Help please ..

Discussion in 'Trojan Defence Suite' started by jazzman1, Mar 10, 2005.

Thread Status:
Not open for further replies.
  1. jazzman1

    jazzman1 Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    5
    Location:
    Pasadena, CA
    I have just spent 2 weeks recovering a client's computer (Compaq Presario/Intel P4) from some nasties. I have FULLY recovered Windows XP Home Edition and I'm carefully attempting to SEE what is left lying around.

    2 files are bothering me. One, found by TDS-3, called Python-2.2.1 in the Manufacturers directory Hewlett-Packard (Yes - it appears that HP INSTALLED this software with THIS computer "for" the user) and another that I can't track down on the hard drive other than there is a Directory called KDX with a file called "khost.ext" that I CANNOT delete. Research has shown me the following:

    Name: kdx
    Filename: KHost.exe
    Location: Unknown
    Description: KonTiki Secure Delivery Plug In related. "The Kontiki Delivery Management System (DMS) is a secure delivery network for distribution of video, software, audio, documents, and other digital media. The Kontiki DMS enables enterprises to efficiently publish, secure, deliver and track digital media to employees, partners, and customers"
    Startup Type: Currently being identified.

    But I CANNOT GET RID OF IT WITH ANY TOOLS THAT I AM AWARE OF?? I have tried the following:

    TDS-3
    AVG AntiVirus
    SpywareBlaster
    SpyBot S&D
    Microsoft Pest Removal tool
    Microsoft AntiVirus
    SpySubtract
    AboutBuster

    And a few that I have NOT mentioned, but NONE OF THEM tells me ANYthing about the mentioned files EXCEPT TDS-3 (python-2.2.1), but TDS-3 mentions NOTHING about KDX. While I'm not surprised, because KDX has NOT been determined by the "powers that be" to be a PEST, it is still a REAL concern to me.

    All I want to do really is UNinstall it OR be able to DELETE it, which I cannot. Any help would be GREATLY appreciated.

    Thanks so much in advance - you folks are really a GODsend to/for me.

    jazzman1
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi jazzman1,

    This may help with explaining what the KHost.exe file is: Kontiki Help. They also have uninstall instructions further down on the page.

    I'm afraid I am not familiar with Hewlett-Packard that much, or what their install files are. It may be a false positive, but if you could tell us the name of the file TDS-3 is identifying as Python-2.2.1, that could help us. You can also submit the file to submit@diamondcs.com.au for analysis.

    Regards,

    snap
     
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    You mean the Python as in the Python programming language? On a quick look, it seems that version would date from 2002-3 or so.

    Blue
     
  4. jazzman1

    jazzman1 Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    5
    Location:
    Pasadena, CA
    Hi All
    Thanks for your responses. The file that TDS-3 identified was "Python-2.2.1"; that's all it said. I have no idea why I would have an Apache Python file on my computer anyway. o_O o_O That's what I would really like to know - couldn't be used by Windows XP Home Edition, could it?

    ADDENDUM:
    I have noticed activity on the machine in the middle of the night reported in the Tiny Personal Firewall log that the machine is "reaching out" to some known SPAM IP ADDRESSES (as reported by ARIN). Am I a SPAMMER now? Could it be that a "spam engine" using python somehow has been dropped on me? I don't want to get unreasonably paranoid but I have to ask at this point because I just don't know.

    I have also noticed a file called "apcuspd.exe", which is a complex UPS monitoring file capable of initiating its own "outbound" contact attempts to get through the firewall too - the firewall blocks it - but I don't even use a UPS, nor have I ever installed or used one. Just an observation I thought MAY be good to mention.

    I can forward the pages from ARIN if you like as well as the Firewall logs. Let me know.

    Thanks for all your help too.
    Jazzman1 :rolleyes:
     
  5. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Well, you can get Windows versions of Python. I assume the TDS flag is for multiple filename extensions, which is a fairly common approach by malware but can be benign.

    What process is initiating the outbound contact?

    Blue
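
The "multiple filename extensions" rule Blue assumes TDS-3 applied can be written down as a simple heuristic. The following is an added example, not code from the thread and not DiamondCS code: it flags a name whose final extension is executable but which also carries a document or media extension earlier in the name (the classic disguise), while a version-numbered name such as Python-2.2.1, which has several dots but no executable extension, is left alone. The extension sets and the sample filenames below are constructed for the example.

```python
"""Heuristic check for suspicious multiple filename extensions.

Added example (assumption: this is the kind of rule a scanner like TDS-3
applies; the real TDS-3 rule is not documented on the page).
"""

# Extensions Windows will run directly (constructed short list for the example).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "wsf", "hta"}

# Extensions that make a file look like a harmless document or media file,
# which is exactly what a disguised executable wants to resemble.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf",
              "mp3", "avi", "zip", "htm", "html"}


def extension_parts(name):
    """Return the dot-separated parts after the first dot, lower-cased and
    stripped of padding spaces (a common trick to push '.exe' out of view).

    'Photo.JPG   .exe' -> ['jpg', 'exe'];  'Python-2.2.1' -> ['2', '1']
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return [p.strip().lower() for p in base.split(".")[1:]]


def classify(name):
    """Classify a filename.

    'plain'                : zero or one extension, nothing to see
    'multi-dot-benign'     : several dots but the final part is not executable
    'multi-dot-executable' : executable with an extra dotted part (worth a look)
    'executable-disguised' : executable hiding behind a document/media extension
    """
    parts = extension_parts(name)
    if len(parts) < 2:
        return "plain"
    final = parts[-1]
    if final not in EXECUTABLE_EXTS:
        return "multi-dot-benign"
    if any(p in DECOY_EXTS for p in parts[:-1]):
        return "executable-disguised"
    return "multi-dot-executable"


def scan(names):
    """Return (name, verdict) for the entries a human should actually review."""
    verdicts = [(n, classify(n)) for n in names]
    return [(n, v) for n, v in verdicts if v not in ("plain", "multi-dot-benign")]


# Constructed sample directory listing; only Python-2.2.1 comes from the thread.
SAMPLE = [
    "Python-2.2.1",
    "README.txt",
    "setup.exe",
    "holiday.jpg.exe",
    "invoice.pdf   .scr",
    "update.v2.exe",
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE):
        print("%-22s %s" % (name, verdict))
```

The point of the separate `multi-dot-benign` verdict is the false-positive case from this thread: a scanner that only counts dots will flag version strings and leave the user chasing a harmless directory name, so the check should be anchored on the final extension, not on the dot count.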
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You did not install Port Explorer yet?
    (free trial www.diamondcs.com.au )
    Enables you to look at / block / spy on / log the process and its sockets, so you might be able to see exactly what causes the reaching out and what it does.
    Is there just a program looking for updates or other stuff, etc.?
    Port Explorer will show you in the blink of an eye what is connecting, which applications etc., so it eases answering Blue's question.
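
Blue's question (which process initiates the outbound contact) and Jooske's answer (a socket-to-process view) can also be answered with the tools built into Windows, by joining the output of `netstat -ano` with the output of `tasklist` on the PID column. The script below is an added example, not part of the thread and not DiamondCS code; it assumes both commands are available (`tasklist` ships with XP Professional and later; on XP Home a tool such as Port Explorer fills that role). The two captures and the watch list are CONSTRUCTED samples: the addresses are RFC 5737 documentation ranges standing in for the addresses from the firewall log, and `unknownsvc.exe` is a made-up process name.

```python
"""Name the process behind each outbound connection by joining
`netstat -ano` output with `tasklist` output on the PID.

Added example; the captures below are constructed, not real logs.
"""
import re

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    192.168.1.10:1034      203.0.113.25:25        ESTABLISHED     1436
  TCP    192.168.1.10:1035      198.51.100.7:80        ESTABLISHED     2212
  TCP    192.168.1.10:1036      203.0.113.25:25        SYN_SENT        1436
  UDP    192.168.1.10:137       *:*                                    4
"""

TASKLIST_SAMPLE = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    936 Console                    0      4,212 K
unknownsvc.exe                1436 Console                    0      5,120 K
iexplore.exe                  2212 Console                    0     18,004 K
"""

# Constructed watch list: the addresses the firewall log showed the machine contacting.
WATCHLIST = frozenset({"203.0.113.25"})

# tasklist rows: image name (may contain spaces), PID, session name, session#, memory.
TASKLIST_RE = re.compile(r"^(.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """Return one dict per TCP/UDP line of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP":
            proto, local, remote, state, pid = fields
        else:  # UDP lines have no State column
            proto, local, remote, pid = fields
            state = ""
        remote_ip, remote_port = remote.rsplit(":", 1)
        rows.append({"proto": proto, "local": local, "remote_ip": remote_ip,
                     "remote_port": remote_port, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def outbound_by_process(netstat_text, tasklist_text, watchlist=WATCHLIST):
    """Return (process, pid, remote_ip, remote_port, state, on_watchlist) for
    every socket with a real remote peer; listeners and wildcards are dropped."""
    procs = parse_tasklist(tasklist_text)
    result = []
    for row in parse_netstat(netstat_text):
        if row["remote_ip"] in ("0.0.0.0", "*", "[::]"):
            continue
        name = procs.get(row["pid"], "<unknown pid>")
        result.append((name, row["pid"], row["remote_ip"], row["remote_port"],
                       row["state"], row["remote_ip"] in watchlist))
    return result


def flagged(netstat_text, tasklist_text, watchlist=WATCHLIST):
    """Only the connections whose remote address is on the watch list."""
    return [r for r in outbound_by_process(netstat_text, tasklist_text, watchlist) if r[5]]


if __name__ == "__main__":
    for name, pid, ip, port, state, hit in outbound_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        mark = "  <-- watch list" if hit else ""
        print("%-16s pid %-5d -> %s:%s %s%s" % (name, pid, ip, port, state, mark))
```

Run the two commands on the affected machine, save their output to files, and feed those files to `outbound_by_process` in place of the samples; a `SYN_SENT` row to a watch-listed address names the process to investigate, and a PID that `tasklist` cannot name is itself worth a second look.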
     