Knowledge Base

Title: Description of Computer Viruses
Document Number: Q129972
Publ Date: 08-APR-1996
Product Name: Microsoft Windows 95.x Retail Product
Product Version: 3.10 3.11 95 | 5.00 6.00 6.20 6.21 6.22
Operating System: WINDOWS | MS-DOS

---------------------------------------------------------------------
The information in this article applies to:

 - Microsoft MS-DOS operating system versions 5.0, 6.0, 6.2, 6.21, 6.22
 - Microsoft Windows operating system versions 3.1, 3.11
 - Microsoft Windows for Workgroups versions 3.1, 3.11
 - Microsoft Windows 95
---------------------------------------------------------------------

SUMMARY
=======

A computer virus is an executable file designed to replicate itself and
avoid detection. A virus may try to avoid detection by disguising itself
as a legitimate program. Viruses are often rewritten and adjusted so
that they will not be detected. Anti-virus programs must be updated
continuously to look for new and modified viruses.

Viruses are the number-one method of computer vandalism. The first
computer viruses were designed by programmers who wanted to show off
their programming skills and to demonstrate how easily computer security
systems could be infiltrated. Today, viruses are made to corrupt or
scramble data on a computer's hard disk in the file allocation table
(FAT), boot sector, data files, or program files.

There are over 5000 known viruses, and new virus strains continue to
show up regularly. The rate of virus infection is also increasing.

In the United States, creating or distributing a virus is classified as
a computer crime, and is a federal offense. The Electronic Privacy Act
of 1986 is the most noteworthy legislation against the fraudulent use of
computers. Europe has enacted the Computer Misuse Act of 1991, which
specifically states that creating or knowingly distributing a computer
virus is a criminal act.

There are three types of computer viruses:

 - Boot-sector viruses
 - File-infecting viruses
 - Trojan horse programs

MORE INFORMATION
================

Boot-Sector Viruses
-------------------

When a computer boots (or starts), it looks to the boot sector of the
hard disk before loading the operating system or any other startup
files. A boot-sector virus is designed to replace the information in the
hard disk's boot sectors with its own code. When a computer is infected
with a boot-sector virus, the virus' code is read into memory before
anything else. Once the virus is in memory, it can replicate itself onto
any other disks that are used in the infected computer. The Form,
Michelangelo, Junkie Virus, and Ohio viruses are examples of this type
of virus.

A boot-sector virus can cause the following problems:

 - In Windows 3.x, 32-bit file or disk access may not work.
 - You may not be able to create a permanent swap file in Windows 3.1 or
   Windows for Workgroups version 3.1x.
 - The CHKDSK tool may report that conventional memory stops at 638K
   rather than at 640K.
 - You may receive the following error message as your computer starts:

      Bad or missing command interpreter. Enter name of command interpreter.

File-Infecting Viruses
----------------------

This is the most common type of virus. A file-infecting virus attaches
itself to an executable program file by adding its own code to the
executable file. The virus code is usually added such that it escapes
detection. When the infected file is run, the virus can attach itself to
other executable files. Files infected by this type of virus usually
have a .COM, .EXE, or .SYS extension.

Some file-infecting viruses are designed for specific programs. Program
types that are often targeted are overlay (.OVL) files and dynamic-link
library (DLL) files. Although these files are not executed, they are
called by executable files. The virus is transmitted when the call is
made.

Damage to data occurs when the virus is triggered.
A virus can be triggered when an infected file is executed, or when a
particular environment setting is met (such as a specific system date).
The Friday the 13th, Enigma, Loki, and Nemesis viruses are examples of
this type of virus.

Trojan Horse Programs
---------------------

A Trojan horse program is not a virus. The key distinction between a
virus and a Trojan horse program is that a Trojan horse program does not
replicate itself; it only destroys information on the hard disk. A
Trojan horse program disguises itself as a legitimate program such as a
game or utility. A Trojan horse program often looks and initially acts
like a legitimate program, but once it is executed, it can destroy or
scramble data. A Trojan horse program can contain viruses, but is not a
virus itself. The Aids Information, Twelve Tricks A and B, and Darth
Vader programs are examples of Trojan horse programs.

Commonly Asked Questions and Answers About Computer Viruses
-----------------------------------------------------------

1. Q. Can data files carry viruses?

   A. Data files cannot be infected; they can only be damaged. Only
      executable files and floppy disks with infected boot sectors can
      carry viruses and infect computers.

2. Q. Can viruses destroy hardware?

   A. There are no known viruses that damage hardware.

3. Q. Can setting an executable file's read-only attribute deter
      viruses?

   A. Most viruses can easily override a read-only attribute.

4. Q. If software is shrink-wrapped, is it virus-free?

   A. Shrink-wrapped software can carry viruses, particularly if a
      software vendor rewraps returned software and sells it again.

5. Q. If my computer is infected, is all my data destroyed?

   A. If you diagnose the virus early, it is likely that your data can
      be saved or recovered.

6. Q. Are bulletin board systems and shareware software responsible for
      the spread of computer viruses?

   A. Most bulletin board systems and online services are run by
      responsible system operators who scan for viruses often.
      Some go so far as to scan all files as they are uploaded and
      downloaded.

7. Q. Will my backup files be useless if a virus is backed up?

   A. You can use the backup files to restore data files that were not
      infected when you performed the backup.

8. Q. Can viruses infect files on write-protected floppy disks?

   A. It is impossible for a virus to infect files on a write-protected
      floppy disk.

KBCategory: kbref kbother
KBSubcategory: msdos win31 wfw wfwg win95
Additional reference words: 3.10 3.11 5.00 6.00 6.20 6.21 6.22 swapfile
michaelangelo Anit-CMOSa Bloomington Enemy 2 Form Forms Friday 13th
Jerusalem Keypress 1 Keypress 1A Keypress 1C Keypress 1E JENB Little Red
Li'l Red Monkey Mummy NOINT PSQR1-1364 SCR2 Screaming Fish II Screaming
Fish IIB Sticky [ML2] Stoned Sunday Yankee Doodle 95

COPYRIGHT Microsoft Corporation, 1996.


Knowledge Base

Title: Troubleshooting MS-DOS Compatibility Mode on Hard Disks
Document Number: Q130179
Publ Date: 09-APR-1996
Product Name: Microsoft Windows 95.x Retail Product
Product Version: 95
Operating System: WINDOWS

---------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows 95
---------------------------------------------------------------------

SYMPTOMS
========

The Performance tab in System properties shows that one or more of the
hard disks in your computer is using MS-DOS Compatibility mode. MS-DOS
compatibility mode may be in use for either the file system or for
virtual memory.

CAUSE
=====

MS-DOS Compatibility mode may be in use for any of the following
reasons:

 - An "unsafe" device driver, memory-resident program, or virus hooked
   the INT21h or INT13h chain before Windows 95 loaded.
 - The hard disk controller in your computer was not detected by
   Windows 95.
 - The hard disk controller was removed from the current configuration
   in Device Manager.
 - There is a resource conflict between the hard disk controller and
   another hardware device.
 - The Windows 95 protected-mode driver is missing or damaged.
 - The Windows 95 32-bit protected-mode disk drivers detected an
   unsupportable configuration or incompatible hardware.

RESOLUTION
==========

To correct the problem, follow these steps:

1. Use the Performance tab in System properties to identify which drive
   is using MS-DOS Compatibility mode and why.

   NOTE: Floppy disk drives and CD-ROM drives operating in MS-DOS
   Compatibility mode cause the Performance tab to display the message
   "Some drives are using MS-DOS compatibility" for the file system, but
   this article applies only to troubleshooting hard disks operating in
   MS-DOS Compatibility mode.

   a. If the driver name listed as causing MS-DOS Compatibility mode is
      MBRINT13.SYS, your computer may be infected with a boot-sector
      virus, or you are running real-mode geometry translation software
      (for an IDE hard disk with more than 1024 cylinders) that is not
      compatible with Windows 95 protected-mode disk drivers.

      For information about real-mode geometry translation software
      that is compatible with Windows 95 protected-mode disk drivers,
      please see the following article in the Microsoft Knowledge Base:

         ARTICLE-ID: Q126855
         TITLE     : Windows 95 Support for Large IDE Hard Disks

      Disk Manager 6.03 is supported in protected mode on hard disks on
      the primary IDE channel and when DriveSpace disk compression is
      not installed. For drives on the secondary IDE channel, Disk
      Manager 7.0 or later is required. When using the DriveSpace
      compression software that is included with Microsoft Windows 95
      and Microsoft Plus!, Disk Manager 7.04 or later must be used.
      For more information, please see the following article in the
      Microsoft Knowledge Base:

         ARTICLE-ID: Q126855
         TITLE     : Windows 95 Support for Large IDE Hard Disks

      For information about detecting and removing boot-sector viruses,
      please see the following articles in the Microsoft Knowledge Base:

         ARTICLE-ID: Q82923
         TITLE     : Methods to Detect a Boot-Sector Virus

         ARTICLE-ID: Q129972
         TITLE     : Description of Computer Viruses

   b. If a driver that is listed in the CONFIG.SYS file is named,
      contact the driver's manufacturer to determine whether there is a
      version of the driver that allows protected-mode access in
      Windows 95.

   If no driver is listed on the Performance tab, continue with Step 2.

2. Check to make sure that the hard disk controller is listed in Device
   Manager. If it is not listed, install it with the Add New Hardware
   Wizard. If the Wizard does not detect the controller, run the Wizard
   again but do not let the Wizard detect the hardware in your computer.
   Instead, select the controller from the hardware list. If the
   controller is not listed, contact the manufacturer of the hard disk
   controller to determine whether there is a Windows 95 protected-mode
   disk driver or a Windows 3.1 32-bit disk access (FastDisk) driver
   available.

   NOTE: If the hard disk controller is listed in Device Manager but
   has a red X over it, it has been removed from the current hardware
   profile. Click Properties for the controller in Device Manager and
   then click the check box corresponding to the current hardware
   profile under Device Usage.

3. If the hard disk controller is listed in Device Manager but has a
   yellow exclamation point over it, there is an IRQ, I/O, DMA, or RAM
   address conflict with another device, the protected-mode driver is
   missing or damaged, or the "Disable all 32-bit protected-mode disk
   drivers" check box is selected in File System properties.

   a. Check to make sure that the "Disable all 32-bit protected-mode
      disk drivers" check box has not been selected on the
      Troubleshooting tab in File System properties. To access this
      tab, double-click System in Control Panel, click the Performance
      tab, and then click File System.

   b. Resolve any resource (IRQ, I/O, DMA, or RAM address) conflicts
      with other devices. Consult the controller's documentation for
      information about resource usage and changing resource usage.

   c. Check to make sure that the protected-mode driver is in the
      Windows\SYSTEM\IOSUBSYS directory and is loading properly. To
      determine which driver is providing 32-bit disk access, click
      Properties for the controller in Device Manager and click the
      Driver tab to see which driver files are associated with the
      controller.

      NOTE: If you are using an IDE, EIDE, or ESDI hard disk
      controller, the Driver tab may not be present when you click
      Properties for the controller in Device Manager. Unless you are
      using a third-party driver, Esdi_506.pdr is the protected-mode
      driver that is used to provide 32-bit disk access for these
      controllers.

      Restart Windows 95 and press F8 at the "Starting Windows 95"
      message. Select a Logged (/BOOTLOG.TXT) start. Examine the
      just-created BOOTLOG.TXT file to determine if the driver listed
      above is loading properly.

      If the BOOTLOG.TXT file shows an "Init Failure" or "Load Failure"
      message for the driver listed above, proceed with step d. If the
      BOOTLOG.TXT file shows an "INITCOMPLETESUCCESS" message for the
      driver listed above, examine the IOS.LOG file.

      Windows 95 creates an IOS.LOG file in the Windows directory if
      any drives are using MS-DOS Compatibility mode. The first few
      lines of the IOS.LOG file may contain information describing why
      the protected-mode disk driver failed to load. Please have this
      information available if you contact Microsoft Product Support
      Services about this problem.

   d. Make sure the protected-mode driver is not damaged.
      For all ESDI and IDE drives, Windows 95 uses ESDI_506.PDR in the
      IOSUBSYS directory to provide 32-bit disk access. For SCSI
      controllers, Windows 95 uses SCSIPORT.PDR and a "mini-port"
      (.MPD) driver to provide 32-bit disk access.

      Manually extract the appropriate .PDR or .MPD files from the
      Windows 95 disks or CD-ROM, or run Setup and choose the Verify
      option.

4. Contact the hard disk controller's manufacturer for information
   about Windows 95 compatibility. You may be able to get
   protected-mode, 32-bit disk access in Windows 95 by using one of the
   following methods:

    - Disable any enhanced features (such as caching, fast or turbo
      mode, reduced data transfer rates, and so on) on the controller
      (SCSI, IDE, or ESDI) or system BIOS (IDE only).
    - Obtain a protected-mode Windows 95 disk driver, or Windows 3.1
      FastDisk driver for the controller.

MORE INFORMATION
================

A real-mode driver is "safe" if its functionality does not exceed the
functionality of the corresponding Windows 95 protected-mode driver. If
a real-mode driver is safe, the protected-mode driver can take over all
I/O operations for the corresponding device. Otherwise, Windows 95
routes all I/O operations through the real-mode driver.

An example of an unsafe driver is a real-mode IDE/ESDI driver that uses
dynamic encryption for security reasons. Since Windows 95 does not
provide encryption, Windows 95 does not allow the protected-mode
IDE/ESDI driver to take over the real-mode driver. Any real-mode driver
with functionality on the following list is considered unsafe:

 - Data compression that is not compatible with DoubleSpace
 - Data encryption
 - Disk mirroring
 - Bad sector mapping
 - Fault tolerance (for example, maintenance of ECC correction on a
   separate disk)
 - Vendor-specific IOCTLs
 - Microsoft-defined IOCTLs with vendor-extended features

The safe driver list (the IOS.INI file) is a Windows 95-maintained list
of safe drivers.
Each entry in the list identifies a driver or TSR that Windows 95 can
take over with the corresponding protected-mode driver. The safe driver
list includes the name of the driver or TSR. This name should be the
same as the name in the CONFIG.SYS or AUTOEXEC.BAT file.

Windows 95 does not store the version number of the driver or TSR in
the list, so it is the responsibility of the vendor to change the name
of the driver if a future version of the driver is enhanced in a manner
that makes the driver unsafe.

By default, the following drivers are considered safe:

 - MS-DOS 5.0-compatible real-mode block device drivers
 - INT 13 monitors (hooks INT 13 for monitoring INT 13 I/O but does not
   access the hardware directly or modify the I/O buffer)
 - INT 13 hooker (hooks INT 13 for altering INT 13 I/O but does not
   access the hardware directly)
 - INT 13 driver (provides INT 13 functionality and directly accesses
   the hardware)
 - ASPI Manager (implements ASPI for MS-DOS specification)
 - CAM Manager (implements MS-DOS CAM specification)

NOTE: If the real-mode driver you are using has better performance or
provides some functions that are not present in the Windows 95
protected-mode driver, the driver's vendor should remove the driver from
the safe driver list. The system will use real mode to access the drive.
If the real-mode driver you are using can be safely taken over by
protected-mode drivers, the driver's vendor can add that driver to the
safe driver list.

Disk Manager is manufactured by OnTrack Computer Systems, a vendor
independent of Microsoft; we make no warranty, implied or otherwise,
regarding this product's performance or reliability.

EZ-Drive is manufactured by Micro House, a vendor independent of
Microsoft; we make no warranty, implied or otherwise, regarding this
product's performance or reliability.

KBCategory: kbenv kbhw kbtshoot
KBSubcategory: wpp95 win95 diskmem
Additional reference words: 95 ez.exe dm.exe dmdrvr.bin xbios.ovl tshoot

COPYRIGHT Microsoft Corporation, 1996.


Knowledge Base

Title: Troubleshooting Windows 95 Startup Problems
Document Number: Q136337
Publ Date: 11-APR-1996
Product Name: Microsoft Windows 95.x Retail Product
Product Version: 95
Operating System: WINDOWS

---------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows 95
---------------------------------------------------------------------

SUMMARY
=======

This article lists troubleshooting tips you can use if your computer
stops responding (hangs) or returns an error message (such as a fatal
exception error) the first time it starts after Windows 95 Setup.

This article is not meant to be a comprehensive list of all the reasons
your computer may not start. It is meant to provide you with a general
strategy for isolating the problem.

MORE INFORMATION
================

Safe Mode
---------

If Windows 95 does not start, try to start it in Safe mode. To start
Windows 95 in Safe mode, press the F8 key when you see the "Starting
Windows 95" message, and then choose Safe Mode from the Startup menu.

If Windows 95 does not start in Safe mode, see the "Windows 95 Does Not
Start in Safe Mode" section below. If Windows 95 starts in Safe mode,
see the "Windows 95 Starts in Safe Mode" section below.

Windows 95 Does Not Start in Safe Mode
--------------------------------------

Any of the following conditions can cause Windows 95 not to start in
Safe mode:

 - Your computer is infected with a virus. For additional information
   about computer viruses, please see the following article in the
   Microsoft Knowledge Base:

      ARTICLE-ID: Q129972
      TITLE     : Description of Computer Viruses

 - Your computer's CMOS settings are not correct. Check your computer's
   CMOS settings to make sure they are correct.
   (You may need to contact the computer manufacturer to verify these
   settings.)

 - There is a hardware conflict. These conflicts can include, but are
   not limited to, PCI BIOS settings, IRQ conflicts, redundant COM ports
   (for example, two COM1 ports, or an internal modem set to the same
   COM port as an existing serial port), and defective RAM chips.

 - A setting in the Msdos.sys file needs to be changed (for example,
   the Logo setting should be set to zero). For additional information
   on the Msdos.sys file, please see the following article(s) in the
   Microsoft Knowledge Base:

      ARTICLE-ID: Q118579
      TITLE     : Contents of the Windows 95 Msdos.sys File

 - You need to use the Vga.drv or Vga.vxd video drivers from the
   Windows 95 CD-ROM. These files are located in the Drivers\Display\Vga
   folder. For example, these drivers may be helpful if you have an
   Intel Triton PCI controller or a Cirrus Logic 5401 or 5402 VGA video
   adapter. For more information about these files, please see the
   Readme.txt file in the same folder.

If you still cannot start your computer in Safe mode after checking
these items, reinstall Windows 95 in a new, empty folder. This step
helps to establish whether the problem is related to a remnant of the
previous operating system (such as a configuration setting) or a
hardware problem.

Windows 95 Starts in Safe Mode
------------------------------

If Windows 95 starts in Safe mode, step through the startup process to
see if any devices fail to load. To do so, restart your computer, press
F8 when you see the "Starting Windows 95" message, and then choose
Step-By-Step Confirmation from the Startup menu.

The following table lists several startup options. The options are
labeled Boot A, Boot B, Boot C, and Boot D. Try each option and note
your results. To use a boot option, press Y or N as outlined in the
option in the table below each time you are prompted whether you want
to load a particular device.

                                                    Boot A  Boot B  Boot C  Boot D
----------------------------------------------------------------------------------
Load DriveSpace Driver?                             (Y)es   (Y)es   (Y)es   (Y)es
Process the system registry?                        (Y)es   (Y)es   (Y)es   (N)o
Create a startup log file (Bootlog.txt)?            (Y)es   (Y)es   (Y)es   (Y)es
Process your startup device drivers (Config.sys)?   (N)o    (N)o    (Y)es   (Y)es
Device=\Himem.sys?                                  (Y)es   (Y)es   (Y)es   (Y)es
Device=\Ifshlp.sys?                                 (Y)es   (Y)es   (Y)es   (Y)es
Device=\Dblbuff.sys?                                (Y)es   (Y)es   (Y)es   (Y)es
Device=\Setver.exe?                                 (Y)es   (Y)es   (Y)es   (Y)es
Process your startup command file (Autoexec.bat)?   (N)o    (N)o    (Y)es   (Y)es
Load the Windows graphical user interface?          (Y)es   (Y)es   (Y)es   (Y)es
Load all Windows Drivers?                           (N)o    (Y)es   (N)o    (Y)es

Boot A:

   If Windows 95 does not start under these conditions, try the Boot D
   option. If Windows 95 starts, there is a problem with a driver or
   terminate-and-stay-resident program (TSR) loading in the Config.sys
   or Autoexec.bat file, or there is a problem with a Windows 95
   protected-mode driver.

Boot B:

   If Windows 95 does not start under these conditions, try the Boot C
   option. If Windows 95 starts, there is a problem with a driver or TSR
   loading in the Config.sys or Autoexec.bat file. You can pinpoint the
   problem by stepping through these files.

Boot C:

   If Windows 95 does not start under these conditions, try the Boot D
   option. If Windows 95 starts, there is a problem with a Windows 95
   protected-mode driver. For more information about these problems,
   see the "Troubleshooting Protected-Mode Driver Problems" section of
   this article.

Boot D:

   If Windows 95 does not start under these conditions, try the steps
   in the "System.ini" section below. If Windows 95 starts, there is a
   problem with the system registry.
   For information about restoring the registry, please see the
   following article in the Microsoft Knowledge Base:

      ARTICLE-ID: Q131431
      TITLE     : Err Msg: There Is Not Enough Memory to Load the Registry

System.ini:

   To determine whether the System.ini or Win.ini file is causing a
   problem, try the following steps:

   1. Rename the System.ini file in the Windows folder to System.sav.

   2. Copy (do not rename) the System.cb file in the Windows folder to
      System.ini.

   3. Add the following line to the [boot] section of the System.ini
      file and then save the file:

         drivers=mmsystem.dll

   4. Rename the Win.ini file in the Windows folder to Win.sav.

   5. Restart your computer.

   If this works, there is a problem with an entry in the System.ini or
   Win.ini file. Examine these files more closely to determine the
   exact cause of the problem.

   If Windows 95 does not start when you step through the boot process,
   start your computer in Safe mode, and then change the video driver
   to the standard VGA driver.

   NOTE: When you copy the System.cb file to System.ini, your mouse may
   stop working. If this occurs, add the following lines to the
   appropriate sections of the new System.ini file:

      [boot]
      mouse.drv=mouse.drv

      -and-

      [386Enh]
      mouse=*vmouse, msmouse.vxd

Troubleshooting Protected-Mode Driver Problems
----------------------------------------------

If Windows 95 starts only when you press N at the Load All Windows
Drivers? prompt, try the following steps:

1. Start Windows 95 in Safe mode.

2. Use the right mouse button to click My Computer, and then click
   Properties on the menu that appears.

3. On the Device Manager tab, disable any devices in the following
   categories:

      Display adapters
      Floppy disk controllers
      Hard disk controllers
      Keyboard
      Mouse
      Network adapters
      PCMCIA socket
      Ports
      SCSI controllers
      Sound, video, and game controllers

   To disable a device, follow these steps:

   a. In Device Manager, double-click the category name, and then
      double-click the device.

   b. On the General tab, click the Original Configuration (Current)
      check box to clear it, and then click OK.

   c. Restart your computer.

   NOTE: If Windows 95 does not start, go to the "System.ini" section
   of this article.

4. Once Setup finishes, enable the devices you disabled in step 3.
   Enable the devices in the following order:

    - Com ports
    - Hard disk controllers
    - Floppy disk controllers
    - Other devices

   To enable a device, follow these steps:

   a. In Device Manager, double-click the category name, and then
      double-click the device.

   b. On the General tab, click the Original Configuration (Current)
      check box to select it, and then click OK.

   c. While the properties for each device are open, click the
      Resources tab and make sure there are no conflicts listed in the
      Conflicting Devices list.

5. Restart your computer.

Additional Notes
----------------

For information about known hardware issues, please see the
Hardware.txt file in the Windows folder on your hard disk.

For additional troubleshooting assistance, check the Bootlog.txt file
in the root directory on your hard disk. This file lists the loading
status of all real-mode and protected-mode drivers. If Windows 95 does
not start, the Bootlog.txt file lists the last driver that loaded
successfully, and lists a "LoadFail" entry for each driver that failed
to load before the problem occurred.

KBCategory: kbtshoot kbsetup kbhw
KBSubcategory: win95
Additional reference words: 95 tshoot first boot fail setup noboot
no-boot crash hang fails work

COPYRIGHT Microsoft Corporation, 1996
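
The Bootlog.txt review described in Q130179 step 3c (failure versus "INITCOMPLETESUCCESS" entries) and in the Additional Notes of Q136337 ("LoadFail" entries, last driver that loaded successfully) can be scripted. The following Python is an added example, not Microsoft code; the "[stamp] Status = module" line layout, the module names EXAMPLE.VXD and HYPOTHET.VXD, and the sample log are assumptions constructed for illustration.

```python
import re

# Assumed layout of one Bootlog.txt entry: "[hex stamp] Status = module".
ENTRY = re.compile(r"^\[([0-9A-Fa-f]+)\]\s+([A-Za-z ]+?)\s*=\s*(.+)$")

# Constructed sample log, not captured from a real machine.
SAMPLE_BOOTLOG = r"""
[000A1F01] Loading Device = C:\WINDOWS\HIMEM.SYS
[000A1F03] LoadSuccess    = C:\WINDOWS\HIMEM.SYS
[000A1F20] Loading Vxd = VMM
[000A1F21] LoadSuccess = VMM
[000A1F30] Loading Vxd = EXAMPLE.VXD
[000A1F31] LoadFailed  = EXAMPLE.VXD
[000A1F40] DEVICEINIT = IOS
[000A1F41] DEVICEINITSUCCESS = IOS
[000A1F50] Loading Vxd = HYPOTHET.VXD
"""


def triage_bootlog(text):
    """Summarise a boot log.

    Returns a dict with:
      failures     - (status, module) for every entry whose status
                     contains "fail" (covers LoadFail..., ...Failure)
      last_success - module named by the last "...Success" entry
      unfinished   - modules with a start entry but no result entry,
                     i.e. what was in progress when logging stopped
    """
    failures = []
    last_success = None
    pending = {}  # upper-cased module name -> module name as logged

    for raw in text.splitlines():
        match = ENTRY.match(raw.strip())
        if not match:
            continue  # blank line or an entry in another layout
        status = match.group(2).replace(" ", "").upper()
        module = match.group(3).strip()
        key = module.upper()

        if "FAIL" in status:
            failures.append((status, module))
            pending.pop(key, None)
        elif status.endswith("SUCCESS"):
            last_success = module
            pending.pop(key, None)
        else:
            # A start entry such as "Loading Vxd" or "DEVICEINIT".
            pending[key] = module

    return {
        "failures": failures,
        "last_success": last_success,
        "unfinished": list(pending.values()),
    }


if __name__ == "__main__":
    report = triage_bootlog(SAMPLE_BOOTLOG)
    for status, module in report["failures"]:
        print("FAILED  ", status, module)
    print("LAST OK ", report["last_success"])
    for module in report["unfinished"]:
        print("NO RESULT", module)
```

A driver reported under "unfinished" at the end of a log from a boot that hung is the first candidate to disable in Device Manager or to re-extract from the Windows 95 media.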