Notepad.exe System Process With T2.exe Non Process


5 replies to this topic

#1 cubanresourceful

  • Members
  • 7 posts

Posted 06 October 2007 - 04:05 PM

This only happens on my Toshiba laptop. Occasionally I get this, and only a system restore or fresh re-install works. On to the explanation.

I run dial-up, so it is especially bad for me! What happens is, randomly, two files (possibly more, but I've located only two for now) get created on my computer, and their whereabouts are unknown. I use the latest Mozilla Firefox and Thunderbird, and I have an expired NOD32 anti-virus. (Though I have the latest update; the last update that was applied was yesterday, before it expired.) I've scanned my entire system with it, no viruses found, great! Then, when those two files appeared randomly (I know, because for some reason it eats up my dial-up connection), I scanned them too. Again, no virus detected.

t2.exe is created in C:\, and I see it really has no purpose, but it seems to get bigger as time passes by. I replace it with a dummy file; it replaces fine, and stays at 0kb. Now, NOTEPAD.exe is another small file, invisible, running as a SYSTEM process, and is located in C:\WINDOWS\system. Now, that shouldn't be, as a NOTEPAD.exe file shouldn't exist there, and more importantly, shouldn't be running as a SYSTEM process! (Take note that NOTEPAD.exe doesn't auto-run when Windows is started in safe mode.)

I can replace NOTEPAD.exe by first terminating the process, and then quickly replacing it with a dummy file. I don't understand how I got these files on my drive, as I am a safe browser, and I have adblock installed, and I don't download "suspicious" files. Especially .EXE files.

Now, my dial-up still takes a hit after replacing those files, but I can't seem to locate the other possible generated files, and secondly, what they are downloading.

If you can help, it would be greatly appreciated, though I don't have the original files from above. Already replaced with dummy files.

System Specs:
Toshiba Satellite 5205-S5151
Windows XP Pro

Thank you very much!

It seems as I was typing this, NOTEPAD.exe was re-generated, replacing my dummy NOTEPAD.exe! And t2.exe was also regenerated. I will be copying these files to a remote place, if needed by you guys!
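
The anomaly described in the post above (a NOTEPAD.exe under C:\WINDOWS\system running as SYSTEM, plus an unexplained t2.exe in C:\) can be checked for mechanically. This is an added example, not part of the original thread; the expected-path table, the field names and the sample listing are assumptions constructed for illustration.

```python
import ntpath

# Expected locations of notepad.exe on Windows XP (assumption: default C:\WINDOWS root).
EXPECTED_PATHS = {
    "notepad.exe": {r"c:\windows\notepad.exe", r"c:\windows\system32\notepad.exe"},
}
# Interactive programs that have no reason to run under the SYSTEM account.
INTERACTIVE_ONLY = {"notepad.exe"}


def check_entry(entry):
    """Return the reasons an executable entry looks suspicious (empty list if none)."""
    path = ntpath.normcase(ntpath.normpath(entry["path"]))
    name = ntpath.basename(path)
    user = (entry.get("user") or "").upper()  # None means "file on disk, not running"
    reasons = []
    expected = EXPECTED_PATHS.get(name)
    if expected is not None and path not in expected:
        reasons.append("system binary name outside its expected directory")
    if name in INTERACTIVE_ONLY and user in ("SYSTEM", r"NT AUTHORITY\SYSTEM"):
        reasons.append("interactive program running as SYSTEM")
    # An executable sitting directly in a drive root, e.g. C:\t2.exe.
    drive, rest = ntpath.splitdrive(ntpath.dirname(path))
    if drive and rest == "\\":
        reasons.append("executable located in drive root")
    return reasons


def find_suspicious(entries):
    """Map original path -> reasons for every flagged entry."""
    findings = {}
    for entry in entries:
        reasons = check_entry(entry)
        if reasons:
            findings[entry["path"]] = reasons
    return findings


# Constructed sample listing (not captured from the poster's machine).
SAMPLE = [
    {"path": r"C:\WINDOWS\system32\notepad.exe", "user": "Owner"},
    {"path": r"C:\WINDOWS\system\NOTEPAD.exe", "user": "SYSTEM"},
    {"path": r"C:\t2.exe", "user": None},
    {"path": r"C:\Program Files\Mozilla Firefox\firefox.exe", "user": "Owner"},
]

if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE).items():
        print(path, "->", "; ".join(reasons))
```
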

#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,128 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 October 2007 - 11:19 PM

Sounds like "The Qaz Trojan - Notepad.exe trojan".

Download and scan with AVG Anti-Spyware 7.5 in "SAFE MODE".
(This is Ewido 4.0 renamed and updated with a special "clean driver" for removing persistent malware.)
Be sure to print out and follow the AVG Anti-Spyware Install-Scan Instructions.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

Then perform at least one of these online Virus scans:
(The following require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.)
BitDefender Online Scanner <- Add a check by "Autoclean".
F-Secure Online Scanner <- Be sure to follow the directions on the F-Secure page for proper Installation. (also checks for rootkits).

Edited by quietman7, 06 October 2007 - 11:20 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 cubanresourceful


Posted 07 October 2007 - 12:29 AM

Thank you very much, but how did I get this trojan? I browse safely, don't download/open suspicious files, and use Firefox. I'm just wondering, because this has happened countless times on my laptop, but not my desktop. Possibly because, since I am on dial-up, I'm not able to download all the XP updates from 2002-2007? Thank you very much, you guys are great!

#4 quietman7


Posted 07 October 2007 - 06:37 AM

"Possibly because, since I am on dial-up, I'm not able to download all the XP updates from 2002-2007?"

Why can't you download the updates while on dial-up?

That would be one possible explanation. If you are using an unpatched version of Windows XP, it is CRITICAL that you update to Service Pack 1a with enhanced security features and all critical patches other than SP2. Without doing this right away, you are wide open to re-infection and other security risks.

Read the "Top 10 reasons to install Windows XP Service Pack 2" and "How to upgrade to Windows XP Service Pack 2".

If you have problems installing SP2, see "Troubleshooting your SP2 installation".
If you have problems downloading SP2 from the Internet, see "Order Windows XP Service Pack 2 on CD".

After upgrading to SP2, be sure to install all the updates and patches via "Microsoft Update".

"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"The Ten Most Dangerous Things Users Do Online".
"PC World's: The 10 Biggest Security Risks".

Edited by quietman7, 07 October 2007 - 06:41 AM.


#5 cubanresourceful


Posted 07 October 2007 - 01:57 PM

Well, to put it simply, I can only use dial-up for a short period of time, so it doesn't tie up my phone line and make me miss important calls. My computer is virus free, and no more dial-up bandwidth is being wasted, thank you very much! I will read those topics you posted, but until I can afford high speed, I'll just stick with my Windows XP with no service pack. XD

#6 quietman7


Posted 07 October 2007 - 07:16 PM

I'm on dial-up myself, so I understand your frustration. Still, I think you're making a mistake and leaving yourself at risk. If you're malware free, you can always order Windows XP Service Pack 2 on CD as I indicated in my previous post and at least minimize that risk.

To protect yourself against malware and reduce the potential for re-infection, read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"The Ten Most Dangerous Things Users Do Online".
"PC World's: The 10 Biggest Security Risks".
"Seven ways to keep your search history private".