Computer Security - Is this a virus or what..

#1

I've had a computer online today for a few hours as I do nearly every day. At some point I left for a few hours. Next time I look at this machine (I use a kvm between several machines) I see a black screen with a rectangular (about 1/ in by 1/3 in) face. Or at least 2 dots in a rectangle that look like they might represent eyes and a couple of lines close together that could pass for a mouth. It's an ascii looking drawing. Cursor is blinking right next to it on the right.

The object appears about 1/3 screen width from bottom left inward.

Any attempt to boot gets past the bios display and then up comes the little face. Pressing any keys causes it to jump to the top and settle back down.

The machine is running an up-to-date service pack 1 (not sp2) and is a winxp pro, but from a cd that was released before sp2.

I thought I might try rewriting the boot record since whatever this is is active before an OS is running, but thought first maybe a good idea to find out if this is a known virus/worm or whatever. The machine is shut down and I'm wondering if my other 5 machines on same network are in jeopardy now.

I have an older symantec system works (2004) installed on that machine with today's virus updates, but not sure how to use them to scan the machine from a floppy or rescue cd.

Harry Putnam

#2

On Fri, 01 Apr 2005 02:14:40 GMT, Harry Putnam <> wrote:

>I've had a computer online today for a few hours as I do nearly every
>day. At some point I left for a few hours. Next time I look at this
>machine (I use a kvm between several machines) I see a black screen
>with a rectangular (about 1/ in by 1/3 in) face. Or at least 2 dots
>in a rectangle that look like they might represent eyes and a couple
>of lines close together that could pass for a mouth. It's an ascii
>looking drawing. Cursor is blinking right next to it on the right.
>
>The object appears about 1/3 screen width from bottom left inward.
>
>Any attempt to boot gets past the bios display and then up comes the
>little face. Pressing any keys causes it to jump to the top and
>settle back down.
>
>The machine is running an up-to-date service pack 1 (not sp2) and is a
>winxp pro, but from a cd that was released before sp2.
>
>I thought I might try rewriting the boot record since whatever this is
>is active before an OS is running, but thought first maybe a good idea
>to find out if this is a known virus/worm or whatever. The machine is
>shut down and I'm wondering if my other 5 machines on same network are
>in jeopardy now.
>
>I have an older symantec system works (2004) installed on that machine
>with today's virus updates, but not sure how to use them to scan the
>machine from a floppy or rescue cd.

Can you take a screenshot and upload it somewhere so we can look at it?

--
Regards,
Ian Kenefick
www.ik-cs.com/got-a-virus.htm

#3

Harry Putnam wrote:

> I've had a computer online today for a few hours as I do nearly every
> day. At some point I left for a few hours. Next time I look at this
> machine (I use a kvm between several machines) I see a black screen
> with a rectangular (about 1/ in by 1/3 in) face. Or at least 2 dots
> in a rectangle that look like they might represent eyes and a couple
> of lines close together that could pass for a mouth. It's an ascii
> looking drawing. Cursor is blinking right next to it on the right.
>
> The object appears about 1/3 screen width from bottom left inward.
>
> Any attempt to boot gets past the bios display and then up comes the
> little face. Pressing any keys causes it to jump to the top and
> settle back down.
>
> The machine is running an up-to-date service pack 1 (not sp2) and is a
> winxp pro, but from a cd that was released before sp2.
>
> I thought I might try rewriting the boot record since whatever this is
> is active before an OS is running, but thought first maybe a good idea
> to find out if this is a known virus/worm or whatever. The machine is
> shut down and I'm wondering if my other 5 machines on same network are
> in jeopardy now.
>
> I have an older symantec system works (2004) installed on that machine
> with today's virus updates, but not sure how to use them to scan the
> machine from a floppy or rescue cd.

I am not aware of a virus or worm that does specifically what you mention. It may be the guy inside the monitor is trying to get out! I suspect that someone may be playing a "joke" but not sure who.

Question: Can you get into the BIOS?
Question: Did you lock the terminal when you left?
Question: Did anyone knowledgeable have physical access to the machine?
Question: Are the floppy drive and CD drives empty?
Question: Are you using an encrypted KVM?
Question: Is the KVM isolated from the Internet?

I would be very careful about rewriting anything.

