Solved

Can't run MSConfig...

Posted on 2007-11-14
Medium Priority
1,454 Views
Last Modified: 2013-12-28
Hi friends!

I am running Windows NT 4.0 Server Service Pack 6. My server is infected, and previously I couldn't run Task Manager, regedit or msconfig. The entry svchost.exe was replaced by svichosst.exe. I ran HijackThis and found the corrupted entries.

Now I am able to run regedit, and from Group Policy I enabled Task Manager. But I am still not able to run msconfig from Run. Please tell me how I can run it. Can I copy the msconfig file from the CD or from the system32 folder? Is there any other file to get to the System Configuration Utility, other than MSConfig, in NT 4.0 Server?

Thanks,

Hemant
Question by: JatinHemant

8 Comments
Accepted Solution by f-king:
Hi
Try running it in Safe Mode!
Or you can download it:
http://www.techadvice.com/win2000/m/msconfig_w2k.htm

Assisted Solution by rpggamergirl:
Looks like an SDBot variant. Do you have a HijackThis log that we can look at?

Or just run these tools:
1.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back here.


2.  Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Assisted Solution by f-king:
Also after being heavily infected like that I would suggest a Windows repair install or Format later on.

Assisted Solution by rpggamergirl:
Not being able to run regedit, Task Manager or msconfig is just a symptom of this variant ("svichosst.exe"). You can fix the symptoms, but they'll come back eventually if the worm is still there, so it's better to fix it by removing the cause/culprit, and removing whatever other nasties reside in the system.


Author Comment by JatinHemant:
Hi friends!

Is there no way to download this file from the CD or some other location? f-king has given the link, but it seems that link is for Windows 2000. Will it work with my NT 4.0 Service Pack 6 also?

Thanks,

Hemant

Assisted Solution by f-king:
You can try it and see if it accepts it.

Author Comment by JatinHemant:
Well, let me try the link provided by f-king.

Please also see the HijackThis logs from before and after making the manual changes.

HijackThis Log Before Fixing Anything:
******************************************************************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:44 PM, on 11/11/07
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\PROMon.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\System32\SVICHOSSST.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\WINNT\system32\SVICHOSSST.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\sfmprint.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Profiles\Administrator\Desktop\backups\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Harf Information Tech.
F2 - REG:system.ini: Shell=Explorer.exe SVICHOSSST.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe
O4 - HKUS\S-1-5-21-1494121696-514794618-1423778804-500\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe (User 'Default user')
O4 - S-1-5-21-1494121696-514794618-1423778804-500 Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe (User '?')
O4 - Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

--
End of file - 3020 bytes
******************************************************************************************************************************


HijackThis Log After Making Manual Correction in Registries:
******************************************************************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:11 PM, on 11/11/07
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\PROMon.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\sfmprint.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\sfmsvc.exe
C:\WINNT\Profiles\Administrator\Desktop\backups\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Harf Information Tech.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - S-1-5-21-1494121696-514794618-1423778804-500 Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe (User '?')
O4 - Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

--
End of file - 2539 bytes
******************************************************************************************************************************

Regards,

Hemant
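The two logs above show exactly the entries that this kind of infection relies on, so they are a good place to show what a mechanical check would flag. The script below is an added example written for this page; it is not HijackThis's own logic and not anything the posters ran. It parses HijackThis-style lines and reports three things: the F2 Shell= entry, which on the NT family is the Winlogon Shell registry value rather than a real system.ini and here has SVICHOSSST.exe appended after Explorer.exe so the malware is relaunched at every logon; the O7 policy value DisableRegedit=1 that blocks regedit (DisableTaskMgr is the sibling value for Task Manager); and any process or autorun whose file name imitates a Windows binary, as svichossst.exe imitates svchost.exe. The sample log is an excerpt of the "before" log in the post above; the allow-list of known system binaries, the rule names and the look-alike heuristic (a real name embedded as a subsequence with a few inserted characters, or one character changed) are the editor's assumptions. Note that svchost.exe does not exist on NT 4.0 at all (it arrived with Windows 2000), so anything resembling that name on this box is suspect regardless.

```python
"""Flag persistence and lockdown entries in HijackThis-style log lines.

Added example for this page (editor's code, not HijackThis's own logic).
Rules implemented:
  * F2  Shell= value other than Explorer.exe            -> Winlogon Shell hijack
  * O7  Policies\\System DisableRegedit/DisableTaskMgr  -> policy lockdown
  * any .exe token (process list, O4 autorun) whose name imitates a known
    Windows binary, e.g. svichossst.exe -> svchost.exe
The allow-list and the look-alike heuristic are assumptions made here.
"""
import re
from dataclasses import dataclass

# Stems of well-known NT-family system binaries (assumption: illustrative, not exhaustive).
KNOWN_SYSTEM = sorted({
    "smss", "csrss", "winlogon", "services", "lsass", "explorer", "spoolss",
    "rpcss", "tcpsvcs", "mstask", "pstores", "llssrv", "sfmprint", "sfmsvc",
    "svchost", "taskmgr", "regedit", "systray", "mstinit", "msconfig",
})
LOCKDOWN_VALUES = ("DisableRegedit", "DisableTaskMgr", "DisableCMD")
EXE_TOKEN = re.compile(r'[^\s\[\]"=]+\.exe', re.I)
SHELL_LINE = re.compile(r"F2 - REG:system\.ini: Shell=(.*)", re.I)


@dataclass
class Finding:
    rule: str
    line: str


def basename_stem(path: str) -> str:
    """'C:\\WINNT\\System32\\SVICHOSSST.exe' -> 'svichossst'."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_subsequence(short: str, long: str) -> bool:
    it = iter(long)
    return all(ch in it for ch in short)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(stem: str):
    """Return the system binary `stem` imitates, or None if it is a known
    name or resembles nothing. Catches padded names (svchost -> svichossst)
    and single-character swaps (svch0st); transpositions are out of scope."""
    if stem in KNOWN_SYSTEM:
        return None
    for real in KNOWN_SYSTEM:
        padded = is_subsequence(real, stem) and len(stem) - len(real) <= 4
        if padded or levenshtein(stem, real) <= 1:
            return real
    return None


def scan(log_text: str) -> list:
    """Return one Finding per (rule, line); a line can trip several rules."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        m = SHELL_LINE.match(line)
        if m and m.group(1).strip().lower() != "explorer.exe":
            findings.append(Finding("winlogon-shell-hijack", line))
        if line.startswith("O7 - ") and any(v in line for v in LOCKDOWN_VALUES):
            findings.append(Finding("policy-lockdown", line))
        for token in EXE_TOKEN.findall(line):
            real = lookalike_of(basename_stem(token))
            if real:
                findings.append(Finding("lookalike-of-" + real, line))
                break
    return findings


# Constructed sample: an excerpt of the "before" log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\SVICHOSSST.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\spoolss.exe

F2 - REG:system.ini: Shell=Explorer.exe SVICHOSSST.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe
O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:24} {f.line}")
```

Run against the excerpt it reports six findings: the Shell hijack, the DisableRegedit policy, and four look-alike hits (the running process, the F2 line, and the two Run entries). Run against the "after" log it reports nothing, which matches the manual cleanup, but that only says the autostart entries are gone; whether the file is still on disk, and whether the Winlogon Shell value was restored by editing the registry rather than by the log simply no longer listing it, still has to be confirmed on the machine itself.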

Assisted Solution by rpggamergirl:
Did you run SDFix too? Can we look at the SDFix.txt?

If SDFix didn't remove it, download MsnCleaner_eng.zip but don't use it yet.
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip

Now reboot into Safe Mode
Double-click MsnCleaner_eng.exe to run it.
Click the Analyze button.
A report will be created once the scan finishes.
If it finds an infection, click the Deleted button.
Now, please reboot back to normal mode.
Please show us the contents of C:\MsnCleaner.txt