  1. #1
    Member Rimbaud's Avatar
    Join Date
    Nov 2003
    Location
    London
    Posts
    16
    Points
    0

    Trojan suspected - HijackThis log posted

    Hello

    I have performed the actions in the tutorial on spyware etc. Symptoms of this include slow performance, suspected use of Outlook (based on its memory usage in Task Manager) and crashes due to WINLOGON.exe errors. Please help, this is my work machine!

    Logfile of HijackThis v1.99.1
    Scan saved at 12:55:09, on 05/07/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\sknowles\My Documents\My Pictures\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: CIEPl Object - {6BB18EFE-F2C7-457C-81FE-705757171FA0} - C:\WINNT\system32\ws_3s32.dll
    O2 - BHO: (no name) - {A1972652-A269-4058-91DC-11AF8125F006} - C:\WINNT\system32\rqghivpp.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1151665203517
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mtta.co.uk
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mtta.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mtta.co.uk
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: iygkrvwo - C:\WINNT\SYSTEM32\iygkrvwo.dll
    O20 - Winlogon Notify: meyxbgyp - C:\WINNT\SYSTEM32\meyxbgyp.dll
    O20 - Winlogon Notify: rmktwdpm - C:\WINNT\SYSTEM32\rmktwdpm.dll
    O20 - Winlogon Notify: ws_3s32 - C:\WINNT\SYSTEM32\ws_3s32.dll
    O21 - SSODL: IEFilter - {60ED4E2E-52A2-4716-ADE4-67BC49763958} - C:\WINNT\system32\IEFilter.dll
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

    I can see a few things here that look unpleasant, but have not deleted anything and will wait for a response.

    Thanks very much in advance

    Rimbaud

  2. #2
    Member Rimbaud's Avatar
    Join Date
    Nov 2003
    Location
    London
    Posts
    16
    Points
    0

    As a follow up, performance drag has reached epic proportions. After approx 20 minutes of being logged in, explorer.exe hogs 99% of the memory, stopping nigh on everything else, requiring reboot.

    Outlook now appears relatively unaffected. I would love to be at home with different browser and email, but such is life...

    In addition, the crashes due to winlogon.exe are continuing, and I can see in the HJT log above that there are several references to winlogon.

    Any ideas would be very gratefully received.

    Many thanks

    Rimbaud

  3. #3
    Member
    Join Date
    Jan 2003
    Posts
    12,000
    Points
    1191

    Rimbaud:

    Really think you ought to get your company's IT person involved in this. We generally don't provide help for a for-profit company.

    The log shows a Vundo infection, possible VX2 and a trojan that monitors your internet activity. Possible spread through your server.

    Plus you stated that you had done the things we ask before posting a log, but you failed to do the one line scans. Your HJT log will always show this.

    BG

  4. #4
    Member Rimbaud's Avatar
    Join Date
    Nov 2003
    Location
    London
    Posts
    16
    Points
    0

    Understand your position on that; currently without an IT department (of previously one person). Thanks for looking at the log regardless; am unsure what you meant by one line scans however.

    I will run through the procedures in the article again. Before you close this topic, please can you suggest any additional available software that would be necessary/suitable for removing the infections mentioned?

    Thanks again.

  5. #5
    Member Rimbaud's Avatar
    Join Date
    Nov 2003
    Location
    London
    Posts
    16
    Points
    0

    Oh - I understand you meant the online Panda and Housecall scans. I struggled to get those to work on this machine, will try again.

  6. #6
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Hi

    Thank you for understanding that we are only really here to help individuals, and they must get priority ... if you hadn't said it was a work computer, we wouldn't have been any the wiser...

    It only takes me ten seconds to post this "canned response" for you... please follow up with the requested logs...

    Please download and run these :-

    Download CCleaner from :-

    http://www.filehippo.com/download_ccleaner/ (click the download tab)

    During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

    Double-click the ccsetup.exe file and install the program...

    After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

    Make sure the "windows" tab is selected

    Under "internet explorer" tick...

    Temporary internet files
    Cookies* > see Note below
    History
    Recently typed URL's
    (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
    Delete index.dat files
    Last download location
    Autocomplete form history


    under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

    Other explorer MRU's
    (leave this unticked if you DON'T want to clear lists such as the start\run list)

    under "System"

    Tick ALL these ...


    under "Advanced"

    no need to tick any of these (but you can if you want, and realise what they do)


    Applications tab...

    These will mostly clean out old log files for these applications...

    Clean:- (if you use them)

    Firefox/Mozilla (optional - leave the cookies - see note)
    Opera
    Sun Java
    ZoneAlarm

    ...
    Personally I clean everything in the applications tab... but you tick what you want...

    Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

    click "analyse" if you want to see a list of what is going to be removed, before it is removed.

    Or

    click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

    "This process will permanently delete files from your system. Are you sure you wish to proceed?"

    click OK.

    THEN........

    Download ewido security suite install, update and run it.

    Please set up as :-

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    2. Run Ewido --- When you run it for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    3. From the main ewido screen, click on update in the left menu, then click the Start update button.

    4. After the update finishes (the status bar at the bottom will display "Update successful")

    5. You may need to manually update the definitions which you can get HERE

    6. Exit Ewido. DO NOT scan yet.

    Boot into safe mode... and scan with Ewido

    7. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

    8. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

    9. Once the ewido scan has completed, there will be a button located on the bottom of the screen called Save report.

    Important - You need to click "Save report" and save it to your desktop, or you won't have a log

    reboot

    post a new hijackthis log + the ewido log

    cheers

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  7. #7
    Member Rimbaud's Avatar
    Join Date
    Nov 2003
    Location
    London
    Posts
    16
    Points
    0

    Many thanks for that. You've helped me on my home pc before also, so I'll say thank you in the best way.... Will run the above tomorrow at work and post results. I managed to knock out, or seemingly so, the vundo elements using vundofix.

  8. #8
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Vundo ?

    you mean these ?

    O2 - BHO: CIEPl Object - {6BB18EFE-F2C7-457C-81FE-705757171FA0} - C:\WINNT\system32\ws_3s32.dll
    O20 - Winlogon Notify: ws_3s32 - C:\WINNT\SYSTEM32\ws_3s32.dll

    I expect these similar ones to show up in Ewido as Trojan downloader conhook aa or ab:-

    O2 - BHO: (no name) - {A1972652-A269-4058-91DC-11AF8125F006} - C:\WINNT\system32\rqghivpp.dll
    O20 - Winlogon Notify: iygkrvwo - C:\WINNT\SYSTEM32\iygkrvwo.dll
    O20 - Winlogon Notify: meyxbgyp - C:\WINNT\SYSTEM32\meyxbgyp.dll
    O20 - Winlogon Notify: rmktwdpm - C:\WINNT\SYSTEM32\rmktwdpm.dll

    Will await the logs tomorrow...

    steam

  9. #9
    Member Rimbaud's Avatar
    Join Date
    Nov 2003
    Location
    London
    Posts
    16
    Points
    0

    Right, thanks.

    Two problems, both of my making I think. One: I am unable to log-in in safe mode, which I imagine is to do with my profile rights? Either that, or it is connected with the winlogon.exe error that unceremoniously reboots me fairly frequently. As I'm not in safe mode, I could only run ewido in normal windows, log posted in any case.

    Two: I missed the option to deselect ewido guard, so it loaded fully. I will uninstall later I suppose.

    Here are the logs: I notice the winlogon entries in the HJT log are as immovable as ever. What do these signify?

    Logfile of HijackThis v1.99.1
    Scan saved at 11:01:34, on 06/07/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Documents and Settings\sknowles\My Documents\My Pictures\New Folder\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\WINNT\system32\internat.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Documents and Settings\sknowles\My Documents\My Pictures\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1151665203517
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mtta.co.uk
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mtta.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mtta.co.uk
    O20 - Winlogon Notify: icwuixik - C:\WINNT\SYSTEM32\icwuixik.dll
    O20 - Winlogon Notify: iygkrvwo - C:\WINNT\SYSTEM32\iygkrvwo.dll
    O20 - Winlogon Notify: meyxbgyp - C:\WINNT\SYSTEM32\meyxbgyp.dll
    O20 - Winlogon Notify: rmktwdpm - C:\WINNT\SYSTEM32\rmktwdpm.dll
    O21 - SSODL: IEFilter - {60ED4E2E-52A2-4716-ADE4-67BC49763958} - C:\WINNT\system32\IEFilter.dll (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\sknowles\My Documents\My Pictures\New Folder\ewido anti-spyware 4.0\guard.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

    And ewido:

    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 10:52:37 06/07/2006

    + Scan result:



    C:\Documents and Settings\gnoon\Cookies\gnoon@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@cz4.clickzs[2].txt -> TrackingCookie.Clickzs : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@cz5.clickzs[1].txt -> TrackingCookie.Clickzs : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@cz6.clickzs[3].txt -> TrackingCookie.Clickzs : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@com[1].txt -> TrackingCookie.Com : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@ehg-tfl.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@ilead.itrack[2].txt -> TrackingCookie.Itrack : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@ivwbox[1].txt -> TrackingCookie.Ivwbox : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@komtrack[2].txt -> TrackingCookie.Komtrack : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@server.lon.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@image.masterstats[2].txt -> TrackingCookie.Masterstats : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@banner.newyorkcasino[1].txt -> TrackingCookie.Newyorkcasino : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@questionmarket[10].txt -> TrackingCookie.Questionmarket : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@questionmarket[9].txt -> TrackingCookie.Questionmarket : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@serving-sys[5].txt -> TrackingCookie.Serving-sys : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@serving-sys[7].txt -> TrackingCookie.Serving-sys : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@server3.web-stat[1].txt -> TrackingCookie.Web-stat : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@web-stat[1].txt -> TrackingCookie.Web-stat : No action taken.
    C:\Documents and Settings\gnoon\Cookies\gnoon@www.web-stat[1].txt -> TrackingCookie.Web-stat : No action taken.
    C:\Documents and Settings\sknowles\My Documents\My Pictures\New Folder\backups\backup-20060705-112155-316.dll -> Trojan.Virtumod : No action taken.
    C:\Documents and Settings\sknowles\My Documents\My Pictures\New Folder\backups\backup-20060705-143809-198.dll -> Trojan.Virtumod : No action taken.


    ::Report end

    In terms of actions, I deleted all the cookies it picked up, and quarantined the virtumod nasty.

    Ta again

    Rimbaud
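
An added example, not part of any post in this thread: a short Python script that parses the O2 (BHO) and O20 (Winlogon Notify) lines copied from the two HijackThis logs above and compares them, showing which Notify entries went away, which are new, and which survived from 05/07 to 06/07. The function names are this example's own, and it handles install paths that themselves contain " - ".

```python
import re

# O2 (BHO) and O20 (Winlogon Notify) lines copied from the two HijackThis
# logs posted in this thread (scans of 05/07/2006 and 06/07/2006).
LOG_FIRST = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CIEPl Object - {6BB18EFE-F2C7-457C-81FE-705757171FA0} - C:\WINNT\system32\ws_3s32.dll
O2 - BHO: (no name) - {A1972652-A269-4058-91DC-11AF8125F006} - C:\WINNT\system32\rqghivpp.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: iygkrvwo - C:\WINNT\SYSTEM32\iygkrvwo.dll
O20 - Winlogon Notify: meyxbgyp - C:\WINNT\SYSTEM32\meyxbgyp.dll
O20 - Winlogon Notify: rmktwdpm - C:\WINNT\SYSTEM32\rmktwdpm.dll
O20 - Winlogon Notify: ws_3s32 - C:\WINNT\SYSTEM32\ws_3s32.dll
"""
LOG_SECOND = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: icwuixik - C:\WINNT\SYSTEM32\icwuixik.dll
O20 - Winlogon Notify: iygkrvwo - C:\WINNT\SYSTEM32\iygkrvwo.dll
O20 - Winlogon Notify: meyxbgyp - C:\WINNT\SYSTEM32\meyxbgyp.dll
O20 - Winlogon Notify: rmktwdpm - C:\WINNT\SYSTEM32\rmktwdpm.dll
"""

# The CLSID anchors the O2 split, so a " - " inside the path
# (e.g. "Spybot - Search & Destroy") stays part of the path.
BHO = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
NOTIFY = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$")


def parse(log):
    """Return {'bho': {path: name}, 'notify': {name: path}}, paths lower-cased."""
    out = {"bho": {}, "notify": {}}
    for line in log.splitlines():
        line = line.strip()
        m = BHO.match(line)
        if m:
            out["bho"][m.group(3).lower()] = m.group(1)
            continue
        m = NOTIFY.match(line)
        if m:
            out["notify"][m.group(1)] = m.group(2).lower()
    return out


def diff_notify(old_log, new_log):
    """Compare Winlogon Notify entry names between two scans."""
    old, new = parse(old_log)["notify"], parse(new_log)["notify"]
    return {
        "removed": sorted(old.keys() - new.keys()),
        "added": sorted(new.keys() - old.keys()),
        "persisted": sorted(old.keys() & new.keys()),
    }


def dual_registered(log):
    """DLL paths registered both as a BHO and as a Winlogon Notify package."""
    p = parse(log)
    return sorted(set(p["bho"]) & set(p["notify"].values()))


if __name__ == "__main__":
    for kind, names in diff_notify(LOG_FIRST, LOG_SECOND).items():
        print(f"{kind:10} {', '.join(names)}")
    print("BHO + Notify in first log:", dual_registered(LOG_FIRST))
```
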

  10. #10
    Member Spyware Fighter Clark76's Avatar
    Join Date
    Feb 2006
    Location
    Cleveland, Ohio
    Posts
    1,359
    Points
    239

    Hello

    To get into safe mode in Windows 2000, follow these steps:

    1. Restart the computer.
    2. When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key.
    3. In the Windows 2000 Advanced Options Menu, use the arrow keys to select Safe mode.
    4. Press Enter.

    Windows starts in Safe mode. (This can take several minutes.)


    After you finish working in Safe mode, restart the computer without using the F8 key.

    benc
