Views: 4491 | Replies: 10
Join Date: Jul 2005
Posts: 6
Reputation:
Rep Power: 0
Solved Threads: 0
I have been unable to get rid of an infection that my sister has on her computer. She had many and I was able to get rid of all but one. I have run
Find-Qoologic
Kill2Me.exe
LQfix.bat
AboutBuster.exe
rbkiller.exe
VX2Finder9x(126).exe
cwshredder.exe
in an attempt to get rid of this infection with no success.
I have done many scans for viruses with F_Prot, in DOS, with no results, and tried Panda, but it crashed before it could finish.
The one that keeps coming back is "datadx.dll". It seems to reinstall itself to the Windows\system folder and creates a "run key" in the registry with the name "autoupdate" and a value containing the path to "Windows\system\datadx.dll shstart", as you can see from the listing below. We had already deleted the file "datadx.dll" in DOS, so you do not see it as a running process, because we cannot get online if it is running. If it were running you would see an entry like "C:\WINDOWS\RUNDLL32.EXE" in the running processes listing of HijackThis.
Any help would be most appreciated!
Logfile of HijackThis v1.99.1
Scan saved at 4:40:49 PM, on 7/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
E:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\U.S. ROBOTICS\U.S. ROBOTICS INTERNET CALL NOTIFICATION\CALLWAITING.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\FIX\FIXES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2000\Search Bar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpidschd.exe -log -- -log] C:\Program Files\Hewlett-Packard\HP Instant Delivery\hpidschd.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2000\Search Extension.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MI193~10\OFFICE\1033\PHDINTL.DLL/phdContext.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.www.med
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: Dialpad Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
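The persistence pattern in the log above (a Run value that launches rundll32 with a DLL path and an export name) is exactly the kind of entry a log triager wants to pick out automatically rather than by eye. The following Python script is an added example and is not code from the thread, from HijackThis or from any of the tools it mentions: it parses the O4 autostart lines of the posted log (copied inline as constructed sample data), extracts the DLL and export from every rundll32 command, and reports any DLL that is not on a small allow-list. The allow-list itself is an assumption made for this example.

```python
import re
from typing import Optional

# Constructed sample: the O4 (autostart) lines from the HijackThis log in the
# first post of this thread, copied here as data for the parser below.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
"""

# Assumed allow-list for this example: rundll32 targets that are expected on a
# stock Windows 98 box. Anything else loaded through rundll32 from an autostart
# location is reported for manual review.
KNOWN_RUNDLL32_TARGETS = {"powrprof.dll", "tweakui.cpl"}

# "O4 - HKLM\..\Run: [name] command"  (also RunServices / RunOnce)
O4_REGISTRY = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Services|Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# "O4 - Startup: name.lnk = command"
O4_STARTUP = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# "rundll32 <dll>,<export> [args]" with an optional path and .exe suffix.
RUNDLL32 = re.compile(
    r"^(?:\S*\\)?rundll32(?:\.exe)?\s+(?P<dll>[^,]+),(?P<export>\S+)",
    re.IGNORECASE,
)


def parse_o4(line: str) -> Optional[dict]:
    """Return {'location', 'name', 'cmd'} for an O4 line, or None for any other line."""
    m = O4_REGISTRY.match(line)
    if m:
        return {"location": f"{m['hive']}\\...\\{m['key']}", "name": m["name"], "cmd": m["cmd"]}
    m = O4_STARTUP.match(line)
    if m:
        return {"location": "Startup folder", "name": m["name"], "cmd": m["cmd"]}
    return None


def rundll32_target(cmd: str) -> Optional[tuple]:
    """If cmd runs a DLL export via rundll32, return (dll_path, export); else None."""
    m = RUNDLL32.match(cmd.strip())
    return (m["dll"].strip(), m["export"]) if m else None


def triage(log_text: str) -> list:
    """Flag autostart entries whose rundll32 target is not on the allow-list."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        target = rundll32_target(entry["cmd"])
        if target is None:
            continue
        dll_path, export = target
        # Compare on the bare file name, case-insensitively, as Win9x paths are.
        dll_name = dll_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if dll_name not in KNOWN_RUNDLL32_TARGETS:
            findings.append({**entry, "dll": dll_name, "export": export,
                             "reason": "rundll32 loads a DLL that is not on the allow-list"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['location']} [{f['name']}] -> {f['dll']},{f['export']}: {f['reason']}")
```

Run as-is, the script reports only the `autoupdate` value (`datadx.dll,SHStart`); the two legitimate rundll32 loaders (`powrprof.dll` and `TWEAKUI.CPL`) are suppressed by the allow-list, and plain EXE entries are ignored because they never match the rundll32 pattern. The same parser can be pointed at a full HijackThis log file, since it simply skips every line that is not an O4 entry.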
Join Date: Dec 2003
Location: Marin County, CA
Posts: 6,439
Reputation:
Rep Power: 19
Solved Threads: 338
It looks like you still have components of the Qoologic infection on your system.
Please Download the following tools to assist us in removing this infection!
- Download WinPFind
- Right Click the Zip Folder and Select "Extract All"
- Extract it somewhere you will remember like the Desktop
- Dont do anything with it yet!
- Download the Track qoo utility I've attached below. Unzip it and save it as you did for WinPFind
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Doubleclick WinPFind.exe
- Click "Start Scan"
- It will scan the entire System, so please be patient!
- Once the Scan is Complete
- Go to the WinPFind folder
- Locate WinPFind.txt
- Place those results in the next post!
Double Click on "Track qoo.vbs"
Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!
Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Join Date: Jul 2005
Posts: 6
Reputation:
Rep Power: 0
Solved Threads: 0
Thank you very much for your reply
When she ran "Track qoo" she got a "Scripting Error", but I think I may have disabled Java Scripting in IE trying to help her, so now I am thinking that that may affect a VB Script, but I don't know. Would IE settings affect this program?
She was able to run WinPFind without a problem.
Results given below.
Go figure!!!
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.
»»»»»»»»»»»»»»»»»»»»»»»» Files Found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
UPX! C:\log.txt
FSG! C:\log.txt
FSG! C:\win.txt
UPX! C:\windows.txt
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
KavSvc C:\WINDOWS\SYSTEM.DAT
KavSvc C:\WINDOWS\HWINFO.DAT
qoologic C:\WINDOWS\USER.DAT
UPX! C:\WINDOWS\tsc.exe
UPX! C:\WINDOWS\RMAgentOutput.dll
Checking %System% folder...
PTech C:\WINDOWS\system\MDACRDME.HTM
Umonitor C:\WINDOWS\system\ipebase11.dll
Checking %System%\Drivers folder and sub-folders...
Checking the Windows folder for system and hidden files within the last 60 days...
7/26/05 C:\WINDOWS\SYSTEM.DAT
7/26/05 C:\WINDOWS\USER.DAT
7/26/05 C:\WINDOWS\ShellIconCache
6/15/05 C:\WINDOWS\Desktop\SHORTCUTS\ZbThumbnail.info
7/22/05 C:\WINDOWS\HELP\UPDATE.GID
7/12/05 C:\WINDOWS\HELP\RNAAPP.GID
7/12/05 C:\WINDOWS\HELP\apps.GID
7/13/05 C:\WINDOWS\Profiles\jgneagu@ixpres.com\USER.DAT
7/26/05 C:\WINDOWS\SYSTEM\vsconfig.xml
7/8/05 C:\WINDOWS\SYSTEM\ZLLICTBL.DAT
7/24/05 C:\WINDOWS\Tasks\SA.DAT
7/19/05 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
6/20/05 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Pattern.bmp
7/7/05 C:\WINDOWS\History\desktop.ini
7/7/05 C:\WINDOWS\History\History.IE5\desktop.ini
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
Checking %ALLUSERSPROFILE%\Startup folder...
Checking %ALLUSERSPROFILE%\Application Data folder...
Checking %USERPROFILE%\Startup folder...
Checking %USERPROFILE%\Application Data folder...
»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemTray SysTray.Exe
ScanRegistry C:\WINDOWS\scanregw.exe /autorun
EM_EXEC D:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HPAIO_PrintFolderMgr C:\WINDOWS\SYSTEM\hpoopm07.exe
3Cmlink C:\WINDOWS\SYSTEM\3cmlnkW.exe
Tweak UI RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
Zone Labs Client E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
MSFS
MAPI
IMAIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SpySweeper
E6TaskPanel "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Join Date: Dec 2003
Location: Marin County, CA
Posts: 6,439
Reputation:
Rep Power: 19
Solved Threads: 338
Originally Posted by mwda
When she ran "Track qoo" she got a "Scripting Error", but I think I may have disabled Java Scripting in IE trying to help her, so now I am thinking that that may affect a VB Script, but I don't know. Would IE settings affect this program?
A) Script-blocking is enabled in your anti-virus software, as mentioned in the Track_Qoo instructions I posted earlier.
B) The system is a Win 98 system, so it might not have current enough versions of the Visual Basic (VB) components to run the Track_Qoo VB script. I'm not sure if this is an issue with Track_Qoo specifically, but I know that it's an issue with some of the other tools that we use which rely on VB in some way. I'll have to look into that.
* As an alternative to Track_Qoo, can you please download FindQoologic.zip. Unzip the downloaded file into its own folder and double-click on FindQoologic.bat to run it. When finished, FindQoologic.bat will generate a report log; please post the contents of that log here.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Join Date: Jul 2005
Posts: 6
Reputation:
Rep Power: 0
Solved Threads: 0
I had the same problem running "Track qoo 1.vbs" on my Win98se machine, so I used the error message and did a search on Google which came up with "http://freepops.diludovico.it/index.php?act=Print&client=printer&f=9&t=1460". It seems that VBS requires "Windows Management Instrumentation" in Win95/98 and NT 4.0, but the more recent Windows versions, XP/2000/2003, come with that program already installed. I was able to download and install a file from MS called "wmi9x.exe" that gives one the support that VBS needs. I ran the program "Track qoo 1.vbs" on my computer after the install with no problems. I sent the fix to my sister and she has not gotten back to me yet, but as soon as she does I will post the text output from that program. If you are interested, here is the MS site where you can download the file "wmi9x.exe": "http://www.microsoft.com/downloads/details.aspx?FamilyID=98a4c5ba-337b-4e92-8c18-a63847760ea5&DisplayLang=en"
Join Date: Dec 2003
Location: Marin County, CA
Posts: 6,439
Reputation:
Rep Power: 19
Solved Threads: 338
Good work on your follow-up regarding the error message and the issues revolving around older versions of Windows, VB, and WMI. That's where I was going with what I said in point B of my previous post, but you seem to have gotten it sorted out already.
Let us know what happens after your sister has a chance to try things and get back to you. Also- I would like to see the report from the FindQoologic program if possible.
Thanks for the update.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Join Date: Jul 2005
Posts: 6
Reputation:
Rep Power: 0
Solved Threads: 0
Again thank you very much for your response!
Here is the output you requested.
I knew there would not be much from "find-qoologic2.bat", for I had run it before and found two items that I deleted in DOS. The items were "RRRMKJ.exe" and "BBBOCNB.exe", and neither of them had a run key in the registry.
~~~~~~~~~~~~~~~~~~~~~~~~
Output from "Track qoo 1.vbs"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"EM_EXEC"="D:\\PROGRA~1\\LOGITECH\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"HPAIO_PrintFolderMgr"="C:\\WINDOWS\\SYSTEM\\hpoopm07.exe"
"3Cmlink"="C:\\WINDOWS\\SYSTEM\\3cmlnkW.exe"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"Zone Labs Client"="E:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- NortonAntivirus
{067DF822-EAB6-11cf-B56E-00A0244D5087}
0
Subkey --- {98098B30-21C2-11D2-9D1D-64DD03C10000}
Subkey --- PowerArchiver
{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}
d:\Program Files\PowerArchiver\PASHLEXT.DLL
Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey ---
==============================
==============================
C:\WINDOWS\Start Menu\Programs\StartUp
U.S. Robotics Internet Call Notification.lnk
==============================
C:\WINDOWS\SYSTEM cpl files
ALSNDMGR.CPL Realtek Semiconductor Corp.
APPWIZ.CPL Microsoft Corporation
AutoDisk.cpl Iomega Corp.
Avsmcpa.cpl Network Associates, Inc.
DESK.CPL Microsoft Corporation
IGFXCPL.CPL Intel Corporation
FINDFAST.CPL Microsoft Corporation
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
MODEM.CPL Microsoft Corporation
NETCPL.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
PASSWORD.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
S32LUCP1.CPL Symantec Corporation
SanCpl.cpl SiSoft Software
STICPL.CPL
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
TWEAKUI.CPL Microsoft Corporation
conres.cpl
~~~~~~~~~~~~~~~~~~~~~~~~~~~
output from "find-qoologic2"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
problem locating dir
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
here is the output you requested.
I knew their would not be much from "find-qoologic2.bat" for I had run it before and found two items that I deleted in DOS. The items where "RRRMKJ.exe" and "BBBOCNB.exe" and neither of them had a run key in the registry.
~~~~~~~~~~~~~~~~~~~~~~~~
Output from "Track qoo 1.vbs"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"EM_EXEC"="D:\\PROGRA~1\\LOGITECH\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"HPAIO_PrintFolderMgr"="C:\\WINDOWS\\SYSTEM\\hpoopm07.exe"
"3Cmlink"="C:\\WINDOWS\\SYSTEM\\3cmlnkW.exe"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"Zone Labs Client"="E:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- NortonAntivirus
{067DF822-EAB6-11cf-B56E-00A0244D5087}
0
Subkey --- {98098B30-21C2-11D2-9D1D-64DD03C10000}
Subkey --- PowerArchiver
{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}
d:\Program Files\PowerArchiver\PASHLEXT.DLL
Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey ---
==============================
==============================
C:\WINDOWS\Start Menu\Programs\StartUp
U.S. Robotics Internet Call Notification.lnk
==============================
C:\WINDOWS\SYSTEM cpl files
ALSNDMGR.CPL Realtek Semiconductor Corp.
APPWIZ.CPL Microsoft Corporation
AutoDisk.cpl Iomega Corp.
Avsmcpa.cpl Network Associates, Inc.
DESK.CPL Microsoft Corporation
IGFXCPL.CPL Intel Corporation
FINDFAST.CPL Microsoft Corporation
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
MODEM.CPL Microsoft Corporation
NETCPL.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
PASSWORD.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
S32LUCP1.CPL Symantec Corporation
SanCpl.cpl SiSoft Software
STICPL.CPL
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
TWEAKUI.CPL Microsoft Corporation
conres.cpl
~~~~~~~~~~~~~~~~~~~~~~~~~~~
output from "find-qoologic2"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
problem locating dir
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
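The triage the thread is doing by hand, reading each Run value and asking where the launched program actually lives, can be scripted. The following is an added example written for this page, not a tool from the thread or from any of the utilities named in it. It parses REGEDIT4 text like the "Track qoo" output above, collects every value under a Run, RunOnce or RunServices key, undoes the .reg escaping, splits each command line into program and arguments the way the shell does, and flags two things a defender checks first: programs given without a full path (resolved through the search path) and libraries loaded via rundll32. The sample input is the Run key block printed above plus one constructed RunServices line; the names example_update and EXAMPLE.DLL are placeholders, not anything found on the machine in the thread.

```python
"""Autostart triage for a REGEDIT4 export (added example, not a thread tool)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Key header lines for the autostart keys we care about.
RUN_KEY_RE = re.compile(
    r"^\[(?P<key>.+\\Run(Once|Services|ServicesOnce)?)\]$", re.IGNORECASE)
# "name"="data" string values as REGEDIT4 writes them (escapes kept for now).
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"="(?P<data>(?:[^"\\]|\\.)*)"$')
EXEC_EXTS = (".exe", ".com", ".bat", ".pif", ".scr", ".cmd")


@dataclass
class RunEntry:
    key: str
    name: str
    command: str


@dataclass
class Finding:
    entry: RunEntry
    program: str
    reasons: List[str]


def unescape(s: str) -> str:
    """Undo REGEDIT4 string escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text: str) -> List[RunEntry]:
    """Return every string value found under a Run* key in the export."""
    entries, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current = m.group("key") if m else None  # values of other keys are skipped
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(RunEntry(current, unescape(m.group("name")),
                                    unescape(m.group("data"))))
    return entries


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (program, arguments).

    A quoted program ends at the closing quote. An unquoted one is extended
    token by token until it ends in an executable extension, so an unquoted
    path that contains spaces is still recovered as one program name.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(EXEC_EXTS):
            return candidate, " ".join(tokens[i + 1:])
    return (tokens[0], " ".join(tokens[1:])) if tokens else ("", "")


def is_absolute(path: str) -> bool:
    return bool(re.match(r"^([A-Za-z]:\\|\\\\)", path))


def triage(entries: List[RunEntry]) -> List[Finding]:
    """Flag entries that need a closer look; nothing is changed or deleted."""
    findings = []
    for e in entries:
        program, args = split_command(e.command)
        reasons = []
        if not is_absolute(program):
            reasons.append("program has no full path; it is resolved through the search path")
        base = program.rsplit("\\", 1)[-1].lower()
        if base in ("rundll32.exe", "rundll.exe"):
            library = args.split(",", 1)[0].strip().strip('"')
            reasons.append(f"rundll32 loads {library}; verify that library's location and publisher")
        if reasons:
            findings.append(Finding(e, program, reasons))
    return findings


# Sample input: the Run key block from the log above, plus one CONSTRUCTED
# RunServices entry with placeholder names to show what a flagged library looks like.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"EM_EXEC"="D:\\PROGRA~1\\LOGITECH\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"HPAIO_PrintFolderMgr"="C:\\WINDOWS\\SYSTEM\\hpoopm07.exe"
"3Cmlink"="C:\\WINDOWS\\SYSTEM\\3cmlnkW.exe"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"Zone Labs Client"="E:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"example_update"="rundll32.exe C:\\WINDOWS\\SYSTEM\\EXAMPLE.DLL,Start"
"""

if __name__ == "__main__":
    for f in triage(parse_run_entries(SAMPLE_REG)):
        print(f"{f.entry.key}\\{f.entry.name}: {f.program}")
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, the script leaves the fully qualified entries alone and reports SystemTray, LoadPowerProfile and Tweak UI (bare program names, two of them rundll32 loaders) together with the constructed RunServices line. The point is to make the rundll32-loaded library visible as its own item, since the log only ever shows RUNDLL32.EXE as the running process.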
Join Date: Feb 2004
Location: Oztralya
Posts: 8,121
Rep Power: 23
Solved Threads: 468
Download the Pocket KillBox
Unzip the file to your desktop.
Run Pocket Killbox and paste the full file path of the below file in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you paste the file path.
C:\WINDOWS\SYSTEM\conres.cpl
Reboot afterwards if the file is successfully deleted.
If the file is not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot.
==
Please post another hijackthis log and the other two logs.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Join Date: Jul 2005
Posts: 6
Rep Power: 0
Solved Threads: 0
Thank you very much for your response.
I have told my sister what to do and she said she would do it. We will get back to you with the information you requested. I am sorry for the delay. It certainly is not because of our lack of appreciation for the help that has been offered but due to the logistics of the situation.
Marshall
Join Date: Dec 2003
Location: Marin County, CA
Posts: 6,439
Rep Power: 19
Solved Threads: 338
No worries about delays in responses, Marshall- it happens to us as well.
Get back to us with the results when you can; we'll be here.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.