ID a Virus

#1
Guest

A Windows 98SE OS will boot to a blank green screen with a small black box with bubbles. The bubbles look like standard Windows wallpaper. No program icons, no start bar and the only program running in Task Manager is devldr16. I have run Norton 2003 Rescue by booting to that CD and it found no viruses. Is this a virus, worm or Trojan? Or is it a corrupted OS? I ran scandisk from the A: prompt and it found nothing. Please advise if additional info is needed.

Thanks for the assistance

Unbundled Loop

#2
Guest

On Sat, 28 Jun 2003 20:08:11 -0500, Unbundled Loop <kjakers@msn.com> wrote:

> A Windows 98SE OS will boot to a blank green screen with a small black box
> with bubbles. The bubbles look like standard Windows wallpaper. No program
> icons, no start bar and the only program running in Task Manager is
> devldr16. I have run Norton 2003 Rescue by booting to that CD and it found
> no viruses. Is this a virus, worm or Trojan? Or is it a corrupted OS? I ran
> scandisk from the A: prompt and it found nothing. Please advise if
> additional info is needed.

A search on devldr16 shows that it's a creative labs driver, that provides sound blaster emulation for dos programs.

According to http://www.utdallas.edu/ir/tcs/tech...rus_id.txt.html it's also been known to be associated with W32/Magistr.a@MM.

According to http://vil.nai.com/vil/content/v_99040.htm as well as mass mailing, the payload includes

=========
= W32/Magistr@MM has a payload routine that, on some
= systems, may result in cmos/bios info being erased
= as well as destroying sectors on the hard dis
=========

Can you boot to safe mode, to run msconfig? If so, try disabling all startup items, so you can hopefully boot normally, and run an online scan, for more info.

Regards, Dave Hodgins

#3
Guest

Yes, I did boot to Safe Mode. It too has a blank green screen with Safe Mode at the top two corners, nothing in the bottom two corners, no icons, and no Start bar.

"David W. Hodgins" <dhodgin1661@rogers.com> wrote in message news prrh9squkzpegei@nntp...
> On Sat, 28 Jun 2003 20:08:11 -0500, Unbundled Loop <kjakers@msn.com> wrote:
>
> > A Windows 98SE OS will boot to a blank green screen with a small black box
> > with bubbles. The bubbles look like standard Windows wallpaper. No program
> > icons, no start bar and the only program running in Task Manager is
> > devldr16. I have run Norton 2003 Rescue by booting to that CD and it found
> > no viruses. Is this a virus, worm or Trojan? Or is it a corrupted OS? I ran
> > scandisk from the A: prompt and it found nothing. Please advise if
> > additional info is needed.
>
> A search on devldr16 shows that it's a creative labs driver, that provides
> sound blaster emulation for dos programs.
>
> According to http://www.utdallas.edu/ir/tcs/tech...rus_id.txt.html
> it's also been known to be associated with W32/Magistr.a@MM.
>
> According to http://vil.nai.com/vil/content/v_99040.htm
> as well as mass mailing, the payload includes
> =========
> = W32/Magistr@MM has a payload routine that, on some
> = systems, may result in cmos/bios info being erased
> = as well as destroying sectors on the hard dis
> =========
>
> Can you boot to safe mode, to run msconfig? If so,
> try disabling all startup items, so you can hopefully
> boot normally, and run an online scan, for more info.
>
> Regards, Dave Hodgins

#4
Guest

On Sat, 28 Jun 2003 20:56:51 -0500, Unbundled Loop <kjakers@msn.com> wrote:

> Yes, I did boot to Safe Mode. It too has a blank green screen with Safe Mode
> at the top two corners, nothing in the bottom two corners, no icons, and no
> Start bar.

Try booting from a known clean dos floppy, and running f-prot, with up-to-date def files.

You can use http://www.epix.net/~artnpeg/F-pup.exe from Art's page, to simplify the process of creating an emergency boot disk, and floppy copies of f-prot.

Regards, Dave Hodgins

#5
Guest

"Unbundled Loop" <kjakers@msn.com> wrote:

> Yes, I did boot to Safe Mode. It too has a blank green screen with Safe Mode
> at the top two corners, nothing in the bottom two corners, no icons, and no
> Start bar.

Hmmmmm -- this _might_ be due to registry corruption.

You can revert to a previous version of the registry -- this MS KnowledgeBase article describes the procedure:

http://support.microsoft.com/defaul...kb;EN-US;183887

However, I would not do that until you are fairly sure that this is really the problem (though, if you have not recently installed any new hardware or software it should not cause any "problems" beyond reverting personal settings, MRU lists and the like to their state as of the backup point you restore from).

