 |  |  |  |  |  |  |  |
datadx.dll
 |
:cry:
I have been unable to get rid of an infection that my sister has on her computer. She had many and I was able to get rid of all but one. I have run
Find-Qoologic
Kill2Me.exe
LQfix.bat
AboutBuster.exe
rbkiller.exe
VX2Finder9x(126).exe
cwshredder.exe
in an attempt to get rid of this infection with no success.
I have done many scans for viruses with F_Prot, in DOS, with no results and tried Panada but it crashed before it could finish.
The one that keeps coming back is "datadx.dll". It seems to reinstall itself to the Windows\system folder and creates a "run key" in the registry with the name of "autoupdate" and a value containing the path to "Windows\system\datadx.dll shstart" as you can see from the listing bellow. We had already deleted the file "datadx.dll" in DOS so you do not see it as a running process for we can not get on line if it is running. If it was running you would see an entry like "C:\WINDOWS\RUNDLL32.EXE" in the running processes listing of HijackThis.
Any help would be most appreciated!
Logfile of HijackThis v1.99.1
Scan saved at 4:40:49 PM, on 7/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
E:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\U.S. ROBOTICS\U.S. ROBOTICS INTERNET CALL NOTIFICATION\CALLWAITING.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\FIX\FIXES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2000\Search Bar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpidschd.exe -log -- -log] C:\Program Files\Hewlett-Packard\HP Instant Delivery\hpidschd.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2000\Search Extension.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MI193~10\OFFICE\1033\PHDINTL.DLL/phdContext.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.www.med
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: Dialpad Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
I have been unable to get rid of an infection that my sister has on her computer. She had many and I was able to get rid of all but one. I have run
Find-Qoologic
Kill2Me.exe
LQfix.bat
AboutBuster.exe
rbkiller.exe
VX2Finder9x(126).exe
cwshredder.exe
in an attempt to get rid of this infection with no success.
I have done many scans for viruses with F_Prot, in DOS, with no results and tried Panada but it crashed before it could finish.
The one that keeps coming back is "datadx.dll". It seems to reinstall itself to the Windows\system folder and creates a "run key" in the registry with the name of "autoupdate" and a value containing the path to "Windows\system\datadx.dll shstart" as you can see from the listing bellow. We had already deleted the file "datadx.dll" in DOS so you do not see it as a running process for we can not get on line if it is running. If it was running you would see an entry like "C:\WINDOWS\RUNDLL32.EXE" in the running processes listing of HijackThis.
Any help would be most appreciated!
Logfile of HijackThis v1.99.1
Scan saved at 4:40:49 PM, on 7/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
E:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\U.S. ROBOTICS\U.S. ROBOTICS INTERNET CALL NOTIFICATION\CALLWAITING.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\FIX\FIXES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2000\Search Bar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpidschd.exe -log -- -log] C:\Program Files\Hewlett-Packard\HP Instant Delivery\hpidschd.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2000\Search Extension.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MI193~10\OFFICE\1033\PHDINTL.DLL/phdContext.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.www.med
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: Dialpad Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
It looks like you still have components of the Qoologic infection on your system.
Please Download the following tools to assist us in removing this infection!
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Doubleclick WinPFind.exe
Double Click on "Track qoo.vbs"
Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!
Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!
Please Download the following tools to assist us in removing this infection!
- Download WinPFind
- Right Click the Zip Folder and Select "Extract All"<
- Extract it somewhere you will remember like the Desktop<
- Dont do anything with it yet!<
- Download the Track qoo utility I've attached below. Unzip it and save it as you did for WinPFind
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Doubleclick WinPFind.exe
- Click "Start Scan"<
- It will scan the entire System, so please be patient!<
- Once the Scan is Complete
- Go to the WinPFind folder<
- Locate WinPFind.txt<
- Place those results in the next post!<
Double Click on "Track qoo.vbs"
Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!
Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Thank you very much for your reply
When she ran "Track qoo" she got a "Scripting Error" but I think I may have disabled Java Scripting in IE , trying to help her, so now I am thinking that that may effect a VB Script, but I don't know. Would IE settings effect this program?
She was able to run WinPFind with out a problem.
results given bellow
Go figure!!!
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.
