SpySheriff/Winstall - win2k won't boot


  • This topic is locked This topic is locked

#1 RMRazavi (New Member, 2 posts)

I had similar problems as listed in this post: http://www.geekstogo...lem-t39588.html


I was out of town for a week and left my computer running as I host a web server on my win2k machine. I came back to find spyware had taken over my computer. A few problems I've had:

Task manager button is disabled, if I go to run and type "taskmon" it says a component is missing.

Wallpaper has been changed, I cannot change it in my display properties.

A dozen icons or so added to desktop, several more to start menu.


...I've run Spybot and Ad-Aware several times to no avail. After a while these programs began freezing partway through the scan and were of no use. I had a couple of BHO things in my HJT log and deleted a few other items. I went into safe mode with command prompt and did a "dir /O-D /P" and deleted all the files that had been created in my C:\winnt\system32 while I was gone, and also deleted a phony svchost.exe and svchoct.exe from C:\winnt. I rebooted my computer and since then have been unable to open Windows. As soon as I log in, the wallpaper shows, the busy cursor shows for approximately 5 seconds and then the system just pauses. The mouse still moves, I can control-alt-delete, but I have no access to the task manager button. Biggest problem right now is that I don't have access to any Windows CDs. Any help would be appreciated.

I just booted into safe mode with command prompt which was successful, and when I typed "explorer" it said there was no file "C:\winnt\explorer.exe" so I'm going to guess that's part of the problem. I'll go ahead and google "download win2k explorer.exe" and see if that can't help.

Thanks,
-Rod


EDIT: I can't seem to find anywhere to download explorer.exe, any ideas?

RE-EDIT: I just realized explorer.exe is still on my system; however, if I type "explorer.exe" it tells me the system cannot find the specified file.



LATEST EDIT:

I found a fix on another site for this problem which involved changing registry values, and now I can use task manager as well as boot into Windows. Now I am unable to remove kmlrp.exe and mhgyflo.exe. I also have recently noticed Ceres popups coming out of nowhere. I have run Ad-Aware and Spybot S&D and still experience these problems. I have run HJT and have posted the log below. Every time I remove the BHO, kmlrp, and mhgyflo entries they simply add themselves back within a minute. Thanks again in advance.

Logfile of HijackThis v1.99.1
Scan saved at 6:34:53 PM, on 7/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
D:\Program Files\Apache Group\Apache\Apache.exe
D:\Program Files\Apache Group\Apache\Apache.exe
C:\WINNT\System32\svchost.exe
D:\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
D:\Program Files\AIM95\aim.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\EmpirePoker\EmpirePoker.exe
D:\Program Files\allSnap\allSnap.exe
D:\Program Files\Winamp5\winamp.exe
C:\WINNT\explorer.exe
c:\winnt\system32\mhgyflo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\cleanmgr.exe
C:\WINNT\system32\kmllrp.exe
C:\WINNT\system32\taskmgr.exe
D:\program files\Lavasoft\Ad-Aware SE Personal\ad-Aware.exe
F:\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mhgyflo] c:\winnt\system32\mhgyflo.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\kmllrp.exe reg_run
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O20 - Winlogon Notify: Fonts - C:\WINNT\system32\crosys.dll
O23 - Service: Apache - Unknown owner - D:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-nt.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - D:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: svchoct.exe (yuto) - Unknown owner - C:\WINNT\svchoct.exe (file missing)

Edited by RMRazavi, 10 July 2005 - 04:34 PM.

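As an added illustration (not part of the original post or of HijackThis itself), a small triage script for a log shaped like the one above: it flags the entry types that stand out here, the unvetted Run entries in system32, the Winlogon Notify DLL, the BHO dropped in C:\WINNT and the vendor-less services, and checks whether each flagged file is also in the running-process list, which is why deleting the registry entry alone does not stick. The SAMPLE_LOG subset and the KNOWN_GOOD allowlist are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the HijackThis log above (a subset, not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\nvsvc32.exe
c:\winnt\system32\mhgyflo.exe
C:\WINNT\system32\kmllrp.exe

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mhgyflo] c:\winnt\system32\mhgyflo.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\kmllrp.exe reg_run
O20 - Winlogon Notify: Fonts - C:\WINNT\system32\crosys.dll
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""
KNOWN_GOOD = {"nvcpl.dll", "nvsvc32.exe"}   # hypothetical: files already vetted on this machine
PATH_RE = re.compile(r'[a-z]:\\[^\s",]+', re.IGNORECASE)   # drive-letter paths within a line


def triage(log: str) -> list:
    """Return suspicious O2/O4/O20/O23 entries, noting whether their file is a live process."""
    running, findings = set(), []
    for line in (l.strip() for l in log.splitlines()):
        if PATH_RE.fullmatch(line):               # a bare path is a "Running processes" entry
            running.add(PureWindowsPath(line).name.lower())
            continue
        kind, paths = line.split(" - ", 1)[0], PATH_RE.findall(line)
        if kind not in {"O2", "O4", "O20", "O23"} or not paths:
            continue
        target = PureWindowsPath(paths[-1])       # the loaded file, not rundll32.exe itself
        name, parent, low = target.name.lower(), str(target.parent).lower(), line.lower()
        trusted_dir = parent.endswith("system32") or "program files" in parent
        reasons = []
        if kind == "O20":
            reasons.append("Winlogon Notify DLL: loaded by winlogon, runs even in safe mode")
        if kind == "O2" and not trusted_dir:
            reasons.append("BHO DLL dropped outside Program Files / system32")
        if kind == "O4" and parent.endswith("system32") and name not in KNOWN_GOOD:
            reasons.append("unvetted autorun living in system32")
        if kind == "O23" and "unknown owner" in low and ("file missing" in low or not trusted_dir):
            reasons.append("vendor-less service: binary missing or imitating a system file")
        if reasons:   # a flagged autorun that is also running will re-create its Run key
            findings.append({"kind": kind, "path": str(target), "reasons": reasons,
                             "running": name in running})
    return findings
```

Entries reported with `running: True` are the ones to stop (or handle from a boot environment) before their registry entries are deleted; otherwise the live process writes them back, which is the behaviour described in the post.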
#2 Buckeye_Sam (Malware Expert, 10,019 posts)

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

I apologize for the delay in getting to your log; the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.
#3 RMRazavi (Topic Starter, New Member, 2 posts)

3 days after I posted this message some of the spyware/malware had corrupted some of my windows files, including NTDetect.com, and I was forced to reformat. So I guess in some ways, problem solved.