Full Version: Infected with Trojan.Vundo
redrum
Hi folks. I got a problem => My PC is infected with Trojan.Vundo. I already tried the Symantec Removal Tool but it didn't work... (it said that Trojan.Vundo has been removed, unfortunately the trojan is still present...). I've done some online scans (Kaspersky, Panda ActiveScan and Trendmicro Spyware Scan), so if you need the logs, I could post them. Here's my HijackThis log:

CODE
Logfile of HijackThis v1.99.1
Scan saved at 14:48:58, on 07.12.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\spoolsv.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Logitech\iTouch\iTouch.exe
C:\WINDOWS.0\Mixer.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Programme\ICQLite\ICQLite.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINDOWS.0\System32\RUNDLL32.EXE
C:\programme und installationen\quicktime 6.00 pro\qttask.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Programme\Valve\Steam\Steam.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\WINDOWS.0\system32\crypserv.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS.0\System32\nvsvc32.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS.0\System32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fussballcup.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fussballcup.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php?account_id=3004
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AutoSearch Class - {1E432263-6841-4653-8F02-366A2F77E339} - C:\PROGRA~3\WINDOW~2\WinSB1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - C:\DOKUME~1\BENROD~1\LOKALE~1\Temp\bacpi.dat (file missing)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS.0\2_0_1browserhelper2.dll (file missing)
O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~3\WINDOW~2\WinSB1.DLL
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS.0\System32\jkkjj.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] C:\Programme\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme und Installationen\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS.0\alchem.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [*unplay] C:\WINDOWS.0\system\unplay.exe
O4 - HKLM\..\Run: [*svcmfc] C:\WINDOWS.0\system\svcmfc.exe
O4 - HKLM\..\Run: [*ipcab] C:\WINDOWS.0\Config\ipcab.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\programme und installationen\quicktime 6.00 pro\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Steam] C:\Programme\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Kazaa Lite K++.lnk = C:\Programme und Installationen\Kazaa Lite K++\klrun.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Verknüpfung mit emule.lnk = C:\Dokumente und Einstellungen\Ben Roderes\Desktop\emule.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06dd2bd2c6df8bd6aa15/netzip/RdxIE601.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.download-intern.de/InstallationsAssistent.ocx
O20 - Winlogon Notify: jkkjj - C:\WINDOWS.0\System32\jkkjj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS.0\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: I***Eng - Unknown owner - C:\WINDOWS.0\System32\angelex.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe


Another problem is that my computer doesn't run in Safe mode. If I try to start it in Safe Mode, everything seems to work, but my desktop doesn't appear, there's only a black screen...

Hope any of you guys can help me...

ps: hope my english isn't too bad :boh:
Mosaic1
Please download VundoFix.exe to your desktop. Here's a link:

http://www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.

You'll use it shortly.

----------------------

Run HijackThis and select the following items. Press the Fix Checked button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php?account_id=3004
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AutoSearch Class - {1E432263-6841-4653-8F02-366A2F77E339} - C:\PROGRA~3\WINDOW~2\WinSB1.DLL
O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - C:\DOKUME~1\BENROD~1\LOKALE~1\Temp\bacpi.dat (file missing)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS.0\2_0_1browserhelper2.dll (file missing)
O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~3\WINDOW~2\WinSB1.DLL

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS.0\alchem.exe
O4 - HKLM\..\Run: [*unplay] C:\WINDOWS.0\system\unplay.exe
O4 - HKLM\..\Run: [*svcmfc] C:\WINDOWS.0\system\svcmfc.exe
O4 - HKLM\..\Run: [*ipcab] C:\WINDOWS.0\Config\ipcab.exe
O4 - Startup: Verknüpfung mit emule.lnk = C:\Dokumente und Einstellungen\Ben Roderes\Desktop\emule.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.download-intern.de/InstallationsAssistent.ocx
O23 - Service: I***Eng - Unknown owner - C:\WINDOWS.0\System32\angelex.exe (file missing)

---------------------


Open the VundoFix folder and double-click on KillVundo.bat

A command window will open and it should look like this:



VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk



At this point press enter one time.

Next you will see:


Type in the filepath as instructed by the forum staff
Then Press Enter, to continue with the fix.



At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS.0\System32\jkkjj.dll

Press Enter.

Next you will see:


Please type in the second filepath as instructed by the forum staff

At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS.0\System32\jjkkj.*

Press Enter to continue.

The fix will run, then HijackThis will open.
In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS.0\System32\jkkjj.dll
O20 - Winlogon Notify: jkkjj - C:\WINDOWS.0\System32\jkkjj.dll


While HijackThis is open, check to see if you find any O4 entries whose names start with an asterisk, like those you already removed in step one.

You already removed these:
O4 - HKLM\..\Run: [*unplay] C:\WINDOWS.0\system\unplay.exe
O4 - HKLM\..\Run: [*svcmfc] C:\WINDOWS.0\system\svcmfc.exe
O4 - HKLM\..\Run: [*ipcab] C:\WINDOWS.0\Config\ipcab.exe

See if you have any of these or similar entries. If so, fix those too.




After you have fixed these items, close HijackThis. Manually shut down and then restart the computer.




Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/

Allow them to clean.

Panda will have the option to create a log after the scan has finished. Click the See Report button. Then click the Save Report button. It will be saved under the name activescan.txt. Do that and post that log into your next reply here.


Run HijackThis and post the new log and the vundofix.txt file from the VundoFix folder as well.
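The manual checks in the reply above (O4 entries whose names start with an asterisk, entries marked "(file missing)", and one DLL registered as both an O2 BHO and an O20 Winlogon Notify) can be run over a saved log mechanically. The following is an added example, not part of the original thread and not HijackThis or VundoFix code; the function names are hypothetical, the sample lines are copied from the first log in this thread, and the three checks are triage heuristics taken from what was flagged here, not a general detector.

```python
import re

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - C:\DOKUME~1\BENROD~1\LOKALE~1\Temp\bacpi.dat (file missing)
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS.0\System32\jkkjj.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [*unplay] C:\WINDOWS.0\system\unplay.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - Startup: PowerReg Scheduler.exe
O20 - Winlogon Notify: jkkjj - C:\WINDOWS.0\System32\jkkjj.dll
O23 - Service: I***Eng - Unknown owner - C:\WINDOWS.0\System32\angelex.exe (file missing)
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Registry Run entries carry the value name in square brackets.
RUN_NAME_RE = re.compile(r"^[^\[]*: \[([^\]]*)\]")
MISSING = "(file missing)"


def parse_entries(log_text):
    """Return (section, body) pairs for every R*/O* line; skip everything else."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def target_path(body):
    """File path at the end of an O2/O20 body, normalised for comparison."""
    path = body.rsplit(" - ", 1)[-1]
    if path.endswith(MISSING):
        path = path[: -len(MISSING)]
    return path.strip().strip('"').lower()


def review(log_text):
    """Flag entries matching the three patterns singled out in this thread."""
    entries = parse_entries(log_text)
    bho_paths = {target_path(b) for s, b in entries if s == "O2"}
    notify_paths = {target_path(b) for s, b in entries if s == "O20"}
    # A DLL loaded both into the browser (BHO) and into winlogon (Notify),
    # as jkkjj.dll is in the log above.
    shared = bho_paths & notify_paths

    findings = []
    for section, body in entries:
        if body.endswith(MISSING):
            findings.append(("file-missing", section, body))
        if section == "O4":
            m = RUN_NAME_RE.match(body)
            if m and m.group(1).startswith("*"):
                findings.append(("asterisk-run-name", section, body))
        if section in ("O2", "O20") and target_path(body) in shared:
            findings.append(("bho-and-winlogon-notify", section, body))
    return findings


if __name__ == "__main__":
    for reason, section, body in review(SAMPLE_LOG):
        print(f"{reason:24} {section:4} {body}")
```

A flagged line is a prompt to look at the entry, not a verdict; NavShExt.dll appears under both O2 and O3 in the sample and is correctly left alone because only the O2/O20 pairing is checked.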
redrum
Hi. Thanks for your quick help. It seems as if Trojan.Vundo was now removed.

Here's my Panda ActiveScan logfile:

CODE
Incident                      Status                        Location

Adware:adware/sahagent        Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\bundletracking.asp
Adware:adware/transponder     Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\dummy.htm
Spyware:spyware/rpc32vm       Not desinfected               C:\WINDOWS.0\SYSTEM32\rpc32vm.dll
Adware:adware/clickalchemy    Not desinfected               C:\WINDOWS.0\alchem.ini
Adware:adware/twain-tech      Not desinfected               C:\WINDOWS.0\satmat.ini
Spyware:spyware/betterinet    Not desinfected               C:\WINDOWS.0\INF\satmat.inf
Spyware:spyware/altnet        Not desinfected               C:\PROGRAM FILES\altnet
Adware:adware/ncase           Not desinfected               C:\TEMP\FLEOK
Adware:adware/sidesearch      Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Anwendungsdaten\Lycos
Adware:adware/blazefind       Not desinfected               C:\PROGRAMME\WindowsSA
Adware:adware/exact.bargainbuddy Not desinfected            Windows Registry
Adware:Adware/nCase           Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\nsqD.tmp\ncase.bat
Adware:Adware/WebHancer       Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\nsqD.tmp\webhancer.exe
Adware:Adware/WebHancer       Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\nsqD.tmp\webhancer.exe[whInstaller.ini]
Adware:Adware/WebHancer       Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\nsqD.tmp\webhancer.exe[whAgent.inf]
Adware:Adware/WebHancer       Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\nsqD.tmp\webhancer.exe[WhAgent.exe]
Adware:Adware/WebHancer       Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\nsqD.tmp\webhancer.exe[whInstaller.exe]
Adware:Adware/WebHancer       Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\nsqD.tmp\webhancer.exe[WhSurvey.exe]
Adware:Adware/WebHancer       Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\nsqD.tmp\webhancer.exe[Webhdll.dll]
Adware:Adware/WebHancer       Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\nsqD.tmp\webhancer.exe[whiehlpr.dll]
Spyware:Spyware/BetterInet    Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\satmat.inf
Adware:Adware/IPInsight       Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\satmat.ini
Adware:Adware/Twain-Tech      Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\twaintec.inf
Adware:Adware/IST.YourSiteBar Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temporary Internet Files\Content.IE5\0Z9ZE63L\CAW7QDS3.HTM
Adware:Adware/NetPals         Not desinfected               C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temporary Internet Files\Content.IE5\16KVQF2R\w3th3rb[1].cab[ATPartners.inf]
Adware:Adware/BlazeFind       Not desinfected               C:\Program Files\WindowsSB\WinSBUninst.EXE
Adware:Adware/BlazeFind       Not desinfected               C:\Programme\HijackThis\backups\backup-20051207-220138-788.dll
Adware:Adware/WUpd            Not desinfected               C:\WINDOWS.0\Downloaded Program Files\BridgeX.inf
Spyware:Spyware/BetterInet    Not desinfected               C:\WINDOWS.0\inf\satmat.inf
Adware:Adware/Twain-Tech      Not desinfected               C:\WINDOWS.0\inf\twaintec.inf
Adware:Adware/IPInsight       Not desinfected               C:\WINDOWS.0\satmat.ini
Adware:Adware/WinTools        Not desinfected               C:\WINDOWS.0\system32\grwinsthlp.exe
Spyware:Spyware/Virtumonde    Not desinfected               C:\WINDOWS.0\system32\mllmm.dll


Unfortunately I didn't have the time to scan with Trendmicro, but I'll start the scan in a few minutes and will post it immediately after it's done.
redrum
Hi again.

It seems as if the Trendmicro Scan won't work. It simply stops scanning at the same file every time (unfortunately I wasn't able to read the file's name...). Or is it possible that it could last nearly half an hour to scan that one file??

Well anyway, here's my new HJT Log:

CODE
Logfile of HijackThis v1.99.1
Scan saved at 15:47:31, on 08.12.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.0\Explorer.EXE
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS.0\Mixer.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINDOWS.0\System32\RUNDLL32.EXE
C:\programme und installationen\quicktime 6.00 pro\qttask.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Programme\Valve\Steam\Steam.exe
C:\Programme\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS.0\system32\crypserv.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS.0\System32\nvsvc32.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fussballcup.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fussballcup.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] C:\Programme\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme und Installationen\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\programme und installationen\quicktime 6.00 pro\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Steam] C:\Programme\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Kazaa Lite K++.lnk = C:\Programme und Installationen\Kazaa Lite K++\klrun.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06dd2bd2c6df8bd6aa15/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS.0\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe


And the Vundofix.txt log:

QUOTE
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS.0\System32\jkkjj.dll

The second filepath entered was C:\WINDOWS.0\System32\jjkkj.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 496 'smss.exe'

Killing PID 1432 'explorer.exe'
Killing PID 1432 'explorer.exe'

Killing PID 1716 'rundll32.exe'

Killing PID 580 'winlogon.exe'
Killing PID 580 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS.0\System32\jkkjj.dll Deleted sucessfully.
C:\WINDOWS.0\System32\jjkkj.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------


I didn't find any other 04 entries in HJT whose names start with an asterisk...

Besides, I just wanted to know if I can share files over network or is this unsafe because there may still be parts of Vundo left?? thx
Mosaic1
I didn't have you delete certain files because I would like a sample of them. The AVs are not alerting that these files are infected, and so we want to send them out.

Would you create a folder on your desktop and move these files into that folder please.

C:\WINDOWS.0\system\unplay.exe
C:\WINDOWS.0\system\svcmfc.exe
C:\WINDOWS.0\Config\ipcab.exe


Once these are in that folder then right click on that folder and Click Sendto>Compressed. This will create a zipped copy of that folder.


Upload that zipped folder to this forum.
http://www.thespykiller.co.uk/forum/index.php?board=1.0


Press new topic, and give a link to this topic.

Here's that link for you to give them:
http://gladiator-antivirus.com/forum/index...showtopic=30546

Let them know I asked for this upload and that it's a Vundo folder.
Press the browse button and then navigate to zipped folder.

Press send and the file will be uploaded. Please do not post any logs over there. This is just an upload site for suspicious files. Thanks. This will help a lot of people who are currently infected.


Thanks for helping.


Once that has been done and we have the files, you can delete the zip and folder with the originals.

-----------------

I strongly urge you to uninstall Kazaa Lite. A lot of infections are passed through its network.

------
Because XP will not always show you hidden files and folders by default, reset your search settings first.

Open Folder Options>view and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and look down to More advanced options and click on the chevron next to it.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

Delete these files:

C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\bundletracking.asp
C:\Dokumente und Einstellungen\Ben Roderes\Lokale Einstellungen\Temp\dummy.htm
C:\WINDOWS.0\SYSTEM32\rpc32vm.dll
C:\WINDOWS.0\alchem.ini
C:\WINDOWS.0\satmat.ini
C:\WINDOWS.0\INF\satmat.inf
C:\Dokumente und Einstellungen\Ben Roderes\Anwendungsdaten\Lycos
C:\Programme\HijackThis\backups\backup-20051207-220138-788.dll
C:\WINDOWS.0\inf\satmat.inf
C:\WINDOWS.0\inf\twaintec.inf
C:\WINDOWS.0\satmat.ini
C:\WINDOWS.0\system32\grwinsthlp.exe
C:\WINDOWS.0\system32\mllmm.dll



Delete these folders:

C:\PROGRAM FILES\altnet
C:\TEMP\FLEOK
C:\PROGRAMME\WindowsSA


This next file needs special handling.

Go to start >Run and paste in this command, press enter and then wait for the success message:

regsvr32 /u occache.dll

Delete this file:
C:\WINDOWS.0\Downloaded Program Files\BridgeX.inf

Go back to start >Run and paste in this command, press enter and then wait for the success message:

regsvr32 /i occache.dll

------------------------




Run hijackthis. Select the following and press the fix checked button.

O4 - HKLM\..\Run: [QuickTime Task] "C:\programme und installationen\quicktime 6.00 pro\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: Kazaa Lite K++.lnk = C:\Programme und Installationen\Kazaa Lite K++\klrun.exe
O4 - Startup: PowerReg Scheduler.exe

-----------

Download and run Cleanup.

http://home.comcast.net/~sgould4567/softwa...p/download.html

Learn how to use Cleanup:
http://home.comcast.net/~sgould4567/softwa...up/running.html



----------


There has been an issue found recently with Sun Java. This may have been why you were infected with Vundo.

When newer versions are installed, the older versions are left behind and malware can call these older versions to exploit flaws. Some malware has been found to install this way.

First update to the very latest version of Sun Java. Yours is an older version.

Then go into Add Remove programs and uninstall any older versions you find listed there.

-----------------------------


Trend Micro may work now. If not, then try a scan at another AV site. We like to get rid of as much leftover junk as possible.


http://www.bitdefender.com/scan/licence.php
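One way to check a follow-up HijackThis log against the fix list in the post above, added here as an example and not part of the thread or of HijackThis itself. It parses O4 lines and compares them case-insensitively, as Windows does with paths; `RESCAN_LOG` is constructed sample data and the function names are hypothetical.

```python
import re

# O4 lines come in two shapes: registry Run keys and Startup-folder items.
O4_REG = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.*)$")
O4_DIR = re.compile(r"^O4 - ((?:Global )?Startup): (.+?)(?: = (.*))?$")

# Entries from the fix list in the post above.
FIX_LIST = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\programme und installationen\quicktime 6.00 pro\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: Kazaa Lite K++.lnk = C:\Programme und Installationen\Kazaa Lite K++\klrun.exe
O4 - Startup: PowerReg Scheduler.exe
"""

# Constructed follow-up log (not from the thread): two fixes did not take.
RESCAN_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme und Installationen\QuickTime 6.00 Pro\\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Steam] C:\Programme\Valve\Steam\\Steam.exe -silent
O4 - Startup: PowerReg Scheduler.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
"""

def norm_path(s):
    """Drop quotes, fold case, and collapse doubled backslashes (a leading UNC pair is kept)."""
    s = s.replace('"', "").strip().casefold()
    return re.sub(r"(?<!^)\\{2,}", lambda m: "\\", s)

def parse_o4(line):
    """Return (location, name, target) for an O4 line, or None for any other line."""
    line = line.strip()
    m = O4_REG.match(line) or O4_DIR.match(line)
    if not m:
        return None
    location, name, target = m.group(1), m.group(2), m.group(3) or ""
    return (location.casefold(), name.casefold(), norm_path(target))

def still_present(fix_list, rescan_log):
    """Fix-list lines whose autostart entry still shows up in the rescan log."""
    seen = {e for e in map(parse_o4, rescan_log.splitlines()) if e}
    return [l.strip() for l in fix_list.splitlines() if parse_o4(l) in seen]

if __name__ == "__main__":
    for entry in still_present(FIX_LIST, RESCAN_LOG):
        print("still present:", entry)
```

An entry missing from the rescan only shows that the autostart reference is gone; the file it pointed to may still be on disk.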
redrum
hm i just noticed that there apparently are no such files you mentioned to copy in a new folder (I talk of these ones:
C:\WINDOWS.0\system\unplay.exe
C:\WINDOWS.0\system\svcmfc.exe
C:\WINDOWS.0\Config\ipcab.exe)

I don't know if this helps, but in C:\Windows.0\Config\ there's a file named bacpi.tmp. I realized it's the inverse of the file name you wanted me to look for... Well it's not an execution, but however, I thought that it might be useful for you...

---

I haven't used Kazaa for ages, but I found a folder which apparently wasn't uninstalled... or am I simply too stupid to remove Kazaa??

---

Well, anyway, let me know what you think about the files I can't find...
Besides, can I do the rest of the things u told me or do I have to move and upload those files first??

thx,redrum
Mosaic1
Really move them. They are Vundo Files. Be careful not to start any of them.
Mosaic1
After you finish that, see if Safe mode is back to working normally.

If not, you can always boot to Safe Mode and press CTRL + ALT + DEL and bring up Task Manager. Then click the Processes tab. Go to the File menu and click File>Run

Type explorer into the run box and see if you get your desktop and taskbar in Safe Mode.
redrum
can i move on, without having moved the files you talked about?
Mosaic1
It may be that the files are not present. Is that the case?
redrum
yeah, exactly. I told u about a post I made earlier and edited... should have simply written a new post..sry
Mosaic1
There could be something left on the drive, possibly. Not running, but there. I used to use this batch to produce a large file named files.txt

Could you run it please and send me the results?

Download the attachment and unzip it to a new folder you will create on the desktop. Open that new folder and double click on getfiles.bat

When finished it will produce a large textfile named files.txt in that same folder.

Please email that file as an attachment to me here:
Katie_3232AThotmail.com

Change the AT to an @ for the address to work.

I'll have a look for any leftovers and let you know. It will take some time to do that. I have errands to run and won't be around for most of the afternoon.
redrum
ok, I just emailed it...

Can I now move on with the other things u told me to do or shall I wait until you had a look at the logfile of getfiles.bat??

thx
Mosaic1
I emailed you back as soon as I got your email to tell you to go ahead and continue. Thanks


Yes, go ahead. I'll be back later.
redrum
Hello again.

I've been able to delete all the files you told me (except the ones we were talking about earlier...). You told me two times to delete C:\Windows.0\satmat.ini. I guess it was supposed to stand there one time, wasn't it? Besides, you said to delete C:\WINDOWS.0\INF\satmat.inf and the same thing again, only INF written in small numbers this time... I suppose that's another mistake. If not, correct me.

Erm in HJT I could not find O4 - Startup: Kazaa Lite K++.lnk = C:\Programme und Installationen\Kazaa Lite K++\klrun.exe
As you told me, I managed to find one or two left-over files of Kazaa, and I deleted them, so that may be the reason why I couldn't find it in HJT...

Everything else worked out.

I will run Cleanup tomorrow morning (Is this backup of the files they talk about on their site really necessary?)... Shall I post the results (if there are any) and also post a new HJT logfile, or are we done here?

thx
redrum
Hi there

I ran Cleanup, and it was really necessary => 6.8 GB (!) of space freed!
TrendMicro works now. I'll make a scan with it now and come back later
Mosaic1
Don't worry about small or capital letters. Go ahead and delete the file. For some reason one utility lists a filename in small letters and Windows lists it in capitals.


When you run Cleanup, do the backups. You don't have to back up any temporary files though. Then wait for a couple of weeks to see if you have any problems. If everything is in working order, delete the backups. They are insurance for you.


You can post a new log if you like.


Mosaic1
That's a lot of space recovered. You should be sure to clean out your temp folders on a regular basis.
redrum
yeah, well that's what i told myself after I saw these results :o) Atm everything seems to work normal...

THX 4 your help
Mosaic1
You're welcome.

Once you have rebooted a time or two, be sure everything is in working order. It is time to flush your system restore points. Once you do that you will not be able to correct any problems you may have now by going back to a point before today.


After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore.


Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
----------------------------
Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html