I have solved the problem. I was the victim of malicious code. No doubt there are others out there that will experience this. I found the answer in this here:
http://www.mail-archive.com/[email protected]/msg09308.html

From: Support-OrpheusComputing.com
Subject: PCWorks: What is "Notpad", malicious code?? My Notepad was hijacked
Date: Sun, 16 May 2004 02:45:35 -0700

That's NOT "Notepad" but "NOTPAD" without the "e". All I could find in searches is a seemingly legit program that's a replacement for Notepad. I just searched my ENTIRE PC, drives, partitions, etc., and the ONLY place I found it was in the System32 folder. Now, the odd thing is, I didn't install it. I don't see it on other XP Pro PC's over here. The reason I think this is a problem, is what happened.

I was going to some websites and I got a warning from one of my anti-SpyWare programs that "Notepad is trying to be executed" or accessed, something like that. I assumed at the time it was NOTEPAD and not NOTPAD, but I can't be sure. I of course denied it. After closing all the webpages, I could NOT open text files! Nothing happened when I clicked them. I had to right click and "open with" and I noticed in the list there were TWO entries for "notepad". One was the default XP Notepad icon and was exactly called "Notepad", but the other was one of those blue and white MS-DOS application looking icons, and it was called "NOTEPAD" in all caps! The one in all caps would not work! I then chose the regular one called "Notepad" and selected to always open with it, and text files opened ok again. But now I have lost the ability to "view source" at any webpages by using the toolbar OR right clicking the webpage and selecting "view source". NEITHER of those work now! Sometimes Notepad will open and it's totally empty, other times NOTHING at all will happen!

It was not until I went to "folder options" and "file types" to check out file associations, and scrolled down to "notepad" (I forget if it was upper or lower case, or a combo, or even if it was spelled correctly) that I noticed the button for it was now at "Restore", meaning another program had taken over text files, yet it was STILL called "Notepad", I THINK. I think it was all caps. I went into the "advanced" area and "browse" to check out the system32 folder and it was then I noticed I had a "notpad" (no "e") and a "NOTEPAD", case sensitive! "notpad" was the ORIGINAL XP default Notepad icon, yet it was spelled without the "e"! "NOTEPAD" was the blue and white DOS app icon I described above! I dragged "NOTEPAD" from the system32 folder onto my Desktop, then I renamed "notpad" to "Notepad". I right clicked both files to check out the properties, and that one that was the blue and white icon is only a 3K file! What was "notpad" that I just changed to "notepad" appears to be the real thing at 64.5k in size which is correct, and version 5.1.2600.0 which is also correct, and all other info points to the real original M$ file. It appears to be identical in every way to the Notepad file on my other XP Pro PC's. Somehow, it apparently got its name changed! How?? And what the heck is that blue and white MS-DOS app 3K file called "NOTEPAD"? Right clicking it says it was created in 2001! But it says modified today at 2AM.

I searched the other PC's for "notpad", and again, found nothing in the registry or on the drives. "Notpad" IS in my registry! It's listed right under "Notepad". I haven't deleted it yet. It turned up in a bunch of different places in my registry. (Pasted at the very bottom).

After renaming "notpad" to "Notepad", and removing the blue and white iconed "NOTEPAD" from the system32 folder, text files now open up as usual, that bogus "NOTEPAD" has been removed from the "open with" dialog, but I still cannot view the source of any webpages!! I went to the "programs" tab of IE options and Notepad is indeed still there as the "HTML editor". Yet, view source will not work.

The closest thing I found to this was the QAZ worm, but it renames Notepad to not.com:

"When executed, it will search for Windows folder in the local system and network and copies to "notepad.exe". The original notpad.exe file is renamed to note.com. Then it modifies the registry entries to start automatically."

Now that doesn't make sense, that must be a typo because that quote says "..the original NOTPAD" and not "notepad"! According to that, "notpad.exe" is the real Windows file! Must be a typo?