We checked some samples of XARPPROTO.SYS and detected the file XARPPROTO.SYS as threat.
Remove the XARPPROTO.SYS file from your computer right now.
Removal tool: http://www.unhackme.com
Malware Analysis of XARPPROTO.SYS
Full path on a computer: %SysDir%\drivers\xArpProto.sys
Detected by UnHackMe:
XARPPROTO.SYS
Default location: %SysDir%\drivers\xArpProto.sys
Removal Results: Success
Number of reboot: 1
XARPPROTO.SYS is known as:
Trojan.Xspoof.18560
XARPPROTO.SYS hash:
- MD5: 79b80970ab0de1f9545df9c4c627ce5e
How to quickly detect XARPPROTO.SYS presence?
Image may be NSFW.
Clik here to view.
Registry:
Clik here to view.
Registry:- HKLM\System\CurrentControlSet\Services\KVBOOT\Type: 0×00000001
- HKLM\System\CurrentControlSet\Services\KVBOOT\Start: 0×00000000
- HKLM\System\CurrentControlSet\Services\KVBOOT\ErrorControl: 0×00000000
- HKLM\System\CurrentControlSet\Services\KVBOOT\ImagePath: “system32\DRIVERS\Kvboot.sys”
- HKLM\System\CurrentControlSet\Services\KVBOOT\DisplayName: “KVBOOT”
- HKLM\System\CurrentControlSet\Services\KVBOOT\Group: “Boot Bus Extender”
- HKLM\System\CurrentControlSet\Services\LDAPSVC\Parameters\ServiceDll: “%SystemRoot%\system32\LDAPSVC.dll”
- HKLM\System\CurrentControlSet\Services\LDAPSVC\Type: 0×00000020
- HKLM\System\CurrentControlSet\Services\LDAPSVC\Start: 0×00000002
- HKLM\System\CurrentControlSet\Services\LDAPSVC\ErrorControl: 0×00000000
- HKLM\System\CurrentControlSet\Services\LDAPSVC\ImagePath: “%SystemRoot%\system32\svchost.exe -k LDAPSVC”
- HKLM\System\CurrentControlSet\Services\LDAPSVC\DisplayName: “LDAP Service”
- HKLM\System\CurrentControlSet\Services\LDAPSVC\ObjectName: “LocalSystem”
Image may be NSFW.
Clik here to view.Files:
Clik here to view.
Files:- %WinDir%\inf\atm.ldb
- %WinDir%\inf\atm.PNF
- %SysDir%\drivers\Kvboot.sys
- %SysDir%\drivers\xArpProto.sys
- %SysDir%\LDAPSVC.dll
