Can't run MSConfig...

Hi friends !

I am running Windows NT 4.0 Server Service Pack 6. My server is infected and previously I couldn't run Task Manager, regedit and msconfig. The entry svchost.exe was replaced by svichosst.exe. I ran HijackThis and found the corrupted entries.

Now I am able to run regedit, and from Group Policy I enabled Task Manager. But I am still not able to run msconfig from Run. Please tell me how I can run it? Can I copy the msconfig file from the CD or from the system32 folder? Is there any other file to get to the System Configuration Utility, other than MSConfig, in NT 4.0 Server?

Thanks,

Hemant
JatinHemant asked:
f-king (IT support technician) commented:
Hi
Try running it in Safe Mode!
Or you can download it:
http://www.techadvice.com/win2000/m/msconfig_w2k.htm
rpggamergirl commented:
Looks like an SDBot variant; do you have a HijackThis log that we can look at?

Or just run these tools:
1.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart, as the fixtool will be running and removing files.
* When the desktop loads, the fixtool will complete the removal and display "Finished"; then press any key to end the script and load your desktop icons.
* Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back


2.  Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
f-king (IT support technician) commented:
Also, after being heavily infected like that, I would suggest a Windows repair install or a format later on.
rpggamergirl commented:
Not being able to run regedit, Task Manager and msconfig are just symptoms of this variant "svichosst.exe". You can fix the symptoms, but they'll come up again eventually if the worm is still there, so it's better to fix it by removing the cause/culprit, and removing whatever other nasties reside in the system.

JatinHemant (Author) commented:
Hi friends !

Is there no way to download this file from the CD or some other location? f-king has given a link, but it seems that link is for Windows 2000. Will it work with my NT 4.0 Service Pack 6.0 also?

Thanks,

Hemant
f-king (IT support technician) commented:
You can try it and see if it accepts it.
JatinHemant (Author) commented:
Well, let me try the link provided by f-king.

Please also see the HijackThis logs before and after making manual changes...

HijackThis Log Before Fixing Anything:
******************************************************************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:44 PM, on 11/11/07
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\PROMon.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\System32\SVICHOSSST.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\WINNT\system32\SVICHOSSST.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\sfmprint.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Profiles\Administrator\Desktop\backups\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Harf Information Tech.
F2 - REG:system.ini: Shell=Explorer.exe SVICHOSSST.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe
O4 - HKUS\S-1-5-21-1494121696-514794618-1423778804-500\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe (User 'Default user')
O4 - S-1-5-21-1494121696-514794618-1423778804-500 Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe (User '?')
O4 - Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

--
End of file - 3020 bytes
******************************************************************************************************************************


HijackThis Log After Making Manual Corrections in the Registry:
******************************************************************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:11 PM, on 11/11/07
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\PROMon.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\sfmprint.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\sfmsvc.exe
C:\WINNT\Profiles\Administrator\Desktop\backups\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Harf Information Tech.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - S-1-5-21-1494121696-514794618-1423778804-500 Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe (User '?')
O4 - Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

--
End of file - 2539 bytes
******************************************************************************************************************************

Regards,

Hemant

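The two logs above differ in exactly the entries this thread is about: the F2 shell line, the O4 autoruns pointing at SVICHOSSST.exe, the O7 DisableRegedit policy and the running SVICHOSSST.exe processes. As an added example (not code from the thread or from HijackThis), here is a small Python triage script that runs over constructed excerpts modelled on those logs, flags those three kinds of entry plus any executable whose name is a near-miss for a legitimate NT system binary, and reports which findings the manual registry edits cleared. The list of system binaries and the 0.8 similarity threshold are assumptions.

```python
import difflib
import re

# Constructed excerpts modelled on the logs posted above (not the full logs).
LOG_BEFORE = r"""C:\WINNT\system32\services.exe
C:\WINNT\System32\SVICHOSSST.exe
F2 - REG:system.ini: Shell=Explorer.exe SVICHOSSST.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1"""
LOG_AFTER = r"""C:\WINNT\system32\services.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE"""

# Assumed list of legitimate NT binaries that malware commonly imitates by name.
KNOWN_SYSTEM_EXES = {"svchost.exe", "services.exe", "lsass.exe",
                     "winlogon.exe", "smss.exe", "explorer.exe"}

def lookalike(name):
    """Return the legitimate file name that `name` imitates, or None."""
    name = name.lower()
    if name in KNOWN_SYSTEM_EXES:
        return None
    def ratio(real):
        return difflib.SequenceMatcher(None, name, real).ratio()
    best = max(KNOWN_SYSTEM_EXES, key=ratio)
    return best if ratio(best) >= 0.8 else None  # svichossst.exe vs svchost.exe scores 0.88

def analyse(log):
    """Flag a shell hijack (F2), policy lockouts (O7) and lookalike executables."""
    findings = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        shell = re.match(r"F2 - REG:system\.ini: Shell=(.*)", line)
        if shell:
            extras = [p for p in shell.group(1).split() if p.lower() != "explorer.exe"]
            if extras:  # anything besides Explorer.exe here is started at every logon
                findings.append(f"F2 shell hijack: extra shell program(s) {extras}")
        elif line.startswith("O7 - ") and "Disable" in line:
            findings.append(f"O7 policy restriction: {line.split(', ')[-1]}")
        else:  # process list, O4 autoruns and O23 services all carry an .exe path
            exe = re.search(r"([\w~.-]+\.exe)", line, re.I)
            mimic = lookalike(exe.group(1)) if exe else None
            if mimic:
                kind = line.split(" - ")[0] if line.startswith("O") else "process"
                findings.append(f"{kind} uses lookalike name {exe.group(1)} (mimics {mimic})")
    return findings

def compare(before, after):
    """Which findings the manual registry edits cleared, and which still stand."""
    fixed = sorted(set(analyse(before)) - set(analyse(after)))
    return {"fixed": fixed, "remaining": analyse(after)}
```

Calling `compare(LOG_BEFORE, LOG_AFTER)` on the excerpts lists four cleared findings and nothing remaining; an empty "remaining" list only means the HijackThis-visible entries are gone, which is the point rpggamergirl makes about symptoms versus the worm itself.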
rpggamergirl commented:
Did you run SDFix too? Can we look at the SDFix.txt?

If SDFix didn't remove it, download MsnCleaner_eng.zip but don't use it yet.
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip

Now reboot into Safe Mode.
Double-click MsnCleaner_eng.exe to run it.
Click the Analyze button.
A report will be created once the scan finishes.
If it finds an infection, click the Deleted button.
Now, please reboot back to Normal Mode.
Please show us the contents of C:\MsnCleaner.txt