Jorge, I found another one of your posts (thanks again) in the archives I never received on this matter below.
------------
Notpad is a Notepad sub with -supposedly- more features. You will find it here www.naughter.com/notpad.html
You might have downloaded it from a freeware/shareware site, and then.......... (who knows what happened)

best regards
Jorge
----------------

Naa, that's not it. :-) This "notpad" I found in my Windows folder is EXACTLY like "notepad" in every way. Looks the same, works the same. It appears the original "notepad" was renamed to "notpad". Plus this was a brand new format and I hadn't even installed anything yet other than essentials.

This may explain what happened to my ability to view the "status bar" in Notepad, it's now grayed out. I'll put that in a dedicated post.

-Clint

----- Original Message -----
From: "Support-OrpheusComputing.com"

I got the problem of not being able to "View source" fixed. I remember now someone mentioned before that happens when you have a notepad shortcut on your desktop. I dragged those bogus Notepads to my desktop when I was checking them out, that's what caused it. I moved them to a folder, and now view source works again.

So what I'm left with now, is what is "Notpad" and how I got it, and those registry keys SpyBot keeps finding I mentioned below.

-Clint

----- Original Message -----
From: "Support-OrpheusComputing.com"

That's NOT "Notepad" but "NOTPAD" without the "e". All I could find in searches is a seemingly legit program that's a replacement for Notepad.

I just searched my ENTIRE PC, drives, partitions, etc., and the ONLY place I found it was in the System32 folder. Now, the odd thing is, I didn't install it. I don't see it on other XP Pro PCs over here.

The reason I think this is a problem, is what happened. I was going to some websites and I got a warning from one of my anti-SpyWare programs that "Notepad is trying to be executed" or accessed, something like that. I assumed at the time it was NOTEPAD and not NOTPAD, but I can't be sure. I of course denied it.
After closing all the webpages, I could NOT open text files! Nothing happened when I clicked them. I had to right click and "open with" and I noticed in the list there were TWO entries for "notepad". One was the default XP Notepad icon and was exactly called "Notepad", but the other was one of those blue and white MS-DOS application looking icons, and it was called "NOTEPAD" in all caps! The one in all caps would not work! I then chose the regular one called "Notepad" and selected to always open with it, and text files opened ok again.

But now I have lost the ability to "view source" at any webpages by using the toolbar OR right clicking the webpage and selecting "view source". NEITHER of those work now! Sometimes Notepad will open and it's totally empty, other times NOTHING at all will happen!

It was not until I went to "folder options" and "file types" to check out file associations, and scrolled down to "notepad" (I forget if it was upper or lower case, or a combo, or even if it was spelled correctly) that I noticed the button for it was now at "Restore", meaning another program had taken over text files, yet it was STILL called "Notepad", I THINK. I think it was all caps. I went into the "advanced" area and "browse" to check out the system32 folder and it was then I noticed I had a "notpad" (no "e") and a "NOTEPAD", case sensitive! "notpad" was the ORIGINAL XP default Notepad icon, yet it was spelled without the "e"! "NOTEPAD" was the blue and white DOS app icon I described above!

I dragged "NOTEPAD" from the system32 folder onto my Desktop, then I renamed "notpad" to "Notepad". I right clicked both files to check out the properties, and that one that was the blue and white icon is only a 3K file! What was "notpad" that I just changed to "notepad" appears to be the real thing at 64.5k in size which is correct, and version 5.1.2600.0 which is also correct, and all other info points to the real original M$ file.
It appears to be identical in every way to the Notepad file on my other XP Pro PCs. Somehow, it apparently got its name changed! How?? And what the heck is that blue and white MS-DOS app 3K file called "NOTEPAD"? Right clicking it says it was created in 2001! But it says modified today at 2AM.

I searched the other PCs for "notpad", and again, found nothing in the registry or on the drives. "Notpad" IS in my registry! It's listed right under "Notepad". I haven't deleted it yet. It turned up in a bunch of different places in my registry. (Pasted at the very bottom).

After renaming "notpad" to "Notepad", and removing the blue and white iconed "NOTEPAD" from the system32 folder, text files now open up as usual, that bogus "NOTEPAD" has been removed from the "open with" dialog, but I still cannot view the source of any webpages!! I went to the "programs" tab of IE options and Notepad is indeed still there as the "HTML editor". Yet, view source will not work.

The closest thing I found to this was the QAZ worm, but it renames Notepad to not.com:

"When executed, it will search for Windows folder in the local system and network and copies to "notepad.exe". The original notpad.exe file is renamed to note.com. Then it modifies the registry entries to start automatically."

Now that doesn't make sense, that must be a typo because that quote says "..the original NOTPAD" and not "notepad"! According to that, "notpad.exe" is the real Windows file! Must be a typo?

I ran a spyware scan with SpyBot and Adaware, and SpyBot found 6 BHOs, which I told it to remove. I ran it again, and it STILL found them! I searched the registry for the keys it says were there, and they are NOT there! What's going on with that?
This is what it said it found:

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1614895754-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

The closest thing I found to that was (example of the first entry):

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004

and note that key does not have the "!=W=3" Spybot said it has! NONE of them do, each key Spybot said it found, is like the key above, just with "1004" and that's it. Also, those keys I DO have with the 1004 are NOT dword entries as all of the others are in the same area, it's the only one that's a "string" with the "ab" icon.

I don't know if these keys Spybot is finding have anything to do with the Notepad problem or not, but why is SpyBot finding something that is not there? Should I delete those registry keys anyway?

So, does anyone know of an obviously malicious code or program called "notpad"; how I got it even after denying the anti-spyware request; what happened to "Notepad" to change it to "notpad"; and how to get back the ability to "view source" again?

This is a brand new format on a new HD and new PC, and I just got finished with it hours ago!!
I'm not about to have to reformat again to fix this issue!! :-<

Thanks,
-Clint

God Bless
Clint Hamilton, Owner
http://OrpheusComputing.com

Places where "notpad" was found:

HKEY_CLASSES_ROOT\Applications\notpad.exe
HKEY_CURRENT_USER\Software\Classes\Applications\notpad.exe
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList
HKEY_USERS\S-1-5-21-1614895754-527237240-725345543-1003\Software\Classes\Applications\notpad.exe
HKEY_USERS\S-1-5-21-1614895754-527237240-725345543-1003\Software\Classes\Applications\notpad.exe\shell\open\command
HKEY_USERS\S-1-5-21-1614895754-527237240-725345543-1003\Software\Microsoft\Search Assistant\ACMru\5603
HKEY_USERS\S-1-5-21-1614895754-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
HKEY_USERS\S-1-5-21-1614895754-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe
HKEY_USERS\S-1-5-21-1614895754-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList
HKEY_USERS\S-1-5-21-1614895754-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList
HKEY_USERS\S-1-5-21-1614895754-527237240-725345543-1003_Classes\Applications\notpad.exe
HKEY_USERS\S-1-5-21-1614895754-527237240-725345543-1003_Classes\Applications\notpad.exe\shell\open\command

============= PCWorks Mailing List =================
Don't see your post?
Check our posting guidelines & make sure you've followed proper posting procedures,
http://pcworkers.com/rules.htm
Contact list owner <[EMAIL PROTECTED]>
Unsubscribing and other changes: http://pcworkers.com
=====================================================
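
A triage sketch for the "Places where notpad was found" list in the message above, added here as an example (it is not part of the original post and not Spybot or Windows code). It folds the HKEY_USERS\<SID> and <SID>_Classes aliases onto HKEY_CURRENT_USER, then labels what is left; it assumes the SID in the list belongs to the logged-on user, and the category labels are this example's own wording.

```python
import re

# Hit list from the post, rebuilt from its shared prefixes (constructed input).
SID = "S-1-5-21-1614895754-527237240-725345543-1003"
CU, US = "HKEY_CURRENT_USER", "HKEY_USERS\\" + SID
APP = r"\Software\Classes\Applications\notpad.exe"
CMD = r"\shell\open\command"
EXPLORER = r"\Software\Microsoft\Windows\CurrentVersion\Explorer"
TAILS = [
    r"\Software\Microsoft\Search Assistant\ACMru\5603",
    EXPLORER + r"\ComDlg32\OpenSaveMRU\*",
    EXPLORER + r"\ComDlg32\OpenSaveMRU\exe",
    EXPLORER + r"\FileExts\.rar\OpenWithList",
    EXPLORER + r"\FileExts\.txt\OpenWithList",
]
HITS = [
    r"HKEY_CLASSES_ROOT\Applications\notpad.exe",
    CU + APP, US + APP, US + APP + CMD,
    US + r"_Classes\Applications\notpad.exe",
    US + r"_Classes\Applications\notpad.exe" + CMD,
] + [root + tail for root in (CU, US) for tail in TAILS]

# Labels are this example's own wording; most specific pattern first.
RULES = [
    (r"\\Applications\\[^\\]+\\shell\\open\\command$", "handler command line (inspect its value)"),
    (r"\\Applications\\[^\\]+$", "application entry used by Open With"),
    (r"\\FileExts\\\.[^\\]+\\OpenWithList$", "per-extension Open With list"),
    (r"\\ComDlg32\\OpenSaveMRU\\[^\\]+$", "history: files picked in Open/Save dialogs"),
    (r"\\Search Assistant\\ACMru\\\d+$", "history: search terms typed"),
]

def canonical(path):
    # HKEY_USERS\<SID> is the same hive as HKEY_CURRENT_USER for that user, and
    # <SID>_Classes is its Software\Classes subtree (assumes SID is logged on).
    if path.startswith(US + "_Classes\\"):
        return CU + r"\Software\Classes" + path[len(US + "_Classes"):]
    if path.startswith(US + "\\"):
        return CU + path[len(US):]
    return path

def triage(hits):
    """Return {canonical location: label}, dropping alias duplicates."""
    out = {}
    for hit in hits:
        key = canonical(hit)
        label = next((lab for pat, lab in RULES if re.search(pat, key)), "unclassified")
        out.setdefault(key, label)
    return out

if __name__ == "__main__":
    result = triage(HITS)
    print(len(HITS), "hits ->", len(result), "distinct locations")
    for key, label in result.items():
        print(f"{label:45} {key}")
```

HKEY_CLASSES_ROOT is left as its own entry because it is a merged view and the list alone does not say which underlying hive supplies that key.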
