Steve
To All:
I managed to pick up a CWS virus which has apparently corrupted my
notepad.exe. I am running WinXP SP1 with the latest security patches and
NAV 2002 with the latest virus definitions. I have not run Spybot 1.3 or
Adaware yet.
I discovered the problem when I used my default text editor "UltraEdit32"
(an excellent programming editor) which complained about a virus and would
not start. Reinstalling UltraEdit did not help.
NAV with the latest virus definitions did NOT pick up anything.
I ran CWShredder 1.59.0 which found and removed 2 DLL files.
I reset my home page in IE (which I should not have used as I usually use
Mozilla).
I noticed that the icons for Notepad were corrupted.
I noticed that running Notepad would:
1) reset my IE homepage
2) Disable ZoneAlarm
3) reinstall the DLLs (with a different name) that CWShredder would again
remove.
I ran a complete search for "notepad" and came up with the following:
Name                     Folder               Size   Date Modified       Date Created
NOTEPAD.EXE-2461BAE5.pf  C:\WINDOWS\Prefetch  32 kb  6/27/2004 10:18 PM  6/27/2004 10:18 PM
NOTEPAD.EXE-195C34B9.pf  C:\WINDOWS\Prefetch  32 kb  6/27/2004 10:18 PM  6/27/2004 10:18 PM
NOTEPAD.EXE-2DAE2DE6.pf  C:\WINDOWS\Prefetch  32 kb  6/27/2004 9:30 PM   6/27/2004 9:30 PM
NOTEPAD.EXE              C:\I386              25 kb  6/22/2004 8:23 AM   6/22/2004 8:23 AM   10/8/2002 12:40 PM
notepad.exe              C:\WINDOWS           25 kb  6/22/2004 8:23 AM   6/22/2004 8:23 AM   8/18/2001 5:00 AM
NOTEPAD.EXE              C:\WINDOWS\SYSTEM32  25 kb  6/22/2004 8:23 AM   6/22/2004 8:23 AM   8/18/2001 5:00 AM
notepad.exe.bak          C:\I386              25 kb  6/22/2004 8:23 AM   6/22/2004 8:23 AM   6/18/2004 8:31 PM
notepad.exe.bak          C:\WINDOWS           25 kb  6/22/2004 8:23 AM   6/22/2004 8:23 AM   6/18/2004 8:31 AM
notepad.exe.bak          C:\WINDOWS\SYSTEM32  25 kb  6/22/2004 8:23 AM   6/22/2004 8:23 AM   6/18/2004 8:31 AM
My conclusions are:
1) notepad.exe has been replaced by a virus/trojan (clicking notepad.exe
generates the DLLs and resets my IE homepage)
2) the virus hit me on 6/18/2004 8:31 AM and maybe again on 6/22/2004 8:23
AM.
3) NAV has repeatedly failed to catch the virus
My 2 questions are:
1) How do I remove the virus/trojan notepad.exe?
2) How do I replace the virus notepad.exe with an original notepad.exe on
WinXP SP1 with all the latest MS security patches?
Thanks,
Steve