
[Solved] Pointer is going crazy

Discussion in 'Virus & Other Malware Removal' started by 82ABN, Nov 10, 2001.

  1. 82ABN

    82ABN Thread Starter

    Joined:
    Nov 10, 2001
    Messages:
    23
    Hello all! I'm a newbie with a problem.

    A couple of weeks ago my computer was infected with the [email protected] virus. I downloaded a fresh copy of Norton 2001 and it did its job; however, my pointer/cursor is moving at will. Whenever I try to move it, it either stalls or will move to some other part of the screen, sometimes highlighting on the way or closing out a window in the process. Does anyone know if this is related to the virus? I read Norton's info regarding this virus and it talks about icons moving, but not the weird pointer movement. I am running WIN98 and ran a complete scan this morning which located nothing.

    Another thing: I followed Norton's instructions about going to the registry editor, but the only thing I could find close to W32.Magistr was a Norton file which reads: "C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET" This seems like something that belongs there to me. I appreciate any assistance.
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I don't think it's virus related; but magistr does strange things that sometimes the av programs don't detect, such as leaving legitimate, cleaned, files in the startup configuration which really don't belong there.

    Download and run the startuplog.com file you can get from here:

    http://home.earthlink.net/~rmbox/Reticulated/Toys.html

    It will place a startuplog.txt file on your desktop; copy/paste the results of that here, and we'll have a gander at your startup programs and associated registry entries. (stubbpaths.txt is not needed).

    In general, mouse related problems are usually resolved by reinstalling or updating mouse drivers -- and sometimes video drivers as well.
     
  3. 82ABN

    82ABN Thread Starter

    Joined:
    Nov 10, 2001
    Messages:
    23
    Well, it's pretty lengthy, but I suppose you would want to see all of this. I appreciate you taking a look at it.

    ---------- C:\WINDOWS\desktop\StartUp.Log

    Start-Ups checked at 11-10-2001 4:55:00.56p
    ___________________________________________________


    StartUp Log for Windows 95/98 - Freeware by rmbox

    Comments:

    This is a log of all the programs on your computer that
    are starting automatically every time you start Windows.
    Using this log can be a quick way to spot trojans.

    StartUp Log (version 1.53) - Release Date 8/19/2001


    ____________________________________________________

    StartUp Log Index

    1. HKLM Run
    2. HKCU Run
    3. HKLM RunOnce
    4. HKCU RunOnce
    5. HKLM RunServices
    6. HKLM RunServicesOnce
    7. WIN.INI file
    8. SYSTEM.INI file
    9. AUTOEXEC.BAT file
    10. StartUp folder
    11. All Users StartUp
    12. Misc. StartUp Configurations

    ____________________________________________________

    The following is a list of your current Start-Ups
    ____________________________________________________

    1. HKLM Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EnsoniqMixer"="starter.exe"
    "Norton Auto-Protect"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE /LOADQUIET"
    "TaskMonitor"="c:\\windows\\taskmon.exe"
    "ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
    "SystemTray"="SysTray.Exe"
    "Multi-function Keyboard"="GWHotKey.exe"
    "LoadQM"="loadqm.exe"
    "dplaysvq"="C:\\WINDOWS\\VCM\\dplaysvq.exe"
    "RUNDLL31"="C:\\WINDOWS\\RUNDLL31.EXE"
    "NAV DefAlert"="C:\\PROGRA~1\\NORTON~1\\DEFALERT.EXE"
    "Norton eMail Protect"="C:\\Program Files\\Norton AntiVirus\\POPROXY.EXE"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb03.exe"
    "TIPS"="C:\\PROGRA~1\\MICROS~1\\tips\\mouse\\tips.exe"
    "POINTER"="C:\\PROGRA~1\\MICROS~1\\point32.exe"
    "webHancer Agent"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"


    ==============================================


    2. HKCU Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Taskbar Display Controls"="RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY"
    "MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"


    ==============================================

    3. HKLM RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==============================================

    4. HKCU RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    ==============================================

    5. HKLM RunServices - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "ScriptBlocking"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "SchedulingAgent"="c:\\windows\\SYSTEM\\mstask.exe"


    =============================================

    6. HKLM RunServicesOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==============================================

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    run=

    load=

    ==============================================

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=Explorer.exe

    ==============================================

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file

    SET BLASTER=A220 I7 D1 T2
    SET SNDSCAPE=C:\WINDOWS
    C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCAN.EXE C:\
    @IF ERRORLEVEL 1 PAUSE

    @IF ERRORLEVEL 1 PAUSE
    @PATH c:\windows;c:\windows\COMMAND;C:\PROGRA~1\WIN98RK;%PATH%
    SET PATH=%PATH%;C:\PROGRA~1\MCAFEE\MCAFEE~1\MCAFEE~2


    @ECHO OFF
    rem - By Windows Setup - LOADHIGH c:\windows\COMMAND\MSCDEX.EXE /D:CD1

    REM [HEADER]
    @ECHO OFF



    REM [CD-ROM DRIVE]

    REM [MISCELLANEOUS]

    REM [DISPLAY]

    SET CLASSPATH=C:\PROGRAM FILES\HEAT\NAVBAR;%CLASSPATH%


    ==============================================

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    *(No start-ups found)*

    ==============================================

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder


    *(No start-ups found)*

    ==============================================

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    [1] HKCU - Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [2] HKCU - User Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    .....................................................................

    [3] HKLM - Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [4] HKLM - User Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders

    .....................................................................

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe file - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com file - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr file - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat file - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif file - RegPath = HKCR\piffile\shell\open\command)

    @="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
    (.hta file - RegPath = HKCR\htafile\shell\open\command)

    -=========================-
    HKLM RunOnceEx - Registry
    -=========================-


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


    -====================-
    StubPaths - Registry (Partial Listing)
    -====================-

    (Please see the StubPath.txt on your desktop for complete listing)

    HKLM\Software\Microsoft\Active Setup\Installed Components


    "RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
    "StubPath"="c:\\windows\\COMMAND\\sulfnbk.exe /L"
    "RealStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
    "OldRealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
    "StubPath"=""
    "OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
    "RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
    "StubPath"=""
    "StubPath"=""
    "StubPath"="C:\\Progra~1\\Online~1\\MSN\\msnmig.exe"
    "RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE /U"

    -=================-
    DOSSTART.BAT File - (c:\windows\dosstart.bat)
    -=================-

    REM DOS MOUSE DRIVER ADDED BY MICROSOFT INTELLIPOINT MOUSE SETUP
    LH C:\PROGRA~1\MICROS~1\MOUSE\mouse.exe
    @ECHO OFF

    REM NOTES:
    REM DOSSTART.BAT IS RUN WHENENVER YOU CHOOSE "RESTART THE COMPUTER
    REM IN MS-DOS MODE" FROM THE SHUTDOWN MENU IN WINDOWS. IT ALLOWS
    REM YOU TO LOAD PROGRAMS THAT YOU MIGHT NOT WANT LOADED IN WINDOWS,
    REM (BECAUSE THEY HAVE FUNCTIONAL EQUIVALENTS) BUT THAT YOU DO
    REM WANT LOADED UNDER MS-DOS. THE TWO PRIMARY CANDIDATES FOR
    REM THIS ARE MSCDEX AND A REAL MODE DRIVER FOR THE MOUSE YOU SHIP
    REM WITH YOUR SYSTEM. COMMANDS THAT YOU WANT PRESENT IN BOTH WINDOWS
    REM AND MS-DOS SHOULD BE PLACED IN THE AUTOEXEC.BAT IN THE
    REM \IMAGE DIRECTORY OF YOUR REFERENCE SERVER. PLEASE NOTE THAT FOR
    REM MSCDEX YOU WILL NEED TO LOAD THE CORRESPONDING REAL-MODE CD
    REM DRIVER IN CONFIG.SYS. THIS DRIVER WON'T BE USED BY WINDOWS 98
    REM BUT WILL BE AVAILABLE PRIOR TO AND AFTER WINDOWS 98 EXITS.
    REM
    REM THIS FILE IS ALSO HELPFUL IF YOU WANT TO F8 BOOT INTO MS-DOS 7.0
    REM BEFORE WINDOWS LOADS AND ACCESS THE CD-ROM. ALL YOU HAVE TO DO
    REM IS PRESS F8 AND THEN RUN DOSSTART TO LOAD MSCDEX AND YOUR REAL
    REM MODE MOUSE DRIVER (NO NEED TO REMEMBER THE COMMAND LINE PARAMETERS
    REM FOR THESE TWO FILES.
    REM
    REM - YOU MUST EXPLICITLY SPECIFY THE CD ROM DRIVE LETTER FOR MSCDEX.
    REM - THE STRING FOLLOWING THE /D: STATEMENT MUST EXPLICITLY MATCH
    REM THE STRING IN CONFIG.SYS FOLLOWING YOUR CD-ROM DEVICE DRIVER.

    REM MSCDEX.EXE /D:OEMCD001 /L:D


    LOADHIGH c:\windows\COMMAND\MSCDEX.EXE /D:CD1
    C:\SBPCI\APINIT.COM

    -=====================-
    Screen Saver Settings (Possible system.ini start-up)
    -=====================-


    ==============================================

    - Supplemental Environment Information -

    TMP=c:\windows\TEMP
    TEMP=C:\windows\TEMP
    winbootdir=C:\WINDOWS
    COMSPEC=C:\WINDOWS\COMMAND.COM
    PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\WIN98RK;C:\WINDOWS;C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\MCAFEE\MCAFEE~1\MCAFEE~2
    CLASSPATH=C:\PROGRAM FILES\HEAT\NAVBAR;
    windir=C:\WINDOWS


    ==============================================

    - End -
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Ok, I think I see the problem, you have this line being executed as a run command:

    "dplaysvq"="C:\\WINDOWS\\VCM\\dplaysvq.exe"

    Nothing should ever be running from the VCM (Version Conflict Manager) directory -- these are just backed-up files.

    What has happened here is Magistr infected, altered the name, and configured this file to run at startup. Your antivirus cleaned the file, but does not know it doesn't belong.

    To correct this, go to Start and run regedit

    Navigate to:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    To do this, click in order:

    + Hkey_Local_Machine
    + Software
    + Microsoft
    + Windows
    + CurrentVersion
    RUN

    Highlight the RUN key and right click on and delete the

    "dplaysvq"="C:\\WINDOWS\\VCM\\dplaysvq.exe"

    entry in the right hand pane.

    The real name of the file is: dplaysvr.exe

    I'm not sure what it does (haven't looked into it), but I think it is a DirectX application of some kind.

    Anyway you should also delete or just rename dplaysvq.exe in the VCM folder.


    ==================
    Now comes the hard part. I hold my breath when bringing this to people's attention. You have a nasty bit of "spyware" called Webhancer installed. It is tricky and dangerous to uninstall, even using Add/remove. Loss of internet connectivity can result. Best results have been obtained using Lavasoft's Ad-aware:


    http://www.lavasoftusa.com/

    (read the "Getting started" and FAQ pages before running it)

    You can read about Webhancer here:

    http://www.cexx.org/webhancer.htm

    If you remove it and find yourself unable to connect to the internet afterwards, I would suggest replacing the wsock32.dll file and applying this fix: (might be a good idea to make a copy of it)

    Winsock2 Fix:
    Please note if you are going to do this you must have the installation CD or cab files.
    - Go to Add/Remove Programs | Windows Setup tab | take the check mark out of COMMUNICATION | click Apply | when asked to reboot say no.
    - Click Start | Run | type regedit and follow the path HKEY LOCAL MACHINE | system | current control set | services | winsock2.
    - Right click, select delete.
    - Go to Add/Remove Programs | Windows Setup | put a check in COMMUNICATIONS | when asked to reboot say no.
    - Check Network and verify there are no duplicate adapters and only what is required is there.
    - Reboot and try to browse.
     
  5. rmboxx

    rmboxx

    Joined:
    Aug 17, 2000
    Messages:
    54
    RUNDLL31.EXE :eek:
     
  6. 82ABN

    82ABN Thread Starter

    Joined:
    Nov 10, 2001
    Messages:
    23
    Thanks. I will give that a try... I'm not familiar with "spyware". What is the danger of leaving it alone?
     
  7. 82ABN

    82ABN Thread Starter

    Joined:
    Nov 10, 2001
    Messages:
    23
    What is the problem here?
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Darn how'd I miss that :rolleyes: thanks Rmboxx!

    Just follow the same instructions I gave you above and also right click and delete the entry for:

    "RUNDLL31"="C:\\WINDOWS\\RUNDLL31.EXE"

    Don't know how Norton missed it either. It is not a legitimate file.

    Also after doing that, find and delete the file itself.

    While you're in the Windows directory, make sure you have a copy of:

    rundll32.exe

    If you don't you should be having other problems as well, such as not being able to launch control panel applets.
     
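The checks Rollin' Rog applied by eye to the posted StartUp Log (posts 2, 4 and 8 above: nothing should run from the VCM backup folder, RUNDLL31.EXE is a one-character lookalike of the real rundll32.exe, the win.ini run= and load= lines should be empty, the system.ini shell= line should be only Explorer.exe, and the .exe open command should be "%1" %*) can be scripted. The Python below is an added example; it is not rmbox's StartUp Log tool or anything from this thread. It parses the log format as posted and runs those checks over a constructed excerpt; the allowlist of known system executables and the sample lines are assumptions made for the example.

```python
import re

# Constructed allowlist of startup executables that appear in the posted log.
# It is an assumption for this example, not an authoritative list of Windows files.
KNOWN_SYSTEM_EXES = (
    "rundll32.exe", "explorer.exe", "taskmon.exe", "systray.exe",
    "scanregw.exe", "loadqm.exe", "mstask.exe",
)

# Default "open" commands for executable types, exactly as the log prints them.
EXPECTED_OPEN = {
    "exe": '"%1" %*', "com": '"%1" %*', "bat": '"%1" %*',
    "pif": '"%1" %*', "scr": '"%1" /S',
}

SECTION = re.compile(r"^\d+\.\s+(.*)$")            # "1. HKLM Run - Registry"
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')       # "name"="value" (.reg style)
INI_LINE = re.compile(r"^(run|load|shell)=(.*)$", re.IGNORECASE)
OPEN_CMD = re.compile(r'^@="(.*)"$')                # @="\"%1\" %*"
OPEN_CMD_TYPE = re.compile(r"^\(\.(\w+) file - RegPath = (.+)\)$")


def unescape(value):
    # Undo .reg-style escaping: a backslash-escaped character stands for itself.
    return re.sub(r"\\(.)", r"\1", value)


def executable_of(command):
    """Return the program path from a Run-key command line (quoted path or first token)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def edit_distance(a, b):
    """Levenshtein distance; one edit apart is how rundll31.exe hides next to rundll32.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_startup_log(text):
    """Walk a StartUp Log and return (rule, detail) findings for the checks used in the thread."""
    findings = []
    section = ""
    pending_cmd = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = REG_VALUE.match(line)
        if m and "Run" in section:                  # Run, RunOnce, RunServices sections
            name, command = m.group(1), unescape(m.group(2))
            exe = executable_of(command)
            base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if "\\vcm\\" in exe.lower():
                findings.append(("vcm-startup", f"{name} runs a Version Conflict Manager backup: {exe}"))
            for known in KNOWN_SYSTEM_EXES:
                if base != known and edit_distance(base, known) == 1:
                    findings.append(("lookalike-name", f"{name} launches {base}, one edit from {known}"))
            continue
        m = INI_LINE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key in ("run", "load") and value:
                findings.append(("ini-loader", f"win.ini {key}= is not empty: {value}"))
            elif key == "shell" and value.lower() != "explorer.exe":
                findings.append(("ini-shell", f"system.ini shell= is {value!r}, expected Explorer.exe"))
            continue
        m = OPEN_CMD.match(line)
        if m:
            pending_cmd = unescape(m.group(1))      # remember until the type line names it
            continue
        m = OPEN_CMD_TYPE.match(line)
        if m and pending_cmd is not None:
            ext = m.group(1).lower()
            expected = EXPECTED_OPEN.get(ext)
            if expected and pending_cmd != expected:
                findings.append(("open-command", f".{ext} open command is {pending_cmd!r}, expected {expected!r}"))
            pending_cmd = None
    return findings


# Constructed excerpt in the posted log's format: the two entries the thread flagged,
# a few normal ones, and a non-empty load= line added for the example.
SAMPLE_LOG = r"""
1. HKLM Run - Registry

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"dplaysvq"="C:\\WINDOWS\\VCM\\dplaysvq.exe"
"RUNDLL31"="C:\\WINDOWS\\RUNDLL31.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

7. WIN.INI File - (c:\windows\win.ini)

run=
load=c:\windows\sample_loader.exe

8. SYSTEM.INI File - (c:\windows\system.ini)

shell=Explorer.exe

12. Miscellaneous StartUp Configurations

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)
"""

if __name__ == "__main__":
    for rule, detail in audit_startup_log(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Run against the sample it reports the VCM entry, the rundll31 lookalike and the non-empty load= line, and stays quiet about the legitimate rundll32 and the default shell and open commands. The lookalike rule only compares against the small allowlist, so a name the allowlist does not contain is not judged either way; that is the same gap a manual review has, which is why Rollin' Rog still asked for the whole log.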
  9. 82ABN

    82ABN Thread Starter

    Joined:
    Nov 10, 2001
    Messages:
    23
    OK. I got the rundll31 off. I also deleted the dplaysvq from the registry, but when I try and delete it from the system, I get a message saying that I can't because it's in use. I tried deleting it from the Windows Explorer. Is there a better way?
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    After the registry entry has been deleted, reboot and try the file deletion again. It should no longer be in use.

    If necessary we can do it in DOS, but it shouldn't be.
     
  11. 82ABN

    82ABN Thread Starter

    Joined:
    Nov 10, 2001
    Messages:
    23
    BTW, I do have rundll32. I had to reinstall WIN98 to get it after my attack. Norton was unable to fix that file and I couldn't find a place to download only that file.
     
  12. 82ABN

    82ABN Thread Starter

    Joined:
    Nov 10, 2001
    Messages:
    23
    OK, that allowed me to delete it. Thanks a lot. Now as far as the spyware... does keeping the file outweigh the risk you mentioned of deleting the file? I'm not familiar with spyware.
     
  13. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It's hard for me to quantify the risk. You might try searching the forum for past Webhancer threads (there should be many) and decide for yourself.

    Most people who have had problems either just deleted the file or in some cases relied on Add/remove.

    Older versions of Ad-aware also caused some issues.

    And you will find one sorry thread where someone with Win2k used Ad-aware and it failed.

    Aside from the "spying" issue, it seems occasionally to be the source of some blue screens and invalid page faults.
     
  14. 82ABN

    82ABN Thread Starter

    Joined:
    Nov 10, 2001
    Messages:
    23
    I really appreciate all the help. I'm not sure what the culprit was, but my pointer has, so far, stopped its fits. I will definitely be checking this forum daily from now on.

    Rick
     
  15. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You're welcome :)
     
Short URL to this thread: https://techguy.org/58173