»»»»»»»»»»»»»»»»»»»»»»»» Files Found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
UPX! C:\log.txt
FSG! C:\log.txt
FSG! C:\win.txt
UPX! C:\windows.txt
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
KavSvc C:\WINDOWS\SYSTEM.DAT
KavSvc C:\WINDOWS\HWINFO.DAT
qoologic C:\WINDOWS\USER.DAT
UPX! C:\WINDOWS\tsc.exe
UPX! C:\WINDOWS\RMAgentOutput.dll
Checking %System% folder...
PTech C:\WINDOWS\system\MDACRDME.HTM
Umonitor C:\WINDOWS\system\ipebase11.dll
Checking %System%\Drivers folder and sub-folders...
Checking the Windows folder for system and hidden files within the last 60 days...
7/26/05 C:\WINDOWS\SYSTEM.DAT
7/26/05 C:\WINDOWS\USER.DAT
7/26/05 C:\WINDOWS\ShellIconCache
6/15/05 C:\WINDOWS\Desktop\SHORTCUTS\ZbThumbnail.info
7/22/05 C:\WINDOWS\HELP\UPDATE.GID
7/12/05 C:\WINDOWS\HELP\RNAAPP.GID
7/12/05 C:\WINDOWS\HELP\apps.GID
7/13/05 C:\WINDOWS\Profiles\jgneagu@ixpres.com\USER.DAT
7/26/05 C:\WINDOWS\SYSTEM\vsconfig.xml
7/8/05 C:\WINDOWS\SYSTEM\ZLLICTBL.DAT
7/24/05 C:\WINDOWS\Tasks\SA.DAT
7/19/05 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
6/20/05 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Pattern.bmp
7/7/05 C:\WINDOWS\History\desktop.ini
7/7/05 C:\WINDOWS\History\History.IE5\desktop.ini
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
Checking %ALLUSERSPROFILE%\Startup folder...
Checking %ALLUSERSPROFILE%\Application Data folder...
Checking %USERPROFILE%\Startup folder...
Checking %USERPROFILE%\Application Data folder...
»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemTray SysTray.Exe
ScanRegistry C:\WINDOWS\scanregw.exe /autorun
EM_EXEC D:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HPAIO_PrintFolderMgr C:\WINDOWS\SYSTEM\hpoopm07.exe
3Cmlink C:\WINDOWS\SYSTEM\3cmlnkW.exe
Tweak UI RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
Zone Labs Client E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
MSFS
MAPI
IMAIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SpySweeper
E6TaskPanel "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
When she ran "Track qoo" she got a "Scripting Error" but I think I may have disabled Java Scripting in IE , trying to help her, so now I am thinking that that may effect a VB Script, but I don't know. Would IE settings effect this program?
She was able to run WinPFind with out a problem.
results given bellow
Go figure!!!
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.
»»»»»»»»»»»»»»»»»»»»»»»» Files Found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
UPX! C:\log.txt
FSG! C:\log.txt
FSG! C:\win.txt
UPX! C:\windows.txt
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
KavSvc C:\WINDOWS\SYSTEM.DAT
KavSvc C:\WINDOWS\HWINFO.DAT
qoologic C:\WINDOWS\USER.DAT
UPX! C:\WINDOWS\tsc.exe
UPX! C:\WINDOWS\RMAgentOutput.dll
Checking %System% folder...
PTech C:\WINDOWS\system\MDACRDME.HTM
Umonitor C:\WINDOWS\system\ipebase11.dll
Checking %System%\Drivers folder and sub-folders...
Checking the Windows folder for system and hidden files within the last 60 days...
7/26/05 C:\WINDOWS\SYSTEM.DAT
7/26/05 C:\WINDOWS\USER.DAT
7/26/05 C:\WINDOWS\ShellIconCache
6/15/05 C:\WINDOWS\Desktop\SHORTCUTS\ZbThumbnail.info
7/22/05 C:\WINDOWS\HELP\UPDATE.GID
7/12/05 C:\WINDOWS\HELP\RNAAPP.GID
7/12/05 C:\WINDOWS\HELP\apps.GID
7/13/05 C:\WINDOWS\Profiles\jgneagu@ixpres.com\USER.DAT
7/26/05 C:\WINDOWS\SYSTEM\vsconfig.xml
7/8/05 C:\WINDOWS\SYSTEM\ZLLICTBL.DAT
7/24/05 C:\WINDOWS\Tasks\SA.DAT
7/19/05 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
6/20/05 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Pattern.bmp
7/7/05 C:\WINDOWS\History\desktop.ini
7/7/05 C:\WINDOWS\History\History.IE5\desktop.ini
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
Checking %ALLUSERSPROFILE%\Startup folder...
