I've got a nasty VX2 infection
Join Date: Jan 2005
Posts: 14
Reputation:
Solved Threads: 0
Hi,
For a week now I've been fighting with a VX2 on my laptop running W2K with NTFS. At least that's what Adware reports when I run it. It can't clean it, though. I have basically the same symptoms other people report in the posts. Last night I ran Dllcompare and then Killbox. I entered the dll files from Dllcompare (which I suspect should not be in my system32 folder) into Killbox, without letting it reboot. After the last file I said "OK" to reboot. At that point it responded with "Verifying Reg entries...plz wait" and after that popped up a message with a white X in a red circle saying "PendingFileRenamingOperations RegistryData has been Removed from External Process!" and it didn't reboot the machine. I restarted the computer myself and then ran Dllcompare again. In the log file there were again a lot of files listed. So I guess nothing has been done. Do you have an idea what that last Killbox message means? How can I make it reboot?
Thanks
If you want to post a dllcompare log and a findit log, we would be glad to help you out.
Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and doubleclick on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.
Crunchie, thanks for your readiness to help.
I followed the procedure described in http://www.lavasoftsupport.com/index...pic=54511&st=0
My machine is a laptop running W2K SP3 with NTFS.
As I said Killbox didn't reboot the machine, I restarted it. Then after I logged in again I ran Ad-ware SE Pro and told it to do a full system scan on next startup, to use delayed loading and clean automatically. Then I rebooted again and ran DLLcompare after Ad-ware finished the scan. It found no suspicious files except msrdo20.dll and rdocurs.dll but I assume those are ok since their date was in 2000. Guard.tmp was also not in the system32 folder. On next reboot Ad-ware also doesn't find any VX2 anymore. At this stage I just continued with the procedure, cleaned the registry and the hosts file. Then rebooted and checked everything again - no trace of VX2. However, my machine continues to be extremely slow. When I open Task Manager I can see that the CPU usage is at 100%. I don't know what is occupying it. Is there any way to understand what is doing this?
Here are my DLLcompare log file and Findit log file. I ran those in Safe Mode, since the machine is so slow in normal mode. Let me know if I have to do anything else.
Dllcompare:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINNT\SYSTEM32\msrdo20.dll Wed May 10 2000 11:00:00p A.S.. 397,312 388.00 K
C:\WINNT\SYSTEM32\rdocurs.dll Mon Mar 13 2000 11:00:00p A.S.. 151,552 148.00 K
________________________________________________
1,158 items found: 1,158 files (2 H/S), 0 directories.
Total of file sizes: 211,449,510 bytes 201.65 M
Administrator Account = True
AppInit_DLLs value = apitrap.dll (not hidden)
--------------------End log---------------------
Findit:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Download\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/05/2005 09:33p <DIR> dllcache
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
05/10/2000 11:00p 397,312 Msrdo20.dll
03/13/2000 11:00p 151,552 Rdocurs.dll
9 File(s) 549,088 bytes
1 Dir(s) 21,070,811,136 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/05/2005 09:33p <DIR> dllcache
01/04/2005 06:53p 124 vsconfig.xml
07/14/2003 07:23p 4,212 zllictbl.dat
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
06/08/2003 11:04p <DIR> GroupPolicy
06/08/2003 10:55p 21,692 folder.htt
06/08/2003 10:55p 271 desktop.ini
11 File(s) 26,523 bytes
2 Dir(s) 21,070,801,920 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
------ Temp Files in System32 Directory ------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 21,070,809,600 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"New Value #1"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
C:\WINNT\SYSTEM32\
vsconfig.xml Tue Jan 4 2005 6:53:18p A..H. 124 0.12 K
1 item found: 1 file, 0 directories.
Total of file sizes: 124 bytes 0.12 K
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
Originally Posted by crunchie
If you want to post a dllcompare log and a findit log, we would be glad to help you out.
Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and doubleclick on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.
There does not appear to be anything untoward there. Perhaps running in safe mode affected the scan and a normal scan would be more beneficial?
Do you have hijackthis? If not, Download HijackThis from here & unzip it into its own, permanent folder, (Not a temporary folder or the desktop (in a folder on the desktop is fine) & not directly on your hard drive). If you prefer an executable file, then download from here.
If you have anything disabled in MsConfig, please re-enable it/them.
Start HJT & press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.
Silent runners will find things that hijackthis cannot see, if there.
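For readers following along with the FindIt output above: the "Keys Under Notify" section is a REGEDIT4 export of HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, and several of the DllName values are hex(2) byte lists that are hard to read by eye. The script below is an added example, not part of FindIt or of this thread. It parses that REGEDIT4 text, decodes the hex(2) values into DLL names, and flags any Notify subkey whose DLL is not one of the stock Windows 2000 notification DLLs (the allow-list is this example's assumption) as well as stray values sitting directly on the Notify root. The sample input is copied from the log posted above, abbreviated to the fields the script reads.

```python
"""Decode and review the Winlogon\\Notify section of a FindIt Output.txt.

Added example, not from FindIt or the thread. Parses REGEDIT4 text, decodes
"string", dword:XXXXXXXX, hex(2) (REG_EXPAND_SZ) and hex(7) (REG_MULTI_SZ)
values, and reports Notify entries whose DLL is outside a small allow-list."""

import re

# Assumption for this example: stock Windows 2000 Winlogon notification DLLs.
# Anything outside this set deserves a look, not automatic deletion.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}

NOTIFY_ROOT = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
               r"\CurrentVersion\Winlogon\Notify")

# Constructed sample: the Notify section as posted above, abbreviated.
SAMPLE_NOTIFY_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"New Value #1"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"MaxWait"=dword:00000258
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_reg_value(raw):
    """Turn one REGEDIT4 right-hand side into a Python value.

    REGEDIT4 (the format FindIt dumps) stores hex(2)/hex(7) strings as ANSI
    bytes, NUL-terminated; hex(7) is a list of NUL-separated strings."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex\((\d+)\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "7":
            return [s.decode("latin-1") for s in data.split(b"\x00") if s]
        return data.split(b"\x00", 1)[0].decode("latin-1")
    return raw


def parse_regedit4(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 export."""
    # Long hex values are wrapped with a trailing backslash; re-join them first.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1)] = decode_reg_value(vm.group(2))
    return keys


def notify_dlls(export_text):
    """Map each Notify subkey to its DLL (DllName/DLLName, case-insensitive)."""
    result = {}
    for path, values in parse_regedit4(export_text).items():
        if not path.lower().startswith(NOTIFY_ROOT.lower() + "\\"):
            continue
        subkey = path.rsplit("\\", 1)[1]
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        result[subkey] = dll
    return result


def review_notify(export_text):
    """List findings: stray values on the Notify root, missing or unknown DLLs."""
    findings = []
    for path, values in parse_regedit4(export_text).items():
        if path.lower() == NOTIFY_ROOT.lower():
            for name in values:
                findings.append(f"stray value on Notify root: {name!r}")
    for subkey, dll in notify_dlls(export_text).items():
        if dll is None:
            findings.append(f"{subkey}: no DllName value")
        elif dll.lower() not in KNOWN_NOTIFY_DLLS:
            findings.append(f"{subkey}: unfamiliar DLL {dll}")
    return findings


if __name__ == "__main__":
    for subkey, dll in notify_dlls(SAMPLE_NOTIFY_EXPORT).items():
        print(f"{subkey:14} -> {dll}")
    for finding in review_notify(SAMPLE_NOTIFY_EXPORT):
        print("CHECK:", finding)
```

Run against the section posted above, every Notify subkey decodes to a stock DLL, which matches the "nothing untoward" reading; the only flag is the empty "New Value #1" dword on the Notify root, which carries no DllName and so loads nothing. A DLL outside the allow-list is a lead to verify (file date, location, signature), not proof of infection.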
You need to download it from the links I provided. Where it says here
Sorry, I misunderstood. W2K does not come with Msconfig. You can download it though. That was one of my 'canned' responses that I use each time required. It saves a lot of typing. W2K is the only system without it, I believe. Just ignore that part.
OK, good. I have also put hijackthis and silentrunner in separate folders on my hard drive. Is this ok?
Originally Posted by crunchie
Sorry, I misunderstood. W2K does not come with Msconfig. You can download it though. That was one of my 'canned' responses that I use each time required. It saves a lot of typing. W2K is the only system without it, I believe. Just ignore that part.
Yes, that's fine. If you run silent runners it will create a log when it has finished scanning. The log will be saved in the same folder it is running from. Copy the contents of that log here.
Run hijackthis and save the entire log and copy that here also.
Fine, I'll send the results tomorrow. It's late now here and I'm going to bed.
Originally Posted by crunchie
Yes, that's fine. If you run silent runners it will create a log when it has finished scanning. The log will be saved in the same folder it is running from. Copy the contents of that log here.
Run hijackthis and save the entire log and copy that here also.