Wesley:
What path? The file search "path". The environmental variable that points an executable
to find EXE and DLL files when implicitly executed rather than explicitly executed.
For example; %windir%\notepad.exe
If I was in the folder (POV) "C:\Program Files\Microsoft Office\Office\" and I implicitly
called NOTEPAD.EXE, it would be found in the "path" rather than explicitly having to use the
fully qualified path; %windir%\notepad.exe
So when I said "The following place does NOT count..." is because the files in the dllcache
are not in the path and therefore would not be executed implicitly. To execute an EXE in
that folder you would have to explicitly call the fully qualified path;
%windir%\system32\dllcache\notepad.exe
Dave
| I certainly stand corrected on the plural of virus.
|
| Upon further investigation I have found that my copy of Notepad.exe in
| C:\WINDOWS\system32 was the extra copy. I think, maybe, I thought I oughta
| have a copy there. So I moved a copy there myself at one time. I have no
| idea why, must have seemed like a good idea at the time.
|
| Windows File Protection (WFP) didn't complain about moving and then deleting
| that copy.
|
| I now have two copies of notepad.exe. One each in C:\WINDOWS and
| C:\WINDOWS\system32\dllcache.
|
| What path? The copy of notepad.exe in C:\WINDOWS\system32\dllcache is what
| WFP uses to replace a moved/deleted or otherwise messed up copy.
|
| Dllcache = Windows File Protection backup files.
|
| I agree with your statement about notepad being open and the OP being unable
| to delete because notepad is in use which may certainly indicate a virus.
|
| No, I was concentrating on your statement... [[There should not be a
| NOTEPAD.EXE in c:\windows...]] Admittedly I drifted from the intent of the
| original post. ;-(
|
| --
| Hope this helps. Let us know.
| Wes
|
| David H. Lipman <[email protected]> hunted and pecked:
| > From here I can GUARANTEE you have no 'virii' -- why?
| >
| > Because there is no such terminology as 'virii'. The plural of
| > virus is viruses.
| >
| > There is NO reason to have two copies of NOTEPAD.EXE one in each of
| > the following..
| >
| >> C:\WINDOWS
| >> C:\WINDOWS\system32
| >
| > Albeit I too have two on a Win2K PC.
| >
| > The following place does NOT count since it is not in the path
| >> C:\WINDOWS\system32\dllcache
| >
| > But the OP stated "I am unable to delete the file in C:\Windows."
| > which is usually indicative that the file handle is open and since
| > this is an ASCII editor, it should not be open unless it is being used
| > by the user, not the OS. Thus the conclusion the OP sounds like he
| > is infected
| >
| > I think you concentrated on the NUMBER of NOTEPAD.EXE files rather
| > than the other info.
| >
| > Dave
| >
| >> I have XP Pro SP1.
| >> I have three notepad.exe's.
| >> Located here >>>
| >> C:\WINDOWS
| >> C:\WINDOWS\system32
| >> C:\WINDOWS\system32\dllcache
| >>
| >> I am 99.97% sure I have no virii.
| >>
| >> For fun I opened C:\WINDOWS and dragged notepad.exe to the desktop.
| >> I then opened the Event Viewer and saw this >>>
| >>
| >> Event Type: Information
| >> Event Source: Windows File Protection
| >> Event Category: None
| >> Event ID: 64002
| >> Date: 11/24/2004
| >> Time: 8:48:31 PM
| >> User: N/A
| >> Computer: MYPENTIUM450
| >> Description:
| >> File replacement was attempted on the protected system file
| >> c:\windows\notepad.exe. This file was restored to the original
| >> version to maintain system stability. The file version of the system
| >> file is
| >> 5.1.2600.0.
| >>
| >> So having notepad in C:\WINDOWS may not be a bad thing.
| >>
| >> Also...
| >> [[Windows Folder
| >> The Windows folder and its subfolders contain the operating system
| >> files for your Windows XP Professional installation (as shown in
| >> Table A.4).
| >>
| >> Table A.4
| >> Folder Name
| >> WINDOWS or WINNT
| >> Contents
| >> Miscellaneous operating system and application files (for
| >> example, Control.ini, Desktop.ini, Notepad.exe, and System.ini
| >> files) ]] <snip>
| >>
| >> From >>>
| >> Windows XP System Files Reference
| >> http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prgg_det_gite.asp
| >>
| >> --
| >> Hope this helps. Let us know.
| >> Wes
| >>
| >> David H. Lipman <[email protected]> hunted and pecked:
| >>> Sounds like you are infected !
| >>>
| >>> There should not be a NOTEPAD.EXE in c:\windows and another in
| >>> c:\windows\system32 .
| >>>
| >>> Please perform the below indicated scanning process. If
| >>> NOTEPAD.EXE is deleted it is infected and has to be replaced.
| >>>
| >>> Here is how to replace NOTEPAD.EXE *if*, after performing the following
| >>> instructions it is deleted.
| >>>
| >>> expand D:\i386\notepad.exe_ %windir%\notepad.exe
| >>> {where D: is the WinXP CDROM }
| >>>
| >>> 1) Download the following two items...
| >>>
| >>> Trend Sysclean Package
| >>> http://www.trendmicro.com/download/dcs.asp
| >>>
| >>> Latest Trend signature files.
| >>> http://www.trendmicro.com/download/pattern.asp
| >>>
| >>> Create a directory.
| >>> On drive "C:\"
| >>> (e.g., "c:\New Folder")
| >>> or the desktop
| >>> (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
| >>>
| >>> Download Sysclean.com and place it in that directory.
| >>> Download the Trend Pattern File by obtaining the ZIP file.
| >>> For example; lpt261.zip
| >>>
| >>> Extract the contents of the ZIP file and place the contents in the
| >>> same directory as sysclean.com.
| >>>
| >>> 2) Disable System Restore
| >>> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
| >>> 3) Reboot your PC into Safe Mode
| >>> 4) Using the Trend Sysclean utility, perform a Full Scan of your
| >>> platform and clean/delete any infectors found
| >>> 5) Restart your PC and perform a "final" Full Scan of your platform
| >>> 6) Re-enable System Restore and re-apply any System Restore
| >>> preferences, (e.g. HD space to use suggested 400 ~ 600MB),
| >>> 7) Reboot your PC.
| >>> 8) Create a new Restore point
| >>> 9) Please report back your results
| >>>
| >>> Dave
| >>>
| >>> "Thoroughly Confused" <Thoroughly (e-mail address removed)> wrote in message
| >>>> I recently read a thread in this forum about replacing a spyware
| >>>> tainted MS Notepad by deleting the notepad.exe file in C:\Windows
| >>>> and replacing it with the file from C:\Windows\System32.
| >>>>
| >>>> I have two computers and Notepad has been acting strangely on both,
| >>>> so I thought I might try the above fix. I did it on the first
| >>>> computer successfully and it now works fine. The second computer is
| >>>> another story. I am unable to delete the file in C:\Windows. When I
| >>>> try, it disappears from my files list for a second or two, then it
| >>>> re-appears.
| >>>>
| >>>> I've tried shredding utilities with the same result. I also tried
| >>>> renaming the file and the extension, but afterwards another copy of
| >>>> the notepad.exe file would appear in a few seconds. Then, just to
| >>>> see, I attempted to delete the file in C:\Windows\System32. The
| >>>> results were exactly the same.
| >>>>
| >>>> I hope someone can give me an idea about what's going on and how I
| >>>> can fix this problem. Thank you for your assistance.
|
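
The file search "path" distinction made in the top reply of this thread, as an added example that is not part of any poster's message: it lists every copy of a program name, shows which copy an implicit call would run, which copies are shadowed, which can only be started by a fully qualified path, and which differ in content from the copy that runs. Assumptions: only the ordered walk of path directories is modelled, the function names and the sample folder tree are constructed for illustration, and the path order (system32 before WINDOWS) is assumed.

```python
import hashlib
import os
import tempfile

def find_copies(name, path_dirs, off_path_dirs=()):
    """List every copy of `name`: path directories first (in order), then extras."""
    found = []
    for on_path, dirs in ((True, path_dirs), (False, off_path_dirs)):
        for d in dirs:
            try:
                entries = sorted(os.listdir(d))
            except OSError:
                continue  # the path often holds stale or unreadable entries
            for entry in entries:
                full = os.path.join(d, entry)
                # Windows file names are case-insensitive: NOTEPAD.EXE == notepad.exe
                if entry.lower() == name.lower() and os.path.isfile(full):
                    with open(full, "rb") as fh:
                        digest = hashlib.sha256(fh.read()).hexdigest()
                    found.append({"path": full, "on_path": on_path, "sha256": digest})
    return found

def triage(copies):
    """Split copies into the one an implicit call runs, shadowed ones, off-path ones."""
    on_path = [c for c in copies if c["on_path"]]
    winner = on_path[0] if on_path else None
    return {
        "runs_implicitly": winner["path"] if winner else None,
        "shadowed": [c["path"] for c in on_path[1:]],
        "explicit_only": [c["path"] for c in copies if not c["on_path"]],
        "differs_from_winner": [c["path"] for c in copies
                                if winner and c["sha256"] != winner["sha256"]],
    }

def build_sample_tree():
    """Constructed stand-in for the thread's three folders (not real Windows files)."""
    root = tempfile.mkdtemp()
    windows = os.path.join(root, "WINDOWS")
    system32 = os.path.join(windows, "system32")
    dllcache = os.path.join(system32, "dllcache")
    os.makedirs(dllcache)
    for folder, fname, data in ((windows, "notepad.exe", b"original"),
                                (system32, "NOTEPAD.EXE", b"hand-copied"),
                                (dllcache, "notepad.exe", b"original")):
        with open(os.path.join(folder, fname), "wb") as fh:
            fh.write(data)
    return windows, system32, dllcache

if __name__ == "__main__":
    windows, system32, dllcache = build_sample_tree()
    # Assumed path order: system32 before WINDOWS; dllcache is not on the path.
    print(triage(find_copies("notepad.exe", [system32, windows], [dllcache])))
```

On a real machine, pass `os.environ["PATH"].split(os.pathsep)` as `path_dirs` and the dllcache folder as `off_path_dirs`.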