I'm not sure how to advise you to determine that what you are seeing really is due to registry corruption -- it's often as much one of those "gut feeling" things as anything.

I recently saw a machine that turned out to have a bad disk sector near the end of USER.DAT (part of the registry). Surprisingly though, Windows started just fine, despite the disk system error being "obvious" if you booted to DOS and tried to copy that file. Well, by fine, I mean without complaining or raising any error, because it clearly had "lost" some rather critical user settings. Once the "silent" disk error was discovered this was easily fixed by booting to DOS, renaming USER.DAT, marking it system and hidden so it would not be moved by future defrags and thus "protecting" the bad sector from getting back into "usable" free disk space and restoring the registry (as per the above) to the most recent backup before the problem started. The trick in that case was discovering the disk error, as the assumption that something that critical to the proper functioning of the system would be brought to your attention was, as is so often the case with MS systems, quite unreasonable...

About a week later I saw another machine that was not quite working properly in Safe Mode, and was really screwed under a normal system boot. Again, it turned out to be a corrupted registry -- this time SYSTEM.DAT. It seemed, from looking through the file with a hex viewer, that SYSTEM.DAT _had been_ (it certainly was not in that state when I first got the machine to look at) cross-linked with an INI file. My guess was that this "fault" was caused due to a crash (or perhaps more accurately, due to memory corruption before, but leading to, the crash) and incorrectly "fixed" by the automatic scandisk/chkdsk "run in auto-fix mode" during the subsequent system restart. Again, no warning from the OS that, in reading through the single most critical configuration file on the whole machine, it had struck a patch of utter gibberish that was clearly not supposed to be there...

The symptoms that led me to eventually track both these down were very indistinct (and very different between the two cases) -- mostly things that were "just wrong" and should not (be able to) work the way they were. For example, on the second machine mentioned above, a Toshiba laptop with built-in AccuPoint and an 800x600 LCD screen, Windows insisted there was only a PS/2 connected mouse, could not be made to see the AccuPoint for what it really was (though it worked well-enough as an AccuPoint appears minimally like a PS/2-connected two-button mouse), could not see a real PS/2 mouse plugged into the PS/2 port (even with the AccuPoint disabled in the BIOS or with "dual" or "auto-detect" mode set), and neither the video adapter type (which was wrong but luckily worked on the actual adapter in the machine in the 640x480 mode that it insisted on running), nor its mode, could not be changed.

--
Nick FitzGerald

#6
Guest

I will try David's Antivirus solution first. If I don't get a positive result I'll move on to Nick's registry fix. These outcomes will determine whether I come groveling for additional help.

Thank you to the group!

