Trojan in Messenger

gal1998 · Aug 22, 2005

I am on my daughter's laptop. She is running XP Pro.
She "accidentally" clicked on a file someone sent her in Messenger and has some problems now.

I have ran Adaware..found 30
Spybot found 3 problems
Bitdefender came back clean.
RAV was clean
Ran CCleaner
She has McAfee Virus Scan Enterprise on here. The on-line scan, etc has been disabled by something. I did manually run a scan and found 3 trojans. Qhosts.apd
I then ran Hoster and restored hosts.

Tried to run Hijack this, but it keeps telling me it can't run it from a temp. file, although I have it in C://ProgramFiles

Any help would be appreciated.
Thanks
Gal

Also, it periodically closes all windows.

gal1998 · Aug 22, 2005

Well, I got it to open, but the program closes just as fast.

When it closes the program, my task bar also disappears, and I have to restart the computer to get task bar back.

Gal

gal1998 · Aug 22, 2005

I sure appreciate the help.

I cannot get into safe mode because this is a leased computer from tech school, and I cannot log in in safe mode.

Gal

gal1998 · Aug 22, 2005

I ran Ewido and am posting the log. When we starting updating, it found a virus in svchost..We cleaned that.

I also could run hijack now, so am including both logs.
Thanks
Gal

gal1998 · Aug 23, 2005

Just wondering what I am supposed to do now that I have posted the hijack log and the ewido scan log. I appreciate all the help.

Thanks
Gal

chaslang · Aug 23, 2005

First you need to install HJT properly per the instructions given. You are running it from the ZIP file.

C:\DOCUME~1\MEGARO~1\LOCALS~1\Temp\Temporary Directory 23 for hijackthis.zip\HijackThis.exe

gal1998 · Aug 23, 2005

I am sorry about having it in the wrong place. My daughter's computer is so different than mine,
I hope I have it right now.
Gal

chaslang · Aug 23, 2005

Since D3m3nt3d does not seem to be available, try this.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKCU\..\Run: [svshost] C:\WINDOWS\system32\cqlcxn\svshost.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\cqlcxn <---- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

Did you install Securexam Student? I'm referring to the below service.
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe

gal1998 · Aug 23, 2005

Here is the new log. I fixed the three, but could not boot into safe mode to delete the cqlcxn file. It is password protected and she can only go to her workstation with her password. I tried searching for it and found nothing. Also, looked in task manager and did not find it there. I ran CCleaner.
As for the SecureExamStudent I don't know the answer to that. She is going to be attending a technical college, so maybe has to do with that?

Gal

chaslang · Aug 23, 2005

Okay! At least it (svshost.exe) is no longer loading in the Startup processes.

Your log is clean now.

How are things working now?

chaslang · Aug 23, 2005

D3m3nt3d said:

I had her set to delete that file. Any searching I did found nothing but recommendations to remove it.
Click to expand...

No!

As far as I know it is for: Software Secure Service

Which may be this: http://www.softwaresecure.com/student.htm

See this too: http://www.anti-spy.info/process/ssisvr32.exe.html

gal1998 · Aug 23, 2005

Things seem to be working well, except for the fact her virus scan still stays on disabled? Should I uninstall Ewido and see if that helps that problem?
Gal

Thanks you so much for all the help. I hope she has leearned a good lesson.

chaslang · Aug 23, 2005

It should not be having a conflict with Ewido. Are you sure you do not have it manually disabled?

You may need to uninstall it, reboot, and then reinstall it. Perhaps something that needs to load is not loading at startup due to the malware problems that were on the PC before we cleaned it.

gal1998 · Aug 23, 2005

I will check it out and see what the settings are, otherwise, I will try the uninstalling and installing.

Thanks so much for the help.
Gal

chaslang · Aug 23, 2005

You're welcome. Once everything is all cleaned up, make sure you check out the steps in the below:

How to Protect yourself from malware!

Log in or Sign up

Trojan in Messenger

gal1998 solo-cob

gal1998 solo-cob

gal1998 solo-cob

gal1998 solo-cob

Attached Files:

hijackthis.log

Scan report_20050822.txt.txt

gal1998 solo-cob

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

gal1998 solo-cob

Attached Files:

hjt.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

gal1998 solo-cob

Attached Files:

hijackthis1.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

gal1998 solo-cob

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

gal1998 solo-cob

chaslang MajorGeeks Admin - Master Malware Expert Staff Member