Is it a symptom of a Trojan or Backdoor on my PC?

Discussion in 'malware problems & news' started by Jeremy2, Aug 26, 2004.

Thread Status:
Not open for further replies.
  1. Jeremy2

    Jeremy2 Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    72
    I've Sygate firewall installed, and in the logs I've the following message:

    Application Hijacking has been detected
    The application: C:\WINDOWS\system32\notepad.exe try to launch another application: C:\Program Files\Mozilla Firefox\firefox.exe to go to remote host 209.158.113.3


    Very strange that notepad is trying to launch a browser.
    Any thoughts?

    Thanks in advance, Jeremy
     
  2. dostival_un

    dostival_un Guest

    That is not the real notepad. Notepad.exe is normally in windows folder, not system32
     
  3. pintakasi

    pintakasi Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    1
    Location:
    France
    I had this issue before and cannot fix it using my antivirus so I just deleted the notepad.exe. After doing that I tried to repair my Win XP in order to reinstall the notepad to no avail. Later, I just replaced notepad with Note Tab - a freeware with full-featured text editor.
    I hope this helps.
     
  4. squash

    squash Guest

    I use Notetab Light too...

    However if you want notepad back it's located in C:\WINDOWS\system32\dllcache ... which contains a backup of all the windows xp important files used by Windows file protection to bring back copies of files...
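
An added example, not part of the original thread: one way to check the copies of notepad.exe mentioned in the posts above is to hash each one and compare it with the copy in the Windows File Protection cache. The function names are hypothetical, and treating the dllcache copy as the known-good reference is an assumption of this example.

```python
import hashlib

# Windows XP locations named in the thread. The last entry is the Windows
# File Protection cache; using it as the reference copy is an assumption.
DEFAULT_COPIES = [
    r"C:\WINDOWS\notepad.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\dllcache\notepad.exe",
]

def sha256_of(path):
    """Return the SHA-256 hex digest of a file, or None if it cannot be read."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()

def compare_copies(paths, reference):
    """Map each path to (status, digest); status is 'match', 'DIFFERENT'
    or 'missing' (absent or unreadable) relative to the reference copy."""
    ref_hash = sha256_of(reference)
    if ref_hash is None:
        raise FileNotFoundError(f"reference copy not readable: {reference}")
    report = {}
    for p in paths:
        digest = sha256_of(p)
        if digest is None:
            status = "missing"
        elif digest == ref_hash:
            status = "match"
        else:
            status = "DIFFERENT"
        report[str(p)] = (status, digest)
    return report

if __name__ == "__main__":
    try:
        result = compare_copies(DEFAULT_COPIES[:-1], DEFAULT_COPIES[-1])
    except FileNotFoundError as exc:
        print(exc)
    else:
        for path, (status, digest) in result.items():
            print(f"{status:9}  {digest or '-':64}  {path}")
```

A "DIFFERENT" result only shows that the file is not byte-identical to the cached copy; it says nothing about which of the two is the original.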
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  6. Jeremy2

    Jeremy2 Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    72
    Hi,
    I have already run KAV, and Ad-aware, spybot, and TDS-3 Pro. (all daily updated).
    Nothing was detected.

    Thanks in advance for any help, Jeremy
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    That IP number is one of the US anonymous proxies, so it is automatically suspect unless you are running something like Proxomitron or a similar application that would route all requests through an anonymous proxy.

    I would automatically suspect a CWS hijack attempt, as they often use a suspect notepad to perform their dirty deeds.
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia