HBKiller virus problem, non-detectable by anti-virus

[mtechong]

Hi all,

First time poster here. I've Googled around for this virus but can't find anything understandable about it as the page I found was in Indonesian and online translators still don't make it understandable.

I have this problem with a virus called HBKiller_#1. It manifests in the Internet Explorer title bar I.e. Google - HBKiller In The House!!!

I've found a file in the C: root directory called HBKiller_#1.html which seems to be constantly updated as every time I check it the date modified is exactly the current date and time. I've deleted it, but it comes back after a few seconds. Looking through my running processes, when I end wscript.exe and delete the HBKiller_#1.html file, the file doesn't come back but the Internet explorer title bar still contains the HBKiller phrase.

One of the most concerning aspects of this virus is that it's copying itself to any USB storage device that is plugged into my laptop.

I originally ran my anti-virus (McAfee) and it didn't pick up anything. Windows Defender also didn't find anything. I ran HJT and it found the process, looks it was WAS running on the wscript.exe process. I selected it and clicked fix, but the issue in IE still remained. It seems that the process only runs when IE is run.

I've run through the 8 step removal instructions. However, neither Malwarebytes nor SuperAntiSpyware picked it up.

I've attached my log files.

Appreciate the feedback and help!

Mark

 

[vpcoded]

The actions of your virus/spyware seems to work the same ways as one i came across a while back called P2Pnetworking.exe it was hell to rid of I finialy did this threw deleting REG values that belonged to it. The self installing deal i belive will be found in the RUN current verson key below. but to find all values with that name you can click edit at the top left and click find and type the name of the virus in there and keep pressing F3 to find the next value with that name. Take it easy and go slow in the registry you can cause big problems. I would think if you do not know much in regedit then I would reccomend running the HiJackThis again afterwards doing a registry scan with some ututlity. and and it will find that there is a missing path with that for how ever long it takes its self to reinstall.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce

 

[mtechong]

Finally found the removal process on another website.

It seems that the virus was a variant of a USB worm that was roaming around in 2007/2008. I cleaned out the registry and disabled all autoplay functions, so far things are looking good.

Cheers
Mark

 

[tehren68]

hi mtechong.

can you tell me how to delete this virus?

regards.
tehren

 

[Durai]

Hi, mtechong,
Can u provide me the link of another website, as i can remove virus from my pc? Thanks In Advance.

Hi, mtechong,
Can u provide me the link of another website, as i can remove virus from my pc? Thanks In Advance.

 

[mtechong]

1. Finding potential processes running

- Press CTRL, ALT and DELETE key together. You will open the Windows Task Manager.
- Click the Processes tab, and comb through the list and see whether there is a program called wscript.exe is running. If you find it, click on it and click End Process.
- After that you can close the Task Manager window.

2. Finding the virus (for those who were not detected by the antivirus - for Microsoft Windows)

- Go to My Computer
- Click Tools at the top bar --> Folder Options
- When you come to the Folder Options window, click on the View tab
- Look for Hidden files and folders
- Tick Show hidden files and folders
- Tick Show system files
- Press OK
- Once the window is closed, click on your C drive once.
- Go to C:\WINDOWS\system32. Once you are in there, look for whether there is a filename called HBKiller.js
- If you can't find it in C (like I did), look in C:\Windows
- If you still can't find it, don't worry, press F3 at the top row of your keyboard (in case you don't know) and the search bar will be on your left. Click on All files and folders, and type in the file name HBKiller.js

If you don't find any file in there, congratulations, you are one step out of it.
You can jump to step (4)

3. You found the virus

- Click on the file you found and press SHIFT key and DELETE key
- It will ask you "Are you sure you want to delete (the file name)". Click Yes
- If you find more than one location that has HBKiller.js, then you need to repeat the steps in (3)

4. Editing the Windows Register (do it with full of caution!)

- Click Start --> Run
- Type regedit and press ENTER
- You will come to the Registry Editor window
- On your left there will be the registry directories. Look for:
HKEY_LOCAL_MACHINE --> Software --> Microsoft --> Windows --> Current Version --> Run
- If there is a HBKiller.js in there, delete the entry.
- Then you need to look for:
HKEY_CURRENT_USER --> Software --> Microsoft --> Internet Explorer --> Main
- If you see the Window Title has "HBKiller In The House!!!" you should delete that entry.
- You can now close the Registry Editor window

5. Stop all auto runs in future (recommended move)

- Click on Start --> Run
- Type gpedit.msc and press ENTER
- You will come to the Group Policy window
- Go to User Configuration --> Administrative Templates --> System
- Look for Turn off Autoplay and double click it. You will come to Turn Off Autoplay Properties window.
- Click Enable and select All drives from the drop-down combo box.
(It is suggested to turn it off to avoid further potential virus infections in future)
- You can now close the Group Policy window

6. Stopping auto run virus programs (if have)

- Click on Start --> Run - Type msconfig and press ENTER. You will come to the System Configuration Utility window
- Click on the Startup tab, and look for any programs that runs under HBKiller.js
- If you find then, uncheck the checkbox on the left of the file
- Click Apply
- Click Close
- When you close the window it will ask you whether to restart or not. Click on Exit without Restart.


