Possibly Corrupt Notepad Can't Be Replaced

Guest

I recently read a thread in this forum about replacing a spyware tainted MS
Notepad by deleting the notepad.exe file in C:\Windows and replacing it with
the file from C:\Windows\System32.

I have two computers and Notepad has been acting strangely on both, so I
thought I might try the above fix. I did it on the first computer
successfully and it now works fine. The second computer is another story. I
am unable to delete the file in C:\Windows. When I try, it disappears from my
files list for a second or two, then it re-appears.

I've tried shredding utilities with the same result. I also tried renaming
the file and the extension, but afterwards another copy of the notepad.exe
file would appear in a few seconds. Then, just to see, I attempted to delete
the file in C:\Windows\System32. The results were exactly the same.

I hope someone can give me an idea about what's going on and how I can fix
this problem. Thank you for your assistance.
 
David H. Lipman

Sounds like you are infected !

There should not be a NOTEPAD.EXE in c:\windows and another in c:\windows\system32 .

Please perform the below indicated scanning process. If NOTEPAD.EXE is deleted it is
infected and has to be replaced.

Here is how to replace NOTEPAD.EXE *if*, after performing the following instructions, it is
deleted.

expand D:\i386\notepad.exe_ %windir%\notepad.exe
{where D: is the WinXP CDROM }

1) Download the following two items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt261.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode
4) Using the Trend Sysclean utility, perform a Full Scan of your platform and
clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform
6) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
7) Reboot your PC.
8) Create a new Restore point
9) Please report back your results

Dave




Guest

After getting your system cleaned, you can help keep it clean: download and
install the Mozilla Firefox browser. During installation, set it to import
your IE favorites. On first opening, set it to be your default browser.
 
Wesley Vogel

I have XP Pro SP1.
I have three notepad.exe's.
Located here >>>
C:\WINDOWS
C:\WINDOWS\system32
C:\WINDOWS\system32\dllcache

I am 99.97% sure I have no virii.

For fun I opened C:\WINDOWS and dragged notepad.exe to the desktop. I then
opened the Event Viewer and saw this >>>

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64002
Date: 11/24/2004
Time: 8:48:31 PM
User: N/A
Computer: MYPENTIUM450
Description:
File replacement was attempted on the protected system file
c:\windows\notepad.exe. This file was restored to the original version to
maintain system stability. The file version of the system file is
5.1.2600.0.

So having notepad in C:\WINDOWS may not be a bad thing.

Also...
[[Windows Folder
The Windows folder and its subfolders contain the operating system files for
your Windows XP Professional installation (as shown in Table A.4).

Table A.4
Folder Name: WINDOWS or WINNT
Contents: Miscellaneous operating system and application files (for
example, Control.ini, Desktop.ini, Notepad.exe, and System.ini files) ]]
<snip>

From >>>
Windows XP System Files Reference
http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prgg_det_gite.asp
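
The event quoted in the post above is what separates "Windows File Protection put the file back" from "something else keeps re-creating it". As an added example (not part of the original thread), this Python sketch parses Event Viewer text in the copy-and-paste layout shown above and reports which files WFP restored; the second sample record and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

WFP_SOURCE = "Windows File Protection"
WFP_RESTORE_ID = "64002"  # event ID quoted in the post above

# First record: the event quoted in the thread. Second record: constructed filler
# from a made-up source, included to show that unrelated events are ignored.
SAMPLE_EXPORT = """\
Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64002
Date: 11/24/2004
Time: 8:48:31 PM
User: N/A
Computer: MYPENTIUM450
Description:
File replacement was attempted on the protected system file
c:\\windows\\notepad.exe. This file was restored to the original version to
maintain system stability. The file version of the system file is
5.1.2600.0.

Event Type: Information
Event Source: ExampleService
Event Category: None
Event ID: 1
Date: 11/24/2004
Time: 8:50:02 PM
User: N/A
Computer: MYPENTIUM450
Description:
Constructed filler record.
"""


@dataclass
class WfpRestore:
    path: str
    version: str
    when: str


def parse_records(text):
    """Split pasted Event Viewer text into dicts, one per event record."""
    records, current, in_description = [], None, False
    for raw in text.splitlines():
        # Tolerate mail-style quote prefixes ("| ", "> ") from re-quoted posts.
        line = raw.lstrip("|> ").rstrip()
        if line.startswith("Event Type:"):
            current = {"Description": ""}
            records.append(current)
            in_description = False
        if current is None:
            continue
        if in_description:
            # The description wraps over several lines; rejoin it with spaces.
            current["Description"] = (current["Description"] + " " + line).strip()
        elif line == "Description:":
            in_description = True
        elif ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records


_DETAIL = re.compile(
    r"protected system file\s+(?P<path>.+?)\.\s+This file was restored"
    r".*?file version of the system file is\s+(?P<ver>\d+(?:\.\d+)*)",
    re.IGNORECASE,
)


def wfp_restores(text):
    """Return one WfpRestore per WFP restore event found in the text."""
    found = []
    for rec in parse_records(text):
        if rec.get("Event Source") != WFP_SOURCE or rec.get("Event ID") != WFP_RESTORE_ID:
            continue
        match = _DETAIL.search(rec["Description"])
        if match:
            when = f'{rec.get("Date", "")} {rec.get("Time", "")}'.strip()
            found.append(WfpRestore(match["path"], match["ver"], when))
    return found


def _norm(path):
    # Windows paths compare case-insensitively; accept either slash direction.
    return path.replace("/", "\\").rstrip("\\").lower()


def restored_by_wfp(text, path):
    """True if the log shows WFP restoring `path` after a delete or replace."""
    return any(_norm(r.path) == _norm(path) for r in wfp_restores(text))


if __name__ == "__main__":
    for hit in wfp_restores(SAMPLE_EXPORT):
        print(hit)
```

A file that reappears with no matching restore event in the log is the case that still needs explaining.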
 
David H. Lipman

From here I can GUARANTEE you have no 'virii' -- why ?

Because there is no such terminology as 'vireo's. The plural of virus is viruses

There is NO reason to have two copies of NOTEPAD.EXE one in each of the following..

| C:\WINDOWS
| C:\WINDOWS\system32

Albeit I too have two on a Win2K PC.

The following place does NOT count since it is not in the path
| C:\WINDOWS\system32\dllcache

But the OP stated "I am unable to delete the file in C:\Windows." which is usually
indicative that the file handle is open and since this is an ASCII editor, it should not be
open unless it is being used by the user, not the OS. Thus the conclusion the OP sounds
like he is infected.

I think you concentrated on the NUMBER of NOTEPAD.EXE files rather than the other info.

Dave





Wesley Vogel

I certainly stand corrected on the plural of virus. :)

Upon further investigation I have found that my copy of Notepad.exe in
C:\WINDOWS\system32 was the extra copy. I think, maybe, I thought I oughta
have a copy there. So I moved a copy there myself at one time. I have no
idea why, must have seemed like a good idea at the time.

Windows File Protection (WFP) didn't complain about moving and then deleting
that copy.

I now have two copies of notepad.exe. One each in C:\WINDOWS and
C:\WINDOWS\system32\dllcache.

What path? The copy of notepad.exe in C:\WINDOWS\system32\dllcache is what
WFP uses to replace a moved/deleted or otherwise messed up copy.

Dllcache = Windows File Protection backup files.

I agree with your statement about notepad being open and the OP being unable
to delete because notepad is in use which may certainly indicate a virus.

No, I was concentrating on your statement... [[There should not be a
NOTEPAD.EXE in c:\windows...]] Admittedly I drifted from the intent of the
original post. ;-(

--
Hope this helps. Let us know.
Wes

Alex Nichol

David said:
| Sounds like you are infected !
|
| There should not be a NOTEPAD.EXE in c:\windows and another in c:\windows\system32 .


There should. It is the normal setup for some reason. One is used in
file associations, eg .txt, and the other by the shortcut in start -
All programs - Accessories
 
David H. Lipman

Wesley:

What path ? The file search "path". The environmental variable that points an executable
to find EXE and DLL files when implicitly executed rather than explicitly executed.

For example; %windir%\notepad.exe
If I was in the folder (POV) "C:\Program Files\Microsoft Office\Office\" and I implicitly
called NOTEPAD.EXE, it would be found in the "path" rather than explicitly having to use the
fully qualified path; %windir%\notepad.exe

So when I said "The following place does NOT count..." is because the files in the dllcache
are not in the path and therefore would not be executed implicitly. To execute an EXE in
that folder you would have to explicitly call the fully qualified path;
%windir%\system32\dllcache\notepad.exe

Dave
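
The implicit lookup described in the post above can be turned into a check: walk the search directories in order, see which copy of a name would run, and compare every copy against a known-good reference. This is an added example, not code from the thread. The search order is whatever list the caller passes in (a simplified model of the real lookup), the reference copy is assumed to be trustworthy (for instance one expanded from the install CD), and the directory tree and file contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_copies(name, search_dirs):
    """Return the file named `name` (case-insensitive) from each directory, in search order."""
    hits = []
    for directory in map(Path, search_dirs):
        if not directory.is_dir():
            continue
        for entry in sorted(directory.iterdir()):
            if entry.is_file() and entry.name.lower() == name.lower():
                hits.append(entry)
                break
    return hits


def audit(name, search_dirs, reference):
    """Report which copy resolves first and which copies differ from the reference."""
    ref_digest = sha256_of(reference)
    copies = [(p, sha256_of(p)) for p in find_copies(name, search_dirs)]
    return {
        # The first hit is the one an unqualified "notepad.exe" would run.
        "resolved": copies[0][0] if copies else None,
        "copies": copies,
        # Any copy on the search path whose hash differs deserves a closer look.
        "suspect": [p for p, digest in copies if digest != ref_digest],
    }


def demo():
    """Build a constructed directory tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        win = Path(root, "WINDOWS")
        sys32 = win / "system32"
        cache = sys32 / "dllcache"
        office = Path(root, "Program Files", "Microsoft Office", "Office")
        for d in (cache, office):
            d.mkdir(parents=True)
        good = b"MZ constructed stand-in for the genuine notepad.exe"
        (cache / "notepad.exe").write_bytes(good)   # not on the search path
        (sys32 / "NOTEPAD.EXE").write_bytes(good)
        (win / "notepad.exe").write_bytes(good + b" plus appended bytes")
        # Caller's directory first, then system32, then the Windows directory.
        return audit("notepad.exe", [office, sys32, win], cache / "notepad.exe")


if __name__ == "__main__":
    report = demo()
    print("runs implicitly:", report["resolved"])
    for path in report["suspect"]:
        print("differs from reference:", path)
```

The dllcache copy never appears in `copies` because its folder is not in the search list, which is the point made in the post; it only serves as the reference here.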



David H. Lipman

I should have added -- "Sorry for any confusion."

Dave



Wesley Vogel

David,

Gotcha! :) Notepad runs from %windir%.

--
Hope this helps. Let us know.
Wes

Guest

"There are no facts, only interpretations." - Friedrich Nietzsche 1844-1900


I'd like to thank everyone for all of the suggestions and help so far. This
is all becoming very baffling to me. I will continue to add to the confusion
by giving you updated information.

Firstly, I have occurrences of Notepad.exe in all the same folders mentioned
by Wesley Vogel. In addition, there are 3 other copies associated with
folders created during my SP2 upgrade, one of those copies being older and
smaller than the others. I presume this is if I decide to roll back to SP1.

Actions taken so far -

I downloaded and ran the Trend Micro scanning software, which indicated no
problems.

I routinely run Norton Anti-Virus 2004 and the following anti-spyware
utilities: Ad-Aware, Spybot, Spy Sweeper and Spyware Blaster, none of which
have turned up any threats. I check for and (if they exist) install updates
for all of these titles on a daily basis.

I used the Norton Symantec online virus scan. Once again, no threats found.

I also did what Wesley Vogel spoke of about the Event Viewer. The results
were the same. It indicated that it had prevented Notepad.exe from being
tampered with. This leads me to think that it's not possible to replace the
file by conventional means.

The fact remains that something is wrong with Notepad. It is very difficult
to use the way it is. It seems to me there has to be some way of replacing it
if it's corrupt.

Once again, I would appreciate any assistance. Thank you.
 
David H. Lipman

The way to replace it...
Go to; Start --> run
and execute the following command line.

expand D:\i386\notepad.exe_ %windir%\notepad.exe
and then...
expand D:\i386\notepad.exe_ %windir%\system32\notepad.exe

{ Where "D:" is the WinXP CDROM }

Dave




Wesley Vogel

Having three Notepad.exes, one each in the following folders should be
correct.

%SystemRoot%
%SystemRoot%\System32
%SystemRoot%\system32\dllcache

Alex Nichol MS MVP is correct. Start\Programs\Accessories\Notepad uses
%SystemRoot%\system32\notepad.exe. So does Folder Options\FileTypes\TXT.

HKEY_CLASSES_ROOT\txtfile\shell\open\command
%SystemRoot%\system32\NOTEPAD.EXE %1

HKEY_CLASSES_ROOT\txtfile\shell\print\command
%SystemRoot%\system32\NOTEPAD.EXE /p %1

HKEY_CLASSES_ROOT\txtfile\shell\printto\command
%SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4"

After deleting the notepad in the system32 folder I had a problem. Right
click a *.bat file | Edit wouldn't work. Windows couldn't find blah, blah.
So I downloaded Doug Knox's batch_file_assoc.reg fix. Opened it in Edit and
compared line for line in my registry. At least the first six lines.

Sixth line down I found this...
HKEY_CLASSES_ROOT\batfile\shell\edit\command

So I looked at mine...
HKEY_CLASSES_ROOT\batfile\shell\edit\command
(Default)
REG_EXPAND_SZ
%SystemRoot%\System32\NOTEPAD.EXE %1

Aha! Glorioski, Mr. Zero! Copied and pasted Notepad.exe back into
%SystemRoot%\System32 and everything is okie dokie now.

A further Search of my registry returns too many
%SystemRoot%\System32\NOTEPAD.EXE references to list.

There's a moral in here some where.
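
The breakage described in the post above (a shell verb pointing at a copy that was deleted) can be checked for before removing a "duplicate" binary. This is an added example, not code from the thread. The key names and command strings are the ones listed in the post, while the `C:\WINDOWS` value for `%SystemRoot%`, the file inventories and the function names are assumptions made for illustration. Only quoted paths and unquoted paths without spaces are handled.

```python
import re

# Association commands as listed in the post above.
ASSOCIATIONS = {
    r"HKEY_CLASSES_ROOT\txtfile\shell\open\command":
        r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    r"HKEY_CLASSES_ROOT\txtfile\shell\print\command":
        r"%SystemRoot%\system32\NOTEPAD.EXE /p %1",
    r"HKEY_CLASSES_ROOT\txtfile\shell\printto\command":
        r'%SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4"',
    r"HKEY_CLASSES_ROOT\batfile\shell\edit\command":
        r"%SystemRoot%\System32\NOTEPAD.EXE %1",
}

ENV = {"SystemRoot": r"C:\WINDOWS"}  # assumed install location

# Constructed inventories: after the system32 copy was deleted, and after it was put back.
AFTER_DELETE = [
    r"C:\WINDOWS\notepad.exe",
    r"C:\WINDOWS\system32\dllcache\notepad.exe",
]
AFTER_RESTORE = AFTER_DELETE + [r"C:\WINDOWS\System32\notepad.exe"]

_VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def handler_executable(command):
    """Return the program part of a shell command string, unexpanded."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(None, 1)[0] if command else ""


def expand(path, env):
    """Expand %NAME% references using `env`; unknown names are left untouched."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lookup.get(m[1].lower(), m[0]), path)


def make_exists(files):
    """Case-insensitive existence test over a fixed inventory (stands in for the disk)."""
    present = {f.lower() for f in files}
    return lambda p: p.lower() in present


def dangling_handlers(associations, env, exists):
    """Return (key, target) for every association whose program is missing."""
    broken = []
    for key, command in associations.items():
        target = expand(handler_executable(command), env)
        if not exists(target):
            broken.append((key, target))
    return broken


if __name__ == "__main__":
    for key, target in dangling_handlers(ASSOCIATIONS, ENV, make_exists(AFTER_DELETE)):
        print(f"{key} -> {target} (missing)")
```

On a live Windows system, pass `os.path.exists` as the `exists` argument and `os.environ` as `env`.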
 
