Temmu's Win 2000 Server

Started by Temmu, September 15, 2006, 09:07:46 PM


Temmu

I followed the submit instructions
and submitted the ad aware log
and the hijack this log.

and posted the following at this post.

http://www.thespykiller.co.uk/forum/index.php?topic=2574.new#new

all this was done in "safe" mode

mcafee stinger found
c:\winnt\system32\i  dbot.worm! ftp virus

ad aware found
hkey-local-machine:software\microsoft\windows nt\currentversion\winlogon"shell" (explorer.exe ms32.exe)

when browsing the file system, windows explorer immediately closes when opening the
c:\program files\spybot  folder or
d:\spybot folder (cd)
or when one tries to launch spybot search & destroy.

windows explorer stayed open for as long as you like, browsing anything you like, but not when you hit any spybot related folder.

likewise, windows explorer crashed when microsoft's anti spy (giant software) program folder was opened.

ad aware ran fine.
===================================================
here's the ad aware log:


Ad-Aware SE Build 1.06r1
Logfile Created on:Friday, September 15, 2006 3:15:29 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R123 14.09.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Windows(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


9-15-2006 3:15:29 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
    FilePath           : \SystemRoot\System32\
    ProcessID          : 140
    ThreadCreationTime : 9-15-2006 7:42:11 PM
    BasePriority       : Normal


#:2 [csrss.exe]
    FilePath           : \??\C:\WINNT\system32\
    ProcessID          : 168
    ThreadCreationTime : 9-15-2006 7:42:28 PM
    BasePriority       : Normal


#:3 [winlogon.exe]
    FilePath           : \??\C:\WINNT\system32\
    ProcessID          : 192
    ThreadCreationTime : 9-15-2006 7:42:29 PM
    BasePriority       : High


#:4 [services.exe]
    FilePath           : C:\WINNT\system32\
    ProcessID          : 220
    ThreadCreationTime : 9-15-2006 7:42:32 PM
    BasePriority       : Normal
    FileVersion        : 5.00.2195.7035
    ProductVersion     : 5.00.2195.7035
    ProductName        : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName       : services.exe
    LegalCopyright     : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename   : services.exe

#:5 [lsass.exe]
    FilePath           : C:\WINNT\system32\
    ProcessID          : 232
    ThreadCreationTime : 9-15-2006 7:42:32 PM
    BasePriority       : Normal
    FileVersion        : 5.00.2195.7011
    ProductVersion     : 5.00.2195.7011
    ProductName        : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Executable and Server DLL (Export Version)
    InternalName       : lsasrv.dll and lsass.exe
    LegalCopyright     : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename   : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
    FilePath           : C:\WINNT\system32\
    ProcessID          : 404
    ThreadCreationTime : 9-15-2006 7:42:38 PM
    BasePriority       : Normal
    FileVersion        : 5.00.2134.1
    ProductVersion     : 5.00.2134.1
    ProductName        : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename   : svchost.exe

#:7 [winmgmt.exe]
    FilePath           : C:\WINNT\System32\WBEM\
    ProcessID          : 432
    ThreadCreationTime : 9-15-2006 7:42:39 PM
    BasePriority       : Normal
    FileVersion        : 1.50.1085.0100
    ProductVersion     : 1.50.1085.0100
    ProductName        : Windows Management Instrumentation
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Management Instrumentation
    InternalName       : WINMGMT
    LegalCopyright     : Copyright (C) Microsoft Corp. 1995-1999

#:8 [ms32.exe]
    FilePath           : C:\WINNT\system32\
    ProcessID          : 204
    ThreadCreationTime : 9-15-2006 7:46:05 PM
    BasePriority       : Normal


#:9 [explorer.exe]
    FilePath           : C:\WINNT\
    ProcessID          : 560
    ThreadCreationTime : 9-15-2006 7:46:05 PM
    BasePriority       : Normal
    FileVersion        : 5.00.3700.6690
    ProductVersion     : 5.00.3700.6690
    ProductName        : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    LegalCopyright     : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename   : EXPLORER.EXE

#:10 [ad-aware.exe]
    FilePath           : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID          : 260
    ThreadCreationTime : 9-15-2006 7:49:54 PM
    BasePriority       : Normal
    FileVersion        : 6.2.0.236
    ProductVersion     : SE 106
    ProductName        : Lavasoft Ad-Aware SE
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-Aware SE Core application
    InternalName       : Ad-Aware.exe
    LegalCopyright     : Copyright © Lavasoft AB Sweden
    OriginalFilename   : Ad-Aware.exe
    Comments           : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Windows Object Recognized!
    Type               : RegData
    Data               : explorer.exe ms32.exe
    TAC Rating         : 3
    Category           : Vulnerability
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\windows nt\currentversion\winlogon
    Value              : Shell
    Data               : explorer.exe ms32.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
11926 entries scanned.
New critical objects:0
Objects found so far: 1




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

3:20:07 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:04:37.718
Objects scanned:75072
Objects identified:1
Objects ignored:0
New critical objects:1

=========================================================

here's the hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 3:48:29 PM, on 9/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MS32.exe
C:\WINNT\Explorer.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe MS32.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,MS32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Update Drivers] explorers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Ms Java for Windows NT] MS32.exe
O4 - HKCU\..\Run: [Microsoft Server] rserv.exe
O4 - HKCU\..\Run: [New Csnm Manager] csmn.exe
O4 - HKCU\..\Run: [Nokia Check] nokiacheck.exe
O4 - HKCU\..\Run: [Ms Java for Windows NT] MS32.exe
O4 - HKCU\..\RunServices: [New Csnm Manager] csmn.exe
O4 - HKCU\..\RunServices: [Nokia Check] nokiacheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123302801328
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA3B26BA-116E-40EA-9481-730A575C1296}: NameServer = 205.152.132.23,205.152.37.23
O23 - Service: A1Monitor6812165219 - Unknown owner - C:\Program Files\A1Monitor\VMonitor.EXE (file missing)
O23 - Service: VisNetic Firewall (DeerfieldFirewall) - 8Signs Ltd. - C:\Program Files\Deerfield.com\VisNetic Firewall\DFW.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Merak GroupWare Server (MerakCalendar) - IceWarp Software - C:\Program Files\Merak\cal.exe
O23 - Service: Merak Mail Server Web / Control (MerakControl) - IceWarp Software - C:\Program Files\Merak\control.exe
O23 - Service: Merak Instant Messaging Server (MerakIM) - IceWarp Software - C:\Program Files\Merak\im.exe
O23 - Service: Merak Mail Server POP3 / IMAP (MerakPOP3) - IceWarp Software - C:\Program Files\Merak\pop3.exe
O23 - Service: Merak Mail Server SMTP (MerakSMTP) - IceWarp Software - C:\Program Files\Merak\smtp.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINNT\system32\mousecrm.exe (file missing)
O23 - Service: Microsoft DCOM PC Service (mspcdcom) - Unknown owner - C:\WINNT\System32\mspcdcom.exe
O23 - Service: Resultant Set of Policy Provider (rspp) - Unknown owner - cmd /c start C:\WINNT\system32\wmiprvse.exe (file missing)

=================================

rsvp
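As an added illustration (not part of Temmu's post and not code from HijackThis), the following Python script applies the triage a helper does by eye on a log like the one above: it flags a Winlogon Shell or UserInit value that launches anything beyond explorer.exe or userinit.exe, Run entries that name a bare executable with no path, the legacy RunServices key, and O23 services with no recorded owner, a missing image file, or a cmd wrapper as their image. The sample lines are copied from the log in this thread; the heuristics and all function names are the editor's own assumptions.

```python
"""Triage a HijackThis log for the autostart patterns seen in the thread above.

Added example (not from the original post or from HijackThis); the heuristics
and names below are the editor's own assumptions.
"""
import re

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe MS32.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,MS32.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Ms Java for Windows NT] MS32.exe
O4 - HKCU\..\RunServices: [New Csnm Manager] csmn.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINNT\system32\mousecrm.exe (file missing)
O23 - Service: Resultant Set of Policy Provider (rspp) - Unknown owner - cmd /c start C:\WINNT\system32\wmiprvse.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
F2_RE = re.compile(r"REG:system\.ini: (\w+)=(.*)$")
O4_RE = re.compile(r"(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")


def first_token(command):
    """Return the executable part of a Run command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_f2(body):
    """Winlogon Shell should be explorer.exe alone; UserInit should not chain programs."""
    m = F2_RE.match(body)
    if not m:
        return None
    name, value = m.group(1).lower(), m.group(2)
    if name == "shell":
        extras = [p for p in value.split() if p.lower() != "explorer.exe"]
        if extras:
            return "Winlogon Shell launches extra program(s): " + " ".join(extras)
    elif name == "userinit":
        entries = [e for e in value.split(",") if e.strip()]
        if len(entries) > 1:
            return "Winlogon UserInit chains extra program(s): " + ",".join(entries[1:])
    return None


def check_o4(body):
    """Flag Run values naming a bare executable (resolved by PATH search) and the Win9x RunServices key."""
    m = O4_RE.match(body)
    if not m:
        return None
    _hive, key, _name, command = m.groups()
    exe = first_token(command)
    reasons = []
    if exe and "\\" not in exe and "/" not in exe:
        reasons.append("bare executable name '%s' with no path" % exe)
    if key.lower() == "runservices":
        reasons.append("RunServices key (legacy Windows 9x autostart location)")
    return "; ".join(reasons) or None


def check_o23(body):
    """Flag services with no recorded owner, a missing image, or a cmd wrapper as image."""
    parts = body.split(" - ", 2)
    if len(parts) != 3:
        return None
    _service, owner, image = parts
    reasons = []
    if owner.strip().lower() == "unknown owner":
        reasons.append("no company/owner recorded")
    if "(file missing)" in image:
        reasons.append("image file not present on disk")
    if re.match(r"cmd(\.exe)?\s", image.strip(), re.IGNORECASE):
        reasons.append("service image is a cmd wrapper")
    return "; ".join(reasons) or None


CHECKS = {"F2": check_f2, "O4": check_o4, "O23": check_o23}


def triage(log_text):
    """Return [(section, reason, original line)] for every line a check flags."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            findings.append((section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (section, reason, line))
```

On the sample above the script flags six of the eight lines and leaves the McAfee Run entry and the VERITAS service alone. These are hints for a human reviewer, not verdicts: a legitimate service can show "Unknown owner" when its binary carries no version resource, so each hit still needs the path and file checked by hand.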

Temmu

adding as reply as i couldn't edit -

also, when i opened task manager, it showed no applications running.
in processes, when i right-clicked either ms32 or explorer and clicked end process tree, i was informed that the file handles were invalid or corrupt or something... and neither closed.

this is substantially different than when you try to close a system process and are denied because the process belongs to the system and would probably crash it if closed.

Corrine

Hello, my friend.  If this machine is still connected to your network, I'd suggest removing it -- sooner rather than later.  This is what my research has turned up so far:

MS32.exe:
Quote: Added by the W32/Vanebot-H worm and IRC backdoor. W32/Vanebot-H spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares and MSSQL servers protected by weak passwords.

W32/Vanebot-H runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

add to that wmiprvse.exe, which is added by the SONEBOT-B worm:
Quote: This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.

I'm working on putting something together, but want to make sure it's "coherent".  :D


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Corrine

Hi, Temmu.  I've looked at this two-ways to Sunday.  You may be better off digging out that copy of the Ghost backup as this system has been badly compromised.  However, you can try this.

A.  Please download the following programs. 

  • Download the Killbox © Option^Explicit.
    Unzip it to the desktop
  • Please download ATF Cleaner by Atribune from http://www.atribune.org/public-beta/ATF-Cleaner.exe .  Save it to your Desktop.
  • Download Prevx from here.  Update as required.
  • Copy the part in code below into notepad and save it as Regfix.reg. Save it to the desktop. Don't do anything with this yet.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"Shell"="Explorer.exe"
"System"=""




B.  Let's take care of the services.

  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service Mouse Cursor Monitor
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
  • Repeat the above steps for Resultant Set of Policy Provider
  • Press control-alt-delete to get into the task manager and end the following processes if they exist:
    C:\WINDOWS\System32\mousecrm.exe
    C:\WINNT\system32\wmiprvse.exe

C.  Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following, if found, and press "Fix Checked":

F2 - REG:system.ini: Shell=Explorer.exe MS32.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,MS32.exe
O4 - HKLM\..\Run: [Ms Java for Windows NT] MS32.exe
O4 - HKCU\..\Run: [Microsoft Server] rserv.exe
O4 - HKCU\..\Run: [New Csnm Manager] csmn.exe
O4 - HKCU\..\Run: [Ms Java for Windows NT] MS32.exe
O4 - HKCU\..\RunServices: [New Csnm Manager] csmn.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINNT\system32\mousecrm.exe (file missing)
O23 - Service: Resultant Set of Policy Provider (rspp) - Unknown owner - cmd /c start C:\WINNT\system32\wmiprvse.exe (file missing)


D.  Double click on the Regfix.reg file and select Yes when prompted to merge it into the registry.

E.  Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each.

C:\WINNT\system32\mousecrm.exe
C:\WINNT\system32\wmiprvse.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If your computer does not restart automatically, please restart it manually.

F.  Please change your settings to show hidden files.  You can change the setting back when the cleanup is completed.

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

G.  Restart your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe Mode.
  • Log on to your usual account.

If you need further assistance with Safe Mode, see Symantec

H.  Search for/delete the files shown below if found. 
rserv.exe
csmn.exe
MS32.exe


I. Run ATF Cleaner

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
  • Click Exit on the Main menu to close the program.
  • Shutdown/restart the computer.

J.  Scan with Prevx, removing anything found.

K.  Double-click the HijackThis icon on your desktop.  Choose "Do a system scan and save logfile". 

L.  Post a reply with the new HijackThis log and let us know how your PC is doing.  :rose:

Edit note:  Regfix corrected for W2K system so no one else falls prey to my error.



Temmu

...hmmm...  :blink: and, o, shucks.

1. ==thanks== corrine!
2. i printed your directions
3. it indeed has been unplugged from the network
4. why wouldn't mcafee have stopped this?? or was it that mcafee may have been installed after the infection??
5. i will let you know what happens.  i'm v. busy this weekend, but may come inside to work on this...

again, thanks!

Temmu

well...

i got as far as all the way through step "e".

when the pc restarted, i logged on (in safe mode) and ... nothing.  just a black screen with "safe mode" and a mouse pointer i could move.  ctrl-esc did not bring up a menu, ctrl-alt-del did not bring up task mangler.
allowing it to sit for 20 or 30 seconds, and =poof= back to the logon screen.

likewise in unsafe mode.

Corrine

Well you got as far as e, but the problem was in step "d".  Temmu, I screwed up.  I missed something major in the regedit:

"Userinit"="C:\\WINDOWSWINNT\\system32\\userinit.exe,"

I know it isn't enough, but I offer my sincere apology. 

SpyDie pointed me to a fix we used at the old LS forums when removing BlazeFind w/AAW changed userinit.exe.  I edited his original instructions to fit W2K and asked him to take a look at it.  However, you will need the recovery console.  Is it installed on that machine?  http://support.microsoft.com/?kbid=216417  I don't know if it will work though.



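The whole second half of this thread turns on one typo in the Regfix.reg from step A (the Userinit path), which locked the machine out of every logon, safe mode included. As an added example (not code from the thread or from any tool it names), this Python check parses a REGEDIT4 fix file and refuses it when the Userinit entry points at a file that does not exist, chains an extra program, or when Shell is anything but Explorer.exe. The set of existing files is a constructed stand-in for a walk of the real System32; the good fix text is the corrected one from step A, and the bad one reproduces the mis-typed Userinit line Corrine quotes. All function names are the editor's.

```python
"""Check a REGEDIT4 Winlogon fix before merging it.

Added example, not from the thread or from any tool it names; the file listing
used as the reference is constructed, and all function names are the editor's.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed stand-in for a listing of the target disk (lower-cased full paths).
# On a real system this would come from os.walk over the system root.
KNOWN_FILES = {
    r"c:\winnt\explorer.exe",
    r"c:\winnt\system32\userinit.exe",
}

# The corrected fix from the thread (step A).
GOOD_FIX = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"Shell"="Explorer.exe"
"System"=""
"""

# The same file with the mis-typed Userinit path that locked the machine out.
BAD_FIX = GOOD_FIX.replace("C:\\\\WINNT", "C:\\\\WINDOWSWINNT")

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Parse REGEDIT4 text into {key: {name: data}}; only string values are handled."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            # .reg files escape backslash and double quote with a backslash
            result[current][name] = re.sub(r"\\(.)", r"\1", raw)
    return result


def check_winlogon_fix(reg_text, known_files=KNOWN_FILES):
    """Return a list of problems; an empty list means the fix looks safe to merge."""
    reg = parse_reg(reg_text)
    values = next((v for k, v in reg.items() if k.lower() == WINLOGON_KEY.lower()), None)
    if values is None:
        return ["file does not touch the Winlogon key"]
    problems = []

    userinit = values.get("Userinit")
    if userinit is None:
        problems.append("Userinit is not set")
    else:
        entries = [e.strip() for e in userinit.split(",") if e.strip()]
        if not entries:
            problems.append("Userinit is empty; nothing would start the shell after logon")
        else:
            if not entries[0].lower().endswith("\\userinit.exe"):
                problems.append("Userinit does not start with userinit.exe: " + entries[0])
            if entries[0].lower() not in known_files:
                problems.append("Userinit points at a file that does not exist: " + entries[0])
            for extra in entries[1:]:
                problems.append("Userinit chains an extra program: " + extra)

    shell = values.get("Shell")
    if shell is None:
        problems.append("Shell is not set")
    elif [t.lower() for t in shell.split()] != ["explorer.exe"]:
        problems.append("Shell is not exactly Explorer.exe: " + shell)
    return problems


if __name__ == "__main__":
    for label, text in (("good fix", GOOD_FIX), ("bad fix", BAD_FIX)):
        print(label, "->", check_winlogon_fix(text) or "OK")
```

The check is deliberately strict about Userinit because a value that names a missing file fails silently: Winlogon authenticates the user, cannot start the program, and drops back to the logon prompt, which is exactly the black screen Temmu describes. Run it against the fix file and the listing of the machine it is meant for, not against the machine that wrote it.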

Temmu

well, corrine, it proves you're human.  :)  (and i thot you were an angel.  still do, by the way) :)

i'll attempt to install the recovery console.

what next?

Corrine

Oh, so very human and feeling terrible.  I sure hope this works. 

In the following instructions, C:\WINNT\System32 shall be used as the System32 location.  Change the path accordingly to accommodate your installation directory.

First it is necessary to go to the recovery console.  If you are unsure of how to get to recovery console please see http://support.microsoft.com/?kbid=229716 .

At the recovery console, it is necessary to replace the software hive with a previous good backup. It should look something like this:

C:\WINNT>cd system32\config
C:\WINNT\system32\config>ren software software.old
This renames the current software hive to software.old
C:\WINNT\system32\config>copy C:\WINNT\repair\software

It should indicate: "1 file(s) copied"

NOTE: After the next step, remove the CD, then boot into safe mode.

C:\WINNT\system32\config>exit

Now hit the F8 key and boot into safe mode. Logon to the administrator account when you reach the Welcome screen.

The next step is to edit the old registry to change the path to the userinit.exe file:

Open regedit.exe.
Highlight HKEY_LOCAL_MACHINE (note: this is important; if you do not highlight it, the next step will not work).
Go to File - Load Hive...

Select your old registry file which should be in C:\WINNT\system32\config\software.old
It will ask you what to name it, if you don't understand, just type "test".

Navigate to the following:
HKEY_LOCAL_MACHINE\<what you named this in the previous step>\microsoft\windows nt\currentversion\winlogon.
Look at what the userinit value is. It is likely something like %system32%\userinit.exe which is invalid.

Next change the value to read C:\WINNT\system32\userinit.exe

Now close the registry editor, and go back to recovery console to put your original registry back.  It should look like this:
C:\WINNT>cd system32\config
C:\WINNT\system32\config>del software
C:\WINNT\system32\config>ren software.old software
C:\WINNT\system32\config>exit



Temmu

the server is ancient.
it has a scsi cd-rom.
it detected my linux cd as bootable.
it won't boot it.  the server is too old and the os is too new.

it won't boot my server 2000 cd.

i created bootable floppies.

i'll go flop after lunch! :D

Temmu

ok.

it's all ok.

which means, i followed your instructions, got it to log on, removed ms32, et al.

restarted the server, got my license info, and all is well in server-land.  (the server is up & running.)

thanks again for your help, corrine! :rose:

Corrine

WHEW!!!

You cannot imagine how much a relief that is to me.  I'm just sorry you had to go through all the extra work. 



Temmu

actually, was quite interesting.   :thumbsup:  always ready to learn something new! :)

Corrine

You were very understanding and I certainly appreciate that. 

Are both of those O23 services gone now?
Are MS06-040 and other MS updates installed?



Profixer

Corrine. In situations where things such as UserInit has been compromised and it is no longer possible to login (hence not possible to use the recovery console (thanks MS for making a recovery console which can only be used under certain conditions)), you can use an offline registry editor to correct the problem...

There are some commercial ones such as ERC Commander, but these cost a lot of money. However, I saw a post in the Lavasoft Support Forums a while back talking about how to create a Free Offline Registry editing tool

http://www.lavasoftsupport.com/index.php?showtopic=340

I hope this will help in the future if someone should accidentally write the wrong thing in UserInit or indeed in any other critical system key....

//Chunk
My sarcasm knows no bounds