notepad opens to full screen flames

Discussion in 'adware, spyware & hijack cleaning' started by BruceR, Apr 2, 2004.

Thread Status:
Not open for further replies.
  1. BruceR

    BruceR Guest


    Clicking on a .txt file opens up a command window, it then goes full screen, then red and yellow colors in flame shapes, in “motion” appear on the screen.
    “esc” ends the flames.
    Notepad never opens

    (work machine, currently unpluged from the network, I will f-disk it before it goes back on the network.)

    Win XP, SP1, current patched, slightly hardened (labmice checklist), McAfee AV updated daily, Pop-up stopper, bugnosis, and then TDS-3 with 4-1-04 update.

    > Is this with every txt file and in any location?

    > file properties will tell you what to open it with
    Claims to be notepad but it has the cmd icon.
    (I changed it back from word)

    > Can you re-associate them to be opened with notepad as TXT files?

    > Is the flaming and moving only at opening TXT files,

    >or also with other kinds of files

    > Just when you open them somewhere special or anywhere on your system?

    > ....Process Lists...
    Nothing bad shows up on a TDS-3 process scan.

    Alt Tab lets me switch out of the flames and do other things.

    C-A-D, task manager, Processes...
    NTVDM.exe is what is run when I try to open a .txt file.
    If I kill that process the cmd window (running the flames)(on the taskbar as "c:\windows\sustem32\noptepad.exe") goes away.
    I can run more than 1 set of flames at the same time.

    > Properties...
    There is a notepad.exe in c:/windows and in c:/windows/system32
    On a good machine there are the same size and have the same icon
    On the bad machine the c:\windows/system32 notepad.exe has a size of 2.31 kb and the cmd icon. The date modified is MONDAY 3/29/04
    The c:/windows notepad.exe size and icon closely matches the good machine even to matching the create and modify dates as associated with the creation of each machine.

    > If you recently visited some site or clicked anything unusable...
    most likly on Monday. I'll go look around for what happened that day.

    > if you find extra instances of notepad in your system
    Other than above there is a notepad.exe (with the correct icon) (compressed, noted by the color change) in c:\windows\system32\dllcache which opens up the real notepad propgram just fine.

    > Autostart Explorer, are there any new keys you did not see before?
    I do not think that I ran this on the machine. A current run does not show anything new for notepad. My current opinion is that the notepad.exe was "replaced". (not a registry change) Are there logs anwhere else but the log subdirectory? I had to associate .txt back to Word to see the logs

    FTP c:\windows\system32\notepad.exe to where?

    As asked I ran HiJackThis with the malware running.
    It shows up as the ntvdm.exe (last line of the processes)
    All of the other programs are expected and I installed on purpose.

    HiJackThis log file:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:03:25 PM, on 4/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Documents and Settings\rights\Local Settings\Temp\HijackThis.exe

    O1 - Hosts:
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - C:\Program Files\Bugnosis\WebBug.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Bugnosis - {930E4DE1-973D-42D6-BF6E-6788E06BD003} - C:\Program Files\Bugnosis\WebBug.dll
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [Sun ONE Synchronization - iPlanet] C:\Program Files\Common Files\XCPCSync\Translators\iPlanet\iPlanetTray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: Sync2It.lnk = C:\Program Files\Sync2It\Sync2It.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) -
    O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) -
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
  2. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
    Notepad.exe as a legitimate copy should be 65K in size on xp

    can you zip up & send me the small notepad.exe file that is in windows/system32

    send it to the email address on the spykiller site in my signature

    then delete that notepad file, copy the version from a good machine and drop it into system32

    then download CWshredder from then Run it
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.

    and make sure you follow the advice about the security updates listed on the last page, in order to prevent re-infection, otherwise you will be continually reinfected
    the patches are :
    *Note: The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates & service Packs"
  3. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
    NTVDM.exe is a legitimate windows file that translates 16 bit programs into 32 bit so they will run on windows,, that is why it appears when this bad version of notepad runs

    I have seen notepad replaced in sopme cases but not with the flame, but with other so called jokes
  4. BruceR

    BruceR Guest

    > make sure you follow the advice about the security updates
    Machine has 828026 patch installed. (It is in add/remove programs, It is also listed under c:\windows)
    I have automatric windows update service running and I also go to windows update website weekly.

    > can you zip up & send me the small notepad.exe file that is in > windows/system32
    From home, tonight.
  5. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    for my education and future readers', for my uneducated eyes the hjt looks very clean, why is the CWShredder to be used here? Is that an extra precaution?
  6. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
    The only reason I suggested cwshredder is because in the past I have seen some versions of CWS replace notepad with an infected copy and I suspected that this might be a possibilty that needed exluding, even though there were no obvious cws signs in the log

    Several of the cws variants hide succsessfully from a hjt log
  7. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Ah! that explains. So i start understanding the HJT logs little by little with all your guys' tons of instructions in all those logs!

    Googled indeed for notepad and indeed several nasties replace that one; also because of the relaced icon got me thinking.
    In one thread i saw the notepad file associated to some avi's and more of such jokes. This was my reason to look for fileassociations in the first place and the possible 0 bytes files.
    Hope after this CWShredder and replacing the notepad.exe with a clean original one all is clean again.
    I forgot about the possible hidden instances!

    Was thinking: it's an XP so if all this is ok a system restore to before the suspected date could be something too, but i like to be really very sure if all is cleaner then clean and what caused the stuff!

  8. BruceR

    BruceR Guest

    short reivew of history and email for monday reveals that it is the day I went to links removed as the sites in question are against this forum TOS
    ( I was invesitgating another computer which had had RemoteNC installed on it. The owners will not flatten it and re-build it.)

    edited to remove links , by DVK01[/1]
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.