
KVBOOT.SYS is Trojan Small.2816


We checked the file KVBOOT.SYS and found it to be malicious.
The file KVBOOT.SYS must be deleted from the system immediately.
Kill the KVBOOT.SYS process and remove KVBOOT.SYS from Windows startup.

Malware Analysis of KVBOOT.SYS
Full path on a computer: %SysDir%\drivers\Kvboot.sys

Detected by UnHackMe:

KVBOOT.SYS
Default location: %SysDir%\drivers\Kvboot.sys

Removal Results: Success
Number of reboots: 1

KVBOOT.SYS is known as:

Trojan.Small.2816, Hacktool.Rootkit, RTKT_AGNT.AB, Rootkit.20106, RKIT.AntiARP, HackTool.XSpoof.a, Trojan.HT-XSpoof.2816, Win-Trojan.Xspoof.2816, W32.Malware_fam.NB

KVBOOT.SYS hash:

  • MD5: 77c806ffef43a59b92cb8ec8279b7bee

How to quickly detect KVBOOT.SYS presence?
Registry:
  • HKLM\System\CurrentControlSet\Services\KVBOOT\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
  • HKLM\System\CurrentControlSet\Services\KVBOOT\Type: 0x00000001
  • HKLM\System\CurrentControlSet\Services\KVBOOT\Start: 0x00000000
  • HKLM\System\CurrentControlSet\Services\KVBOOT\ErrorControl: 0x00000000
  • HKLM\System\CurrentControlSet\Services\KVBOOT\ImagePath: "system32\DRIVERS\Kvboot.sys"
  • HKLM\System\CurrentControlSet\Services\KVBOOT\DisplayName: "KVBOOT"
  • HKLM\System\CurrentControlSet\Services\KVBOOT\Group: "Boot Bus Extender"
  • HKLM\System\CurrentControlSet\Services\LDAPSVC\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
  • HKLM\System\CurrentControlSet\Services\LDAPSVC\Parameters\ServiceDll: "%SystemRoot%\system32\LDAPSVC.dll"
  • HKLM\System\CurrentControlSet\Services\LDAPSVC\Type: 0x00000020
  • HKLM\System\CurrentControlSet\Services\LDAPSVC\Start: 0x00000002
  • HKLM\System\CurrentControlSet\Services\LDAPSVC\ErrorControl: 0x00000000
  • HKLM\System\CurrentControlSet\Services\LDAPSVC\ImagePath: "%SystemRoot%\system32\svchost.exe -k LDAPSVC"
  • HKLM\System\CurrentControlSet\Services\LDAPSVC\DisplayName: "LDAP Service"
  • HKLM\System\CurrentControlSet\Services\LDAPSVC\ObjectName: "LocalSystem"
Files:
  • %WinDir%\inf\atm.ldb
  • %WinDir%\inf\atm.PNF
  • %SysDir%\drivers\Kvboot.sys
  • %SysDir%\drivers\xArpProto.sys
  • %SysDir%\LDAPSVC.dll
