Identifying an unknown virus


Windoze
12-17-2001, 10:54 PM
Hi everyone,

I am looking for help identifying a current virus, as well as tips to identify future viruses.

My current situation: two Windows NT 4.0 SP6 systems with an identical problem. Both have been operating fine for several months. Both systems had Norton Anti-Virus installed and updated with the Dec. 13, 2001 definitions. Today both systems displayed the same blue screen of death.

So the symptoms are:
Boot up the system, everything seems OK.
Can log on and start using software (if quick enough).
After the system has been running for less than a minute, a blue screen of death appears. This particular BSoD is unlike any other I have seen. Here is the short of it:

***STOP: (A long string of HEX addresses)
CPUID:Genuine Intel 6.8.6 irql:1f SYSVER 0xf0000565

There are then three columns - Dll Base - DateStmp - Name

There are about 50 or 60 entries in these columns.
Under the Dll Base column and the DateStmp column are simply hex addresses.
Under the Name column is a list of files. There is only one exe file, called ntoskrnl.exe. The rest of the files are all DLL and SYS files.

The last section of the BSoD reads:

Beginning dump of physical memory
Physical memory dump complete. Contact your system administrator or
technical support group.


So if anyone can identify this virus for me I would be very grateful. And any advice or suggestions on how to go about identifying an unknown virus would be very welcome. Yes, I did spend hours and hours on the Symantec website trying to find it. But with over 53,000 viruses I don't think I will live long enough to read through them all.

Thanks in advance for any help you may be able to offer.
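
One thing the stop screen above gives you that the Symantec search box does not is the loaded-module table itself: the DateStmp column is not an address but the PE link timestamp of each module (seconds since 1970, printed in hex), so the table tells you when every driver on the box was built. On an NT 4 SP6 machine that has not been patched in months, a kernel driver linked in the last few days, or one that is not on a known-good twin's list, is the thing to look at first. The script below is an added example for this thread, not code from the original post or from any vendor: it parses a transcribed stop-screen module table, decodes the timestamps, and diffs the list against a baseline. The sample stop screen, the base addresses and timestamps, the baseline list and the module name "unkn.sys" are all constructed for the example; the cutoff date is an assumption.

```python
"""Triage helper for the NT 4.0 stop-screen module table.

Added example, not code from the original post or any vendor. Assumes the
stop-screen text has been transcribed (or dumped from MEMORY.DMP with a
debugger) into plain text, and that a module list from a clean, identically
built machine is available as a baseline.
"""
import datetime
import re

# Constructed sample in the layout the post describes. NT 4 prints two
# "base stamp - name" entries per row. Module names are typical NT 4
# modules; addresses and timestamps are made up; "unkn.sys" is a hypothetical
# suspect standing in for whatever was dropped on the machine.
SAMPLE_STOP_SCREEN = """\
*** STOP: 0x0000001E (0xC0000005,0x80130000,0x00000000,0x00000000)
CPUID:Genuine Intel 6.8.6 irql:1f SYSVER 0xf0000565

Dll Base DateStmp - Name             Dll Base DateStmp - Name
80100000 38b8c3e5 - ntoskrnl.exe     80010000 36b9b9d6 - hal.dll
80001000 36b9b9e2 - atapi.sys        80008000 36b9b9f0 - Disk.sys
80013000 36b9ba01 - Ntfs.sys         fe4f1000 3c1d9a10 - unkn.sys
"""

# Constructed baseline: module names taken from a clean machine of the same build.
BASELINE_MODULES = {"ntoskrnl.exe", "hal.dll", "atapi.sys", "disk.sys", "ntfs.sys"}

# Assumption: nothing on the box was patched after this date, so any module
# linked later than it did not arrive through normal maintenance.
NEWEST_EXPECTED = datetime.datetime(2001, 12, 1, tzinfo=datetime.timezone.utc)

# One entry: 8 hex digits (base), 8 hex digits (link timestamp), " - ", name.
MODULE_RE = re.compile(r"([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+-\s+(\S+)")


def parse_modules(stop_text):
    """Return [(base, link_time, name)] for every module entry in the text.

    The DateStmp field is the PE header's TimeDateStamp (time_t in hex),
    so it is decoded to an aware UTC datetime rather than kept as a number.
    """
    modules = []
    for base_hex, stamp_hex, name in MODULE_RE.findall(stop_text):
        link_time = datetime.datetime.fromtimestamp(
            int(stamp_hex, 16), tz=datetime.timezone.utc)
        modules.append((int(base_hex, 16), link_time, name))
    return modules


def find_suspects(modules, baseline_names, newest_expected):
    """Flag modules missing from the baseline or linked after newest_expected.

    Returns [(name, base, [reason, ...])]; an empty list means nothing stood out.
    Name comparison is case-insensitive because NT prints names as the PE
    export table spells them (e.g. "Disk.sys" vs "disk.sys").
    """
    baseline = {n.lower() for n in baseline_names}
    suspects = []
    for base, link_time, name in modules:
        reasons = []
        if name.lower() not in baseline:
            reasons.append("not in baseline")
        if link_time > newest_expected:
            reasons.append("linked %s" % link_time.date())
        if reasons:
            suspects.append((name, base, reasons))
    return suspects


if __name__ == "__main__":
    mods = parse_modules(SAMPLE_STOP_SCREEN)
    for base, link_time, name in mods:
        print("%08x  %s  %s" % (base, link_time.date(), name))
    print()
    for name, base, reasons in find_suspects(mods, BASELINE_MODULES, NEWEST_EXPECTED):
        print("SUSPECT %s at %08x: %s" % (name, base, ", ".join(reasons)))
```

Run against a real transcription, the report narrows 50 or 60 lines down to the one or two modules worth pulling off the disk (from a boot floppy or a second machine) and submitting to the AV vendor or scanning on a clean box. The same table is in MEMORY.DMP, so when the screen is too fast to copy, the dump written at "Beginning dump of physical memory" still carries it.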

Ass3mbler
12-18-2001, 04:34 AM
And did it do this on the 16th of this month? If so, I can not remember the particular virus name, but the one I am thinking of causes a BSoD only on the 16th of every month. You can find this at www.sarc.com (http://www.sarc.com), or a more reliable site is http://housecall.antivirus.com and it is free. Also (insert plug here) my web page is at www.dmsetup.org (http://www.dmsetup.org)

------------------
Assembler,

Bow before me for I am r00t

Windoze
12-18-2001, 08:31 AM
Thanks Ass3mbler,

The particular virus I am now dealing with did not show itself until the 17th of the month, and the BSoD is still alive and running today (the 18th).

I have no idea how to handle this particular virus. I have about 60 seconds before the BSoD, and it takes about 40 seconds to boot and log on, which leaves me about 20 seconds to try and look for anything unusual.

This is frustrating me to no end. I have had to deal with many viruses in the past but this is the first time I have not been able to so much as identify the virus.

Rick
12-18-2001, 08:49 AM
The only way I can see to get around this would be to boot from a floppy, then run anti-virus software from the CD.
You should first download the latest virus definition files to a clean system and copy them to a clean floppy.
Your anti-virus software should look to the floppy for the new/updated def files.

It's unfortunate, but it looks like you contracted the virus before NAV was aware of it,
and it is going active now before NAV is starting.

------------------
To ERR is HUMAN
To REALLY screw things UP, YOU NEED a COMPUTER !

mjc
12-18-2001, 10:26 AM
Go to Bootdisk (http://www.bootdisk.com) and grab F-Prot on a floppy... insert the floppy and boot to it....

------------------
mjc
Links list:Computer Links (http://www.dreamwater.org/tech/mjc/index.htm)

Celts are the men that heaven made mad, For all their battles are merry and their songs are all sad.

Windoze
12-18-2001, 05:28 PM
Thank you everyone for your help and support. Your efforts are very appreciated.

Sorry for my ignorance in this area, but I am having trouble with F-Prot. I downloaded and ran F-Prot, which creates a floppy disk. When I tried to boot from the disk I couldn't. Upon inspection it was obvious why: it isn't a boot disk. The only files created on the floppy are FP311A.ZIP, f-prot.bat, readme.txt, UNZIP.EXE.

The contents of the readme are:

------------------------------------------------------------------------
To run F-Prot, simply type f-prot while in the A-Drive.

It makes a folder on your C-Drive called virus and unzips
the program there and automatically runs it.
------------------------------------------------------------------------

No problem with this so far; my problem is, how the heck do I boot an NT system from a floppy disk? I have the original 3 disks that came with my NT, but when I boot with Disk 1 it wants to re-install NT every time, and I don't see any option to drop to a DOS shell in order to run F-Prot. If I quit the installation by pressing the F3 key, I am told to remove all disks and the system simply restarts. I can not use a Win98 startup disk as it does not recognize the NT FAT table.

mjc
12-18-2001, 05:47 PM
Grab a Win98 or the DRDOS boot floppy from bootdisk.com...

One thing I forgot to ask is it set up as a FAT or NTFS drive?

If it is NTFS then the DOS stuff won't see the partition(s) and it won't work...

------------------
mjc
Links list:Computer Links (http://www.dreamwater.org/tech/mjc/index.htm)

Celts are the men that heaven made mad, For all their battles are merry and their songs are all sad.

Windoze
12-18-2001, 05:47 PM

Thanks for your help Rick,
OK, I went as far as to go out and purchase a new Norton Anti-Virus 2002 for 98/NT/XP Pro/2000 Pro/ME/XP Home.

I know full well that I can't use it as is. I also have the same NAV 2002 installed on a 98 machine. By the looks of it, I can not download just the def files from Symantec. I can download new definitions, but they are an executable file that tries to update NAV.

So my questions are: can I copy my definition files from my 98 machine to a floppy, and second, which files do I copy to the floppy?

Windoze
12-18-2001, 05:52 PM
mjc,

NTFS. Am I history?

Ghost_Hacker
12-18-2001, 07:09 PM
Download NTFSDOS from here:
http://www.sysinternals.com/ntw2k/freeware/NTFSDOS.shtml

This will allow you to see NTFS partitions from DOS.