Checking %ALLUSERSPROFILE%\Application Data folder...
Checking %USERPROFILE%\Startup folder...
Checking %USERPROFILE%\Application Data folder...
»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemTray SysTray.Exe
ScanRegistry C:\WINDOWS\scanregw.exe /autorun
EM_EXEC D:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HPAIO_PrintFolderMgr C:\WINDOWS\SYSTEM\hpoopm07.exe
3Cmlink C:\WINDOWS\SYSTEM\3cmlnkW.exe
Tweak UI RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
Zone Labs Client E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
MSFS
MAPI
IMAIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SpySweeper
E6TaskPanel "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
•
•
•
•
Originally Posted by mwda
When she ran "Track qoo" she got a "Scripting Error" but I think I may have disabled Java Scripting in IE , trying to help her, so now I am thinking that that may effect a VB Script, but I don't know. Would IE settings effect this program?
A) Script-blocking is enabled in your anti-virus software, as mentioned in the Track_Qoo instructions I posted earlier.
B) The system is a Win 98 system, so it might not have current enough versions of the Visual Basic (VB) components to run the Track_Qoo VB script. I'm not sure if this is an issue with Track_Qoo specifically, but I know that it's an issue with some of other tools that we use which rely on VB in some way. I'll have to look in to that.
* As an alternative to Track_Qoo, can you please download FindQoologic.zip. Unzip the downloaded file into its own folder and double-click on FindQoologic.bat to run it. When finished, FindQoologic.bat will generate a report log; please post the contents of that log here.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
I had the same problem running "Track qoo 1.vbs" on my Win98se machine so I used the error message and did a search on Google which came up with "http://freepops.diludovico.it/index.php?act=Print&client=printer&f=9&t=1460". It seems that VBS requires "Windows Management Instrumentation" in win95/98 and NT 4.0 but the more resent Windows, XP/2000/2003, come with that program already installed. I was able to download and install a file from MS called "wmi9x.exe" that gives one the support that VBS needs. I ran the program "Track qoo 1.vbs" on my computer after the install with no problems. I sent the fix to my sister and she has not gotten back to me yet but as soon as she does I will post the text output from that program. If you are interested here is the MS site where you can download the file "wmi9x.exe". "http://www.microsoft.com/downloads/details.aspx?FamilyID=98a4c5ba-337b-4e92-8c18-a63847760ea5&DisplayLang=en"
Good work on your follow-up regarding the error message and the issues revolving around older versions of Windows, VB, and WMI. That's where I was going with what I said in point B of my pervious post, but you seem to have gotten it sorted out already. 
Let us know what happens after your sister has a chance to try things and get back to you. Also- I would like to see the report from the FindQoologic program if possible.
Thanks for the update.
Let us know what happens after your sister has a chance to try things and get back to you. Also- I would like to see the report from the FindQoologic program if possible.
Thanks for the update.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Again thank you very much for your response!
here is the output you requested.
I knew their would not be much from "find-qoologic2.bat" for I had run it before and found two items that I deleted in DOS. The items where "RRRMKJ.exe" and "BBBOCNB.exe" and neither of them had a run key in the registry.
~~~~~~~~~~~~~~~~~~~~~~~~
Output from "Track qoo 1.vbs"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"EM_EXEC"="D:\\PROGRA~1\\LOGITECH\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"HPAIO_PrintFolderMgr"="C:\\WINDOWS\\SYSTEM\\hpoopm07.exe"
"3Cmlink"="C:\\WINDOWS\\SYSTEM\\3cmlnkW.exe"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"Zone Labs Client"="E:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- NortonAntivirus
{067DF822-EAB6-11cf-B56E-00A0244D5087}
0
Subkey --- {98098B30-21C2-11D2-9D1D-64DD03C10000}
Subkey --- PowerArchiver
{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}
d:\Program Files\PowerArchiver\PASHLEXT.DLL
Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey ---
==============================
==============================
C:\WINDOWS\Start Menu\Programs\StartUp
U.S. Robotics Internet Call Notification.lnk
==============================
C:\WINDOWS\SYSTEM cpl files
ALSNDMGR.CPL Realtek Semiconductor Corp.
APPWIZ.CPL Microsoft Corporation
AutoDisk.cpl Iomega Corp.
Avsmcpa.cpl Network Associates, Inc.
