[Resolved] Confrentations on my PC {trojans & spyware}

[Psycosis]

When i press CTRL, ALT and DELETE together, and the Close Program Dialog box appears, i have 13 programs/things running on it. Some of which are causing my PC to crash and are stopping some games, aswell as other programs from working, i know this because when i "END" their "TASK", it works, but when i reboot/restart they re-appear. Does anyone know how i could take some of these off....... permanently, and is it safe to do so ?
This is what's on there:

• Explorer
• LoadQM
• Rundll32
• Wkalrem
• Systray
• Ptsnoop
• Rnaapp
• Whagent
• MsgPlus
• Gbtask
• Convsvr

 

[Davey7549]

Psycosis
Welcome to TSG!
The programs you are referring to are starting with the startup group. Go to start/run type in msinfo32 click plus sign in front of software programs and then highlight startup group click edit then click select all then edit again and copy. Come back here and paste the copy so we can advise on which should be removed.
Dave

 

[Psycosis]

Thanks.
Well, i done what you said, but mine was a little different (shown in my attatched image).
So i clicked the plus sign next to Software Enviroment, then clciked Startup Programs then copied the stuff that appeared in the right "frame".
This is it:

EPSON Background Monitor Startup Group C:\ESM2\Stms.exe
Microsoft Works Calendar Reminders Startup Group "C:\Program Files\MSWorks\Calendar\WKCALREM.EXE"
Microsoft Find Fast Startup Group "C:\Program Files\Microsoft Office\Office\FINDFAST.EXE"
Adobe Gamma Loader.exe Startup Group "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" /C
load Win.ini ptsnoop.exe
MSMSGS Registry (Per-User Run) "C:\Program Files\Messenger\msmsgs.exe" /background
ICQ Plus Registry (Per-User Run) C:\PROGRA~1\ICQ\ICQPLUS\vplus.exe
Mirabilis ICQ Registry (Per-User Run) C:\Program Files\ICQ\NDetect.exe
ScanRegistry Registry (Machine Run) c:\windows\scanregw.exe /autorun
TaskMonitor Registry (Machine Run) c:\windows\taskmon.exe
ati Registry (Machine Run)
SystemTray Registry (Machine Run) SysTray.Exe
LoadPowerProfile Registry (Machine Run) Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Gearbox Registry (Machine Run) "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
DXM6Patch_981116 Registry (Machine Run) C:\WINDOWS\p_981116.exe /Q:A
RealTray Registry (Machine Run) C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
Trickler Registry (Machine Run) "c:\program files\gator.com\fsg\fsg.exe"
Detect Registry (Machine Run) C:\Program Files\iNTERNET Turbo 2001\idetect.exe /auto
LoadQM Registry (Machine Run) loadqm.exe
CC2KUI Registry (Machine Run)
sp Registry (Machine Run) regedit -s C:\WINDOWS\sp.dll
MessengerPlus Registry (Machine Run) "C:\Program Files\Messenger\MsgPlus.exe"
webHancer Agent Registry (Machine Run) "C:\Program Files\webHancer\Programs\whAgent.exe"
New.net Startup Registry (Machine Run) rundll32 C:\WINDOWS\NEWDOT~1.DLL,NewDotNetStartup
LoadPowerProfile Registry (Machine Service) Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
TVWatch Registry (Machine Service) c:\windows\SYSTEM\TVWatch.exe
Detect Registry (Machine Service) C:\Program Files\iNTERNET Turbo 2001\idetect.exe /auto
Serv-U Registry (Machine Service) C:\PROGRAM FILES\SERV-U\ServUDaemon.exe
HC Reminder Registry (Machine Service) hc.exe

LOL..... hope that is what you want

 

[Davey7549]

Ok give me a about a half to throughly review your list and I will post back.
Dave

 

[Psycosis]

Thanks mate.

 

[Davey7549]

OK Psycosis
You have several problems going on here. First off you have some serious Spyware installed that can give you all kinds of problems, and Second there are items in your startup group I do not reconize but may be associated with the spyware.
Fist off here is a list of item you can safely uncheck from your startup group.

