
Errors after virus removal(s)


Original Message
Name: blue87z
Date: August 19, 2002 at 22:30:20 Pacific
Subject: Errors after virus removal(s)
Comment:

I'm trying to clean up a PC running Windows 98SE. After initial discussion with customer, I was pretty sure the machine had a virus (or viruses).

I ran housecall.antivirus.com and found the following 6 viruses (plus duplicates and then some)...

1) Wscript.Kak (removed okay) - used removal tool from www.symantec.com.

2) Worm_Klez (Trojan, was removed on reboot per anti-virus software)

3) Magistr.B (59 infected files!!!) - this was truly the W32.Magistr.39921@mm virus. Software removed all but 2 of them - I'll come back to this in a bit.

4) Magistr.B.Dam (name ?, haven't heard of this one and couldn't find any help on net? - found 5 infected files), all 5 said not-cleanable so I deleted the files per the instructions.

5) JS Kakworm.A (I believe the JS stands for JavaScript, but I may be wrong. Software found 2 infected files and marked them as non-cleanable, so I deleted them also.)

6) PE ELKern.D (found 3 infected files and cleaned them automatically)

After this, the 2 files mentioned in #3 above said they couldn't be fixed and needed to be deleted (and I did delete them) and manually added back by user (if these files are needed). These 2 files were:
C:\Windows\System\sage.exe
C:\Windows\System\fixmapi.exe

Now there appears to be only 2 small problems left and it looks as if all viruses are gone.

FIRST PROBLEM:
The Windows Welcome Screen (you know, the screen that you get when you first install Windows) displays on every startup. I've unchecked the box in the lower left-hand corner each and every time and it's supposed to not display it the next time you start up, but it does. I can't get rid of this? Any ideas?

SECOND PROBLEM
Upon startup, I get an illegal operation on the Runonce.exe file? Could there still be a virus? I re-ran both Norton (with updates) and housecall.antivirus.com and both show a clean system? Any ideas on this? Could the file be damaged or something? If so, how can I repair it? Is it pointing to a file that I deleted? Do I need this runonce.exe file? Should I delete it in C:\xxx\xxxx (wherever I find it) and in the registry?

Thank you in advance for any assistance that you give.




Response Number 1
Name: blue87z
Date: August 19, 2002 at 22:41:14 Pacific

In reading several other posts out here, I also ran a startup log. I don't know how to read every bit of this info, but in case it helps someone else, I'm posting this info as well:


---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 08-20-2002 12:35:27.64a
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.56) - Release Date 3/11/2002

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="c:\\windows\\taskmon.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SystemTray"="systray.exe"
"EM_EXEC"="c:\\mouse\\system\\em_exec.exe"
"CountrySelection"="pctptt.exe"
"PTSNOOP"="ptsnoop.exe"
"CPQInet"="c:\\compaq\\CPQInet\\CpqInet.exe"
"cpqns"="c:\\compaq\\cpqinet\\cpqnpcss.exe"
"Service Connection"="c:\\cpqs\\bwtools\\sccenter.exe"
"CPQEASYACC"="C:\\Program Files\\Compaq\\Easy Access Button Support\\cpqeadm.exe"
"EACLEAN"="C:\\Program Files\\Compaq\\Easy Access Button Support\\eaclean.exe"
"CompaqPrinTray"="PrinTray.exe"
"CIJ3P2PSERVER"="CIJ3P2PS.EXE"
"cAg0u"="C:\\WINDOWS\\SYSTEM\\03FA7420.hta"
"Keyboard"="C:\\WINDOWS\\OPTIONS\\CABS\\keyboard.exe"
"LoadQM"="loadqm.exe"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="c:\\windows\\SYSTEM\\mstask.exe"
"isdbdc"="c:\\compaq\\internet\\isdbdc.exe"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

@if exist C:\WININST0.400\SuWarn.Bat call C:\WININST0.400\SuWarn.Bat
@if exist C:\WININST0.400\SuWarn.Bat del C:\WININST0.400\SuWarn.Bat
@C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCAN.EXE C:\
@IF ERRORLEVEL 1 PAUSE
@ECHO OFF


C:\ESSAUDIO.COM
@echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Works Calendar Reminders.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\MSN Internet Access.lnk

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"StubPath"="c:\\windows\\SYSTEM\\ie4uinit.exe"
"StubPath"="c:\\windows\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="c:\\windows\\COMMAND\\sulfnbk.exe /L"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:WIN9X /user /install"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:WIN9X /user /install"

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

@echo off
c:\mouse\mouse.exe
LH C:\WINDOWS\COMMAND\MSCDEX.EXE /D:IDECD001 /M:12
C:\ESSAUDIO.COM


-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
(name) (type) (size)(modified)(time)
wininit bak 1,151 08-19-02 10:44p
-=================-

[rename]
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\CORECOMP.INI
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\CTL3D32.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\75CCB6.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\BBRD1.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\ISUNINST.EXE
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\BBRD2.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\DLGPANL1.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\DLGPANL2.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\LICENSE.TXT
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\INSTSCAN.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\N32CALL.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\NAVEX32A.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\NAVINS~1.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\NAVKRNLK.VXD
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\NSPLUGIN.INI
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\NSPLUGIN.EXE
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\S32NAVK.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\VIRSCAN1.DAT
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\VIRSCAN2.DAT
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\VIRSCAN3.DAT
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\VIRSCAN4.DAT
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\VALUE.SHL
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\75CCB2.DLL
NUL=C:\WINDOWS\TEMP\_INS5176._MP
NUL=C:\WINDOWS\TEMP\ZDATAI51.DLL
NUL=C:\WINDOWS\TEMP\_WUTL951.DLL
-=================-
WININIT.INI File - (c:\windows\wininit.ini)
(name) (type) (size)(modified)(time)
wininit ini 43 08-20-02 12:34a
-=================-

[rename]
NUL=c:\windows\TEMP\GLB1A2B.EXE
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\CURVES~1.SCR

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=c:\windows\TEMP
TEMP=C:\windows\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;c:\windows;c:\windows\COMMAND
COMSPEC=C:\COMMAND.COM
windir=C:\WINDOWS

File - c:\WinBoot.ini
File - c:\windows\Wininit.ini
File - c:\windows\Wininit.bak
File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -



Response Number 2
Name: blue87z
Date: August 19, 2002 at 22:59:06 Pacific

Follow-up...

Okay, using the Startup Log, I see that "kak.hta" is in the autoexec.bat file. I found the instructions at www.symantec.com related to the Wscript.Kakworm virus that I removed earlier. I don't think this was hurting anything, but I cleaned it out of the autoexec file anyway per the instructions.

However, the same 2 problems continue? Please help.



Response Number 3
Name: DBPowerWCRulez
Date: August 20, 2002 at 00:44:45 Pacific

It looks like a trojan planted the following list:

1. HKLM Run - Registry
"CIJ3P2PSERVER"="CIJ3P2PS.EXE"
"cAg0u"="C:\\WINDOWS\\SYSTEM\\03FA7420.hta"

9. AUTOEXEC.BAT File - (c:\autoexec.bat)
@echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta


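A way to triage a log in this format mechanically, as an added example rather than anything from the thread or the StartUp Log tool: it parses the registry values and autoexec.bat commands out of a constructed excerpt and flags the kinds of entries Response 3 points at. The three rules are heuristics to prompt a closer look, not a verdict on the entry.

```python
import re

# Constructed excerpt in the StartUp Log layout posted in the thread (not the poster's full log).
SAMPLE_LOG = r"""
1. HKLM Run - Registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="c:\\windows\\taskmon.exe"
"cAg0u"="C:\\WINDOWS\\SYSTEM\\03FA7420.hta"
"CIJ3P2PSERVER"="CIJ3P2PS.EXE"
9. AUTOEXEC.BAT File - (c:\autoexec.bat)
@C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
@echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta
"""

SECTION_RE = re.compile(r"^\d+\. (.+?) - ")          # "9. AUTOEXEC.BAT File - (...)"
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")          # "[HKEY_LOCAL_MACHINE\...\Run]"
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')         # "name"="command"
HTA_RE = re.compile(r"\.hta\b", re.I)
HEXNAME_RE = re.compile(r"[\\/][0-9A-F]{8}\.[a-z]{3}\b", re.I)
STARTUP_DIR_RE = re.compile(r"(STARTM~1|Start Menu)\\Programs\\StartUp\\", re.I)

def parse_startup_log(text):
    """Yield (location, name, value) for registry values and autoexec.bat commands."""
    location, reg_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            location, reg_key = m.group(1), None
            continue
        m = KEY_RE.match(line)
        if m:
            reg_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and reg_key:
            # The log writes registry data in .reg style, so "\\" means one backslash.
            yield reg_key, m.group(1), m.group(2).replace("\\\\", "\\")
        elif location and location.startswith("AUTOEXEC.BAT"):
            yield "AUTOEXEC.BAT", "", line

def classify(location, value):
    """Heuristic reasons an entry deserves a closer look; empty means nothing matched."""
    reasons = []
    if HTA_RE.search(value):
        reasons.append("an HTML Application (.hta) is run at startup through mshta.exe")
    if HEXNAME_RE.search(value):
        reasons.append("target file has a random-looking eight-digit hex name")
    if location == "AUTOEXEC.BAT" and STARTUP_DIR_RE.search(value):
        reasons.append("autoexec.bat writes to or deletes a file in the StartUp folder")
    return reasons

def suspicious_entries(text):
    """Return the StartUp Log entries that trip at least one heuristic."""
    found = []
    for location, name, value in parse_startup_log(text):
        if reasons := classify(location, value):
            found.append({"location": location, "name": name, "value": value, "reasons": reasons})
    return found
```

Run over the constructed log it reports the `cAg0u` Run value and the two kak.hta lines in autoexec.bat and stays quiet on TaskMonitor, NAVDX and CIJ3P2PS.EXE, which a reviewer still has to judge by hand.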

Response Number 4
Name: blue87z
Date: August 20, 2002 at 06:25:44 Pacific

Thanks DBPowerWCRulez, but I have a question:

In line 1, do I simply just delete both of these items in the registry or do I modify them to say something else? If you know the proper removal instructions, please state them or point me in the right direction.

In line 9, I deleted both of these lines in the c:\autoexec.bat file.

Do you think fixing the registry (line 1) will fix both of the problems I'm still having with the Runonce.exe Illegal operation and the Welcome to Windows message showing up every time?



Response Number 5
Name: dorfen
Date: August 20, 2002 at 06:57:23 Pacific

For future use, try downloading Startup Control Panel from cnet.com.
It queries the autoexec, registry and all startup locations for you and gives you a graphical user interface that shows the program calling the script and its location, with a simple check/uncheck interface, so that it is not actually deleting the line, it's only remming it out; if you do need to re-enable it you can re-checkmark it. It also allows you to right-click the entry and delete it, but I don't recommend that until after several reboots and you're sure you don't need the file.

As far as these removal tools go,

I hope you realize you almost always have to run them from DOS or safe mode..




Response Number 6
Name: Imp
Date: August 20, 2002 at 09:02:06 Pacific

Hello,
I never heard about a computer corrupted with so many viruses at the same time!!!!
I see many answers to this question; as trojans are so difficult to remove, why don't you try a product which does it alone for you, such as TrojanRemover listed here in post n° 1856..........



Response Number 7
Name: blue87z
Date: August 20, 2002 at 16:39:42 Pacific

Imp:

I couldn't believe the software found this many viruses. I had seen the post for the TrojanRemover in another post so I have already downloaded the software. I won't get home until late tonight, but it'll be the first thing I try. However, I have a feeling that the 2 problems that this PC is still experiencing aren't going to go away?

I'll report back (hopefully by midnight tonight:) and let you know. If the Trojan Remover doesn't fix the 2 errors, I'm wondering if I should post this help in the Win9x section now?



Response Number 8
Name: blue87z
Date: August 20, 2002 at 19:06:43 Pacific

To: Imp

I installed the TrojanRemover 4.8, ran it, and it didn't detect anything. I think the actual file that was infected was removed previously and apparently this software doesn't see anything wrong in item 1 (see response 1/Startup log above)?

So I manually removed these from the registry.

However, both of the problems stated in my initial post still show up?

Anyone else have any ideas?



Response Number 9
Name: blue87z
Date: August 20, 2002 at 20:57:38 Pacific

UPDATE:
I decided to simply remove the file Welcome.exe from C:\Windows - this stopped the Welcome screen from coming back permanently!!!

However, I still can't figure out the Runonce.exe illegal operation? (which also says invalid page fault?)



Response Number 10
Name: DBPowerWCRulez
Date: August 22, 2002 at 22:46:41 Pacific

Hi there. The runonce.exe could be anywhere in the registry file, so run Regedit and FIND runonce.exe to see any suspect line that isn't touching the others (used for system files and software).

Post back here the list of runonce.exe registry finds, only the suspect lines.

