
programs open in notepad by default 2


laker67

Programmer
Jan 18, 2004
31
US
Most of the programs I try to open on my machine open with Notepad. This happened after I accidentally opened a file with Notepad. I wanted to do a System Restore back, but when I go to System Tools -> System Restore, that program also opens in Notepad as garbage.
Also, when I reboot the computer I get 19 programs opened in Notepad on the desktop, including tptray, apoint, ceekey, ypager etc. I also tried to open a command prompt with cmd and it also opens in Notepad. Can anyone tell me how to restore all the programs to open with their default "open with" rather than Notepad? Any thoughts appreciated.
 
linney,

The "Charlie White" has nothing to do with System Restore. It has to do with "Last Known Good Configuration".

The monitoring of EXE files is related to System Restore, but I grant the point that it is more likely an issue with System File Protection than System Restore. Issue: a lot of malware introduces and/or changes "look alike" Windows files, and it dutifully replaces them if deleted in \%WINDIR%\System or \%WINDIR%\System32.

I am not 100% sure it is a virus either. My own opinion at the moment is that a "hijack" is annoying; something that replaces system files and/or prevents the base operating system from running, even if not purely distributed through viral means, is a new category: a huge p.i.a. I used the term "virus" loosely, as most antivirus protection programs will pick these up, but not always. They should always, in my opinion.

I have never tried the rename of Hijack This from .exe to .com, but I stand by my earlier comments: it does work for regedit.exe, and I believe it works for msconfig.exe.



 
Part 2 and Part 3 of "Charlie White" refer to System Restore and copying System Restore Registry files to the C/Windows/System32/Config folder.
 
I'm not 100% sure it is a virus. I did try to open a file that was downloaded from the internet (I believe it's an exe). Since I couldn't open it, I accidentally tried to open it with Notepad, and then all this gibberish followed. Other than the file associations with file types, the machine seems to be working normally. As I said earlier, my regedit does seem to be working fine, and as I went through most of the registry this morning, it seems to be fine. But I will check once I get home this evening from work. I'm also going to download the general repair to file associations from Doug Knox. I do have Norton Antivirus, which I can't run now since it's an exe. I did some online virus scans and they couldn't find any virus on the computer. I will keep you posted! Thanks a lot, guys.
 
My apologies linney, yes Charlie White does draw from System Restore.

And that is likely a wiser choice than my own: \%WINDIR%\repair

Or on my systems, \ERDNT

A scheduled repair task.

I know you are also a fan, but that is what I use when necessary on the systems I manage. Registry Backup, freeware, excellent, use it:
My apologies. I use the basic notion of the MS KB as expressed by Charlie White, but am used to restoring registry backup images elsewhere than the System Restore files.
 
I also think a "Charlie White" is nearly draconian as a solution in this instance.
 
No apologies necessary, this is an interesting and worthwhile posting and discussion.

Old "Charlie's" name was only brought into the discussion as a result of killing system restore prematurely. Not intended as a solution, but more a case of keeping your "powder dry".

I too use ERUNT and recommend it to everybody.

But like the Recovery Console, "Set" commands, if Erunt is not on the machine before the trouble occurs, it is a missed opportunity.
 
bcastner/linney:
With all this discussion going on, can you guys tell me which is the best approach I need to look into for this instance?

 
A registry replacement should not be necessary.

. check your RUN keys in the registry: back up the keys and then remove anything suspicious, or remove the keys completely;
. reboot
. run the file association fixes
. reboot
. You should be able to run Hijack This, and post the results here.

 
I noticed that in Control Panel -> Folder Options -> File Types, there is no exe file type associated with any of the applications I have. Do I need to create a new file type of exe there and associate it? I did run HijackThis and here is the log.

Logfile of HijackThis v1.97.7
Scan saved at 6:04:17 PM, on 1/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\admin\Desktop\hijackthis\HijackThis.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
F1 - win.ini: run=c:\windows\system32\cpusave.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [wdwctrl] c:\windows\system32\wdwctrl.exe /nocomm
O4 - HKLM\..\Run: [Cpusave] c:\windows\system32\cpusave.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Cpusave] c:\windows\system32\cpusave.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
 
.Exe is not listed in file types. Most installed programs' file extensions that are specially used by that program itself are not listed there either.

What is this application for, O4 - HKLM\..\Run: [wdwctrl] c:\windows\system32\wdwctrl.exe /nocomm?

Have a look at Explorer.exe in Task Manager (processes). You may have more than one (not unusual), but do any of them have a memory usage size of 200 - 400kb? This is the size of Notepad.exe.

 
In Task Manager (after I open a Notepad file) the size of notepad.exe is 2,816K. I do have an explorer.exe at 19,708K. There is 8,848K for iexplore.exe.


I did look up wdwctrl.exe and it's located in the c:\windows\prefetch folder. That folder does seem to have a lot of exe files, but written as, for example, TASKMGR.EXE-20256C55.pf, NOTEPAD.EXE-336351A9.pf ... But the last modified file in the folder is from August 2003. When I create a Notepad doc it seems to update NOTEPAD.EXE-336351A9.pf in that directory.
 
I wouldn't worry about the PreFetch folder entries. They are only links to make programs start faster. If you want to you can delete everything in there and Windows will just recreate the files as you load programs.

Forget what I was saying about Notepad and Task Manager; that was an error on my part.

I'm no expert with "Hijack This" logs, wait until others join in. The only thing I noticed was that you may have "Alexa" installed, but that is only a minor problem.

O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)


 
GEMA virus, found in this entry: cpusave.exe

MYBAR Hijack:

Exit all running copies of IE.

Have Hijack remove:

F1 - win.ini: run=c:\windows\system32\cpusave.exe

O4 - HKLM\..\Run: [Cpusave] c:\windows\system32\cpusave.exe

O4 - HKCU\..\Run: [Cpusave] c:\windows\system32\cpusave.exe

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

Go to Start, Run and type regsvr32 /u mybar.dll

Go to Start, Run, rd /s c:\Program files\MyWay
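
The removal list above touches the same file in three autostart places. As an added example (not part of the original post), this sketch parses the F1 and O4 lines of a HijackThis log and reports any file that is started from more than one location; the function names are hypothetical and the sample lines are copied from the log in this thread.

```python
import re
from collections import defaultdict

# Autostart lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
F1 - win.ini: run=c:\windows\system32\cpusave.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [wdwctrl] c:\windows\system32\wdwctrl.exe /nocomm
O4 - HKLM\..\Run: [Cpusave] c:\windows\system32\cpusave.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Cpusave] c:\windows\system32\cpusave.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
"""

# One pattern per autostart mechanism that HijackThis reports in F1 and O4 lines.
AUTOSTART = [
    re.compile(r"^F1 - (?P<loc>\w+\.ini: \w+)=(?P<cmd>.+)$"),
    re.compile(r"^O4 - (?P<loc>HK\w+\\\.\.\\\w+): \[[^\]]*\] (?P<cmd>.+)$"),
    re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): .+? = (?P<cmd>.+)$"),
]
# Path up to the first executable extension; tolerates quotes, spaces and arguments.
TARGET = re.compile(r'"?(.+?\.(?:exe|com|bat|scr)\b)', re.I)

def autostart_map(log):
    """Map each launched file (lower-cased path) to the set of places that start it."""
    seen = defaultdict(set)
    for line in log.splitlines():
        for pattern in AUTOSTART:
            m = pattern.match(line.strip())
            target = m and TARGET.match(m.group("cmd"))
            if target:
                seen[target.group(1).lower()].add(m.group("loc"))
                break
    return seen

def multi_location(log):
    """Files started from two or more independent autostart locations."""
    return {path: sorted(locs)
            for path, locs in autostart_map(log).items() if len(locs) > 1}

if __name__ == "__main__":
    for path, locs in multi_location(SAMPLE_LOG).items():
        print(path, "<-", ", ".join(locs))
```

Paths are compared as written, so an 8.3 short name such as PROGRA~1 is not matched to its long form.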
 
HijackThis did remove all 5 of the items mentioned. I did remove the MyWay directory. But when I try to unregister mybar.dll by typing regsvr32 /u mybar.dll, it's invoking regsvr32.exe, which comes up as Notepad garbage. Should I make a copy of regsvr32.exe as .com and then invoke it?
 
No luck, regsvr32.exe still opens in Notepad when I try to unregister.
 
Start regedit.


HKEY_CLASSES_ROOT\exefile\shell\open\command

Replace the default value in the right pane (double click it to edit) with:

"%1" %*

Then navigate here:

HKEY_CLASSES_ROOT\.exe (that's period - exe)

Replace the "default" value in the right pane (double click it to edit) with:

exefile

Also, make sure HKEY_CLASSES_ROOT\.exe is not an expandable branch. If there is a + sign in front of it, click the + and delete the subbranch below .exe.
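
To verify the three conditions in the post above without hand-editing, the keys can be exported and checked offline. This is an added example, not part of the original post: it parses a regedit text export and reports any deviation from the values given above; the function names are hypothetical and the sample export is constructed.

```python
import re

ROOT = "HKEY_CLASSES_ROOT"
# Expected defaults, exactly as given in the post above.
EXPECTED = {
    ROOT + r"\.exe": "exefile",
    ROOT + r"\exefile\shell\open\command": '"%1" %*',
}

# Constructed sample export (regedit 5.00 text format), not from the poster's machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\notepad.exe \"%1\""
'''

def parse_keys(reg_text):
    """Map each exported key (lower-cased) to its string default, or None if unset."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, None)
        elif current and line.startswith('@="') and line.endswith('"'):
            # .reg strings escape backslash and double quote with a backslash
            keys[current] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return keys

def check_exe_association(reg_text):
    """Return (key, found, expected) for every deviation from the post's values."""
    keys = parse_keys(reg_text)
    findings = []
    for key, want in EXPECTED.items():
        got = keys.get(key.lower())
        if got != want:
            findings.append((key, got, want))
    # The post also says .exe must not be an expandable branch.
    sub_prefix = (ROOT + "\\.exe\\").lower()
    for key in keys:
        if key.startswith(sub_prefix):
            findings.append((key, "subkey present", "no subkey"))
    return findings

if __name__ == "__main__":
    for finding in check_exe_association(SAMPLE_REG):
        print(finding)
```

Files exported by regedit in the 5.00 format are UTF-16, so decode them with `encoding="utf-16"` before passing the text in.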
 
Have you in Explorer tried right-clicking any .EXE file, selecting Open with, and then browsing to point to Explorer.exe in C:\Windows?
 
I can't see anything that hasn't already been hit on...though the lack of something definitive for this:

O4 - HKLM\..\Run: [wdwctrl] c:\windows\system32\wdwctrl.exe /nocomm

...bothers me.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
HKEY_CLASSES_ROOT\.exe has the default .exefile,
but there was also a key for contenttype which had the value of application/x-msdownload. There was a subbranch called PersistentHandler which I deleted.
Also, I didn't get an "open with" option for exe files.
 