

Notepad app. nuked


#1 Teh Guest


  • New Member
  • 1 posts

Posted 13 July 2004 - 04:37 PM

So yesterday I got infected with this About:blank thing. After getting rid of that problem I went to open a text file in Notepad when I noticed it didn't open. I have since run Trojan Hunter and Spysweeper and it still won't open. Any help or suggestions are greatly appreciated! Here's my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 2:23:03 PM, on 7/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.EXE
C:\Documents and Settings\colin\Desktop\Internet Explorer.EXE
C:\Program Files\Winamp3\Winamp\winamp.exe
C:\Documents and Settings\colin\My Documents\My eBooks\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\colin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\colin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\colin\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\colin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {26D43176-EED0-460E-AEBF-6BAC5B456A11} - C:\WINNT\system32\dckfo.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7520.9043402778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E15B639-1AE0-4EDD-AC11-9C8AA8022397}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E15B639-1AE0-4EDD-AC11-9C8AA8022397}: NameServer =
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E15B639-1AE0-4EDD-AC11-9C8AA8022397}: NameServer =

#2 terryb



  • Full Member
  • 51 posts

Posted 13 July 2004 - 10:31 PM

Yes, it was a spyware problem. Some spyware/trojans, etc. directly target notepad.exe and other important Windows files (.dll files, etc.) and replace them with more trojans (pests).
It looks like you may still have the "about blank" traces in your computer.
Do you have Spybot S&D? If so, go to the advanced mode, click on Tools/Browser Pages. If you see any "About Blank" items (or any others of which you don't approve), use the change button to put back your original search pages.
You may need to run your anti-virus software and Ad-Aware in safe mode, delete accordingly, and when you're sure your system is clean, you can begin a repair on notepad. With that, you have two options:
1. You can delete what is left of the corrupt notepad.exe and download a new copy at http://www.spywareinfo.com/~merijn (Click on Windows Files at the far left.) OR,
2. You can use your SFC tool (System File Checker) to examine your important Windows files and replace/restore what has been damaged.
Then, you can retrieve a clean, valid copy of notepad.exe to paste into your Windows/dllcache and Windows/system32 (where it should be to begin with). It looks like you may have some damaged .dll files anyway from looking at your log file.
Also, an extra tip: I noticed you have quite a few tasks running, which can hinder your computer's performance/speed. You can safely end them to improve functioning. (You can go into start/run/msconfig/startup and see how many programs are running. It is up to you what you keep running. For myself, I only keep my anti-virus running at startup.) Less=faster!
From task manager, it is safe to disable CTSvcCDA.EXE [because with modern CD-ROM drives (36-speed and above) this task is of no use to any system].
It is o.k. to disable mspmspsv.exe because it uses a lot of memory.
Try these and hopefully, the prob. will be solved.
P.S. Here is a link to a free online virus scan:
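
A small triage script for the kind of log shown in the first post, added here as an example and not written by either poster or by the HijackThis authors: it flags IE page settings that load a local Temp file or about:blank, and BHO entries marked "(file missing)". The heuristics and the names `triage`, `ENTRY` and `CLSID` are assumptions of this example.

```python
import re

# Excerpt (five lines) of the HijackThis v1.97.7 log from the first post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\colin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {26D43176-EED0-460E-AEBF-6BAC5B456A11} - C:\WINNT\system32\dckfo.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

# "<section code> - <body>", e.g. "R1 - ..." or "O16 - ..."
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def triage(log_text):
    """Return (code, reason, detail) for each entry matching a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process path or blank line
        code, body = m.groups()
        if code in ("R0", "R1"):
            # R0/R1 lines read "<registry key>,<value name> = <data>"
            key, _, value = body.partition(" = ")
            v = value.strip().lower()
            if v.startswith("file://") and "\\temp\\" in v:
                findings.append(
                    (code, "IE page setting loads a local file from a Temp directory", key))
            elif v == "about:blank":
                findings.append((code, "IE page setting is about:blank", key))
        elif code == "O2" and body.endswith("(file missing)"):
            # BHO still registered although its DLL is gone: a leftover to clean up
            clsid = CLSID.search(body)
            findings.append((code, "BHO registered but its DLL is not on disk",
                             clsid.group(0) if clsid else body))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code}: {reason}: {detail}")
```
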
