Notepad?


23 replies to this topic

#1 webdesigndawg038

webdesigndawg038

    Mary-Kate and Ashley Olsen are Awesome!

  • Full Member
  • 10 posts

Posted 24 June 2004 - 12:50 AM

I had Spyware that deleted my notepad and I really need it back. I got the Spyware gone by uninstalling the program that installed it and running Ad-Aware. But my notepad is gone. Whenever I try to open it from the start menu, I click it and nothing happens. When I double click on a notepad file that I've saved onto my computer, it opens fine because I put the notepad.exe file from the site http://www.spywareinfo.com/~merijn in C:\WINDOWS and C:\WINDOWS\System32... So, help? How can I get notepad to open from the start menu?

#2 rosso_acido

rosso_acido

    Earl of Mysterious Briefcases

  • Full Member
  • 286 posts

Posted 24 June 2004 - 03:51 AM

Unless the reason is something more complicated, it looks like the shortcut for Notepad on the Start Menu doesn't point to the correct location.

You can try fixing this by locating the Notepad.exe file on your HD, right-clicking and selecting Send to --> Desktop (Create Shortcut). Then you cut or copy this new shortcut and go Start --> Programmes --> Accessories --> Notepad. Right-click on the Notepad entry and select Paste. You will be asked whether you want to replace the old shortcut with the new one. Click OK and you should be done. :)

Hope this helps.
R. :wave:
I am the iron anchor.

#3 webdesigndawg038

webdesigndawg038

    Mary-Kate and Ashley Olsen are Awesome!

  • Full Member
  • 10 posts

Posted 24 June 2004 - 02:18 PM

I did what you said. Then I clicked on Notepad in the Accessories menu and nothing happened. Also, when I right-clicked on it and "Pasted", the start menu flashed once as if a change was taking effect, but the notepad image beside the word Notepad is still a broken image and when I click Notepad nothing happens. :unsure:

#4 rosso_acido

rosso_acido

    Earl of Mysterious Briefcases

  • Full Member
  • 286 posts

Posted 24 June 2004 - 02:36 PM

What exactly do you mean by a broken image? Could you perhaps grab a screenshot and attach it to your post? I'm curious now. :scratchhead:

Better still, why not post a HijackThis log as well, since the problem might indeed be a bit more complicated than it seemed?

If you haven't done so already, please download Hijack This! Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet.

An expert will soon be around to take a look at your log. :)

R. :wave:

Edited by rosso_acido, 24 June 2004 - 03:22 PM.


#5 webdesigndawg038

webdesigndawg038

    Mary-Kate and Ashley Olsen are Awesome!

  • Full Member
  • 10 posts

Posted 24 June 2004 - 06:49 PM

Thanks! What do you mean by "permanent" folder, though?

#6 Muriel

Muriel

    scholar of crapware's demise

  • Full Member
  • 97 posts

Posted 24 June 2004 - 07:07 PM

What R- means by a permanent folder is just to give HJT a location other than within a Temp directory or on your desktop, as in the C:\HJT mentioned above. If you prefer, create a new folder in a location you're comfortable with and place HJT there.

The reason for this is that if you ever fix anything with HJT, it creates backups in case they're needed, and a temp directory that might get cleared out or your desktop (which would get filled with clutter) are not ideal locations for this.

Hope this helps ;)

#7 webdesigndawg038

webdesigndawg038

    Mary-Kate and Ashley Olsen are Awesome!

  • Full Member
  • 10 posts

Posted 24 June 2004 - 07:12 PM

Ok thanks Muriel! I understand now.

There is a lot there.. is there supposed to be?!

Logfile of HijackThis v1.97.7
Scan saved at 7:07:55 PM, on 10/31/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\DOCUME~1\KENZ~1\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Jasc Software Inc\Paint Shop Pro 8\Paint Shop Pro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealOne Player\realplay.exe
C:\Documents and Settings\Kenz\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R3 - Default URLSearchHook is missing
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [dpwsock] C:\WINDOWS\System32\dpwsock.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7875.4600578704
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab


I also attached a screenshot that you asked for. Thanks for all your help so far!

Attached Images

  • notepad.jpg

Edited by webdesigndawg038, 24 June 2004 - 07:14 PM.


#8 Muriel

Muriel

    scholar of crapware's demise

  • Full Member
  • 97 posts

Posted 24 June 2004 - 07:28 PM

I should mention up front that R- and I aren't authorized to give system fixing instructions unless approved by one of the experts here, though I'll do what I can.

That said, one did ask if you could tell us exactly what spyware you had on your system, and what you used to fix it. Knowing that will help a lot in coming up with a fix.

#9 webdesigndawg038

webdesigndawg038

    Mary-Kate and Ashley Olsen are Awesome!

  • Full Member
  • 10 posts

Posted 24 June 2004 - 07:47 PM

I had msgplus.net's Messenger Plus! 2, which installed Sponsor programs. I had this little blue toolbar at the top of my Internet Explorer browser. It had links on it... I can't really explain it. I'd give you a screenshot because I figured out how to get rid of it. I just uninstalled and reinstalled Messenger Plus. There was also this silver bar that had links on it that was on the bottom of my browser. I got rid of that too.

#10 Budfred

Budfred

    Malware Hound

  • Administrators
  • 21,254 posts

Posted 24 June 2004 - 08:54 PM

You have some things on your system that may be part of the problem... Please close all open browsers and windows, run HJT and mark/fix this:

R3 - Default URLSearchHook is missing

This looks suspicious, so I recommend fixing it unless you definitely know that it is safe:

O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab

This is a program from Kazaa... If you still have any part of Kazaa on your computer, I strongly recommend that you remove it. I recommend that you fix this and then see if it is in Add/Remove Programs and remove it there... If it isn't, I suggest finding the folder and deleting it:

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

Also, I was not able to find any useful information on this item and that is usually bad news... Please find the file and check Properties... If you don't recognize the author as a valid company, it would probably be a good idea to fix it... If you aren't sure, post back whatever info you find:

O4 - HKCU\..\Run: [dpwsock] C:\WINDOWS\System32\dpwsock.exe

After you run these fixes, please reboot and post a fresh HJT log so we can see how things look. Also, check Notepad and see how it is working... HJT usually saves the log to Notepad, is that where your log was saved??
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#11 webdesigndawg038

webdesigndawg038

    Mary-Kate and Ashley Olsen are Awesome!

  • Full Member
  • 10 posts

Posted 25 June 2004 - 12:26 AM

I'm really confused.

#12 Budfred

Budfred

    Malware Hound

  • Administrators
  • 21,254 posts

Posted 25 June 2004 - 10:35 AM

I'm really confused.

I would be happy to explain in more detail if you could tell me what is confusing. Are you having trouble figuring out how to run HJT? Do you not know how to check Properties?? Please be clear about what is confusing you and I can give more detail....

#13 andt2583

andt2583

    Member

  • Full Member
  • 7 posts

Posted 25 June 2004 - 02:31 PM

I have got exactly the same problem and it started after I ran that cwshredder program which fixed something!
What's all that about?

#14 Budfred

Budfred

    Malware Hound

  • Administrators
  • 21,254 posts

Posted 25 June 2004 - 05:43 PM

andt2583,

In this forum we don't answer questions that are not from the original person who started the thread... If you want to figure out the answer to your question, start a New Topic for yourself....

#15 andt2583

andt2583

    Member

  • Full Member
  • 7 posts

Posted 25 June 2004 - 05:59 PM

Yeah, OK! Was just trying to add some input, OK.

#16 webdesigndawg038

webdesigndawg038

    Mary-Kate and Ashley Olsen are Awesome!

  • Full Member
  • 10 posts

Posted 26 June 2004 - 02:28 PM

Also, I was not able to find any useful information on this item and that is usually bad news... Please find the file and check Properties... If you don't recognize the author as a valid company, it would probably be a good idea to fix it... If you aren't sure, post back whatever info you find:

O4 - HKCU\..\Run: [dpwsock] C:\WINDOWS\System32\dpwsock.exe


Ok.. I looked in C:/Windows/System32 and there isn't a dpwsock.exe. Just DPWSOCK.DLL and dpwsockx.dll. So how do I get Properties on dpwsock.exe if it isn't there?

#17 Budfred

Budfred

    Malware Hound

  • Administrators
  • 21,254 posts

Posted 26 June 2004 - 03:00 PM

You will probably need to set WinXP to show all hidden and system files... Go here for information on how to do that....

http://support.micro...kb;en-us;302347

Do you understand the rest of the directions I gave... if not, please let me know and I will explain....

#18 webdesigndawg038

webdesigndawg038

    Mary-Kate and Ashley Olsen are Awesome!

  • Full Member
  • 10 posts

Posted 26 June 2004 - 04:58 PM

Thanks for that link. I did what it said and tried a few different searches for dpwsock.exe and dpwsock. I didn't get anything besides the dpwsock.dll's and a few other files that weren't dpwsock.exe.

Yes, I understand the rest of your directions. I did them. The only one I'm having a problem with is this one. Thanks.

When I was searching, a McAfee VirusScan notification came up saying that a trojan had been detected and cleared in C/Windows/System32 called HTML/Debeski.bat.

Edited by webdesigndawg038, 26 June 2004 - 05:03 PM.


#19 Budfred

Budfred

    Malware Hound

  • Administrators
  • 21,254 posts

Posted 26 June 2004 - 05:08 PM

Okay, go ahead and reboot and post a fresh HJT log so we can see what is going on now... Also, how are you doing with the Notepad issue??

#20 webdesigndawg038

webdesigndawg038

    Mary-Kate and Ashley Olsen are Awesome!

  • Full Member
  • 10 posts

Posted 26 June 2004 - 05:11 PM

It is still the same as my last post here about it. :\ I just rebooted before I searched for that thing. Do I have to reboot again?

#21 Budfred

Budfred

    Malware Hound

  • Administrators
  • 21,254 posts

Posted 26 June 2004 - 05:18 PM

If you haven't made any changes since your last reboot, you don't need to reboot again... If you did make changes it is important to reboot to make sure it shows up in your log...

#22 webdesigndawg038

webdesigndawg038

    Mary-Kate and Ashley Olsen are Awesome!

  • Full Member
  • 10 posts

Posted 26 June 2004 - 05:23 PM

Ok. Here it is!

Logfile of HijackThis v1.97.7
Scan saved at 5:21:46 PM, on 11/2/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Jasc Software Inc\Paint Shop Pro 8\Paint Shop Pro.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kenz\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [dpwsock] C:\WINDOWS\System32\dpwsock.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .psd: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7875.4600578704
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab

#23 Budfred

Budfred

    Malware Hound

  • Administrators
  • 21,254 posts

Posted 26 June 2004 - 05:33 PM

This is still there and the fact that you can't seem to find it makes it even more suspicious... Try booting into Safe Mode and do a search in that folder with WinXP set to show all hidden files/folders and system files...

O4 - HKCU\..\Run: [dpwsock] C:\WINDOWS\System32\dpwsock.exe

If you find it, rename it to something like dpwsock.BAK and reboot to see what happens... Also, check the Properties as I suggested before... If you can't find it, we may have to use another tool....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
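
The before/after comparison done by eye in post #23 ("This is still there"), as an added example that is not part of the original thread: a Python sketch that parses two HijackThis logs and reports which entries were removed, which are new, and which of the entries flagged for fixing persisted. The log excerpts are a constructed sample built from lines in posts #7 and #22, and the function names are hypothetical.

```python
import re

# Constructed sample: entry lines copied from the two logs in this thread
# (post #7 = before the fixes, post #22 = after); process lists are trimmed.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [dpwsock] C:\WINDOWS\System32\dpwsock.exe
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
"""
LOG_AFTER = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [dpwsock] C:\WINDOWS\System32\dpwsock.exe
O12 - Plugin for .psd: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
"""
# The entries the helper asked to have fixed in post #10.
FLAGGED = [
    r"R3 - Default URLSearchHook is missing",
    r"O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab",
    r"O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART",
    r"O4 - HKCU\..\Run: [dpwsock] C:\WINDOWS\System32\dpwsock.exe",
]

# Entry lines start with a section code such as R3, O4 or O16; the process
# list ("C:\...") and the header lines do not match.
ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - \S")
# O4 registry Run entry: hive, value name, then the path up to the first ".exe".
RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] "?(.+?\.exe)', re.IGNORECASE)


def entry_key(line):
    """Normalise an entry for comparison: collapse spaces, ignore case (Windows paths)."""
    return " ".join(line.split()).casefold()


def parse_entries(log_text):
    """Return {normalised key: original line} for every R#/O# entry, in log order."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries[entry_key(line)] = line
    return entries


def compare_logs(before_text, after_text, flagged=()):
    """Diff two logs and report which flagged entries survived the fix and reboot."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {
        "removed": [before[k] for k in before if k not in after],
        "added": [after[k] for k in after if k not in before],
        "persisted": [f for f in flagged if entry_key(f) in after],
    }


def run_target(entry):
    """For an O4 Run entry return (hive, value name, executable path), else None."""
    m = RUN_RE.match(entry)
    return m.groups() if m else None


if __name__ == "__main__":
    result = compare_logs(LOG_BEFORE, LOG_AFTER, FLAGGED)
    for section in ("removed", "added", "persisted"):
        print(section.upper())
        for line in result[section]:
            print("   ", line)
    for line in result["persisted"]:
        print("file to inspect:", run_target(line))
```
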

#24 noordinaryspider

noordinaryspider

    Member

  • New Member
  • 1 posts

Posted 26 June 2004 - 07:05 PM

I believe this is a new bug. My twelve year old son's computer has multiple problems, listed in a different thread, because he clicked on a link somebody sent him on Yahoo Messenger last night.

One of the problems is that NOTEPAD.EXE has vanished; not the shortcut, the program.



