How a computer virus presents itself is dependent on the type of virus and the Windows platform infected. Typically, the older and more widespread the virus, the less likely it will be able to spread and cause harm. In this section, we will cover the signs and symptoms of computer virus infection in Windows.
Some signs of virus infection are:
The normal signs and symptoms of successful computer virus infection apply. Hacker-sounding taunts, such as “Gotcha” or “You’re infected,” should be a major clue. Randomly appearing graphics, sounds, file disappearance -- all of these should be taken as possible signs of virus infection.
Sudden, unexpected executable file growth and/or date changes. This is one of the quickest ways of spotting a computer virus, but you have to know what to look for. Windows will frequently update executables (i.e., EXEs, DLLs) as a normal part of business. The trick is to look for widespread executable updates at the same time as other suspicious symptoms started occurring.
Unexpected modification of startup areas (AUTOEXEC.BAT, the registry, the Startup group).
Sudden, unexpected long-term hard drive accessing after your program or data is loaded could be suspect.
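The second sign above, widespread executable growth and date changes clustered at the same moment, is easy to state but hard to spot by eye. The following Python script is an added example, not code from the book, showing one way to check for it: take a baseline of every executable's size, modification time and SHA-256 hash, compare a later snapshot against it, and flag a burst of executable changes that all land inside a short time window. The directory tree, file contents and timestamps it uses are constructed inside a temporary directory purely for the demonstration; the window length and threshold are assumptions you would tune for a real system.

```python
import hashlib
import os
import tempfile

# Suffixes treated as executables (assumption: a minimal Windows-style set).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".sys")


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (size, mtime, sha256) for executables under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                result[os.path.relpath(path, root)] = (
                    st.st_size, int(st.st_mtime), file_digest(path))
    return result


def changed_executables(baseline, current):
    """List (relpath, old_record, new_record) for executables whose hash changed
    or that did not exist in the baseline (old_record is None then)."""
    changes = []
    for rel, new in current.items():
        old = baseline.get(rel)
        if old is None or old[2] != new[2]:
            changes.append((rel, old, new))
    return changes


def largest_burst(timestamps, window_seconds):
    """Largest number of timestamps that fall inside any window of the given length."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(baseline, current, window_seconds=300, threshold=3):
    """Summarize executable changes and flag a suspicious same-time burst."""
    changes = changed_executables(baseline, current)
    grown = [rel for rel, old, new in changes if old is not None and new[0] > old[0]]
    burst = largest_burst([new[1] for _, _, new in changes], window_seconds)
    return {
        "changed": len(changes),
        "grown": grown,
        "largest_burst": burst,
        "burst_suspicious": burst >= threshold,
    }


def demo():
    """Build a constructed directory, take a baseline, simulate changes, analyze."""
    with tempfile.TemporaryDirectory() as root:
        t0 = 1_000_000_000  # constructed baseline timestamp
        os.makedirs(os.path.join(root, "sub"))
        for name in ["a.exe", "b.dll", "c.exe", "d.exe", "readme.txt", "sub/e.com"]:
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(b"MZ" + name.encode() * 10)
            os.utime(path, (t0, t0))
        baseline = snapshot(root)

        # Three executables grow and get the same new mtime: the pattern the text describes.
        for name in ["a.exe", "b.dll", "sub/e.com"]:
            path = os.path.join(root, name)
            with open(path, "ab") as f:
                f.write(b"CONSTRUCTED-APPENDED-BYTES")
            os.utime(path, (t0 + 3600, t0 + 3600))

        # One isolated, smaller rewrite a day later, like a routine update.
        path = os.path.join(root, "d.exe")
        with open(path, "wb") as f:
            f.write(b"MZ new build")
        os.utime(path, (t0 + 90000, t0 + 90000))

        return analyze(snapshot(root), baseline) if False else analyze(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In the demonstration, three of the five executables change within one window and grow in size, so the burst is flagged, while the single later rewrite of d.exe is counted as a change but does not by itself trip the threshold. On a real system the same comparison works against a baseline taken when the machine was known clean; a burst that coincides with other symptoms from the list above is the signal the text asks you to look for.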
Windows 16-bit and 32-bit program files infected with a DOS virus will usually fail to run. DOS viruses infecting newer versions of COMMAND.COM may result in “Bad or missing command interpreter” messages and the system is halted. When an infected program is started, Windows immediately produces a fatal error message, or in some instances, Windows locks up or displays blue screens. An error message may state that an “Invalid Page Fault” occurred, a program attempted to write to an illegal memory location, or the file you are attempting to execute could not be located. The last error message is confusing because many times you are double-clicking on the same executable file Windows is saying it could not locate (don’t be fooled by a misdirected shortcut). Be especially suspicious if Windows executables will not start, but DOS programs work fine; or vice versa. Another virus-created error message stating “This version of Windows does not run on DOS 7.0 or earlier” when you haven’t installed new programs should clearly lead you to suspect a DOS virus.
With Windows 3.1, viruses frequently caused the following Windows warnings, “The Microsoft Windows 32-bit disk driver (WDCTRL) cannot be loaded. There is an unrecognizable disk software installed on this computer” or “This application has tried to access the hard disk in a way that is incompatible with the Windows 32-bit disk access feature (WDCTRL). This may cause the system to become unstable.” Inability to create a temporary or permanent swap file can be caused by a boot virus. Later versions of Windows 3.x produce error messages suggesting that computer viruses could be responsible when presenting these types of errors.
Windows 9x systems may boot without an error message, but reveal that the file or virtual memory system is in MS-DOS Compatibility mode. You can check this by choosing Start → Control Panel → System → Performance. On most systems you should see the file and virtual memory system in 32-bit mode. Systems running real-mode processes could be the result of Windows detecting a program that hooks the disk’s write-interrupt routine. Although there can be several legitimate causes (e.g., a third-party driver, an antivirus program) for this type of symptom, computer viruses are a likely cause. If the driver name listed as causing MS-DOS Compatibility mode is MBRINT13.SYS, definitely suspect a boot virus. You can edit IOS.LOG to determine what file might be causing the conflict.
If you’ve been around Windows NT any decent amount of time, you are probably already familiar with the infamous Blue Screen of Death (BSOD) errors. The blue screen refers to the color of the background displayed during Fatal System Stop Errors (Windows 2000 BSOD is actually black). They have been around since the days of Windows 3.0, and are present in Windows 9x, but are more common in Windows NT. When Windows encounters a serious error, it will immediately halt the system and display a debugging screen. If you are not used to BSODs, they can be a little intimidating -- lots of numbers and filenames. What is displayed on the screen is different for each platform. Windows NT gives the most information. Windows 2000 has dropped a lot of the information that was displayed in the NT version, but all versions give you the error message text and an error number, and are followed by the drivers and programs associated with the error. A good troubleshooter can use this information to identify the offending device driver or program, or use it to research Microsoft’s Knowledge Base articles for a remedy.
If a boot virus is successful in writing itself to an NTFS boot disk, NT will almost always show a blue screen with a STOP error. In the case of boot viruses, STOP messages will most often begin with error codes 0x0000007A, 0x0000007B, or in the case of Windows 2000, 0x00000077. All of these STOP errors are the result of NT not being able to correctly read the boot drive or paging memory.
Tip
Sometimes the solution is worse than the problem. STOP 0x0000001E errors are commonly caused by misbehaving antivirus programs. Microsoft, and just about every Windows software developer, recommends that all antivirus programs not be active when installing new software. Failure to do so has resulted in many problems and corrupted software installations. At the very least, memory-scanning antivirus software will significantly slow down the software install process.
Many computer viruses are discovered during the Windows installation process. When Windows 95 first came out, thousands of users complained to Microsoft that the Windows 95 Setup Disk 2 was infected with a virus. Users would start installing Windows, but when they came to Disk 2, Windows indicated the disk was bad. Many users did a virus scan, detected a boot virus on the new disks, and incorrectly blamed the Redmond, Washington company. Microsoft wasn’t distributing infected diskettes; the users’ systems already contained a boot virus, which infected the new diskette while Windows was saving setup information. An “Invalid system disk” message can appear after the first reboot on an infected Windows 9x system, as Windows goes to load itself for the first time. A “Packed file corrupt” error message can occur during the initial install stages on an infected machine.
Boot viruses can cause Windows NT to state, “The hard disk containing the partition or free space you chose is not accessible to your computer’s startup program.” An infected Windows NT PC with an NTFS boot partition may say “A kernel file is missing from the disk. Insert a system disk and restart the system.” A common sign you can see when installing Windows NT on an infected system is that NT begins to load, goes black, and then reboots, and continues repeating the cycle. Again, an infected boot sector can be suspected. Occasionally, Windows NT will be quite direct with some of its error messages, like “MBR checksum error: a virus may be present. Verify Master Boot Record integrity.”
Microsoft programmers are getting better at detecting virus-like situations and the error messages they cause. Of course, the virus writers are fighting back. Some boot sector viruses, like Gold-Bug, will detect the Windows startup process, disinfect the boot sector on the fly, and then reinfect after Windows is through checking.
Windows is very careful about what hard disk areas it uses when creating permanent swap files during the initial install. If, while creating a new swap file, Windows detects an incorrectly modified disk or disk subsystem, it will refuse to create a swap file. In Windows 3.x, the message might be, “The partitioning scheme used on your hard drive prevents the creation of a permanent swap file.” Viruses, trying to intercept the file-write interrupts, can cause swap file problems and error messages.
In summary, as we all know, Windows has enough problems and errors without a computer virus being involved, but an active PC with any of these symptoms should be checked for computer viruses. Suspect a nonvirus problem first, if you know the PC hasn’t been exposed to any new programs, files, diskettes, new emails, or Internet accesses.