Problems Removing Kazaa

Discussion in 'other security issues & news' started by aishuu, Sep 14, 2002.

Thread Status:
Not open for further replies.
  1. aishuu

    aishuu Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    10
    Location:
    somewhere slightly north of reality
    PC user here.

    I just found out how evil kazaa was- a friend said I'd love it, and needless to say, I'm not talking to her anymore- teaches me to trust people.

    Anyway, I'm having problems REMOVING kazaa. The B3DKiller claims that I'm missing a .dll file... it's driving me nuts, since that annoying purple "connect" thing that's appeared whenever I sign on since I've signed up with Kazaa WON'T GO AWAY. My net connection is slower by the day, and... well, I'm sure you know. I tried the standard CTRL+ALT+DEL to see what programs are running, and it says nothing is, but I see the purply icon there.... and I can quit or shut it down.

    I'm desperate... any idea? Or had kazaa won the battle?

    ~ Aishuu
    o_O
     
  2. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    Have you tried running AdAware on your system?
    You can find it from this very site, try here http://www.wilders.org/downloads.htm look under the Lavasoft section.

    Try running this and keep us informed.

    By the way, it sounds as if you have Kazaa set to run at startup, it might be worth checking your startup list to disable it.

    Start>Run> type Msconfig>Startup tab, untick anything relating to Kazaa
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    And what is in the Add/Remove programs or the program folder of Kazaa itself?
    Did you remove it from there and reboot of course?
    If you started removing it, of course B3DKiller won't find a missing dll to remove so that's ok.
    What Tinribs says to get it out of the autostartup files.
    Not sure about the slowing down, are you getting lot of stuff in or are people connecting to you to grab yours?
    Not sure what a firewall does here, as you're part of the network yourself, giving some access permissions.
    Not sure if your caches collect extra much garbage and manual cleaning might help a lot, those things.
    Was Kazaa showing up in cont+alt+del before your halfway uninstall?
    What happens when you click the icon, is there still a program behind it?
    You are not running Windows ME are you with the system restore happily putting it back (but not complete it seems)

    There is a Kazaa light version, without the spy part in it and true or not true Kazaa would have told the spying would no longer be part of their official version too (i don't know, others do).
    Anything more wrong? Don't let a software come between a good friendship.
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Let's start by having a look at your Startups;

    Download StartupList 1.30 at http://www.lurkhere.com/~nicefiles/index.html

    Doubleclick it, and it will generate a text file that will list all running processes, and all applications that are loaded automatically when you start Windows.

    Go to Edit > select all, copy it and please post the contents here.

    Also do this:

    Download BHODemon, launch the program, and tell us what BHOs it detects.
     
  5. aishuu

    aishuu Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    10
    Location:
    somewhere slightly north of reality
    :eek:

    This is so not good.

    I heard there was a virus going around from the comp expert at work- we're newspaper, though, so we use Macs... wasn't sure if it'd affect PCs... The virus was called WTC Survivor. Now I know I didn't open it, but my mother will open anything with WTC in front of it, even though I gave her the lecture about forwards..

    Apparently, I'm missing a necessary .dll to install StartupList 1.30 ... now I'm in deep and sinking faster. Any way I can salvage this? This is the second .dll I've noticed missing... should I just reinstall all my hardware?

    Note: I already have Adaware and run it weekly.

    ~ Aishuu
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Don't panic, this is no big deal.

    You're probably missing msvbvm60.dll.

    Download the MS visual basic 6.0 runtime files

    Just doubleclick after downloading, and let it install.
    Reboot, and you'll be able to run the list.

    Chill! :D
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    WTC Survivor could hardly have caused your problems since it is a hoax: http://vil.mcafee.com/dispVirus.asp?virus_k=99245 and http://www.symantec.com/avcenter/venc/data/wtc.survivor.hoax.html

    Regards,

    Pieter
     
  8. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    That is correct - sorry for my late reply.

    The missing dll error is probably for the VB 6 run-time files. Just download them at the link posted above, and you'll be able to run B3DKiller.

    You may also want to download Ad-Aware or Spybot S&D to get rid of all the other spyware KaZaA installs.

    -Javacool
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    I agree! :)

    If I may be finicky, what I always advise is take a look at the startups first, then disable any dubious entries, and reboot before running Ad-Aware or Spybot.

    They do a more thorough job that way.

    Cheers,
     
  10. aishuu

    aishuu Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    10
    Location:
    somewhere slightly north of reality
    You're all being so kind- that missing .dll file fixed the problem with the B3DKiller and the start up. I ran the killer, and that purple thing IS STILL THERE.

    WTC is a virus? I will be having a chat with our comp expert- he handed it out through the whole building via hardcopy... ><

    Suggestions? Ideas?

    ~ Aishuu



    StartupList report, 9/14/02, 9:20:01 PM
    Detected: Windows 98 Gold (Win9x 4.10.1998)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\DELFIN\PROMULGATE\PGMONITR.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\PROGRAM FILES\CHECKIT\UTILITIES\TOOLBOX.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\MY DOCUMENTS\DOWNLOAD\STARTUPLIST13\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    CheckIt ToolBox.lnk = C:\Program Files\CheckIt\Utilities\ToolBox.exe
    Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    PromulGate = "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    AIM = C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components

    [{89820200-ECBD-11cf-8B85-00AA005B4383}]
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

    [PerUser_LinkBar_URLs]
    StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    [{7790769C-0471-11d2-AF11-00C04FA35D02}]
    StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:

    [Rename]
    NUL=C:\WINDOWS\TEMP\ADWARE\WEBINSTALL.EXE

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------
    End of report, 5,578 bytes
    Report generated in 0.685 seconds

    StartupList version: 1.30.0
    Started from: C:\MY DOCUMENTS\DOWNLOAD\STARTUPLIST13\STARTUPLIST.EXE

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
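
Added example (not part of the original post and not StartupList's own code): a small parser for the report format shown above that pulls every `name = command` autorun entry with the registry key or folder it came from, then searches the entries for keywords. The function names and keyword lists are hypothetical; the sample input is a trimmed excerpt of the report above.

```python
import re

# Trimmed excerpt of the StartupList report posted above (same line format).
REPORT = r"""
Running processes:

C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
CheckIt ToolBox.lnk = C:\Program Files\CheckIt\Utilities\ToolBox.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = C:\WINDOWS\taskmon.exe
PromulGate = "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:

[Rename]
NUL=C:\WINDOWS\TEMP\ADWARE\WEBINSTALL.EXE
"""

def parse_report(text):
    """Return (location, name, command) for each 'name = command' line."""
    entries = []
    for section in re.split(r"^-{10,}\s*$", text, flags=re.M):
        lines = [l.strip() for l in section.splitlines() if l.strip()]
        if not lines:
            continue
        location = lines[0].rstrip(":")          # section title as fallback
        for line in lines[1:]:
            is_key = line.startswith("HK") or (line.startswith("[") and "\\" in line)
            if is_key and "=" not in line:
                location = line.strip("[]")      # registry key or startup folder
            elif "=" in line:
                name, _, cmd = line.partition("=")
                entries.append((location, name.strip(), cmd.strip()))
    return entries

def find_suspects(entries, keywords):
    """Case-insensitive keyword match against entry name and command."""
    kws = [k.lower() for k in keywords]
    return [e for e in entries if any(k in (e[1] + " " + e[2]).lower() for k in kws)]
```

On this excerpt a search for "kazaa" or "bonzi" returns nothing, while "adware" matches only the WININIT.BAK rename line.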
     
  11. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Did you run an AntiVirus and Trojan scan?

    tapisrv.exe and rnaapp.exe could associate with Trojan!


    Technodrome
     
  12. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    I'm guessing the "purple thing" is a program named "Bonzi Buddy".

    Ad-Aware and Spybot S&D should detect it...

    -Javacool
     
  13. aishuu

    aishuu Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    10
    Location:
    somewhere slightly north of reality
    Still there.... I ran Ad aware for the fifth time, Kaspersky, Spybot search and destroy, TDS-3... All of them claim nothing is wrong.... but I have this purple thing which I know doesn't belong there.

    It only appears when I connect to the net...

    Any other programs I should try? I really appreciate your help- my comp is running more smoothly, but that purple thing is annoying me.

    ~ Aishuu
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Can you post a screen shot from that "purple thing"?

    regards.

    paul
     
  15. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    This may sound too simple, but go to control panel -> add/remove programs, and see if there's anything suspicious or plain unknown listed there.
     
  16. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    This may sound too simple, but go to control panel -> add/remove programs, and see if there's anything suspicious or plain unknown listed there.
     
  17. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    I can almost guarantee the "purple thing" is Bonzi Buddy.

    Am I correct that it's a purple ape/monkey that tries to talk to you and/or offers to help you search, etc on the internet?

    If so, you should be able to remove it by searching for "Bonzi Buddy" in Add/Remove programs.

    Hope this helps.

    -Javacool
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Complete removal instructions for this "ape" can be found at: http://www.pchell.com/support/bonzibuddy.shtml

    Regards,

    Pieter
     
  19. aishuu

    aishuu Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    10
    Location:
    somewhere slightly north of reality
    Checkout, you're a genius. It says I STILL have Kazaa Media Desktop. And no, the purple thing doesn't do anything- just shows up on my taskbar, and says it's connected to the net, which worries me...

    *tries to keep from screaming* Why won't it GO AWAYo_O I've USED all of the above listed... is it destined to haunt me for eternity?

    And how do I take a screenshot? I've never done it before.

    ~ Aishuu
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    BonziBuddy has a banana icon in the systray when playing, not his purple ape face. Former versions might have had or the desktop icon. Starting it, it would give you a swinging purple ape over your screen doing all kinds of things.

    If he's on your system, there is a folder on your system in windows\msagent\chars in which he is as bonzi.acs
    And in program files\BonziBuddy or such a kind of name.
    Once msagent itself is installed on a system, it can't be removed completely but for bonzi you might be able to uninstall his desktop service programs.

    I don't think it was bonzi as he was not in the startup programs, nor the additional descriptions, and if he had been in the contr+alt+del you would have seen such a name.

    I never installed kazaa so I don't know the systray icon of that, and visiting their web site I did not see any purple colored logo of it too.

    For screenshots you might like the Traction Screen Grab Pro which is the easiest and free http://www.traction-software.co.uk/screengrabpro/
    Start the , press F8 and get the part you want, save with a name you can remember and paste it here in the forum.

    Had to edit this as my posting became damaged while somebody else was posting in the thread and my former repair of it was lost with the next person posting :)

    Your screenshot is there in the meantime: you see, nothing like bonzi in that :)

    Wonder HOW you uninstalled Kazaa, with add/remove?
     


  21. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    My apologies - I haven't really installed the latest versions of Bonzi Buddy :D (because it always seems to infest the system in every way possible).

    -Javacool
     
  22. aishuu

    aishuu Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    10
    Location:
    somewhere slightly north of reality
    Okay, I think I managed a screenshot... this is my bar: see that purple thing? I WANT IT GONE!!!

    ~ Aishuu
     


  23. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Bizarre. I thought of one other thing - have you run sysedit and taken a look at the sys.ini file for example? If there is a line there with the words "kazaa" or anything similar - back up the file first, and then just zap that line and save. and reboot.

    Another thought - go to System in the Control Panel. Then look at the Device Manager tab. Look in "Network Adapters", "Other Devices", and maybe even "System Devices" (wouldn't hurt)....see if there is anything strange there. Do you dial-up or are you using a broadband connection to the net? If using dial-up, also go to "Dial-Up Networking" and see if there is anything under properties there that looks funny.

    That screen shot looks like a purple megaphone maybe? When you click on that does anything come up?

    John
    Luv2BSecure
     
  24. aishuu

    aishuu Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    10
    Location:
    somewhere slightly north of reality
    The System in the control panel looked normal. I even went to remove Kazaa from the control panel (very bad, I know) and I got an error message. cd_clint.dll was the errored file.

    :doubt: This is getting very frustrating. I had heard kazaa was evil... I had no idea it was satanic.

    ~ Aishuu
     
  25. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Found this on the net.....I have no way of knowing how savvy you are with computers, but here is a list of what "belongs" to Kazaa:
    C:\Program Files\Kazaa\
    C:\Windows\Start Menu\Programs\KaZaA\
    C:\Windows\Desktop\Kazaa Media Desktop.lnk
    C:\Windows\Desktop\My Shared Folder.lnk
    C:\Windows\Desktop\Kazaa Promotions.lnk
    HKEY_CURRENT_USER\Software\Kazaa
    HKEY_LOCAL_MACHINE\Software\Kazaa
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\KaZaA Media Desktop_is1


    Obviously the easiest way to fix the registry entries is to go to "run" from the start menu and type in "regedit"....go to "EDIT" and "FIND" and type in Kazaa. Normally I wouldn't suggest a manual regedit unless I knew you knew what you were doing. But, in this case, do the above and anywhere it says "Kazaa" - DELETE. Then hit "F3" to continue searching for more Kazaa entries until you have cycled around.

    All of the above and all everybody else has suggested is all I can think of. Good luck and let us know how it goes.

    John
    Luv2BSecure
     