Computing.Net > Forums > Security and Virus > Games.exe Virus?


Games.exe Virus?


Original Message
Name: Jmalonemyth
Date: March 7, 2003 at 00:02:12 Pacific
Subject: Games.exe Virus?
OS: win98 1st
CPU/RAM: 333 MHz / 128 MB
Comment:

Like an idiot I downloaded a program from a P2P that was supposed to be old Atari Games, Games.exe.

Upon executing the program, it tried to contact an outside site. My Tiny Personal Firewall program caught it, so I denied access to the web.

I had run a scan with Norton with current definitions and it said everything was fine, but I guess it wasn't.

Now if I try to delete the program it tells me that it can't because Windows is using the program. I tried deleting from DOS and it said access was denied.

I have tried a couple of other antivirus programs and they will not load up for some reason, or they find nothing wrong.

McAfee will not install unless I take off my firewall, but if I do that then the program will be able to contact the outside site which I assume will then load in a trojan.

HELP!!!!!!
John




Response Number 1
Name: Tom41
Date: March 7, 2003 at 00:46:39 Pacific
Reply:

Let's see where it is loading from: download, unzip and run StartupList, then copy and paste the results in a reply.

StartupList



Response Number 2
Name: jmalonemyth
Date: March 7, 2003 at 01:32:22 Pacific
Reply:

I did an online scan on Pandasoft and it said that I have 2 viruses on my computer, the Trj/Spy/Justin virus and the Backdoor Delf.bz virus. They were unable to remove the viruses.

Here is the info from the StartupList.

StartupList report, 3/7/03, 3:18:34 AM
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
Detected: Windows 98 Gold (Win9x 4.10.1998)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MPRMMON.EXE
C:\PROGRAM FILES\TINY PERSONAL FIREWALL\PERSFW.EXE
C:\WINDOWS\SYSTEM\M2AUDMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOWNLOAD FILES\PROGRAMS\WINZIP96\WINZIP32.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE

---------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
America Online Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
Update Grokster.lnk = C:\PROGRA~1\GROKSTER\WiseUpdt.exe

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

mmpti = C:\WINDOWS\SYSTEM\m1mmpti.exe
SystemTray = SysTray.Exe
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
SENTRY = C:\WINDOWS\SENTRY.exe
CMESys = "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
Trickler = "c:\program files\morpheus\fsg_3210.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
Microsoft Tray = D:\DOWNLOADS\GAMES.EXE

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

winmodem = WINMODEM.101\wmexe.exe
rmmon = C:\WINDOWS\SYSTEM\mprmmon.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
PersFw = "C:\PROGRAM FILES\TINY PERSONAL FIREWALL\PERSFW.EXE"

---------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

---------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 7/3/2003, 2:47:20)

[Rename]
NUL=D:\DOWNLO~1\GAMES.EXE
NUL=C:\WINDOWS\ISNSYS.DLL

---------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\windows\googletoolbar_en_1.1.70-deleon.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

---------------------

Enumerating Download Program Files:

[Macromedia Shockwave Director Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[eConn Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ECONNECT.DLL
CODEBASE = http://econnect.libereco.net/econnect.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.7.150/2471f7b87c7b631db006/netzip/RdxIE601.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

[McFreeScan Class]
InProcServer32 = C:\WINDOWS\MCAFEE.COM\FREESCAN\MCFSCAN.DLL
CODEBASE = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,4,0,4251/mcfscan.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

---------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

---------------------
End of report, 5,191 bytes
Report generated in 0.545 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Any help appreciated
John


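As an added example (not from the thread or from the StartupList tool), here is a small Python triage script that parses the Run/RunServices sections of a report in the format above and flags entries whose program sits outside the usual Windows locations or whose value name imitates a vendor, which is exactly the kind of entry the reply below points at. The excerpt is constructed from a few entries in this report, and the EXPECTED_ROOTS list is an assumption about a typical Win9x layout.

```python
# Added example (not from the thread): triage Run/RunServices entries in a
# StartupList report. Constructed excerpt in StartupList 1.52 format.
SAMPLE_REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
Trickler = "c:\program files\morpheus\fsg_3210.exe"
Microsoft Tray = D:\DOWNLOADS\GAMES.EXE

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

PersFw = "C:\PROGRAM FILES\TINY PERSONAL FIREWALL\PERSFW.EXE"
"""

# Assumption: on a Win9x box, legitimate autostart binaries live under these
# roots; anything else (download folders, other drives) deserves a look.
EXPECTED_ROOTS = ("c:\\windows", "c:\\program files", "c:\\progra~1")

def parse_autoruns(report):
    """Yield (registry_key, value_name, command) for each Run/RunServices line."""
    key = None
    lines = report.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Autorun entries from Registry:"):
            key = lines[i + 1].strip()   # the key name follows on the next line
        elif line.startswith("---"):
            key = None                   # section divider ends the current key
        elif key and " = " in line:
            name, cmd = line.split(" = ", 1)
            yield key, name.strip(), cmd.strip()

def triage(report):
    """Return (key, name, exe, reasons) for entries worth a closer look."""
    flagged = []
    for key, name, cmd in parse_autoruns(report):
        # Program path is either the quoted part or the first token.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        exe_l = exe.lower()
        reasons = []
        if "\\" in exe_l and not exe_l.startswith(EXPECTED_ROOTS):
            reasons.append("runs from outside Windows/Program Files")
        if name.lower().startswith("microsoft") and "microsoft" not in exe_l:
            reasons.append("vendor-looking value name but non-vendor path")
        if reasons:
            flagged.append((key.rsplit("\\", 1)[-1], name, exe, reasons))
    return flagged
```

A path heuristic alone does not flag the Trickler entry that Abnormal points out further down, since it sits under Program Files; entries like that need a lookup by name.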

Response Number 3
Name: Tom41
Date: March 7, 2003 at 02:06:44 Pacific
Reply:

Click Start > Run > type msconfig and click OK
Click the Startup tab and uncheck:
Microsoft Tray = D:\DOWNLOADS\GAMES.EXE
Click apply/ok and reboot. Delete the file.



Response Number 4
Name: Tom41
Date: March 7, 2003 at 02:39:51 Pacific
Reply:

What files did Panda list as Delf and Justin?



Response Number 5
Name: ShutMeUpOrDown
Date: March 7, 2003 at 03:11:09 Pacific
Reply:

You don't need to "share" via P2P to play all your favorite Atari classics. Search Google for Stella.




Response Number 6
Name: Abnormal
Date: March 7, 2003 at 07:57:37 Pacific
Reply:

This is spyware:
Trickler = "c:\program files\morpheus\fsg_3210.exe"

http://www.cexx.org/gator.htm




Response Number 7
Name: jmalonemyth
Date: March 7, 2003 at 11:10:50 Pacific
Reply:

Thanks for the help. I did another Pandasoft online scan and this time it got rid of both viruses. So I junked Norton and I will be paying for Panda when the evaluation period ends.

The games.exe was the Delf.bz, and the Trojan Spy Justin infected a Windows system file. Glad they are gone now.

Thanks for the startup list program and I didn't know about the config startup option. I disabled a bunch of junk that was slowing the computer.

JMalone







