unwanted icons keep re-appearing on desktop, win2000

Discussion in 'Computer Support' started by J-McC, Jul 19, 2005.

  1. J-McC

    J-McC Guest

    I have a customer who has several unwanted icons that are really .exe
    files. They are Casino.exe, sexydates.exe, nokia_tones.exe and
    pc_tune_up.
    His kids while "helping him" at the weekend managed to infect one of
    his point of sale terminals as follows.

    I have scanned for spyware (spybot14) and virus scanned also.
    When I start up the system it wants to run Chkdsk so I let this run
    but it found heaps of corrupt or faulty sectors/blocks, they seemed to
    be in groups of 4 consecutive numbers. The anti virus program also
    found lots of corrupt files (which is probably to be expected), but I
    don't think it got far enough to find any viruses.

    When using totalcmd32, which is excellent and shows hidden files
    etc., to look in the "my documents\mainuser\desktop" folder the links to
    all my desktop icons are listed EXCEPT for these EXE programs.
    Doing a search for them came up blank. You can delete them for the
    current session but lo and behold they are back next time you boot.

    The computer is running like a dog. I ran task manager and found a
    file called "ntdvm.exe" was running and hogging nearly all the cpu
    resources. I was able to kill this app and the cpu usage dropped to
    about 4% from nearly 95%. I had a look on the other register and
    found this ntdvm running there also, but it was not running on the
    main dispensary computer. I thought this may be a rogue file but I
    have since found this file is needed if you want to run 16bit apps
    (from MS knowledge base). It was located in the winnt\system32
    folder. I renamed it to ntdcmold.exe but upon rebooting this file was
    back again as well as the renamed one, same size and date (2002).

    I have also found that I am unable to read cds at the moment on this
    p/c and the usb memory stick also fails to read. I am able to read
    files over the network though.

    I guess if it were a dog it would be maggot infested!

    Since this p/c is part of a chemist shop POS system I need to fix it
    quickly. I am concerned about all the sudden bad blocks but I think
    something must have stuffed the system volume info file as the system
    is running Win 2000 and NTFS. I was going to replace the hdd and
    re-install win2k and the pos software as the p/c is "mission critical".

    Any constructive help would be appreciated.
    J McC
    J-McC, Jul 19, 2005
    #1

  2. J-McC

    Duane Arnold Guest

    http://www.windowsecurity.com/artic...d_Rootkit_Tools_in_a_Windows_Environment.html

    The above is what is in the link below.

    http://tinyurl.com/klw1

    It talks about using Process Explorer and other tools to help find the
    compromise.

    http://www.pcworld.com/downloads/file_description/0,fid,23780,RSS,RSS,00.asp

    http://www.sysinternals.com/Utilities/ProcessExplorer.html

    You right-click a running task in the Upper Pane and select Properties and
    PE will tell you everything about the task and what's using it.

    You go to menu Show Lower Pane Show all Dlls and PE will show all processes
    that are running with the process and their locations.

    Maybe, you'll spot something.

    Obviously, something that is running or piggybacking off a running process
    is bringing the exploit back.

