[Rollin' Rog]

Did you get the file name right? You are looking for winnt.exe not winnit.exe (a Win9x/ME file)

[sharlan881]

I may add no value here whatsoever, but I've had the same MSSvc.exe issue that the original writer had. I followed the information gived (ie - regedit) and for the first time in three months that freaking message isn't popping up.

I was having another problem that seemed to be related to the MSSvc.exe. This stupid little Windows Warning Box (with no title in the blue bar) kept popping up every 30 seconds or so. Through a Process tracker I downloaded, I found that there were two processes running that controlled that. There was a "services.exe" and under that there was a "csrss.exe". When I killed those processes, the stupid little box stopped popping up. Again, this may have been an unrelated problem, but it seemed to start happening about the same time.

Since I was the beneficiary of the help given in this thread, I thought I'd throw that little factoid out in case it helps anybody else.

Thanks!!!

[Rollin' Rog]

Thanks sharlan. Services.exe and csrss.exe, running from the system32 folder, should be the standard and required services. Terminating them of course just stops them from doing whatever odd and unknown thing they were doing at the time.

[caldog]

I mistyped - I meant winnt.exe. It wasn't there,so I don't have the ability to do a reinstall from within XP. My only option is to do a complete restore with the OEM's restore cd(not a windows xp cd - which I never got) I haven't had any of the annoying mssvc.exe error messages since following help tips posted on this thread. I know that the pc is still infected because I am still denied access to Administrative Services. Is there anything further that sharlan has suggested(re: csrss.exe) that I should also delete?
thanks

[Rollin' Rog]

I'm afraid that's a required service, not a viral file.

As of now the only documented resolutons for the Administrative access problems have come from reinstalls. I guess in your case that is going to be a destructive one.

If you have saved setup files for previously installed programs you can reinstall them without too much loss of time. But otherwise, you are back to your original configuration.

I'm a little confused, are both winnt.exe and winnt32.exe missing or just one of them?

They are relatively small files. If the rest of the cab stuff is there (for example there's a winnt32.hlp and a winnt32.msi) I could zip you the missing files.

[caldog]

I'm glad you asked about the 2 winnnt.exe files above. I went back and opened the I386 file again to see which of these i was missing. I went to WINNT32(there is no .exe). When I put the cursor over it it reads - 'stub folder for WINNT 32 setup.' When I clicked on it an error mesage reads: "Windows Setup - The option to upgrade will not be available at this time because setup was unable to load the file C\Windows\I386\WINNTUPG\NETUPGRD.DLL - The system cannot find the file specified." But after I hit ok I was taken to 'Welcome to windows Setup' It asked me for which type of installation - but the only option available is New Installation(advanced). The next click lead me to the user agreement page. I stopped here and thought I would ask :Is this the reinstall I have been looking for? I had never previosly opened WINNT32 because I thought I was looking for an 'exe' file?

[Rollin' Rog]

Interesting, I do not have that dll either or even the WINNTUPG folder. For what it's worth the reason you didn't see the "exe" may be because you have "hide file extensions" for known file types checked in Folder Options > View. This is never good to do as it will conceal double extensions which mask executables.

But to answer your question, I'm not sure of the answer. I *think* I have seen a previous thread where this screen was encountered and the user followed through -- the setup routine then reported that a "previous" installation has been detected, "do you want to repair?"

I can't guarantee this though. But you should see at some point a warning that proceeding will destroy all previous data if the setup is going to wipe everything out. If you get presented with an option to "partition" that is what is going to happen.

Do you have your ProductKey, by the way? If not, you can use the utility here to get it:

http://www.angelfire.com/va3/vic3/winkeys.htm

I would recommend trying it one way or another, just to ensure it matches what you think you have. Copy it exactly if it doesn't you may need it.

[sander66]

I have tried sybot, spyhunter and CoolWebShredder - to no avail
Help !!

Logfile of HijackThis v1.97.3
Scan saved at 11:30:13 AM, on 10/16/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\srvany.exe
C:\WINDOWS\System32\pppoe.exe
C:\WINDOWS\system32\slserv.exe
C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\services.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\csrss.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Valued Client\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F0 - system.ini: Shell=explorer.exe winlogin.exe
F2 - REG:system.ini: Shell=explorer.exe winlogin.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [NDplDeamon] winlogin.exe
O4 - HKLM\..\Run: [winlogon] winlogin.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Radio Free Virgin Player (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...910.3291087963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

[Rollin' Rog]

You are going to have to review this thread thoroughly. Disable the Adminisistrative Tools > Services startup for mssvc.exe, then edit the registry to remove the reference. Ultimately you will also have to reinstall XP to restore Administrative priveleges.

http://forums.techguy.org/showthread...53#post1154453

In addition to that you must clean these entries by checking and "fixing" with HijackThis:

F2 - REG:system.ini: Shell=explorer.exe winlogin.exe

O4 - HKLM\..\Run: [NDplDeamon] winlogin.exe
O4 - HKLM\..\Run: [winlogon] winlogin.exe

You will need to delete winlogin.exe Do NOT confuse it with winlogon.exe, a required process.

[sharlan881]

I did the XP reinstall as detailed above (I do have a Dell so I had the XP CD) and everything worked perfectly. MSSvc is now nothing more then a bad memory.

[Rollin' Rog]

Good to hear. I also have a Dell and that's one good reason to stick with them if you're not into system building yourself.

Be aware now you probably have to reinstall all the new patches and updates pronto. You should also enable the XP firewall if it is not incompatible with your ISP (AOL, Earthlink DSL...)