Urkel virus! Help please!
Audrey Smolin
I copied some files (network packet driver stuff) from my secretary's
computer to a floppy, and then used the floppy in my system (A Compaq
running DOS 6.20). Later, when I started windows, I got the following
message:
"CPQWDCTL Error W5: The microsoft windows 32-bit disk driver (CPQWDCTL)
cannot be loaded. There is unrecognizable disk software installed on this
computer.
The address that MS-DOS uses to communicate with the hard disk has been
changed. Some software, such as disk-caching software, changes this
address.
If you aren't running such software, you should run a virus-detection
program to make sure there is no virus on your computer.
To continue starting windows without using the 32 bit disk driver, press
any key."
I ran F-prot 2.17 and was informed that "the Urkul virus search string had
been found in memory. F-prot advised booting from a clean floppy, and
then closed. When I ran F-prot with the /NOMEM parameter, it did not
report any viruses.
I rebooted the computer and pressed the F5 key to bypass startup files ...
virus string aws still reported as present.
I booted from a clean, write-protected DOS 6.2 floppy containing F-prot.
It could not find drive C:!!! I closed F-prot and typed C: at the A:>
prompt and got the message "invalid drive specification".
I ran f-prot from the floppy with the /hard /auto /disinf parameters and
it reported Urkel? infection in Master Boot Record but it couldn't/didn't
disinfect.
I tried another clean, write protected bootable floppy - same story!
I went back to my secretary's computer. It behaved the same way, except
that the message said WDCTL instead of CPQWDCTL (her system is not a
COMPAQ, its an HP).
Oh yeah .... the bootable floppies that I tried behaved properly (i.e.
drive C: could be recognized) in another, uninfected PC in my department.
If I format a new floppy from my hard drive, the computer can recognize C:
after booting, but I again get reports of the Urkul virus in memory.
HELP!!!
How do I clean this virus up I can't address drive C: after booting from a
clean floppy??
--
Audrey Smolin (asm...@panix.com)
John Young
>Does anyone know anything about the Urkel virus?
>I copied some files (network packet driver stuff) from my secretary's
>computer to a floppy, and then used the floppy in my system (A Compaq
>running DOS 6.20). Later, when I started windows, I got the following
>message:
It sounds like you somehow activated the virus. Urkel would be on the
boot sector of the floppy. Normally you have to boot the computer with
the infected floppy in the A drive. This would "activate" the virus and
load it into memory to infect other floppies and local hard drives.
>I ran F-prot 2.17 and was informed that "the Urkul virus search string had
>been found in memory. F-prot advised booting from a clean floppy, and
>then closed. When I ran F-prot with the /NOMEM parameter, it did not
>report any viruses.
The virus was in memory. By using the nomem option, the virus in memory
is ignored. Any virus with stealth that is active in memory will hide the
infection on a drive. In other words, you confused things by using nomem.
Don't use this option unless there is a confirmed FALSE ALARM in memory.
>I booted from a clean, write-protected DOS 6.2 floppy containing F-prot.
>It could not find drive C:!!! I closed F-prot and typed C: at the A:>
>prompt and got the message "invalid drive specification".
This is a normal message if the hard drive has been infected with a
partition encypting virus. Monkey (another virus) would show the same
thing. The virus encrytion key is in the virus and is only active when
the virus is active. Booting from the floppy means that the virus is not
active, DOS can't see the partition table, and the virus can be removed
by programs that understand the encrytion.
Two programs I know can do this are McAfee's Scan version 223 and
Norton's Disk Doctor. Scan can be downloaded from mcafee.com in the
/pub/beta directory. This is shareware you can buy if you like it. The
command to remove the virus is SCAN C: /CLEAN.
>I tried another clean, write protected bootable floppy - same story!
You do have another uninfected floppy here!
>If I format a new floppy from my hard drive, the computer can recognize C:
>after booting, but I again get reports of the Urkul virus in memory.
By formatting a floppy on the infected system, you put the virus onto the
floppy. This infected floppy could be sent to the F-Prot guys for
analysis. If Scan can't remove the virus, send an infected floppy to them
as well.
--
If I had two marbles, I'd give you one
crea...@netcom.com
James Fabiano
> Does anyone know anything about the Urkel virus?
> I copied some files (network packet driver stuff) from my secretary's
> computer to a floppy, and then used the floppy in my system (A Compaq
> running DOS 6.20). Later, when I started windows, I got the following
> message:
> cannot be loaded. There is unrecognizable disk software installed on this
> computer.
> The address that MS-DOS uses to communicate with the hard disk has been
> changed. Some software, such as disk-caching software, changes this
> address.
> If you aren't running such software, you should run a virus-detection
> program to make sure there is no virus on your computer.
> To continue starting windows without using the 32 bit disk driver, press
> any key."
> been found in memory. F-prot advised booting from a clean floppy, and
> then closed. When I ran F-prot with the /NOMEM parameter, it did not
> report any viruses.
> virus string aws still reported as present.
> It could not find drive C:!!! I closed F-prot and typed C: at the A:>
> prompt and got the message "invalid drive specification".
> it reported Urkel? infection in Master Boot Record but it couldn't/didn't
> disinfect.
>
> that the message said WDCTL instead of CPQWDCTL (her system is not a
> COMPAQ, its an HP).
> Oh yeah .... the bootable floppies that I tried behaved properly (i.e.
> drive C: could be recognized) in another, uninfected PC in my department.
> after booting, but I again get reports of the Urkul virus in memory.
>
>
> How do I clean this virus up I can't address drive C: after booting from a
> clean floppy??
> --
> Audrey Smolin (asm...@panix.com)
David W. Hodgins
> On Tuesday, June 27, 1995 at 3:00:00 AM UTC-4, Audrey Smolin wrote:
>> Does anyone know anything about the Urkel virus?
It's unlikely the computer posted about 27 years ago is still in use.
Regards, Dave Hodgins
James Fabiano
David W. Hodgins
a write protected dos boot floppy and run "fdisk /mbr c:".
Not many computers still have working floppy drives though. None of mine do.
According to www.diskpart.com/articles/boot-sector-repair-4125.html it's now
boot from the windows startup cd/dvd and run "Bootrec.exe /FixBoot".
I haven't used windows on any of my computers since win 98, though I still some
times help others with newer versions.
Now, I'd boot from a linux live iso image on a usb drive, use that to install
grub2, grub2-efi, or refind, depending on hardware and preferences, to the drive.
Regards, Dave Hodgins
Nomen Nescio
David W. Hodgins
windows still ran on top of dos, so a master boot record infection would be
based on dos.
In June 2022, 27 years later, James asked if it really did what Audrey asked
about.
A search for Urkel virus still only points to the 1995 version. No more recent
versions show up.
The only problem here is that google hides the fact that the articles are from
usenet, not google groups, and makes it much less likely that people replying
to a thread will notice the date of the article they are replying to.
Regards, Dave Hodgins