Please help identify possible Windows virus: pi symbol and corrupt controls.. NetBIOS too?

Discussion in 'Anti-Virus' started by Matt Rosin, Aug 8, 2003.

  1. Matt Rosin

    Matt Rosin Guest

    Hello Everyone,

    I would much appreciate it if you could help me identify the
    virus/malware that just showed up on a Win98 machine.
    I do not think this came from email since I have various patches,
    don't open attachments, etc.
    The symptoms are:
    - All windows show a light gray greek letter pi in the lower right
    corner (i.e. what the praetorians in the movie The Net used). This is
    not the upside down pi someone mentioned once seeing at bootup.
    - All pulldown menu down-arrows (the part you click to open them) are
    corrupted (they have a number 6 instead of a down-arrow)
    - Checkboxes are similarly corrupted
    - minimize, maximize, and close buttons instead show off-center
    numerals i.e. 0 and 1.
    - fixed spacing Internet Explorer (v.6.0) fonts seem to be reset to
    tiny lowres bitmap versions.
    - Not picked up by free online scans at trend micro and one other, I
    believe McAfee. Also an old Norton didn't pick it up.
    - New Virus Buster Corp. Ed. did not pick it up.
    - Have not noticed special traffic to/from this machine (using
    ethereal)
    - It may be a coincidence, or a nasty spawning of virus on intranet,
    but a nearby machine (W2K) was found by an admin to be the cause of a
    large amount of NetBIOS traffic slowing down the network, even though
    NetBIOS was not apparently set in the control panel. In fact most
    traffic seems to be NetBIOS.
    - have found no references to any related keywords on the net, in
    vendor encyclopediae, or usenet. Though I thought I had seen something
    like this before once.. maybe not.
    - no, nothing happened when I shift-control-clicked on the pi, except
    a little frisson.
    - scan of that machine with xnmap shows only port 139 (netbios-ssn)
    open.
    - okay, by overlaying the nbns and raw graphs in Ethereal's IO-Stat I
    can see most traffic is indeed NetBIOS.

    I would much appreciate your help. As far as I know, everyone has up
    to date Norton or Virus Buster which is supposedly better, and all I
    want to know is how to get my system cleaned up.

    Thanks for your time.

    Sincerely,

    Matt Rosin
    mattr (at the domain of) telebody (dot) com
    p.s. I already get more than my share of spam daily please no spam.
     
    Matt Rosin, Aug 8, 2003
    #1

  2. Matt Rosin

    Tim Guest

    Corrupt video card driver ? Bad video card?
    Sounds more like a hardware issue than a virus issue.
     
    Tim, Aug 8, 2003
    #2

  3. Matt Rosin

    me Guest

    See if this helps (it's from "W95 days"):

    http://support.microsoft.com/support/kb/articles/Q134/8/61.asp

    --J
    Replies to: jNpolak(at)Ojuno(dot)Tcom
     
    me, Aug 8, 2003
    #3
  4. Matt Rosin

    Matt Rosin Guest

    Thanks for your response. I thought it might be a programmer's tool,
    or maybe even an easter egg, I had forgotten about a long time ago,
    but can't think what it might be. Doesn't go away after reboot.

    The machine is a small Sony VAIO laptop, PCG-Z505G/BP (an older
    celeron running Win98).

    Anyone else with information much appreciated.

    Matt
     
    Matt Rosin, Aug 9, 2003
    #4
  5. Matt Rosin

    me Guest

    It might. If marlett is missing, perhaps windoze uses symbol
    instead.
    Looksee at "letter p" in those two fonts. ;)

    --J
    Replies to: jNpolak(at)Ojuno(dot)Tcom
     
    me, Aug 9, 2003
    #5
  6. Matt Rosin

    cquirke Guest

    Do you have "too many" fonts (1000+) on a Win9x PC, or a corrupted
    TTFCache (font cache)? Marlett.ttf is used for those UI elements,
    but seems to be lost or out of reach (too many fonts overflows the
    relevant store in the registry for the font names/paths)

    Error Messages Are Your Friends
     
    cquirke, Aug 10, 2003
    #6
  7. Matt Rosin

    me Guest

    Suggestion: go back to the MS KB article and follow all links.
    This does "smell" very much like the windoze font cache
    problem(s). And all of those have solutions/workarounds.

    --J
    Replies to: jNpolak(at)Ojuno(dot)Tcom
     
    me, Aug 10, 2003
    #7
  8. Matt Rosin

    cquirke Guest

    It does, but there are other possible font-mishap variations:

    1) Font folder does not have System attribute set (Attrib +s Fonts?)
    2) Marlett.ttf is not Hidden (Attrib +h Marlett.ttf)
    3) Marlett.ttf is broken (any Scandisk "fixes" lately?)
    4) There are "too many fonts"

    Option (4) is tougher to fix and needs some detail. The problem is
    not one of number of fonts per se, but goes about a 64k limit on the
    size a single registry key can grow to. There is a key that holds the
    names of all the fonts installed on the system, and the space occupied
    by each entry varies; if the font file resides outside of the Fonts
    directory and has to have a full directory path, more space is needed
    and you can hit the limit before the expected "1000 fonts".

    If you exceed that limit, then some font entries will be lost from the
    relevant registry key. If one of those is Marlett.ttf, then no amount
    of Extract /A, Attrib +s, Attrib +h or Del TTFCache is likely to fix
    the problem - you may have to debulk your font collection!

    Try a google on "MARLETT.TTF" :)

    My MARLETT.TTF is 17 412 bytes long, FWIW (Win98SE)

    Error Messages Are Your Friends
     
    cquirke, Aug 11, 2003
    #8
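
A rough triage check for option (4) in the post above, added here as an example and not written by anyone in the thread: it parses a REGEDIT4 export of the font list, estimates how close the key is to the 64k limit, and reports whether a Marlett entry survived. The key path, the sample export and the size estimate (name plus data plus terminators) are assumptions made for illustration.

```python
import re

# Assumption: the Win9x key that lists installed fonts (the thread does not name it).
FONTS_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Fonts"
LIMIT = 64 * 1024  # per-key size limit as described in the post

# Constructed sample REGEDIT4 export; not data from the poster's machine.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Fonts]
"Arial (TrueType)"="ARIAL.TTF"
"Symbol (TrueType)"="SYMBOL.TTF"
"Clip Font (TrueType)"="D:\\Archive\\Fonts\\Clipart\\CLIPFONT.TTF"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
'''

# "name"="data" lines; .reg exports escape backslashes and quotes with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)

def parse_fonts(reg_text, key=FONTS_KEY):
    """Return {font name: file or path} for string values under the fonts key only."""
    fonts, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            fonts[unescape(m.group(1))] = unescape(m.group(2))
    return fonts

def audit(fonts, limit=LIMIT):
    """Summarise the font list; approx_bytes is an estimate, not the registry's own count."""
    used = sum(len(name) + len(path) + 2 for name, path in fonts.items())
    return {
        "entries": len(fonts),
        "approx_bytes": used,
        "near_limit": used > 0.9 * limit,
        "marlett_registered": any(p.lower().endswith("marlett.ttf") for p in fonts.values()),
        # Entries with a full path cost more space, as the post explains.
        "outside_fonts_dir": sorted(n for n, p in fonts.items() if "\\" in p),
    }

if __name__ == "__main__":
    print(audit(parse_fonts(SAMPLE_REG)))
```
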
  9. Matt Rosin

    me Guest

    Ditto Win95

    --J
    Replies to: jNpolak(at)Ojuno(dot)Tcom
     
    me, Aug 11, 2003
    #9
  10. Matt Rosin

    me Guest

    Until Sat, I didn't know that the "///" in the border is a
    "letter." ;)

    --J
    Replies to: jNpolak(at)Ojuno(dot)Tcom
     
    me, Aug 11, 2003
    #10