Too All:

I managed to pick up a CWS virus which has apparently corrupted my
notepad.exe. I am running WinXP SP1 with the latest security patches and
NAV 2002 with the latest virus definitions. I have not run Spybot 1.3 or
Adaware yet.

I discovered the problem when I used my default text editor "UltraEdit32"
(an excellent programming editor) which complained about a virus and would
not start. Reinstalling UltraEdit did not help.

NAV with the latest virus definitions did NOT pick up anything.

I ran CWShredder 1.59.0 which found and removed 2 DLL files.

I reset my home page in IE (which I should not have used as I usually use
Mozilla).

I noticed that the icons for Notepad were corrupted.

I noticed that running Notepad would:
1) reset my IE homepage
2) Disable ZoneAlarm
3) reinstall the DLL's (with a different name) that CWShredder would again
remove.

I ran a complete search for "notepad" and came up with the following:

Name Folder Size Date Modified Date Created
NOTEPAD.EXE-2461BAE5.pf C:\WINDOWS\Prefetch 32 kb 6/27/2004
10:18 PM 6/27/2004 10:18 PM
NOTEPAD.EXE-195C34B9.pf C:\WINDOWS\Prefetch 32 kb 6/27/2004
10:18 PM 6/27/2004 10:18 PM
NOTEPAD.EXE-2DAE2DE6.pf C:\WINDOWS\Prefetch 32 kb 6/27/2004 9:30
PM 6/27/2004 9:30 PM
NOTEPAD.EXE C:\I386 25 kb 6/22/2004 8:23 AM 6/22/2004 8:23
AM 10/8/2002 12:40 PM
notepad.exe C:\WINDOWS 25 kb 6/22/2004 8:23 AM 6/22/2004
8:23 AM 8/18/2001 5:00 AM
NOTEPAD.EXE C:\WINDOWS\SYSTEM32 25 kb 6/22/2004 8:23 AM
6/22/2004 8:23 AM 8/18/2001 5:00 AM
notepad.exe.bak C:\I386 25 kb 6/22/2004 8:23 AM 6/22/2004
8:23 AM 6/18/2004 8:31 PM
notepad.exe.bak C:\WINDOWS 25 kb 6/22/2004 8:23 AM 6/22/2004
8:23 AM 6/18/2004 8:31 AM
notepad.exe.bak C:\WINDOWS\SYSTEM32 25 kb 6/22/2004 8:23 AM
6/22/2004 8:23 AM 6/18/2004 8:31 AM

My conclusion are:
1) notepad.exe has been replaced by a virus/trojan (clicking notepad.exe
generates the DLL's and resets my IE homepage)

2) the virus hit me on 6/18/2004 8:31 AM and maybe again on 6/22/2004 8:23
AM.

3) NAV has repeated failed to catch the virus

My 2 questions are:

1) How do I remove the virus/trojan notepad.exe

2) How do I replace the virus notepad.exe with an original notepad.exe on
WinXP SP1 with all the latest MS security patches.

Thanks,

Steve

In Message-ID:<mZODc.165698$3x.118115@attbi_s54> posted on Mon, 28 Jun
2004 06:33:54 GMT, Steve wrote: Begin:

>I discovered the problem when I used my default text editor "UltraEdit32"
>(an excellent programming editor) which complained about a virus and would
>not start. Reinstalling UltraEdit did not help.

just curious;
Did you have notepad redirected to UE?
You might also have to replace the substitute notepad.exe
(the one from UE) if it got corrupted by the cruel web trojan.
http://www.ultraedit.com/downloads/a...l.html#notepad

--

Bart

Bart Bailey wrote:
> In Message-ID:<mZODc.165698$3x.118115@attbi_s54> posted on Mon, 28 Jun
> 2004 06:33:54 GMT, Steve wrote: Begin:
>
>> I discovered the problem when I used my default text editor
>> "UltraEdit32" (an excellent programming editor) which complained
>> about a virus and would not start. Reinstalling UltraEdit did not
>> help.
>
> just curious;
> Did you have notepad redirected to UE?
> You might also have to replace the substitute notepad.exe
> (the one from UE) if it got corrupted by the cruel web trojan.
> http://www.ultraedit.com/downloads/a...l.html#notepad

Bart:

I do not have notepad redirected to UE. I do have UE set up as my default
IE editor (hense CWS mistook it for notepad).

I've got UltraEdit working OK after running CWShredder and Adaware.

How do I replace the trojan notepad.exe's with an original MS notepad.exe
for WinXP SP1?