I suspect "someone" placed an entry in your boot.ini (c:\)

Whatever it is, it sounds like something loading before the boot.ini calls the win OS. There is the IO.sys or the MSDOS.sys (typically a 0 byte hidden system file) that is called before boot.ini but suspect the jokester probably placed something in or replaced the boot.ini calling a local file. This is a hidden system file. Hopefully they just added an entry versus replacing the file, but if kvm was accessed remotely they probably replaced this file. Please bear in mind, these are guesses.

Boot off the windows CD ROM and select boot to command safe mode and look at those files. If that ain't it, good luck. You may end up rebuilding the system.

Some time ago I read about a hack where the bios was flashed with code doing something similar (might have been a virus, can't remember now), but that was long ago, the details are dimmed with time, and I would think someone would need to know an awful lot about your system to do this successfully. Since you see the BIOS display I doubt this is the issue, but a simple check would be to enter into the bios on bootup; if it appears normal, look at the init files above.

While this type of sick humor ain't funny if you're the victim, I kind of got a chuckle thinking of how to do it, sorry bout that.

winged

#4

winged <> writes:

Boy do I feel stupid.... I put this question on the microsoft.public.windowsxp.generl group too.

A fellow there said to make sure I didn't leave a floppy in.

When I saw his answer I knew immediately I'd done a very stupid thing and forgot to check that...

Oh well, my wife got a good horse laugh out of it....

There was a blank floppy in the drive..

#5

On Fri, 01 Apr 2005 10:42:24 +0000, Harry Putnam wrote:

> winged <> writes:
>
> Boy do I feel stupid.... I put this question on the
> microsoft.public.windowsxp.generl group too.
>
> A fellow there said to make sure I didn't leave a floppy in.
>
> When I saw his answer I knew immediately I'd done a very stupid thing
> and forgot to check that...
>
> Oh well, my wife got a good horse laugh out of it....
>
> There was a blank floppy in the drive..

I'd check further than that. All that should have happened was a failure to boot to the OS with a message of an improper boot disk and to remove the disk. I'd be looking for a back door trojan.

#6

Candi Simms wrote:

> On Fri, 01 Apr 2005 10:42:24 +0000, Harry Putnam wrote:
>
>>winged <> writes:
>>
>>Boy do I feel stupid.... I put this question on the
>>microsoft.public.windowsxp.generl group too.
>>
>>A fellow there said to make sure I didn't leave a floppy in.
>>
>>When I saw his answer I knew immediately I'd done a very stupid thing
>>and forgot to check that...
>>
>>Oh well, my wife got a good horse laugh out of it....
>>
>>There was a blank floppy in the drive..
>
> I'd check further than that. All that should have happened was a failure
> to boot to the OS with a message of an improper boot disk and to remove
> the disk. I'd be looking for a back door trojan.

Or the junkie-virus...

#7

On Fri, 01 Apr 2005 02:14:40 GMT, Harry Putnam <> wrote:

>I've had a computer online today for a few hours as I do nearly every
>day. At some point I left for a few hours. Next time I look at this
>machine (I use a kvm between several machines) I see a black screen
>with a rectangular (about 1/ in by 1/3 in) face. Or at least 2 dots
>in a rectangle that look like they might represent eyes and a couple
>of lines close together that could pass for a mouth. It's an ascii
>looking drawing. Cursor is blinking right next to it on the right.
>
>The object appears about 1/3 screen width from bottom left inward.
>
>Any attempt to boot gets past the bios display and then up comes the
>little face. Pressing any keys causes it to jump to the top and
>settle back down.
>
>The machine is running an up-to-date service pack 1 (not sp2) and is a
>winxp pro, but from a cd that was released before sp2.
>
>I thought I might try rewriting the boot record since whatever this is
>is active before an OS is running, but thought first maybe a good idea
>to find out if this is a known virus/worm or whatever. The machine is
>shut down and I'm wondering if my other 5 machines on same network are
>in jeopardy now.
>
>I have an older symantec system works (2004) installed on that machine
>with today's virus updates, but not sure how to use them to scan the
>machine from a floppy or rescue cd.

find for free what you need to check 'n clean your machine,... and then... protect it,... and keep it protected

http://www.nondisputandum.com/html/system_cleaning.html
http://www.nondisputandum.com/html/anti_spyware.html
http://www.nondisputandum.com/html/anti_virus.html

g'luck

--
www.nondisputandum.com - soft reviews:
freeware to Protect & Clean your PC
freeware Office tools & Webbuilding aid
+ the Internet Addiction Test