    Duane :)
    Duane Arnold, Jul 19, 2005
    #2

  3. J-McC

    PC Guest

    "J-McC" <> wrote in message
    news:...
    > I have a customer who has several unwanted icons that are really .exe
    > files. They are Casino.exe, sexydates.exe, nokia_tones.exe and
    > pc_tune_up.
    > His kids while "helping him" at the weekend managed to infect one of
    > his point of sale terminals as follows.
    >
    > I have scanned for spyware (spybot14) and virus scanned also.
    > When I start up the system it wants to run Chkdsk so I let this run
    > but it found heaps of corrupt or faulty sectors/blocks, they seemed to
    > be in groups of 4 consecutive numbers. The anti virus program also
    > found lots of corrupt files (which is probably to be expected), but I
    > don't think it got far enough to find any viruses.
    >
    > When using totalcmd32, which is excellent and shows hidden files
    > etc., to look in the "my documents\mainuser\desktop" folder the links to
    > all my desktop icons are listed EXCEPT for these EXE programs.
    > Doing a search for them came up blank. You can delete them for the
    > current session but lo and behold they are back next time you boot.
    >
    > The computer is running like a dog. I ran task manager and found a
    > file called "ntdvm.exe" was running and hogging nearly all the cpu
    > resources. I was able to kill this app and the cpu usage dropped to
    > about 4% from nearly 95%. I had a look on the other register and
    > found this ntdvm running there also, but it was not running on the
    > main dispensary computer. I thought this may be a rogue file but I
    > have since found this file is needed if you want to run 16bit apps
    > (from MS knowledge base). It was located in the winnt\system32
    > folder. I renamed it to ntdcmold.exe but upon rebooting this file was
    > back again as well as the renamed one, same size and date (2002).
    >
    > I have also found that I am unable to read cds at the moment on this
    > p/c and the usb memory stick also fails to read. I am able to read
    > files over the network though.
    >
    > I guess if it were a dog it would be maggot infested!
    >
    > Since this p/c is part of a chemist shop POS system I need to fix it
    > quickly. I am concerned about all the sudden bad blocks but I think
    > something must have stuffed the system volume info file as the system
    > is running Win 2000 and NTFS. I was going to replace the hdd and
    > re-install win2k and the pos software as the p/c is "mission critical".
    >
    > Any constructive help would be appreciated.
    > J McC
    >


    (With respect) If it's 'Mission Critical' don't prat about.
    Run HD Diagnostics from the drive's manufacturer, if that comes up ok just
    wipe and reinstall.
    If the drive is dodgy replace it and reinstall.
    It will be the simplest/quickest solution in the end, chasing
    spyware/virus/malware/trojans down though technically possible is too time
    consuming (as you are finding out).

    Cheers
    Paul
    PC, Jul 19, 2005
    #3
  4. J-McC

    John H Guest

    On Tue, 19 Jul 2005 00:40:57 GMT, J-McC wrote:

    > I have a customer who has several unwanted icons that are really .exe
    > files. They are Casino.exe, sexydates.exe, nokia_tones.exe and
    > pc_tune_up.
    > His kids while "helping him" at the weekend managed to infect one of
    > his point of sale terminals as follows.
    >
    > I have scanned for spyware (spybot14) and virus scanned also.
    > When I start up the system it wants to run Chkdsk so I let this run
    > but it found heaps of corrupt or faulty sectors/blocks, they seemed to
    > be in groups of 4 consecutive numbers. The anti virus program also
    > found lots of corrupt files (which is probably to be expected), but I
    > don't think it got far enough to find any viruses.
    >
    > When using totalcmd32, which is excellent and shows hidden files
    > etc., to look in the "my documents\mainuser\desktop" folder the links to
    > all my desktop icons are listed EXCEPT for these EXE programs.
    > Doing a search for them came up blank. You can delete them for the
    > current session but lo and behold they are back next time you boot.
    >
    > The computer is running like a dog. I ran task manager and found a
    > file called "ntdvm.exe" was running and hogging nearly all the cpu
    > resources. I was able to kill this app and the cpu usage dropped to
    > about 4% from nearly 95%. I had a look on the other register and
    > found this ntdvm running there also, but it was not running on the
    > main dispensary computer. I thought this may be a rogue file but I
    > have since found this file is needed if you want to run 16bit apps
    > (from MS knowledge base). It was located in the winnt\system32
    > folder. I renamed it to ntdcmold.exe but upon rebooting this file was
    > back again as well as the renamed one, same size and date (2002).
    >
    > I have also found that I am unable to read cds at the moment on this
    > p/c and the usb memory stick also fails to read. I am able to read
    > files over the network though.
    >
    > I guess if it were a dog it would be maggot infested!
    >
    > Since this p/c is part of a chemist shop POS system I need to fix it
    > quickly. I am concerned about all the sudden bad blocks but I think
    > something must have stuffed the system volume info file as the system
    > is running Win 2000 and NTFS. I was going to replace the hdd and
    > re-install win2k and the pos software as the p/c is "mission critical".
    >
    > Any constructive help would be appreciated.
    > J McC


    Check out http://www.jhoodsoft.org/AntiSpyware.html for the Microsoft
    Antispyware Beta. I've had good luck using it where others, Spybot and
    Cwshredder etc., have failed.
    John H, Jul 19, 2005
    #4