Take a Look

Discussion in 'Malware Help (A Specialist Will Reply)' started by Sythik, Aug 18, 2005.

  1. Sythik

    Sythik Private E-2

    Not sure what's up, just wanting to get rid of anything that isn't supposed to be there. I also want to minimize my startup to only include things I must have. Thanks.

    Edit by chaslang: Unrequested inline log removed
     
    Last edited by a moderator: Aug 18, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested, and then they must be attachments to your message. This forum is for discussing malware problems, which takes up all of our time. General discussions about what you need and do not need are really topics for the Software Forum, not here. That tends to eat up a load of our time. And only you should know what you use and do not use. We cannot decide that for you.

    One comment, Wild Tangent can go. Uninstall if found in Add/Remove programs.


    If you have malware problems then please run the steps below.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, boot into normal mode and make sure you follow these directions:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Sythik

    Sythik Private E-2

    OK, got it, but what about this one from my other computer? It looks pretty bad.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. Sythik

    Sythik Private E-2

    OK, I did everything in the tutorial, downloaded all the stuff, updated it, and ran it, exactly like it said. I still have a lot of stuff going on I need help with though, please. Here is my updated HiJackThis.log
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you use this Kontiki download stuff?
    C:\WINDOWS\kdx\KHost.exe
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab

    See: http://startup.iamnotageek.com/srch-KHost.exe.html

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: (no name) - {34A44FCF-50E3-63A5-A8DA-7835752B9571} - (no file)
    O4 - HKLM\..\Run: [mefcOI1X] C:\documents and settings\owner\local settings\temp\mefcOI1X.exe
    O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\system32\BmtZ.exe
    O4 - HKLM\..\Run: [6hrzCSo9] C:\documents and settings\owner\local settings\temp\6hrzCSo9.exe
    O4 - HKLM\..\Run: [oFrW3EW] cnvmgdev.exe
    O4 - HKCU\..\Run: [Zo06ROa7g] polhst3g.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\documents and settings\owner\local settings\temp\mefcOI1X.exe
    C:\documents and settings\owner\local settings\temp\6hrzCSo9.exe <--- in fact delete all files that it allows in this temp folder
    C:\WINDOWS\system32\BmtZ.exe
    C:\WINDOWS\system32\cnvmgdev.exe
    C:\WINDOWS\system32\polhst3g.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to C:\Windows\Prefetch and delete all files in this folder.
    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
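    The triage in the post above follows a few repeatable patterns: entries whose component is "(no file)" or "(file missing)", Run values launching from the user's temp folder, Run values with random-looking names, unqualified filenames that the loader resolves through the search path, a start page nobody set, and downloaded ActiveX controls. The script below is an added example, not part of the original thread or of HijackThis itself: it parses HJT 1.99-style log lines and returns the lines to tick in HJT plus the files to delete in safe mode. SAMPLE_LOG is constructed from the log lines quoted in this thread; the allowlist of expected home page hosts, the "random name" heuristic, and the resolution of bare filenames to C:\WINDOWS\system32 (chaslang's resolution above) are assumptions of the example.

```python
"""Triage of HijackThis (HJT) 1.99 log lines.

Added example, not code from the thread or from HJT. It encodes the patterns
chaslang acted on in post 6 and returns (a) the lines to tick in HJT and
(b) the files to delete afterwards in safe mode.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the log lines quoted in the thread (two benign entries added).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O4 - HKLM\..\Run: [mefcOI1X] C:\documents and settings\owner\local settings\temp\mefcOI1X.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\system32\BmtZ.exe
O4 - HKLM\..\Run: [oFrW3EW] cnvmgdev.exe
O4 - HKCU\..\Run: [Zo06ROa7g] polhst3g.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
"""

# Per-user temp folder, the launch point used by the entries fixed in the thread.
TEMP_MARKER = "\\local settings\\temp\\"
# Assumption: a bare filename in a Run value lives in system32 (as chaslang resolved it).
SYSTEM32 = "C:\\WINDOWS\\system32"
# Assumption: the start pages the owner actually configured.
EXPECTED_HOMEPAGE_HOSTS = {"www.majorgeeks.com"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
R0_RE = re.compile(r"^R0 - .*Start Page = (?P<url>\S+)")


@dataclass(frozen=True)
class Finding:
    line: str                   # the HJT line to tick before clicking Fix
    reason: str                 # why it was flagged
    delete_path: Optional[str] = None  # file to remove in safe mode, if any


def looks_random(name: str) -> bool:
    """Heuristic for generated Run value names such as 2P6WFAX43ZHE7C:
    letters and digits mixed in one token of six or more characters."""
    if " " in name or len(name) < 6:
        return False
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def executable_of(cmd: str) -> str:
    """Return the program part of a Run value: the quoted path, or text up to .exe."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            findings.append(Finding(line, "orphaned entry: registered component has no file on disk"))
            continue
        m = R0_RE.match(line)
        if m:
            host = m.group("url").split("/")[2]
            if host not in EXPECTED_HOMEPAGE_HOSTS:
                findings.append(Finding(line, f"start page points at unexpected host {host}"))
            continue
        if line.startswith("R1 - ") and "ProxyOverride" in line:
            findings.append(Finding(line, "ProxyOverride present: confirm the owner configured it"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            reasons = []
            if TEMP_MARKER in exe.lower():
                reasons.append("launches from the user's temp folder")
            if "\\" not in exe:
                reasons.append("unqualified filename resolved through the search path")
                exe = SYSTEM32 + "\\" + exe  # assumption, see SYSTEM32
            if looks_random(m.group("name")):
                reasons.append("random-looking value name")
            if reasons:
                findings.append(Finding(line, "; ".join(reasons), exe))
            continue
        if line.startswith("O16 - DPF:"):
            findings.append(Finding(line, "downloaded ActiveX control: remove unless the site is trusted"))
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """Lines to tick in HJT before clicking Fix."""
    return [f.line for f in findings]


def files_to_delete(findings: List[Finding]) -> List[str]:
    """Files to delete from Windows Explorer in safe mode, in log order."""
    return [f.delete_path for f in findings if f.delete_path]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
    print("delete in safe mode:", *files_to_delete(triage(SAMPLE_LOG)), sep="\n    ")
```

    The two benign lines (QuickTime Task, hpsysdrv) pass untouched, which is the point of the heuristic: it only mimics the signals chaslang used, so anything it flags still needs the Google-the-filename check the thread recommends, and anything it misses (an O16 or Global Startup entry for software the owner knowingly installed) is a judgement call the log cannot make for you.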
     
  7. Sythik

    Sythik Private E-2

    I do not knowingly use the Kontiki download stuff, so if we should get rid of it, let's have at it.

    system restore is disabled; all hidden files are viewable...

    After I ran HijackThis and rebooted into safe mode, I didn't find any of these files:
    C:\documents and settings\owner\local settings\temp\mefcOI1X.exe
    C:\documents and settings\owner\local settings\temp\6hrzCSo9.exe
    C:\WINDOWS\system32\BmtZ.exe
    C:\WINDOWS\system32\cnvmgdev.exe
    C:\WINDOWS\system32\polhst3g.exe

    but I did delete all files that were in the temp folder

    Still a lot of stuff going on.
     

    Attached Files:

  8. Sythik

    Sythik Private E-2

    I ran HJT and fixed: O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

    I looked in the file and deleted khost.exe but not the whole file because these files were still there:

    kdx.inf klws.dll kpgreader.exe libnspr4.dll mdutil_c.dll zlib.dll

    If I don't need these, let me know and I will delete the whole folder.

    When I reboot, I still have a lot of stuff starting with startup that I don't need and need to stop from doing this. I also get a Runner Error: Invalid Backweb application id "1940576". I also get a Network Connect a lot of the time saying things are requesting information from AOL and asking if I want to connect or not; how do I stop that from happening?
     

    Attached Files:

  9. Sythik

    Sythik Private E-2

    I posted two logs, I didn't know if you wanted one in safe mode or normal startup mode, or if they are different or what...

    Here is the ewido report:

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 11:55:01 AM, 8/19/2005
    + Report-Checksum: 1951A2FC

    + Scan result:

    No infected objects found.


    ::Report End
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HJT logs are almost always needed from normal boot mode.

    Right now your log appears to be clean other than the below O16 line which may be part of the Kontiki stuff. Did you look for it in Add/Remove programs? Uninstall if found. Also delete that whole folder you mention you did not delete: C:\WINDOWS\kdx

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab


    Are you having any malware problems presently?
     
  11. Sythik

    Sythik Private E-2

    I fixed that line and deleted the KDX folder with all that other stuff in it. It wasn't on the Add/Remove list. I'm not sure of any other malware problems, just the other annoyances mentioned before.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are referring to backweb, have HJT fix the below line:

    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe

    What specifically are your other issues?
     
  13. Sythik

    Sythik Private E-2

    Hrmm, I still have a lot of stuff with startup and I am also having a Windows Installer window open every startup, which says hp psc 1200 series and installs some file every startup. And sometimes I also get a Network Connect saying things are requesting information from AOL and asking if I want to connect or not; how do I stop that from happening?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the below still in your HJT log:

    O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe

    If so look for it in Add/Remove programs and uninstall if found. Otherwise, have HJT fix this entry and then boot into safe mode and delete the C:\Program Files\Common files\SearchUpgrader folder.

    You need to decide which items you use or need at Startup and which you do not. There are tons of things for your printer and AOL in there. We have no idea what you want or like. Do you use AOL? Do you use their Toolbar? Take a look at the log yourself and do a search on Google for the processes (the .exe filenames) and get an idea what you may or may not need. As a quick pointer to a couple of unnecessary items at startup, here are some:

    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\VISION~1\PAPERP~1\PPWebCap.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
     
  15. Sythik

    Sythik Private E-2

    I removed the SearchUpgrader entry, but didn't find the folder. I removed all those things you had listed. I do use AOL sometimes, but I don't need it loading every startup, right? Anything else you see I can get rid of, let me know; here is my updated log file.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why don't you run like this for a while and make sure everything is okay and that you are not missing anything you need?

    So other than questions about Startup items, how is everything working?
     
  17. Sythik

    Sythik Private E-2

    I think everything is good now, Thank You and D3m3nt3d very much.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

