Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

notepad(4).exe


  • Please log in to reply
64 replies to this topic

#1 rmanasa

rmanasa

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:05:48 PM

Posted 11 August 2013 - 02:23 PM

Greetings -

I'm having two bits of "odd behavior" that may or may not be caused by a virus or malware:

1. When searching my computer using Search Everything (http://voidtools.com/), I find  notepad(4).exe. The file cannot be run, renamed or deleted. It is not visible when looking through the C:\Windows\system32 folder. There are regular, functioning copies of notepad.exe in C:\Windows, C:\Windows\System32 and C:\Windows\SysWOW64, all of which work just fine.

2. Perhaps related is another problem. When right clicking on a file in the Downloads folder in Firefox and selecting "Open Containing Folder", I get the following error:

 

"This file does not have a program associated with it for performing this action. Please install a program or, if one is already installed, create an association in the Default Programs control panel."
 

This also happens when right clicking a file in the Start Menu/Documents and selecting "Open File Location". The dialog box is entitled "explorer.exe" instead of "firefox.exe", but is otherwise identical. This happens in any similar location that I have tried so far.

 

Oddly, if the folder containing the file is open in another window on my desktop, selecting "Open File Location" or "Open Containing Folder" shifts the focus to that window and highlights the program.

 

I followed many posted suggestions on this, most related to making sure the registry settings for folder and file associations are correct (e.g., http://www.winhelponline.com/blog/file-asso-fixes-for-windows-7/) without success.

 

Apologies in advance if these issues are outside the scope of combofix. Looking forward to your reply. Thank you!

 



BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,679 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:48 PM

Posted 11 August 2013 - 03:07 PM

1. Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE

  • Double-click SystemLook.exe to run it.
  • Vista users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:

:filefind
notepad*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 rmanasa

rmanasa
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:05:48 PM

Posted 11 August 2013 - 03:27 PM

Thanks for the quick reply, Broni. Here is what SystemLooks sez:

 

SystemLook 30.07.11 by jpshortstuff
Log created at 16:24 on 11/08/2013 by Rick Manasa
Administrator - Elevation successful

========== filefind ==========

Searching for "notepad*"
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk    --a---- 1304 bytes    [04:54 14/07/2009]    [04:54 14/07/2009] B314F70E2471B24836DC682425597F40
C:\Users\Rick Manasa\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Notepad.lnk    --a---- 783 bytes    [22:00 13/04/2013]    [22:00 13/04/2013] 42BEB3FFFB04A53EAA60CE8814A112EA
C:\Windows\notepad.exe    --a---- 179712 bytes    [02:42 05/08/2013]    [01:14 14/07/2009] D378BFFB70923139D6A4F546864AA61C
C:\Windows\en-US\notepad.exe.mui    --a---- 12288 bytes    [07:06 21/11/2010]    [07:06 21/11/2010] 430B4D855464BF5B85B872BE5EBC3943
C:\Windows\System32\notepad.exe    --a---- 193536 bytes    [17:37 31/10/2011]    [01:39 14/07/2009] F2C7BB8ACC97F92E987A2D4087D021B1
C:\Windows\System32\en-US\notepad.exe.mui    --a---- 12288 bytes    [07:06 21/11/2010]    [07:06 21/11/2010] 430B4D855464BF5B85B872BE5EBC3943
C:\Windows\SysWOW64\notepad.exe    --a---- 179712 bytes    [23:41 13/07/2009]    [01:14 14/07/2009] D378BFFB70923139D6A4F546864AA61C
C:\Windows\SysWOW64\en-US\notepad.exe.mui    --a---- 12288 bytes    [07:06 21/11/2010]    [07:06 21/11/2010] 50EF8674DF0CB68A957D44566BF86982
C:\Windows\winsxs\amd64_microsoft-windows-notepad.resources_31bf3856ad364e35_6.1.7600.16385_en-us_79dac9b8e8ab2637\notepad.exe.mui    --a---- 12288 bytes    [07:06 21/11/2010]    [07:06 21/11/2010] 430B4D855464BF5B85B872BE5EBC3943
C:\Windows\winsxs\amd64_microsoft-windows-notepadwin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f51dc315e4ca5723\notepad.exe.mui    --a---- 12288 bytes    [07:06 21/11/2010]    [07:06 21/11/2010] 430B4D855464BF5B85B872BE5EBC3943
C:\Windows\winsxs\amd64_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_9ebebe8614be1470\notepad.exe    --a---- 12288 bytes    [17:37 31/10/2011]    [23:25 04/08/2013] 4072783B8EFB99A9E5817067D68F61C6
C:\Windows\winsxs\amd64_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_cb0f7f2289b0c21a\notepad.exe    --a---- 12288 bytes    [17:37 31/10/2011]    [23:25 04/08/2013] 4072783B8EFB99A9E5817067D68F61C6
C:\Windows\winsxs\wow64_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_d5642974be118415\notepad.exe    --a---- 179712 bytes    [23:41 13/07/2009]    [01:14 14/07/2009] D378BFFB70923139D6A4F546864AA61C
C:\Windows\winsxs\x86_microsoft-windows-notepad.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1dbc2e35304db501\notepad.exe.mui    --a---- 12288 bytes    [07:06 21/11/2010]    [07:06 21/11/2010] 50EF8674DF0CB68A957D44566BF86982

-= EOF =-



#4 hamluis

hamluis

    Moderator


  • Moderator
  • 55,545 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:04:48 PM

Posted 11 August 2013 - 03:28 PM

Just a thought (I use Everything almost daily)...when searching by keywords...Everything will reflect the phantom items reflected as "recent".  These are not really files, but a administrative note of some sort.  It's important to look at the path of the apparent file and see where it is supposed to located on the hard drive.

