Jerzak1976

asked on

Error on startup Windows 2003 terminal server

I'm getting the following message when I log on via my terminal servers; it seems to be happening on most profiles:

Windows cannot find 'C:\docume~1\Admin~1.MSC\Locals~1\temp\1\csrss.exe'. Make sure you have typed the name correctly, and then try again.

Desktop
Cannot load or run 'C:\docume~1\Admin~1.MSC\Locals~1\temp\1\csrss.exe'. Make sure the file exists on your computer.

I have run antivirus scans - CA eTrust & PestPatrol - without any luck. I've also run Malwarebytes and nothing has shown up.

Can someone please help me?
hmarcbower

Since it was in the temp folder, I would almost suspect it was a failed attempt at a trojan/malware.  csrss.exe is a windows file, but it's never in a temp file, so I suspect that what it's trying to load would be the malware/trojan.  If you check your registry, you'll probably find an entry for it in the Run key.

HKLM\Software\Microsoft\Windows\Current Version\Run

You should be able to delete the line out of there that runs the missing file and the error will stop.  

Did you have an av client running on it before this occurred?  Sometimes what happens is it only catches a part of the process of infection, and there are a few little things left to clean up (like maybe your A/V stopped the creation of that file in the temp folder, but didn't find any problem with it writing to the registry).
Jerzak1976 (ASKER)

I have checked this and the missing file is not in here at all. The only one I am not sure of is conhost.exe?
Yes, antivirus was running on all the machines. It's a terminal server and it comes up on all servers when they load the infected profiles!
It's good that the missing file is not in the temp file.  Do you mean you checked the registry and it's not there, either?
Yes, I checked in the registry and it's not there either!
Hm.  You could check in the HKEY Current User branch, logged in as one of the users getting the message.  I figured since it was affecting all the profiles it would be in the HKLM... but perhaps not.
It seems to be affecting myself, the admin, and one other user! Can't seem to find it in HKey Current User either!
The next step for registry is doing a search for it.  Search for csrss.exe in the whole registry and see if there are any suspicious lines that come up. As I said, it is a vital windows program, too, so don't just delete them all.
Yes, I found it in HKey Current User\software\microsoft\windows nt\current version\windows
I deleted it and then logged off and logged back on - seemed to be fine. I then logged off and back on again and up it popped again. Also the SharePoint server which holds our intranet isn't working for these particular users!!
Cliff Galiher
The fact that one of the users affected is an admin leads me to believe you have an infected machine somewhere and the malware has acquired admin privileges. From there it can cause problems with profiles on other machines, and this is one way several of the Nimda variants spread. You may be looking at systematically isolating and rebuilding each component of your network.
Then definitely check the RUN key more closely - there is something there respawning the trojan/malware process that adds that info to the registry.  Find that process, find out what's running it, and delete the source.

Might be a good start to empty the TEMP folder in question, too - anything that it can't delete will be a running program (or locked for some other reason), and might be your culprit.  Look at the running processes on the server and see what doesn't look right.
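One way to carry out the registry and process check described above on a terminal server, as an added PowerShell audit script that is not from this thread. It assumes PowerShell 2.0 or later on the server and an elevated prompt, and it walks every loaded user hive under HKEY_USERS rather than only HKCU, since each logged-on profile has its own copy of the Run and Windows NT\CurrentVersion\Windows keys:

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+ on the server and an
# elevated prompt so every loaded user hive under HKEY_USERS is readable.
$suspectNames = @('csrss.exe', 'dwm.exe', 'conhost.exe')   # system-binary names seen in the thread
$system32 = (Join-Path $env:SystemRoot 'System32').ToLower()

# Autostart locations discussed in the thread; checked in HKLM and in every loaded
# user hive (each logged-on terminal server profile has one), not just HKCU.
$relativeKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows NT\CurrentVersion\Windows'   # holds the Load and Run values
)

function Test-SuspiciousCommand {
    param([string]$Command)
    if (-not $Command) { return $false }
    $c = $Command.ToLower()
    # An autostart entry launched from a temp directory is abnormal
    if ($c -match '\\temp\\' -or $c -match '\\locals~1\\') { return $true }
    # A system-binary name whose path is not under System32 is a lookalike
    foreach ($n in $suspectNames) {
        if ($c.Contains($n) -and -not $c.Contains($system32)) { return $true }
    }
    return $false
}

if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$hives = @('HKLM:') + @(Get-ChildItem HKU:\ -ErrorAction SilentlyContinue |
    ForEach-Object { "HKU:\" + $_.PSChildName })

"== Suspicious autostart values =="
foreach ($hive in $hives) {
    foreach ($rel in $relativeKeys) {
        $key = Join-Path $hive $rel
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip provider metadata
            if (Test-SuspiciousCommand $p.Value) { "{0}  [{1}] = {2}" -f $key, $p.Name, $p.Value }
        }
    }
}

"== Processes with a system-binary name not loaded from System32 =="
Get-WmiObject Win32_Process | Where-Object {
    $suspectNames -contains $_.Name.ToLower() -and $_.ExecutablePath -and
    -not $_.ExecutablePath.ToLower().StartsWith($system32)
} | Select-Object ProcessId, Name, ExecutablePath
```

A hit under a specific HKU\S-1-5-... hive tells you which profile carries the entry, which is the case this thread describes (the value reappearing under the user's Windows NT\CurrentVersion\Windows key). The real csrss.exe may be reported by WMI without an ExecutablePath and is deliberately not listed; only a copy running from another path is.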
Now I feel sick. I've checked in Run - nothing unusual in there - emptied the Temp directory, logged off, logged back on and still no luck. I just can't seem to find where it is located. I've run HijackThis, killed the process and still no luck with it. Only affecting my profile (which is a domain admin account), the local admin account on three of the terminal servers, and one other user who is an admin as well.
Since you ran HijackThis, post the log and let's see if anyone can pick anything out.
ASKER CERTIFIED SOLUTION
hmarcbower
Is dwm.exe a part of it as well?
Tried all of this but it keeps on coming back. Is there any software that gets rid of it?
dwm.exe - Yes, probably - it also seems to be a Windows 7 specific file that shouldn't be running on a Win2003 server.  I'm so used to seeing that one it never jumped out at me. It was a running process, but I don't see anything in the HJT log that would spawn it.  

If all that didn't solve the problem, then it's deeper in the system.  Here's a page at malwarebytes that goes through some steps to hopefully get rid of it.  

http://forums.malwarebytes.org/index.php?showtopic=63688

And also check here:

http://www.bleepingcomputer.com/forums/topic304517.html