mssvc.exe

Discussion in 'Virus & Other Malware Removal' started by caldog, Oct 1, 2003.

Thread Status:
Not open for further replies.
  1. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Did you get the file name right? You are looking for winnt.exe not winnit.exe (a Win9x/ME file)
     
  2. sharlan881

    sharlan881

    Joined:
    Oct 13, 2003
    Messages:
    4
    I may add no value here whatsoever, but I've had the same MSSvc.exe issue that the original writer had. I followed the information given (ie - regedit) and for the first time in three months that freaking message isn't popping up.

    I was having another problem that seemed to be related to the MSSvc.exe. This stupid little Windows Warning Box (with no title in the blue bar) kept popping up every 30 seconds or so. Through a Process tracker I downloaded, I found that there were two processes running that controlled that. There was a "services.exe" and under that there was a "csrss.exe". When I killed those processes, the stupid little box stopped popping up. Again, this may have been an unrelated problem, but it seemed to start happening about the same time.

    Since I was the beneficiary of the help given in this thread, I thought I'd throw that little factoid out in case it helps anybody else.

    Thanks!!!
     
  3. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Thanks sharlan. Services.exe and csrss.exe, running from the system32 folder, should be the standard and required services. Terminating them of course just stops them from doing whatever odd and unknown thing they were doing at the time.
     
  4. caldog

    caldog Thread Starter

    Joined:
    Sep 23, 2003
    Messages:
    19
    I mistyped - I meant winnt.exe. It wasn't there, so I don't have the ability to do a reinstall from within XP. My only option is to do a complete restore with the OEM's restore cd (not a windows xp cd - which I never got). I haven't had any of the annoying mssvc.exe error messages since following help tips posted on this thread. I know that the pc is still infected because I am still denied access to Administrative Services. Is there anything further that sharlan has suggested (re: csrss.exe) that I should also delete?
    thanks
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I'm afraid that's a required service, not a viral file.

    As of now the only documented resolutions for the Administrative access problems have come from reinstalls. I guess in your case that is going to be a destructive one.

    If you have saved setup files for previously installed programs you can reinstall them without too much loss of time. But otherwise, you are back to your original configuration.

    I'm a little confused, are both winnt.exe and winnt32.exe missing or just one of them?

    They are relatively small files. If the rest of the cab stuff is there (for example there's a winnt32.hlp and a winnt32.msi) I could zip you the missing files.
     
  6. caldog

    caldog Thread Starter

    Joined:
    Sep 23, 2003
    Messages:
    19
    I'm glad you asked about the 2 winnt.exe files above. I went back and opened the I386 file again to see which of these I was missing. I went to WINNT32 (there is no .exe). When I put the cursor over it it reads - 'stub folder for WINNT 32 setup.' When I clicked on it an error message reads: "Windows Setup - The option to upgrade will not be available at this time because setup was unable to load the file C\Windows\I386\WINNTUPG\NETUPGRD.DLL - The system cannot find the file specified." But after I hit ok I was taken to 'Welcome to windows Setup'. It asked me for which type of installation - but the only option available is New Installation (advanced). The next click led me to the user agreement page. I stopped here and thought I would ask: Is this the reinstall I have been looking for? I had never previously opened WINNT32 because I thought I was looking for an 'exe' file.
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Interesting, I do not have that dll either or even the WINNTUPG folder. For what it's worth the reason you didn't see the "exe" may be because you have "hide file extensions" for known file types checked in Folder Options > View. This is never good to do as it will conceal double extensions which mask executables.

    But to answer your question, I'm not sure of the answer. I *think* I have seen a previous thread where this screen was encountered and the user followed through -- the setup routine then reported that a "previous" installation has been detected, "do you want to repair?"

    I can't guarantee this though. But you should see at some point a warning that proceeding will destroy all previous data if the setup is going to wipe everything out. If you get presented with an option to "partition" that is what is going to happen.

    Do you have your ProductKey, by the way? If not, you can use the utility here to get it:

    http://www.angelfire.com/va3/vic3/winkeys.htm

    I would recommend trying it one way or another, just to ensure it matches what you think you have. Copy it exactly if it doesn't; you may need it.
     
  8. sander66

    sander66

    Joined:
    Oct 16, 2003
    Messages:
    1
    I have tried Spybot, SpyHunter and CoolWebShredder - to no avail
    Help !!

    Logfile of HijackThis v1.97.3
    Scan saved at 11:30:13 AM, on 10/16/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\srvany.exe
    C:\WINDOWS\System32\pppoe.exe
    C:\WINDOWS\system32\slserv.exe
    C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\services.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\csrss.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Valued Client\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    F0 - system.ini: Shell=explorer.exe winlogin.exe
    F2 - REG:system.ini: Shell=explorer.exe winlogin.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [NDplDeamon] winlogin.exe
    O4 - HKLM\..\Run: [winlogon] winlogin.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Radio Free Virgin Player (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37910.3291087963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You are going to have to review this thread thoroughly. Disable the Administrative Tools > Services startup for mssvc.exe, then edit the registry to remove the reference. Ultimately you will also have to reinstall XP to restore Administrative privileges.

    http://forums.techguy.org/showthread.php?postid=1154453#post1154453

    In addition to that you must clean these entries by checking and "fixing" with HijackThis:

    F2 - REG:system.ini: Shell=explorer.exe winlogin.exe

    O4 - HKLM\..\Run: [NDplDeamon] winlogin.exe
    O4 - HKLM\..\Run: [winlogon] winlogin.exe

    You will need to delete winlogin.exe. Do NOT confuse it with winlogon.exe, a required process.
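
The two checks applied to the log in this exchange (core process names running from somewhere other than System32, and winlogin.exe posing as winlogon.exe), as an added example that is not part of the original thread. The process-name list, the default install path and the one-character edit-distance rule are assumptions of this sketch; the sample lines are copied from the log posted above.

```python
import ntpath

# Assumption: core XP processes that should only ever run from System32,
# and the default install path for that folder.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

# Sample input: lines copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""C:\WINDOWS\system32\services.exe
C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\services.exe
C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\csrss.exe
F2 - REG:system.ini: Shell=explorer.exe winlogin.exe
O4 - HKLM\..\Run: [winlogon] winlogin.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss names such as winlogin.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(name):
    """True for an .exe name one edit away from, but not equal to, a core name."""
    return (name.endswith(".exe") and name not in SYSTEM32_ONLY
            and any(edit_distance(name, good) == 1 for good in SYSTEM32_ONLY))

def triage(log_text):
    """Return (reason, line) findings for the lines of a HijackThis log."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line[1:3] == ":\\":          # "Running processes" lines are bare paths
            folder, name = ntpath.split(line.lower())
            if name in SYSTEM32_ONLY and folder != SYSTEM32_DIR:
                findings.append(("system process outside System32", line))
        elif line.startswith(("F0", "F2", "O4")):   # shell and Run autostarts
            for token in line.lower().replace('"', " ").split():
                # "shell=explorer.exe" -> "explorer.exe"; strip any directory part
                if is_lookalike(ntpath.basename(token.split("=")[-1])):
                    findings.append(("lookalike of system process name", line))
                    break
    return findings
```
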
     
  10. sharlan881

    sharlan881

    Joined:
    Oct 13, 2003
    Messages:
    4
    I did the XP reinstall as detailed above (I do have a Dell so I had the XP CD) and everything worked perfectly. MSSvc is now nothing more than a bad memory.
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Good to hear. I also have a Dell and that's one good reason to stick with them if you're not into system building yourself.

    Be aware now you probably have to reinstall all the new patches and updates pronto. You should also enable the XP firewall if it is not incompatible with your ISP (AOL, Earthlink DSL...)
     

Short URL to this thread: https://techguy.org/168815