Changed mail info on boot up

Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.

paulm

Thread Starter
Joined
Oct 26, 2001
Messages
6
After getting a virus, my mail info in the Windows Mail folder is changed from my host to localhost, and my log-on name is also changed. This is from the basic boot up and before launching Outlook. I am unable to find where this is coming from.
 

paulm

Thread Starter
Joined
Oct 26, 2001
Messages
6
I followed your suggestion and downloaded StartUp Log. Clicked on it and the DOS window blinked on and then off in less than one second. Tried running it under DOS and got a msg saying it must run under Win32.

Downloaded rx pak and read those readme files also. I am missing something fundamental, I expect, but cannot get it to run, nor can I open a log file etc. Nothing after attempts to reboot either.

The virus I got was PE_MAGISTR.B.

Thank you for the help, and please, what am I doing wrong? I used to be proficient in DOS but that was a long time ago.

Paul
 

paulm

Thread Starter
Joined
Oct 26, 2001
Messages
6
Well, I got it to work. I was missing an exe file that somehow was missing. So here is the requested file.

I hope this will help. Once I get this fixed I am going to take some snapshots as baseline for future info.

Paul


---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 10-27-2001 12:39:35.36p
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.53) - Release Date 8/19/2001

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"PCCIOMON.EXE"="\"C:\\Program Files\\Trend PC-cillin 2000\\PCCIOMON.EXE\""
"pop3trap.exe"="\"C:\\Program Files\\Trend PC-cillin 2000\\pop3trap.exe\""
"WebTrap.exe"="\"C:\\Program Files\\Trend PC-cillin 2000\\WebTrap.exe\""
"SxgTkBar"="SxgTkBar.exe"
"PLXSTART"="C:\\PROGRA~1\\PLEXTO~1\\PLXSTART.EXE"
"PLXTASK"="C:\\PROGRA~1\\PLEXTO~1\\PLXTASK.EXE"
"Adaptec DirectCD"="C:\\PROGRA~1\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"ZipMagic"="C:\\Program Files\\Ontrack\\ZipMagic\\zm32.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Offers"="\"C:\\Program Files\\Gator.com\\OfferCompanion\\Offers.exe\""
"Memory"="C:\\WINDOWS\\SYSTEM\\memory.exe"
"CreateCD"="C:\\PROGRA~1\\ADAPTEC\\EASYCD~1\\CREATECD\\CREATECD.EXE -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"

*(RegPath not found..)*

==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="mstask.exe"
"PCCIOMON.EXE"="\"C:\\Program Files\\Trend PC-cillin 2000\\PCCIOMON.EXE\""
"Machine Debug Manager"="C:\\WINDOWS\\SYSTEM\\MDM.EXE"
"ZipMagic"="C:\\Program Files\\Ontrack\\ZipMagic\\zm32.exe"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=


==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file


C:\VIAUDIO\VIAUDIO.COM
SET BLASTER=A220 I5 D1 P330

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Acrobat Assistant.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.exe.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\eBot.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Start GetRight.lnk

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-====================-
StubPaths - Registry (Partial Listing)
-====================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"StubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-


-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DFLOW~1.SCR

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS

File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,484
Hiya

Okay,

I have had a look through the list and one thing that I think is odd, but others may prove me wrong here, is this:

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=
I didn't miss off load=. It's not in your list. Hmmmm?

Anyway, looking online I couldn't find much on PE_Magistr.b, but there is this from Symantec.

http://www.symantec.com/avcenter/venc/data/w32.magistr.39921@mm.html

Also Known As: I-Worm.Magistr.b, W32.Magistr.B@mm, W32/Magistr.b@MM

Your System.ini seems okay in my eyes.

Have you run an online scan?

http://housecall.antivirus.com/housecall/start_corp.asp

Regards

eddie
 

paulm

Thread Starter
Joined
Oct 26, 2001
Messages
6
I added a load= and did no harm or good.

I went to the Symantec link you sent and followed the info there and found 3 damaged DLLs and repaired them. Also looked manually as suggested and still have the problem.

I only had the virus for less than one hour and used HouseCall to make the first fix. Now running PC-cillin with good success. Got it (the virus) from a trusted friend; we exchange lots of attachments and I was too quick to open.

What about the 'stub paths' near the end of the startup log? I am using Microsoft Outlook.

In any event your comments and suggestions are extremely welcome and I have already gained lots of new info. Too bad we have not found the problem yet however.

Thank You

Paul
 