I have a question about file associations. Specifically, .dat files. I've noticed that all of my .dat files are associated with Windows Media Player. Why is this? What do .dat files do? Would a malicious program be able to gain anything by changing a file type association to Windows Media Player? What association should .dat files have?
The following programs have .dat files that all have assiciations with Windows Media Player

Port Explorer: domains.dat, ip.dat, ports.dat, and unins000.dat
PG: unins000.dat
TDS3: tds3smtp.dat, unins000.dat

Hi Dallen,
to me this sounds not good.
Maybe if you open you windows media player and empty all file associations, close the thing, does all look different then? maybe need to reboot to take effect?
After you can open your windows media player again and look what really should be associated with it.
If it down's change at all ... a hijackthis log..?
(is there a windows media player hack around?)

dallen-This has happened to me several times. I just go in an reassociate the .dat files with notepad.

If you ever find out the cause let me know.

Jooske,
I opened Windows Media Player and looked at the file associations and .dat files aren't even on the list.

Deke,
Should .dat files be associated to notepad? I guess one of the things I'd like to know is what should .dat files be associated with?

dallen-I am on W98SE and all my .dat files are associated with notepad.

On the larger ones you will get a popup asking if you want to open them in wordpad.

Thanks Deke.

Jooske,
Sorry for the delay. I had to download hijackthis because I didn't have it on my system. I will post the log below:

Logfile of HijackThis v1.97.7
Scan saved at 11:11:38 AM, on 5/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\DiamondCS\ProcessGuard\dcsuserprot.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DiamondCS\TDS3\TDS-3.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\IMsecure\IMsecure.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\DiamondCS\ProcessGuard\procguard.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\sdntc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dustin H. Allen\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TDS3] C:\Program Files\DiamondCS\TDS3\TDS-3.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: IMsecure.lnk = C:\Program Files\IMsecure\IMsecure.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: Process Guard.lnk = C:\Program Files\DiamondCS\ProcessGuard\procguard.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37914.9661689815
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab

Here is my startup list just in case it gives you any additional information:

StartupList report, 5/30/2004, 11:07:30 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Dustin H. Allen\Desktop\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\DiamondCS\ProcessGuard\dcsuserprot.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DiamondCS\TDS3\TDS-3.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\IMsecure\IMsecure.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\DiamondCS\ProcessGuard\procguard.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\sdntc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dustin H. Allen\Desktop\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Dustin H. Allen\Start Menu\Programs\Startup]
IMsecure.lnk = C:\Program Files\IMsecure\IMsecure.exe
Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
Process Guard.lnk = C:\Program Files\DiamondCS\ProcessGuard\procguard.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE
AsioReg = REGSVR32.EXE /S CTASIO.DLL
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Jet Detection = C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\scrnsave.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
NAV Helper - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
Symantec Drmc.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft Office Template and Media Control]
InProcServer32 = C:\PROGRA~1\MICROS~2\OFFICE11\IEAWSDC.DLL
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[Creative Software AutoUpdate]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CTSUEng.ocx
CODEBASE = http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab

[ICSScannerLight Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ICSScannerLight.dll
CODEBASE = http://download.zonelabs.com/bin/free/cm/ICSCM.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37914.9661689815

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

[Creative Software AutoUpdate Support Package]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CTPID.ocx
CODEBASE = http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\DUSTIN~1.ALL\LOCALS~1\Temp\~ef7194.tmp


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7,648 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Thanks!
I asked for an HJT expert to come over and look at it as i don't see anything wrong.
Only the HOSTS entry need changing for this IP address since the forum moved to 64.91.255.87


In my windows system all dat files have the winamp icon, so i drag them to notepad if i want to look into them, never trying to use them with doubleclick.
It has been ok for a while till it was all the same again so i left it till now.

Thanks Jooske, for your help and please let me know what the HJT expert says. Oh, what is the HOSTS thing you were talking about and how do I change it?

I think you're referring to this:
-{ Quote: "O1 - Hosts: 203.161.127.141 www.dcsresearch.com" }-

DAT files can be anything, you shouldn't be double-clicking on files you arent sure of anyway. Usually, DAT files are Video CD data which is why WMP has associated itself with them (just in case)

To change that HOSTS entry, i find it easiest via TDS:
TDS > System Analyse > View File > Network Hosts > change that IP 203... into 64.91.255.87, click save, and if you then press the F5 it should bring you to the TDS forum again.
Not sure if Windows needs a reboot to take effect for the HOSTS file, but you see soon enough!

No reactions yet on the HJT? Hmmmmmmm

When I follow the steps you suggest to make the change:
-{ Quote: "TDS > System Analyse > View File > Network Hosts " }-
Nothing happens when I click Network Hosts.

