Troj.serv.q

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by cheapsuit, Sep 28, 2005.

  1. cheapsuit

    cheapsuit Private E-2

This thing has been annoying me for some time now, and I can't seem to get rid of it. I'm hoping someone can help me get rid of this annoying dropper. Thank you all in advance. Here is my HijackThis log if it will help......

    Edit by chaslang: Unrequested inline log removed
     
    Last edited by a moderator: Sep 29, 2005
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

Do not post a HijackThis log unless requested. Never copy and paste your HJT log into your post; always post it as an attachment. You have HJT installed in the wrong location; install HJT as requested below.

    You have not done any of the steps in our READ ME FIRST.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. cheapsuit

    cheapsuit Private E-2

I'm sorry, I ran HJT yesterday before I found you guys and posted an old log. I did however run a few of the programs from the READ ME FIRST thread today and followed the instructions as best I could, and so far they haven't detected this trojan. Trend Micro detected it a few days ago and said it wasn't able to delete it.

I will run the rest of the programs on the list and tell you the results, and I won't post my HJT log unless you ask me first. Thanks for taking the time to look at my log.
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    .NET appears to be broken, you will want to reinstall the .NET Framework from Microsoft.
     
  5. cheapsuit

    cheapsuit Private E-2

I downloaded the .NET Framework and it's been installing for like 2 hours now, saying... Rolling back action:

Is this normal? Do I need to restart it or just let it run its course? Thanks in advance.
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Shouldn't take that long, terminate the install. Wait until after we clean your system up before trying to install .NET again.

Please post your HijackThis log as an ATTACHMENT, if you have completed all the steps in the READ ME FIRST.
     
  7. cheapsuit

    cheapsuit Private E-2

BitDefender detected and deleted 2 viruses, but none of the spyware programs will let me update and my graphics are still acting really crazy. I really appreciate your help on this because this thing is driving me crazy.
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    - Download this trial version of Ewido Security Suite


    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
• The program will have a window come up. One of the buttons on the left is Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

Now exit Ewido. Now print the below instructions or save them locally, because I want you to have no browsers open and also no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:

    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report

    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    - Run HJT and save the log.

    Now Post both logs as attachments.
     
  9. cheapsuit

    cheapsuit Private E-2

Well, now I can't boot to Windows. I'm getting this message....
    Windows could not start because the following file is missing or corrupt: \windows\system32\config\system

I'm on my desktop now but the virus is on my laptop. I think what happened is my computer was hung, so I did a hard boot by using the power button to turn it off, and I think that's what corrupted the file.
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

That is a Registry error; your registry has become corrupt.

    How to recover from a corrupted registry that prevents Windows XP from starting

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    This article describes how to recover a Windows XP system that does not start because of corruption in the registry. This procedure does not guarantee full recovery of the system to a previous state; however, you should be able to recover data when you use this procedure.

Warning: Do not use the procedure that is described in this article if your computer has an OEM-installed operating system. The system hive on OEM installations creates passwords and user accounts that did not exist previously. If you use the procedure that is described in this article, you may not be able to log back into the Recovery Console to restore the original registry hives.

    You can repair a corrupted registry in Windows XP. Corrupted registry files can cause a variety of different error messages. See the Microsoft Knowledge Base for articles about error messages that are related to registry issues.

    This article assumes that typical recovery methods have failed and access to the system is not available except by using Recovery Console. If an Automatic System Recovery (ASR) backup exists, it is the preferred method for recovery. Microsoft recommends that you use the ASR backup before you try the procedure described in this article.

    NOTE: Make sure to replace all five of the registry hives. If you only replace a single hive or two, this can cause potential issues because software and hardware may have settings in multiple locations in the registry.

    When you try to start or restart your Windows XP-based computer, you may receive one of the following error messages:

    Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM

    Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SOFTWARE

    Stop: c0000218 {Registry File Failure} The registry cannot load the hive (file): \SystemRoot\System32\Config\SOFTWARE or its log or alternate

    System error: Lsass.exe
    When trying to update a password the return status indicates that the value provided as the current password is not correct.


    The procedure that this article describes uses Recovery Console and System Restore. This article also lists all the required steps in specific order to make sure that the process is fully completed. When you finish this procedure, the system returns to a state very close to the state before the problem occurred. If you have ever run NTBackup and completed a system state backup, you do not have to follow the procedures in parts two and three. You can go to part four.

    Download and save regcopy1.txt and regcopy2.txt to Floppy

    Part one
    In part one, you start the Recovery Console, create a temporary folder, back up the existing registry files to a new location, delete the registry files at their existing location, and then copy the registry files from the repair folder to the System32\Config folder. When you have finished this procedure, a registry is created that you can use to start Windows XP. This registry was created and saved during the initial setup of Windows XP. Therefore any changes and settings that occurred after the Setup program was finished are lost.

    To complete part one, follow these steps:

    1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.

    2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

    3. If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.

    4. When you are prompted to do so, type the Administrator password. If the administrator password is blank, just press ENTER.

    5. At the Recovery Console command prompt, type the following commands and press ENTER after each line:

    copy a:\regcopy1.txt c:\
    copy a:\regcopy2.txt c:\
    batch regcopy1.txt

DO NOT run regcopy2.txt at this time; it is needed later in Part three of this article.

    6. Type exit to quit Recovery Console. Your computer will restart.

    NOTE: This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_ folder if it is a different location.

    Part two
    To complete the procedure described in this section, you must be logged on as an administrator, or an administrative user (a user who has an account in the Administrators group). If you are using Windows XP Home Edition, you can log on as an administrative user. If you log on as an administrator, you must first start Windows XP Home Edition in Safe mode. To start the Windows XP Home Edition computer in Safe mode, follow these steps.

    NOTE Print these instructions before you continue. You cannot view these instructions after you restart the computer in Safe Mode. If you use the NTFS file system, also print the instructions from Knowledge Base article KB309531.

    1. Click Start, click Shut Down (or click Turn Off Computer), click Restart, and then click OK (or click Restart).

    2. Press the F8 key.

    On a computer that is configured to start to multiple operating systems, you can press F8 when you see the Startup menu.

    3. Use the arrow keys to select the appropriate Safe mode option, and then press ENTER.

    4. If you have a dual-boot or multiple-boot system, use the arrow keys to select the installation that you want to access, and then press ENTER.

    In part two, you copy the registry files from their backed up location by using System Restore. This folder is not available in Recovery Console and is generally not visible during typical usage. Before you start this procedure, you must change several settings to make the folder visible:

    1. Start Windows Explorer.

    2. On the Tools menu, click Folder options.

    3. Click the View tab.

    4. Under Hidden files and folders, click to select Show hidden files and folders, and then click to clear the Hide protected operating system files (Recommended) check box.

    5. Click Yes when the dialog box that confirms that you want to display these files appears.

6. Double-click the drive where you installed Windows XP to display a list of the folders. It is important to click the correct drive.

    7. Open the System Volume Information folder. This folder is unavailable and appears dimmed because it is set as a super-hidden folder.

    NOTE This folder contains one or more _restore {GUID} folders such as "_restore{87BD3667-3246-476B-923F-F86E30B3E7F8}".

    NOTE You may receive the following error message:

    C:\System Volume Information is not accessible. Access is denied.

    If you receive this message, see the following Microsoft Knowledge Base article to gain access to this folder and continue with the procedure:

    309531 (http://support.microsoft.com/kb/309531/) How to gain access to the System Volume Information folder

8. Open a folder that was not created at the current time. You may have to click Details on the View menu to see when these folders were created. There may be one or more folders starting with "RPx" under this folder. These are restore points.

    9. Open one of these folders to locate a Snapshot subfolder. The following path is an example of a folder path to the Snapshot folder:

    C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\Snapshot

    10. From the Snapshot folder, copy the following files to the C:\Windows\Tmp folder:

    _REGISTRY_USER_.DEFAULT
    _REGISTRY_MACHINE_SECURITY
_REGISTRY_MACHINE_SOFTWARE
    _REGISTRY_MACHINE_SYSTEM
    _REGISTRY_MACHINE_SAM

    11. Rename the files in the C:\Windows\Tmp folder as follows:

    Rename _REGISTRY_USER_.DEFAULT to DEFAULT
    Rename _REGISTRY_MACHINE_SECURITY to SECURITY
    Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE
    Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
    Rename _REGISTRY_MACHINE_SAM to SAM

    These files are the backed up registry files from System Restore. Because you used the registry file that the Setup program created, this registry does not know that these restore points exist and are available. A new folder is created with a new GUID under System Volume Information and a restore point is created that includes a copy of the registry files that were copied during part one. Therefore, it is important not to use the most current folder, especially if the time stamp on the folder is the same as the current time.

    The current system configuration is not aware of the previous restore points. You must have a previous copy of the registry from a previous restore point to make the previous restore points available again.

    The registry files that were copied to the Tmp folder in the C:\Windows folder are moved to make sure that the files are available under Recovery Console. You must use these files to replace the registry files currently in the C:\Windows\System32\Config folder. By default, Recovery Console has limited folder access and cannot copy files from the System Volume folder.

    NOTE The procedure described in this section assumes that you are running your computer with the FAT32 file system.

    Part Three
    In part three, you delete the existing registry files, and then copy the System Restore Registry files to the C:\Windows\System32\Config folder:

    1. Start Recovery Console (or by using a Windows 98 Boot Disk).

    2. At the command prompt, type the following command and press ENTER after you type the line:

    batch regcopy2.txt

    3. Type exit to quit Recovery Console. Your computer restarts.

NOTE This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_ folder if it is a different location.

    Part Four
    1. Click Start, and then click All Programs.

    2. Click Accessories, and then click System Tools.

    3. Click System Restore, and then click Restore to a previous RestorePoint.
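The two Recovery Console batch files the procedure refers to (regcopy1.txt and regcopy2.txt) were download links and are not reproduced above. As an added example, not the files attached to the original post, here is what two files that do exactly what Part one and Part three describe look like. They assume Windows is installed in C:\Windows (substitute your own drive letter and folder, as the NOTEs say). Everything up to the blank line is regcopy1.txt; everything after it is regcopy2.txt, and they must be saved as two separate files. Keep them as bare commands: the Recovery Console `batch` command runs every line as a command, so do not add comment lines.

```bat
md c:\windows\tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak
delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default
copy c:\windows\repair\system c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default c:\windows\system32\config\default

delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default
copy c:\windows\tmp\system c:\windows\system32\config\system
copy c:\windows\tmp\software c:\windows\system32\config\software
copy c:\windows\tmp\sam c:\windows\system32\config\sam
copy c:\windows\tmp\security c:\windows\system32\config\security
copy c:\windows\tmp\default c:\windows\system32\config\default
```

The first file backs up the five damaged hives as .bak copies in C:\Windows\Tmp before deleting them, so nothing is lost if the Setup-era hives from C:\Windows\repair turn out not to boot either. The .bak extension also keeps them from clashing with the five files you rename to DEFAULT, SECURITY, SOFTWARE, SYSTEM and SAM in the same folder in Part two. The second file deletes the Setup-era hives and copies those five renamed files into Config, so before you type `batch regcopy2.txt` in Part three, run `dir c:\windows\tmp` in the Recovery Console and confirm all five are present: the deletes run before the copies, and a missing file leaves Config without that hive. The OEM warning at the top of the article applies to both files.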
     
  11. cheapsuit

    cheapsuit Private E-2

    Ok, on part one where it says to do these steps..

    copy a:\regcopy1.txt c:\
    copy a:\regcopy2.txt c:\
    batch regcopy1.txt
I run into a problem here because my laptop has no floppy drive, and I tried to replace a: with c: and that didn't work. Any suggestions?

I could burn the files to a CD, but then I would have to take out my Windows CD to put that one in. Please tell me I'm not screwed.
     
    Last edited: Sep 29, 2005
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

Burn them to CD, copy them to the HDD, then put your Windows CD back in and run the commands, except substitute the HDD drive letter for a:
     
  13. cheapsuit

    cheapsuit Private E-2

Ok, I managed to get back to Windows, but every time at bootup it keeps asking me to choose an operating system :). Anyway, I will proceed with your instructions now and post both attachments. Thanks
     
  14. cheapsuit

    cheapsuit Private E-2

Ok, I am now going to go jump out the window. Every time I try to run a program, it says the RPC server is unavailable. I don't know what I've done. :(
     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Let's try restarting your RPC Service from the Recovery Console:

    From the Recovery Console (followed by enter for each line)

    enable rpcss SERVICE_AUTO_START
    enable rasman SERVICE_DEMAND_START

    Exit the Recovery Console and boot into Normal Mode.
     
  16. cheapsuit

    cheapsuit Private E-2

Ok, I did that but it's still not loading my drivers and will not let me reload them, giving me the same message.
     
  17. cheapsuit

    cheapsuit Private E-2

Sorry, I meant to say drivers; my v key gets stuck sometimes.
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

1 - Please EXTRACT all files from the Qoologic Tool to its own folder - C:\Program Files\QoologicFinder. Then double-click Find-Qoologic.bat to run the tool. It should produce a log - please attach that with your next post!

2 - Please EXTRACT all the files from the RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then boot to SAFE MODE and double-click rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments.
     
  19. cheapsuit

    cheapsuit Private E-2

I can do steps 1 and 2, but can't run the online scan because the computer can't get on the internet. I'm on this site on my desktop, but the laptop is the computer that has the virus. I guess I could download those programs to a disk, then run them on the laptop and save the log to a disk, then attach it?
     
    Last edited: Sep 29, 2005
  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Do what you can and post the logs.
     
  21. cheapsuit

    cheapsuit Private E-2

Ok, used my camera's compact flash to get the files to this computer :)
     

    Attached Files:

  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - Winsock XP Fix

    Run Winsock XP Fix

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to NTBOOTMGR
    then right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows. Do this for NTLOAD and NTSVCMGR also.

Open HJT, open the Misc Tools section and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    NTBOOTMGR
    NTLOAD
    NTSVCMGR

Next, in HJT open the Misc Tools section, choose Process Manager, and highlight:
    Choose Kill Process

Now scan and have HJT fix the following:
     
  23. cheapsuit

    cheapsuit Private E-2

    None of these are in the services list.
     
  24. cheapsuit

    cheapsuit Private E-2

I did all other steps as instructed except 023 and 023, as they were not listed either.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach a new HJT log for SPD to look at.
     
  26. cheapsuit

    cheapsuit Private E-2

    Here it is.
     

    Attached Files:

  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Is this log from Safe Mode? I don't see any Norton services running, or did you uninstall Norton?

    If the log is from safe mode please reboot and run HJT from normal mode and post that log.
     
  28. cheapsuit

    cheapsuit Private E-2

No, it's from normal mode. I didn't uninstall it, but all my drivers and things like Norton just stopped working. Including the internet. I have no video drivers, and when I try to install them I get that RPC service unavailable message. Nothing is coming up on my taskbar when I boot like it used to.

Edit: All this happened when I tried to use Windows recovery after I couldn't boot up to Windows.
     
    Last edited: Sep 30, 2005
  29. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

You will have to do a Repair install of Windows XP.
     
  30. cheapsuit

    cheapsuit Private E-2

Sorry, I meant to say Windows repair, not recovery. Also, every time I reboot it asks me which operating system to boot. This didn't used to happen.
     
  31. cheapsuit

    cheapsuit Private E-2

Will I be able to save the files I have?
     
  32. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

Then you didn't do the repair correctly. Do this: Start -> Run, notepad c:\boot.ini; post a copy of your boot.ini.
     
  33. cheapsuit

    cheapsuit Private E-2

    sure thing
     

    Attached Files:

• boot.txt (260 bytes)
  34. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

Replace the contents of your boot.ini with this one:
     
  35. cheapsuit

    cheapsuit Private E-2

    Thank you. That fixed my booting problem.
     
  36. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    How is your computer behaving?
     
  37. cheapsuit

    cheapsuit Private E-2

Well, it's booting fine now, but I'm still getting the RPC service is unavailable message.
     
  38. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, this is an issue for the Software forum. Please post there and after they get you fixed up, post back here if you are still having Malware issues.
     
  39. cheapsuit

    cheapsuit Private E-2

Ok, thanks for all your help, pal. :)
     
