General discussion

virus w32.magistr.39921@mm

By Casemaker
Hi,
I have this virus on a PC. I lose the mouse when it boots and cannot do anything else. I can't update McAfee either. I have gone to all the sites for removal (Norton, Sophos and McAfee) and it is still there after doing what they suggest. I took the HDD out of the machine and put it in another with updated Norton virus. It ran the first time but still had the virus behavior when I put it back. When I disabled the restore feature and tried to run it on Norton again, it locks after memory scan. Please don't tell me to go to a web site and follow instructions; I already did that. If you have a proven step-by-step method or a tool for removal and it works, I will give you the points. THANK YOU

virus w32.magistr.39921@mm

by Casemaker In reply to virus w32.magistr.39921@m ...

Formatting or using HP restore disks are not options. The lady has a lot of files and pictures and such and does not have backups. She is 76 yrs old and no one ever showed her how to back up.

virus w32.magistr.39921@mm

by Joseph Moore In reply to virus w32.magistr.39921@m ...

OK, Magistr is one of the nastiest viruses out there. You might need to tell the owner of the computer that you might have to reinstall.
Since you have access to a second computer, and you can add this drive to the 2nd system, you can transfer all important data files from the infected drive onto the drive on the 2nd system. Then you could put the infected drive back in its system, boot off the Windows CD, and install Windows again cleanly. Format the drive and everything. That will take care of the virus.
You would then put the drive back in the 2nd system, move the data files onto it, then put the drive in its own system again and boot.

This might not sound like a very attractive option, but you have to realize that Magistr does a lot of stuff. Modifies System.INI on Win9x machines; changes Win.com also to the point that you have to restore it from the Windows cd. Registry entries made. All kinds of stuff.

virus w32.magistr.39921@mm

by Joseph Moore In reply to virus w32.magistr.39921@m ...

So, here is my suggestion: to avoid the entire reinstall, put the drive in the 2nd system again and do the full Norton anti-virus scan to get rid of it as much as it can.
Next, edit System.INI on the infected drive (while it is in the 2nd system still) and make sure nothing is after shell=Explorer.exe in the [boot] section.
Next, you should replace Win.com file (on a Win9x machine). Please read Technet article Q136630 on how to do that:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q136630
OK. Hopefully, you will be able to boot properly at this point, so put the infected drive in its old system and boot. If it is not booting, then other files were corrupted by Magistr, and you will have to restore them. Personally, if this is the case, then do the reinstall.
If you CAN boot, then once the Desktop is visible, follow these instructions from SARC:

virus w32.magistr.39921@mm

by Joseph Moore In reply to virus w32.magistr.39921@m ...

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, look for a value that has a random file name with the .exe extension, and that points to the \WinNT\System or \Windows\System folder. This may be the name of a file that was detected as W32.Magistr.39921@mm when you ran the full system scan.
5. Delete any such values that you find.
6. Do one of the following:
If you are running Windows 95/98/Me, click Registry, and then click Exit.
If you are running Windows NT/2000/XP, go on to step 7.

7. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


8. In the right pane, double-click the following value:

Shell

9. Look in the value data box. It should contain only the text Explorer.exe
10. If it contains any text to the right of Explorer.exe, for example, warm.exe, remove that text so that only Explorer.exe remains, as shown in step 9.

11. Click Registry, and then click Exit.


You probably saw this write up on Magistr, but here is the URL anyway:
http://securityresponse.symantec.com/avcenter/venc/data/w32.magistr.39921@mm.html


hope this helps
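
The checks described in the posts above (the `shell=` line in the `[boot]` section of System.INI, the `Run` key, and the Winlogon `Shell` value) can be run offline against text copies of the files while the drive sits in the second system. This is an added example, not part of the original thread or of SARC's instructions; it assumes the two registry keys were exported to a text `.reg` file and already decoded to text, and the sample file name `QXZPLM.EXE` and both sample inputs are constructed.

```python
import re

# Constructed sample inputs (not taken from a real infected machine).
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\QXZPLM.EXE
system.drv=system.drv
[386Enh]
shell=ignored-outside-boot
"""
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Qxzplm"="C:\\WINDOWS\\SYSTEM\\QXZPLM.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe warm.exe"
'''

def iter_values(text):
    """Yield (section, name, data) from INI text or a REGEDIT4 export."""
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)
            # .reg exports quote names/data and double the backslashes
            yield section, name.strip().strip('"').lower(), data.strip().strip('"').replace("\\\\", "\\")

def audit(system_ini, reg_export):
    findings = []  # (location, data) pairs that need a human look
    for section, name, data in iter_values(system_ini):
        if section == "boot" and name == "shell" and data.lower() != "explorer.exe":
            findings.append(("system.ini [boot] shell", data))
    in_system = re.compile(r"\\(windows|winnt)\\system\\[^\\]+\.exe$", re.I)
    for section, name, data in iter_values(reg_export):
        if section.endswith(r"\windows\currentversion\run") and in_system.search(data):
            findings.append(("Run value " + name, data))
        if section.endswith(r"\currentversion\winlogon") and name == "shell" and data.lower() != "explorer.exe":
            findings.append(("Winlogon Shell", data))
    return findings

if __name__ == "__main__":
    for where, data in audit(SAMPLE_SYSTEM_INI, SAMPLE_REG_EXPORT):
        print(f"REVIEW {where}: {data}")
```

Every `.exe` under the System folder in the `Run` key is reported as a candidate for review, since a legitimate program may also start from there; compare the names against the files the scanner detected before deleting a value.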

virus w32.magistr.39921@mm

by Casemaker In reply to virus w32.magistr.39921@m ...

Thank you. I had to do a restore.

virus w32.magistr.39921@mm

by bohicam1 In reply to virus w32.magistr.39921@m ...

The previous poster is correct in asking you to save all data to a second drive and reinstalling; however, formatting will not solve your problem. As this virus writes itself to the master boot record, the simplest way I have found to take care of this issue is to use a utility called "clearhdd.exe". You can do a search on google.com for it and get it from any drive manufacturer. The simple truth is, this virus renames and corrupts too many system files for a proper repair job. As you have likely read on the Symantec site, the Magistr virus will render anti-virus programs ineffective once it has run its course. I am afraid your options are few.
Good luck!

Mike

virus w32.magistr.39921@mm

by Casemaker In reply to virus w32.magistr.39921@m ...

Thank you. I had to do a restore.

virus w32.magistr.39921@mm

by mdelyea In reply to virus w32.magistr.39921@m ...

Try downloading from this site http://www.pandasoftware.es/library/pqremove_en.htm (remove any spaces from link). Yes, this program solved my problem with Magistr. It worked when others did not.

virus w32.magistr.39921@mm

by Casemaker In reply to virus w32.magistr.39921@m ...

Thank you. I had to do a restore.

virus w32.magistr.39921@mm

by Casemaker In reply to virus w32.magistr.39921@m ...

This question was closed by the author
