Two Notepad.exe Processes, Different Sizes


13 replies to this topic

#1 joygreen

Posted 24 July 2007 - 01:41 AM

Hello Peeps :thumbsup:,

I just read about the malware that renames notepad.exe to note.exe, but I don't have a note.exe file. I am using valid XP, but it's OEM. I do think a stinker got into my machine and passed it to my 98 machine through a LAN connection (that worked only briefly), because both machines now get the Ad-Aware errors that it finds, corrects, and finds again.

On Task Manager, I have (on XP) two notepad.exe files. They have the same user name and user objects, but different sizes of PID and Mem. Usage.

Scans always say everything's OK, although freebie RegCure finds hundreds of errors it wants to fix for money. The machine is running slower than usual; I am getting rid of One Care (it's a hog) and am only keeping it to try to restore my backups, which are useless due to the O/S restores that of course wipe out the restore points.

Any ideas on notepad error?

Thank you ,
joy ~~~ to the world... joy to you and me... joy to the fishes in the deep blue sea, joy to you and me. :flowers:
"Restore an environmentally sustainable and economically just America"

#2 oldf@rt


Posted 24 July 2007 - 02:02 AM

I would recommend that you uninstall RegCure. It is linked to programs such as ErrorNuker, and the main site gets a McAfee risky-downloads rating. Besides, it seems to have the same type of interface that all the Smitfraud/Zlob trojan-downloaded programs do, and any program that won't fix any problems without money is probably a rip-off.

Have you tried SuperAntiSpyware yet? http://www.superantispyware.com/download.html
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#3 Budapest


Posted 24 July 2007 - 02:22 AM

Search your hard drive for any notepad.exe files and upload them at Jotti for analysis.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#4 usasma


Posted 24 July 2007 - 06:06 AM

There appear to be 2 notepad.exe files running in Task Manager. Do you have 2 notepad.exe windows open on the Desktop or in the Task Bar? If not, then these are likely to be trouble. After following the advice above, I'd refer you to these two forums:

http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye.
If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#5 joygreen


Posted 25 July 2007 - 02:15 AM

Thank you for your replies. I probably did have two instances of Notepad open when Task Manager (TM) reported them. I verified that tonight by opening and closing Notepad while watching TM. (Duh-me, thanks for the insight.) Oh, and I got rid of RegCure as soon as it asked me for money. I've got none of that...

~~~~~~~~~~~~~
So then I updated and ran Ad-Aware (Notepad had been opened once during the session and was closed while I ran Ad-Aware).

The same two "Windows Vulnerability" "Critical Objects" came back:
object type= RegData, Object: "HKEY_CLASSES_ROOT:regfile\shell\open\command"" (notepad.exe %1)
and
object type= RegData, Object: "HKEY_CLASSES_ROOT:scrfile\shell\open\command"" (notepad.exe %1)

Adaware reported "Location" as:
regfile\shell\open\command""(notepad.exe %1)
scrfile\shell\open\command""(notepad.exe %1)

Ad-aware Description "General Windows Security Issue. Your system security may be compromised... (no details)
~~~~~
So I deleted them as usual, but they keep coming back. I am using the Webroot spyware and virus package, and replaced my firewall to match my other PC (still trying to network them).

I just ran both files through Jotti. Cool site. Found nothing, however. The notepad files are in c:\windows and c:\windows\system32.

I'll try superantispyware and read those forums.

Thanks, guys. You are great. :thumbsup:
"Restore an environmentally sustainable and economically just America"

#6 Budapest


Posted 25 July 2007 - 02:26 AM

Try running AdAware in Safe Mode.

#7 oldf@rt


Posted 25 July 2007 - 02:33 AM

The Webroot Spy Sweeper is blocking Ad-Aware's changes when you fix them. Make sure Spy Sweeper is disabled or its registry protection is turned off.

Edited by oldf@rt, 25 July 2007 - 02:33 AM.


#8 joygreen


Posted 25 July 2007 - 05:03 AM

Hi guys, it looks like we're all up all night tonight. I ran superantispyware and it only found tracking cookies. So I will run ad-aware in safe mode as suggested.

Thank you again, and I hope we all find some time to sleep.

joy

PS: John: I clicked on those two links and they gave me lists. I did do a search on notepad before I posted this question, and got a slew of results. But they were only mentioning notepad in passing, not questions about notepad. I'll admit I didn't read ALL of them, but I didn't see any titles about notepad. Were you suggesting a way to search for a topic that's already covered? If there's a better way to do it, I'd love to see it ~ Thanks :thumbsup:

Edited by joygreen, 25 July 2007 - 05:09 AM.

