«

I have a customer who has several unwanted icons that are really .exe
files. They are Casino.exe, sexydates.exe, nokia_tones.exe and
pc_tune_up.
His kids while "helping him" at the weekend managed to infect one of
his point of sale terminals as follows.

I have scanned for spyware (spybot14) and virus scanned also.
When I start up the system It wants to run Chkdsk so I let this run
but it found heaps of corrupt or fault sectors/blocks, they seemed to
be in groups of 4 consecative numbers. The anti virus program also
found lots of corrupt files. (which is probably to be expected), but I
dont think it got far enough to find any viruses.

When using totalcmd32, which is excellent and shows hidden files
etc,to look in the "my documents\mainuser\desktop" folder the links to
all my desktop icons are listed EXCEPT for these EXE programs.
Doing a search for them came up blank. You can delete them for the
current session but lo and behold they are back next time you boot.

The computer is running like a dog. I ran task manager and found a
file called "ntdvm.exe" was running and hogging nearly all the cpu
resources. I was able to kill this app and the cpu usage dropped to
about 4% from nearly 95%. I had a look on the other register and
found this ntdvm running there also, but it was not running on the
main dispensary computer. I thought this may be a rogue file but I
have since found this file is needed if you want to run 16bit apps
(from MS knowledge base). It was located in the winnt\system32
folder. I renamed it to ntdcmold.exe but upon rebooting this file was
back again as well as the renamed one ,same size and date (2002).

I have also found that I am unable to read cds at the moment on this
p/c and the usb memory stick also fails to read. I am able to read
flies over the network though.

I guess if it were a dog it would be maggot infested!

Since this p/c is part of a chemist shop POS system I need to fix it
quickly. I am concerned about all the sudden bad blocks but I think
something must have stuffed the system volume info file as the system
is running Win 2000 and NTFS. I was going to replace the hdd and
re-install win2k and the pos software as the p/c is "mission critical"

Any constructive help would be appreceated.
J McC

http://www.windowsecurity.com/articl...vironment.html

The above is what is in the link below.

http://tinyurl.com/klw1

It talks about using Process Explorer and other tools to help find the
compromise.

http://www.pcworld.com/downloads/fil...RSS,RSS,00.asp

http://www.sysinternals.com/Utilitie...sExplorer.html

You right-click a running task in the Upper Pane and select Properties and
PE will tell you everything about the task and what's using it.

You go to menu Show Lower Pane Show all Dlls and PE will show all processes
that are running with the process and their locations.

Maybe, you'll spot something.

Obviously, something that is running or piggy backing off a running process
is bringing the exploit back.

Duane

"J-McC" <> wrote in message
news:...
>I have a customer who has several unwanted icons that are really .exe
> files. They are Casino.exe, sexydates.exe, nokia_tones.exe and
> pc_tune_up.
> His kids while "helping him" at the weekend managed to infect one of
> his point of sale terminals as follows.
>
> I have scanned for spyware (spybot14) and virus scanned also.
> When I start up the system It wants to run Chkdsk so I let this run
> but it found heaps of corrupt or fault sectors/blocks, they seemed to
> be in groups of 4 consecative numbers. The anti virus program also
> found lots of corrupt files. (which is probably to be expected), but I
> dont think it got far enough to find any viruses.
>
> When using totalcmd32, which is excellent and shows hidden files
> etc,to look in the "my documents\mainuser\desktop" folder the links to
> all my desktop icons are listed EXCEPT for these EXE programs.
> Doing a search for them came up blank. You can delete them for the
> current session but lo and behold they are back next time you boot.
>
> The computer is running like a dog. I ran task manager and found a
> file called "ntdvm.exe" was running and hogging nearly all the cpu
> resources. I was able to kill this app and the cpu usage dropped to
> about 4% from nearly 95%. I had a look on the other register and
> found this ntdvm running there also, but it was not running on the
> main dispensary computer. I thought this may be a rogue file but I
> have since found this file is needed if you want to run 16bit apps
> (from MS knowledge base). It was located in the winnt\system32
> folder. I renamed it to ntdcmold.exe but upon rebooting this file was
> back again as well as the renamed one ,same size and date (2002).
>
> I have also found that I am unable to read cds at the moment on this
> p/c and the usb memory stick also fails to read. I am able to read
> flies over the network though.
>
> I guess if it were a dog it would be maggot infested!
>
> Since this p/c is part of a chemist shop POS system I need to fix it
> quickly. I am concerned about all the sudden bad blocks but I think
> something must have stuffed the system volume info file as the system
> is running Win 2000 and NTFS. I was going to replace the hdd and
> re-install win2k and the pos software as the p/c is "mission critical"
>
> Any constructive help would be appreceated.
> J McC
>

(With respect) If it's 'Mission Critical' don't prat about.
Run HD Diagnostics from the drives manufacturer, if that comes up ok just
wipe and reinstall.
If the drive is dodgy replace it and reinstall.
It will be the simplist/quickest solution in the end, chasing
spyware/virus/malwar/trojans down though technicaly possible is to time
consuming (as you are finding out).

Cheers
Paul

On Tue, 19 Jul 2005 00:40:57 GMT, J-McC wrote:

> I have a customer who has several unwanted icons that are really .exe
> files. They are Casino.exe, sexydates.exe, nokia_tones.exe and
> pc_tune_up.
> His kids while "helping him" at the weekend managed to infect one of
> his point of sale terminals as follows.
>
> I have scanned for spyware (spybot14) and virus scanned also.
> When I start up the system It wants to run Chkdsk so I let this run
> but it found heaps of corrupt or fault sectors/blocks, they seemed to
> be in groups of 4 consecative numbers. The anti virus program also
> found lots of corrupt files. (which is probably to be expected), but I
> dont think it got far enough to find any viruses.
>
> When using totalcmd32, which is excellent and shows hidden files
> etc,to look in the "my documents\mainuser\desktop" folder the links to
> all my desktop icons are listed EXCEPT for these EXE programs.
> Doing a search for them came up blank. You can delete them for the
> current session but lo and behold they are back next time you boot.
>
> The computer is running like a dog. I ran task manager and found a
> file called "ntdvm.exe" was running and hogging nearly all the cpu
> resources. I was able to kill this app and the cpu usage dropped to
> about 4% from nearly 95%. I had a look on the other register and
> found this ntdvm running there also, but it was not running on the
> main dispensary computer. I thought this may be a rogue file but I
> have since found this file is needed if you want to run 16bit apps
> (from MS knowledge base). It was located in the winnt\system32
> folder. I renamed it to ntdcmold.exe but upon rebooting this file was
> back again as well as the renamed one ,same size and date (2002).
>
> I have also found that I am unable to read cds at the moment on this
> p/c and the usb memory stick also fails to read. I am able to read
> flies over the network though.
>
> I guess if it were a dog it would be maggot infested!
>
> Since this p/c is part of a chemist shop POS system I need to fix it
> quickly. I am concerned about all the sudden bad blocks but I think
> something must have stuffed the system volume info file as the system
> is running Win 2000 and NTFS. I was going to replace the hdd and
> re-install win2k and the pos software as the p/c is "mission critical"
>
> Any constructive help would be appreceated.
> J McC

CHeck out http://www.jhoodsoft.org/AntiSpyware.html for the Microsoft
Antispyware Beta. I've had good luck using it where others Spybot and
Cwshredder etc. have failed.