Strange File in c:\

Name: ehathgepiurhe
Date: July 2, 2004 at 19:01:16 Pacific
OS: XP Home
CPU/Ram: 512
Comment:

Hi everyone,

I've come across a strange file in the root of my c: drive on my XP Home installation. The file is named s3lg (with no extension), & is 230 bytes in size. I've been trying to work out what put this file there. I did a full virus scan with up to date Norton AntiVirus, did a full Ad-aware & Spybot SD scan (both up to date as well), & nothing was picked up.

So, I have at the moment Sysinternals "FileMon" program watching it (to see if I can catch what process accesses the file). I've just received a hit - the svchost.exe process. It gave me the PID as well, so I opened up a command prompt & used the tasklist /svc command to see which of the 3 svchost.exe processes running on my PC was responsible, & what services were running under it. The particular svchost.exe process that was accessing this file was running the following services:
AudioSrv
CryptSvc
Dhcp
helpsvc
lanmanworkstation
Netman
Schedule
ShellHWDetection
Themes
W32Time
winmgmt
wuauserv

Now, I know what most of these services are, but I've come to a dead end because I don't know how to go further & work out what single service is using this file, & what for. So, can anyone either tell me what this file is for, or how I might go about fully working it out?

Thanks,

CM



Response Number 1
Name: ehathgepiurhe
Date: July 2, 2004 at 19:17:26 Pacific
Reply:

Update: I ran a couple of online file virus scanners on the file - it came up clean both times, but the second one informed me that the file was a gzip archive. So, I opened it up as an archive in my archiving program, & found that yes, there was a 637 byte file inside the 230 byte compressed file. The compressed file is a plain text file by the looks of it, same name as the archive (ie s3lg). So, it looks like it probably isn't a nasty (virus, spyware etc), but the contents of the text file are:
User-agent: *
Disallow: /search
Disallow: /groups
Disallow: /images
Disallow: /catalogs
Disallow: /catalog_list
Disallow: /news
Disallow: /pagead/
Disallow: /relpage/
Disallow: /imgres
Disallow: /keyword/
Disallow: /u/
Disallow: /univ/
Disallow: /cobrand
Disallow: /custom
Disallow: /advanced_group_search
Disallow: /advanced_search
Disallow: /googlesite
Disallow: /preferences
Disallow: /setprefs
Disallow: /swr
Disallow: /url
Disallow: /wml
Disallow: /hws
Disallow: /bsd?
Disallow: /linux?
Disallow: /mac?
Disallow: /microsoft?
Disallow: /unclesam?
Disallow: /answers/search?q=
Disallow: /local
Disallow: /froogle?
Disallow: /froogle_
It looks like some sort of internet thing. Anyone got any clue as to what this file is?

CM


0
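The check described in the post above (an extensionless file that turns out to be gzip wrapping a robots.txt-style listing) can be done offline without an archiving program. This is an added example, not part of the original thread; the function names, the 1 MiB cap and the in-memory sample (including its name and timestamp) are assumptions made for illustration.

```python
import gzip, io, struct, zlib

FEXTRA, FNAME = 0x04, 0x08      # gzip header flag bits (RFC 1952)
ROBOTS_FIELDS = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay"}

def gzip_header(data):
    """Return (mtime, stored_name) from a gzip header, or None if not gzip."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        return None
    flags, mtime = data[3], struct.unpack("<I", data[4:8])[0]
    pos, name = 10, None
    if flags & FEXTRA:                       # skip optional extra field
        pos += 2 + struct.unpack("<H", data[pos:pos + 2])[0]
    if flags & FNAME:                        # NUL-terminated original name
        end = data.find(b"\x00", pos)
        if end != -1:
            name = data[pos:end].decode("latin-1")
    return mtime, name

def inflate_capped(data, limit=1 << 20):
    """Decompress a gzip stream, refusing to produce more than `limit` bytes."""
    out = zlib.decompressobj(wbits=31).decompress(data, limit + 1)
    if len(out) > limit:
        raise ValueError("decompressed size exceeds cap")
    return out

def looks_like_robots(text):
    """True if every non-blank, non-comment line is a robots.txt directive."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    keys = [l.split(":", 1)[0].strip().lower() for l in lines]
    return "user-agent" in keys and all(k in ROBOTS_FIELDS for k in keys)

def triage(data):
    """Summarise an unknown file: gzip or not, header metadata, content type."""
    hdr = gzip_header(data)
    if hdr is None:
        return {"is_gzip": False}
    text = inflate_capped(data).decode("latin-1")
    return {"is_gzip": True, "mtime": hdr[0], "stored_name": hdr[1],
            "size": len(text), "robots_like": looks_like_robots(text)}

# Constructed sample: three directives from the listing above, gzipped in memory
# with a constructed name and timestamp (not the poster's actual file).
_buf = io.BytesIO()
with gzip.GzipFile(filename="s3lg", mode="wb", fileobj=_buf, mtime=1087171200) as f:
    f.write(b"User-agent: *\nDisallow: /search\nDisallow: /froogle?\n")
SAMPLE = _buf.getvalue()

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The header's stored name and timestamp are written by whatever compressed the data, so they can differ from the name and modification date the file system reports.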

Response Number 2
Name: XpUser
Date: July 2, 2004 at 19:22:43 Pacific
Reply:

Anyone got any clue as to what this file is?

Not really. It must be from some kind of apps you once ran on the machine in the bygone days. I'd rename it to something else, hold on for a while and if it's not missed I will delete it.

i_XpUser


0

Response Number 3
Name: XpUser
Date: July 2, 2004 at 19:26:15 Pacific
Reply:

As for the running processes in the tasklist, you may wish to check out each one HERE.

i_XpUser


0

Response Number 4
Name: ehathgepiurhe
Date: July 2, 2004 at 19:38:33 Pacific
Reply:

Yeah, I will delete it I think (even though it is still being accessed today - last file modification date according to Windows Explorer is 14th June 2004). If it wasn't so unbelievable, I could swear that the file has the same format as a robots.txt file...& the "froogle" entry at least is part of www.google.com. However, I have never run a webserver or website from my PC, & I've never heard of a website (let alone google.com) putting its robots file onto your hard drive, so surely it can't be a robots file?

CM


0

Response Number 5
Name: ehathgepiurhe
Date: July 2, 2004 at 19:48:37 Pacific
Reply:

And why would one of my system processes access this file, if it was a robots file? Very very odd...


0

Response Number 6
Name: ehathgepiurhe
Date: July 2, 2004 at 20:31:52 Pacific
Reply:

Another interesting thing I have noticed:
I used my compression program to extract the s3lg file inside the gzip archive to my c:\temp folder. Not long after I did this, svchost.exe accessed both the c:\ & c:\temp copies of the file. Even though I have now deleted the c:\temp copy, svchost still is trying to access it...


0

Response Number 7
Name: ehathgepiurhe
Date: July 3, 2004 at 00:50:33 Pacific
Reply:

Ok, I renamed & moved the file, but 4 hours later, svchost has tried to access it again...& it is also trying to access the copy I deleted from c:\temp. In the meantime, I had also stopped a couple of the services listed under that svchost process - W32Time & wuauserv - to see if I could narrow down which service was the culprit. Sadly, it's obvious that it's neither of these two, & I can't disable any of the others - they are essential running if I want my PC to work. Actually, I can disable the helpsvc service - it's not required, but the others are, so I will see if disabling that one helps any.


0

Response Number 8
Name: ehathgepiurhe
Date: July 3, 2004 at 00:54:48 Pacific
Reply:

Ok, quick one - shortly after I disabled helpsvc, svchost tried to access the file again, so it is one of the remaining services.


0

Response Number 9
Name: ehathgepiurhe
Date: July 3, 2004 at 19:28:53 Pacific
Reply:

Ok, I think I might have got it sorted. I was able to temporarily disable the schedule task, & there has been no attempt by svchost to access the file in the last 19 hours. I checked what tasks were under the task scheduler in XP, & I found only 2 - both created by Norton AntiVirus. One was an already "not scheduled" full PC virus scan, the other was the 'netdetect' task - this task runs a program that detects if you are connected to the Internet. If it detects an Internet connection, it will go & check (via LiveUpdate), for any updated virus definitions. This was set to run every 5 minutes, but for some reason, it was marked as being unable to complete (last completion time was 30 May 2004). Even when running it manually, it would not go, so I have simply disabled it - from now on, I will check for new antivirus definitions manually. The conclusion must be that this 'netdetect' (aka LiveUpdate) task is responsible for the file. I will keep filemon running on the file for a while though, just to make sure.


0
