I was out of town for a week and left my computer running as I host a web server on my win2k machine. I came back to find spyware had taken over my computer. A few problems I've had:
Task manager button is disabled; if I go to Run and type "taskmon" it says a component is missing.
Wallpaper has been changed, I cannot change it in my display properties.
A dozen icons or so added to desktop, several more to start menu.
...I've run spybot and adaware several times to no avail. After a while these programs began freezing partway through the scan and were of no use. I had a couple BHO things in my HJT log and deleted a few other items. I went into safe mode with command prompt and did a "dir /O-D /P" and deleted all the files that had been created in my C:\winnt\system32 while I was gone and also deleted a phony svchost.exe and svchoct.exe from C:\winnt. I rebooted my computer and since have been unable to open windows. As soon as I login, the wallpaper shows, the busy cursor shows for approximately 5 seconds and then the system just pauses. The mouse still moves, I can control-alt-delete, but I have no access to the task manager button. Biggest problem right now is that I don't have access to any Windows CDs. Any help would be appreciated.
I just booted into safe mode with command prompt which was successful, and when I typed "explorer" it said there was no file "C:\winnt\explorer.exe" so I'm going to guess that's part of the problem. I'll go ahead and google "download win2k explorer.exe" and see if that can't help.
Thanks,
-Rod
EDIT: I can't seem to find anywhere to download explorer.exe, any ideas?
RE-EDIT: I just realized explorer.exe is still on my system; however, if I type "explorer.exe" it tells me the system cannot find the specified file.
LATEST EDIT:
I found a fix on another site for this problem which involved changing registry values and now I can use task manager as well as boot into windows. Now I am unable to remove kmlrp.exe and mhgyflo.exe. I also have recently noticed Ceres popups coming out of nowhere. I have run ad-aware and spybot S&D and still experience these problems. I have run HJT and have posted the log below. Every time I remove the BHO, kmlrp, and mhgyflo entries they simply add themselves back within a minute. Thanks again in advance.
Logfile of HijackThis v1.99.1
Scan saved at 6:34:53 PM, on 7/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
D:\Program Files\Apache Group\Apache\Apache.exe
D:\Program Files\Apache Group\Apache\Apache.exe
C:\WINNT\System32\svchost.exe
D:\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
D:\Program Files\AIM95\aim.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\EmpirePoker\EmpirePoker.exe
D:\Program Files\allSnap\allSnap.exe
D:\Program Files\Winamp5\winamp.exe
C:\WINNT\explorer.exe
c:\winnt\system32\mhgyflo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\cleanmgr.exe
C:\WINNT\system32\kmllrp.exe
C:\WINNT\system32\taskmgr.exe
D:\program files\Lavasoft\Ad-Aware SE Personal\ad-Aware.exe
F:\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mhgyflo] c:\winnt\system32\mhgyflo.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\kmllrp.exe reg_run
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O20 - Winlogon Notify: Fonts - C:\WINNT\system32\crosys.dll
O23 - Service: Apache - Unknown owner - D:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-nt.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - D:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: svchoct.exe (yuto) - Unknown owner - C:\WINNT\svchoct.exe (file missing)
Edited by RMRazavi, 10 July 2005 - 04:34 PM.