I have installed TDS-3. It does not pick up this problem I have (for the last 4 days) Clicking on a .txt file opens up a command window, it then goes full screen, then red and yellow colors in flame shapes, in “motion” apoppear on the screen. “esc” ends the flames. Notepad never opens Notepad.exe as a program opens just fine form it’s sub-directory --File extension for txt changed to open in MS word, opens just fine Sounds like a registry setting change in the call to open notepad.
Hi BruceR, and welcome the first part of the story is not clear to me yet, the second with notepad opening or not -- could there by files 0 bytes size among which notepad.exe among others in the TDS directory? If so, delete those 0 bytes files there. I copied windows.exe and wordpad.exe one time extra in the TDS directory and now windows can make as many 0 bytes sized copies as it wants, but they still work for me. The first part of the question does not look good at all. Is this with every txt file and in any location? If you go in windows explorer and rightclick on a textfile the file properties will tell you what to open it with, and is that word for all txt files, also very small little tiny few characters files you just created right this minute as a test.txt file? Can you re-associate them to be opened with notepad as TXT files? If they are large they should normally open with wordpad (over 100 KB i think) Is the flaming and moving only at opening TXT files, or also with other kinds of files and just when you open them somewhere special or anywhere on your system? When you go in TDS > System Analysis > Process Lists do you see there any running process which you don't recognise? If you look in the same area in Autostart Explorer, are there any new keys you did not see before? Which windows version are you using? I would also like you to check this notepad.exe if it has been modified recently and can you in that case please submit it to submit@diamondcs.com.au for advice. Please report back! What i also would like to know if you recently visited some site or clicked anything unusable which might be connected to this problem, if you find extra instances of notepad in your system or in another place then where it should be (default c:\windows probably) etc.
can you please do this for me http://www.wilderssecurity.com/showthread.php?t=15913 but go direct to step 2, download hijackthis and post in the hiajck removal forum I think this is a version of CWS as I've seen similar behaviour before, but I need to se the hjt log and if poss the diampond autostart log which shows a lot more details
Hi, Thanks for the reply. I do not believe that my problem is related to TDS-3, except that it does not catch it. (work machine, currently unpluged from the network, I will f-disk it before it goes back on the network.) Currenltly working on a old/slow laptop without e-mail.. Win XP, SP1, current patched, slightly hardened (labmice checklist), McAfee AV updated daily, Ad-Aware, SpyBot S&D, and then TDS-3 with 4-1-04 update. > Is this with every txt file and in any location? Yes > file properties will tell you what to open it with Claims to be notepad but it has the cmd icon. (I changed it back from word) > Can you re-associate them to be opened with notepad as TXT files? done > Is the flaming and moving only at opening TXT files, Yes >or also with other kinds of files No > Just when you open them somewhere special or anywhere on your system? Anywhere > ....Process Lists... Nothing bad shows up on a TDS-3 process scan. Alt Tab lets me switch out of the flames and do other things. C-A-D, task manager, Processes... NTVDM.exe is what is run when I try to open a .txt file. If I kill that process the cmd window (running the flames)(on the taskbar as "c:\windows\sustem32\noptepad.exe") goes away. I can run more than 1 set of flames at the same time. > Properties... There is a notepad.exe in c:/windows and in c:/windows/system32 On a good machine there are the same size and have the same icon On the bad machine the c:\windows/system32 notepad.exe has a size of 2.31 kb and the cmd icon. The date modified is MONDAY 3/29/04 The c:/windows notepad.exe size and icon closely matches the good machine even to matching the create and modify dates as associated with the creation of each machine. > If you recently visited some site or clicked anything unusable... most likly on Monday. I'll go look around for what happened that day. > if you find extra instances of notepad in your system Other than above there is a notepad.exe (with the correct icon) (compressed, noted by the color change) in c:\windows\system32\dllcache which opens up the real notepad propgram just fine. > Autostart Explorer, are there any new keys you did not see before? I do not think that I ran this on the machine. A current run does not show anything new for notepad. My current opinion is that the notepad.exe was "replaced". (not a registry change) Are there logs anwhere else but the log subdirectory? I had to associate .txt back to Word to see the logs FTP c:\windows\system32\notepad.exe to where? Bruce
Hi Bruce, Could you please send that notepad.exe (if possible: zipped) to Gavin: submit@diamondcs.com.au Please report back!
Yes I will await this one curiously.. please post your ASViewer and Hijack this log in this thread too
WinTasks Process Library ntvdm - ntvdm.exe - Process Information Process File: ntvdm or ntvdm.exe Process Name: Windows 16-bit Virtual Machine Description: Application that provides an environment for a 16-bit process to execute on a 32-bit platform. Company: Microsoft Corp. System Process: Yes Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No Common Errors: N/A There is a thread about a changed notepad.exe over at DSLR forum http://www.dslreports.com/forum/remark,9849469~mode=flat which might be related. And another one here: http://groups.google.ca/groups?selm=406c3945.3020265%40news.kolumbus.fi&oe=UTF-8&output=gplain And if it suits the story a fix for the new ICRbot http://www.terrorfactor.com/IRCBot.trojan.fix.html On my win98se system the original notepad is in the windows\notepad.exe but as i remember there are some nasties and exploits trying to change notepad i put extra copies of the original also in system and system32 and even one in the TDS-3 directory. So after that it is easy to add them all to the CRCscan.txt in TDS with their full paths so if any of them would change there is an immediate alarm on the changed version which can be zipped and submitted to Gavin submit@diamondcs.com.au immediately. Please don't format yet, by the sounds it is very useful to know everything of your infection first and if with that knowledge you can check the whole network extra once you know what to look for! Suppose it's the same on the XP system you're using: Another test would be if you do a find in windows for all files created or changed that day, sort them in order of creation time and look around the same time of the notepad.exe Would like to know if there are specific files which need extra attention. Hey BruceR, you mgiht like to register as a member for the forum here, it's free and we can give you good karma cookies for bringing this highly interesting matter here to help you the best we can and having another system cleaned on the internet!
I've sent the notepad file to Gavin, that he sent me after giving him some cleaning instructions in the hijack forum. It's not the same as the other you mentioned as it's a very small file, only 2.31k but written in some machine code that none of my analysers will read his HJT log is posted here http://www.wilderssecurity.com/showthread.php?t=26714
short reivew of history and email for monday reveals that it is the day I went to ~sites removed to conform to forum TOS~. ( I was invesitgating another computer which had had RemoteNC installed on it. The owners will not flatten it and re-build it.) *removed links*
Ahhh! Now we really want a full HJT and AutoStartViewer log from you, to look if there is more the matter. Keep the mailbox open and the submit@diamondcs.com.au at hand before deleting anything from your system. Pardon, you did already in the other thread Is the system now after another deep scan and online scan really all clean and behaving well? Does the owner not have confidence after the RemoteNC files are removed? Depends on if they know where it came from and when. In that case you could get back to an older restore point or in the clean situation create a new one after having deleted all former instances.