Hmmm if you do a search in windows for the HOSTS file?
It is somewhere as HJT located it.

Hi Jooske,

Nothing wrong with the HJT log.
File associations taken over by a browser would show up under O12, but as you can see, nothing there.

Regards,

Pieter

Thanks a lot Pieter!

Dallen, brings you back to another time uncheck everything from WMP, just in case another time and re-associate ------- would TWEAK UI be helpful here?

Hi dallen....if your still having problems with changing the host file take a look at this thread; in that you are running Spybot

http://www.wilderssecurity.com/showthread.php?t=34293 :)

Rainwalker,
Thanks for the help. I reviewed all the information and I learned a lot and you were correct in pointing me in this direction as Spybot Search & Destroy was protecting my host file. However, I am still experiencing a problem. When I follow these steps:
-{ Quote: "TDS > System Analyse > View File > Network Hosts" }-
Nothing happens when I click Network Hosts even after I've unchecked the "protect hosts" box in Spybot Search & Destroy and shut it down. Is there another way to edit the HOSTS file?

You can open it in wordpad.
Strange if TDS doesn't let you correct that path, masybe it only looks at the original c:\windows location, but it should be searcheable.
Do other files with notepad open in TDS, like the log files and all other, so it really is the HOSTS file location and not because of notepad.exe 0 bytes instances in the TDS directory? Those 0 bytes files you can delete occasionally and those files should run fine again.

No. When I try to open a logfile usind TDS >> View Logfile... >> then select the logfile. Nothing happens either. This is strange.

Look if there are files 0 bytes small in the TDS directory and elsewhere. Windows has the habit creating them of files it can not run at a certain moment (reasons unknown) and they're put somewhere in the path and thus blocking access to the original in Windows.
You can occasionally delete those 0 bytes files, you'll have them in many cases in several places; the second thing to do is to copy the original notepad.exe and wordpad.exe in the TDS directory (not move, just an extra copy) and it should always work again.

Are you saying that it is always safe to delete 0 byte files? and if so, does that apply to anywhere on my computer, or only in the TDS directory, because I think I have several scattered around my system.

You could check with the NTFS ADS STREAMS scanner in TDS if they are really empty or have other sizes with streams in them.
Notepad for example seems more targeted by malware, so if that has a stream it could be really be interesting to look deeper; normally streams smaller then 128 bytes (not kb!) can be ignored; for a first deep scan you might like to look at how many of those streams are on your system and look deeper if they are larger then 128 bytes for example, and certainly if the streams would contain exe code for instance it's worth to submit them for deeper Gavin study.
But if they are really empty you can delete them.
I have several in TDS and some places more even at times the run32dll thing and ever found the kernel32.dll both 0 bytes but my system was still running.
On XP the Helpfile is famous for being there with 0 bytes and thus it doesn't work not any more (workaround is a shortcut on the desktop for that one) etc etc.
So notepad.exe and wordpad.exe on a few strategical places where you need them more often (would it help to place a shortcut in the TDS directory to the origional notepad.exe in windows directory btw?) and you should be able to use them properly and see all your logs there again.

OK. I got it to work, thanks to your help. There was a notepad.exe file within the TDS3 folder with 0 bytes, not KB, so I deleted it. It worked after I did that.
-{ Quote: "You could check with the NTFS ADS STREAMS scanner in TDS if they are really empty or have other sizes with streams in them." }-
Basically, I have a couple of questions about this. If I uncheck the box for TDS to ignore the NTFS ADS STREAMS, then the scanner goes crazy detecting many, so how can I use it to check a particular file? Second, I also have a wierd problem that I feel is related to this. If I view my TDS3 folder's contents in Thumbnail view, many of the folders have pictures on them that aren't supposed to be. For example, the PortLists folder within the TDS3 folder has a picture of an albulm from my .wma music collection on it. I notice that many of these random pictures being assigned to random folders are showing up when I do a system scan using TDS3 with the "ignore the NTFS ADS STREAMS" box UNCHECKED.

Can you give me some insight on what you think about this?

Does XP have a tool like TWEAK UI? I got in win98 file associations back with that where possible. And after using it files worked still ok, coulsd have been different :)
Maybe your scanner or firewall or other program was so kind to add ntsf ads streams, with this result?
Not quite sure why the scan goes on the loose on them......
Hope somebody can explain that!

OK. I downloaded TWEAK UI from Microsoft's website for Windows XP. How will that help me?

One of the Repair functions should be "repair file associations" and icons etc.
Fingers crossed it helps you too!