help with removing hostkill trojan



Tieu
07-09-2005, 11:49 PM
Hi,

Norton shows that my system is infected with Bat.HostKill Trojan. When I
plug my Network cable in, it seems like it is receiving something from the
Internet and a bunch of I.E. windows popped up asking me to install Service
Pack 3, Service Pack 4...

I updated to the latest Virus Definitions and scanned the whole system in Safe Mode
but Norton didn't find anything. Then when I switched back to Normal Mode,
Norton detected HostKill again. I followed the instructions on the Norton site
for HostKill but it didn't help. What other names is this Trojan detected
as in other AV software? Thanks in advance.

OS: Win2k.

David H. Lipman
07-09-2005, 11:49 PM

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor's web site.
On Win9x/ME the choices are; Trend, McAfee, Exit the menu and Reboot the PC
On NT4, Win2k, WinXP and Win2003 Server the choices are; Sophos, Trend, McAfee, Exit the
menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Tieu
07-09-2005, 11:49 PM
Hi Dave,

I am trying to get into Internet Options but I got this message: "Your
Current Security Settings Prohibit running ActiveX controls on this page. As
a result, the page may not display correctly." and I only see a blank screen.
Can I fix this in the Windows registry? Thanks again.

Tieu.


Tieu
07-09-2005, 11:49 PM
I used there scanners. Each found different viruses and removed them. After
reboot, all comes back again. This's getting crazy now. I guess I have to
erase everything. Thanks again for your help




Here are some Virus/Trojan info:
QHost-1!
LowZone
Downloader.QG
HostKill
HackDefender




David H. Lipman
07-09-2005, 11:49 PM

What keeps coming back ? Which infector ?

What anti virus software found what infector ?

What is the fully qualified path to the file that was identified to come back ?

Did you run each in both Normal Mode and in Safe Mode ?

You really need to supply more information.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Phil Weldon
07-09-2005, 11:49 PM
'David H. Lipman' wrote, in part:

"You really need to supply more information."

Do you sometimes feel as if you were a dentist? Perhaps you should come up
with a work sheet to be filled out when a user comes up against an
intractable infection.

Phil Weldon


David H. Lipman
07-09-2005, 11:49 PM

Yes Phil ;-)

Sometimes getting the pertinent data can be like pulling teeth.

I recently answered a question that was...

"I have a list of computer names. Some of which exist and some don't. I have
a script that I run to collect inventory information. My problem is that it
does not handle the non existing servers very well. I would like to include a
test that confirms that the server exists before running the rest of the
script AND if it does not exist skips it and moves on.
TIA
Mike"

My answer:
"nbtstat -a Host_Name | find /c /i "host not found"

If the host doesn't exist, it will return the value= 1
if it does exist it returns the value= 0"

He then replied...
"Thanks David. I should have been more clear. I need this to work within a VB
Script."

So I wasted my time coming up with an answer and testing it.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Tieu
07-09-2005, 11:49 PM
Hi,

Your Multi-AV works great on Win2K. It's not really compatible with Win98 or
XP. When I open it in Win98, a screen flashes and goes away. On WinXP,
I see a screen as it is in Win2K but when I select 1, 2 or 3 to download, it
brings up a shutdown window. Anyway, this is out of question. Let me get
back to your questions.

McAfee detected: Reg/LowZones (files C:\Winnt\system32\Ransy.Reg, Rany.reg),
Downloader-QG (winnt\system32\update-sp1.htm, update-sp2.htm..), QHost
(c:\b.bat), SDBot, HackDefender (c:\system.exe)
Norton detected: Randex (c:\dllpt.exe), hostkill9(b.bat), HackDefender
(c:\system.exe)
Trend and Sophos detected something else.

I scanned in Safe Mode first, then Normal Mode.

Now, when I reboot my computer, Norton gives a warning message for the Randex Worm
(file ddlpt.exe. I have to manually go to Process Listing to delete this file)

I ran the McAfee scan again, and as you expect, LowZones, Downloader-QG are on
the list.

I did reinstall one Win2K computer though and it got infected with Randex
and hostkill the next day. I guess the Trojans spread over the local network.
WinXP and Win98 are ok.

Thanks again.







David H. Lipman
07-09-2005, 11:49 PM

The software is a series of Kixtart scripts that are for the Win32 family and the software
is from the vendors and, except for Sophos, should work on Win9x/ME and NT based OS' and
Sophos only works under NT based OS'. I have tested the scripted process under various
Operating Systems and it works just fine so the problems you experienced could be indicative
of other problems with your systems. The scripted process is compatible with Win98 and
WinXP and has been tested on both to work as expected.

Randex is a worm (virus) and can spread via a network. Hostkill is a Trojan and has to be
installed on a computer; it will not replicate or spread on its own.

Randex -- http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.html

BAT.Hostkill -- http://securityresponse.symantec.com/avcenter/venc/data/bat.hostkill.html

You indicated Batch file (.BAT) and Registry files (.REG) and they should be deleted by the
AV scanners. If not you will have to delete them. If they are contained in archive files
(ZIP, CAB, etc) then delete the archive files that house the .BAT and/or .REG files.

It can greatly help if you attach the LOG files associated with the AV scanners. You can
put them in a ZIP file and attach them to your reply.

You listed a range of malware. Some like the SDBot worm can cause Trojans to be downloaded
and installed depending on the variant.

Download Pocket KillBox
http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Extract killbox.exe from the ZIP file.
Execute; KillBox.exe

Click on Tools --> Select; Delete Temp Files.

Choose; OK

In the Full Path of File to Delete box, type the entire following line exactly

c:\dllpt.exe

Select; Replace on Reboot

put a check in the box "Use Dummy"

Click The Red circle and a white X

When prompted to Replace on Reboot, click YES

If prompted to Reboot Now, Click No



In the Full Path of File to Delete box, type the entire following line exactly

c:\system.exe

Select; Replace on Reboot

put a check in the box "Use Dummy"

Click The Red circle and a white X

When prompted to Replace on Reboot, click YES

If prompted to Reboot Now, Click YES


Allow the PC to shutdown and reboot then rescan the system


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
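
The questions asked earlier in this thread (which scanner found which infector, at what fully qualified path, and what keeps coming back) can be answered by lining the scanner results up per file. The following is an added example, not part of the original posts or of Multi_AV; the `scanner|round|name|path` record format, the round numbers, and the full path used for Norton's b.bat entry are assumptions, and the sample records are constructed from the detections listed above.

```python
from collections import defaultdict
import ntpath

# Constructed worksheet records: scanner | scan round | detection name | path.
# Detection names and paths follow the thread; round numbers are assumed, and
# Norton's b.bat entry is assumed to be the same c:\b.bat that McAfee reported.
SAMPLE = r"""
McAfee|1|Reg/LowZones|C:\Winnt\system32\Ransy.Reg
McAfee|1|QHost|c:\b.bat
McAfee|1|HackDefender|c:\system.exe
Norton|1|Bat.HostKill|C:\B.BAT
Norton|1|HackDefender|c:\system.exe
Norton|1|Randex|c:\dllpt.exe
Norton|2|Randex|c:\dllpt.exe
McAfee|2|Reg/LowZones|c:\winnt\system32\ransy.reg
"""

def normalize(path):
    """Windows paths are case-insensitive: fold case and separators so the
    same file reported by two scanners compares equal."""
    return ntpath.normpath(path.strip()).lower()

def parse(text):
    """Turn worksheet lines into (scanner, round, name, path) tuples."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4 or not parts[1].isdigit():
            raise ValueError(f"line {n}: expected scanner|round|name|path")
        scanner, rnd, name, path = parts
        records.append((scanner, int(rnd), name, normalize(path)))
    return records

def aliases(records):
    """Map each file to the name each scanner gave it (vendor aliases)."""
    by_path = defaultdict(dict)
    for scanner, _, name, path in records:
        by_path[path][scanner] = name
    return dict(by_path)

def recurring(records):
    """Files detected in more than one scan round: what keeps coming back."""
    rounds = defaultdict(set)
    for _, rnd, _, path in records:
        rounds[path].add(rnd)
    return sorted(p for p, seen in rounds.items() if len(seen) > 1)

def worksheet(text):
    """One line per file: path, whether it returned, and each vendor's name."""
    records = parse(text)
    back = set(recurring(records))
    lines = []
    for path, names in sorted(aliases(records).items()):
        named = ", ".join(f"{s}: {n}" for s, n in sorted(names.items()))
        flag = "RETURNS" if path in back else "once"
        lines.append(f"{path:32} {flag:8} {named}")
    return lines

if __name__ == "__main__":
    print("\n".join(worksheet(SAMPLE)))
```

Files flagged as returning are the ones to chase first: something still running or still reachable over the network is recreating them after each cleanup.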

Tieu
07-09-2005, 11:49 PM
Dave,

All computers are under control now. Your AV tool is great. I will keep it
for future rescue. Thanks again for your help.

Tieu.




