Win 98 Ghost File
Chasrome
07-07-1999, 08:11 PM
After restoring Win98 from a crash, I noticed a file in the C:\Windows subdir which has very strange characteristics:
The file name shows as: ._)__9_£.0ƒ_
(This is Tahoma font, in DOS other chars are displayed. Can work with it in DOS by referring to it as *.0??)
This file can not be renamed nor deleted
not in Windows nor DOS (booting into DOS)
nor attributes modified under DOS.
Windows Returns message:
File System Error (1026).
Backup reports the file "was busy during backup"
Explorer shows attributes SHR but properties sheet shows no checks (DOS shows SHR).
It can be sent to DOS Edit and appears to be a binary with no recognizable words or messages in it (it also seems about 30kb in size).
File size in Explorer (and DOS) is showing 32kb but properties sheet shows zero bytes.
File date in Explorer (and DOS) shows 6/22/99 but properties shows dates as unknown
Can not be "Sent To" Notepad nor Write.
Does anyone have any idea what this is?
socalgal
07-07-1999, 08:35 PM
Have you performed an updated virus scan?
Did you try to delete 'Connect To The Internet' and one or more icons from the Desktop? (This can cause a File System Error 1026)
Is your Temp. Internet folder full? (Downloading/Saving to Disk, and, Copying files can also cause File System Error 1026)
I would try run/SFC after doing a virus scan to see if any corrupt files come up.
What caused the crash?
Right... also with what caused the crash, how did you restore from the crash?
Have you done a good virus scan lately?
Have you run scandisk lately?
BBA
[This message has been edited by BBA (edited 07-07-99).]
Chasrome
07-07-1999, 11:16 PM
Ran System File Check every day for about 10 days after crash and every time anything new added. Nothing here.
Use Washer program after every internet session (and sometimes in between if sessions long) -- cache is not a factor.
Don't know what caused crash (was happening about every 20 days or so). Crashes always and only occurred after system was powered down for 1 or more days and restarted. Windows sometimes hung right at start (after all HW messages done, and Win was invoked) but usually got all the way to the desktop and began spinning out errors. No Device Manager problems ever reported (when I could get to DM). Restarts in SM useless. Most times registries checked out OK. Sometimes SFC would come up with corrupt drivers. One time some cpl's were bad. Other times may have been files not covered by SFC? Always required full re-install of Win98 on reformatted partition (not entire drive).
Started backing up C:\ (has only OS on it) to another partition and used this backup to restore all Windows and System files after the latest. All went well and only the ghost remains. Installed SE after this time without a hitch.
Have used McAfee (latest version) but comes up clean. Have 2 HD with 8 partitions (4GB total). Never any problem with other partitions. No other strangers on these disks.
I did delete Connect to the internet and many other trash items from my desktop and replaced them with those I use and do the same in the Quick Launch. How would this create the ghost? And on top of all, what IS the ghost? Is it a corrupted fat entry? Why does not Scan disk find it? Why can I view it in DOS editor but Windows can not see it?
This is just a curiosity at this point since all apps including games have been running fine. But it would be interesting to do a postmortem on the ghost as it might have security and virus implications.
Just found an article that says to try and change file attributes with the old "Winfile" app if Explorer won't do it.
Try it! Just type 'winfile' at the run line.
If you can change its file attributes there, then delete it!
Worth a shot.
BBA
socalgal
07-08-1999, 08:12 AM
That file sure sounds like an anomaly!
More than once I've heard that up-to-date AV protection does not always catch a virus! Susan highly recommends using the trial DOS version from here: www.avp.com/ (http://www.avp.com/)
Seems like it would be worth trying.
[This message has been edited by socalgal (edited 07-08-99).]
MadMax
07-08-1999, 09:48 AM
That is a corrupt file or a bad cluster being reported as a file. You'll need a disk util (Norton disk doctor) to get rid of it.
The original file/dir name has been trashed by data being returned to the disk in the wrong way OR a disk slap (read/write head smacked the disk platter) took place during your crash and system noise made what APPEARS to be a file but is not. There may or may not be actual physical damage. You'll have to check with a good util. NDD will let you repair the file name to a usable format (file00001.chk) or at least mark the cluster as bad so that your sys won't use it.
That problem needs to be corrected. Your sys thinks that cluster is correct by reporting the bogus file name. If your sys writes anything to that area, that data will get corrupted as well. This might be why you're getting your crashes. Among other things, if your swap file is dynamic, it may be trying to use a bad cluster and choking out.
Sometimes, not very often, you can kill those types of files by starting in dos, moving the file to a new dir and deltree the dir. Use the filename extension with wildcards like you mentioned earlier.
Oh, yea: Dos sees the "filename" as a valid FAT entry. Unless it was reporting a lost chain or overlapped file entry, scandisk won't have a problem with it. Even the "thorough" option in scandisk is fairly simplistic. You can see the "file" contents in dos because you are using qbasic to edit the file contents. W9X uses text editors to do this. You don't have a txt based file and the file name extension is not in the Win database, so Win can't see it.
Use Norton or something similar that looks at the file contents rather than only what the FAT reports.
[This message has been edited by MadMax (edited 07-08-99).]
socalgal
07-08-1999, 02:43 PM
Excellent, MadMax.. now it makes sense.
Dominus
07-08-1999, 03:30 PM
What brand of drive is it?
May sound a bit strange, but get the diagnostic util from the manufacturer and check it out. I had a similar problem, and maxdiag (I had a Maxtor drive) reported some strange anomaly. A low level format fixed it right up.
Just an idea.
DavidX
07-08-1999, 03:54 PM
Yup, I agree 100% with MadMax and Dominus. I had exactly that problem on a 286 once. It had about four or five files like that (gibberish names, 0Kb and impossible to delete) but it was certainly not a virus. The hard disk (only 20Mb) was simply getting old and faulty. I replaced the drive (a whopping 100Mb this time) and the problem went away.
[This message has been edited by DavidX (edited 07-09-99).]
Mbarb
07-08-1999, 07:37 PM
I also had the same thing happen. I was able to re-name the file and then I could delete it.
Chasrome
07-08-1999, 08:55 PM
Thanks everyone for the good comments.
MadMax I believe you are onto something.
Even though I had most crashes with this box before the ghost appeared, I have had several HD problems. Right from the start ('96) the installed Maxtor HD had spreading bad sectors and was replaced by the VA retailer ('97). I later added a Fujitsu (keeping the replacement Maxtor which later developed a few more bad sectors). I've also had problems in reading from one of the two (identical) CD Roms installed. Naturally the diagnostic tools I used found nothing wrong but I don't have access to the right tools for this and, no, for this unit a $100 diagnostic fee would be out of the question.
Together with the fact that all the crashes occurred after the machine was out of action for one or more days, I'm beginning to believe there is some sort of thermal physical problem with the disc controller chips on the MB (it is a Shuttle HOT557, VX chipset). I don't know what reputation Shuttle has -- don't seem widely used by folk building their own systems.
Looks like MB will have to go.
Regards
Well, Shuttle MBs were one of the Premo OC boards a couple of years ago. And on the other hand, Maxtor and Fujitsu drives have always had bad raps. The quality call seems like a hard one to make in your case.
Did you have any luck with the DOS move/rename/deltree? What about the Winfile.exe?
BBA
Chasrome
07-09-1999, 06:10 PM
Ghost does not show in WinFile at all.
(not listed).
DOS Move gets Permission Denied
Try to remove RSH and attrib returns
Access Denied.
File can only be read by DOS Edit. DOS Edit
will also Save As and the resulting file (if it is a file) is shown as 32kb and can be deleted -- but the original ghost, of course remains.
I do not want to put NU back on my machine after having to reinstall Win95 to get rid of it (when I had Win95). Ditto with Nuts & Bolts. Fix it (new version) about as helpful as scan disk with this one.
Interesting comments on the HD. I agree on Maxtor (looks like junk and sounds like junk too) but Fujitsu is (mechanically) a nice piece of work and I would be surprised if it had anything to do with this.
MadMax
07-09-1999, 06:37 PM
You don't have to install NU. Boot with the emergency disk and run NDD from the menu.
Disk Doctor only runs from DOS anyway.
[This message has been edited by MadMax (edited 07-09-99).]
Chasrome
07-19-1999, 07:41 PM
Status Report: Ghost file remains.
Norton NDD (DOS or Windows) "can't find"
(can't see) ghost and, of course, does not remove it. Otherwise, Norton gives whole system an A-Ok. I'm glad I tried Norton tho as it did a nice job cleaning up my registries.
UltraEdit "can't find" copy I put on floppy.
Only DOS Edit can see it.
Checkit (DOS version) 4 hr test (5 meg log file!) of HD found nothing wrong (not even "weak spots"). Ditto NU (NU test much shorter tho).
Conclusion: HD is OK. This seems to be something unusual -- would be a great way to protect something you didn't want anyone to get to, eh?
By the way, every time any attempt is made to access ghost, the date/time (listed in Windows & DOS) changes to that time.
Reformat is last step but with system stable and two layers of Win98 (original plus SE), I'm not doing this unless I have to anyway!
Regards
Charles Romer
MadMax
07-19-1999, 08:00 PM
If those utilities didn't find a problem, I'd start seriously worrying about a virus. That anomaly is not supposed to exist! If it was me, I'd wipe the disk. Even if the sys works ok now, that weird little "file" is NOT right. I'm sorry, but I wouldn't take a chance on serious damage later. Could be a time bomb.....
socalgal
07-20-1999, 12:09 AM
Egads! Sure is a weird one. I don't think I'd feel too safe with that thing. I agree with MadMax (again)
socalgal
07-20-1999, 12:22 AM
would be a great way to protect something you didn't want anyone to get to, eh?
Any possibility this is some kind of encrypted file?
DavidX
07-20-1999, 07:51 PM
Despite what Norton and the other utilities may say, I still tend to think the problem lies with your Maxtor HD (I take it the Fujitsu is your slave and that the offending file is on your C: partition). I've seen this problem so many times and in those cases it was always the HD or the ribbon cable (took me ages to find that one. It must have been corrupting data in some way. Replaced it and problem never reoccurred after reformat.). I admit this case may be different (there's always an exception) but . . .
[This message has been edited by DavidX (edited 07-20-99).]
Chasrome
07-22-1999, 07:12 PM
David -- Thanks, but the problem is on the Fujitsu drive (I made the new, better constructed drive the master when I installed it).
Socalgal -- Interesting idea since I tried about a year ago to install a work related product called Winframe that totally wrecked my system. The install included some kind of encrypted file. Two problems with this idea: 1) I only had the Maxtor HD at the time, and 2) as a result of that trainwreck, I reformatted it before I put back Win95.
Still, if this thing could evade a format (can't low level format HDs like I used to do under DOS 3.3) and then propagated itself to the new (physical) location of C:\Windows???
Sounds like a stretch but does anyone know anything about Winframe and whether or not it could do this.
Also, I tried to work on the ghost with NU version 4.5 (DOS 3 version) using NU's Attrib program. Ghost resisted this but I got a new message this time: that disk was write protected (referring to C:)! Maybe this is just how NU45 Attrib interpreted the error OR maybe this is what Ghost is using to block access. Anybody know a (software) work around for write protection?
One last item, I opened the copy of ghost that I put on a floppy, then I typed a couple words right at the beginning (don't know why I thought of this) and saved it. After this I could open it with UltraEdit in Hex Mode and examine the translation. The only English I found was near the end of the listing (probably in slack space, I couldn't tell) saying "This program cannot be run in DOS mode." Most of the listing is blanks with patches of code in between. It looks like (in order of probability):
1) a corrupted program
2) an encrypted file
3) a virus
Be back whenever I have news.
Thanks everybody for your interest.
Regards.
Charles Romer
socalgal
07-22-1999, 07:40 PM
For fun, I downloaded a program about 6 months ago (since uninstalled) called Encase. It's a forensic data analysis and retrieval program that cops use to get evidence from a hdd. It was quite revealing. I wonder if that could shed some light on this file?
Encase was pretty self-explanatory, easy to install/uninstall causing my system no problems. The demo is free to download. They even have a message board. Don't know why I didn't think of it before.
www.guidancesoftware.com/index.html?navigation.html&0 (http://www.guidancesoftware.com/index.html?navigation.html&0)
Edit: just to clarify, this won't help you get rid of the file, just maybe allow you to see inside of it. Maybe that will help. Also, QuickView+ might be able to see the innards of it too.
[This message has been edited by socalgal (edited 07-23-99).]
MickQ
07-24-1999, 08:50 AM
Just run [Microsoft Windows..not DOS] scandisk.
It will soon recognise this area of your disk as containing an error...usually a file in your file allocation table that does not actually exist. It won't let you delete it because it can't tell for sure the size of the file, exactly where it is held on the hard disk, and what properties the file has. If it did just delete the file based on the info it had, you could lose much valuable data.
Just run Scandisk which will quickly work out that the file is nonexistent and will either delete it or attempt to convert any parts of the file to a usable file (assuming there are valid parts of the file...I doubt there are).
I once had a dozen or so similar files on my hard disk. Interestingly enough, the files were approximately 1000 gigabytes in size each. Not bad considering the hard disk was 8.4gb...
Seems you missed the boat mick, that was tried long ago (RTFL)
I think the Low Level Format may be the only answer here!
BBA
BFlurie
07-29-1999, 05:23 PM
If you haven't got it yet, you might try using DOS Edit, deleting all the characters in the file, try to rename it, see if it'll delete. Had a similar file once & this worked.
Chasrome
09-18-1999, 06:47 PM
The Ghost file has been deleted WITHOUT reformatting, etc.
Answer came from a Symantec knowledge base response to someone else's question. Described my situation almost exactly. (article=19893, 8/20/99).
Must use Norton Disk Editor (when, like in this situation, Disk Doctor does not help).
Procedure outlined in the article is to find the file in Disk Editor, switch to Hex mode and replace first character of file name with E5.
Disk editor indicates file as "deleted"
The final step is not in the Symantec article:
You reboot (cold), start windows (98) and run scan disk. Scan disk reports a file fragment (same byte count as ghost) which should be deleted.
According to the Symantec article, this was likely to have been only a very corrupted file.
After switching to a new and faster processor, I have had only one more incident of file corruption on startup like the incident that created the ghost file although this time all the damaged files could be deleted.
I conclude that there is an intermittent fault in the disk controller of my Shuttle HOT-557 MB which sometimes scrambles (corrupts and cross-links) files used during startup (only files used during startup are affected and only on the boot partition and only after a very cold start-never on a restart--points at a thermal problem maybe). One of my drives (the Maxtor) suffered physical damage because of this. The other drive by Fujitsu is a much heftier unit mechanically so files get scrambled but no physical damage (at least not yet).
Need to locate a good Socket7 (AT) MB so I can salvage the processor, 64MB of EDO memory, the very expensive PC-Power-&- Cooling case and PS plus all the peripherals. Any recommendations?
Oh, one last thought, I think the lack of parity or ECC memory in these types of systems could also be part of all the problems I have seen (and the cause of other problems that have been blamed on Windows). When I build my own system I will definitely use ECC (server type) chipset and memory.
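The directory-entry edit described in the post above, as an added example that is not part of the original thread or of the Symantec article: a parser for the 32-byte FAT short directory entry that flags a name containing bytes the FAT specification forbids in an 8.3 name, and shows how overwriting the first name byte with E5 makes the entry read as deleted. The ghost entry's bytes, the start cluster and all function names are constructed for illustration, and the code works on an in-memory copy only.

```python
import struct

# Attribute bits of a FAT short directory entry, in the order the thread writes them.
ATTRS = [(0x04, "S"), (0x02, "H"), (0x01, "R"), (0x20, "A"), (0x10, "D"), (0x08, "V")]
# Printable bytes the FAT specification forbids in an 8.3 name.
ILLEGAL = set(b'"*+,./:;<=>?[\\]|')


def parse_entry(raw: bytes) -> dict:
    """Decode one 32-byte short directory entry and classify it."""
    if len(raw) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    name, ext, attr = raw[0:8], raw[8:11], raw[11]
    # Offsets 22..31: write time, write date, low word of start cluster, size.
    _time, date, cluster_lo, size = struct.unpack_from("<HHHI", raw, 22)

    def bad(i: int, b: int) -> bool:
        if i == 0 and b == 0x05:      # 0x05 stands in for a real leading 0xE5
            return False
        if i == 0 and b == 0x20:      # a name may not start with a space
            return True
        return b < 0x20 or b in ILLEGAL or 0x61 <= b <= 0x7A

    if raw[0] == 0x00:
        status = "end-of-directory"
    elif raw[0] == 0xE5:              # the byte the Disk Editor procedure writes
        status = "deleted"
    elif attr & 0x3F == 0x0F:
        status = "long-name"
    elif any(bad(i, b) for i, b in enumerate(name + ext)):
        status = "corrupt-name"
    else:
        status = "in-use"
    return {
        "name": name.decode("cp437").rstrip() + "." + ext.decode("cp437").rstrip(),
        "attrs": "".join(flag for bit, flag in ATTRS if attr & bit),
        "date": (1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F),
        "start_cluster_lo": cluster_lo,
        "size": size,
        "status": status,
    }


def mark_deleted(raw: bytes) -> bytes:
    """Return a copy whose first name byte is 0xE5, the FAT 'deleted' marker."""
    return b"\xE5" + raw[1:]


def make_entry(name, ext, attr, date, cluster, size) -> bytes:
    """Build a constructed 32-byte entry (reserved bytes and time left at zero)."""
    return struct.pack("<8s3sB10xHHHI", name, ext, attr, 0, date, cluster, size)


FAT_DATE = (1999 - 1980) << 9 | 6 << 5 | 22   # 6/22/99 in FAT date encoding
# Constructed sample: control bytes in the name, attributes SHR, 32 KB size.
GHOST = make_entry(b"\x16)\x01\x029\x03\x9c\x7f", b"0\x9f\x04", 0x07, FAT_DATE, 0x1234, 32768)
NORMAL = make_entry(b"WIN     ", b"INI", 0x20, FAT_DATE, 0x0002, 8192)

if __name__ == "__main__":
    for label, raw in (("ghost", GHOST), ("after E5 edit", mark_deleted(GHOST)), ("normal", NORMAL)):
        print(label, parse_entry(raw))
```

Only the first byte changes in the E5 edit: the start cluster and size stay in the entry, and the clusters are not released in the FAT by that edit alone.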
socalgal
09-18-1999, 09:41 PM
Chasrome, now this is really something! Not only did you find a solution over 2 months (from your first post) after your discovery, but I would like to say Thank You for coming back and reporting your solution.
I am happy to hear your unusual problem is resolved because it sure was a mind bender on this side and the fix is certainly interesting also.
Kudos Chasrome.
CMonster
09-18-1999, 10:18 PM
I had a 1 year old shuttle hot 557 that went sour on cold start-up as well. I would have to restart the thing about 15 times to get it to even complete the post....and then it would often crash in the Windows splash screen and toast the registry.... ran fine when warmed up.
ODDLY ENOUGH, All the problems went away when I backed the bus down to 60mhz ((because, just for fun, I was installing an old 120mhz Pentium that I rescued from a "dame" named "LOLA")) And it has run well ever since, and is currently running well for a local charity.
...and MadMax, YOU are toooo smart! ..and your profile is tooo funny!
[This message has been edited by CMonster (edited 09-18-99).]
socalgal
09-19-1999, 11:40 AM
CMonster ~ glad to hear Dame LOLA's first CPU is still ticking and for a good cause yet!
Anyone have some suggestions for Chasrome re: his latest "any recommendations" in latest post?
Chasrome - or perhaps you could post a new topic for your "any recommendations" question...?
[This message has been edited by socalgal (edited 09-19-99).]
Chasrome
09-19-1999, 03:57 PM
socalgal, OK, I found MB I need. It is a Tyan S1590S that lets me use all my current stuff plus upgrade forever (even supports ECC memory!). Was able to get it from Tech Store. It is really cheap (less than a PCI video card or a sound card). Also Tyan seems to have a good rep.
CMonster, Many thanks for info but no, I will not set jumper to 60. If it can't run at a standard 66 (Tyan and others run at 100!) out it goes. But your note was helpful -- the "last straw" for me to decide to replace MB.
ocynic
09-22-1999, 09:05 PM
TO MadMax: I just read the entire dialogue about the Win98 ghost file, astonishing... Could you please look at my posting of The square dot in the technical area of this board? It really has me puzzled.
Thanks!