Running icons

[Guest]

Got a weird one here....My mothers Hp notebook with windows ME has a strange problem...The icons on her desktop move when the mouse pointer gets anywhere near them, like one of those joke programs...she did a virus scan and found somthing like ***/coke virus (the *** being somthing i cant remember right now) anyway she deleted the file McAfee suggested she delte , now the icons dont move, they "quiver and shake" when the mouse pointer gets near them...any ideas? anyone ever hear of this type of thing? Shes 60 years old and this is really geting to her. Id like to help.

PS this is my first post here i usually use one of the other online forums..thought id give you folks a shot at this one....thanks in advance KT

 

[Toejam31]

Hi, KT ...

After thinking about this for a while, I suspect that your mother has more than one virus infecting her machine.

I have heard of six different variants of the Coke.exe virus, but none of them "move" the icons on the screen.

What it <i>does</i> sound like is a variant of the I-Worm.Magistr worm, which a very dangerous polymorphic memory resident Win32 worm combined with virus infection routines. It spreads through infected emails and infects Windows .exe files.

The virus was found in-the-wild around the middle of March 2001. So if your mother had not been keeping her Anti-Virus files up-to-date (which is typical of many users), her Anti-Virus program might not have correctly identified the worm, and it might still be in her machine.

One of the symptoms of the worm is that it gets access to the Windows desktop and does not allow the user access to the desktop icons. When the mouse cursor is moved to an icon, the virus moves the icon away from the cursor. It looks as if the icons are trying to "escape" the cursor.

This is not good, as the payload for this worm is that one month after infecting the computer the worm overwrites all disk files with the text "YOUARESHIT" on all local and network drives. Under Win9x the virus also erases the CMOS, Flash and hard drive data.

The virus then displays the message:

Another haughty bloodsucker.......
YOU THINK YOU ARE GOD ,
BUT YOU ARE ONLY A CHUNK OF [-peep-]

McAfee recommends removing the worm by updating to the latest <A HREF="http://www.mcafeeb2b.com/naicommon/download/dats/find.asp" target="_new">engine and DAT files</A>.

However ...

WinME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and McAfee will be unable to delete these files. Here are the instructions explaining how to remove the infected files from the C:\_Restore folder.

Disabling the Restore Utility:

1. Right click the My Computer icon on the Desktop, and choose Properties.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.

NOTE: The Restore Utility will now be disabled.

10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the file's located in the C:\_Restore folder and remove the file's.
12. After removing the desired files, restart the computer normally.

NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected file's are removed and the System Restore is once again active.

The worm can have different names, such as: I-Worm.Magistr, Magistr, PE_MAGISTR.A, W32.Magistr.24876@mm, W32/Disemboweler, W32/Magistr-a, I-Worm.Magistr.b, and W32/Magistr@MM.

Another variant, called W32/Magistr.dam3 covers .exe files that have been corrupted. These files are not repairable. They should be deleted and restored from backup ... or by reinstalling the operating system.

That's my best guess. Good luck!

Toejam31

<font color=red>My Rig:</font color=red> <A HREF="http://www.anandtech.com/mysystemrig.html?rigid=6847" target="_new"><font color=green>Toejam31's Tantalizing Tantric Toy</font color=green></A>
____________________________________________________________

<font color=purple>"Procrastination on your part does not constitute an emergency on my part."</font color=purple>

 

[Zoron]

Agreed, Toe.. it definately is a virus. Most likely the Magistr worm. Best thing to do would be to completely wipe and reload the system (to make sure all infected files are gone). If you use a reload CD, make sure that you first power the machine off because as Toe mentioned, the virus is memory resident and may reinfect files if you simply reboot.

These days you have to be very careful with email. Even an attachment from a trusted source can be infected with a virus. If you receive an email from someone, and it has a file attachment as an .exe, .vbs, .scr, .pif, or .bat (for example), the best thing to do is delete the email. You could also contact the person that sent you the email to ask if they actually did send it to you. (These viruses send themselves out to everyone on your contact list WITHOUT your knowledge). Do NOT open an attachment unless you are absolutely sure it's safe... picture files are fine... but be wary of anything else. Make sure you have a good anti-virus package that scans incoming and even outgoing email... and make sure it's kept up-to-date on a weekly basis. I know it's a royal pain, but it will save you a lot of headaches down the road. Good luck!