Thanks,

Steve

Steve wrote:
> Too All:
>
> I managed to pick up a CWS virus which has apparently corrupted my
> notepad.exe. I am running WinXP SP1 with the latest security patches
> and NAV 2002 with the latest virus definitions. I have not run
> Spybot 1.3 or Adaware yet.
>
> I discovered the problem when I used my default text editor
> "UltraEdit32" (an excellent programming editor) which complained
> about a virus and would not start. Reinstalling UltraEdit did not
> help.
>
> NAV with the latest virus definitions did NOT pick up anything.
>
> I ran CWShredder 1.59.0 which found and removed 2 DLL files.
>
> I reset my home page in IE (which I should not have used as I usually
> use Mozilla).
>
> I noticed that the icons for Notepad were corrupted.
>
> I noticed that running Notepad would:
> 1) reset my IE homepage
> 2) Disable ZoneAlarm
> 3) reinstall the DLL's (with a different name) that CWShredder would
> again remove.
>
> I ran a complete search for "notepad" and came up with the following:
>
> Name Folder Size Date Modified Date Created
> NOTEPAD.EXE-2461BAE5.pf C:\WINDOWS\Prefetch 32 kb
> 6/27/2004 10:18 PM 6/27/2004 10:18 PM
> NOTEPAD.EXE-195C34B9.pf C:\WINDOWS\Prefetch 32 kb
> 6/27/2004 10:18 PM 6/27/2004 10:18 PM
> NOTEPAD.EXE-2DAE2DE6.pf C:\WINDOWS\Prefetch 32 kb
> 6/27/2004 9:30 PM 6/27/2004 9:30 PM
> NOTEPAD.EXE C:\I386 25 kb 6/22/2004 8:23 AM 6/22/2004
> 8:23 AM 10/8/2002 12:40 PM
> notepad.exe C:\WINDOWS 25 kb 6/22/2004 8:23 AM
> 6/22/2004 8:23 AM 8/18/2001 5:00 AM
> NOTEPAD.EXE C:\WINDOWS\SYSTEM32 25 kb 6/22/2004 8:23 AM
> 6/22/2004 8:23 AM 8/18/2001 5:00 AM
> notepad.exe.bak C:\I386 25 kb 6/22/2004 8:23 AM
> 6/22/2004 8:23 AM 6/18/2004 8:31 PM
> notepad.exe.bak C:\WINDOWS 25 kb 6/22/2004 8:23 AM
> 6/22/2004 8:23 AM 6/18/2004 8:31 AM
> notepad.exe.bak C:\WINDOWS\SYSTEM32 25 kb 6/22/2004 8:23
> AM 6/22/2004 8:23 AM 6/18/2004 8:31 AM
>
> My conclusion are:
> 1) notepad.exe has been replaced by a virus/trojan (clicking
> notepad.exe generates the DLL's and resets my IE homepage)
>
> 2) the virus hit me on 6/18/2004 8:31 AM and maybe again on 6/22/2004
> 8:23 AM.
>
> 3) NAV has repeated failed to catch the virus
>
> My 2 questions are:
>
> 1) How do I remove the virus/trojan notepad.exe
>
> 2) How do I replace the virus notepad.exe with an original
> notepad.exe on WinXP SP1 with all the latest MS security patches.
>
> Thanks,
>
> Steve

The results of an on-line scan at:

http://www.kaspersky.com/remoteviruschk.html

are:

NOTEPAD.EXE C:\WINDOWS\SYSTEM32
Scanned file: NOTEPAD.EXE
NOTEPAD.EXE - packed with FSG
NOTEPAD.EXE - infected by TrojanSpy.Win32.Small.r

Now how to I get an original copy of notepad.exe back?

