Solved

Can't run MSConfig...

Posted on 2007-11-14
Last Modified: 2013-12-28
Hi friends !

I am running Windows NT 4.0 Server Service Pack 6. My server is infected, and previously I couldn't run Task Manager, regedit or msconfig. The entry svchost.exe was replaced by svichosst.exe. I ran HijackThis and found the corrupted entries.

Now I am able to run regedit, and from Group Policy I enabled Task Manager. But I am still not able to run msconfig from Run. Please tell me how I can run it? Can I copy the msconfig file from the CD or from the system32 folder? Is there any other file to get to the System Configuration Utility, other than MSConfig, in NT 4.0 Server?

Thanks,

Hemant
Question by:JatinHemant
8 Comments
 
LVL 15

Accepted Solution

by:
f-king earned 130 total points
ID: 20279033
Hi
Try running it in safe mode!
Or you can download it:
http://www.techadvice.com/win2000/m/msconfig_w2k.htm
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 120 total points
ID: 20279040
Looks like an SDBot variant. Do you have a HijackThis log that we can look at?

Or just run these tools:
1.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads, the fixtool will complete the removal and display "Finished"; then press any key to end the script and load your desktop icons.
* Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back


2.  Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 
LVL 15

Assisted Solution

by:f-king
f-king earned 130 total points
ID: 20279043
Also, after being heavily infected like that, I would suggest a Windows repair install or a format later on.
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 120 total points
ID: 20279075
Not being able to run regedit, Task Manager or msconfig is just a symptom of this variant ("svichosst.exe"). You can fix the symptoms, but they'll come up again eventually if the worm is still there, so it's better to fix it by removing the cause/culprit, and removing whatever other nasties reside in the system.


Author Comment

by:JatinHemant
ID: 20279105
Hi friends !

Is there no way to download this file from the CD or some other location? f-king has given a link, but it seems that link is for Windows 2000. Will it work with my NT 4.0 Service Pack 6.0 also?

Thanks,

Hemant
 
LVL 15

Assisted Solution

by:f-king
f-king earned 130 total points
ID: 20279382
You can try it and see if it accepts it.
 

Author Comment

by:JatinHemant
ID: 20280861
Well, let me try the link provided by f-king.

Please also see the HijackThis logs before and after making manual changes...

HijackThis Log Before Fixing Anything:
******************************************************************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:44 PM, on 11/11/07
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\PROMon.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\System32\SVICHOSSST.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\WINNT\system32\SVICHOSSST.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\sfmprint.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Profiles\Administrator\Desktop\backups\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Harf Information Tech.
F2 - REG:system.ini: Shell=Explorer.exe SVICHOSSST.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe
O4 - HKUS\S-1-5-21-1494121696-514794618-1423778804-500\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe (User 'Default user')
O4 - S-1-5-21-1494121696-514794618-1423778804-500 Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe (User '?')
O4 - Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

--
End of file - 3020 bytes
******************************************************************************************************************************


HijackThis Log After Making Manual Corrections in the Registry:
******************************************************************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:11 PM, on 11/11/07
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\PROMon.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\sfmprint.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\sfmsvc.exe
C:\WINNT\Profiles\Administrator\Desktop\backups\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Harf Information Tech.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - S-1-5-21-1494121696-514794618-1423778804-500 Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe (User '?')
O4 - Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

--
End of file - 2539 bytes
******************************************************************************************************************************

Regards,

Hemant




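Reading the two logs above side by side is how an analyst would triage this machine: the SVICHOSSST.exe processes and their "Yahoo Messengger" Run entries, the system.ini Shell= line that starts a second executable next to Explorer.exe, and the O7 DisableRegedit policy all appear in the first log and are gone from the second. The script below is an added example for this thread, not one of the tools recommended in it and not HijackThis's own analysis. It parses two HijackThis logs, diffs them, and flags those categories using review rules that are my own assumptions (a look-alike check on core process names using difflib, a Shell= line that starts more than Explorer.exe, an O4 autostart whose image is a look-alike, and any O7 policy line). The embedded logs are constructed, shortened versions of the ones Hemant posted.

```python
"""Parse two HijackThis logs, diff them, and flag the entries worth a look.

Added example, not a tool from this thread. The review rules are assumptions,
not HijackThis's own analysis; the embedded logs are constructed, shortened
versions of the before/after logs posted above."""
import difflib
import re

# Core process names that malware commonly imitates (assumed starting set).
SYSTEM_STEMS = {"svchost", "lsass", "services", "winlogon", "smss",
                "explorer", "spoolss"}
LOOKALIKE_THRESHOLD = 0.75  # assumption: similarity of the name minus ".exe"
_ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
_IMAGE_RE = re.compile(r'([^\\\s"\[\]]+\.exe)', re.I)

def parse_log(text):
    """Return (running process paths, [(section, body), ...]) from log text."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process list
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif (m := _ENTRY_RE.match(line)):
            entries.append((m.group(1), m.group(2)))
    return processes, entries

def lookalike(name):
    """Return the core process `name` imitates ('svchost.exe'), else None."""
    stem = name.lower().rsplit(".", 1)[0]  # drop the extension
    if stem in SYSTEM_STEMS:
        return None  # an exact match is the real process
    score, best = max((difflib.SequenceMatcher(None, stem, s).ratio(), s)
                      for s in SYSTEM_STEMS)
    return best + ".exe" if score >= LOOKALIKE_THRESHOLD else None

def find_suspicious(processes, entries):
    """Apply the review rules to one parsed log and return the findings."""
    findings = []
    for path in processes:
        base = path.rsplit("\\", 1)[-1]
        if (target := lookalike(base)):
            findings.append(f"process {base} resembles {target}: {path}")
    for section, body in entries:
        if section == "F2" and "Shell=" in body:
            # system.ini Shell= should start Explorer.exe and nothing else
            extras = [t for t in body.split("Shell=", 1)[1].split()
                      if t.lower() != "explorer.exe"]
            if extras:
                findings.append(f"F2 Shell= also starts {' '.join(extras)}")
        elif section == "O4" and (m := _IMAGE_RE.search(body)):
            if (target := lookalike(m.group(1))):
                findings.append(f"O4 autostart runs {m.group(1)} "
                                f"(resembles {target}): {body}")
        elif section == "O7":  # policy restrictions such as DisableRegedit=1
            findings.append(f"O7 admin-tool restriction: {body}")
    return findings

def diff_logs(before_text, after_text):
    """Order-insensitive diff of processes and entries between two logs."""
    b_procs, b_entries = parse_log(before_text)
    a_procs, a_entries = parse_log(after_text)
    return {"processes_gone": sorted(set(b_procs) - set(a_procs)),
            "processes_new": sorted(set(a_procs) - set(b_procs)),
            "entries_removed": sorted(set(b_entries) - set(a_entries)),
            "entries_added": sorted(set(a_entries) - set(b_entries))}

# Constructed, shortened logs in the shape of the ones posted in the thread.
BEFORE_LOG = r"""Running processes:
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\SVICHOSSST.exe
C:\WINNT\System32\NMSSvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe SVICHOSSST.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""
AFTER_LOG = r"""Running processes:
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\sfmsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

if __name__ == "__main__":
    print(*find_suspicious(*parse_log(BEFORE_LOG)), sep="\n")
    print(diff_logs(BEFORE_LOG, AFTER_LOG))
```

Run against the two constructed logs, the first log yields four findings (the look-alike process, the extra Shell= image, the look-alike O4 autostart and the O7 policy) and the second yields none, while the diff lists exactly the SVICHOSSST.exe process and its three entries as removed. The similarity threshold is deliberately applied to the name without its extension, so that a shared ".exe" does not inflate every comparison; legitimate NT services in these logs such as NMSSvc.exe and sfmsvc.exe stay well below it.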
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 120 total points
ID: 20318651
Did you run SDFix too? Can we look at the SDFix.txt?

If SDFix didn't remove it, download MsnCleaner_eng.zip but don't use it yet.
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip

Now reboot into Safe Mode
Double-click MsnCleaner_eng.exe to run it.
Click the Analyze button.
A report will be created once the scan finishes.
If it finds an infection, click the Deleted button.
Now, please reboot back to normal mode.
Please show us the contents of C:\MsnCleaner.txt