JatinHemant asked:

Can't run MSConfig...

Hi friends!

I am running Windows NT 4.0 Server Service Pack 6. My server is infected and previously I couldn't run Task Manager, regedit and msconfig. The entry svchost.exe was replaced by svichosst.exe. I ran HijackThis and found the corrupted entries.

Now I am able to run regedit, and I also enabled Task Manager from Group Policy. But I am still not able to run msconfig from Run. Please tell me how I can run it. Can I copy the msconfig file from the CD or from the system32 folder? Is there any other file to go to the System Configuration Utility, and not MSConfig, in NT 4.0 Server?

Thanks,

Hemant
ASKER CERTIFIED SOLUTION
f-king
This solution is only available to members.
SOLUTION
rpggamergirl
JatinHemant

ASKER

Hi friends!

Is there no way to download this file from the CD or some other location? f-king has given the link, but it seems that link is for Windows 2000. Will it work with my NT 4.0 Service Pack 6.0 also?

Thanks,

Hemant
Well, let me try the link provided by f-king.

Please also see the HijackThis logs before and after making manual changes...

HijackThis Log Before Fixing Anything:
******************************************************************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:44 PM, on 11/11/07
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\PROMon.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\System32\SVICHOSSST.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\WINNT\system32\SVICHOSSST.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\sfmprint.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Profiles\Administrator\Desktop\backups\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Harf Information Tech.
F2 - REG:system.ini: Shell=Explorer.exe SVICHOSSST.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe
O4 - HKUS\S-1-5-21-1494121696-514794618-1423778804-500\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe (User 'Default user')
O4 - S-1-5-21-1494121696-514794618-1423778804-500 Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe (User '?')
O4 - Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

--
End of file - 3020 bytes
******************************************************************************************************************************


HijackThis Log After Making Manual Correction in Registries:
******************************************************************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:11 PM, on 11/11/07
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\PROMon.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\sfmprint.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\sfmsvc.exe
C:\WINNT\Profiles\Administrator\Desktop\backups\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Harf Information Tech.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - S-1-5-21-1494121696-514794618-1423778804-500 Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe (User '?')
O4 - Startup: PEARLrip 5.1r1a.lnk = C:\data_G\Pearlrip\PRESST.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

--
End of file - 2539 bytes
******************************************************************************************************************************

Regards,

Hemant
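
Added example, not part of the original post: a short Python script that diffs two HijackThis logs to show which running processes and coded entries disappeared or appeared between scans. The embedded logs are abridged excerpts of the two logs posted above, and the function names are illustrative.

```python
import re

# Abridged excerpts of the "before" and "after" logs posted above.
BEFORE = r"""
Running processes:
C:\WINNT\system32\services.exe
C:\WINNT\System32\SVICHOSSST.exe
C:\WINNT\system32\SVICHOSSST.exe
C:\WINNT\system32\MSTask.exe

F2 - REG:system.ini: Shell=Explorer.exe SVICHOSSST.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\System32\SVICHOSSST.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""
AFTER = r"""
Running processes:
C:\WINNT\system32\services.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\sfmsvc.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# Coded entries look like "O4 - ..." or "F2 - ...": a letter, 1-2 digits, " - ".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse(log):
    """Split a HijackThis log into running-process paths and coded entries."""
    procs, entries, in_procs = set(), set(), False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.add(line.lower())   # Windows paths are case-insensitive
        elif (m := ENTRY.match(line)):
            entries.add((m.group(1), m.group(2)))
    return procs, entries

def diff(before, after):
    """Report what was removed from, or added to, the second scan."""
    bp, be = parse(before)
    ap, ae = parse(after)
    return {"procs_gone": sorted(bp - ap), "procs_new": sorted(ap - bp),
            "entries_gone": sorted(be - ae), "entries_new": sorted(ae - be)}

if __name__ == "__main__":
    for key, items in diff(BEFORE, AFTER).items():
        print(key, items)
```

Anything listed under `procs_new` or `entries_new` after a cleanup deserves the same scrutiny as the original findings, since it appeared between the two scans.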



