[Resolved] Help! Please.....I deactivated a service I think

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Cookiegal

Thread Starter
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,607
First Name
Karen
I disabled the RPC thing in services yesterday because there was a lot of activity on my firewall and I thought that might help.

Today when I started up my computer it says that it can't confirm the status of my Norton A/V and if it acts strangely it could be that a virus has tried to disable it.

Late last night I got one of those famous Microsoft e-mails with a virus attached to it. I didn't open it and my Norton detected that Sven virus and deleted it. I don't know if this has anything to do with the problem.

I tried to change the deactivated setting in services by right clicking and when I click on properties it doesn't open up so I can change it.

Also, I can't do a search for files or programs created because they don't appear.

For what it's worth, I'm posting my Hijack This log. I see a program called mmc.exe in the running processes. I have no idea what that is.

Please, I could use all the help I can get. I think I really screwed something up this time.

I hope someone can help me with this.

Cookie

Edited to add - I tried to install PC-Cillin since Norton may not be working properly and it wouldn't allow me to install it because something was missing. I can't remember what the message was unfortunately.


Logfile of HijackThis v1.96.2
Scan saved at 18:39:45, on 2003-09-22
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\starter.exe
C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\WINNT\system32\mmc.exe
C:\WINNT\System32\locator.exe
C:\Program Files\Fichiers communs\Symantec Shared\NMain.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\EnterNet.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.6905092593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553528000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Joined
May 8, 2003
Messages
485
Whoa! That shouldn't even be possible!

Oh well, let's see if a key transplant helps. Save the following as "LEGACY_RPCSS.REG" and then double-click on it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCSS]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCSS\0000]
"Service"="RpcSs"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Remote Procedure Call (RPC)"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCSS\0000\Control]
"ActiveService"="RpcSs"

If you get a message like this:

. . . answer yes and then reboot. Don't worry if you get an error at this point.
 


Joined
May 8, 2003
Messages
485
In case that text is hard to handle or doesn't work, here is a TXT file. Delete the ".TXT" from "LEGACY_RPCSS.REG.TXT" to make it work.
 


Cookiegal

Thread Starter
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,607
First Name
Karen
OMG, this is way over my head.

Thanks Aaron and Rollin' Rog for replying.

I can't get any of the links to open when I click on them in both of your posts.

Aaron, I don't understand your instructions. I looked at the registry keys that you mention and they all look like they are what you have shown except:

Legacy=dword: mine has an extra 0x at the beginning and

Configflags=dword: mine also has an extra 0x at the front.

When you say to save that info, where do I save it to and what do I do with it after?

I'm sorry, I thought I knew a bit about computers but it scares me to make changes to the registry because I don't really know what I'm doing. I'm willing to try though if I understand the instructions properly.

I appreciate your patience. I've learned my lesson about deactivating things before asking about it.

Hope you can walk me through this,

Also, I wanted to mention that when I try to open the properties of the RPC service, it seems to open it but it's hidden somewhere that I can't see. When I try to click on the window to close it, I get a message that says to close all properties windows before closing services. This is really weird.

I hope there's still hope for me,

Cookie
 
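A .reg file is plain text, so what it will write can be read before it is merged. The following is an added example in Python, not part of any post in this thread: it lists what an excerpt of the LEGACY_RPCSS.REG text posted above would set, shows each dword in the 0x form that Regedit displays, and flags any key outside the expected subtree. The function names and the allowlist prefix are assumptions of this example.

```python
import re
# Excerpt of the LEGACY_RPCSS.REG text posted in this thread (shortened for the example).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCSS]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCSS\0000]
"Service"="RpcSs"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCSS\0000\Control]
"ActiveService"="RpcSs"
'''
# Assumption of this example: the only subtree the file is expected to touch.
ALLOWED_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCSS"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")      # [KEY] sets values, [-KEY] deletes the key
VAL_RE = re.compile(r'^(@|".*?")=(.*)$')    # "name"=data, or @=data for the default value

def parse_reg(text):
    """Return (key, name, shown_value) tuples; deletions are marked explicitly."""
    out, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1):
                out.append((key, None, "DELETE KEY"))
            continue
        m = VAL_RE.match(line)
        if m and key:
            name, raw = m.group(1).strip('"'), m.group(2)
            if raw.startswith("dword:"):
                n = int(raw[6:], 16)
                raw = f"0x{n:08x} ({n})"    # same value, written the way Regedit shows it
            elif raw == "-":
                raw = "DELETE VALUE"
            out.append((key, name, raw))
    return out

def outside_allowlist(entries, prefix=ALLOWED_PREFIX):
    """Keys touched outside the expected subtree (registry paths are case-insensitive)."""
    p = prefix.lower()
    return sorted({k for k, _, _ in entries if k.lower() != p and not k.lower().startswith(p + "\\")})

if __name__ == "__main__":
    for k, n, v in parse_reg(SAMPLE_REG):
        print(k, n, v, sep=" | ")
    print("outside allowlist:", outside_allowlist(parse_reg(SAMPLE_REG)))
```

An empty result from `outside_allowlist` means every key in the file sits under the subtree the post names; anything it returns is worth reading before double-clicking the file.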
Joined
Dec 9, 2000
Messages
45,855
For the attachments, try right clicking on them and selecting "save target as"

Here's another one to try. Download this to the desktop. Then right click on it and rename it

reghelp.bat

The icon should change when the extension is .bat

Then double click it to run
 


Joined
May 8, 2003
Messages
485
Try minimizing windows until you can see a corner of that property page. If you can just click on that thing it will come up front and you can start it and set it to automatic again.
 

Cookiegal

Thread Starter
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,607
First Name
Karen
I really appreciate you both trying to help me but it looks like I'll have to take the computer to the hospital.

Rollin' Rog, I downloaded that reghelp and changed the name to end in .bat, like you said, but I can't open it. I click on it twice and it appears to open for a flash second and then it disappears. I think this is what's happening when I click on properties in services, it's as if it opens but it goes somewhere that I can't see it because I get messages to close all properties pages before closing services, so I can never close services.

I'm beginning to wonder if it's not just the disabled RPC that is causing all of this, but it seems to me it all started at that time. I just did a PC-Cillin scan from their site and it comes up clean. I still don't know if my Norton is working; it doesn't open properly.

I can't even search for programs or files either because that screen doesn't come up.

Again, I do appreciate the assistance I received, it's just that I'm not computer savvy enough to execute the instructions.

I have learned a lot from this site however and will continue to visit, once I'm back up and running properly.

Cookie
 

Cookiegal

Thread Starter
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,607
First Name
Karen
I can't believe it! I fixed it! I'm so happy, can you tell?

I did a Google search for RPC services and then went to the Black Viper site. Apparently, I'm not the only idiot who's ever deactivated RPC. There they had a link to fix the RPC setting back to automatic. I downloaded a zip file to my desktop and then in safe mode clicked on the link to change the registry. It did the trick, the setting for RPC was changed back to automatic. Then I was able to reboot in normal mode and everything is back to normal.

I'm a happy camper :)

Cookie
 
Joined
Dec 9, 2000
Messages
45,855
Actually that's all that .bat file does, it edits the registry and then closes; I should have told you. Did you reboot and see whether things had changed after that?

What is the link you used so we can refer others to it in the future?

I guess this was it...

http://www.blackviper.com/WIN2K/Files/RpcRepair.zip

Looking at it, I'm a little surprised it worked, as I think that particular approach had failed for some in the past, not sure why though.
 

Cookiegal

Thread Starter
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,607
First Name
Karen
Yes, that's the link. They did say that if that didn't work the other option is to reinstall Windows on top of the old installation.

After I installed the .bat file I thought it would be a program that opened up so when it didn't I thought it wasn't working properly so I didn't reboot right away. It's possible that fixed the problem and I didn't know until I rebooted later on after downloading the other fix. I know it wasn't fixed before rebooting though because things still didn't work.

At least it's another option for anyone else to try if they run into this problem.

One thing's for sure, I will never disable RPC again!

Thanks again,

Cookie
 