Is this a virus or what..


I've had a computer online today for a few hours, as I do nearly every
day.  At some point I left for a few hours.  Next time I look at this
machine (I use a KVM between several machines) I see a black screen
with a rectangular (about 1/ in by 1/3 in) face.  Or at least 2 dots
in a rectangle that look like they might represent eyes and a couple
of lines close together that could pass for a mouth.  It's an ASCII-looking
drawing.  The cursor is blinking right next to it on the right.

The object appears about 1/3 screen width from bottom left inward.

Any attempt to boot gets past the BIOS display and then up comes the
little face.  Pressing any keys causes it to jump to the top and
settle back down.

The machine is running an up-to-date Service Pack 1 (not SP2) and is a
WinXP Pro, but from a CD that was released before SP2.

I thought I might try rewriting the boot record, since whatever this is
is active before an OS is running, but thought first maybe a good idea
to find out if this is a known virus/worm or whatever.  The machine is
shut down and I'm wondering if my other 5 machines on the same network are
in jeopardy now.

I have an older Symantec System Works (2004) installed on that machine
with today's virus updates, but I'm not sure how to use them to scan the
machine from a floppy or rescue CD.

Re: Is this a virus or what..



Can you take a screenshot and upload it somewhere so we can look at

Ian Kenefick

Re: Is this a virus or what..

Harry Putnam wrote:

I am not aware of a virus or worm that does specifically what you
mention. It may be the guy inside the monitor is trying to get out!

I suspect that someone may be playing a "joke" but not sure whom.

Question:  Can you get into the BIOS?
Question:  Did you lock the terminal when you left?
Question:  Did anyone knowledgeable have physical access to the machine?
Question:  Is the floppy drive or CD drives empty?
Question:  Are you using an encrypted KVM?
Question:  Is the KVM isolated from the Internet?

I would be very careful about rewriting anything. I suspect "someone"
placed an entry in your boot.ini (c:\)

Whatever it is, it sounds like something loading before the boot.ini
calls the Win OS.  There is the IO.sys or the MSDOS.sys (typically a 0
byte hidden system file) that is called before boot.ini, but I suspect the
jokester probably placed something in or replaced the boot.ini calling a
local file. This is a hidden system file.  Hopefully they just added an
entry versus replacing the file, but if the KVM was accessed remotely they
probably replaced this file.

Please bear in mind, these are guesses.  Boot off the Windows CD-ROM and
select boot to command safe mode and look at those files.  If that
ain't it, good luck, you may end up rebuilding the system.  Some time
ago I read about a hack where the BIOS was flashed with code doing
something similar (might have been a virus, can't remember now), but that
was long ago, the details are dimmed with time, and I would think
someone would need to know an awful lot about your system to do this
successfully.  Since you see the BIOS display I doubt this is the issue,
but a simple check would be to enter into the BIOS on bootup; if it
appears normal, look at the init files above.

While this type of sick humor ain't funny if you're the victim, I kind of
got a chuckle thinking of how to do it, sorry bout that.


Re: Is this a virus or what..

Boy do I feel stupid.... I put this question on the
microsoft.public.windowsxp.general group too.

A fellow there said to make sure I didn't leave a floppy in.

When I saw his answer I knew immediately I'd done a very stupid thing
and forgot to check that...

Oh well, my wife got a good horse laugh out of it....

There was a blank floppy in the drive..

Re: Is this a virus or what..

On Fri, 01 Apr 2005 10:42:24 +0000, Harry Putnam wrote:


I'd check further than that.  All that should have happened was a failure
to boot to the OS with a message of an improper boot disk and to remove
the disk.  I'd be looking for a back door trojan.

Re: Is this a virus or what..

Candi Simms wrote:

Or the junkie-virus...

Re: Is this a virus or what..



find for free what you need to check 'n clean your machine,... and
then... protect it,... and keep it protected

-- - soft reviews:
  freeware to Protect & Clean your PC
  freeware Office tools & Webbuilding aid
+ the Internet Addiction Test ;-)