 

Louis



#5 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,679 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:48 PM

Posted 11 August 2013 - 03:30 PM

I don't see any "notepad(4).exe".

Do you have a location of that file?


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#6 rmanasa

rmanasa
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:05:48 PM

Posted 11 August 2013 - 04:05 PM

Thank you both for your replies.

 

Search Everything sez notepad(4).exe is in C:\Windows\System32. It does not have the standard notepad icon. I'm not allowed to post images, so all I can do is describe it. It's a rectangle, with a gray top border, bluish box center left and lines indicating text (?) center and right.

 

Not sure if that's relevant or helpful, but there it is.



#7 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,679 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:48 PM

Posted 11 August 2013 - 04:16 PM

When you right click on that file what options do you have?


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#8 rmanasa

rmanasa
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:05:48 PM

Posted 11 August 2013 - 04:28 PM

When I right click on notepad(4).exe in Search Everything, I have the following options:

 

Open

Open Path

Copy Full Name to Clipboard

--seperator--

Set Run Count ...

--seperator--

Delete

Rename

--seperator--

Read Extended Information

 

* Open give the following error message:

 

Windows cannot find 'C:\Windows\System32\notepad(4).exe'. Make sure you typed the name correctly, and then try again.

 

The error dialog box is entitled:

 

C:\Windows\System32\notepad(4).exe

 

* Open Path opens a window to the C:\Users\MyName folder.

 

* Copy Full Name to Clipboard copies this:

 

"C:\Windows\System32\notepad(4).exe"

 

* Set Run Count ... opens the Set Run Count dialog box, which sez the Run Count is set to 4. This is a variable that I can change. There is an OK and Cancel button in the box.

 

* Delete has no effect.

 

* Rename highlights the file name in blue, ready for renaming. Changing anything (like adding .old) and then hitting Enter does not change the file name.

 

* Read Extended Information has no discernable effect.



#9 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,679 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:48 PM

Posted 11 August 2013 - 04:39 PM

Are you reading that info from some Everything log or you can actually see that file in Windows Explorer?


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#10 rmanasa

rmanasa
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:05:48 PM

Posted 11 August 2013 - 05:06 PM

The file notepad(4).exe is only visible through Search Everything. FYI - I've set my Folder Options in Explorer to:

 

Show hidden files, folders and drives - selected

Hide protected operating system files (Recommended) - deselected



#11 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,679 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:48 PM

Posted 11 August 2013 - 05:10 PM

I suggest you inquire at their forum: http://forum.voidtools.com/


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#12 rmanasa

rmanasa
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:05:48 PM

Posted 11 August 2013 - 05:18 PM

Just because I was curious, I installed UltraSearch (https://www.jam-software.de/customers/downloadTrialProcess.php

) to see if another third party search tool might "find" notepad(4).exe. In addition to the functioning notepads, it found two instances of notepad.exe (*not* notepad(4).exe) that have that same non-standard icon, in wildly different locations:

 

C:\Windows\winsxs\amd64_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_cb0f7f2289b0c21a\notepad.exe

 

C:\Windows\winsxs\amd64_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_9ebebe8614be1470\notepad.exe

 

Both of these are 0.01MB in size and Last Changed 8/4/13. The right click menu is much more extensive (I have Moo0 Window Menu Plus installed - http://www.moo0.com/software/WindowMenuPlus/download/free/.)  Selecting "Open Containing Folder" produces the same "no association" error.

 

Clearly, with the file size these are not the full notepad application. What they actually are is not so clear. <g>



#13 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,679 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:48 PM

Posted 11 August 2013 - 05:31 PM

Those are backup files listed as well in SystemLook log.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#14 rmanasa

rmanasa
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:05:48 PM

Posted 11 August 2013 - 05:36 PM

Those are backup files listed as well in SystemLook log.

OK. No cause for worry then.

 

At this point, I'll just ask if notepad(4).exe looks like an issue that ComboFix can address. If so, let's move forward. If not, I'll look elsewhere for info. No worries either way.

 

The same goes for this association business. Does that sound like a virus or malware of some kind? What other information can I provide to help you decide? Thanks again for all your help so far.



#15 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,679 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:48 PM

Posted 11 August 2013 - 05:39 PM

I'm not familiar with "Everything" but from what I can see I suspect that "Everything" itself numbers those files if it sees more than one instance.

I don't think there is anything you should worry about.
 


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users