c:\ntdetect.com keeps disappearing every few hours

brbruce

I am having a strange problem where the c:\ntdetect file mysteriously
disappears every few hours. It is not found in the recycle bin.

It started happening a week ago, without any new installation being
done. I noticed that after a reboot, it continuously reran the Power-On
Self-Test procedure, and Windows would not start up. I used an XP
quickboot floppy to get into Windows and eventually noticed that the
ntdetect file was missing. I copied it back, but it happened again the
next day. This time, I copied the file back, but kept an eye on the
c:\ directory. Even without doing anything on the machine, a couple
hours later, the file was gone! It seems to be consistently
disappearing every few hours. No other file disappears.

The computer runs WinXP Home edition with SP2 applied. It is used only
for web browsing and email. The computer runs Norton Personal Internet
Firewall, and Symantec Systemworks 2003 with Norton Antivirus. It is
also behind a router/internet gateway.

I ran Norton Antivirus, Webroot Spy sweeper, Adaware, and Spybot S&D
with the latest updates, but with no indication of any malware or virus
which might be causing this. The only thing I can think of is that
there is some virus that is doing this which Norton is not picking up.

There's not much to go on, but if this has happened to anyone else, or
rings a bell, I'd appreciate any assistance. Thanks.
 
The fact that the computer dies on the POST (Power On Self Test) before
loading Windows indicates a hardware failure. Here are general hardware
troubleshooting steps:

1) Open the computer and run it open, cleaning out all dust bunnies and
observing all fans (overheating will cause system freezing). Obviously
you can't do this with a laptop, but you can hear if the fan is running
and feel if the laptop is getting too hot.

2) Test the RAM - I like Memtest86+ from www.memtest.org - let the test
run for an extended (like overnight) period of time - unless errors are
seen immediately.

3) Test the hard drive with a diagnostic utility from the mftr.

4) The power supply may be going bad or be inadequate for the devices
you have in the system - this isn't applicable to a laptop, of course.

5) Test the motherboard with something like TuffTest from
www.tufftest.com.

Testing hardware failures often involves swapping out suspected parts
with known-good parts. If you can't do the testing yourself and/or are
uncomfortable opening your computer, take the machine to a good local
computer repair shop (not a CompUSA or Best Buy type of store).

Malke
 
Hi Malke,

Thanks for the info. However, in this case, what I described was
probably misleading. The problem occurs right _after_ the POST, just
after it displays all the interrupts and hardware devices, etc. Under
normal circumstances, this is when the Windows splash screen would
appear.

Using a boot disk that has boot.ini, ntldr and ntdetect.com on it, I
can get Windows started, and after I restore ntdetect.com, the computer
will reboot OK, so I know it's not a hardware failure.

Right now, I have a batch job scheduled to run every minute to check
the file. Knowing exactly when the file gets deleted might give me a
clue.

I also researched how to get the NTFS permissions tab under WinXP Home
(in safe mode) and took access away from the normal id I use to see if
I can catch the process doing the deleting.
 
Hmmm. This is a mystery, then. Please post back with the results of your
test. It doesn't seem likely that it's a virus since you are so
well-protected. It couldn't hurt to do a RAM and hard drive test, but
it certainly is strange that just those files disappear. Sorry I don't
have any answers but maybe someone else will.

Malke
 
It took a lot of detours trying to find ways to turn file access
auditing on in WinXP Home (unsuccessfully) and running trial versions
of windows process monitors, but I finally discovered the process that
was deleting my ntdetect.com file.

It was actually in the Windows Scheduler, but hidden (I did not know
you could hide scheduled tasks and found it completely by accident).
The task name was Patch, but it pointed to a file called C:\Program
Files\TMR\ntcheck.bat, which contained the following:

@echo off
c:
cd\
@echo off
attrib -s -h -r ntdetect.com
move /y ntdetect.com c:\windows >nul
@echo off

The file itself had the read-only and hidden attribute set. The job
began Jan 13, 2005 and ran each day every 3 hours from 11:12 am.

The directory it was in was for a product called Phatsoft TMR, which is
an alarm manager/scheduler, which I have no recollection of ever
installing or using. The software looks legit, and I can't find any
other references on the web about complaints about TMR or ntcheck.bat,
so I don't think they are related.

Since both Norton Antivirus and Webroot Spy Sweeper and Adaware and
Spybot did not pick it up, and there are no Google hits for
ntcheck.bat, I'm guessing this is not a common hack.

Right now, I hate to even think it, but the only thing I can think of
is that I took the computer to a local computer store for repairs last
year, and this file may have been added at that time, and set to go off
after several months had gone by, possibly prompting another visit to
the store? No way of knowing, I guess.

-----------------------------------------------------------------------
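
A plain text search for "c:\ntdetect.com" would not have matched the script in the post above, because it switches to the drive root first and then uses a bare file name. The following is an added example, not part of the original thread: a small Python triage scanner that follows drive switches and `cd` in a batch file and reports commands that unprotect, move or delete a boot file in a drive root. The starting directory passed to it and the lists of commands and file names are assumptions made for the illustration.

```python
import ntpath
import re

# Boot files named in this thread; on XP they sit in the root of the system drive.
BOOT_FILES = {"ntdetect.com", "ntldr", "boot.ini"}
# cmd.exe built-ins that can delete, relocate, rename or unprotect a file.
RISKY = {"attrib", "move", "del", "erase", "ren", "rename"}

# The script exactly as quoted in the post above.
NTCHECK_BAT = r"""@echo off
c:
cd\
@echo off
attrib -s -h -r ntdetect.com
move /y ntdetect.com c:\windows >nul
@echo off
"""

def scan_batch(text, start_dir="C:\\"):
    """Return (line_no, command, resolved_path) for each risky command aimed at
    a boot file in a drive root, resolving bare names against the tracked cwd."""
    cwd, findings = start_dir, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lstrip("@")
        line = re.sub(r"\d?>>?\s*\S+", "", line).strip()   # drop ">nul" etc.
        if re.fullmatch(r"[A-Za-z]:", line):
            if line.upper() != ntpath.splitdrive(cwd)[0].upper():
                cwd = line.upper() + "\\"   # assumption: new drive starts at root
            continue
        cd = re.match(r"(?i)(?:cd|chdir)(?=[\s\\.]|$)\s*(?:/d\s+)?(.*)", line)
        if cd:
            if cd.group(1):
                cwd = ntpath.normpath(ntpath.join(cwd, cd.group(1).strip('"')))
            continue
        tokens = line.split()
        if not tokens or tokens[0].lower() not in RISKY:
            continue
        for arg in tokens[1:]:
            if arg.startswith("/") or re.fullmatch(r"[+-][A-Za-z]", arg):
                continue                     # switch or attribute flag
            path = ntpath.normpath(ntpath.join(cwd, arg.strip('"')))
            folder, name = ntpath.split(path)
            if name.lower() in BOOT_FILES and ntpath.splitdrive(folder)[1] == "\\":
                findings.append((no, tokens[0].lower(), path))
    return findings

if __name__ == "__main__":
    for hit in scan_batch(NTCHECK_BAT, start_dir=r"C:\Program Files\TMR"):
        print(hit)
```

Arguments are split on whitespace, so quoted paths containing spaces are not handled; the scanner is meant for a first pass over scripts that scheduled tasks point to.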
 
You should be able to check the dates on the folder and files for that
software to see if it was installed when the machine was in for service.
 