Spyware/Trojans and I still have more [RESOLVED]



#1 DurangoDAWG (Member)
My friend gave me their computer to clean of spyware, viruses, trojans, etc., and I have found plenty of each of them. I have run through the programs CleanUp, CWShredder, AdAware, SpyBot, Ewido, TrojanHunter and AVG, and I still have some hidden monsters. Any help would be appreciated. Below is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:52:48 AM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wuauclt.exe
C:\SpyWare Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Hbjucc] C:\Program Files\Mupft\Dxcih.exe
O4 - HKLM\..\Run: [noC=] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [virD] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.shar...ver/Install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131603448825
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Winkfng - Unknown owner - C:\WINNT\System32\Winkfng.exe (file missing)
O23 - Service: Winkgn - Unknown owner - C:\WINNT\system32\Winkgn.exe (file missing)
O23 - Service: Winkjq - Unknown owner - C:\WINNT\system32\Winkjq.exe (file missing)
#2 jwbirdsong (Trusted Helper, Retired Staff)
First of all, you may want to print out this post or save a copy as a text file in Notepad so that you have a hard copy of these instructions; you cannot have IE/Firefox/any browser open during the fix.

I see you are running Kazaa; if this is the free version, I strongly suggest we remove it, as it is a MAJOR contributor to infections and contains adware itself. The paid version is purportedly clean.

If you wish to remove it, please advise in your next post, because improper removal CAN/WILL break your internet access. More info and clean options are available HERE.

Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

After you are all clean please set these back to the default settings in case I forget to remind you.

Please run HijackThis and click "Scan." Place checks next to the following entries:

O4 - HKLM\..\Run: [Hbjucc] C:\Program Files\Mupft\Dxcih.exe
O4 - HKLM\..\Run: [noC=] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [virD] C:\windows\mrjj.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.shar...ver/Install.cab
O23 - Service: Winkfng - Unknown owner - C:\WINNT\System32\Winkfng.exe (file missing)
O23 - Service: Winkgn - Unknown owner - C:\WINNT\system32\Winkgn.exe (file missing)
O23 - Service: Winkjq - Unknown owner - C:\WINNT\system32\Winkjq.exe (file missing)

Close all browser and other windows except for HijackThis, and click "Fix Checked".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Next, delete the following folders (if they exist):

C:\Program Files\Mupft\ <<---- Entire Folder

Also, delete the following files (if they exist):

C:\windows\mrjj.exe

Delete the files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN Temp, but not Temp itself!):
• C:\Windows\Temp\
• C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
• C:\Documents and Settings\<All other users' Profile>\Local Settings\Temp\
• C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <--- This will delete your internet cache, including cookies. This is recommended and strongly suggested.
• C:\Documents and Settings\<All other users' Profile>\Local Settings\Temporary Internet Files\
• Empty your "Recycle Bin"

There are always a couple of files that you will not be able to delete. This is normal and expected.

Restart your computer and run the Panda ActiveScan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis log in a reply to this thread.
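The entries singled out in the reply above share a few mechanical red flags: a Run entry that launches from C:\windows on a machine whose running processes show the system directory is C:\WINNT, one executable registered under several Run names, a host added to the IE Trusted Zone, a DPF (ActiveX download) with no registered control name, and a service with an unknown owner whose binary is missing. The following Python script is an added example, not part of this thread and not a HijackThis feature: it parses a constructed excerpt of the first log and applies those checks. The heuristics, the `triage`/`system_dir` names and the `Finding` record are this example's own assumptions; a hit is a prompt for a person to look at the entry, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the first HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\SpyWare Folder\HijackThis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Hbjucc] C:\Program Files\Mupft\Dxcih.exe
O4 - HKLM\..\Run: [noC=] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [virD] C:\windows\mrjj.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.shar...ver/Install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131603448825
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Winkfng - Unknown owner - C:\WINNT\System32\Winkfng.exe (file missing)
"""

# One regex per HijackThis section we triage (the section codes are HijackThis's own).
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^Trusted Zone: (?P<url>\S+)")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def system_dir(log: str) -> Optional[str]:
    """Windows directory as revealed by the smss.exe path under 'Running processes'."""
    in_procs = False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line.strip():
                break
            m = re.match(r"^([A-Za-z]:\\[^\\]+)\\", line)
            if m and line.lower().endswith("\\smss.exe"):
                return m.group(1)
    return None


def triage(log: str) -> List[Finding]:
    """Apply the heuristics (this example's own assumptions) and return one Finding per hit."""
    sysdir = (system_dir(log) or "").lower()
    findings: List[Finding] = []
    run_targets = {}  # lower-cased executable -> Run value names that launch it
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            o4 = O4_RE.match(body)
            exe_m = EXE_RE.match(o4.group("cmd")) if o4 else None
            if not exe_m:
                continue
            exe = exe_m.group("exe")
            run_targets.setdefault(exe.lower(), []).append(o4.group("name"))
            parts = exe.split("\\")
            # A "Windows" directory that is not the one the OS runs from is a classic decoy location.
            if len(parts) >= 3 and parts[1].lower() in ("windows", "winnt"):
                if sysdir and "\\".join(parts[:2]).lower() != sysdir:
                    findings.append(Finding(sec, "launches from a Windows directory that is not the system directory", line))
        elif sec == "O15" and O15_RE.match(body):
            findings.append(Finding(sec, "host added to the IE Trusted Zone (lowers browser security for that site)", line))
        elif sec == "O16":
            o16 = O16_RE.match(body)
            if o16 and not o16.group("name"):
                findings.append(Finding(sec, "ActiveX download (DPF) with no registered control name", line))
        elif sec == "O23":
            o23 = O23_RE.match(body)
            if o23 and o23.group("missing") and o23.group("owner") == "Unknown owner":
                findings.append(Finding(sec, "service of unknown owner whose binary is missing (orphaned registration)", line))
    for exe, names in run_targets.items():
        if len(names) > 1:
            findings.append(Finding("O4", f"same executable registered under {len(names)} Run names: {', '.join(names)}", exe))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the excerpt, the script reports the two C:\windows\mrjj.exe Run entries, the mrjj.exe double registration, the Trusted Zone host, the nameless DPF and the orphaned Winkfng service, which is the same set the helper marked for "Fix Checked"; the Mupft entry is not caught by any of these rules, which is why a log still needs a reader.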

#3 DurangoDAWG (Topic Starter, Member)
Thank you in advance for all the help you will be giving.

I did the list of items (some items were not found when in Safe Mode). Also, during the Panda scan I did not see an autoclean checkbox (it looks like that is not available in the free version for spyware). Below are my Panda scan and HJT log.


Incident Status Location

Adware:adware/portalscan No disinfected C:\WINNT\SYSTEM32\winupdt.bin
Spyware:spyware/new.net No disinfected C:\WINNT\NDNuninstall4_88.exe
Adware:adware/sahagent No disinfected C:\WINNT\unstall.exe
Adware:adware/novo No disinfected Windows Registry
Virus:W32/Klez.I Disinfected C:\Program Files\America Online 7.0\download\All\All.mim[All.exe]
Adware:Adware/BrilliantDigital No disinfected C:\RECYCLER\S-1-5-21-3675345140-2382750585-1605616401-500\Dc1\bdcore.dll
Spyware:Spyware/New.net No disinfected C:\WINNT\NDNuninstall4_88.exe
Spyware:Spyware/New.net No disinfected C:\WINNT\NDNuninstall4_94.exe
Spyware:Spyware/New.net No disinfected C:\WINNT\NDNuninstall5_48.exe
Spyware:Spyware/Media-motor No disinfected C:\WINNT\unstall.exe
Adware:Adware/Novo No disinfected C:\WINNT\UPD\hsikqvhbws.exe


Logfile of HijackThis v1.99.1
Scan saved at 8:27:18 AM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\SpyWare Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131603448825
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#4 DurangoDAWG (Topic Starter, Member)
Forgot to add about Kazaa. I tried to uninstall using add/remove programs but it comes back with a message box that states:
Error loading C:\WINNT\System32\cd_clint.dll

The specified module could not be found.

I also don't see the Kazaa folder under Program Files, so I am not sure if what is left is a ghost, but I would like to remove it from the system (knowing it can be a cause of problems).

#5 jwbirdsong (Trusted Helper, Retired Staff)
Well, your LOG is looking pretty good; let's do a couple of things to clean up and then see what we can find out about Kazaa.

To remove New.net, please follow these steps:

1. Click on Start, Control Panel, click on Add/Remove Programs
2. Look through the installed programs for an entry called New.Net or NewDotNet.
3. If there is no uninstall program listed then do the following:
* Go to www.newdotnet.com/removal.html
* Scroll down to Procedure 4 and follow the removal instructions.

Reboot your computer.



First of all, you may want to print out this post or save a copy as a text file in Notepad so that you have a hard copy of these instructions; you cannot have IE/Firefox/any browser open during the fix.

Please run HijackThis and click "Scan." Place checks next to the following entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

You may also optionally check the following entries for removal; they are ALL programs that are NOT needed at startup and can be run any time you need them:

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

Close all browser and other windows except for HijackThis, and click "Fix Checked".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Next, delete the following folders (if they exist):
C:\WINNT\UPD

Also, delete the following files (if they exist):
C:\WINNT\SYSTEM32\winupdt.bin
C:\WINNT\unstall.exe
C:\WINNT\NDNuninstall4_88.exe
C:\WINNT\NDNuninstall4_94.exe
C:\WINNT\NDNuninstall5_48.exe
C:\WINNT\unstall.exe

Delete the files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN Temp, but not Temp itself!):
• C:\Windows\Temp\
• C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
• C:\Documents and Settings\<All other users' Profile>\Local Settings\Temp\
• C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <--- This will delete your internet cache, including cookies. This is recommended and strongly suggested.
• C:\Documents and Settings\<All other users' Profile>\Local Settings\Temporary Internet Files\
• Empty your "Recycle Bin"

There are always a couple of files that you will not be able to delete. This is normal and expected.


Restart your computer and download Bobbi Flekman's Regsearch from HERE. Unzip it to your desktop, or anywhere else you'd like to keep it, and double-click on Regsearch.exe. Type kazaa into the TOP section (search for), make sure the bottom section is blank, and click OK. Copy and paste the resulting log back here along with a new HijackThis log.

#6 DurangoDAWG (Topic Starter, Member)
I went through the list as directed. Just an FYI: when I downloaded the New.Dot uninstall and tried to run it, Ewido yelled at me about possible malicious code (but I ran it as directed).

REGEDIT4

; Registry Search by Bobbi Flekman © 2005
; Version: 1.0.2.2

; Results at 11/13/2005 3:59:40 PM for strings:
; 'kazaa'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{260240CF-5AD9-4A62-A0CB-A0963F852894}]
@="KazaaMan Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{260240CF-5AD9-4A62-A0CB-A0963F852894}\ProgID]
@="KazaaConnect.KazaaMan.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{260240CF-5AD9-4A62-A0CB-A0963F852894}\VersionIndependentProgID]
@="KazaaConnect.KazaaMan"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55A3781E-5251-4894-AA7D-DF389C5795A9}]
@="IKazaaMan"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan]
@="KazaaMan Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan\CurVer]
@="KazaaConnect.KazaaMan.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan.1]
@="KazaaMan Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{BFD09628-386E-42E6-9EFF-D0FDC15BB36C}\1.0]
@="KazaaConnect 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\KaZaA]

[HKEY_LOCAL_MACHINE\SOFTWARE\KaZaA\Bandwidth]

[HKEY_LOCAL_MACHINE\SOFTWARE\KaZaA\Bandwidth\in]

[HKEY_LOCAL_MACHINE\SOFTWARE\KaZaA\Bandwidth\LastEstimate]

[HKEY_LOCAL_MACHINE\SOFTWARE\KaZaA\Bandwidth\out]

[HKEY_LOCAL_MACHINE\SOFTWARE\KaZaA\CloudLoad]

[HKEY_LOCAL_MACHINE\SOFTWARE\KaZaA\CloudLoad]
"ShareDir"="C:\\Program Files\\Kazaa\\My Shared Folder"

[HKEY_LOCAL_MACHINE\SOFTWARE\KaZaA\CloudLoad]
"ExeDir"="C:\\Program Files\\Kazaa"

[HKEY_LOCAL_MACHINE\SOFTWARE\KaZaA\ConnectionInfo]

[HKEY_LOCAL_MACHINE\SOFTWARE\KaZaA\ConnectionInfo]
"KazaaNet"=hex:01,e7,78,0b,18,50,0d,42,00,bb,78,71,43,fa,9e,0d,18,5a,0d,41,00,\

[HKEY_LOCAL_MACHINE\SOFTWARE\KaZaA\LocalContent]

[HKEY_LOCAL_MACHINE\SOFTWARE\KaZaA\LocalContent]
"DownloadDir"="C:\\Program Files\\Kazaa\\My Shared Folder"

[HKEY_LOCAL_MACHINE\SOFTWARE\KaZaA\LocalContent]
"DatabaseDir"="C:\\Program Files\\Kazaa\\Db"

[HKEY_LOCAL_MACHINE\SOFTWARE\KaZaA\Settings]

[HKEY_LOCAL_MACHINE\SOFTWARE\KOptimizer]
"UninstallContentPath"="C:\\Program Files\\Kazaa\\Content"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\D:\InstallShield\Kazaa]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\D:\InstallShield\Kazaa\kazaa.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\D:\InstallShield\Kazaa\kazaa.exe]
"Path"="C:\\Program Files\\Kazaa"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\D:\InstallShield\Kazaa\kazaa.exe]
@="C:\\Program Files\\Kazaa\\D:\\InstallShield\\Kazaa\\kazaa.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2756524-E9F9-4AC1-AF4E-15F3460ACB3E}]
"DisplayName"="Kazaa Media Desktop 2.0.2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Sharman Networks Ltd\Kazaa Media Desktop 2.0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Sharman Networks Ltd\Kazaa Media Desktop 2.0\2.0.0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Sharman Networks Ltd\Kazaa Media Desktop 2.0.2]

[HKEY_LOCAL_MACHINE\SOFTWARE\Sharman Networks Ltd\Kazaa Media Desktop 2.0.2\2.0.2]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kazaa-lite.ws]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kazaa-lite.ws]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kazaa-lite.ws]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Advanced]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\InstantMessaging]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Kazaa Media Desktop]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Kazaa Media Desktop\Settings]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\LocalContent]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\LocalContent]
"DownloadDir"="C:\\Program Files\\Kazaa\\My Shared Folder"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\LocalContent]
"Dir0"="012345:C:\\Program Files\\Kazaa\\Content"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Promotions]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Promotions\Broadband]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Promotions\Broadband]
"BBDbLoc"="C:\\Program Files\\Kazaa\\Db\\bb.db"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Promotions\Broadband]
"NullImageLoc"="C:\\Program Files\\Kazaa\\broadband.gif"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\ResultsFilter]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Search]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Settings]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Settings]
"Quarantine"="C:\\Program Files\\Kazaa\\Quarantine"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Settings]
"HelpDir"="C:\\Program Files\\Kazaa\\Help"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Skins]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Skins]
"SkinsDir"="C:\\Program Files\\Kazaa\\Skins"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\SOCKS]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Transfer]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\Transfer]
"DlDir0"="C:\\Program Files\\Kazaa\\My Shared Folder"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Kazaa\UserDetails]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Kazaa Media Desktop]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kazaa-lite.ws]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kazaa-lite.ws]

; End Of The Log...

Logfile of HijackThis v1.99.1
Scan saved at 4:09:02 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINNT\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\SpyWare Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131603448825
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
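A HijackThis log like the one above is read section by section (R0/R1 browser settings, O2 BHOs, O4 autoruns, O9 IE buttons, O16 downloaded ActiveX controls, O23 services), and the helper looks for entries whose target file is missing, services with no publisher, and unnamed BHOs. The script below is an added example, not part of the thread or of HijackThis itself; it applies those reading rules to a constructed sample of lines modelled on the posted log, so the flags are review prompts, not malware verdicts.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99.1 line format, modelled on entries
# posted in this thread (a handful of lines, not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
"""

# Every HJT entry starts with a section code (R0, R1, F0, N1, O2 ... O23), " - ", then the body.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")


def review_entry(section, body):
    """Apply the reading rules a helper uses on an HJT log; return the reasons to look closer."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("target file missing: orphaned entry, usually leftover of removed software")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service without publisher information: verify the binary before trusting it")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed BHO: identify it by CLSID and path before acting")
    if section == "O16":
        reasons.append("downloaded ActiveX control: confirm the site is one the user chose to visit")
    return reasons


def triage(log_text):
    """Return {section: [(entry_body, reasons)]} for entries that need a second look."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue  # headers, process list and blank lines are skipped
        section, body = match.groups()
        reasons = review_entry(section, body)
        if reasons:
            findings[section].append((body, reasons))
    return dict(findings)


if __name__ == "__main__":
    for section, entries in sorted(triage(SAMPLE_LOG).items()):
        for body, reasons in entries:
            print(f"{section}: {body}\n    -> " + "; ".join(reasons))
```

On the sample, the legitimate R0 home page and AVG autorun produce no flags, while the two Unknown-owner services and the orphaned Comcast button do.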

#7 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Forgot to mention the fact some programs may flag the fix from newnet. Good call running it anyway.

JUST TO BE safe Please Download LSPFix from http://www.cexx.org/lspfix.htm and IF you lose internet connection (you won't) Run the Program. Disconnect from the Internet and close all Internet Explorer Windows. Check the "I know what I'm doing" Button and remove all traces of any file that show in the remove column. Reboot.

Please Download BFU from HERE and unzip it to its OWN folder. Pick any name or location you can remember.

Download BFU-KazaaBeGone script HERE unzip them to the same folder you just made for BFU.

Run BFU and, using the folder icon at the "Script to execute" window, choose the Kazaa 2.0.2.bfu script. Check the box to "show log after script ends" and hit Execute. Save this log as 202.txt (or whatever).
Repeat the above but choose 2.0.bfu and save that log as 20.txt (or whatever). It may well be empty, but you showed signs of both so we'll see.

Paste both copies back in a reply here.

While you have hidden files showing you may want to do a search for

*kazaa*

files and save that list to Notepad so you can delete them after we get you all clean.

#8 DurangoDAWG (Topic Starter, Member, 22 posts)
OK - I did something wrong. I downloaded LSPFix and ran it, removed the files and clicked Finish, and it deleted some files and registry values. I then rebooted the PC and now I do not have an internet connection. It is not giving me an IP address. I am thinking I shouldn't have removed those files.

#9 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
You were only to run the LSP fix IF you lost internet connection after removing Kazaa.
The files you removed were all in the remove column??

Edited by jwbirdsong, 13 November 2005 - 07:36 PM.


#10 DurangoDAWG (Topic Starter, Member, 22 posts)
The files removed were in the Found column and I moved them to Remove, then Finish - I know, dumb move. I have been able to re-establish an IP from my router but IE is not working. I will try to re-install IE and see what happens.
#11 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
That won't work...did you get the link I sent you in PM??

#12 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
This should get you back up again: http://windowsxp.mvps.org/winsock.htm

It includes instructions/tutorials on WinsockXPFix (that's the link I PMed you). Tutorial 2 is a little clearer, but tutorial #1 is a little more in depth.

#13 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Connectivity fixed in chat...

#14 DurangoDAWG (Topic Starter, Member, 22 posts)
I am back online (thank you) and below are the two txt files from BFU.

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 7:19:51 PM, on 11/13/2005

Warning: unknown command 'OptionUseBitBucket' on line #6
Failed: FolderDelete C:\Program Files\DelFin (folder not found)
Failed: FolderDelete C:\Program Files\Kazaa (folder not found)
Failed: FolderDelete C:\Program Files\SaveNow (folder not found)
Failed: FolderDelete C:\WINNT\BDE (folder not found)
Failed: FolderDelete C:\Documents and Settings\Owner\Start Menu\Programs\DelFin Media Viewer (folder not found)
Failed: FolderDelete C:\Documents and Settings\Owner\Start Menu\Programs\KaZaA Media Desktop (folder not found)
Script completed.

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 7:20:45 PM, on 11/13/2005

Warning: unknown command 'OptionUseBitBucket' on line #6
Failed: FolderDelete C:\Program Files\DelFin (folder not found)
Failed: FolderDelete C:\Program Files\FirstLook (folder not found)
Failed: FolderDelete C:\Program Files\Kazaa (folder not found)
Failed: FolderDelete C:\Program Files\NewDotNet (folder not found)
Failed: FolderDelete C:\Program Files\SaveNow (folder not found)
Failed: FolderDelete C:\WINNT\BDE (folder not found)
Failed: FolderDelete C:\Documents and Settings\Owner\Start Menu\Programs\DelFin Media Viewer (folder not found)
Failed: FolderDelete C:\Documents and Settings\Owner\Start Menu\Programs\Kazaa Media Desktop (folder not found)
Failed: FolderDelete C:\WINNT\system32\AdCache (folder not found)
Script completed.

I happened to run Panda again and it came up with 2 spyware items:

Incident Status Location

Adware:adware/portalscan No disinfected C:\PROGRAM FILES\COMMON FILES\Slmss
Adware:adware/novo No disinfected Windows Registry

#15 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
This one should be a folder, but maybe not:
C:\PROGRAM FILES\COMMON FILES\Slmss
You can delete it. I think the virus scan is just flagging on the folder name.

Then use RegSearch to search for "novo" in the registry and post the search log.