This just started today, but about every 30 minutes, a Notepad prompt appears saying:
“The filename, directory name, or volume label syntax is incorrect.”
I click it off and everything is fine - but it still keeps popping up later.
How do I stop this from occurring?
Can’t imagine what’s causing it, but dumb question: have you tried rebooting?
I’d bet money you’ve got a filetype association problem. Check your associations (you don’t say what OS, so I can’t tell you exactly how), and see if anything other than .txt, .htm, .html and similar text-only types is associated to Notepad.
There are several viruses, trojans and spyware running around that do Bad Things to notepad. Here are some threads from Google Groups about just a few of these.
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&th=4147777b5e4facf6&rnum=11
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&th=5c08969bd0c8d737&rnum=14
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&th=268dcc1fd05dca87&rnum=20
(I hope these links remain valid. I searched for recent articles using the keywords: notepad virus)
In short: run the usual anti-virus, anti-spyware programs. See the computer sticky.
EarlyOut
I’ll give myself a smack-the-head :smack: for not trying a restart but sadly it didn’t work. (Thanks for the suggestion, though).
QED
The file associations for Notepad (on my computer) are:
DIC EXC HTM INI LOG SCP SCT TXT WSC WTX ZAP
ftg
I did read the SDMB computer sticky but I was specifically looking for Notepad and didn’t see anything. Wow I can’t believe that hackers are going after Notepad. Anyway, I’m going to follow your suggestions also.
Thanks all, and I sure will let you know what works. Still, if anyone else feels like posting to this thread - please feel free.
I’ll be back as AHHHHHH - NOLD says.
I still have the Notepad problem. From what I have read on the Internet, it isn’t the Notepad virus which replaces Notepad with something else. The real Notepad is still on my hard drive (50K - the correct file size), but it still keeps “popping up” with those prompts. Unlike the real Notepad, when I click off the prompt, Notepad is still running. When a second popup occurs and I click that off, 2 Notepad icons are now running (and so forth).
The only thing similar to the Notepad virus is that I cannot use View Source to see the source code of a web page.
I have tried deleting Notepad but it reappears even after using a “shredder” to delete Notepad.
Any other thoughts on this would be greatly appreciated.
(Oh, I am running Windows 2000).
I’m guessing if Notepad could be entirely deleted, that might solve everything.
I’ve tried deleting it in many ways (even using a shredder program that makes 20 “sweeps” over the file). So, how could I delete Notepad entirely from the computer?
Clearly that is NOT the proper notepad.exe. If it were, deleting it would permanently remove it. Some process is launching on boot and putting it back, and you have to locate this process and kill it first. I’d suggest Hijack This. Run it and post the log here.
If that don’t work, search the entire hard drive for *.bat files containing the phrase “notepad”.
QED
Thanks for continuing to help me with this.
Well, here is the Hijack This log file:
Logfile of HijackThis v1.98.2
Scan saved at 12:49:15 AM, on 10/10/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PROMon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\WINNT\medload.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\AWS\WeatherBug\Weather.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mad.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
N3 - Netscape 7: user_pref(“browser.startup.homepage”, “http://www.excite.com”); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\snju7uhy.slt\prefs.js)
N3 - Netscape 7: user_pref(“browser.search.defaultengine”, “engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src”); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\snju7uhy.slt\prefs.js)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Anquiro Toolbar - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - C:\Program Files\aniquro\anquiro.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM…\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM…\Run: [PROMon.exe] PROMon.exe
O4 - HKLM…\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM…\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM…\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM…\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM…\Run: [IPInSightLAN 01] “C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe” -l
O4 - HKLM…\Run: [IPInSightMonitor 01] “C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe”
O4 - HKLM…\Run: [a-winpoet-service] “C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe”
O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM…\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM…\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM…\Run: [sslkwtoxsrtbe] C:\WINNT\system32\ejiuxmk.exe
O4 - HKLM…\Run: [WildTangent CDA] RUNDLL32.exe “C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll”,cdaEngineMain
O4 - HKLM…\Run: [webHancer Survey Companion] “C:\Program Files\webHancer\Programs\whSurvey.exe”
O4 - HKLM…\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM…\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM…\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM…\Run: [loads.exe] C:\WINNT\medload.exe
O4 - HKLM…\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU…\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU…\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Anquiro Toolbar - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - C:\Program Files\aniquro\anquiro.dll
O9 - Extra ‘Tools’ menuitem: Anquiro Toolbar - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - C:\Program Files\aniquro\anquiro.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra ‘Tools’ menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://support.gateway.com/support/contact/formassist.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=5d15351b96687ac90b54afcc18827f4e0c2e1af8d6b2139a6d78fa1ba96d9d848d38af6822d00ec9f99362db9dd3db34d4b55fa34a893c9a5b532161d5cd35:316ec1697e4766858480d3e80deecaa8
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/156b0b300cbbb3a32a06/netzip/RdxIE601.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_40/QDow_AS2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/mmed.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
Parental Advisory, I’ll try that now.
If Windows File Protection is running, it will replace a deleted notepad.exe. If you’re really interested in deleting it, get rid of winnt\system32\dllcache\notepad.exe first.
I don’t have any suggestions for the main problem, but did you know that Notepad is covered under Windows File Protection? The system will restore any protected file erased or overwritten. WFP is on Win2K and later (and maybe NT), 9x and ME have a similar ‘feature’ called System File Checker. I wouldn’t consider the restoration of the program necessarily suspect.
More here. Search for ‘protection’.
-mdf
drat
The following look suspicious to me, and should be investigated:
C:\WINNT\system32\NOTEPAD.EXE (notepad.exe is NOT native to the system32 folder! It’s in the Windows top-level folder.)
O4 - HKLM…\Run: [sslkwtoxsrtbe] C:\WINNT\system32\ejiuxmk.exe (random-seeming process and file names are always highly suspect)
QED
Thanks for the quick reply.
As far as those 2 suspect files, how do I investigate further? (I’ve been online over 7 years now and the “crapware” keeps changing all the time - I can’t keep up with it anymore.)
Go to Start > Run… and type regedit, then hit Enter. Use File > Export to back up your registry to a .reg file. Then, in the Regedit window, go to File > Find… and type in ejiuxmk.exe. Delete the entry when it finds it (yes, I’m almost 100% positive this file is up to no good). Use F3 to find additional entries and delete each one. Close the Registry Editor, then go and delete the \system32\NOTEPAD.EXE file. Reboot. See if Notepad is running. If not, you’ve nailed it.
QED
I did as you said and restarted the system. I went to Internet Explorer and used View Source (which uses Notepad) and it worked (it hasn’t been working since this Notepad “popup” nonsense started). So, I thought it was successful.
However, about a minute later, there was a Notepad popup with the same message. Also, the View Source didn’t work. Maybe that’s significant in the sense that the problem may have been fixed for a few minutes.
Well it’s 2:00 am here and I’m too tired to keep on working on this tonight.
Hmmm. Well, when you wake up, run off another Hijack This log. Meanwhile, I’ll do some digging and see if I can’t find a better solution.
Can you elaborate on this:
When does this sort of thing happen to the real Notepad?
Now, some stuff to investigate.
1. Run the command “at” at a command prompt and see if anything is scheduled. You may need to do this as an administrator.
2. Another thing – is the file size consistent for all copies of notepad.exe? There is C:\winnt\notepad.exe, C:\winnt\system32\notepad.exe, and C:\winnt\system32\dllcache\notepad.exe (a file called notepad.exe does belong in the system32 directory, so its presence alone should not be worrisome).
3. Something else to try as an administrator is to take away the Execute permission from everybody on all copies of notepad.exe. Then if you enable failure logging on all those copies, you might see just who/what is trying to run the program in the security logs. I realize that it is not obvious how to do that, so I can write some instructions when I too am refreshed and able to write instructions!
Here’s the latest “hijack this” log:
Logfile of HijackThis v1.98.2
Scan saved at 1:21:59 PM, on 10/10/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PROMon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\WINNT\medload.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\AWS\WeatherBug\Weather.EXE
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mad.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
N3 - Netscape 7: user_pref(“browser.startup.homepage”, “http://www.excite.com”); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\snju7uhy.slt\prefs.js)
N3 - Netscape 7: user_pref(“browser.search.defaultengine”, “engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src”); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\snju7uhy.slt\prefs.js)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Anquiro Toolbar - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - C:\Program Files\aniquro\anquiro.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM…\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM…\Run: [PROMon.exe] PROMon.exe
O4 - HKLM…\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM…\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM…\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM…\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM…\Run: [IPInSightLAN 01] “C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe” -l
O4 - HKLM…\Run: [IPInSightMonitor 01] “C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe”
O4 - HKLM…\Run: [a-winpoet-service] “C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe”
O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM…\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM…\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM…\Run: [WildTangent CDA] RUNDLL32.exe “C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll”,cdaEngineMain
O4 - HKLM…\Run: [webHancer Survey Companion] “C:\Program Files\webHancer\Programs\whSurvey.exe”
O4 - HKLM…\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM…\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM…\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM…\Run: [loads.exe] C:\WINNT\medload.exe
O4 - HKLM…\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU…\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU…\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Anquiro Toolbar - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - C:\Program Files\aniquro\anquiro.dll
O9 - Extra ‘Tools’ menuitem: Anquiro Toolbar - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - C:\Program Files\aniquro\anquiro.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra ‘Tools’ menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://support.gateway.com/support/contact/formassist.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=5d15351b96687ac90b54afcc18827f4e0c2e1af8d6b2139a6d78fa1ba96d9d848d38af6822d00ec9f99362db9dd3db34d4b55fa34a893c9a5b532161d5cd35:316ec1697e4766858480d3e80deecaa8
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/156b0b300cbbb3a32a06/netzip/RdxIE601.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_40/QDow_AS2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/mmed.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
JRootabega
- I ran “at” and nothing happened
- The file size of Notepad in the WINNT folder and in the SYSTEM32 folder is 50K which is what it should be.
- Obviously I held off on this suggestion.
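
Added example, not part of the original thread: a short Python script that compares two HijackThis logs taken before and after a cleanup, which is what the request for a second log makes possible. The two logs in it are trimmed excerpts constructed from the ones posted above, with the Run key written the way HijackThis prints it (HKLM\..\Run); parse_log, diff_logs and removed_autoruns are names chosen for this example.

```python
import re
from collections import Counter

# Constructed, trimmed excerpts of the two logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.98.2
Scan saved at 12:49:15 AM, on 10/10/2004
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\medload.exe
C:\Program Files\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [sslkwtoxsrtbe] C:\WINNT\system32\ejiuxmk.exe
O4 - HKLM\..\Run: [loads.exe] C:\WINNT\medload.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.98.2
Scan saved at 1:21:59 PM, on 10/10/2004
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\medload.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [loads.exe] C:\WINNT\medload.exe
"""

# Result lines look like "O4 - ..." or "R0 - ..."; process lines are bare paths.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Matches both "HKLM\..\Run: [name] cmd" and the "HKLM…\Run:" form seen above.
RUN_VALUE = re.compile(r"Run: \[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")


def parse_log(text):
    """Return (Counter of running processes, list of (code, body) entries)."""
    procs, entries, in_procs = Counter(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False          # the process list ends at the first entry
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs:
            procs[line.lower()] += 1  # Windows paths are case-insensitive
    return procs, entries


def diff_logs(before, after):
    """Multiset difference of processes and entries between two scans."""
    p0, e0 = parse_log(before)
    p1, e1 = parse_log(after)
    c0, c1 = Counter(e0), Counter(e1)
    return {
        "procs_gone": sorted((p0 - p1).elements()),
        "procs_new": sorted((p1 - p0).elements()),
        "entries_gone": sorted((c0 - c1).elements()),
        "entries_new": sorted((c1 - c0).elements()),
    }


def removed_autoruns(before, after):
    """(value name, command) for each O4 Run value that the cleanup removed."""
    out = []
    for code, body in diff_logs(before, after)["entries_gone"]:
        m = RUN_VALUE.search(body) if code == "O4" else None
        if m:
            out.append((m.group("name"), m.group("cmd")))
    return out


if __name__ == "__main__":
    for key, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(key, items)
    print("autoruns removed:", removed_autoruns(LOG_BEFORE, LOG_AFTER))
```

Run over full logs, the same comparison also lists differences that come from ordinary use, such as a program that happened to be open during only one of the scans, so each reported line still needs a look.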