Help please ..

I have just spent 2 weeks recovering a clients computer (Compaq Presario/Intel P4) from some nasties. I have FULLY recovered Windows XP Home Edition and I'm carefully attempting to SEE what is left laying around.

2 files are bothering me. One, found by TDS-3 called Python-2.2.1 in the Manufacturers directory Hewlett-Packard (Yes - it appers that HP INSTALLED this software with THIS computer "for" the user) and another that I can't track down on the hard drive other than there is a Directory called KDX with a file called "khost.ext" that I CANNOT delete. Research has shown me the following:

Name: kdx
Filename: KHost.exe
Location: Unknown
Description: KonTiki Secure Delivery Plug In related. "The Kontiki Delivery Management System (DMS) is a secure delivery network for distribution of video, software, audio, documents, and other digital media. The Kontiki DMS enables enterprises to efficiently publish, secure, deliver and track digital media to employees, partners, and customers"
Startup Type: Currently being identified.

But I CANNOT GET RID OF IT WITH ANY TOOLS THAT I AM AWARE OF?? I have tried the following:

TDS-3
AVG AntiVirus
SpywareBlaster
SpyBot S&D
Microsoft Pest Removal tool
Microsoft AntiVirus
SpySubstract
AboutBuster

And a few that I have NOT mentioned, but NONE OF THEM tells me ANYthing about the mentioned files EXCEPT TDS-3 (python-2.2.1) but TDS-3 mentions NOTHING about KDX. While I'm not surprised because KDX has NOT been determined by the "powers that be" to be a PEST it is still a REAL concern to me.

All I want to do really, is UNinstall it OR be able to DELETE it which I cannot. Any help would be GREATLY appreciated.

Thanks so much in advance - you folks are really a GODsend to/for me.

jazzman1

 

Hi jazzman1,

This may help with explaining what the KHost.exe file is: Kontiki Help They also have uninstall instructions further down on the page.

I'm afraid I am not familiar with Hewlett-Packard that much, or what their install files are. It may be a false/positive, but if you could tell us the name of the file TDS-3 is identifying as Python-2.2.1, that could help us. You can also submit the file to submit@diamondcs.com.au for analysis.

Regards,

snap

 

You mean the Python as in the Python programming language? On a quick look, it seems that version would date from 2002-3 or so.

Blue

 

Hi All
Thanks for your responses. The file that TDS-3 identified was "Python-2.2.1" thats all it said. I have no idea why I would have an Apache Python file on my computer anyway That's what I would really like to know - couldn't be used by Windows XP Home Edition could it?

ADDENDUM:
I have noticed activity on the machine in the middle of the night reported in the Tiny Personal Firewall log that the machine is "reaching out" to some known SPAM IP ADDRESSES (as reported by ARIN). Am I a SPAMMER now? Could it be that a "spam engine" using python somehow has been dropped on me? I don't want to get unreasonably paranoid but I have to ask at this point because I just don't know.

I have also noticed that that a file called "apcuspd.exe", which is a complex UPS monitoring file capable of initiating its own "outbound" contact attempts to get through the firewall too - the firewall blocks it - but I don't even us a UPS nor have I ever installed or used one. Just an observation I thought MAY be good to mention.

I can forward the pages from ARIN if you like as well as the Firewall logs. Let me know.

Thanks for all your help too.
Jazzman1

 

Well, you can get Windows versions of Python. I assume the TDS flag is for multiple filename extensions, which is a fairly common approach by malware but can be benign.

What process is initiating the outbound contact?

Blue

 

You did not install Port Explorer yet?
(free trial www.diamondcs.com.au )
Enables you to look at / block / spy on / log the process and it's sockets so you might be able to see exactly what causes the reaching out and what it does.
Is there just a program looking for updates or other stuff, etc.
Port Explorer will show you in the blink of an eye what is connecting, which applications etc so ease answering Blue's question.