icon virus?

[daffyskier]

Hey cyber patrollers, I think I may have picked up a virus. All my destop icons run away when I try to clik them. Rats! I knew I should not have opened up that .exe from my sister. A virus, right?

I need to use this old Gateway p-5 200 with windows 95 until I get my new laptop, probably six weeks. Suggestions, guys?

Help!

 

[rhettman5]

you have this :Magistr virus

go here to get help, a free antivirus online check, follow instructions to cure : http://housecall.antivirus.com/housecall/start_corp.asp

post back with results ..Welcome to Tech Support Guy !...Rhett

 

[daffyskier]

Thanks for the clue, Rhettman! I scanned my disc with the online service you suggested and deleted the infected files. The only thing that looked important that was infected was the "vendor.exe" file. I deleted it too and now upon booting up I get a message that says the system cannot find that file. Then when I click OK it says to restore the file or unassociate that file with WIN.INI. (does that make sense enough?)

Everything seems to be running OK except for that little glitch, my icons don't "run away" from my cursor and a second scan showed no infected files. Thanks so much to this great site and to you Rhettman.

What is that "vendor.exe" thing? Is it important?

Daf

 

[Rollin' Rog]

If the reference is in win.ini, it will likely be coming from the load= or run= lines

Normally they are "empty", just

run=
load=

You can edit them by going to start and running win.ini so that it opens in notepad. You could also just run msconfig and uncheck the line using the win.ini tab.

If you had magistr, be aware that even after cleaning we somtimes see strange files left in the startup list which do not belong. If you are experiencing any other unusual behavior, we can have a look at what's there by running msinfo32 and clicking on "software environment" and "startup programs". Then click edit>select all>edit>copy and paste the copied text in a reply.

 

[daffyskier]

Well there seems to be a problem...I did remove the text from WIN.INI as suggested and no longer get that annoying message upon rebooting...BUT: when I try to run msconfig OR msinfo32, I get a message that it can't find the file or one of its components, make sure the path is correct and the required libraries are available. Did I lose some files?

 

[ezymony]

try leaving the 32 off msinfo see if it works

 

[daffyskier]

Thanks, no dice. Also have tried msconfig and msinfo and msinfo32 in safe mode, same message. Wow there is a deafening silence out there! Have I fouled things up a lot? Please be brutally honest.

 

[ezymony]

someone will be here to help just a matter of time

 

[Bryan]

There's nothing wrong with your PC. Msinfo32.exe and Msconfig.exe weren't included with W95. They were new features added to W98 and Windows ME. Anyway, if your error message is gone at boot up and the virus has been cleaned up, you should be ok now.

To be safe, if you want us to take a look at your Startup process and see if your truly clean now, go <a href=http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html> here</a> and download Startlog.com

Once it's downloaded, double left click on it to execute it. You'll then see the log appear on the screen at the end. Just close the window. Now you should see the Startup.log file on your Desktop. Right click on it and rename it Startup.txt

Then come back to this thread and click on "PostReply". Then at the bottom next to "Attach File", click on "Browse" and attach the Startup.txt file from your Desktop to a reply here.

BTW, when you rename it you'll get a warning, just reply with "Yes" and rename it anyway. And we don't need to see "StubPath.txt". You can just delete that file from the Desktop

 

[daffyskier]

Here is the text, thanks, it wouldnt attach even after I renamed. Looks to an amateur eye like nothing out of the ordinary?

-Daf
------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 01-15-2002 8:40:02.62a
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.54) - Release Date 12/12/2001

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"MSWHEEL"="C:\\WINDOWS\\SYSTEM\\mswheel.exe"
"TIPS"="C:\\MSINPUT\\tips\\mouse\\tips.exe"
"POINTER"="C:\\MSINPUT\\POINT32.EXE"
"Multi-function Keyboard"="GWHotKey.exe"
"BillMinder"="C:\\QWSE\\BILLMIND.EXE"
"VoyetraAudioStation2"="C:\\VOYETRA\\AS2\\AS2TRAY.EXE"
"hpsjbmgr"="C:\\SCANJET\\hpsjbmgr.exe"
"mgavrtclexe"="C:\\WINDOWS\\MCBin\\AV\\Rt\\mgavrtcl.exe"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Display Controls"="RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"telepath"="TELEPATH.101\\tpexe.exe"
"SchedulingAgent"="mstask.exe"
"mgavrtclexe"="C:\\WINDOWS\\MCBin\\AV\\Rt\\mgavrte.exe"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file




PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;;C:\QTW\bin

REM [CD-ROM Drive]

REM [Display]

REM [Sound, MIDI, or Video Capture Card]

REM [Mouse]

REM [Miscellaneous]






==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\Iomega Startup Options.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Find Fast.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Iomega Watch.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Zip Disk Icons.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler.exe

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

@="DL__auto_file"
(.dl_ trojan executable file - RegPath = HKCR\.dl_)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Display Controls"="RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY"


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"OldStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"=""
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

@echo off

REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
REM you to load programs that you might not want loaded in Windows,
REM (because they have functional equivalents) but that you do
REM want loaded under MS-DOS. The two primary candidates for
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD
REM driver in Config.sys. This driver won't be used by Windows 95
REM but will be available prior to and after Windows 95 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match
REM the string in CONFIG.SYS following your CD-ROM device driver.

REM MSCDEX.EXE /D:OEMCD001 /l:d
REM MOUSE.EXE


-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DPIPE~1.SCR

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
COMSPEC=C:\WINDOWS\COMMAND.COM
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;;C:\QTW\BIN
windir=C:\WINDOWS


==========================================================================
__________________________________________________________________________

- End -

 

[daffyskier]

Thanks to all who have helped, this is a great service. Now I'm going to go click on any banners on the techguy homepage and see if I can vote for this site somewhere for something. Unless anyone sees problems in that startup, I'm saying my problem is solved. Thanks guys!

-Daf

 

[Rollin' Rog]

Sorry about the bum steer on msinfo32 and msconfig. The Win95 part of your post slipped by me.

Anyway the good news is you have a virus clean profile and a pretty trim one at that.

My only recommendation would be that you disable Find Fast as a performance measure. This MS program is useless for most people and only results in conflicts, slow downs and excessive disk usage.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q199787

Only other question I would have concerns

PowerReg Scheduler.exe This is the only good reference I can find for it...

http://www2.whidbey.net/djdenham/Uncheck.htm

I would try removing the startup shortcut from the c:\windows\start menu\programs\startup folder

 

[daffyskier]

Keep on rollin'!

Took your advice on Power Reg Scheduler, but not on find fast since there's no "MS Office" in Add/Remove programs (Word, excel etc. are all listed separately). Maybe 'cause I have Office 97 or Win 95? So I'm going to leave well enough alone.

Thanks once again to all who helped. BTW this Gateway has been flawless, nary a hardware problem in nearly five years. I'll be a little sad to put her out to pasture.

 

[daffyskier]

Well, housecall must have missed something, the virus came back on Wed. I downloaded an "anti-Magistr" program, but it didn't seem to work either. Finally had to download Nortn AV and let it do its work. Norton found one more infected file (acrobat reader) and allowed me to repair the file (Housecall only had delete option). No trace of the virus since.

So my vote goes to Norton as the best AV I've tried, and it's free for thirty days.

 

[Rollin' Rog]

Thanks for the follow-up, Daffy'. Find Fast comes with Office 97 as well, but it's up to you of course. There should be something in the Control Panel for it and of course the shortcut link in the programs/startup folder.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q158705

Be careful about opening old emails and attachments. Magistr could be hiding in one of them, be sure to scan all if you haven't.