9th February 2008, 11:57 PM
|  | Newcomer | | Join Date: Feb 2008, 25 posts. Reputation:  | | | [SOLVED] Weird Problem
Well..
I started watching a movie at a website today and it gets to a certain point and it's like the internet disconnects, but it doesn't. I try to load another page in Firefox and IE7 and it just stops and there is a white blank page in both browsers. But yet it seems I have no internet connection because WLM disconnects. But it says that there is a connection on the modem. All I have to do is restart the PC and everything works again. But it happens 2 to 3 times a day and it's getting quite annoying now.
I don't think it's a virus or anything like that although I haven't scanned yet. I have cleaned up my registry with TuneUp Utilities 2008 and ran a few other programs within TuneUp Utilities 2008 and I haven't tested to see if it does it again yet.
But please note: It does not just happen when I am watching a movie or video, it will happen a lot whilst I'm just browsing the internet.
Please help as soon as possible.
Thanks - Victim
- Edit: Another problem, I am using Windows XP SP2 and my automatic updates are not installing either. They will download and everything but when it comes to installing, it won't even begin installing the first one, then a few seconds later it will come up with a list of all the updates and failed next to all of them. I have over 80 updates I need to install now and it won't install them! I have tried installing them from the Microsoft update website and it will bring 1 update up before I can install the rest (Windows Genuine Tool or something like that - Something to make sure you are using a Genuine version of Windows XP anyway) and that doesn't install either, so then I cannot continue to install the rest of the updates. I have no idea what is causing this problem. Please help as soon as possible.
Last edited by Victim.; 10th February 2008 at 12:05 AM.
| 
10th February 2008, 12:26 AM
|  | Super Moderator | | Join Date: Oct 2007, 2,181 posts. Reputation:   | |
Please could you post a HijackThis log: Make sure you have the LATEST version of HJT (currently 2.0.0.2) from HERE.
* Double-click on the file you just downloaded.
* Click on the "Install" button to install.
It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
* Please do not change the default install location.
Now go to the HJT directory and right click on the HijackThis.exe file. Choose rename and click in the title box. Hit the enter key to clear what's there and rename HijackThis.exe to Crusty.exe.
Right click on the crusty.exe file and choose send to desktop, create shortcut.
Run Hijackthis
* Next click on the "Do a system scan and save a log file" button.
* Hijackthis will scan and then a log will open in notepad.
* Post the HJT log as an attachment.
You can post attachments by clicking on the post reply button and then scrolling down and clicking on the manage Attachments button.
I'll let evilfantasy know so he can check your log, to make sure you aren't infected.
Regards Jason | 
10th February 2008, 12:42 AM
|  | Newcomer | | Join Date: Feb 2008, 25 posts. Reputation:  | | |
OK.. Done..
The log is attached.
Last edited by Howard; 11th February 2008 at 07:15 PM.
| 
10th February 2008, 12:56 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | | Thread moved to Malware Removal
Open Hijackthis and select Do a system scan only.
Place a check mark next to the following entries: (if there)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - Winlogon Notify: mllji - C:\WINDOWS\system32\mllji.dll (file missing)
O20 - Winlogon Notify: ssqnkig - ssqnkig.dll (file missing)
Important: Close all windows except for Hijackthis and then click Fix checked.
Exit Hijackthis.
----------
Download SDFix.exe and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard).
- Finally add the contents of the Report.txt and a NEW Hijackthis log in your next post.
----------
Next post please attach SDFix log
New Hijackthis log | 
10th February 2008, 02:03 AM
|  | Newcomer | | Join Date: Feb 2008, 25 posts. Reputation:  | | |
Followed your instructions and completed them without any problems.
Files that you requested are attached.
Last edited by Howard; 11th February 2008 at 07:16 PM.
| 
10th February 2008, 02:32 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
Delete malicious file
Download OTMoveIt2 by OldTimer.
- Save it to your desktop.
- Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code: C:\WINDOWS\system32\qnmsftce.dll
- Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
----------
Fix malicious entries
Open Hijackthis and select Do a system scan only.
Place a check mark next to the following entries: (if there)
O2 - BHO: (no name) - {02C69464-4269-4E42-850A-BFDDC889FB65} - C:\WINDOWS\system32\qnmsftce.dll
O2 - BHO: (no name) - {089EF936-FCCB-434B-B920-2A56FE75975c} - C:\WINDOWS\system32\qnmsftce.dll
Important: Close all windows except for Hijackthis and then click Fix checked.
Exit Hijackthis.
----------
CleanUp!
Download and install CleanUp!.exe
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
- Click Options...
- Make sure the arrow is set to Standard CleanUp!
- Uncheck the following: (if checked)
- Delete Newsgroup cache
- Delete Newsgroup Subscriptions
- Click OK
Click the CleanUp! button to start the program. Reboot/logoff when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!
If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.
----------
Scan suspicious file
Upload a File to Virustotal
Please visit Virustotal
Copy this file path - c:\windows\system32\ESENT.dll
- Click once inside the window next to Browse.
- Press Ctrl+V on the keyboard (both at the same time) to paste the file path in the window.
- Next click Send File
- Your file will possibly be entered into a queue which normally takes less than a minute to clear.
- VirusTotal will perform a scan across 30+ different virus scanning engines.
- Please wait for all of the scanning engines to complete.
- Copy and then Paste the results in the next reply.
---------- Next post OTMoveIt log
VirusTotal results | 
10th February 2008, 02:53 AM
|  | Newcomer | | Join Date: Feb 2008, 25 posts. Reputation:  | | Quote:
Originally Posted by evilfantasy
Place a check mark next to the following entries: (if there)
O2 - BHO: (no name) - {02C69464-4269-4E42-850A-BFDDC889FB65} - C:\WINDOWS\system32\qnmsftce.dll
O2 - BHO: (no name) - {089EF936-FCCB-434B-B920-2A56FE75975c} - C:\WINDOWS\system32\qnmsftce.dll
Important: Close all windows except for Hijackthis and then click Fix checked.
Exit Hijackthis.
----------
|
So, you just want me to check those 2 files then exit Hijackthis? That seems pointless.
Did you forget to tell me to do something after checking those 2 files?
| 
10th February 2008, 02:55 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
No, I didn't. Quote: | Important: Close all windows except for Hijackthis and then click Fix checked.
| | 
10th February 2008, 02:56 AM
|  | Newcomer | | Join Date: Feb 2008, 25 posts. Reputation:  | | |
OK, mis-read that part.
Sorry, will continue following instructions now.
I cannot provide the OTMoveIt log, I did copy the results of the move but I forgot to paste them into notepad, then when I copied the path of that file, the results of the OTMoveIt log were overwritten. But I do believe that it completed with no problems although I am not 100% sure. I did enter the path of the file again, and it said file not found or something similar so I'm guessing that it moved with no problems.
Anyway, here are the VirusTotal results:
File ESENT.dll received on 02.10.2008 05:05:10 (CET)
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.6.10 2008.02.05 -
AntiVir 7.6.0.62 2008.02.08 -
Authentium 4.93.8 2008.02.08 -
Avast 4.7.1098.0 2008.02.09 -
AVG 7.5.0.516 2008.02.09 -
BitDefender 7.2 2008.02.10 -
CAT-QuickHeal None 2008.02.08 -
ClamAV 0.92 2008.02.10 -
DrWeb 4.44.0.09170 2008.02.09 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5522 2008.02.08 -
Ewido 4.0 2008.02.09 -
FileAdvisor 1 2008.02.10 -
Fortinet 3.14.0.0 2008.02.10 -
F-Prot 4.4.2.54 2008.02.10 -
F-Secure 6.70.13260.0 2008.02.09 -
Ikarus T3.1.1.20 2008.02.10 -
Kaspersky 7.0.0.125 2008.02.10 -
McAfee 5226 2008.02.08 -
Microsoft 1.3204 2008.02.10 -
NOD32v2 2861 2008.02.09 -
Norman 5.80.02 2008.02.08 -
Panda 9.0.0.4 2008.02.09 -
Prevx1 V2 2008.02.10 -
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.09 -
Sunbelt 2.2.907.0 2008.02.09 -
Symantec 10 2008.02.09 -
TheHacker 6.2.9.215 2008.02.09 -
VBA32 3.12.6.0 2008.02.09 -
VirusBuster 4.3.26:9 2008.02.09 -
Webwasher-Gateway 6.6.2 2008.02.10 -
Additional information
File size: 1082368 bytes
MD5: a57b8acd54afbe482042c285c2767ebf
SHA1: 09aded46fb07509641597a5a2433e03c58f5fd83
PEiD: -
Did I do something wrong?
Last edited by Howard; 10th February 2008 at 06:59 AM.
Reason: Posts merged. Please use the edit button, rather than making a new post when there are no other posts in between. Thanks.
| 
10th February 2008, 03:22 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | | |
Go to C:\_OTMoveIt\MovedFiles\ and get the log from there. You can just copy and paste the results.
Also please run a new Hijackthis scan and post the log.
Let me know how the computer is now. (check to see if the update problem still exists)
| 
10th February 2008, 03:29 AM
|  | Newcomer | | Join Date: Feb 2008, 25 posts. Reputation:  | |
OTMoveIt log:
C:\WINDOWS\system32\qnmsftce.dll unregistered successfully.
C:\WINDOWS\system32\qnmsftce.dll moved successfully.
OTMoveIt2 v1.0.19 log created on 02102008_034915
Then another 2 logs saying file not found (those are when I tried to get the results again)
Hijack this file log attached to post.
I'll check to see if the problem is still there now, but if it is I will need to reboot to get internet back so I might not reply for a few minutes.
Yep, the problem is still occurring.
Last edited by Howard; 11th February 2008 at 07:17 PM.
Reason: Posts merged. Please use the edit button, rather than making a new post when there are no other posts in between. Thanks.
| 
10th February 2008, 04:04 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
I just noticed you have a Symantec service running. This needs to be fixed.
Open Hijackthis and have it fix this entry
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
Now, go to Start > Run, and copy/paste the following into the Open box: Quote: |
sc delete CLTNetCnService
| Click: OK
----------
Let's do another scan to see if anything is hiding.
Use the Kaspersky Online Scanner
- Click Accept.
- Answer Yes, when prompted to install an ActiveX component.
- The program will then begin downloading the latest definition files.
- Once the files have been downloaded click on NEXT
- Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK & have it scan My Computer
When the scan is done, in the Scan is complete window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As... (shown above)
Next, in the Save as prompt, Save in area, select: Desktop.
In the File name area, use KScan, or something similar.
In Save as type: click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please add the Kaspersky Online Scanner Report in your next post.
---------------
This scan will take a while so just be patient and let it finish. If anything else is there then it will find it.
We will work on the update problem once we are sure the malware is gone. Next post Kscan log | 
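The HijackThis entries singled out for fixing in the posts above (O2, O3, O20, O23) all follow one line format, so the same triage can be scripted. This is an added example, not part of the original thread and not HijackThis code; the field names, flag labels and function names are assumptions made here, and the sample lines are the entries quoted in the thread.

```python
import re
from collections import defaultdict

# Entries copied from the posts above; the attached logs are not on the page.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02C69464-4269-4E42-850A-BFDDC889FB65} - C:\WINDOWS\system32\qnmsftce.dll
O2 - BHO: (no name) - {089EF936-FCCB-434B-B920-2A56FE75975c} - C:\WINDOWS\system32\qnmsftce.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - Winlogon Notify: mllji - C:\WINDOWS\system32\mllji.dll (file missing)
O20 - Winlogon Notify: ssqnkig - ssqnkig.dll (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# Line shape: "<section> - <kind>: <rest>", fields inside <rest> split on " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Trailing markers seen in the entries above when the referenced file is absent.
MISSING_RE = re.compile(r"\s*(?:-\s*)?\((?:file missing|no file)\)\s*$")
# Service short name in parentheses at the end of an O23 display name.
SERVICE_RE = re.compile(r"\(([^()]+)\)\s*$")


def parse_entry(line):
    """Parse one log line into a dict, or return None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    missing = MISSING_RE.search(rest) is not None
    fields = [f.strip() for f in MISSING_RE.sub("", rest).split(" - ")]
    clsid = CLSID_RE.search(rest)
    # The target file is the last field, unless only the name or CLSID remains.
    target = None
    if len(fields) > 1 and not CLSID_RE.fullmatch(fields[-1]):
        target = fields[-1]
    flags = []
    if fields[0] == "(no name)":
        flags.append("no name")
    if "Unknown owner" in fields:
        flags.append("unknown owner")
    if missing:
        flags.append("target missing")
    service = None
    if m.group("section") == "O23":
        s = SERVICE_RE.search(fields[0])
        service = s.group(1) if s else None
    return {"section": m.group("section"), "kind": m.group("kind"),
            "name": fields[0], "clsid": clsid.group(0) if clsid else None,
            "target": target, "service": service, "flags": flags}


def triage(log_text):
    """Return the parsed entries of a log, skipping lines that are not entries."""
    return [e for e in map(parse_entry, log_text.splitlines()) if e]


def shared_targets(entries):
    """Map each target file referenced by more than one entry to its referrers."""
    by_target = defaultdict(list)
    for e in entries:
        if e["target"]:
            by_target[e["target"].lower()].append(e["clsid"] or e["name"])
    return {t: refs for t, refs in by_target.items() if len(refs) > 1}


if __name__ == "__main__":
    parsed = triage(SAMPLE_LOG)
    for e in parsed:
        print(e["section"], e["kind"], e["target"], e["service"], e["flags"])
    print(shared_targets(parsed))
```

The flags only mark entries for a human to review, as the helper does in the thread; they are not a verdict on the file.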
10th February 2008, 04:15 AM
|  | Newcomer | | Join Date: Feb 2008, 25 posts. Reputation:  | | |
Corrected the entry you told me to, continued to the Kaspersky bit and when it came up with accept or decline.. I tried to click accept and it wouldn't do anything although the decline button was working. Can you provide a link after clicking the accept button? EDIT: Nevermind - It works in IE7. I'll continue to follow the instructions you provided now.
Last edited by Victim.; 10th February 2008 at 04:18 AM.
| 
10th February 2008, 04:23 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | | |
This scan will take a while so please be patient and let it finish. If anything else is hiding though, it will find it.
| 
10th February 2008, 05:11 AM
|  | Newcomer | | Join Date: Feb 2008, 25 posts. Reputation:  | | |
Argh.. The scan has stopped at 64% and has been stuck for 6 minutes on the same file.
Guess I'm going to have to restart it which means it will take even longer.
:frown:
| 
10th February 2008, 05:17 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
If it happens again, or you are willing to start it again, then run this and then start it over.
Download and install CleanUp!.exe
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
- Click Options...
- Make sure the arrow is set to Standard CleanUp!
- Uncheck the following: (if checked)
- Delete Newsgroup cache
- Delete Newsgroup Subscriptions
- Click OK
Click the CleanUp! button to start the program. Reboot/logoff when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!
If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.
Then run the scan.
| 
10th February 2008, 05:29 AM
|  | Newcomer | | Join Date: Feb 2008, 25 posts. Reputation:  | |
OK - In the 64% that it scanned it found 1 virus and 5 infected objects.
I'll run the CleanUp! program then restart the scan then reply with the full report. | 
10th February 2008, 05:31 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
EDIT: Sorry I just realized I had you run CleanUp! already.
Let's do this first, it is a much faster scan.
Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)
Important! Combofix.exe MUST be saved to and ran from the Desktop.
- Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
- Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
- Click this link to see a list of security programs that should be disabled and how to disable them.
- If yours is not listed and you don't know how to disable it, please ask.
- Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
- Double click combofix.exe & follow the prompts.
- From the keyboard select 1 and press Enter
- When finished, it will produce a log for you.
- Post that log in your next reply.
Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall.
- If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
- Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
---------- Next post Combofix log | 
10th February 2008, 05:34 AM
|  | Newcomer | | Join Date: Feb 2008, 25 posts. Reputation:  | |
OK - I'll do that now.
ComboFix log attached.
Let me know what to do next.
Last edited by Howard; 11th February 2008 at 07:17 PM.
Reason: Posts merged. Please use the edit button, rather than making a new post when there are no other posts in between. Thanks.
| 
10th February 2008, 06:03 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
I think that was a success
It's now suggested that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
Go to Microsoft's website here --> http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log. Thanks to Bleeping Computer for the guide.
----------
Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:
- Double-click on drweb-cureit.exe and then click Start.
- An Express Scan of your PC notice will appear.
- Under Start the Express Scan Now Click OK to start.
- This is a short scan that will scan the files currently running in memory.
- If or when something is found, click the Yes button when it asks you if you want to cure it.
- Once the short scan has finished, Click Options > Change settings
- Choose the Scan tab and UNcheck Heuristic analysis and click OK
- Back at the main window, select the Complete scan button.
- Then click the Green Arrow Start Scanning button on the right and the scan will start.
- Click Yes to all if it asks if you want to cure/move any file(s).
- When the scan is done.
- In the Dr.Web CureIt menu on top left, click File and choose Save report list.
- Save the DrWeb.csv report to your Desktop.
- Exit Dr.Web Cureit.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
- Copy and paste that log in the next reply
---------- Next post Dr Web log
And a NEW Hijackthis log ran after the Dr Web steps are complete.