Uncheck the following.
EPSON Background Monitor Startup Group C:\ESM2\Stms.exe
Microsoft Works Calendar Reminders Startup Group "C:\Program Files\MSWorks\Calendar\WKCALREM.EXE"
Microsoft Find Fast Startup Group "C:\Program Files\Microsoft Office\Office\FINDFAST.EXE"
MSMSGS Registry (Per-User Run) "C:\Program Files\Messenger\msmsgs.exe" /background
Mirabilis ICQ Registry (Per-User Run) C:\Program Files\ICQ\NDetect.exe
DXM6Patch_981116 Registry (Machine Run) C:\WINDOWS\p_981116.exe /Q:A
RealTray Registry (Machine Run) C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
LoadQM Registry (Machine Run) loadqm.exe
HC Reminder Registry (Machine Service) hc.exe

Now for the spyware
Many of the items listed in the startup which I do not recognize may be associated with the spyware so we will leave them there for the time being.

Now uncheck these spyware items in the startup group.
Trickler registry
Sp registry
WebHancer
New.net

The process for removing items from start is
Go to start/run type in MS config click start-up and then uncheck the boxes I have listed as not required and the Spyware stuff.

Click apply then ok and restart your system.

Now get back on the net and go to http://www.lavasoftusa.com/downloads.html and download the
AdAware main program. Once you have the program downloaded
unzipped and ready to go let me know and we will go to the next step of cleaning up the spyware mess. [/b]Do not run AdAware yet since there is some add/remove program stuff to do.[/b]
Dave

Sounds daunting but we will do this one at a time.

 

[Psycosis]

OK, thanks, i'm gonna restart now. BRB.

 

[Rollin' Rog]

New.net and Webhancer should both be removed through add/remove programs before running ad-aware. I would do them one at a time and reboot after each removal. They are sometimes troublesome and a bad uninstall can leave you without internet connectivity. I would download this zip file and run it if you have problems reconnecting:

http://www.lavasoft.de/aaw/binary/whndnfix.zip

After you download ad-aware and install it, also download the current reflist.exe. Unzip that and copy it to the ad-aware programs folder.

When you run ad-aware after removing new.net and webhancer, be sure to do a deep memory and registry scan and select all drives on which you have installed programs.

Check all the items for selection and click the "make backup" tab.

Be advised that Gator will no longer run after removing it's spyware component.

Reboot after finishing the ad-aware removal and run it again to ensure a completely clean scan.

I don't know whether it will spot and clean the sp.dll. Let us know and I will give more instructions regarding that.

Here is a general explanation of what it is, I will follow up with registry editing instructions later.

http://groups.google.com/groups?hl=en&[email protected]

 

[Psycosis]

OK, i done it and rebooted, but when i go to http://www.lavasoftusa.com/downloads.html it just displays Connection Timed Out

 

[Davey7549]

Psycosis
I see that. The server must be temporarily down at lavasofts site.
Also I see Rollin rog jumped and made some suggestions on what to do. He is one of our resident Virus and spyware Gurus.
Read through what he suggests and do the parts that you can until Lavasoft comes back up.
Dave

Also that CC2KUI is Comet Curser spyware and should also be unchecked in MSconfig

 

[Psycosis]

Thanks, both of you, I have done it all

 

[Davey7549]

Psycosis
Good, you were able to add/remove the programs with no problem.
Now while we are waiting for lavasoft to come back up why not go to this site and run a full virus scan on your system.
http://housecall.antivirus.com/housecall/start_corp.asp
Let us know what it finds if anything.
Dave

Edit: Do Rogs first he and I posted at the same time.

 

[Rollin' Rog]

If you found Comet Cursor in Add/Remove, you can remove it from there. Ad-aware, when it comes back up should remove any remnants.

In the mean time lets get rid of sp.dll

From start, run regedit

>> click in order:

+ Hkey_Local_Machine
+ Software
+ Microsoft
+ Windows
+ CurrentVersion

RUN or RUN- (if you have unchecked it in msconfig)

Look for the reference to sp.dll in the right hand pane and right click on it and delete it.

Reboot and do a find Files Search for sp.dll (it should be in Windows). Delete it.

You may have to reset your search page options manually. You can also use the Registry Editor's Edit>Find function to search for references to jethomepage.com and change to what you want.

 

[Psycosis]

Okie dokie, is all done, running the virus scan now. Thanks. BTW, my dad says thankyou very much and your time is much appreciated.

 

[Davey7549]

Psycosis
No problem thats what we are here for. I presume you followed Rog's proceedure in cleaning up. Also I see lavasoft is still down last time I checked. After you download ad-aware and install it, also download the current reflist.exe. Unzip that and copy it to the ad-aware programs folder.
That will be very important to remove all that spyware stuff. You may be suprised at what it will find.
Keep us posted.
Dave