Velocity Reviews - Computer Hardware Reviews

unwanted icons keep re-appearing on desktop, win2000

 
 
J-McC
      07-19-2005
I have a customer who has several unwanted icons that are really .exe
files. They are Casino.exe, sexydates.exe, nokia_tones.exe and
pc_tune_up.
His kids while "helping him" at the weekend managed to infect one of
his point of sale terminals as follows.

I have scanned for spyware (spybot14) and virus scanned also.
When I start up the system it wants to run Chkdsk so I let this run
but it found heaps of corrupt or faulty sectors/blocks, they seemed to
be in groups of 4 consecutive numbers. The anti virus program also
found lots of corrupt files (which is probably to be expected), but I
don't think it got far enough to find any viruses.

When using totalcmd32, which is excellent and shows hidden files
etc., to look in the "my documents\mainuser\desktop" folder the links to
all my desktop icons are listed EXCEPT for these EXE programs.
Doing a search for them came up blank. You can delete them for the
current session but lo and behold they are back next time you boot.

The computer is running like a dog. I ran task manager and found a
file called "ntdvm.exe" was running and hogging nearly all the cpu
resources. I was able to kill this app and the cpu usage dropped to
about 4% from nearly 95%. I had a look on the other register and
found this ntdvm running there also, but it was not running on the
main dispensary computer. I thought this may be a rogue file but I
have since found this file is needed if you want to run 16bit apps
(from MS knowledge base). It was located in the winnt\system32
folder. I renamed it to ntdcmold.exe but upon rebooting this file was
back again as well as the renamed one, same size and date (2002).

I have also found that I am unable to read cds at the moment on this
p/c and the usb memory stick also fails to read. I am able to read
files over the network though.

I guess if it were a dog it would be maggot infested!

Since this p/c is part of a chemist shop POS system I need to fix it
quickly. I am concerned about all the sudden bad blocks but I think
something must have stuffed the system volume info file as the system
is running Win 2000 and NTFS. I was going to replace the hdd and
re-install win2k and the pos software as the p/c is "mission critical".

Any constructive help would be appreciated.
J McC (E-Mail Removed)

 
Duane Arnold
      07-19-2005
http://www.windowsecurity.com/articl...vironment.html

The above is what is in the link below.

http://tinyurl.com/klw1

It talks about using Process Explorer and other tools to help find the
compromise.

http://www.pcworld.com/downloads/fil...RSS,RSS,00.asp

http://www.sysinternals.com/Utilitie...sExplorer.html

You right-click a running task in the Upper Pane and select Properties and
PE will tell you everything about the task and what's using it.

You go to menu Show Lower Pane Show all Dlls and PE will show all processes
that are running with the process and their locations.

Maybe, you'll spot something.

Obviously, something that is running or piggy backing off a running process
is bringing the exploit back.

Duane
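Added example, not part of any post in this thread: one way to triage the image names and paths that Process Explorer shows, by comparing each against a baseline of expected system binaries. The baseline table, the sample paths and the function names are constructed for illustration; the Windows 16-bit subsystem host is ntvdm.exe, so a name such as the ntdvm.exe written in the first post is one transposition away and gets flagged for a closer look, whether it turns out to be a typo or a disguised file.

```python
# Added example: flag process images whose name or path does not match a
# known Windows system binary. KNOWN and the sample rows are constructed.
import ntpath

# Assumed baseline: image name -> expected directory (Windows 2000 layout).
KNOWN = {
    "ntvdm.exe": r"c:\winnt\system32",
    "svchost.exe": r"c:\winnt\system32",
    "services.exe": r"c:\winnt\system32",
    "explorer.exe": r"c:\winnt",
}

def osa_distance(a, b):
    """Edit distance counting an adjacent transposition as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def triage(image_path):
    """Return (verdict, matched_known_name) for one full image path."""
    directory, name = ntpath.split(image_path.lower())
    if name in KNOWN:
        verdict = "ok" if directory == KNOWN[name] else "wrong-path"
        return verdict, name
    for known in KNOWN:
        if osa_distance(name, known) <= 2:
            return "lookalike-name", known
    return "unknown", None

# Constructed sample, as might be copied from Process Explorer's path column.
SAMPLE = [
    r"C:\WINNT\system32\ntvdm.exe",
    r"C:\WINNT\system32\ntdvm.exe",
    r"C:\WINNT\Temp\svchost.exe",
    r"C:\Program Files\POS\till.exe",
]

if __name__ == "__main__":
    for path in SAMPLE:
        print(path, triage(path))
```

A "wrong-path" or "lookalike-name" verdict is a prompt to inspect the file (properties, signer, creation date), not a conclusion about it.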





 
PC
      07-19-2005

"J-McC" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I have a customer who has several unwanted icons that are really .exe
> files. They are Casino.exe, sexydates.exe, nokia_tones.exe and
> pc_tune_up.
> His kids while "helping him" at the weekend managed to infect one of
> his point of sale terminals as follows.
>
> I have scanned for spyware (spybot14) and virus scanned also.
> When I start up the system it wants to run Chkdsk so I let this run
> but it found heaps of corrupt or faulty sectors/blocks, they seemed to
> be in groups of 4 consecutive numbers. The anti virus program also
> found lots of corrupt files (which is probably to be expected), but I
> don't think it got far enough to find any viruses.
>
> When using totalcmd32, which is excellent and shows hidden files
> etc., to look in the "my documents\mainuser\desktop" folder the links to
> all my desktop icons are listed EXCEPT for these EXE programs.
> Doing a search for them came up blank. You can delete them for the
> current session but lo and behold they are back next time you boot.
>
> The computer is running like a dog. I ran task manager and found a
> file called "ntdvm.exe" was running and hogging nearly all the cpu
> resources. I was able to kill this app and the cpu usage dropped to
> about 4% from nearly 95%. I had a look on the other register and
> found this ntdvm running there also, but it was not running on the
> main dispensary computer. I thought this may be a rogue file but I
> have since found this file is needed if you want to run 16bit apps
> (from MS knowledge base). It was located in the winnt\system32
> folder. I renamed it to ntdcmold.exe but upon rebooting this file was
> back again as well as the renamed one, same size and date (2002).
>
> I have also found that I am unable to read cds at the moment on this
> p/c and the usb memory stick also fails to read. I am able to read
> files over the network though.
>
> I guess if it were a dog it would be maggot infested!
>
> Since this p/c is part of a chemist shop POS system I need to fix it
> quickly. I am concerned about all the sudden bad blocks but I think
> something must have stuffed the system volume info file as the system
> is running Win 2000 and NTFS. I was going to replace the hdd and
> re-install win2k and the pos software as the p/c is "mission critical".
>
> Any constructive help would be appreciated.
> J McC (E-Mail Removed)
>


(With respect) If it's 'Mission Critical' don't prat about.
Run HD Diagnostics from the drive's manufacturer, if that comes up ok just
wipe and reinstall.
If the drive is dodgy replace it and reinstall.
It will be the simplest/quickest solution in the end, chasing
spyware/virus/malware/trojans down though technically possible is too time
consuming (as you are finding out).

Cheers
Paul


 
 
John H
      07-19-2005
On Tue, 19 Jul 2005 00:40:57 GMT, J-McC wrote:

> I have a customer who has several unwanted icons that are really .exe
> files. They are Casino.exe, sexydates.exe, nokia_tones.exe and
> pc_tune_up.
> His kids while "helping him" at the weekend managed to infect one of
> his point of sale terminals as follows.
>
> I have scanned for spyware (spybot14) and virus scanned also.
> When I start up the system it wants to run Chkdsk so I let this run
> but it found heaps of corrupt or faulty sectors/blocks, they seemed to
> be in groups of 4 consecutive numbers. The anti virus program also
> found lots of corrupt files (which is probably to be expected), but I
> don't think it got far enough to find any viruses.
>
> When using totalcmd32, which is excellent and shows hidden files
> etc., to look in the "my documents\mainuser\desktop" folder the links to
> all my desktop icons are listed EXCEPT for these EXE programs.
> Doing a search for them came up blank. You can delete them for the
> current session but lo and behold they are back next time you boot.
>
> The computer is running like a dog. I ran task manager and found a
> file called "ntdvm.exe" was running and hogging nearly all the cpu
> resources. I was able to kill this app and the cpu usage dropped to
> about 4% from nearly 95%. I had a look on the other register and
> found this ntdvm running there also, but it was not running on the
> main dispensary computer. I thought this may be a rogue file but I
> have since found this file is needed if you want to run 16bit apps
> (from MS knowledge base). It was located in the winnt\system32
> folder. I renamed it to ntdcmold.exe but upon rebooting this file was
> back again as well as the renamed one, same size and date (2002).
>
> I have also found that I am unable to read cds at the moment on this
> p/c and the usb memory stick also fails to read. I am able to read
> files over the network though.
>
> I guess if it were a dog it would be maggot infested!
>
> Since this p/c is part of a chemist shop POS system I need to fix it
> quickly. I am concerned about all the sudden bad blocks but I think
> something must have stuffed the system volume info file as the system
> is running Win 2000 and NTFS. I was going to replace the hdd and
> re-install win2k and the pos software as the p/c is "mission critical".
>
> Any constructive help would be appreciated.
> J McC (E-Mail Removed)


Check out http://www.jhoodsoft.org/AntiSpyware.html for the Microsoft
Antispyware Beta. I've had good luck using it where others, Spybot and
Cwshredder etc., have failed.

 