Ctrl-Alt-Del Apps analysis please

Discussion in 'malware problems & news' started by polo, Dec 5, 2002.

Thread Status:
Not open for further replies.
  1. polo

    polo Guest

    Can someone analyse these apps and tell me what they are when you do Ctrl-Alt-Del for a Win98 machine. A lot of these were pre-installed when bought. Any dodgy trojans, etc?

    Explorer
    Msmsgs
    Rnaapp
    Gmt
    WebCel
    Cmesys
    Proxy
    Mrc9144
    Offers
    Reminder
    Loadqm
    Cpunumber
    Remind32
    MsWheel
    Stimon
    Ddeproc
    Instantaccess
    Starter
    Systray
    Aticwd32
    Ptsnoop
    Winampa
    Systimer
    Defscangui
    Yklgnegl
    Mk9805

    My Win95 machine only has 3 at startup! Explorer, Systray and Resource Meter!
     
  2. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Hi Polo,
    first,
    is this a used PC you purchased... from a friend, stranger, or relative?

    bill ;)
     
  3. polo

    polo Guest

    No, it's from a proper computer store.
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Hi polo,

    As eyespy asks, a key piece of information is knowing where you got / bought the PC. If it's right from a vendor then there is not a very big chance that there is any malware installed on it. But, if the PC is second hand, it could be...

    A better way to determine if any of those objects are Trojans or other bad software is to run a special tool that will give us a lot more information than just the basic file names you've listed.

    If you could go to the site linked below and download the "StartupList 1.4" utility, install it, run it, and then post here the full text of what it finds, we could better assist you.

    http://www.lurkhere.com/~nicefiles/index.html

    Edit: Ah, it does come from a computer store. Good!! Then perhaps a better question is, do you really need or want the PC to run so many apps at startup? You could still post a startuplist here, and we could advise as to unneeded apps, which you could shutdown to save time and system load.

    Best Wishes,
    LowWaterMark
     
  5. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Hi Polo

    I said oh my god when I saw that list. :eek: It takes a decade to start up your puter, right?
    I mean, if I were you... I'd go unchecking them in msconfig. But Systray.exe I'd still leave there. Experience how it works, and recheck them if not working properly.
    Loadqm.exe is "another jewel" from Microsoft... impossible to get rid of it, at least if you use MSN Messenger...

    There is one more thing I noticed at first sight: there is no antivirus nor firewall at all at startup o_O


    friendliest -Ari
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    We do need a Startuplist log badly.

    At first glance you do have Gator and Webcelerator foistware, and what does appear to be a worm or trojan: Yklgnegl
     
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    I've always found that unchecking it in Msconfig/Startup effectively neuters it without a prob.
    And of course you could have your firewall block it as an extra precaution.
     
  8. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    PTsnoop-----backdoor Trojan ??

    Polo,
    for starters... download a trial copy of Trojan Hunter here, especially if you are using the new PC now!!

    http://www.wilders.org/anti_trojans.htm

    and maybe a trial version of another Antivirus located at Wilders downloads as well !
    Be sure to uninstall other antivirus/antitrojan software first, before installing the new software !!

    regards,
    bill ;)
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Seems like it, Tony.

    eyespy,

    no offense ;), but IMHO the implemented techniques plus a far bigger database do lead me to recommend downloading and installing a trial of TDS3, grabbing the latest radius from the DCS website, installing it and performing a full deep system scan.

    Polo,

    Looking forward to your follow up!

    regards.

    paul
     
  10. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Agreed ....
    that would be my first choice. I was just considering that Polo might be unfamiliar with A/T software, and TDS may throw you a "sharp learning curve" sometimes!!

    regards,
    bill :)
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Bill,

    "sharp learning curve" - not really ;). One just has to follow the excellent basic instructions as provided by our highly valued mod Jan :cool:.

    regards.

    paul
     
  12. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    FanJ did do an excellent job there !!
    Point taken !! :D

    bill ;)
     
  13. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Tony,



    I'm afraid I have to say negative, sir. Well, you used to be right though, 'til MSN released the newest version [version 5.0] of the IM. Now every time you uncheck or remove or rename loadqm, the messenger reloads loadqm, and when it comes to ZA... loadqm attempts to gain access no matter how many times you have blocked it earlier. I call that progress of MSN...


    friendliest -Ari
     
  14. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    By the way........

    Ptsnoop.exe is not necessarily a trojan; it is also a program for helping the dialup connection...

    Ptsnoop.exe file is installed with modems. The file watches the COM ports for activity and allocates system resources to open the port.

    -Ari
     
  15. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    I have Messenger 5.0 running on Win 98 SE, and although it won't allow you to rename or delete Loadqm.exe any more, you can for sure disable or remove the startup entry through Msconfig, or by editing the Registry manually.

    On reboot LoadQM won't load, and will therefore not try to access the Net any longer either.
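    As an added example (not code from the thread or from any tool named in it), the check Tony describes, done on a current Windows machine with PowerShell: it reads the same Run/RunOnce keys that Msconfig edits and flags every entry whose executable is not on an allowlist. The allowlist contents are an assumption and must be replaced with names vetted on the machine being audited.

    ```powershell
    # Added example, not code from the thread: enumerate the registry Run/RunOnce keys
    # and flag entries whose executable is not on an allowlist.
    # $Allowed is a constructed placeholder; fill it with the names you have vetted yourself.
    $Allowed = @('explorer', 'systray', 'msmsgs')

    $RunKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    function Get-StartupExeName {
        param([string]$Command)
        # A quoted path may contain spaces; otherwise the first whitespace-delimited
        # token is the image. Unquoted paths with spaces are ambiguous here, as they
        # are for Windows itself, so such an entry is worth a manual look anyway.
        if ($Command -match '^\s*"([^"]+)"') { $Path = $Matches[1] }
        else { $Path = ($Command.Trim() -split '\s+')[0] }
        return [System.IO.Path]::GetFileNameWithoutExtension($Path).ToLower()
    }

    foreach ($Key in $RunKeys) {
        if (-not (Test-Path $Key)) { continue }
        $Props = Get-ItemProperty -Path $Key
        # Skip the PS* metadata properties the registry provider adds to the object.
        foreach ($Prop in ($Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $Exe = Get-StartupExeName -Command ([string]$Prop.Value)
            $Status = if ($Allowed -contains $Exe) { 'known' } else { 'REVIEW' }
            [PSCustomObject]@{
                Key     = $Key
                Entry   = $Prop.Name
                Command = $Prop.Value
                Status  = $Status
            }
        }
    }
    ```

    Run it in a PowerShell session with rights to read both hives; entries marked REVIEW are the ones to look up before deciding whether to remove the startup entry.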
     
  16. polo

    polo Guest

    Ptsnoop is, I think, a software app for HSP "soft" modems, which I have... I know I have Gator - see my thread about Audiogalaxy / Gator in Privacy. Gator is NOT listed in Add/Remove Programs, so how do I remove it?

    I am aware of safehex - I tend to use DOS scanners: F-Prot, AVP. I have been here for some time - not amateurish. The PC has been in use for 3 years.

    The only infection I've ever had is that Yaha.E worm which I removed with KAV and double checked with Sophos' removal tool - see worms forum.
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi polo,

    Feel free to grab a copy of Spybot S&D in our downloads section
    That program will take care of Gator after you disabled CMEsys and rebooted.

    Regards,

    Pieter
     
  18. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Tony,

    Well, I really wish it was the way you keep on telling, but I still have to say negative, sorry, it won't work here... Win 98, but all computers are different, you know... the content and how you have tweaked it... I rename loadqm.exe but it will come back, as I told you...

    Have a good weekend, Tony. I celebrate my fatherland's, Finland's, 85th birthday tonight, but without alcohol though.

    -Ari


    ps. I use "RegProt" and I do not want to allow any more startup apps. I also check every time I start up whether those "jewels" are running, and then I kill them from memory, but this is just for visible apps under Ctrl+Alt+Del.
     
  19. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    I think you may not be hearing what I'm saying:

    I know LoadQM will be re-installed if it's removed or renamed, and I told you so.

    But get rid of its startup entry, and I can assure you it won't run.


    And I wish you a fine weekend, and a great holiday as well! :)
     
  20. curious

    curious Registered Member

    Joined:
    Dec 5, 2002
    Posts:
    1
    Location:
    Alaska
  21. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Welcome aboard Curious !

    That site I call a pearl, all information about startup apps :) very nice indeed, thank you.

    -Ari
     
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Yup, that's for sure!

    It's also the largest one, holding close to 1900 entries, and it gets updated on a weekly basis as well.
     