Latest Forum Posts
[VIDEO] From
last post by dkuk2000
Arsenal 24/25 season
last post by Snaps
[VIDEO] Earth Abides
last post by mbilko
The All New Doctor Who Thread...
last post by Par Mizan
Movember
last post by RJS
[VIDEO] Star Wars Visions
last post by admars
Post Trump fallout
last post by sj
[VIDEO] The Return of Captain Kirk
last post by Jitendar Canth
The Terminator 4k
last post by mbilko

Page 1 of Text files, notepad.exe acessing the net and services.exe

PCs & Mobiles Forum

Text files, notepad.exe acessing the net and services.exe

Alan Titherington (Reviewer) posted this on Tuesday, 22nd March 2005, 00:02

A bit of a garbled title but I need some advice on whether I have some sort of hijacking going on on my old and trustworthy win98 machine.

Every time I try to open a .txt file, I get a SpywareGuard message telling me that notepad.exe is trying to access the net. After this it tells me that some program called services.exe is also trying to acces the net.

The following line always gets added to system.ini every time it happens :

load=C:\WINDOWS\INET10079\SERVICES.EXE

and win.ini gets edited as well ;

[windows]
load=
NullPort=None
norun=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
run=C:\WINDOWS\INET10079\SERVICES.EXE

and lo and behold, the folder 10079 appears again and services.exe begins to function, although doesn`t seem to do anything as I won`t let it out of my machine.


Is this a normal Windows thing?

AdAware and AVGVirus don`t seem to think there`s anything wrong, but I`m not so sure.

cheers!

My collection

This item was edited on Tuesday, 22nd March 2005, 00:18

RE: Text files, notepad.exe acessing the net and services.exe

slipperysam (Elite) posted this on Tuesday, 22nd March 2005, 16:22

Generaly no problem with services.exe being allowed to access the web (Windows Services Controller), so long as the windows file hasn`t been replaced by a Trojan. Not sure that Notepad should be doing so though.

Try running Trend Housecall and Panda Active Scan.

Good luck.

Sam.

RE: Text files, notepad.exe acessing the net and services.exe

Alan Titherington (Reviewer) posted this on Tuesday, 22nd March 2005, 17:52

Cheers Sam,

I`m pretty sure it`s not the usual Windows `services.exe` but some horrible little virus sitting around on the registry somewhere altering ini files and waiting for me to open up a text file (which seems to start it all off). Shall check those sites you mentioned.


My collection

RE: Text files, notepad.exe acessing the net and services.exe

Alan Titherington (Reviewer) posted this on Wednesday, 23rd March 2005, 08:00

Unfortunately, nothing seems to notice that there`s a problem (although they picked up on a few dodgy things in temp internet files - can`t imagine how they got there! :D).

However, it only seems to happen when things are linked to open with notepad.exe. Popped into the registry to change the association for .txt files to my trusty PFE32 file editor and the problem disappeared.

Now, this leads me to thinking that notepad.exe has been take over by the viral equivalent of the mysterons, or has actually been replaced by a completely new file with the same name, but which has nothing to do with opening text files, rather more to do with getting on the net and doing nasty things.

Anyone any ideas about what may happen to notepad.exe when you`re not looking?

My collection

RE: Text files, notepad.exe acessing the net and services.exe

hk389344 (Mostly Harmless) posted this on Wednesday, 23rd March 2005, 10:01

Alan,

Have a look at the following from Symantec - it sounds fairly similar. There`s a downloadable tool on the page to try and clean it.

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html

RE: Text files, notepad.exe acessing the net and services.exe

Alan Titherington (Reviewer) posted this on Friday, 25th March 2005, 22:09

cheers hk. It was a similar one to that described, but it had renamed notepad.exe to notepad.exe.bak (very kind of it) and replaced it with something called notepad.exe, which was only 12k (original is 59k or something). Simple job of replacing them again and delting the new one, a few edits ot windows.ini and system.ini, a small foray into the registry and everything seems ok :-). Annoyed with all the tools which didn`t catch it though.

My collection

Go back to PCs & Mobiles Forum threads, or All Forum threads