Trojan:Notepad/Pices is a trojan-dropper that disguises itself as a legitimate Windows Notepad process or a seemingly harmless text-editing utility. Like most trojans, its primary purpose is to establish a foothold on your system and deliver additional malicious payloads — ranging from spyware and keyloggers to ransomware and cryptocurrency miners. Once active, Pices variants typically communicate with remote command-and-control servers to receive instructions, download secondary malware, and exfiltrate stolen data. This threat is particularly deceptive because it mimics trusted system processes, making detection more difficult for users who rely solely on Task Manager observations.


Infections often occur through bundled software installers, malicious email attachments posing as invoices or shipping documents, or compromised websites that exploit outdated browser plugins. Users may notice performance degradation, unexpected network activity, or unfamiliar processes running under names that closely resemble legitimate Windows components. Because Pices establishes persistence mechanisms in the registry and startup folders, a simple restart will not eliminate the infection — comprehensive manual removal or professional remediation is required.

If you suspect Trojan:Notepad/Pices is active on your machine right now: Disconnect from the internet immediately (unplug Ethernet or disable Wi-Fi), do not enter any passwords or financial information, and avoid restarting the computer until you can boot into Safe Mode with Networking. The trojan may attempt to download additional malware or transmit captured data during normal operation. If you're uncertain how to proceed safely, shut down the machine and call us at (770) 637-1555 — we can walk you through safe-mode boot or schedule an immediate appointment.

Threat Profile

Threat Family: Trojan-Dropper / Trojan-Downloader

Known Aliases: Trojan.Notepad.Pices, Win32/Pices, TrojanDropper:Win32/Pices, Notepad.exe (spoofed)

Platform: Windows (7, 8, 8.1, 10, 11) — 32-bit and 64-bit variants observed

Discovery Timeframe: Mid-2010s; variants continue to circulate with updated obfuscation techniques

Primary Distribution: Software bundlers, phishing email attachments, drive-by downloads, fake codec installers

Persistence Mechanisms: Registry Run keys, Startup folder shortcuts, scheduled tasks, Windows Service installation (less common)

Typical Capabilities: Download/execute arbitrary payloads, keylogging, browser credential theft, screenshot capture, backdoor access

Common IoCs: Executable in %APPDATA% or %LOCALAPPDATA% with random GUID folder names; registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run; outbound HTTP/HTTPS to unknown domains on non-standard ports

Network Behavior: Establishes C2 communication over HTTP/HTTPS; may use hardcoded IPs or DNS-based domains; downloads encrypted payloads; exfiltrates compressed ZIP archives of stolen data

Data-Theft Targets: Browser saved passwords, cookies, autofill data, cryptocurrency wallet files, FTP credentials, email client databases

Removal Difficulty: Moderate — requires safe-mode boot, registry editing, and thorough file-system cleanup; secondary payloads may complicate removal

Associated Secondary Threats: Varies by campaign — ransomware (e.g., STOP/Djvu family), info-stealers (e.g., Redline, Vidar), cryptominers (XMRig variants)

How It Spreads

Trojan:Notepad/Pices reaches victim machines primarily through deceptive software bundling and social engineering. Cybercriminals package the trojan dropper inside installers for popular freeware — video converters, PDF readers, download managers — hosted on third-party download portals. During installation, users who rush through the setup wizard and accept default options unknowingly authorize the trojan's installation alongside the intended application. The dropper often uses names like "NotepadUpdate.exe" or "NotePad_Installer.exe" to appear benign in the file list.

Email-based distribution is equally common. Attackers send messages impersonating shipping carriers, financial institutions, or business partners, with subjects like "Invoice #48392 Overdue" or "UPS Delivery Exception Notice." Attached ZIP or RAR archives contain executables disguised with double extensions (e.g., "Invoice.pdf.exe") or PDF icons applied to .exe files. When opened, the dropper executes silently while displaying a decoy document or error message to mask its activity. In some campaigns, malicious Microsoft Office documents with embedded macros download the Pices dropper from a remote server when macros are enabled.

  • Bundled freeware installers from unofficial download sites (codec packs, system "optimizers," torrent clients)
  • Phishing emails with malicious attachments posing as invoices, receipts, shipping notifications, or tax documents
  • Drive-by downloads from compromised websites or malicious advertisements that exploit outdated browser plugins (Flash, Java, Silverlight)
  • Fake software updates presented as Flash Player updates, codec installers, or font packages required to view web content
  • Torrent and peer-to-peer networks where cracked software, keygens, and game cracks are bundled with trojans
  • Malvertising campaigns on legitimate sites, where clicking a fraudulent ad triggers an automatic download
  • USB-based propagation (less common) where infected removable media auto-runs the dropper on insertion

What It Does On Your Machine

Once executed, Trojan:Notepad/Pices performs an initial reconnaissance scan to profile the infected system — gathering OS version, installed security software, IP address, and geographic location. This information is transmitted to the attacker's command-and-control server, which then responds with instructions specific to the victim's profile. High-value targets (systems in corporate networks or with cryptocurrency wallets detected) may receive more aggressive payloads, while home users might be enrolled in a botnet or receive adware.

The dropper establishes multiple persistence mechanisms to survive reboots. It copies itself to a randomly named folder in %LOCALAPPDATA% or %APPDATA%, often using a GUID-style directory name to avoid pattern-based detection. It then creates registry Run keys pointing to this executable, ensuring it launches every time the user logs in. Some variants also create scheduled tasks set to trigger at system startup or at regular intervals. If the initial dropper is deleted but these persistence mechanisms remain, the trojan will simply re-download itself from the C2 server.

The payload delivery phase varies by campaign objective. Info-stealer modules scan for browser profile folders (Chrome, Firefox, Edge, Opera) and extract stored credentials, cookies, and autofill data. Keylogging components monitor keystrokes and clipboard content, capturing passwords entered on banking sites or cryptocurrency exchanges. Screenshot modules capture the desktop at regular intervals or when specific window titles (online banking, email clients) are detected. Cryptocurrency miner payloads consume CPU and GPU resources to mine Monero or similar privacy coins, causing system slowdowns and overheating. Ransomware payloads encrypt user files and demand Bitcoin payment for the decryption key.

Throughout this process, the trojan employs anti-analysis techniques to evade detection. It may terminate processes belonging to antivirus software, disable Windows Defender through registry modifications, or inject code into legitimate system processes like explorer.exe or svchost.exe to hide its network activity. Users often first notice the infection through secondary symptoms: sluggish performance, browser homepage changes, unfamiliar browser extensions, unexpected pop-up advertisements, or alerts from their antivirus software (if not successfully disabled).

Typical Filesystem and Registry Artifacts
    # Dropped files:
    C:\Users\[Username]\AppData\Local\{3F8A9C2E-D4B7-4E1A-9F2C-8D5B6E3C4A7F}\noteupd.exe
    C:\Users\[Username]\AppData\Roaming\NotepadCache\config.dat
    C:\Users\[Username]\AppData\Roaming\NotepadCache\svcmgr.exe

    # Registry persistence entries:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        "Notepad Service" = "C:\Users\[Username]\AppData\Local\{GUID}\noteupd.exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
        "NotepadUpdate" = "C:\Users\[Username]\AppData\Roaming\NotepadCache\svcmgr.exe"

    # Scheduled task (check with: schtasks /query /fo LIST /v | findstr Notepad):
    TaskName: \Microsoft\Windows\Notepad\NotepadSyncTask
    Run:      C:\Users\[Username]\AppData\Local\{GUID}\noteupd.exe
    Trigger:  At logon of any user

Manual Removal — Step by Step

01

Disconnect From the Network Immediately

Unplug your Ethernet cable or disable Wi-Fi to prevent the trojan from communicating with its command-and-control server, downloading additional payloads, or exfiltrating stolen data. This also stops lateral movement if you're on a home or office network. Leave the computer powered on for now — shutting down may trigger cleanup routines that delete evidence or make removal harder.

02

Boot Into Safe Mode with Networking

On Windows 7, restart the computer and repeatedly press F8 until the Advanced Boot Options menu appears, then choose Safe Mode with Networking. On Windows 8/10/11, hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart, and select option 5 (Safe Mode with Networking). Safe Mode loads only essential drivers and prevents most malware from auto-starting. You'll need networking capability to download removal tools later in the process.

03

Identify and Terminate the Malicious Process

Open Task Manager (Ctrl+Shift+Esc) and look for suspicious processes — executables running from unusual locations like %APPDATA% or %LOCALAPPDATA%, processes with random alphanumeric names, or anything impersonating "notepad.exe" but running from a non-standard path. Right-click and select "Open file location" to verify. If it's not in C:\Windows\System32\, it's likely malicious. Note the file path, then right-click and select "End task." The process may immediately restart due to persistence mechanisms — that's expected.

04

Remove Registry Persistence Entries

Press Win+R, type regedit, and press Enter. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce. Look for entries pointing to executables in %APPDATA% or %LOCALAPPDATA% folders, especially those with names like "Notepad Service," "NotepadUpdate," or similar variations. Right-click each suspicious entry and delete it. Also check HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run if you have administrator access. Close Registry Editor when finished.

05

Delete Scheduled Tasks

Open an elevated Command Prompt (search "cmd," right-click, "Run as administrator"). Type schtasks /query /fo LIST /v | findstr /i notepad to list any scheduled tasks with "notepad" in the name or path. If you find suspicious tasks, delete them with schtasks /delete /tn "\TaskName" /f (replace \TaskName with the exact path shown in the query). Common malicious task names include variations of "NotepadSync," "NotepadUpdate," or random GUIDs under Microsoft\Windows fake subfolders.

06

Delete the Trojan's Files and Folders

Using File Explorer, navigate to the executable's location you noted in Step 3 (typically C:\Users\[YourName]\AppData\Local\{GUID}\ or ...\AppData\Roaming\NotepadCache\). Delete the entire folder. If you receive an "access denied" or "file in use" error, the process is still running — return to Task Manager, end it again, and immediately delete the folder before it restarts. Also check the Startup folder (C:\Users\[YourName]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) for any shortcuts pointing to the trojan.

07

Run Malwarebytes and a Secondary Scanner

Download Malwarebytes Free (from malwarebytes.com using a clean device if possible, then transfer via USB) and run a full "Threat Scan." Malwarebytes is particularly effective at detecting trojan-dropper families and their persistence mechanisms. After Malwarebytes completes and quarantines threats, download and run a second-opinion scanner like Emsisoft Emergency Kit or Kaspersky Virus Removal Tool to catch any remaining components. Reboot after all detections are removed.

08

Reset Browsers and Remove Malicious Extensions

Trojan:Notepad/Pices often installs browser hijackers or credential-stealing extensions. In Chrome, Edge, and Firefox, go to Settings → Extensions and remove anything unfamiliar or installed around the infection date. Then reset each browser to defaults: in Chrome/Edge go to Settings → Reset settings → Restore to default; in Firefox go to Help → More Troubleshooting Information → Refresh Firefox. This clears injected scripts and restores your homepage and search engine.

09

Change All Passwords from a Clean Device

Because Pices variants commonly steal browser-saved passwords and may include keylogging functionality, assume all credentials entered on the infected machine are compromised. Using a smartphone, tablet, or confirmed-clean computer, change passwords for email, banking, social media, and any sites where payment information is stored. Enable two-factor authentication wherever possible. Check your bank and credit card statements for unauthorized transactions.

10

Reboot Normally and Verify Cleanup

Restart the computer in normal mode and monitor behavior for 24–48 hours. Check Task Manager for unfamiliar processes, monitor network activity with Resource Monitor (search "resmon" in Start), and run periodic quick scans with your installed antivirus. If you notice the trojan has returned, secondary malware may be present that's re-downloading the dropper — at that point, professional remediation or a clean Windows reinstall may be the most reliable solution.
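A read-only audit of the persistence locations described in the artifacts section and in Steps 4 to 6, added here as an example that is not part of the original article: it lists Run/RunOnce values, Startup-folder shortcuts and scheduled-task actions that execute from %APPDATA% or %LOCALAPPDATA%, or that use a notepad-like file name outside the Windows system folders. It assumes an elevated Windows PowerShell 5.1 or later session on the affected machine; the function name and the list of "suspect" folders are my choices, not the page's.

```powershell
# Added audit script (not from the original article). It reports; it never deletes.
# Assumes: Windows PowerShell 5.1+ run elevated, with the ScheduledTasks module present.
function Find-PicesPersistence {
    # Profile folders the article names as drop locations (assumed list)
    $suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA)

    function Test-SuspectCommand([string]$Command) {
        if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
        $expanded = [Environment]::ExpandEnvironmentVariables($Command)
        foreach ($root in $suspectRoots) {
            if ($expanded.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
        }
        # A notepad-like binary outside System32/SysWOW64 is the tell the article describes
        return ($expanded -match 'notepad[^\\]*\.exe' -and $expanded -notmatch '\\Windows\\(System32|SysWOW64)\\')
    }

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Run / RunOnce values for the current user and the machine (Step 4)
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                # Skip the provider metadata PowerShell attaches to every registry item
                if ($p.Name -cin 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
                if (Test-SuspectCommand ([string]$p.Value)) {
                    $findings.Add([pscustomobject]@{ Where = "$key\$($p.Name)"; Command = $p.Value })
                }
            }
        }
    }

    # 2. Startup-folder shortcuts (Step 6): resolve each .lnk to its target
    $shell = New-Object -ComObject WScript.Shell
    $startup = [Environment]::GetFolderPath('Startup')
    foreach ($lnk in Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if (Test-SuspectCommand $target) {
            $findings.Add([pscustomobject]@{ Where = $lnk.FullName; Command = $target })
        }
    }

    # 3. Scheduled tasks whose action runs from a profile folder (Step 5)
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            if (Test-SuspectCommand $a.Execute) {
                $findings.Add([pscustomobject]@{ Where = "Task $($task.TaskPath)$($task.TaskName)"; Command = "$($a.Execute) $($a.Arguments)" })
            }
        }
    }
    return $findings
}

Find-PicesPersistence | Format-Table -AutoSize -Wrap
```

Each row names the exact Run value, shortcut or task to inspect before you delete anything in Steps 4 to 6; an empty result after cleanup is a useful confirmation in Step 10.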

Prevention

  1. Download software only from official sources. Avoid third-party download sites like Softonic, download.com mirrors, or "free software" aggregators. Get applications directly from the developer's website or the Microsoft Store. If you must use freeware, research it first and read user reviews for reports of bundled malware.
  2. Scrutinize email attachments, especially from unknown senders. Legitimate businesses rarely send unsolicited invoices or shipping notices as attachments. Verify the sender's email address carefully (not just the display name), and never enable macros in Office documents from untrusted sources. When in doubt, contact the supposed sender through an independent channel to confirm authenticity.
  3. Keep Windows and all software updated. Enable automatic updates for Windows, browsers, Adobe Reader, Java, and other commonly exploited applications. Many trojan infections exploit known vulnerabilities that have been patched for months or years — staying current closes these entry points.
  4. Use a reputable antivirus with real-time protection. Windows Defender (built into Windows 10/11) provides solid baseline protection if kept updated. For additional security, consider Malwarebytes Premium, Bitdefender, or ESET. Configure real-time scanning and behavioral detection, and don't disable your antivirus to install software that "doesn't work" with security tools — that's a red flag.
  5. Pay attention during software installations. Choose "Custom" or "Advanced" installation modes and read each screen carefully. Uncheck boxes offering toolbars, browser changes, or "recommended" bundled applications. Legitimate software doesn't require you to install five other programs you've never heard of.
  6. Implement standard-user accounts for daily use. Create a separate administrator account for software installation and system changes, and use a standard (non-admin) account for web browsing and everyday work. This limits malware's ability to make system-wide changes or disable security software.
  7. Be cautious with USB drives and external media. Disable AutoPlay in Windows settings to prevent infected USB drives from auto-running malware. Scan any external drive with your antivirus before opening files, especially if the drive has been used on public computers or borrowed from others.
  8. Regularly back up important data to an offline or cloud location. If a trojan downloads ransomware as its secondary payload, a recent backup means you can restore your files without paying the ransom. Use Windows File History, a cloud service with versioning (OneDrive, Google Drive with file history enabled), or an external drive you disconnect after backups complete.

Our 90-Day Warranty: When Computer Repair Roswell removes Trojan:Notepad/Pices or any malware from your system, we guarantee our work for 90 days. If the same threat returns within that period due to incomplete removal (not re-infection from unsafe browsing), we'll clean it again at no charge. We also provide a written report of what we found and removed, plus personalized advice to prevent future infections.

Bring It In

If you've followed the manual steps above and still see signs of infection — or if the process feels overwhelming — don't risk further damage by experimenting. Trojan:Notepad/Pices infections often involve multiple malware components, and incomplete removal can leave backdoors active for weeks or months. Our technicians have the specialized tools and experience to fully eradicate complex trojan infections, verify that no secondary payloads remain, and restore your system to clean operation. We'll also check for signs of data theft and advise you on appropriate protective measures for your accounts and financial information.

Computer Repair Roswell is located at 1007 Canton Street, Roswell, GA 30075, right in the heart of Historic Roswell. We're open Monday through Friday 9 AM to 6 PM, and Saturday 10 AM to 4 PM. No appointment necessary for drop-offs, though calling ahead at (770) 637-1555 ensures we have a technician ready to begin diagnostics immediately. Most trojan removals are completed within 24 hours, and we'll contact you with a detailed assessment and honest pricing before proceeding with any work. We serve homeowners and small businesses throughout Roswell, Alpharetta, and North Fulton — and we've been cleaning infections like Pices from local machines since 2010.