Clkoptimizer and Narrator

Discussion in 'Malware Help (A Specialist Will Reply)' started by Djay, Jan 15, 2005.

  1. Djay

    Djay Private E-2

    On 12/31, I was hijacked. After completing everything on "...you have read this", and installing Spy Sweeper, which btw picked up 29 known threats, Clkoptimizer and Narrator (wiwrku) keep coming back. I removed Narrator with HijackThis several times in safe mode with the restore off. Btw, Norton got 2 viruses, and the other on-line sweeps picked up 3 more. All Trojans. I always update all the spy detection tools and Norton.

    Info that may help: Ad-aware picks up CoolWeb and VX2 after Narrator reinstalls. They are located in windows/system32/eoebap.dll (I did do the VX2 plug-in).

    Spy Sweeper picks up huhtng.exe after Narrator reinstalls. It is also running in start. Could this be related?

    Just for fun, I ran the search files for the date and time the virus hit me and it came up with 234 .exe apps or prefetch installed or modified at that time. Now I run it and it comes up with six or so.
    They are: stcupdt.exe in Recycle Bin (second thought?), bundles.exe in Recycle Bin, sahagent.exe in C:\temp, secure.exe in C:\windows\system32 and the secure uninstaller.exe

    Also, two items on the hijack this log that we do not recognize and can't find are: C:\windows\system32\fmwgyc.exe and C:\windows\system32\ottljc.exe.

    My sister, a geek, helped me with most, but we need help with this one. Thanks in advance.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run all steps from READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal then do the below.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Also for the VX2 problem (you may have the new type) do the below to get ready to fix it:

    Download the below tools (but only run what I tell you to run):

    Pocket KillBox

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Generic Find It Tool - NT/2000/XP

    Extract all the files from the Generic Tool into its own folder (like c:\FindIt).
    Then run find.bat. Post the log it creates back here as an attachment. Make sure you wait long enough. The log will pop up when it completes.
     
  3. Djay

    Djay Private E-2

    Thanks for responding, I did work through "Read this first . . ." Time consuming, but very effective. Makes me appreciate the amount of time and energy you and your counterparts put into this support forum. I will run the HJT log and the find.bat log and post according to the instructions. I will try to get back to it tonight. Thanks again. Later.
     
    Last edited: Jan 16, 2005
  4. Djay

    Djay Private E-2

    Ok, here are the two logs. Very interesting. You should know that I ran through the "Read me first..." steps several weeks ago. I did not do it again, so you can see all the stuff that keeps coming back. Thanks again and again.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First look in Add/Remove Programs for an uninstall related to WildTangent and use it if found.

    Okay here is the first part of the clean up! My next message will be part 2.

    PART 1:
    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\huhtng.exe


    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: SDWin32 Class - {340B7310-B7E6-48C0-A600-6D73A5C33237} - C:\WINDOWS\system32\fmwgy.dll
    O2 - BHO: SDWin32 Class - {DB56D7ED-70F7-473A-889C-5DC730F8B781} - C:\WINDOWS\system32\ottlj.dll
    O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\huhtng.exe
    C:\WINDOWS\system32\fmwgy.dll
    C:\WINDOWS\system32\ottlj.dll
    C:\Program Files\WildTangent <--- the whole folder if it still exists

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.


    The below two are up to you but they are not necessary and my personal preference is for no automatic updates. I'll do them myself when I want and install only what I want and need.

    backweb-8876480.exe is a process that comes with the Logitech products software. It manages the automatic update check as well as providing you with news of the latest offers and products from Logitech. This is a non-essential process.
    LDMConf.exe - Installed with the software for Logitech products. Automatically checks for software upgrades AND new products, services and special offerings from Logitech.

    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
     
    Last edited: Jan 17, 2005
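The O2 (Browser Helper Object) and O4 (autostart) lines chaslang picks out above follow a fixed HijackThis layout, and the only way to judge them is to get at the file each one loads, including the DLL hidden behind a RUNDLL32 command. The Python below is an added example, not a tool from this thread or from HijackThis: it parses those two line types and reports which entries load one of the file names named as suspect in the thread (the sample log is constructed from the lines quoted in the post above).

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: SDWin32 Class - {340B7310-B7E6-48C0-A600-6D73A5C33237} - C:\WINDOWS\system32\fmwgy.dll
O2 - BHO: SDWin32 Class - {DB56D7ED-70F7-473A-889C-5DC730F8B781} - C:\WINDOWS\system32\ottlj.dll
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
"""

# O2 = Browser Helper Object: display name, CLSID, DLL path.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# O4 = autostart: either "Key: [ValueName] command" or "Global Startup: foo.lnk = target".
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<value>[^\]]*)\] |(?P<lnk>.+?) = )(?P<cmd>.+)$")
IMG_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|com|scr|bat|cmd))(?=\s|$)", re.I)


def image_path(cmd: str) -> str:
    """Return the file an O4 command line actually loads (unquoted paths may contain spaces)."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32.exe "):
        # rundll32 loads <dll>,<entrypoint>; the DLL is the interesting part
        cmd = cmd[len("rundll32.exe "):].lstrip().split(",", 1)[0]
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = IMG_RE.match(cmd)
    return m["path"] if m else cmd


def parse_hjt(log: str) -> list[dict]:
    """Parse O2 and O4 lines into dicts; other HJT sections are ignored here."""
    entries = []
    for line in log.splitlines():
        if m := O2_RE.match(line):
            entries.append({"type": "O2", "name": m["name"], "clsid": m["clsid"], "path": m["path"]})
        elif m := O4_RE.match(line):
            name = m["value"] if m["value"] is not None else m["lnk"]
            entries.append({"type": "O4", "where": m["where"], "name": name, "path": image_path(m["cmd"])})
    return entries


def match_suspects(entries: list[dict], suspect_names: list[str]) -> list[dict]:
    """Entries whose loaded file has one of the given names (case-insensitive, like NTFS)."""
    wanted = {n.lower() for n in suspect_names}
    return [e for e in entries if PureWindowsPath(e["path"]).name.lower() in wanted]


if __name__ == "__main__":
    for hit in match_suspects(parse_hjt(SAMPLE_LOG), ["fmwgy.dll", "ottlj.dll", "wiwrku.exe", "huhtng.exe"]):
        print(hit["type"], hit["name"], "->", hit["path"])
```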
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    PART 2: Make sure you do the other steps in Part 1 first

    Here is a list of files that we need to delete using Killbox (directions on how to are later - just read thru first before doing anything)

    C:\WINDOWS\SYSTEM32\cycopu.dllom
    C:\WINDOWS\SYSTEM32\eoebap.dll
    C:\WINDOWS\SYSTEM32\hzhwqu.exe
    C:\WINDOWS\SYSTEM32\papbvu.dat
    C:\WINDOWS\SYSTEM32\wiwrku.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\huhtng.exe


    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Delete on Reboot.

    Now you are going to repeat the below steps for every file. Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\SYSTEM32\cycopu.dllom

    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files

    DO NOT Allow your machine to Reboot until the last item has been entered:

    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.

    Reboot in normal mode. Tell me if you get any error messages on reboot and tell me the exact messages. (I expect there will be some related to some of the filenames above).

    Now get another find.bat log and also post a new HijackThis log.
     
  7. Djay

    Djay Private E-2

    OK, so far, so good. However, C:\Documents and Settings\All Users\Start Menu\Programs\Startup\huhtng.exe was not in processes. Also, the two files ending in fmwgy.dll and ottlj.dll were gone by the time I went to them through Explorer.
     


  8. Djay

    Djay Private E-2

    I worked through the Killbox procedure, deleting the files you identified on reboot. The box for Dummy was not active, so I could not check it. Here are the two logs, but I am afraid the pesky wiwrku.exe is still there. Very stubborn. Any suggestions?
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, let's try again with some different options and a different approach. This time we will boot to safe mode first and want your connection to the internet physically unplugged (pull the cable). Thus you need to print these instructions or save them in a Notepad file. I also want you to make sure no browsers are opened until I request it.

    So print now, disconnect (unplug), and reboot in safe mode now before continuing.

    Copy and paste the quoted information below into Notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg
    Now double-click on the fixvx2.reg file you made and allow it to merge the registry entries into the registry.

    Here is a list of files that we need to delete using Killbox (directions on how to are later - just read thru first before doing anything)

    C:\WINDOWS\SYSTEM32\cycopu.dll
    C:\WINDOWS\SYSTEM32\eoebap.dll
    C:\WINDOWS\SYSTEM32\hzhwqu.exe
    C:\WINDOWS\SYSTEM32\papbvu.dat
    C:\WINDOWS\SYSTEM32\wiwrku.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\huhtng.exe

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Delete on Reboot.

    Now you are going to repeat the below steps for every file. Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\SYSTEM32\cycopu.dll

    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Delete on Reboot is selected
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files

    DO NOT Allow your machine to Reboot until the last item has been entered (Please tell me if you get any error messages especially one about Pending Operations being canceled).

    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.

    Reboot in normal mode. Tell me if you get any error messages on reboot and tell me the exact messages. (I expect there will be some related to some of the filenames above).

    Now before reconnecting your internet connection and before opening a browser do the below:
    - get another find.bat log and get a new HijackThis log (call these before.txt and hjtbefore.txt)

    Now reconnect your internet connection and open a browser. Then exit the browser and repeat:
    - get another find.bat log and get a new HijackThis log (call these after.txt and hjtafter.txt)

    Now come back here and post the results of all the steps, any error messages, and the four logs. It will take two messages because you can only attach 2 files per message.

    IMPORTANT: DO NOT REBOOT AFTER POSTING. This could cause the problem to mutate possibly making the logs not valid.
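Pocket KillBox's "Delete on Reboot" option relies on Windows' delay-until-reboot file operations, which the operating system records as (source, target) pairs in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, with an empty target meaning delete. This Python is an added example, not a tool from the thread: it encodes and decodes that value so a defender can confirm, before allowing the reboot, that every file on the list above is actually queued; the file list is constructed from the post, and that KillBox writes exactly this value (rather than some other mechanism) is an assumption.

```python
from pathlib import PureWindowsPath

# Constructed from the delete list in the post above.
FILES_TO_DELETE = [
    r"C:\WINDOWS\SYSTEM32\cycopu.dll",
    r"C:\WINDOWS\SYSTEM32\eoebap.dll",
    r"C:\WINDOWS\SYSTEM32\wiwrku.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\huhtng.exe",
]

NT_PREFIX = "\\??\\"  # Win32 paths are stored in NT object-manager form: \??\C:\...


def build_pending_deletes(paths):
    """Encode delete-on-reboot requests as the PendingFileRenameOperations multi-string:
    source path in \\??\\ form followed by an empty target (empty target == delete)."""
    values = []
    for p in paths:
        values.append(NT_PREFIX + str(PureWindowsPath(p)))
        values.append("")
    return values


def parse_pending(values):
    """Decode the multi-string back into (source, target, action) tuples."""
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):
        src = src[len(NT_PREFIX):] if src.startswith(NT_PREFIX) else src
        if dst == "":
            ops.append((src, None, "delete"))
        else:
            dst = dst.lstrip("!")  # a leading '!' means "replace an existing target"
            dst = dst[len(NT_PREFIX):] if dst.startswith(NT_PREFIX) else dst
            ops.append((src, dst, "rename"))
    return ops


def missing_deletes(values, expected_paths):
    """Expected files that are NOT queued for deletion (compared case-insensitively, as NTFS does)."""
    scheduled = {s.lower() for s, _, act in parse_pending(values) if act == "delete"}
    return [p for p in expected_paths if str(PureWindowsPath(p)).lower() not in scheduled]


if __name__ == "__main__":
    queued = build_pending_deletes(FILES_TO_DELETE)
    print("not queued:", missing_deletes(queued, FILES_TO_DELETE))
```

On a live system the same check would read the registry value with winreg and pass the resulting list to missing_deletes.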
     
  10. Djay

    Djay Private E-2

    Thanks, I have an appointment tonight, but am off tomorrow so will do tomorrow morning. I have already printed and am ready to unplug in the morn. I will not reboot after the two postings.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Talk with ya tomorrow!
     
  12. Djay

    Djay Private E-2

    All went well. No messages. While in Killbox, I was able to find all the files through its browse feature, whereas last time most were not there - I had to paste in. That was good. Here are the two before. Once again thanks for taking the time.
     


  13. Djay

    Djay Private E-2

    Here are the two after logs.
     


  14. Djay

    Djay Private E-2

    One more thing, I ran a file search and the following .exe files are still there. If you note the date and time, 12/31, 4:46 p.m., this is the exact time I was infected. I double checked to ensure these files were actually created (instead of modified) at that time. My sister suggested I send to you just in case. I ran the search after this last clean out process. If it is nothing, just let me know. Thanks, Djay.
     


  15. Djay

    Djay Private E-2

    Sorry, I meant 6:46 p.m.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete all files in your C:\windows\prefetch folder and then empty your Recycle Bin.


    How is everything working? Your logs look clean now.
     
    Last edited: Jan 20, 2005
  17. Djay

    Djay Private E-2

    I think we did it! Clkoptimizer is gone and so far so good. Things are running fine, although it takes me five refreshes to pull up the MajorGeeks site. I cleared out the prefetch and the Recycle Bin. My only question is what about that secure.exe and the uninstall for the same? When I go to it, it says created on 12/31. The Norton index lists this name as a potential nasty - using the same name as a good file. What do you think? Once again, your help has been invaluable. My sister says you are very knowledgeable and nice.
     
    Last edited: Jan 20, 2005
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying that when you enter www.majorgeeks.com in your address field and click Go, it does not come up unless you click refresh multiple times? Is this always true? Does it happen for other addresses? Have you tried entering this instead: 67.19.72.100

    Those two other files can more than likely be deleted. They are not part of the default Windows system files. You could take a different approach to be safe. Either rename them and leave them where they are, or move them to a temporary holding folder before deciding whether you need them or not.

    Try this using Windows Explorer: right click on the files and select Rename.
    Rename secure.exe to secure.xxx
    and uninstaller.exe to uninstaller.xxx

    Thank your sister for the compliment.
     
  19. Djay

    Djay Private E-2

    Thanks, I did rename those two files. The internet site issue is mainly when I go to MajorGeeks home page. It happens about 3 out of 4 times. Part of it loads, but only the top part. I first get the message that "Avenue A" wants in and when I click no to stop it, the page stays green. I only have the Avenue A prompt on the home page. Today it did not happen, because I went to the support forum first. I will try putting in the IP address and see what happens.

    It has really been enlightening working through this whole process. Hopefully, I won't have to do this again (for a while anyway). I did install Zone Alarm too. Peace brother and thanks for all the help!
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome Djay! Happy to help! Check going to www.majorgeeks.com now. It may be that you were experiencing some problems we were having. Let me know if you still have problems loading our home page.
     
  21. Djay

    Djay Private E-2

    This is the first time in a week I could get to the Major Geeks site. Spybot kept sending the warning messages, so I changed it to block all pages silently and so far, so good. My only residual problem is when I send an e-mail with an attachment, the attachment shows up as unreadable at the other end. Other than that, everything is running great.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Glad to hear things are running better.

    As far as email attachments being corrupted, I don't believe that is a malware issue. You may want to check in the Software Forum for help on that one. Have you tried sending a compressed ZIP file to someone to see if it arrives okay? ZIP files have CRCs that verify their integrity.
     
