Notepad Trouble


6 replies to this topic

#1 MrGoodbar

Posted 09 July 2004 - 09:52 AM

After a recent (and I suspect ongoing) infection, Notepad seems to have disappeared from my machine. I know it seems a little petty as it's such a small, basic program, but it does come in handy for coding a few things and posting HijackThis logs etc. Anybody know how to get it back?

My browser also seems very sluggish and certain pages including Yahoo won't load on the first attempt (HTTP Error 400 - Bad Request?) and need to be refreshed. Any ideas?

Thanks in advance to anyone who can shed some light on these little annoyances.

#2 Ansh

Posted 09 July 2004 - 02:12 PM

I have got the same problem! Any help? I suspect a virus named notpad.exe which took the place of notepad.exe.

#3 terryb

Posted 10 July 2004 - 03:11 AM

Some pests like the CoolWebSearch trojans overwrite important system files and replace them with more trojans. Notepad.exe is one that gets attacked. I posted this for someone else; maybe it will help you. If you have XP, you should have a copy of notepad.exe in your dllcache in C:\WINDOWS and C:\WINDOWS\system32. If only notepad is corrupt, you can download a copy of it at www.spywareinfo.com/~merijn. If your problem is bigger than that, you may need this:

Open the file search, click on Tools, Folder Options, then View. Check the "Show hidden files" option, and uncheck "Hide extensions..." and "Hide protected operating files" (OK and Apply). Then perform a search for notepad.exe. If you don't have a notepad in Windows, and the notepad.exe file in the dllcache in Windows and System32, do the following:

Go to Start, click on Run and type in cmd.exe. Click OK. At the prompt, type in sfc /scannow to bring up your SFC tool (it scans your system for missing or replaced system files, then puts them back). It may ask for your XP disc to get a clean copy if your files are corrupt. Insert the disc; when it asks what to do, choose Exit. Let the SFC tool do the rest. When it's done (about 10 minutes), take out the disc, search for notepad.exe, and copy/paste a copy of notepad.exe into windows\dllcache and windows\system32. There should already be a notepad in the actual Windows folder, and in windows\system32\dllcache. Now you should be able to use Notepad, plus you've done a quick repair on system files. If some .dll files happen to still be damaged, you may have to search the net for a .dll library and download your missing files. That should do it. Remember to keep your anti-virus and anti-spyware programs updated.

#4 MrGoodbar

Posted 10 July 2004 - 09:38 AM

I had a look and I still have Notepad.exe, it just won't open. The cursor changes to "busy" so it's trying to do something, it just can't open it. Think I should just delete and replace?

I'm still having a lot of trouble with my Internet browser too. I deleted some suspicious-looking items using HijackThis and Internet Explorer started to work again, but they keep reappearing. I'll post my log and highlight the offending items I'm referring to, see if you can tell me what they are:

Logfile of HijackThis v1.97.7
Scan saved at 15:39:09, on 10/07/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPHA1MON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\ROXIO SHARED\PROJECT SELECTOR\PROJSELECTOR.EXE
C:\WINDOWS\SYSTEM\HPHIPM07.EXE
C:\WINDOWS\SYSTEM\HPHID407.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\DRAGTODISC\DRGTODSC.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\AUDIOCENTRAL\RXMON.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\AUDIOCENTRAL\PLAYLIST.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\WININET32.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\MY DOCUMENTS\MARTIN\SOFTWARE\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pipex.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dial.pipex.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PIPEX
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

F1 - win.ini: run=hpfsched
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPHA1MON] C:\WINDOWS\SYSTEM\HPHA1MON.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Remote Packet Capture Protocol v.2.0] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [Plug and Play] C:\WINDOWS\wininet32.exe
O8 - Extra context menu item: Take snap shot - C:\WINDOWS\TEMP\CSSnapShot.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.dial.pipex.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn....v45/yacscom.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
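As an added example (not code from the thread or from HijackThis), a small Python triage script that applies the reasoning used in this thread to an HJT log: it flags a ProxyServer value pointing at loopback (the kind of setting behind a "sluggish" browser and failed page loads) and O4 autostart entries whose display name bears no resemblance to an executable dropped straight into the Windows root, which is exactly the shape of the "Remote Packet Capture Protocol v.2.0" / runwin32.exe and "Plug and Play" / wininet32.exe lines above. The sample log excerpt is constructed from the log posted in this thread; the heuristics are review filters for an analyst, not verdicts.

```python
import os
import re

# Constructed excerpt in HijackThis v1.97 format, modelled on the log posted above.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKCU\..\Run: [Remote Packet Capture Protocol v.2.0] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [Plug and Play] C:\WINDOWS\wininet32.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (\S+)")

def parse_o4(line):
    """Split an O4 autostart line into hive, key, display name and executable path."""
    m = O4_RE.match(line)
    if not m:
        return None
    hive, key, name, cmd = m.groups()
    exe = re.match(r'"?([^"]*?\.exe)', cmd, re.I)  # strip quotes and trailing arguments
    return {"hive": hive, "key": key, "name": name,
            "path": exe.group(1) if exe else cmd.split()[0]}

def o4_suspicious(entry):
    """Executable sitting directly in the Windows root (not System/System32) whose
    display name shares no 4-letter prefix with the file name, e.g. [Plug and Play] -> wininet32.exe."""
    folder, _, base = entry["path"].rpartition("\\")
    stem = base.lower().rsplit(".", 1)[0]
    in_windows_root = folder.lower().rstrip("\\").endswith("windows")
    words = [w.lower() for w in re.findall(r"[A-Za-z]+", entry["name"])]
    name_fits = any(len(os.path.commonprefix([w, stem])) >= 4 for w in words)
    return in_windows_root and not name_fits

def proxy_suspicious(line):
    """ProxyServer on loopback routes IE through a local process; legitimate filters do this too."""
    m = PROXY_RE.match(line)
    return bool(m) and m.group(1).split(":")[0] in ("127.0.0.1", "localhost")

def triage(log_text):
    """Return (kind, detail) findings for analyst review, in log order."""
    findings = []
    for line in log_text.splitlines():
        if proxy_suspicious(line):
            findings.append(("proxy", line.split("= ", 1)[1]))
        entry = parse_o4(line)
        if entry and o4_suspicious(entry):
            findings.append(("o4", entry["path"]))
    return findings
```

A loopback proxy finding should be confirmed by checking what process actually listens on that port, since pop-up blockers and ad filters of that era also installed themselves as 127.0.0.1 proxies.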

#5 MrGoodbar

Posted 10 July 2004 - 09:45 AM

One more thing I just realised... I think every time I try to open Notepad it runs the following two programs:

C:\WINDOWS\wininet32.exe
C:\WINDOWS\runwin32.exe

Does this help explain what's happening at all?

#6 terryb

Posted 11 July 2004 - 02:43 PM

You have trojans still on your computer. For starters, run your anti-virus. If you don't have one, go to www.pandasoftware.com/activescan/activescan.asp?Language=2&Country=63& or housecall.antivirus.com. These free scans will remove the virus also. You can later remove the free scan files from your computer if you don't want them. AVG (Grisoft) is a free anti-virus program also. (It's your choice.)

After a full system scan, if you're still having problems, delete the value:

RunWin32 %windir%\RunWin32.exe

from the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If you have MADCOW.EXE in your system, delete it (it is an internet worm that spreads through MS Outlook and uses wininet32.exe). Maybe this will help.

#7 terryb

Posted 11 July 2004 - 03:21 PM

In case I wasn't too clear at the end, wininet32.exe should be deleted also, but like I said, hopefully your virus scan will do it for you. (I always recommend a scan before you go into the registry.)