Unbundled Loop

"Nick FitzGerald" <nick@virus-l.demon.co.uk> wrote in message news:3efe5e0e@clear.net.nz...
> "Unbundled Loop" <kjakers@msn.com> wrote:
>
> > Yes, I did boot to Safe Mode. It too has a blank green screen with Safe Mode
> > at the top two corners, nothing in the bottom two corners, no icons, and no
> > Start bar.
>
> Hmmmmm -- this _might_ be due to registry corruption.
>
> You can revert to a previous version of the registry -- this MS
> KnowledgeBase article describes the procedure:
>
> http://support.microsoft.com/defaul...kb;EN-US;183887
>
> However, I would not do that until you are fairly sure that this is
> really the problem (though, if you have not recently installed any
> new hardware or software it should not cause any "problems" beyond
> reverting personal settings, MRU lists and the like to their state as
> of the backup point you restore from).
>
> I'm not sure how to advise you to determine that what you are seeing
> really is due to registry corruption -- it's often as much one of
> those "gut feeling" things as anything.
>
> I recently saw a machine that turned out to have a bad disk sector
> near the end of USER.DAT (part of the registry). Surprisingly though,
> Windows started just fine, despite the disk system error being
> "obvious" if you booted to DOS and tried to copy that file. Well,
> by fine, I mean without complaining or raising any error, because it
> clearly had "lost" some rather critical user settings. Once the
> "silent" disk error was discovered this was easily fixed by booting
> to DOS, renaming USER.DAT, marking it system and hidden so it would
> not be moved by future defrags and thus "protecting" the bad sector
> from getting back into "usable" free disk space and restoring the
> registry (as per the above) to the most recent backup before the
> problem started. The trick in that case was discovering the disk
> error, as the assumption that something that critical to the proper
> functioning of the system would be brought to your attention was, as
> is so often the case with MS systems, quite unreasonable...
>
> About a week later I saw another machine that was not quite working
> properly in Safe Mode, and was really screwed under a normal system
> boot. Again, it turned out to be a corrupted registry -- this time
> SYSTEM.DAT. It seemed, from looking through the file with a hex
> viewer, that SYSTEM.DAT _had been_ (it certainly was not in that
> state when I first got the machine to look at) cross-linked with an
> INI file. My guess was that this "fault" was caused due to a crash
> (or perhaps more accurately, due to memory corruption before, but
> leading to, the crash) and incorrectly "fixed" by the automatic
> scandisk/chkdsk "run in auto-fix mode" during the subsequent system
> restart. Again, no warning from the OS that, in reading through the
> single most critical configuration file on the whole machine, it had
> struck a patch of utter gibberish that was clearly not supposed to
> be there...
>
> The symptoms that led me to eventually track both these down were
> very indistinct (and very different between the two cases) -- mostly
> things that were "just wrong" and should not (be able to) work the
> way they were. For example, on the second machine mentioned above,
> a Toshiba laptop with built-in AccuPoint and an 800x600 LCD screen,
> Windows insisted there was only a PS/2 connected mouse, could not be
> made to see the AccuPoint for what it really was (though it worked
> well-enough as an AccuPoint appears minimally like a PS/2-connected
> two-button mouse), could not see a real PS/2 mouse plugged into the
> PS/2 port (even with the AccuPoint disabled in the BIOS or with
> "dual" or "auto-detect" mode set), and neither the video adapter
> type (which was wrong but luckily worked on the actual adapter in
> the machine in the 640x480 mode that it insisted on running), nor
> its mode, could not be changed.
>
> --
> Nick FitzGerald

#7
Guest

On Sat, 28 Jun 2003 20:56:51 -0500, "Unbundled Loop" <kjakers@msn.com> wrote:

>Yes, I did boot to Safe Mode. It too has a blank green screen with Safe Mode
>at the top two corners, nothing in the bottom two corners, no icons, and no
>Start bar.

Have you maladjusted the vertical control on your monitor perhaps?

Bart

#8
Guest

On that special day, Bart Bailey, (bartman@nethere.net) said...

> >Yes, I did boot to Safe Mode. It too has a blank green screen with Safe Mode
> >at the top two corners, nothing in the bottom two corners, no icons, and no
> >Start bar.
>
> Have you maladjusted the vertical control on your monitor perhaps?

He can easily check this by hitting the "Window" key on the keyboard, which activates the Start button, so that the start menu should go up. Another working key combination is Ctrl-Esc.

Gabriele Neukam

Gabriele.Neukam@t-online.de

--
Ah, Information. A good, too valuable these days, to give it away, just so, at no cost.

#9
Guest

Folks,

I'm sunk. I can hit the "Windows" key and I get 32kernel error which locks the system up. I have found no viruses and the restore of the registry yielded no results. I'd guess a low level format and reloading the OS may be next?

Unbundled Loop

"Gabriele Neukam" <Gabriele.Neukam@t-online.de> wrote in message news:bdn94o$nf1$04$1@news.t-online.com...
> On that special day, Bart Bailey, (bartman@nethere.net) said...
>
> > >Yes, I did boot to Safe Mode. It too has a blank green screen with Safe Mode
> > >at the top two corners, nothing in the bottom two corners, no icons, and no
> > >Start bar.
> >
> > Have you maladjusted the vertical control on your monitor perhaps?
>
> He can easily check this by hitting the "Window" key on the keyboard,
> which activates the Start button, so that the start menu should go up.
> Another working key combination is Ctrl-Esc.
>
> Gabriele Neukam
>
> Gabriele.Neukam@t-online.de
>
> --
> Ah, Information. A good, too valuable these days, to give it away, just
> so, at no cost.

#10
Guest

Bitstring <8tKLa.147$4U3.99636@news.uswest.net>, from the wonderful person Unbundled Loop <kjakers@msn.com> said

>Folks,
>I'm sunk. I can hit the "Windows" key and I get 32kernel error which locks
>the system up. I have found no viruses and the restore of the registry
>yielded no results. I'd guess a low level format and reloading the OS may be
>next?

Try a repair install first - no point throwing away your user data and installed applications if you don't need to. Boot from CD, take install, and when it gives you the choice, repair the current installation.

--
GSV Three Minds in a Can
Outgoing Msgs are Turing Tested, and indistinguishable from human typing.