Thanks,

Steve

Steve wrote:
> Steve wrote:
>> Too All:
>>
>> I managed to pick up a CWS virus which has apparently corrupted my
>> notepad.exe. I am running WinXP SP1 with the latest security patches
>> and NAV 2002 with the latest virus definitions. I have not run
>> Spybot 1.3 or Adaware yet.
>>
>> I discovered the problem when I used my default text editor
>> "UltraEdit32" (an excellent programming editor) which complained
>> about a virus and would not start. Reinstalling UltraEdit did not
>> help.
>>
>> NAV with the latest virus definitions did NOT pick up anything.
>>
>> I ran CWShredder 1.59.0 which found and removed 2 DLL files.
>>
>> I reset my home page in IE (which I should not have used as I usually
>> use Mozilla).
>>
>> I noticed that the icons for Notepad were corrupted.
>>
>> I noticed that running Notepad would:
>> 1) reset my IE homepage
>> 2) Disable ZoneAlarm
>> 3) reinstall the DLL's (with a different name) that CWShredder would
>> again remove.
>>
>> I ran a complete search for "notepad" and came up with the following:
>>
>> Name Folder Size Date Modified Date Created
>> NOTEPAD.EXE-2461BAE5.pf C:\WINDOWS\Prefetch 32 kb
>> 6/27/2004 10:18 PM 6/27/2004 10:18 PM
>> NOTEPAD.EXE-195C34B9.pf C:\WINDOWS\Prefetch 32 kb
>> 6/27/2004 10:18 PM 6/27/2004 10:18 PM
>> NOTEPAD.EXE-2DAE2DE6.pf C:\WINDOWS\Prefetch 32 kb
>> 6/27/2004 9:30 PM 6/27/2004 9:30 PM
>> NOTEPAD.EXE C:\I386 25 kb 6/22/2004 8:23 AM 6/22/2004
>> 8:23 AM 10/8/2002 12:40 PM
>> notepad.exe C:\WINDOWS 25 kb 6/22/2004 8:23 AM
>> 6/22/2004 8:23 AM 8/18/2001 5:00 AM
>> NOTEPAD.EXE C:\WINDOWS\SYSTEM32 25 kb 6/22/2004 8:23 AM
>> 6/22/2004 8:23 AM 8/18/2001 5:00 AM
>> notepad.exe.bak C:\I386 25 kb 6/22/2004 8:23 AM
>> 6/22/2004 8:23 AM 6/18/2004 8:31 PM
>> notepad.exe.bak C:\WINDOWS 25 kb 6/22/2004 8:23 AM
>> 6/22/2004 8:23 AM 6/18/2004 8:31 AM
>> notepad.exe.bak C:\WINDOWS\SYSTEM32 25 kb 6/22/2004 8:23
>> AM 6/22/2004 8:23 AM 6/18/2004 8:31 AM
>>
>> My conclusion are:
>> 1) notepad.exe has been replaced by a virus/trojan (clicking
>> notepad.exe generates the DLL's and resets my IE homepage)
>>
>> 2) the virus hit me on 6/18/2004 8:31 AM and maybe again on 6/22/2004
>> 8:23 AM.
>>
>> 3) NAV has repeated failed to catch the virus
>>
>> My 2 questions are:
>>
>> 1) How do I remove the virus/trojan notepad.exe
>>
>> 2) How do I replace the virus notepad.exe with an original
>> notepad.exe on WinXP SP1 with all the latest MS security patches.
>>
>> Thanks,
>>
>> Steve
>
> The results of an on-line scan at:
>
> http://www.kaspersky.com/remoteviruschk.html
>
> are:
>
> NOTEPAD.EXE C:\WINDOWS\SYSTEM32
> Scanned file: NOTEPAD.EXE
> NOTEPAD.EXE - packed with FSG
> NOTEPAD.EXE - infected by TrojanSpy.Win32.Small.r
>
> Now how to I get an original copy of notepad.exe back?
>
> Thanks,
>
> Steve

To All:

I found a replacement for notepad at:

http://www.spywareinfo.com/~merijn/w...s.html#notepad

Thanks Merijn.org!

Steve

On Mon, 28 Jun 2004 15:30:52 GMT, "Steve"
<(E-Mail Removed)> wrote:

>Now how to I get an original copy of notepad.exe back?

Another idea is to use something better. See what you think about
Metapad as a replacement:

http://www.liquidninja.com/metapad/

There are instructions in the FAQ on how to replace notepad with
metapad.


Art
http://www.epix.net/~artnpeg

In Message-ID:<QIPDc.104965$2i5.26227@attbi_s52> posted on Mon, 28 Jun
2004 07:24:32 GMT, Steve wrote: Begin:

>How do I replace the trojan notepad.exe's with an original MS notepad.exe
>for WinXP SP1?

Try here: http://www.spywareinfo.com/~merijn/w...s.html#notepad

--

Bart

"Steve" <(E-Mail Removed)> wrote in message news:MQWDc.129987$Sw.18853@attbi_s51...

> Now how to I get an original copy of notepad.exe back?

I believe that you can use msconfig to extract it from the CAB file.

(E-Mail Removed) wrote:
> On Mon, 28 Jun 2004 15:30:52 GMT, "Steve"
> <(E-Mail Removed)> wrote:
>
>> Now how to I get an original copy of notepad.exe back?
>
> Another idea is to use something better. See what you think about
> Metapad as a replacement:
>
> http://www.liquidninja.com/metapad/
>
> There are instructions in the FAQ on how to replace notepad with
> metapad.
>
>
> Art
> http://www.epix.net/~artnpeg

Art:

Thanks for the RE. I actually use UltraEdit32

http://www.idmcomp.com/

for my text editing. I will take a quick look at metapad though.

Steve