Is this a virus or what..

Discussion in 'Computer Security' started by Harry Putnam, Apr 1, 2005.

  1. Harry Putnam

    Harry Putnam Guest

    I've had a computer on line today for a few hours as I do nearly every
    day. At some point I left for a few hours. Next time I look at this
    machine (I use a kvm between several machines) I see a black screen
    with a rectangular (about 1/ in by 1/3 in) face. Or at least 2 dots
    in a rectangle that look like they might represent eyes and a couple
    of lines close together that could pass for a mouth. It's an ascii
    looking drawing. Cursor is blinking right next to it on the right.

    The object appears about 1/3 screen width from bottom left inward.

    Any attempt to boot gets past the bios display and then up comes the
    little face. Pressing any keys causes it to jump to the top and
    settle back down.

    The machine is running an up-to-date service pack 1 (not sp2) and is a
    winxp pro, but from a cd that was released before sp2.

    I thought I might try rewriting the boot record since whatever this is
    is active before an OS is running, but thought first maybe a good idea
    to find out if this is a known virus/worm or whatever. The machine is
    shut down and I'm wondering if my other 5 machines on same network are
    in jeopardy now.

    I have an older symantec system works (2004) installed on that machine
    with today's virus updates, but not sure how to use them to scan the
    machine from a floppy or rescue cd.
    Harry Putnam, Apr 1, 2005
    #1

  2. On Fri, 01 Apr 2005 02:14:40 GMT, Harry Putnam <>
    wrote:

    >I've had a computer on line today for a few hours as I do nearly every
    >day. At some point I left for a few hours. Next time I look at this
    >machine (I use a kvm between several machines) I see a black screen
    >with a rectangular (about 1/ in by 1/3 in) face. Or at least 2 dots
    >in a rectangle that look like they might represent eyes and a couple
    >of lines close together that could pass for a mouth. It's an ascii
    >looking drawing. Cursor is blinking right next to it on the right.
    >
    >The object appears about 1/3 screen width from bottom left inward.
    >
    >Any attempt to boot gets past the bios display and then up comes the
    >little face. Pressing any keys causes it to jump to the top and
    >settle back down.
    >
    >The machine is running an up-to-date service pack 1 (not sp2) and is a
    >winxp pro, but from a cd that was released before sp2.
    >
    >I thought I might try rewriting the boot record since whatever this is
    >is active before an OS is running, but thought first maybe a good idea
    >to find out if this is a known virus/worm or whatever. The machine is
    >shut down and I'm wondering if my other 5 machines on same network are
    >in jeopardy now.
    >
    >I have an older symantec system works (2004) installed on that machine
    >with today's virus updates, but not sure how to use them to scan the
    >machine from a floppy or rescue cd.


    Can you take a screen shot and upload it somewhere so we can look at
    it?
    --

    Regards,
    Ian Kenefick
    www.ik-cs.com/got-a-virus.htm
    Ian JP Kenefick, Apr 1, 2005
    #2

  3. Harry Putnam

    winged Guest

    Harry Putnam wrote:
    > I've had a computer on line today for a few hours as I do nearly every
    > day. At some point I left for a few hours. Next time I look at this
    > machine (I use a kvm between several machines) I see a black screen
    > with a rectangular (about 1/ in by 1/3 in) face. Or at least 2 dots
    > in a rectangle that look like they might represent eyes and a couple
    > of lines close together that could pass for a mouth. It's an ascii
    > looking drawing. Cursor is blinking right next to it on the right.
    >
    > The object appears about 1/3 screen width from bottom left inward.
    >
    > Any attempt to boot gets past the bios display and then up comes the
    > little face. Pressing any keys causes it to jump to the top and
    > settle back down.
    >
    > The machine is running an up-to-date service pack 1 (not sp2) and is a
    > winxp pro, but from a cd that was released before sp2.
    >
    > I thought I might try rewriting the boot record since whatever this is
    > is active before an OS is running, but thought first maybe a good idea
    > to find out if this is a known virus/worm or whatever. The machine is
    > shut down and I'm wondering if my other 5 machines on same network are
    > in jeopardy now.
    >
    > I have an older symantec system works (2004) installed on that machine
    > with today's virus updates, but not sure how to use them to scan the
    > machine from a floppy or rescue cd.


    I am not aware of a virus or worm that does specifically what you
    mention. It may be the guy inside the monitor is trying to get out!

    I suspect that someone may be playing a "joke" but not sure whom.

    Question: Can you get into the BIOS?
    Question: Did you lock the terminal when you left?
    Question: Did anyone knowledgeable have physical access to the machine?
    Question: Is the floppy drive or CD drives empty?
    Question: Are you using an encrypted KVM?
    Question: Is the KVM isolated from the Internet?

    I would be very careful about rewriting anything. I suspect "someone"
    placed an entry in your boot.ini (c:\)

    Whatever it is, it sounds like something loading before the boot.ini
    calls the win OS. There is the IO.sys or the MSDOS.sys (typically a 0
    byte hidden system file) that is called before boot.ini but suspect the
    jokester probably placed something in or replaced the boot.ini calling a
    local file. This is a hidden system file. Hopefully they just added an
    entry versus replacing file, but if kvm was accessed remotely they
    probably replaced this file.

    Please bear in mind, these are guesses. Boot off the windows CD ROM and
    select boot to command safe mode and look at those files. If that
    ain't it, good luck. You may end up rebuilding the system. Some time
    ago I read about a hack where the bios was flashed with code doing
    something similar (might have been a virus can't remember now), but that
    was long ago, the details are dimmed with time, and I would think
    someone would need to know an awful lot about your system to do this
    successfully. Since you see the Bios display I doubt this is the issue,
    but simple check would be to enter into the bios on bootup, if it
    appears normal, look at the init files above.

    While this type of sick humor ain't funny if you're the victim, I kind of
    got a chuckle thinking of how to do it, sorry bout that.

    winged
    winged, Apr 1, 2005
    #3
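
The boot.ini check winged suggests above, as an added example that is not part of the original thread: a small Python audit that flags `[operating systems]` entries which load a file instead of an ARC path to a Windows directory. The sample file contents and the name `C:\unknown.bin` are constructed for illustration.

```python
import re

# ARC-style target that NTLDR resolves to a Windows installation directory.
ARC_RE = re.compile(r"^(multi|scsi|signature)\([0-9a-f]*\)disk\(\d+\)"
                    r"rdisk\(\d+\)partition\(\d+\)\\", re.IGNORECASE)

def parse_boot_ini(text):
    """Split boot.ini into [boot loader] settings and [operating systems] entries."""
    section, loader, entries = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, _, value = line.partition("=")
        if section == "boot loader":
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            entries.append((key.strip(), value.strip()))
    return loader, entries

def audit_boot_ini(text):
    """Return review findings; a finding means 'look at this', not 'malicious'."""
    loader, entries = parse_boot_ini(text)
    findings = []
    default = loader.get("default", "")
    if default.lower() not in [target.lower() for target, _ in entries]:
        findings.append(f"default target has no matching entry: {default!r}")
    for target, label in entries:
        # A non-ARC target makes NTLDR chain-load a boot-sector file
        # (the Recovery Console entry is a legitimate case of this).
        if not ARC_RE.match(target):
            findings.append(f"entry loads a boot-sector file: {target} = {label}")
    return findings

# Constructed sample: a stock XP entry plus one unexpected file entry.
SAMPLE = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\unknown.bin="Windows"
"""

if __name__ == "__main__":
    print("\n".join(audit_boot_ini(SAMPLE)) or "no findings")
```

Run it against a copy of boot.ini taken from the Windows CD's command prompt or from the disk mounted on another machine, so the file is read without booting the suspect install.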
  4. Harry Putnam

    Harry Putnam Guest

    winged <> writes:

    Boy do I feel stupid.... I put this question on the
    microsoft.public.windowsxp.general group too.

    A fellow there said to make sure I didn't leave a floppy in.

    When I saw his answer I knew immediately I'd done a very stupid thing
    and forgot to check that...

    Oh well, my wife got a good horse laugh out of it....

    There was a blank floppy in the drive..
    Harry Putnam, Apr 1, 2005
    #4
  5. Harry Putnam

    Candi Simms Guest

    On Fri, 01 Apr 2005 10:42:24 +0000, Harry Putnam wrote:

    > winged <> writes:
    >
    > Boy do I feel stupid.... I put this question on the
    > microsoft.public.windowsxp.general group too.
    >
    > A fellow there said to make sure I didn't leave a floppy in.
    >
    > When I saw his answer I knew immediately I'd done a very stupid thing
    > and forgot to check that...
    >
    > Oh well, my wife got a good horse laugh out of it....
    >
    > There was a blank floppy in the drive..


    I'd check further than that. All that should have happened was a failure
    to boot to the OS with a message of an improper boot disk and to remove
    the disk. I'd be looking for a back door trojan.
    Candi Simms, Apr 1, 2005
    #5
  6. Harry Putnam

    John Guest

    Candi Simms wrote:

    > On Fri, 01 Apr 2005 10:42:24 +0000, Harry Putnam wrote:
    >
    >
    >>winged <> writes:
    >>
    >>Boy do I feel stupid.... I put this question on the
    >>microsoft.public.windowsxp.general group too.
    >>
    >>A fellow there said to make sure I didn't leave a floppy in.
    >>
    >>When I saw his answer I knew immediately I'd done a very stupid thing
    >>and forgot to check that...
    >>
    >>Oh well, my wife got a good horse laugh out of it....
    >>
    >>There was a blank floppy in the drive..

    >
    >
    > I'd check further than that. All that should have happened was a failure
    > to boot to the OS with a message of an improper boot disk and to remove
    > the disk. I'd be looking for a back door trojan.
    >

    Or the junkie-virus...
    John, Apr 1, 2005
    #6
  7. On Fri, 01 Apr 2005 02:14:40 GMT, Harry Putnam <>
    wrote:

    >I've had a computer on line today for a few hours as I do nearly every
    >day. At some point I left for a few hours. Next time I look at this
    >machine (I use a kvm between several machines) I see a black screen
    >with a rectangular (about 1/ in by 1/3 in) face. Or at least 2 dots
    >in a rectangle that look like they might represent eyes and a couple
    >of lines close together that could pass for a mouth. It's an ascii
    >looking drawing. Cursor is blinking right next to it on the right.
    >
    >The object appears about 1/3 screen width from bottom left inward.
    >
    >Any attempt to boot gets past the bios display and then up comes the
    >little face. Pressing any keys causes it to jump to the top and
    >settle back down.
    >
    >The machine is running an up-to-date service pack 1 (not sp2) and is a
    >winxp pro, but from a cd that was released before sp2.
    >
    >I thought I might try rewriting the boot record since whatever this is
    >is active before an OS is running, but thought first maybe a good idea
    >to find out if this is a known virus/worm or whatever. The machine is
    >shut down and I'm wondering if my other 5 machines on same network are
    >in jeopardy now.
    >
    >I have an older symantec system works (2004) installed on that machine
    >with today's virus updates, but not sure how to use them to scan the
    >machine from a floppy or rescue cd.


    find for free what you need to check 'n clean your machine,... and
    then... protect it,... and keep it protected
    http://www.nondisputandum.com/html/system_cleaning.html
    http://www.nondisputandum.com/html/anti_spyware.html
    http://www.nondisputandum.com/html/anti_virus.html
    g'luck

    --
    www.nondisputandum.com - soft reviews:
    freeware to Protect & Clean your PC
    freeware Office tools & Webbuilding aid
    + the Internet Addiction Test ;-)
    NonDisputandum.com, Apr 1, 2005
    #7
