#1
Hi,
Clicking on a .txt file opens up a command window; it then goes full screen, then red and yellow colors in flame shapes, in “motion”, appear on the screen. “Esc” ends the flames. Notepad never opens.

(Work machine, currently unplugged from the network; I will fdisk it before it goes back on the network.) Win XP, SP1, currently patched, slightly hardened (labmice checklist), McAfee AV updated daily, Pop-up Stopper, Bugnosis, and then TDS-3 with 4-1-04 update.

> Is this with every txt file and in any location?
Yes.

> file properties will tell you what to open it with
Claims to be notepad but it has the cmd icon. (I changed it back from Word.)

> Can you re-associate them to be opened with notepad as TXT files?
Done.

> Is the flaming and moving only at opening TXT files,
Yes.

> or also with other kinds of files
No.

> Just when you open them somewhere special or anywhere on your system?
Anywhere.

> ....Process Lists...
Nothing bad shows up on a TDS-3 process scan. Alt-Tab lets me switch out of the flames and do other things. C-A-D, Task Manager, Processes... NTVDM.exe is what is run when I try to open a .txt file. If I kill that process the cmd window (running the flames) (on the taskbar as "c:\windows\system32\notepad.exe") goes away. I can run more than one set of flames at the same time.

> Properties...
There is a notepad.exe in c:\windows and in c:\windows\system32. On a good machine they are the same size and have the same icon. On the bad machine the c:\windows\system32\notepad.exe has a size of 2.31 KB and the cmd icon. The date modified is MONDAY 3/29/04. The c:\windows notepad.exe size and icon closely match the good machine, even to matching the create and modify dates associated with the creation of each machine.

> If you recently visited some site or clicked anything unusable...
Most likely on Monday. I'll go look around for what happened that day.

> if you find extra instances of notepad in your system
Other than the above there is a notepad.exe (with the correct icon) (compressed, noted by the color change) in c:\windows\system32\dllcache which opens up the real notepad program just fine.

> Autostart Explorer, are there any new keys you did not see before?
I do not think that I ran this on the machine. A current run does not show anything new for notepad.

My current opinion is that the notepad.exe was "replaced" (not a registry change).

Are there logs anywhere else but the log subdirectory? I had to associate .txt back to Word to see the logs.

FTP c:\windows\system32\notepad.exe to where?

As asked I ran HijackThis with the malware running. It shows up as the ntvdm.exe (last line of the processes). All of the other programs are expected and I installed them on purpose.

HijackThis log file:

Logfile of HijackThis v1.97.7
Scan saved at 3:03:25 PM, on 4/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\rights\Local Settings\Temp\HijackThis.exe
C:\WINDOWS\system32\ntvdm.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - C:\Program Files\Bugnosis\WebBug.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Bugnosis - {930E4DE1-973D-42D6-BF6E-6788E06BD003} - C:\Program Files\Bugnosis\WebBug.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Sun ONE Synchronization - iPlanet] C:\Program Files\Common Files\XCPCSync\Translators\iPlanet\iPlanetTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Sync2It.lnk = C:\Program Files\Sync2It\Sync2It.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37823.2909027778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
#2
Notepad.exe as a legitimate copy should be 65K in size on XP.

Can you zip up & send me the small notepad.exe file that is in windows/system32? Send it to the email address on the spykiller site in my signature. Then delete that notepad file, copy the version from a good machine and drop it into system32.

Then download CWShredder from http://www.thespykiller.co.uk and run it: close all browser windows, click on the cwshredder.exe, then click "FIX" (not "Scan only") and let it do its thing.

And make sure you follow the advice about the security updates listed on the last page, in order to prevent re-infection; otherwise you will be continually reinfected. The patches are:
http://support.microsoft.com/default.aspx?kbid=828026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp

*Note: The simplest way to make sure you have all the security patches is to go to Windows Update and install all "Critical Updates & Service Packs".
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy | Hedgehog Rescue
#3
NTVDM.exe is a legitimate Windows file that translates 16-bit programs into 32-bit so they will run on Windows; that is why it appears when this bad version of notepad runs.
I have seen notepad replaced in some cases, but not with the flame, but with other so-called jokes.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy | Hedgehog Rescue
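An added example, not code from the thread or from either poster, that turns the two checks above into a script: Derek's size comparison against a known-good notepad.exe (the dllcache copy or one from a clean machine), and the reason the impostor shows up as ntvdm.exe, namely that it is not a native PE image at all. It reads the MZ header, follows e_lfanew and classifies the file as PE, NE (16-bit Windows), plain DOS, or no MZ header; anything but PE is what XP hands to NTVDM. The sample byte strings at the bottom are constructed here and are not bytes of any real notepad.exe; the file paths on the command line are whatever you pass in.

```python
"""Classify a suspect system binary by its executable header and compare it
against a trusted reference copy by size and SHA-256.

Example added for this thread; the sample images below are constructed.
"""
import hashlib
import struct
import sys

MZ_HEADER_LEN = 0x40  # size of the legacy DOS header; e_lfanew sits at 0x3C


def classify_executable(data: bytes) -> str:
    """Return 'PE', 'NE16', 'DOS' or 'NO_MZ' for the given image bytes.

    'PE' is a native Win32 image.  'NE16' (16-bit Windows), 'DOS' and
    'NO_MZ' (a .com-style program renamed to .exe) are all run by XP under
    ntvdm.exe, which is exactly the process the original poster saw.
    """
    if len(data) < MZ_HEADER_LEN or data[:2] != b"MZ":
        return "NO_MZ"
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]  # relocation table offset
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the new header
    # Old-style DOS programs keep the relocation table inside the 0x40-byte
    # header and leave e_lfanew meaningless, so treat those as DOS outright
    # rather than reading a "signature" from unrelated bytes.
    if (e_lfarlc < MZ_HEADER_LEN or e_lfanew < MZ_HEADER_LEN
            or e_lfanew + 4 > len(data)):
        return "DOS"
    signature = data[e_lfanew:e_lfanew + 4]
    if signature == b"PE\x00\x00":
        return "PE"
    if signature[:2] == b"NE":
        return "NE16"
    return "DOS"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_binary(suspect: bytes, reference: bytes) -> dict:
    """Compare a suspect copy of a system binary with a trusted reference.

    A hash mismatch means the file is not the original, whatever the icon or
    the Properties dialog claims; the format tells you why it behaves oddly.
    """
    fmt = classify_executable(suspect)
    hash_matches = sha256_hex(suspect) == sha256_hex(reference)
    if hash_matches:
        verdict = "identical to reference"
    elif fmt == "PE":
        verdict = "PE image but differs from reference (size or content)"
    else:
        verdict = "replaced with a non-PE program; Windows would run it under ntvdm.exe"
    return {
        "format": fmt,
        "size": len(suspect),
        "reference_size": len(reference),
        "hash_matches": hash_matches,
        "verdict": verdict,
    }


def audit_files(suspect_path: str, reference_path: str) -> dict:
    """Same check over two files on disk, e.g. system32\\notepad.exe vs dllcache."""
    with open(suspect_path, "rb") as f, open(reference_path, "rb") as g:
        return audit_binary(f.read(), g.read())


# --- constructed sample images (not real notepad.exe bytes) -----------------
def _mz_header(e_lfarlc: int, e_lfanew: int) -> bytes:
    hdr = bytearray(MZ_HEADER_LEN)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x18, e_lfarlc)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr)


SAMPLE_PE = _mz_header(0x40, 0x40) + b"PE\x00\x00" + b"\x00" * 60
SAMPLE_NE16 = _mz_header(0x40, 0x40) + b"NE" + b"\x00" * 62
SAMPLE_DOS = _mz_header(0x1C, 0) + b"\xb4\x09\xcd\x21\xc3"  # DOS-style stub code

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(audit_files(sys.argv[1], sys.argv[2]))
    else:
        # A 16-bit impostor checked against the trusted image.
        print(audit_binary(SAMPLE_DOS, SAMPLE_PE))
```

Run it as `python audit.py C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\dllcache\notepad.exe` on the affected machine; a 2.31 KB file that classifies as DOS or NO_MZ with a hash mismatch is the replacement the thread describes. The reference copy should come from a source you trust more than the suspect box, which is why Derek asks for a copy from a good machine rather than relying on dllcache alone.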
#4
> make sure you follow the advice about the security updates
Machine has the 828026 patch installed. (It is in Add/Remove Programs; it is also listed under c:\windows.) I have the automatic Windows Update service running and I also go to the Windows Update website weekly.

> can you zip up & send me the small notepad.exe file that is in windows/system32
From home, tonight.
#5
Derek,
For my education and future readers', to my uneducated eyes the HJT log looks very clean; why is CWShredder to be used here? Is that an extra precaution?
__________________
Jooske "o_o"
#6
The only reason I suggested CWShredder is because in the past I have seen some versions of CWS replace notepad with an infected copy, and I suspected that this might be a possibility that needed excluding, even though there were no obvious CWS signs in the log. Several of the CWS variants hide successfully from a HJT log.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy | Hedgehog Rescue
#7
Ah! That explains it. So I start understanding the HJT logs little by little with all your guys' tons of instructions in all those logs!
Googled indeed for notepad, and indeed several nasties replace that one; also the replaced icon got me thinking. In one thread I saw the notepad file associated to some AVIs and more of such jokes. This was my reason to look for file associations in the first place, and the possible 0-byte files. Hope after this CWShredder and replacing the notepad.exe with a clean original one all is clean again. I forgot about the possible hidden instances! Was thinking: it's an XP, so if all this is OK a System Restore to before the suspected date could be something too, but I like to be really very sure that all is cleaner than clean and what caused the stuff! Thanks!
__________________
Jooske "o_o"
#8
A short review of history and email for Monday reveals that it is the day I went to [links removed as the sites in question are against this forum TOS].
(I was investigating another computer which had had RemoteNC installed on it. The owners will not flatten it and re-build it.) [edited to remove links, by DVK01]