Notepad.exe Virus

From: MAP (anonymous_at_discussions.microsoft.com)
Date: 03/31/04


Date: Wed, 31 Mar 2004 05:26:26 -0800


>-----Original Message-----
>Hello there,
>I've a couple of virus-related questions. Any help or ideas on how
>to get Microsoft to fix this, or to make them aware of it, is
>appreciated.
>
>1. I had the msblast.exe virus long before CNN started talking
>about it. It always starts a process with a random (RP) name, which
>doesn't allow me to start Task Manager to kill it, nor msconfig to
>disable msblast. I used another utility to kill the random process
>and then used msconfig to disable msblast from starting. However,
>the random process still comes up and I have to kill it with my
>utility every time I start my computer. msconfig doesn't stop it.
>Any suggestions on what to do next to get rid of this RP? I did try
>McAfee's and Symantec's free virus disinfectors on the net, but
>they didn't take it away.
>
>2. It seems to me that now NOTEPAD.exe is infected! Here's what
>happens. When I try to start Notepad, a process called over.exe is
>started that consumes 90% of the CPU time (under Task Manager), but
>the real Notepad never appears on the screen. Every time I start
>Notepad from Start ==> Run, or in the CMD console, another over.exe
>starts and my system starts humming and I can see that it's getting
>slower.
>Any suggestions, recommendations, or pointers on how to reach
>Microsoft security folks?
>Thanks.
>
>athmanen@computerscosmos.com
>.

over.exe may be a trojan

Overview
Alias: BackDoor-UQ [McAfee], Backdoor.Zhang [Kaspersky], security
risk or a "backdoor" program [F-Prot]
Category: RAT: (Remote Administration Tool) A Trojan that when run,
provides an attacker with the capability of remotely controlling a
machine via a "client" in the attacker's machine, and a "server" in
the victim's machine.
Similar Pests: RAT

Origins
Author: Huaxingln
By This Author: Sweet Heart 1.0b
Date of Origin: January, 2003

Operation
Storage Required: at least 1133KB
Detection Issues: Difficult to detect by design. May hide from
process list. May install with variable names in variable locations.

Detection and Removal
Automatic Removal: PestPatrol detects this. PestPatrol removes this.

Manual Removal: Follow these steps to remove Sweet Heart Yesterday
from your machine. Begin by backing up your registry and your
system, and/or setting a Restore Point, to prevent trouble if you
make a mistake.

Stop Running Processes:
Kill these running processes with Task Manager:

stay over.exe

Remove Files:
Remove these files (if present) with Windows Explorer:

stay over.exe

Kelly has provided removal tools for msblast; go here:

www.kellys-korner-xp.com/xp_tweaks.htm


