no reference to the file on my updated Vista System. That is not to say that it couldn't be loaded from another software source. From the little bit of information that I was able to find on kbdsock.dll it appears to load from AppInit_DLLs.


    http://www.threatexpert.com/report.aspx?md5=79c006d3803b915320777483d3ae96c9


    http://www.siteadvisor.com/sites/mynewworldorder.cn/postid?p=2467039


    AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll


    HijackThis information:

    AppInit_DLLs Registry value autorun


    Quote:
    O20 - AppInit_DLLs: msconfd.dll

    What to do:
    This Registry value located at

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

    loads a DLL into memory when the user logs in, after which it stays in memory until logoff. Very few legitimate programs use it (Norton CleanSweep uses APITRAP.DLL); most often it is used by trojans or aggressive browser hijackers.

    +
    0 Votes
    artanyis

    Sorry about that, been a stressful couple of days. Anyway, thank you for the information, it's pretty much the same as what I knew but confirmed what I was thinking. I'm still not convinced it's actually part of the virus, but it's definitely looking like it. When I remove it, it just comes back on reboot, and I have System Restore off, so I know it's not coming from there, but from somewhere else. (More virus I haven't found?) I feel like an idiot for not thinking to put in a dummy file until today, but anyway, that got me booting, but things are still not working right. I can't get to pesky little things like the Control Panel. I'll keep you up to date, but at this point it's looking like a reload.

    +
    0 Votes
    artanyis

    Okay... Since I can get the computer to boot (mostly) correctly my AVG started to auto scan, and came up immediately with parts of Vundo, not an old version of it either. I know that that wasn't there when I started working on this virus, and the NICs haven't been working from the start... this is getting interesting.

    I think I'll hold off on reloading:-)

    +
    0 Votes
    Jacky Howe

    solid to go on now. Vundo can be a PITA.

    +
    0 Votes
    Jacky Howe

    If it is starting in Safe Mode try this you might be able to pick something up, also check the Services.

    Press the WinKey + r and type in <b>msconfig</b> and press Enter. Click on the startup Tab.

    Check the list to find the file that you are looking for, expand the <u>Location</u> column to see where it is loading from in the registry.

    Press the WinKey + r and type in <b>regedt32</b> and click OK. Browse to the key listed in the <u>Location</u> column for Msconfig.

    Delete the key on the right hand side only, that specifically matches that startup file.

    Note the <b>Command</b> folder in msconfig. Browse to the folder, and delete the .exe file.

    :::::eXample:::::

    The Startup TAB of Msconfig will show you the directory where pop.exe loads from:

    <b>Command</b> c:\Windows\system32\pop.exe

    and

    <u>Location</u> will guide you to its location in the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    With the registry editor open find the Run key in the left window. On the right hand pane you'll see each file that is in the Run key, pop.exe will be there. Right click and Delete the entry for pop.exe.

    Browse to the c:\Windows\system32 folder, and select the pop.exe file, hold down the Shift Key and press the Del Key.

    Repeat these steps for each item that you want to remove.

    +
    0 Votes
    artanyis

    Whenever there is a difference between Safe Mode and normal startup msconfig is the first place I hit. I cheat a little and if there is anything there I pop open A2hijackfree because it shows me all the startup files in one convenient place and can link me straight to the registry locations.
    But anyway, I kept going back there to see if there was anything coming up that I had missed, and there wasn't, not the Run, RunOnce or services. I even checked the obscure places like autoexec.bat and .nt but still couldn't find anything.

    Anyway. Ran Combofix again and it found another instance of the kbdsock.dll in the drivers folder; it killed it and my NICs started working again. But I still can't get to 90% of the user preferences in Windows yet... but now that I found pieces of Vundo and Smitfraud and that crazy kbdsock file, I think I'm on a good track to getting this thing actually fixed.

    Thanks for the help, if you think of anything else let me know, good chance I've already done it but bouncing ideas is useful.

    BTW, if you work on computers often I recommend A-2 Hijack Free, very useful and easy to use, and best of all, FREE. This is a link to EMSI's download site, lots of free tools here.

    http://www.emsisoft.com/en/software/download/

    +
    0 Votes
    Jacky Howe

    My approach on my personal System is to run these Batch files to get my base information and create a new Batch file, then modify the file by changing the output text file name so that I can use FC (File Compare) to quickly find any additions to the Registry or Processes. With a bit of planning you can automate the whole procedure.

    Just remember to run the original Batch files if you add any new software.

    Create a Batch file with these contents and run it to get the base file.

    Original:

    wmic /output:C:\process.txt process get description,executablepath


    Modified:

    wmic /output:C:\processnew.txt process get description,executablepath


    eXample of FC in a batch file:

    fc c:\process.txt c:\processnew.txt > c:\processCHK.txt


    There are seven Run Keys that could be used by a Virus. Some of the Keys may not exist so there will be no output unless something creates them.

    ------------------

    reg query hklm\Software\Microsoft\Windows\CurrentVersion\Run /s > C:\runKeys.txt

    reg query hklm\Software\Microsoft\Windows\CurrentVersion\RunServices /s >> C:\runKeys.txt

    reg query hklm\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /s >> C:\runKeys.txt

    reg query hklm\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /s >> C:\runKeys.txt

    reg query hklm\Software\Microsoft\Windows\CurrentVersion\RunOnce /s >> C:\runKeys.txt

    reg query hkcu\Software\Microsoft\Windows\CurrentVersion\Run /s >> C:\runKeys.txt

    reg query hkcu\Software\Microsoft\Windows\CurrentVersion\RunOnce /s >> C:\runKeys.txt

    goto end

    :END

    -----------------


    Another area to check as executable files can be run by Winlogon when Windows starts.

    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s > C:\winlogon.txt

    Look for the name Debugger, as this registry key will allow the redirection of the execution of one application to another.


    InprocServer32

    In the registry under HKCR\CLSID you'll find a list of all registered COM objects. Those that come from DLLs have InprocServer32 key under their {CLSID} key. A path to the file, which is loaded as a COM object, will be located in this key.

    reg query hkcr\clsid\ /v InprocServer32 /s > C:\inprocS32.txt



    Shell Open Command

    The (Default) value could be changed to load a suspect file every time an .exe file is executed on the system.

    reg query hkcr\exefile\shell /s > C:\shell.txt

    Note: if this registry setting is anything other than "%1" %* modify it by right clicking.



    A BHO is a COM in-process server registered under a certain registry key. Upon startup, Internet Explorer looks up that key and loads all the objects whose CLSID is stored there.

    reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s > C:\BHO.txt


    Look for the name Debugger, as this registry key will allow the redirection of the execution of one application to another.

    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s > c:\ImageFeX.txt


    This will create a list of Services:

    It is a location that can be added to start a threat as a Service on the system.

    wmic /output:C:\services.txt service list brief

    or you can use

    sc query > serviceslist.txt

    or you can use this but it will create a file around 500KB.

    reg query HKLM\SYSTEM\CurrentControlSet\Services /s > C:\services.txt


    Check to see if anything has been added to AppInit_DLLs which would normally not have an entry.

    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /s > C:\AppInit_DLLs.txt


    You should also run a tool which can enumerate Alternate Data Streams (ADS). Some root kit threats employ these techniques and they will not be seen with the DIR command.

    EG: streams -s c:\ > adsresults.txt

    http://download.sysinternals.com/Files/Streams.zip

    Manually navigating the Registry can be cumbersome on an infected System especially when you have several Keys to check. Running the original batch files on an infected System will soon give you several output files that can be used as a reference.


    Check for open ports EG: Default Zeus ports 3128, 5222, 5223, 5269, and 8010

    netstat -ano >netstate.txt

    The -n option tells netstat to display numbers in its output, not the names of machines and protocols, and instead shows IP addresses and TCP or UDP port numbers. The -a option indicates to display all connections and listening ports. The -o option tells netstat to show the process ID number of each program interacting with a TCP or UDP port.

    You can type NETSTAT -O to get a list of all the owning process IDs associated with each connection:

    netstat -anp tcp :1433

    URLZone and Zeus appear to run from the same location.

    The malware sets itself with a "Debugger" value to the file "userinit.exe". This ensures that every time the file "userinit.exe" runs, the malware will run instead.

    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s > C:\winlogon.txt


    Look for a new string with the name Debugger, as this will allow the redirection of the execution of one application to another.

    For example you can create a new key called notepad.exe and then create a new string with the name Debugger and value C:\WINDOWS\system32\calc.exe

    Now if you try to run notepad, the calculator will be launched instead.


    EdiT: tidy up
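As an added example (not code from this thread or from any of the tools named in it), here is the same baseline-and-compare idea in Python: it parses the text that `reg query ... /s` writes, reports the values that were added, removed or changed against a baseline snapshot the way the FC step above does, and then checks the locations discussed in this post and in the AppInit_DLLs post earlier in the thread (a populated AppInit_DLLs, an Image File Execution Options Debugger, a changed exefile open command, extra programs in Winlogon\Userinit). The two snapshots are constructed sample output, not captured from any real machine; the parser assumes the Vista/7 output layout, and the Userinit check assumes the stock value lists only userinit.exe.

```python
"""Baseline/diff of `reg query /s` output plus autostart sanity checks."""
import re
from typing import Dict, List, Tuple

# {(key path, value name): (value type, data)}
RegEntries = Dict[Tuple[str, str], Tuple[str, str]]

# Stock data of HKCR\exefile\shell\open\command, as stated in the thread.
EXPECTED_EXE_OPEN = '"%1" %*'


def parse_reg_query(text: str) -> RegEntries:
    """Parse `reg query <key> /s` output (Vista/7 layout assumed): key paths are
    unindented lines starting with HK; value lines are indented with name, type
    and data separated by tabs or 2+ spaces; banner/summary lines are skipped."""
    entries: RegEntries = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            key = raw.strip() if raw.startswith("HK") else None
            continue
        if key is None:
            continue
        parts = re.split(r"\t+|\s{2,}", raw.strip(), maxsplit=2)
        if len(parts) < 2 or not parts[1].startswith("REG_"):
            continue
        data = parts[2].strip() if len(parts) == 3 else ""  # empty REG_SZ has no data
        entries[(key, parts[0])] = (parts[1], data)
    return entries


def diff_snapshots(baseline: RegEntries, current: RegEntries):
    """Like FC on the two text files, but keyed per value so reordering is not noise."""
    added = {k: current[k] for k in current.keys() - baseline.keys()}
    removed = {k: baseline[k] for k in baseline.keys() - current.keys()}
    changed = {k: (baseline[k], current[k]) for k in baseline.keys() & current.keys()
               if baseline[k] != current[k]}
    return added, removed, changed


def check_autostarts(entries: RegEntries) -> List[str]:
    """Flag the autostart abuses the thread describes, regardless of the baseline."""
    findings = []
    for (key, name), (_vtype, data) in entries.items():
        key_l, name_l = key.lower(), name.lower()
        if name_l == "appinit_dlls" and data:
            findings.append(f"AppInit_DLLs loads into every process: {data}")
        elif "image file execution options" in key_l and name_l == "debugger":
            target = key.rsplit("\\", 1)[-1]
            findings.append(f"IFEO Debugger redirects {target} to: {data}")
        elif key_l.endswith("exefile\\shell\\open\\command") and name_l == "(default)" \
                and data != EXPECTED_EXE_OPEN:
            findings.append(f"exefile open command altered: {data}")
        elif key_l.endswith("currentversion\\winlogon") and name_l == "userinit":
            programs = [p.strip() for p in data.split(",") if p.strip()]
            extra = [p for p in programs if not p.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(f"Userinit launches extra programs: {', '.join(extra)}")
    return findings


# Constructed sample snapshots (not captured from a real machine). The infected
# one carries the AppInit_DLLs, Userinit and Debugger entries this thread describes.
BASELINE = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows
    AppInit_DLLs    REG_SZ
    LoadAppInit_DLLs    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\\WINDOWS\\system32\\userinit.exe,

HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command
    (Default)    REG_SZ    "%1" %*

End of search: 5 match(es) found.
"""

INFECTED = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows
    AppInit_DLLs    REG_SZ    C:\\WINDOWS\\system32\\kbdsock.dll
    LoadAppInit_DLLs    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\winupdatex86.exe

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\userinit.exe
    Debugger    REG_SZ    C:\\WINDOWS\\system32\\winupdatex86.exe

HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command
    (Default)    REG_SZ    "%1" %*

End of search: 6 match(es) found.
"""


def analyze(baseline_text: str, current_text: str) -> dict:
    """Diff two snapshots and run the autostart checks on the newer one."""
    baseline, current = parse_reg_query(baseline_text), parse_reg_query(current_text)
    added, removed, changed = diff_snapshots(baseline, current)
    return {"added": added, "removed": removed, "changed": changed,
            "findings": check_autostarts(current)}


if __name__ == "__main__":
    report = analyze(BASELINE, INFECTED)
    for label in ("added", "removed", "changed"):
        for (key, name), value in report[label].items():
            print(f"{label.upper():8} {key}\\{name} -> {value}")
    for finding in report["findings"]:
        print("FINDING  " + finding)
```

On a live machine the two texts would come from the batch files above (the baseline file taken while the System was known clean); the diff catches anything new in the keys you snapshot, while `check_autostarts` catches the well-known abuses even when no clean baseline exists.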

    +
    0 Votes
    artanyis

    Back to the top.
    Thanks for the information.
    I have been intending to set up some batch files to keep track of system changes on my machines since about 2004 when I was still taking my MCSE / MCSA classes... never got around to it.

    Anyway, the ports were something I had completely overlooked, but unfortunately no unusual ports opened.

    So here is where it stands at the moment.
    I have a dummy file with no permissions replacing kbdsock.dll and while the dummy file is there the system starts up fine, but no access to the Control Panel or any of the utilities/preferences underneath. But they work in Safe Mode. There is nothing out of place in any of the startup or autorun locations. Aside from the drivers, what is different between Safe Mode and normal? I've already tried putting it in diagnostic startup and it made no difference.

    +
    0 Votes
    Jacky Howe

    Running in Safe Mode loads a minimal set of drivers for the Operating System. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules.


    Boot into Safe Mode.

    Click Start, Run and type in <b>cmd</b> then press Enter.

    Type in <b>regsvr32 /u kbdsock.dll </b> and see if on a reboot it will spit the dummy. It may also give an indication as to what can't be loaded.


    It may be a bit late but these tools also come in handy.

    Download these tools to help you find out what is causing the problems

    Process Explorer

    Under View, Select Columns, Process Performance, choose e.g. IO Write Bytes, IO Read Bytes. Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.


    FileMon

    This monitoring tool lets you see all file system activity in real-time.

    Process Monitor

    Monitor file system, Registry, process, thread and DLL activity in real-time.


    Sysinternals Process Utilities

    http://technet.microsoft.com/en-us/sysinternals/cb56073f-62a3-4ed8-9dd6-40c84cb9e2f5.aspx

    Feel free to mark my answers as helpful if you think that you have benefitted from my input.

    +
    0 Votes
    artanyis

    I would like to thank you for the help, but I ran out of time, I have work that I need to get done using this computer so I went ahead and wiped it clean and loaded Windows 7 on it. I've needed to setup a windows 7 machine anyway, so this works out fine.

    For future reference if you ever see this one again, it's a *****. From what I could tell kbdsock.dll adds itself to the winsock and to the AppInit string. There is also a file that gets added which is winupdatex86; this gets started by being added to the userinit, and it will replace Windows Explorer. After that the smss and csrss processes get infected by Vundo.

    The virus progression went like this: I downloaded a virus-loaded program (that's what I get for cutting corners); it creates several files and instances that I don't see. After one reboot it created the kbdsock.dll; at this point it's not noticeable but there are pop-ups for fake viruses. Next it creates the winupdatex86 file, and Task Manager, Control Panel, Device Manager and MMC are no longer working. Regedit let me get the Task Manager working again. When I removed the winupdatex86.exe and its supplement files, that's when the major problems started. Apparently kbdsock and explorer don't get along so well. Anyway, this is a bad rootkit. I thank you for your help.

    +
    0 Votes
    Jacky Howe

    if you zeroed the drive. Thanks for the information.

    +
    0 Votes
    artanyis

    I found the same thing on 2 different customers' PCs. It's a Hoaxware / downloader / rootkit / annoying POS called Antivirus 2010. There is a post from Bleeping Computer about it. Construction-wise it's basically like a mix of Smitfraud and Vundo (not exactly uncommon) but its main unique feature is that it replaces the explorer.exe and adds a file to the winsock to allow the downloader to work. This little bugger was designed to work on XP, where it works as it should and only takes a few minutes to get rid of, but on Vista it cripples the OS and becomes almost unremovable. So, if you see Antivirus 2010 rogueware, that's what crippled my PC so effectively.

    +
    0 Votes
    Jacky Howe

    for the heads up.

    +
    0 Votes
    AlexNet0

    I have the same thing on a customer's PC.
    I found and removed several DLLs by pulling the drive on another computer, and in the registry I found a list of entries for these files, the one you are asking about included, under the local machine hive, Microsoft/Windows NT/AppInit key.

    here is the string that was referenced there.
    C:\WINDOWS\system32\kbdsock.dll,gewiluje.dll c:\windows\system32\lazogiya.dll

    My guess is that these are under environment variables in advanced system information.

    +
    0 Votes
    artanyis

    AlexNet, is the machine you found it on XP, Vista, or 7? I've seen it a few times in XP now where it repopulates itself from System Restore. I'm not sure what was triggering it to pull itself back out of System Restore, but if you clear out System Restore then Combofix is the simplest way to remove it.

    There are also a few browser hijacks associated with it in the ones I've seen. In XP it doesn't seem to be too major of a malware, but in Vista, if you read all of the posts, it was crippling because of the new explorer file it was forcing to load. I haven't seen it in a 7 environment yet, and don't think I want to.

    +
    0 Votes
    dmiles

    kbdsock.dll is a harmful program.
    It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
    If that does not help, then ask us for help in the Spyware removal forum.

    Name: kbdsock
    Filename: kbdsock.dll
    Registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLS

    Command: C:\WINDOWS\system32\kbdsock.dll
    Startup Type: AppInit_DLLs
    HijackThis Category: O20
    HijackThis Line:

    O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll

    DDS Line:

    AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll

    Combofix/RSIT Line:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="C:\WINDOWS\system32\kbdsock.dll"

    Description: trojan also known as Trojan.Win32.Agent.deot [Kaspersky Lab]

    How to remove: use HijackThis + Kaspersky virus removal tool