February 18th, 2005 12:00

trojan dropper virus- & Video card

I ran a scan on my computer and it found a Trojan Dropper virus. Not all antivirus scans have detected it. But I have absolutely NO IDEA how to remove it. I have an anti-virus from Charter Comm. and I also had several different ones run a scan and only one of them detected the virus. The one from Charter. What can I do to delete it? Also how do I know I need a new video card? All my games work fairly well. But supposedly when we did a test on the Direct X it said it wasn't working.

Community Manager

 • 

54.4K Posts

February 18th, 2005 12:00

kissesmee,

(I) Run the Disk Cleanup utility
* Click Start- Run and in the Open box, type cleanmgr
* Click OK
* Use the drop down menu arrow to select the drive you want to clean. Usually C:
* Click OK
* Insert a check on everything
* Click OK
* Click Yes

(II) Run this free virus scan
* Go here:
http://housecall.trendmicro.com/
* Under Scan Your PC, click Scan Now. It's Free!
* Choose United States
* Click Go
* Give it time to download the latest virus data files
* Insert a check to your Local Disk C:
* Insert a check to Autoclean
* Click Scan
* If a virus is found, notify this board

(III) Run this other free virus scan
* Go here:
http://www.symantec.com/securitycheck
* Click GO
* Under Virus Detection, click START
* If a virus is found, notify me

(IV) Run the free Microsoft Malicious Software Removal Tool
* Go here:
http://www.microsoft.com/security/malwareremove/default.mspx
* Click, Skip the details and run the tool
* Click, Check My PC for Infection
* Click Agree
* Click Continue

4.8K Posts

February 21st, 2005 22:00

kissesmee,

After you do what Dell-ChrisM suggests, if you're still having a problem, post up a HiJackThis log for analysis - and we'll see if something is running on your system that shouldn't be.

-

Mike.

27 Posts

February 21st, 2005 23:00

What is a Highjack this log?
 
from: Computer Illiterate  :robotvery-happy:

4.8K Posts

February 22nd, 2005 02:00

kissesmee,

HiJackThis is a program that helps us to see what's running, and is started at each bootup on a computer system. That way we can see exactly what's running on it, that shouldn't be - like viruses, trojans and spyware.

When it's run, it'll produce a log that you can post, not just here, but anywhere where others are able to analyse it (other HiJackThis forums), and determine what you might need to do, or delete from your system to 'clean' it up.

The reason I suggested it, is, many times, most anti-virus and anti-spyware software will miss something.

-

Mike.

 

27 Posts

February 22nd, 2005 03:00

This is what I got from one of the scans. Virus Status: Infected!
Your computer is infected with at least one known threat.

88963 files scanned, 3 file(s) infected on your disk drives.

   

No viruses were detected in memory.

Your computer is free of known threats.  Virus Detection does not check compressed files.

Your computer appears safe for now.  For real-time protection from viruses, hackers and privacy threats, upgrade to Norton Internet Security™.

No viruses were detected in memory.

The scan was cancelled before finishing. To restart the scan, click here.

Your computer is free of known threats.  Virus Detection does not check compressed files.

Your computer appears safe for now.  For real-time protection from viruses, hackers and privacy threats, upgrade to Norton Internet Security™.

Warning! The scan detected a virus that is active in your computer's memory.

The scan ended to prevent further infection. 

You should shut down your computer immediately and restart it with an antivirus rescue disk or similar tool.

No viruses were detected in memory.

Your computer is infected with at least one known virus or Trojan horse.

Search for the name of the threat(s) listed below on the Symantec Security Response site for removal information.

No viruses were detected in memory.

Your computer is infected with at least one known virus or Trojan horse.

Note: The scan was cancelled before finishing. There may be more infected files on this computer.

Search for the name of the threat(s) listed below on the Symantec Security Response site for removal information.

A scan has not been run. To start Virus Detection, click here.

C:\Program Files\Common Files\epjnccce\ejprpellrt\jbehrnnnd.exe is infected with SecurityRisk.Downldr

C:\Program Files\Common Files\epjnccce\crcrbnlc\bdejrnhb.exe is infected with SecurityRisk.Downldr

C:\Documents and Settings\eileen\Local Settings\Temp\p2psetup.exe is infected with Adware.P2PNetworking

Another one says: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AEE.A

TROJ_AEE.A

Description: 
This Trojan arrives on a system as a .CAB package and is usually installed on a system as an ActiveX object. It attempts to connect to the following Web sites to download executable files into the affected system:

  • www.gogle.com
  • 200..49.50

However, as of this writing, these Web sites are already inaccessible.

27 Posts

February 22nd, 2005 03:00

This was also part of the first part.

C:\Program Files\Common Files\epjnccce\ejprpellrt\jbehrnnnd.exe is infected with SecurityRisk.Downldr

C:\Program Files\Common Files\epjnccce\crcrbnlc\bdejrnhb.exe is infected with SecurityRisk.Downldr

C:\Documents and Settings\eileen\Local Settings\Temp\p2psetup.exe is infected with Adware.P2PNetworking

 

4.8K Posts

February 22nd, 2005 03:00

kissesmee,

Do you have any anti-virus programs on your system to help us out?

-

Mike.

 

27 Posts

February 22nd, 2005 03:00

Apparently it's F-Secure. I got it through "Charter High Speed" my cable company. It detected this virus "Trojan-Dropper.Win32.Agent.az" and apparently 9 others. But it can't disinfect, or delete. It gives me the option to rename, but I wouldn't know what to do with that. I really can't get any help from this company (cable). Thanks for your help.
 
Signed
** lost in computer viruses**

4.8K Posts

February 24th, 2005 15:00

kissesmee,
 
Help me to see what's running on your system...
 


Download, then unzip to "C:\HJT", the newest version of HiJackThis; version 1.99.1. Now, let's do the following:

  1.  Click "Scan"
  2.  Click "Save log"

  Notepad will pop up with a copy of your system log, then:

  1.  "Edit | Select all"
  2.  "Edit | Copy"

  Next, let's "Reply" back to this post, then:

  1.  Right-click on the message body.
  2.  Select "Paste"

  Then just "Post" the message, and we'll analyze your log shortly, then post back any recommendation(s).
 
-
 
If you're having a problem getting the 1.99.1 version to run properly on your system, try downloading and running the previous version; HiJackThis 1.98.2.
 


Download mwav.exe from MicroWorld, then:
 
1.  Double-click the mwav.exe icon to run it (it'll self extract).
2.  Click "Scan".
3.  When it completes, post back the results from the 'Virus log information' pane.
 

 
Mike.
 

27 Posts

February 26th, 2005 02:00

Logfile of HijackThis v1.99.1
Scan saved at 11:28:40 PM, on 2/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\DOCUME~1\MARCOS~1\LOCALS~1\Temp\Rar$EX01.062\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RecoverFromReboot.SS] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\RunServicesOnce: [washindex] c:\Program Files\Washer\washidx.exe "eileen"
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4430/mcfscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

***I hope this works*** thanks for your help :o)

4.8K Posts

February 26th, 2005 03:00

kissesmee,

Let's start off by deleting those files that the previous online scan found, if they're still present, then completing the steps below and posting back the results from the MWAV log.



Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...

C:\Program Files\Common Files\epjnccce

files...

C:\Documents and Settings\eileen\Local Settings\Temp\p2psetup.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".



Go to Add/Remove programs and remove(uninstall) the following, if present:

WildTangent

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.



Before we begin, let's move HiJackThis to its own folder; like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders which, with HiJackThis in its current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

Also move the "Backups" folder, for HiJackThis, if present.



Run HiJackThis and click "Scan", then check(tick) the following, if present:


O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab


Now, with all windows closed except HiJackThis, click "Fix checked".



Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...

C:\Program Files\WildTangent

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".



Post back a new log, and let me know how everything goes.

-

Mike
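
Added example, not part of the thread and not HijackThis's own logic: a small Python triage pass over HijackThis log lines that splits each entry into its section code (O4 autoruns, O16 downloaded ActiveX controls, and so on) and marks entries for manual review. The three rules are assumptions of this example (an autorun launched from a Temp directory, an autorun that loads a DLL through rundll32, an ActiveX control installed from a local `file://` source), and a hit is a prompt to look closer, not a verdict. The sample lines are copied from the log posted above.

```python
import re

# Sample input: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [RecoverFromReboot.SS] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

# A HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Review heuristics (assumptions of this example): (section, pattern, reason).
RULES = [
    ("O4", re.compile(r"\\temp\\", re.I),
     "autorun launches from a Temp directory"),
    ("O4", re.compile(r"\brundll32(\.exe)?\b", re.I),
     "autorun loads a DLL through rundll32"),
    ("O16", re.compile(r" - file://", re.I),
     "ActiveX control installed from a local file"),
]


def parse_log(text):
    """Return (section_code, body) for every entry line in the log text."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(text):
    """Return (section_code, reason, body) for each entry a rule matches."""
    hits = []
    for code, body in parse_log(text):
        for rule_code, pattern, reason in RULES:
            if code == rule_code and pattern.search(body):
                hits.append((code, reason, body))
    return hits


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}: {body}")
```
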