7. Start > Run > Regedit
Then go to
HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Explorer > MountPoints2 >

Then you will see a list of random numbers and jargon looking a little like "{07852ef4-9baf-11db-a10c-806d6172696f}" - This refers to your hard drives. The more you have the more random things you will have in this list. A partition counts as a seperate drive.

Now go in these "drives" to
Shell > AutoRun > command
You will see a file called "default" with some code next to it saying ”C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .HBKiller.js”. or similar.

Open the file and delete all the "wscript.exe .HBKiller.js” part. I dunno if you need the rest but this will kill it anyway.
Do this for every drive you have within the "Mountpoints2" subtree.
Also go into:
Shell > AutoPlay > command
Shell > Explore > command
Shell > Open > command
Shell > Scan for Biros > command
Shell > Scan with Manok > command
Shell > Scan with Rempit > command

And open the default file and delete “wscript.exe HBKiller.js”

8. Restarting your PC
- Before restart, make sure that you empty your recycle bin
- Restart your PC
- You will see a windows prompt that you have changed your system configurations. Check on the checkbox not to remind you anymore and press ok.

 

[candy77]

the HBKiller_#1.html keep coming in my C and D drive eventhough I delete it. I've done all the steps by mtechong and it's possible I might not complete in step #7.

 

[Durai]

Thanks mtechong. i follow all ur steps. It's works. No "hbkiller" in my C:drive anymore. Thanks A lot.

 

[mtechong]

the HBKiller_#1.html keep coming in my C and D drive eventhough I delete it. I've done all the steps by mtechong and it's possible I might not complete in step #7.

Hi Candy, it might help to run hijackthis once you've completed the steps just to be 100% sure it's all gone. One thing to note, if you have USB devices connected to your computer, they will be automatically infected if you do not clean it off your your PC. Also, if you clean if from your PC and your USB device is still infected, your PC will become infected again when you attach it.

 

[tehren68]

hbkiller

why in explorer the "hbkiller in the house!!!" still appear..

 

[soonqs]

script : c:\HBKiller.js

Hi, mtechong,
Thank you for providing the solution in removing the HBKiller virus ,after folow the steps apply,my pc running with no HBKiller html appear ,but when I try to click on my c drive folder
there is error as : script : c:\HBKiller.js
line : 253
char : 1
error : automation server can't create object
code : 800A01AD
source : microsoft jscript runtime error
follow by an ok button
I have check the registry some area still appear again HBKiller.js even I delete it .
I can access drive by Click Start --> Run and type c:\
hope to get some feedback regarding this problem

thank you.

 

[buis83]

Unable to open my local c: drive

Hi mtechong,

1st thanks for the solution to this problem.
I've followed all the steps and my computer seems to be clear of HBKiller.js or HBKIller. html after restarting. However, i do come across a problem where i cannot open my local C: drive once click on it, It will pop out wit a dialog stated:

WINDOW SCRIPT HOST
X Can not find script file "c:/HBKiller.js"

And follow by an OK button.
Now I can only access the C: drive by going to Start--> Run --> c:/
However, everytime when i done so, even there is no appearence of HBKiller.js or HBKIller. html on my local C: drive when search, but there is reappearing of wscript.exe.HBKiller.js or HBKiller.js related registrys in a specific hard drive.

So am wondering do you have the similar problem on that?? Do you know how to resolve this issue??
If yes, could you pls kindly advise me on that. I will be greatly appreciated!!
Hope to hear from you.

Many Thanks

 

[xiongling]

Hi mtechong,

I have tried your steps lots of times but it doesn't really help to clear off the hbkiller always when I start up my pc. I can't get to find the HBKiller.js file in C:/Windows/system32, it doesn't exists. Thus, I ignore the 2nd step and complete the rest of the steps for few times but the problem still there. Can I know any other best way to remove the HBKiller from my PC?

By the way, always when I start up my pc, there will be a bsserver.exe error pop out and the HBKiller#1.html file will appear back. Can I know am I need to solve the bsserver.exe error problem before I can solve the HBKiller problem?

Hope to hear from you.

Thanks,
Xiong Ling