A file that won't go away

Been trying to help out a friend with XP. He has a file (kazaa lite download thing) that won't allow itself to be deleted. In use by something even in safe mode.

He sent a copy of a Hijack This log and I would love to have some of you folks who know this stuff better than I do take a look - see if you spot any baddies that need to go away.

LOG:

Logfile of HijackThis v1.97.7
Scan saved at 22:43:26, on 09/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kazaa Lite\kazaalite.kpp
C:\Program Files\iISystem Wiper\SystemWiper.exe
C:\Program Files\iISystem Wiper\SystemWiper.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaalite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe "
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes...ab?ver=1,1,0,30
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0...all/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://offers.conten****ch.com/audit/inclu...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8A9B457-A0BE-4BAB-B6BC-CCF9D2894B23}: NameServer = 195.92.195.94 195.92.195.95

 

Hi Newt
You know im not a log read per say,, nor an XP person,, gee I wont allow any filesharing near this pc either..and ive no exp with kazza or kazza lite..

First of have them unzip hijackthis and put in a permanate folder
ie they ofen run it from wthin a zip program.. some even choose to open it instead of downloading gee..
Zing looks suspious
this one can go but do it with msconfig
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

I see no badware,, I would remove all 0-16's and disable a few things with msconfig..

check in addremove for p2p something and uninstall it ,,er anything suspious

I suppose you tried the obvious with kazza lite ?
are you saying kazza lite wont uninstall ?
install again and see if it will then uninstall
and unchecking its startups then restarting the PC you still cant delete the files and the startups come back..
I suppose youve seen the Kazza remover,, dont know what it would do with the lite version
KazaaBegone at http://www.merijn.org/downloads.html

be sure to coution them and download lspfix first

Regards
Lonny

 

I'm sure you have him do a full virus scan, but the 2 that are suspicious are smss.exe and lsass.exe. Even though these are legimate files, depending on their location, numerous worms create these.

worm1

 

Just checking, but have you tried deleting the file from the
Kazaa program itself? Was it a complete download?
You may want to snoop around in Kazaa and delete it from
there. I don't use Kazaa or Klite so that's as much help I can
give with that.
Also take a look at this link:
http://www.theeldergeek.com/delete_undeletable_file.htm

 

Why do people keep on using Kazaa???

http://www.wired.com/news/business/0,1367,61852,00.html?tw=wn_bizhead_2

As far as file sharing programs go, there are plenty of alternatives.

Johanna

 

indmusic touched on a good point. Was the download complete? And is it still in any list within kazaa? Make sure it's removed from the traffic window, delete it from the kazaa playlist, close kazaa then close it from the tray and you should be able to delete it from the folder also.

 

Gee Newt fill us in

 

Strange, I've had to drag this out of the archives twice today. It may help, further, I hope it helps....

If it's a download in progress or a corrupted one, see my thread in this past post:[Taskman; using control\alt\del end task on explorer.exe method]

http://www.windowsbbs.com/showthread.php?s=&threadid=23349&highlight=explorer+shell

========
Had to find a fix when my Husband would do this.

 

Thanks all. I had forgotten about this thread but some excellent info in it and hopefully the fella with the problem has followed along. I did send him the link.

I'll get with him for an update and post it here.