DESK.CPL Microsoft Corporation
IGFXCPL.CPL Intel Corporation
FINDFAST.CPL Microsoft Corporation
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
MODEM.CPL Microsoft Corporation
NETCPL.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
PASSWORD.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
S32LUCP1.CPL Symantec Corporation
SanCpl.cpl SiSoft Software
STICPL.CPL
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
TWEAKUI.CPL Microsoft Corporation
conres.cpl
~~~~~~~~~~~~~~~~~~~~~~~~~~~
output from "find-qoologic2"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
problem locating dir
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
here is the output you requested.
I knew their would not be much from "find-qoologic2.bat" for I had run it before and found two items that I deleted in DOS. The items where "RRRMKJ.exe" and "BBBOCNB.exe" and neither of them had a run key in the registry.
~~~~~~~~~~~~~~~~~~~~~~~~
Output from "Track qoo 1.vbs"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"EM_EXEC"="D:\\PROGRA~1\\LOGITECH\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"HPAIO_PrintFolderMgr"="C:\\WINDOWS\\SYSTEM\\hpoopm07.exe"
"3Cmlink"="C:\\WINDOWS\\SYSTEM\\3cmlnkW.exe"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"Zone Labs Client"="E:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- NortonAntivirus
{067DF822-EAB6-11cf-B56E-00A0244D5087}
0
Subkey --- {98098B30-21C2-11D2-9D1D-64DD03C10000}
Subkey --- PowerArchiver
{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}
d:\Program Files\PowerArchiver\PASHLEXT.DLL
Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey ---
==============================
==============================
C:\WINDOWS\Start Menu\Programs\StartUp
U.S. Robotics Internet Call Notification.lnk
==============================
C:\WINDOWS\SYSTEM cpl files
ALSNDMGR.CPL Realtek Semiconductor Corp.
APPWIZ.CPL Microsoft Corporation
AutoDisk.cpl Iomega Corp.
Avsmcpa.cpl Network Associates, Inc.
DESK.CPL Microsoft Corporation
IGFXCPL.CPL Intel Corporation
FINDFAST.CPL Microsoft Corporation
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
MODEM.CPL Microsoft Corporation
NETCPL.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
PASSWORD.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
S32LUCP1.CPL Symantec Corporation
SanCpl.cpl SiSoft Software
STICPL.CPL
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
TWEAKUI.CPL Microsoft Corporation
conres.cpl
~~~~~~~~~~~~~~~~~~~~~~~~~~~
output from "find-qoologic2"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
problem locating dir
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
•
•
Join Date: Feb 2004
Posts: 10,002
Reputation: 
Solved Threads: 757
Download the Pocket KillBox
Unzip the file to your desktop.
Run Pocket Killbox and paste the full file path of the below file in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you the file.
C:\WINDOWS\SYSTEM\conres.cpl
Reboot afterwards if the file is successfully deleted.
If the file is not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot.
==
Please post another hijackthis log and the other two logs.
Unzip the file to your desktop.
Run Pocket Killbox and paste the full file path of the below file in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you the file.
C:\WINDOWS\SYSTEM\conres.cpl
Reboot afterwards if the file is successfully deleted.
If the file is not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot.
==
Please post another hijackthis log and the other two logs.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Thank you very much for your response.
I have told my sister what to do and she said she would do it. We will get back to you with the information you requested. I am sorry for the delay. It certainly is not because of our lack of appreciation for the help that has been offered but due to the logistics of the situation.
Marshall
I have told my sister what to do and she said she would do it. We will get back to you with the information you requested. I am sorry for the delay. It certainly is not because of our lack of appreciation for the help that has been offered but due to the logistics of the situation.
Marshall
No worries about delays in responses, Marshall- it happens to us as well.
Get back to us with the results when you can; we'll be here.
Get back to us with the results when you can; we'll be here.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
|
Similar Threads
- Cannot connect to Internet after running troubleshooting software (Viruses, Spyware and other Nasties)
- Yet another AURORA problem (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Spysherrif leaves blue screen behind...
- Next Thread: This page cannot be displayed
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Viruses, Spyware and other Nasties Posts
adware anti-malware anti-virussitesaccessissue antivirus attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exam exploit facebook fake fancheckvirus gaming gumblar halloween herss.exe hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee mega-d messagelabs microsoft mobile nazi news obama onlinethreats paedophile panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirect redirecting reliability report research risk rogueantivirus samhain sans scareware school search security seopoisoning software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec trojan unwanted update usa virus viruses vista war warning windows worm yahoo zeroday