"Restore an environmentally sustainable and economically just America"

#9 usasma


Posted 25 July 2007 - 06:23 AM

Are you fully updated on Windows Update? Some anti-malware programs will warn you when there's a vulnerability on your system.

#10 joygreen


Posted 31 July 2007 - 05:36 PM

I still have the notepad errors. I ran Ad-Aware in Safe Mode (but forgot to disconnect Spy Sweeper). Last night I turned off a bunch of junk from the startup menu. Windows Live OneCare expired, and I didn't plan to renew, so I disabled it and put Sygate on. Webroot is running virus and spy scans and never finds anything.

Sygate keeps popping up with one care messages, so I finally gave up and re-enabled one care, and turned off sygate. The win protection center says all is turned on. But I got these hairy messages from Sygate right before I made the switch. Does this stuff say anything to anyone? I googled the "Internet Corporation for Assigned Names and Number", and got a list of things, one being a domain name service - they all looked like spies to me as they used my IP address with .255 at the end. I don't have one of those defined, and don't think I'm doing business with anyone in Marina Del Rey.


OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 192.168.0.0 - 192.168.255.255
CIDR: 192.168.0.0/16
NetName: IANA-CBLK1
NetHandle: NET-192-168-0-0-1
Parent: NET-192-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate: 1994-03-15
Updated: 2002-09-16

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org

# ARIN WHOIS database, last updated 2007-07-30 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

===============eof

I wish we had a new Icon that bursts into tears... Instead I am going to logoff. See y'all later.
"Restore an environmentally sustainable and economically just America"

#11 usasma


Posted 01 August 2007 - 05:53 AM

Don't just turn the One Care off - uninstall it from the Add/Remove Programs applet in Control Panel (and put the Sygate back on!). With Sygate, you can tell it to always block the One Care traffic (if that message returns after uninstalling it) and won't be bothered by the messages again.

#12 joygreen


Posted 17 August 2007 - 05:10 PM

After trying all the suggestions kindly offered, my PC just wouldn't cooperate. So I did a google, and found a way to fix this. Notepad.exe only belongs in one directory. Doing a search found it in more than one, and every time I deleted it, it just came back. After reading the suggested solution, I right-clicked my shortcuts and found them all to be pointing to the wrong directory, so I deleted all of them (except the one in Accessories) . Then I ... :thumbsup: ... edited the directory as described below and it worked!!!

The link is to give credit to the solution writer. I thank all of you for your attention to this. I really did feel like a spy was/is on my PC, because I usually have to type in my e-mail password twice, even though I know I didn't fat-finger it the first time.

http://help.lockergnome.com/security/default-Ad-Aware-ftopict1741.html

I'm running Win98SE so Notepad.exe should only be in the C:\Windows folder - same for Win95 and WinME. In NT4, Win2k and WinXP, Notepad.exe should be in the C:\Windows\System32 (or where ever Windows resides in your system).

A search in Google Groups/alt.comp.anti-virus listed about 30 other threads related to Notepad.exe problems.

According to Symantec this is a trojan called Backdoor.Way. I had the same thing happen as you. Adaware would clean it, then when I restarted and re-ran Adaware again it was back. First run Adaware and if it is there, remove it. Then open regedit (START-Run-regedit-OK). Go to:

HKLM\Software\Classes\txtfile\Shell\Open\Command

Go to the right pane and double-click (Default). The editor will open; it will show %SystemRoot%\System32\NOTEPAD.EXE %1. Remove the \System32. Click OK, then exit regedit.

Go to Start-All Programs-Accessories, find the notepad shortcut icon. Right click, click properties.
In the target window also remove \System32, click apply and OK. Do this with any other Notepad shortcuts you may have made.

Next go to regedit again and check:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Check the right pane to see if there is a listing: msgtask C:\Windows\System32\msgsvc.exe. If there is, select the value, then Delete, and exit regedit. I did not have this part on my system, but check it anyway. (This wasn't on my XP machine either.)

(Note: before I restarted my machine, I did Start-Run-Notepad.exe and it still worked)

Now restart your system, re-run Adaware and see if it is gone. It worked on mine. Good luck.

"Restore an environmentally sustainable and economically just America"

#13 tg1911


Posted 17 August 2007 - 05:21 PM

WARNING:
The above procedure is a registry edit.
Improper changes to the registry could render your computer inoperable.
Remember to back up the registry before making any changes.
Instructions on how to do that can be found here:
How to back up, edit, and restore the registry
(I highly suggest you make a copy of the above article.)
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA


#14 joygreen


Posted 17 August 2007 - 06:18 PM

TG, Thank you for adding that precaution.
"Restore an environmentally sustainable and economically just America"



