[Resolved] Help! Please.....I deactivated a service I think

Discussion in 'Virus & Other Malware Removal' started by Cookiegal, Sep 22, 2003.

Thread Status:
Not open for further replies.
  1. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator Thread Starter

    Joined:
    Aug 27, 2003
    Messages:
    111,486
    I disabled the RPC thing in services yesterday because there was a lot of activity on my firewall and I thought that might help.

    Today when I started up my computer it says that it can't confirm the status of my Norton A/V and if it acts strangely it could be that a virus has tried to disable it.

    Late last night I got one of those famous Microsoft e-mails with a virus attached to it. I didn't open it and my Norton detected that Sven virus and deleted it. I don't know if this has anything to do with the problem.

    I tried to change the deactivated setting in services by right clicking and when I click on properties it doesn't open up so I can change it.

    Also, I can't do a search for files or programs created because they don't appear.

    For what it's worth, I'm posting my Hijack This log. I see a program called mmc.exe in the running processes. I have no idea what that is.

    Please, I could use all the help I can get. I think I really screwed something up this time.

    I hope someone can help me with this.

    Cookie

    Edited to add - I tried to install PC-Cillin since Norton may not be working properly and it wouldn't allow me to install it because something was missing. I can't remember what the message was unfortunately.


    Logfile of HijackThis v1.96.2
    Scan saved at 18:39:45, on 2003-09-22
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SYSTEM32\starter.exe
    C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\WINNT\system32\mmc.exe
    C:\WINNT\System32\locator.exe
    C:\Program Files\Fichiers communs\Symantec Shared\NMain.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\EnterNet.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.6905092593
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553528000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Aaron.W

    Aaron.W

    Joined:
    May 8, 2003
    Messages:
    485
    Whoa! That shouldn't even be possible!

    Oh well, let's see if a key transplant helps. Save the following as "LEGACY_RPCSS.REG" and then double-click on it.
    If you get a message like this:
    [​IMG]
    . . . answer yes and then reboot. Don't worry if you get an error at this point.
     


  3. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  4. Aaron.W

    Aaron.W

    Joined:
    May 8, 2003
    Messages:
    485
    In case that text is hard to handle or doesn't work, here is a TXT file. Delete the ".TXT" from "LEGACY_RPCSS.REG.TXT" to make it work.
     


  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator Thread Starter

    Joined:
    Aug 27, 2003
    Messages:
    111,486
    OMG, this is way over my head.

    Thanks Aaron and Rollin' Rog for replying.

    I can't get any of the links to open when I click on them in both of your posts.

    Aaron, I don't understand your instructions. I looked at the registry keys that you mention and they all look like they are what you have shown except:

    Legacy=dword: mine has an extra 0x at the beginning and

    Configflags=dword: mine also has an extra 0x at the front.

    When you say to save that info, where do I save it to and what do I do with it after?

    I'm sorry, I thought I knew a bit about computers but it scares me to make changes to the registry because I don't really know what I'm doing. I'm willing to try though if I understand the instructions properly.

    I appreciate your patience. I've learned my lesson about deactivating things before asking about it.

    Hope you can walk me through this,

    Also, I wanted to mention that when I try to open the properties of the RPC service, it seems to open it but it's hidden somewhere that I can't see. When I try to click on the window to close it, I get a message that says to close all properties windows before closing services. This is really weird.

    I hope there's still hope for me,

    Cookie
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    For the attachments, try right clicking on them and selecting "save target as".

    Here's another one to try. Download this to the desktop. Then right click on it and rename it

    reghelp.bat

    The icon should change when the extension is .bat

    Then double click it to run
     


  7. Aaron.W

    Aaron.W

    Joined:
    May 8, 2003
    Messages:
    485
    Try minimizing windows until you can see a corner of that property page. If you can just click on that thing it will come up front and you can start it and set it to automatic again.
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator Thread Starter

    Joined:
    Aug 27, 2003
    Messages:
    111,486
    I really appreciate you both trying to help me but it looks like I'll have to take the computer to the hospital.

    Rollin' Rog, I downloaded that reghelp and changed the name to end in .bat, like you said, but I can't open it. I click on it twice and it appears to open for a flash second and then it disappears. I think this is what's happening when I click on properties in services, it's as if it opens but it goes somewhere that I can't see it because I get messages to close all properties pages before closing services, so I can never close services.

    I'm beginning to wonder if it's not just disabling the RPC that is causing all of this, but it seems to me it all started at that time. I just did a PC-Cillin scan from their site and it comes up clean. I still don't know if my Norton is working, it doesn't open properly.

    I can't even search for programs or files either because that screen doesn't come up.

    Again, I do appreciate the assistance I received, it's just that I'm not computer savvy enough to execute the instructions.

    I have learned a lot from this site however and will continue to visit, once I'm back up and running properly.

    Cookie
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator Thread Starter

    Joined:
    Aug 27, 2003
    Messages:
    111,486
    I can't believe it! I fixed it! I'm so happy, can you tell?

    I did a Google search for RPC services and then went to the Black Viper site. Apparently, I'm not the only idiot who's ever deactivated RPC. There they had a link to fix the RPC setting back to automatic. I downloaded a zip file to my desktop and then in safe mode clicked on the link to change the registry. It did the trick, the setting for RPC was changed back to automatic. Then I was able to reboot in normal mode and everything is back to normal.

    I'm a happy camper :)

    Cookie
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Actually that's all that .bat file does, it edits the registry and then closes; I should have told you. Did you reboot and see whether things had changed after that?

    What is the link you used so we can refer others to it in the future?

    I guess this was it...

    http://www.blackviper.com/WIN2K/Files/RpcRepair.zip

    Looking at it, I'm a little surprised it worked, as I think that particular approach had failed for some in the past, not sure why though.
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator Thread Starter

    Joined:
    Aug 27, 2003
    Messages:
    111,486
    Yes, that's the link. They did say that if that didn't work the other option is to reinstall Windows on top of the old installation.

    After I installed the .bat file I thought it would be a program that opened up so when it didn't I thought it wasn't working properly so I didn't reboot right away. It's possible that fixed the problem and I didn't know until I rebooted later on after downloading the other fix. I know it wasn't fixed before rebooting though because things still didn't work.

    At least it's another option for anyone else to try if they run into this problem.

    One thing's for sure, I will never disable RPC again!

    Thanks again,

    Cookie
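
Added example, not part of the original thread or of any poster's fix: the problem discussed above was the RPC service's start type being set to disabled, which Windows stores as the `Start` value under the service's registry key. This Python sketch reads an exported .reg file and reports critical services whose `Start` is 4 (disabled); the sample export and the list of critical services are constructed assumptions.

```python
import re

# Meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# Assumption: illustrative list of services that must never be disabled.
CRITICAL = {"rpcss", "eventlog", "plugplay"}

# Constructed sample in regedit export format (not taken from the thread).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"DisplayName"="Remote Procedure Call (RPC)"
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters]
"Start"=dword:00000004
"""

# Match only the service's own key, not subkeys such as ...\RpcSs\Parameters.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\([^\\\]]+)\]$", re.I)
START_RE = re.compile(r'^"Start"=dword:([0-9a-f]{8})$', re.I)

def service_start_types(reg_text):
    """Return {service name: start type} for every service key in the export."""
    result, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None
        elif current:
            m = START_RE.match(line)
            if m:
                value = int(m.group(1), 16)  # .reg files store dwords as hex
                result[current] = START_TYPES.get(value, "unknown(%d)" % value)
    return result

def disabled_critical(reg_text):
    """Names of critical services whose start type is 'disabled'."""
    types = service_start_types(reg_text)
    return sorted(n for n, s in types.items()
                  if n.lower() in CRITICAL and s == "disabled")

if __name__ == "__main__":
    for name in disabled_critical(SAMPLE_REG):
        print("%s is disabled; expected Start=2 (automatic)" % name)
```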
     
Short URL to this thread: https://techguy.org/166679