Dang...another computer! [RESOLVED]



#1
EmilyPam

Morning everyone....

I have the Dr. Temp folder in my Winnt area! I have run everything that I could but it won't leave!

Thanks in advance for all your help!

Em

Here's the log

Logfile of HijackThis v1.99.1
Scan saved at 11:41:11 AM, on 5/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115056631785
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINNT\atlqy32.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

#2
Guest_usetobe_*

Hi Emily,

Is this another one or is it part of what we have already fixed?

Edited by usetobe, 28 May 2005 - 05:51 AM.


#3
EmilyPam

:tazz: Hiya Usetobe

It's another computer....the other one is working just fine

Emily

#4
Guest_usetobe_*

Hi Emily,

Please post a fresh HJT log

#5
EmilyPam

Okay....here is the freshest log....

Thanks in advance for your help!

Em

Logfile of HijackThis v1.99.1
Scan saved at 8:12:32 AM, on 5/31/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115056631785
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINNT\atlqy32.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

#6
Guest_usetobe_*

Hi Emily,

This one is quite easy,

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Service: Remote Procedure Call (RPC) Helper.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Then reboot into SAFE MODE.

Run HJT and click on MISC TOOLS. Then click on Delete an NT Service.

In the popup box copy and paste the following

11F#`I

IT IS IMPORTANT THAT THERE IS A SPACE BEFORE THE FIRST NUMBER 1 OR IT WILL NOT WORK

Now rescan with HJT and check the following

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINNT\atlqy32.exe (file missing)


Reboot pc normally and then rescan with HJT and post the log back
  • 0
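
An added example, not part of the original thread and not HijackThis code: a small Python triage of the O4 and O23 lines from the log above. It keeps the service key name exactly as logged, including the leading space the helper stresses; the `triage` name and the flagging heuristics are assumptions made for illustration.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINNT\atlqy32.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# O23: display name, optional "(key name)", owner, image path, optional "(file missing)".
# The display name may itself contain parentheses, e.g. "(RPC)".
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<key>[^()]*)\))?"
    r" - (?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumption for this example: a web browser has no reason to autostart at logon.
BROWSERS = {"iexplore.exe"}

def triage(log_text):
    """Return (section, identifier, reasons) for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():  # do not strip(): a leading space in a key is data
        m = O23_RE.match(line)
        if m:
            # Assumption: when no "(key)" is printed, the key equals the display name.
            key = m["key"] if m["key"] is not None else m["display"]
            reasons = []
            if m["missing"]:
                reasons.append("image file missing")
            # Heuristic (assumption): padded keys or odd punctuation are unusual.
            if key != key.strip() or not re.fullmatch(r"[\w .!-]+", key):
                reasons.append("unusual service key name")
            if reasons:
                findings.append(("O23", key, reasons))
            continue
        m = O4_RE.match(line)
        if m and m["cmd"].strip('"').rsplit("\\", 1)[-1].lower() in BROWSERS:
            findings.append(("O4", m["name"], ["browser started from a Run key"]))
    return findings

if __name__ == "__main__":
    for section, ident, reasons in triage(SAMPLE_LOG):
        print(section, repr(ident), "; ".join(reasons))  # repr() makes the leading space visible
```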

#7
EmilyPam

Hi usetobe....I have a problem

When I typed in services.msc an error message came up.

It says MMC cannot open the file C:WINNT\System32\services.msc

This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file.

After I got this error message I searched the computer for the file and it was there and when I clicked on it, it gave this error message again. I am also logged under administrator rights. So I don't know what to do now.

Thanks, Em

#8
Guest_usetobe_*

Hi Emily,

Before we can go any further, I notice that there are no service packs installed on this PC.

The first step in this process is to apply Service Pack 1a for Windows XP, or Service Pack 4 if you are running Win2k. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here
Apply the update, reboot, and post a fresh Hijack This log.

#9
EmilyPam

Okay, I couldn't get the update page to load! It was just a blank web page! I finally got it....somehow...lol. I updated, rebooted, and here is my freshest log.

Thanks in advance again...Em :tazz:

P.S. I also tried to do that run that you asked me to do earlier and it still gave me that error message.

Logfile of HijackThis v1.99.1
Scan saved at 4:30:47 PM, on 6/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\msiexec.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115056631785
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINNT\atlqy32.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

#10
Guest_usetobe_*

Hi Emily,

Can you reboot into safe mode by tapping the F8 key on startup and see if you can do it?

Start>run>type services.msc ok

Let me know

Edited by usetobe, 03 June 2005 - 10:40 AM.


#11
EmilyPam

Hiya Use........ :tazz:

Nope...didn't work

Em

#12
Guest_usetobe_*

Hi Em,

Let's try this one then :tazz:

Click on start>control panel>double click administrative tools>double click computer management> click + sign next to services and applications, then click on services....does that give you a list of services in right hand window?

#13
EmilyPam

It didn't let me...

I went to the control panel, I tried it from there and I clicked on computer management and it gave me that error message! I even tried from right clicking the start button, explore, control panel, admin tools, computer management

I even clicked on the properties of computer management, find target, clicked on that and it gave me the error message

I right clicked the computer management, run as, and check to see if I could change the settings.

I am logged under Administrator, but that button was checked on the other user's name. When I went to click it off, it took but then I opened it back up and it had reset itself back to that other's user name

What's up w/that! lol

Em :tazz:

#14
Guest_usetobe_*

Hi EM,

Let me know if you can do this

Start>run>type msconfig then ok....do you get new box up?

Run HJT and click on Misc tools

Then click on Delete an NT Service.

In the popup box paste the following

11F#`I

MAKE SURE THERE IS A SPACE IN FRONT OF THE FIRST NUMBER 1

Reboot, rescan with HJT and submit new log

#15
EmilyPam

Hiya Use....

Okay when I typed up msconfig....the box popped up but what do I do w/it now? lol

I ran the HJT and followed your directions and I got this message....

The service 11F#`I is enabled/or running. Disable it first, using HighJackthis itself (from the scan results) or the Services.msc window

Thanks....Em