Multiple problems/possible virus?

Discussion in 'Security and Privacy' started by Mudlet, 2002/02/15.

Thread Status:
Not open for further replies.
  1. 2002/02/15
    Mudlet

    Mudlet Inactive Thread Starter

    Joined:
    2002/02/15
    Messages:
    15
    Likes Received:
    0
    We have two computers running Win 98 networked together, both have updated Norton AV running (version 2000).
    About a week ago one of the computers started having problems starting with Netscape loading very slowly, then several programs began *hanging up* and taking longer to respond. Eventually over the course of the week things have progressed to the point that the computer locks up frequently, and when trying to run a Norton virus scan, defrag or scandisk, the program begins then freezes up and then a stack overflow error occurs some of the time. We have increased the MinSPs to 4 and that message hasn't occurred as frequently although it did happen again this morning. Also the computer won't shut down. Programs seem to be working until it locks up.
    During the lockups, there was a message that a rndal file wasn't responding. The rndal file was associated with real player which we tried to uninstall (it wouldn't) and we tried to reinstall (it wouldn't do that either). We finally deleted the program from Windows Explorer and that message has not reoccurred. However now when it locks up the program running isn't responding. Last night the mail program (Eudora) wouldn't check and we discovered the mail settings had been changed. We ran a virus scan from the other computer that came up negative.

    Because we had added and removed some software programs we thought we had deleted some necessary files but after the email program settings were changed we suspect a virus.

    If it is a virus, what is the process for checking for viruses with Norton already running but not picking it up, and we are wondering if there are any other ideas that could be causing this problem?

    Also, let me know if you need more info
    and thanks for your help!

    Mud
     
  2. 2002/02/15
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Mudlet - could be you have picked up a critter.

    There are a few things I would try.

    Get one of the free AV checkers out there (F-prot would be a good bet) and run a scan with it.

    However, first I'd try to do some housekeeping from DOS (DOS as opposed to a DOS window). Scanreg /fix followed by Scanreg /opt followed by scandisk with the switches needed to fix problems encountered.

    Check your root folder (probably C:\) for the presence of way too many files. And while you are at it, delete any that have a pattern of filennnn.chk where nnnn is any number. Not harmful but you don't need em.

    Clean out your temp folder if you haven't already and then the recycle bin. BTW - if you hold down the SHIFT key while deleting, the files go away rather than stopping for a while in the recycle bin.

    Then run the AV check with another product.

    Then try your defrag again.

    As a precaution, I'd drop the network connection before starting any of the above.

    Sorry if any of the above was too elementary but there is never any way to know the experience level of folks asking questions so I'd rather tell too much than too little.
     
    Newt,
    #2

  4. 2002/02/15
    Mudlet

    Mudlet Inactive Thread Starter

    Joined:
    2002/02/15
    Messages:
    15
    Likes Received:
    0
    Multiple problems/possible virus

    Thanks Newt for your help.
    We will definitely try your suggestions
    and feedback the results here.

    A couple of questions:
    to do the housekeeping in DOS,
    would it look like this?

    Scanreg /fix Scanreg /opt scandisk

    That's what I'm reading but thought I'd verify.

    Also, we discovered that tonight we can run
    Norton, scandisk, and defrag in Safe Mode,,
    is that significant or to be expected?

    Thanks,
    Mud
     
  5. 2002/02/16
    Mudlet

    Mudlet Inactive Thread Starter

    Joined:
    2002/02/15
    Messages:
    15
    Likes Received:
    0
    Ran scandisk in DOS, found nothing,,,

    Also downloaded and ran a full scan with F-Prot,
    and it found no viruses.

    Just now after sitting for a couple of hours,
    it was locked up. I did ctrl/alt/del and
    it said msgsrv was not responding. I did end task but it was still hanging up.

    We have deleted all cookies, temporary internet files, files from windows/applog and windows temp files.

    I don't know what else to try,,,,,,,,:(
     
  6. 2002/02/17
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Startup Cop

    Either get Startup Cop or use MSCONFIG to shut down things that are loading at Startup.

    Ctrl-Alt-Del will not stop things from reloading at start up.

    And with a locked up system it is useless anyway.

    Everything except explorer ( if it shows ), systray can be shut down for trial purposes. Scanregistry can be shut down but it is not recommended.

    Startup Cop is the easiest to use.

    Just now after sitting for a couple of hours, it was locked up

    Something is ( or may be ) eating up resources.

    Are any screensavers being used. They will cause the above at times.

    Do you by any chance have any Norton Products ( other than Anti-Virus or a Firewall ) loading at startup ? I am referring to any of Norton Utilities if you have same. Nothing from NU should be allowed to load at startup.

    If Norton AV Auto Protect is set to check all files it may cause this problem.

    Forgot another possible cause for the problems.

    Have you checked ( or had someone else check ) that all cooling devices are working properly ?


    BillyBob
     
    Last edited: 2002/02/17
  7. 2002/02/17
    Mudlet

    Mudlet Inactive Thread Starter

    Joined:
    2002/02/15
    Messages:
    15
    Likes Received:
    0
    Thanks BillyBob, I have a couple of comments and questions:

    Just now after sitting for a couple of hours, it was locked up

    Something is ( or may be ) eating up resources.

    It does seem that way,,,,but there are no screensavers being used,,,and the only Norton product is that antivirus program that loads in startup and is enabled to autoprotect, but this has been this way for 2 yrs and never caused a problem.
    No Norton Utilities or firewalls are being used.


    Let me also add that recently there was a new software program loaded that ran in DOS, and some other windows programs. We were thinking there was a conflict somewhere but can't seem to find it. No viruses have been found running Norton AV in safe mode or installing and running F-Prot yesterday. About a month ago we had a bymer virus but we ran the fix for that and it looks like we took care of it. I have been to regedit and found no evidence there of a virus.

    do any of those clues help at all?
     
  8. 2002/02/17
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Just now after sitting for a couple of hours, it was locked up

    This can be a very tough thing to find an answer to. This is the main reason I suggest Startup Cop and experimentation.

    Right now you and me is riding in the same boat. I have one machine that does this also. But not all the time.

    I THINK it is caused by the order in which my Wife runs various programs. But I never think to ask her to write down the order in which she runs them.

    do any of those clues help at all?

    Yes. As it does help to eliminate some of the many possibilities.

    But I do feel that the problem lies in something that is running in the background OR a program that is run and not shutting down and cleaning up properly.

    You mentioned a DOS program. If you are running the Original Win98 or 98 SE DOS should not be a problem.

    Another important question that I forgot to ask.

    Does this happen when just starting the machine or after running some programs ? If it happens when just starting the machine and letting it sit, it is almost a given that it is something that is loading at startup. If it happens only after running some programs it is almost a given that one of them is not behaving properly.

    And * SOME * of MS software can be a REAL PAIN in this area.

    Do you by any chance have MS Office or REAL Player ( another trouble maker ) loading at start up. With Ms Office the FastFind ( or findfast what ever it is ) may cause problems.

    BillyBob
     
    Last edited: 2002/02/17
  9. 2002/02/17
    Mudlet

    Mudlet Inactive Thread Starter

    Joined:
    2002/02/15
    Messages:
    15
    Likes Received:
    0
    Billy Bob,
    Some answers to your questions,,,

    first this computer is running 98SE.


    Does this happen when just starting the machine or after running some programs ? If it happens when just starting the machine and letting it set it almost a given that it is something that is loading at startup. If it happens only after running some programs it is almost a given that one of them is not behaving properly.


    It first started showing up seemingly after sitting for an hour or two, but has progressively gotten worse. The symptoms we have noted so far are :

    Defrag/scandisk/Norton virus scan won't work in windows,,,all will work in safe mode or DOS.

    When attempting to run all the above, the computer locks up. Originally when doing ctrl/alt/del we would get a message that said rndal not responding (which was associated with Real Player, recently updated). We attempted to uninstall/reinstall Real so we could see if that was the problem and it wouldn't work. So we deleted the program from Windows Explorer and ran regclean and it appears now Real is gone, however this line shows up in
    regedit under

    HKLM/Software/Microsoft/Windows/CurrentVersion/Run

    TkBell.exe C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

    This implies to me there is still a file existing trying to run associated with Real???

    Anyway, after Real was removed the rndal error message doesn't appear but another one does,,,
    that says msgsrv386 is not responding. Also,
    many times we get a stack overflow error message that says possibly due to recently installed vxd's. We have increased the MinSP's settings in system.ini and it didn't help.

    Hope this helps, but might make things more confusing,,,,

    Thanks,
    Mud
     
  10. 2002/02/17
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Defrag/scandisk/Norton virus scan won't work in windows

    To me this is a sign of corrupted OS files. Alias a case of VERSIONITUS. ( wrong version of files entered by some software )

    And/or the un-install took out more than it should.

    If you have Norton Utilities I suggest a Boot from the Windows Startup disk and run Norton DiskDoctor With Surface check for DOS from the CD first. NDD for DOS will fix some things that Scandisk for DOS won't.

    And then what I would do in this case but you may not want to is re-install Windows over itself after booting from the SUD. Just making sure it re-installs into the existing folder.

    But it will depend on which of the SE CDs you have. If you have the UPGRADE CD this can be done.

    If you have the UPDATE CD it must be done from within Windows.
     
    Last edited: 2002/02/17
  11. 2002/02/17
    Mudlet

    Mudlet Inactive Thread Starter

    Joined:
    2002/02/15
    Messages:
    15
    Likes Received:
    0
    Found the problem!!!! It was a bug,,,,,,,

    I believe we finally found the problem,,,,

    after much researching we found a link to a worm and followed up on it, and it turns out that it seems to be the problem.

    Here is the link, you can look at it for future reference:

    http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000100414232506

    The worm comes in as a legitimate program
    distributed.net client somehow via email or an attached file. I have no idea when this could have happened, except that about a month or two ago both computers got infected by a bymer virus and we ran scans on both and thought we had eliminated it. I am wondering if now this was a reinfection?

    All along I had a feeling this was a virus but after scanning with Norton and then F-Prot didn't show this virus. We finally found it in msconfig/startup as a file showing up there running in startup. It looked suspicious because it ended with -hide. After running the fix for the virus that line remains in startup in msconfig,
    and now we are wondering how can we remove that line from there? It must be in the registry somewhere but I can't find it.

    Thanks,
    Mud
     
  12. 2002/02/17
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Well that is some good news. ( not the Virus part tho )

    If you can not find it in the Registry try running sysedit and look in the system.ini and the win.ini.

    Sometimes stuff does get entered in the Run= or load= lines.

    But it would be a good idea to look over the rest of both files also.

    BillyBob
     
    Last edited: 2002/02/17
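
Added example, not part of the thread or any poster's words: the two autostart locations discussed above (the `run=`/`load=` lines in win.ini and the `CurrentVersion\Run` registry key) listed together from text copies, with any entry launched with the `-hide` switch marked for a closer look. It assumes a REGEDIT4 text export from regedit, also reads the sibling RunOnce/RunServices keys (an extension beyond what the thread mentions), and uses constructed sample input in which `placeholder.exe` and `PlaceholderName` are hypothetical.

```python
import re

# Constructed sample inputs; placeholder.exe and PlaceholderName are hypothetical.
WIN_INI = r"""[windows]
load=
run=C:\EXAMPLE\placeholder.exe -hide
[Desktop]
Wallpaper=(None)
"""
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TkBell.exe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"PlaceholderName"="C:\\EXAMPLE\\placeholder.exe -hide"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Ignored"="not an autostart key"
"""
RUN_KEY = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run(?:Once|Services|ServicesOnce)?)\]$", re.I)
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def win_ini_autostarts(text):
    """Non-empty load=/run= values from the [windows] section of win.ini."""
    section, found = "", []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("load", "run") and value:
                found.append(("win.ini", key.lower(), value))
    return found

def reg_autostarts(text):
    """String values under the Run* keys of a REGEDIT4 text export."""
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with \
    key, found = None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            m = RUN_KEY.match(line)
            key = m.group(1) if m else None
        elif key and (m := REG_VALUE.match(line)):
            found.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return found

def review(entries):
    """Add a flag for entries started with the -hide switch the thread found odd."""
    return [(src, name, cmd, "-hide" in cmd.lower().split()) for src, name, cmd in entries]

if __name__ == "__main__":
    for row in review(win_ini_autostarts(WIN_INI) + reg_autostarts(REG_EXPORT)):
        print(("SUSPECT " if row[3] else "ok      ") + " | ".join(row[:3]))
```

The `-hide` flag is only a triage hint taken from this thread; an unflagged entry still needs to be matched to a program you recognise.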
  13. 2002/02/18
    Mudlet

    Mudlet Inactive Thread Starter

    Joined:
    2002/02/15
    Messages:
    15
    Likes Received:
    0
    Thanks Billy,
    We found it in the registry.
    I also found many things there to delete
    (old program stuff)
    and much more I have no idea what it is,,,
    odd and strange names of stuff.

    Where can you find what is safe to delete and not?

    thanks,
    Mud
     