Small Smiley face on boot

I was messing around with Compiz, trying to disable it via a command someone had recommended (I think it was xgl something)… Now I reboot, and I get a black screen, and a small smiley, Pacman-like black and white face pops up and nothing happens. I can boot via live CD, but my hard disk, no… Has anyone seen this before, and how can I fix this?

Did you try the failsafe boot option from the menu?

Do a Google on “+smiley face” +virus and I think you might find your problem …


If you do have the Smiley Face, that’s an OLD boot sector virus. It infects the hard drive itself and installs itself in memory before the system even boots up. That will kill most any modern operating system, which wants to switch the machine to protected mode very early in the boot.

What makes this frustratingly hilarious is that most virus scanners are for Windows! You can try Avast!'s PLOP distro (PLoP Linux - LiveCD, USB boot, PXE network boot, antivirus, rescue, partimage, NTFS, tftp, avast, f-prot). Worst case, you simply reinstall openSUSE; when it rewrites the boot sector with Grub, that’ll kill it for you.

Your next question would be, “where’d I get it?” Have you recently inserted an old diskette in your computer, or opened an old .zip archive under Winderz? :slight_smile:

Smpoole, are you serious? How can I have activated a virus? Even an old boot sector one like that. Bloody hell, no, I do not recall looking at older files or anything like that. How would something like that activate within Linux if it was made for DOS (sorry, maybe a stupid question)? Odd, really odd. So just reinstalling openSUSE should fix this, or do I have to clean it out of the memory? On another note, would this cause the computer to freeze? I have had this problem for a while and I thought it was Compiz (that’s why I was trying to mess with that).

One last question: I had my home directory on a separate hard disk altogether, and used a smaller hard disk for the root directory, so do you think those would have been affected as well, and is there a way I can get my data back just in case?

Are you saying you don’t even get the grub boot screen?
Just boot parted magic and reinstall grub, maybe that will fix it.

To be sure before you decide on re-installation: maybe a screenshot of how it looks will be useful, to see if it is really the same as described by smpoole7. If it is only the boot sector being attacked by that tiny smiley, can the CD/DVD installer be used to reinstall Grub without undergoing a full operating system installation?

I already tried that…did not work, for some odd reason. The repair on the installation disk would not work.

Yes, I’m sorry, I forgot to add that detail: no, I don’t see a Grub boot screen… just blackness… afterward some odd characters jump around and flash, then finally a DOS smiley, centered horizontally but about 20% away from the bottom of the screen, shows up, and that’s it really…

Okay, I tried the installation software’s repair tools to fix Grub; now I no longer get the smiley face, just a black screen and nothing happens. I give up, going to reinstall openSUSE, hopefully my home directory is intact… Now the question is, how do I get rid of this thing if it is a virus indeed? Would Klam do it?

You give up too easily. How about trying this:

If you have a Linux Live CD, boot from it and log in. Then open a console window and enter su and you will be at the command prompt with root powers and ready to proceed. If on the other hand you have the openSUSE install DVD, boot from it and on the first menu of options select the Rescue System option. That will start an elementary Linux Live operating system and bring you to the login prompt. Enter the username root and you will be at the command prompt with root powers and ready to proceed. Whichever way you started (the openSUSE install DVD or a Linux Live CD) when you are at the root command prompt, first you find the partition containing openSUSE’s bootloader. Then you reinstall Grub with a pointer to that partition. First find the openSUSE installation:

You enter this ---------------- grub
Computer returns like this ---- grub>
You enter this ---------------- find /boot/grub/menu.lst
Computer returns like this ---- (hd0,5)
Here, (hd0,5) is Grub’s pointer to my openSUSE installation. Your pointer will be different from my example (hd0,5). Substitute your values for my example (hd0,5). Now that you have the pointer, proceed like this:
You enter this ---------------- root (hd0,5)
Computer returns like this ---- Filesystem type is ext2fs, partition type 0x83
You enter this ---------------- setup (hd0)
You see several lines like this - Checking if /boot/grub/stage1 exists … yes
Computer finally returns this - Succeeded…Done
You enter this ---------------- quit
You enter this ---------------- reboot

caf, thanks for the help, I’ll give it a shot…hope it works…


Remember you have to replace the values in that guide with your values as reported by grub.
I always use Parted Magic but any live cd will do. But parted defaults to super user.

Some other guides
All About Grub - openSUSE

HowTo Boot into openSUSE when it won’t Boot from the Grub Code on the Hard Drive

sherifkadry wrote:
> Okay, I tried the installation software’s repair tools to fix grub, now
> I no longer get the smiley face, just a black screen and nothing
> happens.

sounds like a hardware failure to me…

> I give up, going to reinstall opensuse, hopefully my home
> directory is intact…

hmmmm…will it actually boot from a CD/DVD??
hmmmm…are you seeing the initial BIOS messages???

from the moment you hit the start button until you get the “just a
black screen and nothing happens.” do you now see anything??

if it were my data i would not be inclined to risk destroying it
with a probably unneeded reinstall attempt… [reinstalling is a well
worn M$ means of administration which is not often useful here in
solving THE problem…]


The quick answer is, I have no idea. I don’t know the details of your system. You mention that you have a separate, older hard drive. The virus may have been there all along and you recently managed to activate it somehow by accidentally booting onto it. The classic way that people used to get these things is by accidentally booting onto an infected floppy or CD/DVD.

There may be a new trojan that does a smiley face, but I agree that it’s hard to imagine in getting at the boot sector in Linux. The classic DOS Smiley acts like Pacman – the little smiley face runs across the screen and eats tiny little dots.

By the way, be warned that if this really IS a virus, and IF it’s an old boot sector virus, reinstalling Grub (or using “fdisk /mbr,” or any of the other standard fixes) MAY NOT WORK. A classic boot sector virus will move and encrypt the original boot records. The idea was, it would load itself in memory, then find (and decrypt) the original boot record(s) and start the system. It could then hide in memory and infect everything on the fly, while you were none the wiser. (Of course, this won’t work under ANY modern protected-mode operating system; it’ll just hang during the boot … … )

( … oh, boy, that sounds EXACTLY like what you’re describing, doesn’t it? SOMETHING has corrupted your operating system, anyway … )

Simply put: if it HAS encrypted your boot record, the best choice is to use an Anti-Virus package that knows how to clean and remove that virus. THAT’S why I suggested that, rather than a Grub rebuild, by the way.

A quick primer on boot viruses (without getting into a bunch of needless technical jargon, I’m speaking of a typical modern PC):

When your computer boots, it looks for the Master Boot Record (MBR) of the hard drive (or the CD/DVD, or the network, or a USB stick – I said I’d keep this simple). This depends on your BIOS settings, of course. But assume that it’s set to boot from the hard drive. The BIOS loads in the MBR boot code and executes it. Normally, the MBR code will look for an operating system and execute it; if you have a typical Linux install, it will load Grub or LILO, which then loads and starts the operating system.

The key is that the BIOS is completely stupid: it will load and execute whatever’s in that MBR (or the boot record of the CD/DVD, USB, etc.). Hopefully, it’s a boot loader. But it could be a virus, an animated picture of a dancing chicken, or anything else that’s executable in that primitive environment. The BIOS will happily load and execute it without questions.

When you first boot, you’re not IN Linux yet, you’re still in a very primitive, real-mode operating environment. Unless the BIOS people have changed this recently, in fact, even with the latest 686 or better processor, you’re executing in 16-bit real mode – same as the original 8086. The switch to 32- or 64-bit protected mode doesn’t occur until after the OS is loaded, because it has to set up the desired environment (and there are different ways to do it).

In sum: you can easily get an old boot sector virus whether you’ve installed FreeDOS, Windows 3.1, Windows 7, Linux, FreeBSD, or whatever.
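
The sector the primer above describes has a fixed layout (446 bytes of boot code, four 16-byte partition entries, then the 55 AA boot signature), so a saved copy can be inspected offline before anything rewrites it. This is an added example, not code from the thread: it parses a 512-byte copy and names the regions that differ from an earlier copy. The sample sectors, the function names and the "GRUB" string check are assumptions made for the illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446      # bytes 0..445: code the BIOS loads and runs
SIGNATURE = b"\x55\xaa"  # bytes 510..511, required for the sector to boot

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition table, signature."""
    if len(sector) != 512:
        raise ValueError("expected exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for slot in range(4):  # four 16-byte entries starting at offset 446
        entry = sector[446 + 16 * slot: 446 + 16 * (slot + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 marks an unused slot
            partitions.append({"slot": slot, "bootable": entry[0] == 0x80,
                               "type": entry[4], "lba_start": lba_start,
                               "sectors": sectors})
    return {"signature_ok": sector[510:] == SIGNATURE,
            "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "mentions_grub": b"GRUB" in boot_code,  # heuristic, not proof
            "partitions": partitions}

def changed_regions(saved: bytes, current: bytes) -> list:
    """Name the MBR regions that differ between a saved copy and the disk."""
    a, b = parse_mbr(saved), parse_mbr(current)
    keys = [("boot code", "boot_code_sha256"),
            ("partition table", "partitions"),
            ("signature", "signature_ok")]
    return [name for name, key in keys if a[key] != b[key]]

def make_sample(boot_code: bytes, entries: list, sig: bytes = SIGNATURE) -> bytes:
    """Build a constructed 512-byte sector for the demo (not a real disk)."""
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\0" * 3, ptype, b"\0" * 3, lba, n)
        for status, ptype, lba, n in entries)
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table.ljust(64, b"\0") + sig

# Constructed samples; the layout loosely mirrors the thread's sda (swap + ext3).
SAVED = make_sample(b"\xeb\x48\x90GRUB ", [(0x00, 0x82, 63, 4194304),
                                           (0x80, 0x83, 4194367, 100000000)])
# Same sector with different boot code and an emptied partition table.
ALTERED = make_sample(b"\xfa\x33\xc0", [])

if __name__ == "__main__":
    print(parse_mbr(SAVED)["partitions"])
    print(changed_regions(SAVED, ALTERED))
```

From a live CD, a copy of the sector can be taken with `dd if=/dev/sda of=mbr.bin bs=512 count=1` and its bytes passed to `parse_mbr`.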

See my reply above. 99% of the time, I’d agree with you. But because Linux users are so unfamiliar with viruses, they may do things that could actually make the problem worse (such as reinstalling Grub over an encrypted boot virus that has moved the partition tables).

That’s why I strongly suggested downloading a good bootable AV CD-ISO and letting it scan the hard drive for a possible virus. If the virus can be removed (and most of the classic ones can), the OP is up and running pretty quickly.

But IF he/she has reinstalled Grub over a boot virus, they could possibly have lost everything, requiring a complete reinstall from scratch.

As I said: we Linux lovers rarely have to worry about viruses, and as a result (I’ve seen this in other forums, not just here!), on those rare occasions when we get one, we tend to do all the usual fixes … and actually make the problem worse.

you confuse me:
i said do NOT reinstall and you said do NOT reinstall…

or, do i misunderstand what you wrote?

or what i wrote?? i didn’t even suggest he try a DVD “Repair Installed
System” or fiddle with GRUB----i just asked questions, because i
still think his “I no longer get the smiley face, just a black screen
and nothing happens.” might point to a hardware failure!!)


No, I misunderstood what you said. My fault. I abase myself in apology. :slight_smile:

> No, I misunderstood what you said.
whew! i thought i was about to understand why i’m so often

no apology required…:slight_smile:
dang, i keep forgetting these :slight_smile:


Here are my system details:
it's a dual quad-core Xeon with 16 GB of RAM, and it has nothing except openSUSE 11.1 as an OS. I have 3 hard disks.
sda contains my root directory, and has 2 partitions: a swap partition and an ext3 partition.

sdb contains my /home directory and is just a 1tb ext3 partition

sdc contains a /mirror directory and is just a 1tb ext3 partition.

So your advice is to boot via a live CD and try to remove the virus before trying something as drastic as reinstallation of openSUSE on sda.

Just remembered: the last thing that I remember accessing was the Seagate tools. I was trying to scan my disks because the computer had crashed and I was trying to find out why. I doubt that would have this virus though.