kbdrv32.com, what is this?

hello,

this is my first time here in your forum.

There’s something running in my PC’s processes. It’s called kbdrv32.com. Whenever I insert my USB flash drive, it now has a hidden file, 1.bat, and its autorun.inf.
I’ve run my antivirus. Nothing was found.

when i search it in google, here is the ONLY result:
http://www.prevx.com/filenames/625109982533686287-X1/KBDRV322ECOM.html

It said that it is a virus. Is it a virus? Because I don’t believe what Prevx said, since it’s the first time I’ve heard of this antivirus.

Download Flash Disinfector and save it onto your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder…it will help protect your drives from future infection.

As for kbdrv32.com, Prevx says it’s cloaked malware.
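The pattern the poster describes (an autorun.inf that points at a hidden .bat on the flash drive) and the protection Flash_Disinfector leaves behind (a folder named autorun.inf, which stops a file of that name being created) can both be checked from a script. The following is an added example, not code from the thread or from Flash_Disinfector; it parses an autorun.inf, reports any key that would launch a program on insertion, lists .bat files at the drive root, and can create the protective folder. The drive contents it inspects are constructed in a temporary directory so it runs offline.

```python
"""Inspect a drive root for the autorun.inf / root .bat pattern and apply the
Flash_Disinfector-style 'autorun.inf folder' protection.  Added example;
the drive image is constructed, not captured from a real infection."""
import os
import tempfile

# Extensions that, if named by an autorun.inf open/shellexecute key, mean code
# would run when AutoRun is honoured for the drive.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".scr", ".pif"}


def parse_autorun(text):
    """Parse autorun.inf text and return the [autorun] keys as a lowercase dict.

    A hand-rolled parser is used because real autorun.inf files are often
    sloppy (mixed-case section names, stray lines) and configparser rejects them.
    """
    keys = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def launch_targets(keys):
    """Return the values of keys that cause execution: open, shellexecute, shell\\*\\command."""
    return [v for k, v in keys.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def is_executable_target(value):
    """True if the first token of a command (quotes stripped) has an executable extension.
    Unquoted paths containing spaces are not handled; that is a known simplification."""
    value = value.strip()
    if not value:
        return False
    cmd = value.split()[0].strip('"')
    return os.path.splitext(cmd)[1].lower() in EXECUTABLE_EXTS


def inspect_drive(root):
    """Return findings for one drive root: autorun.inf state, launch targets, root .bat files."""
    findings = {"autorun_inf": "absent", "launches": [], "root_bat": []}
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        findings["autorun_inf"] = "protected-folder"   # what Flash_Disinfector leaves behind
    elif os.path.isfile(path):
        findings["autorun_inf"] = "file"
        with open(path, "r", errors="replace") as f:
            keys = parse_autorun(f.read())
        findings["launches"] = [t for t in launch_targets(keys) if is_executable_target(t)]
    # Batch files at the drive root (the thread's "1.bat"); hidden attribute is not checked
    # here so the check works on any OS.
    for name in sorted(os.listdir(root)):
        if name.lower().endswith(".bat") and os.path.isfile(os.path.join(root, name)):
            findings["root_bat"].append(name)
    return findings


def protect_drive(root):
    """Create a folder named autorun.inf if nothing of that name exists (Flash_Disinfector's trick).
    Returns True if the folder was created, False if something was already there."""
    path = os.path.join(root, "autorun.inf")
    if os.path.exists(path):
        return False
    os.mkdir(path)
    return True


def fresh_root():
    """A throwaway directory standing in for a drive root."""
    return tempfile.mkdtemp()


def demo():
    """Build a constructed drive image matching the thread's description and inspect it."""
    root = fresh_root()
    with open(os.path.join(root, "autorun.inf"), "w") as f:          # constructed sample
        f.write("[AutoRun]\nopen=1.bat\nshellexecute=1.bat\nshell\\open\\command=1.bat\nicon=x.ico\n")
    with open(os.path.join(root, "1.bat"), "w") as f:                # harmless placeholder
        f.write("@echo off\r\nrem constructed placeholder, does nothing\r\n")
    return inspect_drive(root)


if __name__ == "__main__":
    print(demo())
```

The folder trick only helps while nothing running with sufficient rights removes the folder, and modern Windows no longer honours autorun.inf on USB flash drives at all; it is a belt-and-braces measure, not a substitute for cleaning the machine that writes the files.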

Hi dark_blue,

Your computer is infected with cloaked malware. The file called KBDRV32.COM is considered unsafe and there may be other infections on your PC. Download HJT from here : http://download.bleepingcomputer.com/hijackthis/HiJackThis.exe
Add the log file (txt) to your next post for analysis.

polonus

hello, here is the result of HijackThis (attached)

My laptop is also infected with this kbdrv32.com (but it has no symptoms like the 1.bat thing when inserting a USB flash drive).


An analysis of your HJT log (attachment #2) shows :

A newer version of the service pack is available. Service packs increase the safety of your system. Visit Microsoft’s Windows Update site to download the newest version of the service pack.

Platform: Windows XP SP2 (WinNT 5.01.2600)

We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.

C:\WINDOWS\services.exe
This entry is not running from the System32 folder. This process runs normally in c:\windows\system32!
This entry was classified as bad.

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\services.exe
Same as the above.

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\2.bin\ASKSBAR.DLL (file missing)
Unnecessary (deactivated) entry that can be fixed. See this link … http://www.benedelman.org/spyware/installations/askjeeves-banner/

O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
Unnecessary (deactivated) entry that can be fixed.

O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\2.bin\ASKSBAR.DLL (file missing)
Unnecessary (deactivated) entry that can be fixed.

O4 - HKLM..\Run: [snppro] C:\WINDOWS\vsnppro.exe
http://spywarefiles.prevx.com/RRGDIA1635064/VSNPPRO.EXE.html
If you have a Sonix camera or other Sonix products, this one might be ok. If not, this one can be fixed.

O4 - HKLM..\Run: [Memeo Share] D:\DVD ripper ü\Memeo Share\MemeoLauncher.exe --silent
http://www.processlibrary.com/directory/files/memeolauncher/
Unknown application. If you have a backup utility, this one should be ok.

O4 - Startup: kbdrv32.com
As noted in above posts … http://www.prevx.com/filenames/625109982533686287-X1/KBDRV322ECOM.html

O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\WINDOWS\system32\shdocvw.dll
http://msdn.microsoft.com/en-us/library/aa741313(VS.85).aspx
There are some vulnerabilities in SP1 and below but you have SP2 and should be ok.
http://antivirus.about.com/od/virusdescriptions/a/bofra.htm

I am sorry but I have to go. I do not have time to do the one for the laptop now but will do it later tonight if no one does it before I return.

An analysis of the laptop HJT log :

It seems that you don’t use an anti-virus scanner or your scanner is not active. (NAV?)

We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.

The below entries were marked questionable but research seems to check out most of them as good except for the 2 marked as BAD.

C:\Program Files\Toshiba Registration\Registration.exe
http://toshiba-registration.software.informer.com/ This one should not be bad if your laptop is Toshiba.

O4 - HKLM..\Run: [jswtrayutil] “C:\Program Files\Jumpstart\jswtrayutil.exe”
http://www.prevx.com/filenames/X2503399194776069887-0/JSWTRAYUTIL2EEXE.html
Tray Utility for QSS for Wireless. Is this what you use?

O4 - HKCU..\Run: [1145860967] C:\Program Files\Toshiba Registration\Registration.exe /r “C:\Program Files\Toshiba Registration\Registration.rpd”
This one should not be bad if your laptop is Toshiba.

O4 - Startup: kbdrv32.com
BAD as noted in above posts.

O23 - Service: Norton2009 Reset (.norton2009Reset) - Unknown owner - C:\Program Files\Norton2009Reset.exe
http://www.prevx.com/filenames/X315792894696582061-0/NORTON2009RESET2EEXE.html
BAD

O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
http://www.prevx.com/filenames/X2503399194776069887-0/JSWTRAYUTIL2EEXE.html
Tray Utility for QSS for Wireless. Is this what you use?
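The two log analyses above (the desktop's and the laptop's) apply the same handful of checks by eye: a core system process such as services.exe running outside system32, a system.ini Shell= value that loads something besides Explorer.exe, a Startup-folder item with an odd executable extension, dead O2/O3 entries marked "(file missing)", and O23 services with no vendor ("Unknown owner"). As an added example that is neither the thread's nor HijackThis' own code, the script below runs those checks over HijackThis-style lines; the sample log is constructed from the entries quoted in the thread, and the list of system32-only process names is an assumption of this example, not something the log format defines.

```python
"""Apply the manual HijackThis-log checks made in the thread to log text.
Added example; SAMPLE_LOG is constructed from entries quoted in the thread."""
import ntpath

# Core Windows processes that should only run from %WinDir%\system32 (assumed list).
SYSTEM32_ONLY = {"services.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "svchost.exe", "smss.exe"}
# Extensions that are unusual for a legitimate Startup-folder item.
ODD_STARTUP_EXTS = (".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")

SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\services.exe
C:\\WINDOWS\\Explorer.EXE

F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\services.exe
O4 - HKLM\\..\\Run: [snppro] C:\\WINDOWS\\vsnppro.exe
O4 - Startup: kbdrv32.com
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\\Program Files\\AskSBar\\bar\\2.bin\\ASKSBAR.DLL (file missing)
O23 - Service: Norton2009 Reset (.norton2009Reset) - Unknown owner - C:\\Program Files\\Norton2009Reset.exe
"""


def check_process_path(path):
    """A system32-only process running from any other folder (the services.exe case)."""
    name = ntpath.basename(path).lower()
    parent = ntpath.basename(ntpath.dirname(path)).lower()
    if name in SYSTEM32_ONLY and parent != "system32":
        return f"{name} running from {ntpath.dirname(path)} instead of system32"
    return None


def check_shell(value):
    """system.ini Shell= should be exactly Explorer.exe; anything after it is loaded at logon."""
    parts = value.split()
    extra = parts[1:] if parts and parts[0].lower() == "explorer.exe" else parts
    return f"Shell= loads extra program(s): {' '.join(extra)}" if extra else None


def check_startup(target):
    """Startup-folder items with .com/.bat-style names are rare for legitimate software."""
    if target.lower().endswith(ODD_STARTUP_EXTS):
        return f"Startup item {target} uses an uncommon executable extension"
    return None


def check_dead_entry(line):
    """O2/O3 entries whose file is gone are harmless leftovers that can be fixed."""
    return "dead entry (file missing); safe to fix" if line.endswith("(file missing)") else None


def check_service(line):
    """O23 services with no vendor string deserve a manual look at the binary."""
    return "service has no vendor (Unknown owner); verify the binary" if " - Unknown owner - " in line else None


def analyse(log_text):
    """Return a list of (line, finding) for every line that triggered a check."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            f = check_process_path(line)
        elif line.startswith("F2 - ") and "Shell=" in line:
            f = check_shell(line.split("Shell=", 1)[1])
        elif line.startswith("O4 - Startup: "):
            f = check_startup(line.split(": ", 1)[1])
        elif line.startswith(("O2 - ", "O3 - ")):
            f = check_dead_entry(line)
        elif line.startswith("O23 - "):
            f = check_service(line)
        else:
            f = None                      # O4 Run entries still need the manual lookup shown above
        if f:
            findings.append((line, f))
    return findings


if __name__ == "__main__":
    for line, finding in analyse(SAMPLE_LOG):
        print(f"{finding}\n    {line}")
```

The checks are deliberately narrow: they reproduce what the helpers flagged as BAD and leave the vendor-specific O4 Run entries (Sonix, Memeo, Toshiba, Jumpstart) to the per-entry research the thread does, since a path alone cannot tell a legitimate OEM tool from something masquerading as one.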