programs open in notepad by default 2

laker67

Programmer
Jan 18, 2004
31
US
Most of the programs I try to open on my machine open with notepad. This happened after I accidentally opened a file with notepad. I wanted to do a system restore back, but when I go to System Tools -> System Restore, that program also opens in notepad Garbage.
Also, when I reboot the computer I get 19 programs opened in notepad on the desktop, including tptray, apoint, ceekey, ypager, etc. I also tried to open the command prompt with cmd and it also opens in notepad. Can anyone tell me how to restore all the programs to open with their default "open with" rather than notepad? Any thoughts appreciated.
 
I did try a virus scan as mentioned, but no luck. I'm guessing it has got to do with a change in the registry.
 
Troj/Offensive
Type
Trojan

Detection
Detected by Sophos Anti-Virus.

Description
"Troj/Offensive is a JavaScript Trojan horse. If you visit an infected website the Trojan horse will attempt to exploit a vulnerability in the Microsoft virtual machine first discovered in October 2000. Some of the Registry changes include offensive remarks about the people and government of Japan.

The Trojan horse makes a large number of changes to the Registry, effectively making Windows unusable.

Amongst the changes that the Trojan horse makes are changes to the associations for .EXE, .REG, .HTM, .HTML, .INF, .DLL, .INI, .SYS, .COM, and .BAT files so that rather than being associated with their respective applications they launch Windows Notepad instead.

The Trojan horse changes the association for .TXT files so it attempts to launch them as executable files.

Microsoft has released a patch which reportedly fixes the security vulnerability. More details of this patch are available here."






You could try running the "Exe file fix" from this site.






From Lockergnome tips.

"Use Registry Editor to change the (Default) string value in the following registry key to "%1" %* (with quotation marks):

HKEY_CLASSES_ROOT\exefile\shell\open\command\

Windows cannot find PROGRAM.EXE. This program is needed for opening files of type 'Application.'" What to do? Fire up your Registry editor and navigate to HKEY_LOCAL_MACHINE \ Software \ Classes \ Exefile \ Shell \ Open \ Command. Now, whatever value is in there needs to be replaced with the following: "%1" %* (exactly as shown). You should only have to do this when your EXEs have stopped launching properly."
 
Thanks for the tip, but no luck. Regarding the Trojan, I did check the link and it's not for the version of Windows I'm running (Windows XP Home). It's for Windows 95, 98, 2000. I also downloaded from dugknox.com but no luck... any thoughts appreciated...
 
It sounds to me like you have your file associations mixed up. Try going into control panel, folder options, file types. And make sure that the files that are opening with notepad are associated with the correct program to open with.

Just a thought,

Z
 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command

What default value have you got in this key?

If you can't access RegEdit, copy Regedit.exe to My Documents, rename the .exe to .bat or .com, and see if you can open the renamed file to get access to the Registry. You can try that with %SystemRoot%\System32\restore\rstrui.exe and see if System Restore starts when you copy/rename rstrui.exe to .com or .bat.

You may be able to fix the associations for some file extensions with editing them as "zmann" has indicated, but the more important ones are not listed in there.

I don't think that right-clicking on a .exe file gives you the option to "Open With" and "Choose a Program" and fix the association that way either.

In fact, I'm beginning to think Format and Reinstall, but I have been wrong so often, why should this be any different?

See how you go with some of the other suggestions by forum members, I still have a few ideas to suggest but will hold off until and if it becomes a last chance solution.

Have you done any backups?
 
Linney,
I'm able to access regedit directly. The default value of
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command = "%1" %*, which seems to be right.

I also downloaded the xp_exe_fix.zip file from and I guess it did fix the registry, but the files still open in notepad.

Also, I do seem to have notepad.exe in 3 folders.
c:\windows\notepad.exe
c:\windows\system32\notepad.exe
c:\win\dows\prefetech\NOTEPAD.EXE-336351A9.pf

Any thoughts...appreciated
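
Added example (not written by any poster in this thread, and not code from Doug Knox's fix): a Python check that reads registry export text and flags executable file associations whose (Default) value differs from the stock one. It assumes the export has already been decoded to text; the comfile/batfile commands and the extension-to-class mappings are stock Windows values supplied here, and the sample export is constructed.

```python
import re

# Extension -> class mappings are stock Windows values added for this example.
CLASSES = {".exe": "exefile", ".com": "comfile", ".bat": "batfile"}
# The exefile command is the value quoted in the thread; comfile and batfile
# use the same stock command line.
EXPECTED = {**CLASSES, **{c + r"\shell\open\command": '"%1" %*'
                          for c in CLASSES.values()}}
# HKEY_CLASSES_ROOT is a merged view: per-user entries under HKCU override
# the machine-wide ones under HKLM, so both hives have to be checked.
ROOTS = ("HKEY_CLASSES_ROOT\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\",
         "HKEY_CURRENT_USER\\Software\\Classes\\")

def parse_defaults(reg_text):
    """Map each key in a .reg export to its (Default) string value."""
    defaults, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])  # undo \" and \\
    return defaults

def audit(reg_text):
    """Return (key, found, expected) for every monitored default that differs."""
    findings = []
    for key, value in parse_defaults(reg_text).items():
        for root in ROOTS:
            if key.lower().startswith(root.lower()):
                want = EXPECTED.get(key[len(root):].lower())
                if want is not None and value.strip().lower() != want.lower():
                    findings.append((key, value, want))
    return findings

# Constructed sample export: the exefile command is intact, but a per-user
# .exe mapping and the batfile command have been redirected.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="txtfile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@="NOTEPAD.EXE %1"
'''

if __name__ == "__main__":
    for key, found, want in audit(SAMPLE):
        print(f"{key}: found {found!r}, expected {want!r}")
```

On the sample, the exefile command passes while the per-user .exe mapping and the batfile command are reported, which shows why a correct exefile value alone does not rule out a redirected association.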
 
This one:
c:\windows\notepad.exe

Is a virus.

Download and post the log from Hijack This:

What may also help you is that you can copy regedit.exe, and rename it regedit.com and it will work. Similarly, Msconfig will work if renamed.
 
I did download from Hijack This. But I'm not able to run the exe from their site since it also opens in notepad. Should I delete c:\windows\notepad.exe?
I'm a newbie, so please bear with me.
 
Turn off System Restore.
Bring up Task Manager, and if you find notepad.exe running, stop the task.
Delete notepad.exe in c:\windows
Try to run Hijack This now.
 
Thanks for the information, bcastner. I will check the registry this evening once I get home.
Also, notepad.exe has the same date and size in both the folders.
c:\windows\notepad.exe
c:\windows\system32\notepad.exe
 
Just checking, as "fake" notepad, winlogon, svchost, etc. files are common.

If the date/time stamp, size, match between the copies in \Windows\System, and \Windows\System32 then leave it alone.

1. Do all of your analysis work in Safe Mode, as this automatically disables some, not all, RUN keys from the registry.

2. Remember to disable System Restore.

3. If you can run Msconfig, renamed, then disable all Startup items and everything but the Windows XP services under the Services tab.

These are the registry areas of interest:

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKU = HKEY_USER
HKLM = HKEY_LOCAL_MACHINE
HKCU = HKEY_CURRENT_USER

You might consider Exporting each of these keys to a safe location using regedit.

Then deleting them using regedit.

Then rebooting.
 
Here is a trick when your .exe extensions are hijacked.

Rename the ".exe" file that you want to run to ".com". It should launch after this ... unless your ".com" extension is also hijacked.

I had to do this once to edit the registry to fix a virus ... but regedit.exe could not be launched. Renaming to regedit.com did the job.
 
Since you still have access to IE, use the general repair to file associations .reg file from Doug Knox. It takes effect only after a reboot:
This more comprehensively replaces file associations than my earlier .EXE association fix.

OzCDN is correct that renaming a copy of regedit.exe to regedit.com will let you access the program; this was discussed earlier.

You can beat this problem without a reinstallation with a careful pruning of the registry RUN keys.

Keep us informed as to your progress.
 
I wonder if turning off System Restore (at this stage) is the right thing to do as it will also lose you access to the good restore points (and registry snapshots) saved before this problem occurred.

I would advise leaving your restore points until after the problem is solved. Then it will be safer to turn off system restore.

As long as you don't run system restore, nothing in there is going to affect your machine or reinstall any rubbish.

Once you are up and running correctly, then removing the restore points will be necessary to prevent you from recreating your current problem.
 
linney,

A very good point.

My concern is that the issue is already implanted in \%WINDIR%\System, or \..\System32, and the restore points are useless.

By turning off System Restore I also stop the monitoring of EXE files on his system, including the caching of them.

If I could just get a startup log, including the best: Hijack, we could beat this thing just through Hijack and a Safe Mode removal.

Count me in as 89% sure that this thing can be worked-around, and beaten without a re-install.



 
The restore points created since this trouble may be useless, but to get rid of them you have to get rid of everything, including good restore points. My concern is that if we were to proceed to a "Charlie White" type solution it wouldn't be available.

How do you see the monitoring of exe files (not sure what you mean by caching) as a problem?

I am not 100% sure this is a virus type problem as it may be an "own goal" by "laker67" when he used Notepad to open a file and reset associations.


As for Hijack This, we may get this run if the .exe was renamed to .bat or .com, as alluded to throughout this thread.
 