File associations

Discussion in 'Trojan Defence Suite' started by dallen, May 30, 2004.

Thread Status:
Not open for further replies.
  1. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    I have a question about file associations. Specifically, .dat files. I've noticed that all of my .dat files are associated with Windows Media Player. Why is this? What do .dat files do? Would a malicious program be able to gain anything by changing a file type association to Windows Media Player? What association should .dat files have?
    The following programs have .dat files that all have associations with Windows Media Player:

    Port Explorer: domains.dat, ip.dat, ports.dat, and unins000.dat
    PG: unins000.dat
    TDS3: tds3smtp.dat, unins000.dat
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Dallen,
    to me this sounds not good.
    Maybe if you open your windows media player and empty all file associations, close the thing, does all look different then? maybe need to reboot to take effect?
    After you can open your windows media player again and look what really should be associated with it.
    If it doesn't change at all ... a hijackthis log..?
    (is there a windows media player hack around?)
     
  3. Deke

    Deke Registered Member

    Joined:
    May 30, 2004
    Posts:
    42
    Location:
    Texas
    dallen-This has happened to me several times. I just go in and reassociate the .dat files with notepad.

    If you ever find out the cause let me know.
     
  4. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Jooske,
    I opened Windows Media Player and looked at the file associations and .dat files aren't even on the list.

    Deke,
    Should .dat files be associated to notepad? I guess one of the things I'd like to know is what should .dat files be associated with?
     
  5. Deke

    Deke Registered Member

    Joined:
    May 30, 2004
    Posts:
    42
    Location:
    Texas
    dallen-I am on W98SE and all my .dat files are associated with notepad.

    On the larger ones you will get a popup asking if you want to open them in wordpad.
     
  6. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Thanks Deke.

    Jooske,
    Sorry for the delay. I had to download hijackthis because I didn't have it on my system. I will post the log below:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:11:38 AM, on 5/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\DiamondCS\ProcessGuard\dcsuserprot.exe
    C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\DiamondCS\TDS3\TDS-3.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\IMsecure\IMsecure.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\DiamondCS\ProcessGuard\procguard.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\sdntc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dustin H. Allen\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [TDS3] C:\Program Files\DiamondCS\TDS3\TDS-3.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: IMsecure.lnk = C:\Program Files\IMsecure\IMsecure.exe
    O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Startup: Process Guard.lnk = C:\Program Files\DiamondCS\ProcessGuard\procguard.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37914.9661689815
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab
     
  7. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Here is my startup list just in case it gives you any additional information:

    StartupList report, 5/30/2004, 11:07:30 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Dustin H. Allen\Desktop\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\DiamondCS\ProcessGuard\dcsuserprot.exe
    C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\DiamondCS\TDS3\TDS-3.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\IMsecure\IMsecure.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\DiamondCS\ProcessGuard\procguard.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\sdntc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dustin H. Allen\Desktop\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Dustin H. Allen\Start Menu\Programs\Startup]
    IMsecure.lnk = C:\Program Files\IMsecure\IMsecure.exe
    Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    Process Guard.lnk = C:\Program Files\DiamondCS\ProcessGuard\procguard.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    CTHelper = CTHELPER.EXE
    AsioReg = REGSVR32.EXE /S CTASIO.DLL
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    Jet Detection = C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\scrnsave.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
    NAV Helper - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Norton SystemWorks One Button Checkup.job
    Symantec Drmc.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Microsoft Office Template and Media Control]
    InProcServer32 = C:\PROGRA~1\MICROS~2\OFFICE11\IEAWSDC.DLL
    CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

    [Creative Software AutoUpdate]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CTSUEng.ocx
    CODEBASE = http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab

    [ICSScannerLight Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ICSScannerLight.dll
    CODEBASE = http://download.zonelabs.com/bin/free/cm/ICSCM.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

    [Symantec RuFSI Utility Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37914.9661689815

    [ActiveDataInfo Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.dll

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [ActiveDataObj Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

    [Creative Software AutoUpdate Support Package]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CTPID.ocx
    CODEBASE = http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\DOCUME~1\DUSTIN~1.ALL\LOCALS~1\Temp\~ef7194.tmp


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 7,648 bytes
    Report generated in 0.047 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks!
    I asked for an HJT expert to come over and look at it as i don't see anything wrong.
    Only the HOSTS entry needs changing for this IP address since the forum moved to 64.91.255.87


    In my windows system all dat files have the winamp icon, so i drag them to notepad if i want to look into them, never trying to use them with doubleclick.
    It has been ok for a while till it was all the same again so i left it till now.
     
  9. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Thanks Jooske, for your help and please let me know what the HJT expert says. Oh, what is the HOSTS thing you were talking about and how do I change it?

    I think you're referring to this:
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    DAT files can be anything, you shouldn't be double-clicking on files you aren't sure of anyway. Usually, DAT files are Video CD data which is why WMP has associated itself with them (just in case).
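
To see exactly which program an extension such as .dat is registered to launch, the registry can be read directly. This is an added example, not part of the original thread; it assumes a current Windows with PowerShell 3.0 or later, and the function names `Get-RegValue` and `Get-FileAssociation` are made up for this illustration.

```powershell
# Added example: resolve extension -> ProgID -> launch command, per registry scope.

function Get-RegValue([string]$Key, [string]$Name = '') {
    # An empty name reads the key's (Default) value. Returns $null if the key is absent.
    if (Test-Path -LiteralPath $Key) { (Get-Item -LiteralPath $Key).GetValue($Name) }
}

function Get-FileAssociation {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.dat'

    # HKEY_CLASSES_ROOT is a merged view of these two; the per-user key wins,
    # so a per-user entry can override the machine-wide handler.
    $classRoots = [ordered]@{
        'HKCU (per-user)' = 'Registry::HKEY_CURRENT_USER\Software\Classes'
        'HKLM (machine)'  = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes'
    }
    foreach ($scope in $classRoots.Keys) {
        $progId  = Get-RegValue "$($classRoots[$scope])\$Extension"
        $verb    = $null
        $command = $null
        if ($progId) {
            # The default verb is not always "open"; media handlers often use "play".
            $shell = "Registry::HKEY_CLASSES_ROOT\$progId\shell"
            $verb  = Get-RegValue $shell
            if (-not $verb) { $verb = 'open' }
            $command = Get-RegValue "$shell\$verb\command"
        }
        [pscustomobject]@{
            Scope = $scope; Extension = $Extension
            ProgId = $progId; Verb = $verb; Command = $command
        }
    }

    # Explorer's own "Open with" choice for the current user. Newer Windows
    # stores it under UserChoice; older versions used an Application value.
    $fileExts = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows' +
                "\CurrentVersion\Explorer\FileExts\$Extension"
    [pscustomobject]@{
        Scope = 'Explorer user choice'; Extension = $Extension
        ProgId = Get-RegValue "$fileExts\UserChoice" 'ProgId'
        Verb = $null
        Command = Get-RegValue $fileExts 'Application'
    }
}

Get-FileAssociation '.dat' | Format-List
```

A handler that differs between the per-user and machine rows, or a command pointing outside the expected program folder, is the thing to look into.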
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    To change that HOSTS entry, i find it easiest via TDS:
    TDS > System Analyse > View File > Network Hosts > change that IP 203... into 64.91.255.87, click save, and if you then press the F5 it should bring you to the TDS forum again.
    Not sure if Windows needs a reboot to take effect for the HOSTS file, but you see soon enough!

    No reactions yet on the HJT? Hmmmmmmm
     
  12. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    When I follow the steps you suggest to make the change:
    Nothing happens when I click Network Hosts.
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hmmm if you do a search in windows for the HOSTS file?
    It is somewhere as HJT located it.
     
    Last edited: May 31, 2004
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Jooske,

    Nothing wrong with the HJT log.
    File associations taken over by a browser would show up under O12, but as you can see, nothing there.

    Regards,

    Pieter
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks a lot Pieter!

    Dallen, brings you back to another time uncheck everything from WMP, just in case another time and re-associate ------- would TWEAK UI be helpful here?
     
  16. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
  17. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Rainwalker,
    Thanks for the help. I reviewed all the information and I learned a lot and you were correct in pointing me in this direction as Spybot Search & Destroy was protecting my host file. However, I am still experiencing a problem. When I follow these steps:
    Nothing happens when I click Network Hosts even after I've unchecked the "protect hosts" box in Spybot Search & Destroy and shut it down. Is there another way to edit the HOSTS file?
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You can open it in wordpad.
    Strange if TDS doesn't let you correct that path, maybe it only looks at the original c:\windows location, but it should be searchable.
    Do other files with notepad open in TDS, like the log files and all other, so it really is the HOSTS file location and not because of notepad.exe 0 bytes instances in the TDS directory? Those 0 bytes files you can delete occasionally and those files should run fine again.
     
  19. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    No. When I try to open a logfile using TDS >> View Logfile... >> then select the logfile, nothing happens either. This is strange.
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Look if there are files 0 bytes small in the TDS directory and elsewhere. Windows has the habit creating them of files it can not run at a certain moment (reasons unknown) and they're put somewhere in the path and thus blocking access to the original in Windows.
    You can occasionally delete those 0 bytes files, you'll have them in many cases in several places; the second thing to do is to copy the original notepad.exe and wordpad.exe in the TDS directory (not move, just an extra copy) and it should always work again.
     
  21. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Are you saying that it is always safe to delete 0 byte files? and if so, does that apply to anywhere on my computer, or only in the TDS directory, because I think I have several scattered around my system.
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You could check with the NTFS ADS STREAMS scanner in TDS if they are really empty or have other sizes with streams in them.
    Notepad for example seems more targeted by malware, so if that has a stream it could really be interesting to look deeper; normally streams smaller than 128 bytes (not kb!) can be ignored; for a first deep scan you might like to look at how many of those streams are on your system and look deeper if they are larger than 128 bytes for example, and certainly if the streams would contain exe code for instance it's worth to submit them for deeper Gavin study.
    But if they are really empty you can delete them.
    I have several in TDS and some places more even at times the run32dll thing and ever found the kernel32.dll both 0 bytes but my system was still running.
    On XP the Helpfile is famous for being there with 0 bytes and thus it doesn't work any more (workaround is a shortcut on the desktop for that one) etc etc.
    So notepad.exe and wordpad.exe on a few strategic places where you need them more often (would it help to place a shortcut in the TDS directory to the original notepad.exe in windows directory btw?) and you should be able to use them properly and see all your logs there again.
     
  23. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    OK. I got it to work, thanks to your help. There was a notepad.exe file within the TDS3 folder with 0 bytes, not KB, so I deleted it. It worked after I did that.
    Basically, I have a couple of questions about this. If I uncheck the box for TDS to ignore the NTFS ADS STREAMS, then the scanner goes crazy detecting many, so how can I use it to check a particular file? Second, I also have a weird problem that I feel is related to this. If I view my TDS3 folder's contents in Thumbnail view, many of the folders have pictures on them that aren't supposed to be. For example, the PortLists folder within the TDS3 folder has a picture of an album from my .wma music collection on it. I notice that many of these random pictures being assigned to random folders are showing up when I do a system scan using TDS3 with the "ignore the NTFS ADS STREAMS" box UNCHECKED.

    Can you give me some insight on what you think about this?
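
The two checks discussed in the posts above (a 0-byte notepad.exe in the program folder getting in the way of the real one, and looking at the NTFS alternate data streams of one particular file) can be done from a PowerShell prompt. This is an added example, not part of the original thread and not a TDS feature; it assumes PowerShell 3.0 or later on an NTFS volume, and the function names are made up for this illustration.

```powershell
# Added example: find 0-byte executables that share a name with a real program
# on PATH, and list the alternate data streams of a single file.

function Find-EmptyShadowFile {
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -LiteralPath $Folder -File -Filter *.exe |
        Where-Object Length -eq 0 |
        ForEach-Object {
            $empty = $_
            # First non-empty file of the same name in any PATH directory.
            $real = $env:Path -split ';' |
                Where-Object { $_ } |
                ForEach-Object { [IO.Path]::Combine($_.Trim('"'), $empty.Name) } |
                Where-Object {
                    (Test-Path -LiteralPath $_ -PathType Leaf) -and
                    (Get-Item -LiteralPath $_ -Force).Length -gt 0
                } |
                Select-Object -First 1
            [pscustomobject]@{ EmptyFile = $empty.FullName; RealProgram = $real }
        }
}

function Get-ExtraStream {
    param([Parameter(Mandatory)][string]$Path)

    # ':$DATA' is the file's normal content; anything else is an alternate stream.
    # Over128 applies the 128-byte rule of thumb mentioned in the thread.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object Stream -ne ':$DATA' |
        Select-Object FileName, Stream, Length,
            @{ Name = 'Over128'; Expression = { $_.Length -gt 128 } }
}

# Folder path as it appears in the logs posted in this thread.
$tds = 'C:\Program Files\DiamondCS\TDS3'
if (Test-Path -LiteralPath $tds) {
    Find-EmptyShadowFile -Folder $tds | Format-List

    # Check one particular file rather than scanning the whole system.
    Get-ExtraStream -Path (Join-Path $tds 'TDS-3.exe') | Format-Table -AutoSize
}
```

`Find-EmptyShadowFile` only reports; deleting an empty file it lists remains a manual decision.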
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Does XP have a tool like TWEAK UI? I got in win98 file associations back with that where possible. And after using it files worked still ok, could have been different :)
    Maybe your scanner or firewall or other program was so kind to add NTFS ADS streams, with this result?
    Not quite sure why the scan goes on the loose on them......
    Hope somebody can explain that!
     
  25. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    OK. I downloaded TWEAK UI from Microsoft's website for Windows XP. How will that help me?
     