JatinHemant
asked on
Can't run MSConfig...
Hi friends!
I am running Windows NT 4.0 Server Service Pack 6. My server is infected, and previously I couldn't run Task Manager, regedit and msconfig. The entry svchost.exe was replaced by svichosst.exe. I ran HijackThis and found the corrupted entries.
Now I am able to run regedit, and from Group Policy I enabled Task Manager. But I am still not able to run msconfig from Run. Please tell me how I can run it. Can I copy the msconfig file from the CD or from the system32 folder? Is there any other file to get to the System Configuration Utility, other than MSConfig, in NT 4.0 Server?
Thanks,
Hemant
ASKER
Well, let me try the link provided by f-king.
Please also see the HijackThis logs before and after making manual changes...
HijackThis Log Before Fixing Anything:
**************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:44 PM, on 11/11/07
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\PROMon.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\System32\SVICHOSSST.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\WINNT\system32\SVICHOSSST.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\sfmprint.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Profiles\Administrator\Desktop\backups\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Harf Information Tech.
F2 - REG:system.ini: Shell=Explorer.exe SVICHOSSST.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe
O4 - HKUS\S-1-5-21-1494121696-514794618-1423778804-500\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe (User 'Default user')
O4 - S-1-5-21-1494121696-514794618-1423778804-500 Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe (User '?')
O4 - Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
--
End of file - 3020 bytes
**************************
HijackThis Log After Making Manual Correction in Registries:
**************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:11 PM, on 11/11/07
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\PROMon.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\sfmprint.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\sfmsvc.exe
C:\WINNT\Profiles\Administrator\Desktop\backups\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Harf Information Tech.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - S-1-5-21-1494121696-514794618-1423778804-500 Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe (User '?')
O4 - Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
--
End of file - 2539 bytes
**************************
Regards,
Hemant
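Added example (not part of the original post or of HijackThis): a way to check a cleanup like the one above by diffing the "before" and "after" logs and flagging executable names that imitate a system binary. The KNOWN list and the edit-distance threshold of 3 are assumptions chosen for this illustration.

```python
import re

# Constructed sample: lines taken from the two logs above, with the spaces
# that page extraction inserted into long paths removed.
BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe SVICHOSSST.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
"""
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # section code, then entry body
KNOWN = ("svchost", "explorer", "services", "winlogon", "lsass")  # assumed list

def entries(log):
    """Set of (section, body) pairs for every HijackThis entry line."""
    return {m.groups() for m in map(ENTRY.match, log.splitlines()) if m}

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(body, max_dist=3):
    """(stem, imitated binary) pairs for .exe names close to a KNOWN name."""
    stems = {s.lower() for s in re.findall(r"([\w~]+)\.exe", body, re.I)}
    return {(s, k) for s in stems for k in KNOWN
            if 0 < edit_distance(s, k) <= max_dist}

def review(before, after):
    """Entries the cleanup removed, and look-alikes still present afterwards."""
    removed = sorted(entries(before) - entries(after))
    remaining = set().union(*(lookalikes(b) for _, b in entries(after)))
    return removed, remaining

if __name__ == "__main__":
    removed, remaining = review(BEFORE, AFTER)
    for section, body in removed:
        print("removed", section, body, sorted(lookalikes(body)))
    print("look-alikes still referenced:", sorted(remaining) or "none")
```

An empty "remaining" set only shows that no autorun entry in the log still names the look-alike; the file itself on disk has to be checked separately.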
ASKER
Is there no way to download this file from the CD or some other location? f-king has given the link, but it seems that link is for Windows 2000. Will it work with my NT 4.0 Service Pack 6.0 also?
Thanks,
Hemant