Virus / Unable to access internet.

Hello.

Please help me to fix this.

I inserted a flash drive into my desktop and saw that my files had been changed into shortcuts.
I used a cmd command to show my original files on my flash drive:
"attrib -h -r -s /s /d f:*.*"

I scanned with Avast and a virus was detected. I removed it, but I am unable to access the internet.
I tried rebooting my computer, and 644.js and 3b3b.js automatically open Dreamweaver during startup.
Now I'm having difficulty accessing the internet on my PC.
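The "files turned into shortcuts" symptom above is the usual USB worm pattern: the real files and folders get the Hidden, System and ReadOnly attributes set, and a .lnk with the same name is dropped beside each one that launches a script host with the hidden dropper and then opens the real file. The attrib command the poster ran only undoes the first half. The following PowerShell script is an added example, not code from the thread or from any of the tools it mentions; it repeats the attrib step and then reads every shortcut's target so you can see what it actually launches. The drive letter F:, the quarantine folder and the script name are assumptions.

```powershell
# Added example, not from the thread: triage a removable drive hit by a
# "my files turned into shortcuts" worm. Step 1 is the attrib -h -r -s /s /d
# command the poster ran; step 2 adds the check attrib cannot do: read each
# .lnk and show what it actually launches. Drive letter F: and the quarantine
# folder are assumptions. Save as Triage-UsbDrive.ps1 and run from an
# elevated PowerShell prompt.
param(
    [string]$Drive      = 'F:\',
    [string]$Quarantine = 'C:\Quarantine'
)

# Hidden + System + ReadOnly: the three bits the worm sets on the real files
$mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::ReadOnly)

# 1. Unhide the real files and folders (same effect as: attrib -h -r -s /s /d F:\*.*)
Get-ChildItem -Path $Drive -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $attrs = [int]$_.Attributes
    if (($attrs -band $mask) -ne 0) {
        try { $_.Attributes = [IO.FileAttributes]($attrs -band (-bnot $mask)) }
        catch { Write-Warning "could not change attributes on $($_.FullName)" }
    }
}

# 2. Read every shortcut's target through the WScript.Shell COM object
$shell = New-Object -ComObject WScript.Shell
$suspicious = @()
Get-ChildItem -Path $Drive -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $cmdline = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
    # A user's own shortcut points at a document or a program. The worm's shortcuts
    # point at a script host or cmd.exe and pass it the hidden dropper plus the real
    # file name, so the file still opens and the victim notices nothing.
    if ($cmdline -match '(wscript|cscript|cmd|mshta|powershell)\.exe' -or
        $cmdline -match '\.(js|jse|vbs|vbe|wsf|bat)(\s|"|$)') {
        $suspicious += New-Object PSObject -Property @{
            Shortcut = $_.FullName
            Launches = $cmdline
        }
    }
}

# 3. Report, then move the worm's shortcuts and droppers aside instead of deleting them,
#    so the sample survives for analysis (hash it, look at what the .js actually does).
$suspicious | Format-Table Shortcut, Launches -AutoSize
if ($suspicious.Count -gt 0) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    foreach ($s in $suspicious) {
        Move-Item -LiteralPath $s.Shortcut -Destination $Quarantine -Force
    }
    # Droppers such as the 644.js / 3b3b.js named in the thread normally sit in the drive root
    Get-ChildItem -Path $Drive -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(js|jse|vbs|vbe|wsf)$' } |
        Move-Item -Destination $Quarantine -Force
}
```

The COM approach is used because attrib and Explorer show only the shortcut's name, not its command line; `WScript.Shell.CreateShortcut` on an existing .lnk returns the TargetPath and Arguments the worm wrote into it. Anything the script flags should be treated as infected, and the drive should be rescanned on a clean machine before it is plugged into another PC.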

Hi,

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds to run the tool.

* When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

Save both reports to your desktop and attach DDS.txt and Attach.txt back to the topic.

----- next -----

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds for MCShield to finish its initial scan.
It is recommended that, under the General and Scanner tabs, you click the Defaults button to choose the recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, attach the log report that MCShield has made.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Hello magna86,

Thank you for your reply! :slight_smile:

I have attached the reports.
Do let me know if I did anything wrongly.

Please download OTM and save it to your desktop.

[*] Double click on OTM.exe to launch the tool;
[*] Paste the following code under the "Paste Instructions for Items to be Moved" line;

:REG
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="http://www.google.com"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.google.com"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.google.com"
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}] 
[-HKEY_CLASSES_ROOT\CLSID\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{ae07101b-46d4-4a98-af68-0333ea26e113}"=-

:FILES
ipconfig /flushdns /c
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\user\AppData\Roaming\725f
C:\737e

:COMMANDS
[emptytemp]

[*] Click on the MoveIt! button;
OTM may ask to reboot the machine. Please do so if asked.

[*] Copy/paste the contents under the Results line here in your next reply.

Note: It will also create a log in C:\_OTM\MovedFiles
- open the newest .log file present, and copy/paste the contents of that document back here in your next post.
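The OTM script above does four things: resets the IE search values under HKCU, deletes the BHO and toolbar registrations for two CLSIDs, moves the .js files out of the per-user Startup folder together with two dropped folders, and flushes the DNS cache. The following PowerShell is an added example, not code from the thread or from OTM, doing the same clean-up with built-in cmdlets so that each step is visible and reversible, plus one check OTM does not make. The registry keys, CLSIDs and paths are the ones in the OTM script; the quarantine folder and the Wow6432Node locations (relevant only on 64-bit Windows) are assumptions.

```powershell
# Added example, not from the thread: the OTM script above, redone with built-in
# cmdlets so each step is visible and reversible. Registry keys, CLSIDs and paths
# are the ones in the OTM script; the quarantine folder is an assumption. Run from
# an elevated PowerShell prompt while logged on as the infected user (the IE values
# live under HKCU, so they are per user).
$Quarantine = 'C:\Quarantine'
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

function Set-RegValue($Path, $Name, $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value
}

# 1. :REG part, first block: put the IE search settings back
Set-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main'   'Search Bar'      'http://www.google.com'
Set-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main'   'Search Page'     'http://www.google.com'
Set-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Search' 'SearchAssistant' 'http://www.google.com'

# 2. :REG part, second block: unregister the BHO and the toolbar. Export the keys first;
#    OTM keeps its own backup under C:\_OTM\MovedFiles, a .reg file gives the same undo.
$bho     = '{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}'
$toolbar = '{ae07101b-46d4-4a98-af68-0333ea26e113}'
reg export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' "$Quarantine\bho-backup.reg" /y | Out-Null
reg export 'HKLM\Software\Microsoft\Internet Explorer\Toolbar' "$Quarantine\toolbar-backup.reg" /y | Out-Null

$keys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho",
    "HKLM:\Software\Classes\CLSID\$bho",
    "HKLM:\Software\Classes\CLSID\$toolbar",
    # 32-bit IE on 64-bit Windows registers BHOs and CLSIDs under Wow6432Node as well (assumption: x64 host)
    "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho",
    "HKLM:\Software\Wow6432Node\Classes\CLSID\$bho",
    "HKLM:\Software\Wow6432Node\Classes\CLSID\$toolbar"
)
foreach ($k in $keys) {
    if (Test-Path $k) { Remove-Item -Path $k -Recurse -Force; "removed: $k" } else { "not present: $k" }
}
Remove-ItemProperty -Path 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar' -Name $toolbar -ErrorAction SilentlyContinue

# 3. :FILES part: move the startup scripts and the dropped folders aside rather than deleting them
$startup = [Environment]::GetFolderPath('Startup')   # ...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Get-ChildItem -Path $startup -Force |
    Where-Object { $_.Extension -match '^\.(js|jse|vbs|vbe|wsf)$' } |
    Move-Item -Destination $Quarantine -Force
foreach ($dir in @("$env:APPDATA\725f", 'C:\737e')) {
    if (Test-Path $dir) { Move-Item -LiteralPath $dir -Destination $Quarantine -Force }
}
ipconfig /flushdns | Out-Null

# 4. The check OTM does not make: is anything else still set to launch a script host at logon?
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p) {
        $p.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '(wscript|cscript|mshta)|\.(js|jse|vbs|vbe|wsf)\b' } |
            ForEach-Object { "still present in ${k}: $($_.Name) = $($_.Value)" }
    }
}
```

Moving rather than deleting is deliberate: the startup .js files are the sample you would hand to an analyst, and the .reg exports let you restore a key if the CLSID turns out to belong to something legitimate. Step 4 covers the Run keys because a worm that drops into the Startup folder often registers a second launcher there as well; an empty result from it is the confirmation that the reboot test in the thread ("does Dreamweaver still open?") only approximates.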

Hello magna86,

These are the results I have from OTM.
I've attached the log in this reply too.
Thank you for your assistance.

Results:

All processes killed
========== REGISTRY ==========
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\"Search Bar"|"http://www.google.com" /E : value set successfully!
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\"Search Page"|"http://www.google.com" /E : value set successfully!
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\"SearchAssistant"|"http://www.google.com" /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}\ not found.
Registry key HKEY_CLASSES_ROOT\CLSID\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{ae07101b-46d4-4a98-af68-0333ea26e113} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ae07101b-46d4-4a98-af68-0333ea26e113}\ deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\user\Desktop\cmd.bat deleted successfully.
C:\Users\user\Desktop\cmd.txt deleted successfully.
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3b3b.js moved successfully.
C:\Users\user\AppData\Roaming\725f folder moved successfully.
C:\737e folder moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 57472 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: fbwuser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 128 bytes
->Flash cache emptied: 56478 bytes
 
User: Guest
->Temp folder emptied: 224620 bytes
->Temporary Internet Files folder emptied: 411963 bytes
->Flash cache emptied: 56478 bytes
 
User: Public
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes
 
User: user
->Temp folder emptied: 3927124917 bytes
->Temporary Internet Files folder emptied: 1480045 bytes
->Java cache emptied: 2148765 bytes
->FireFox cache emptied: 64987052 bytes
->Google Chrome cache emptied: 375131437 bytes
->Flash cache emptied: 58282 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 375758 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 211613767 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33298 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 42339203 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 4,412.00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 09052013_180202

Files moved on Reboot...
File C:\Users\user\AppData\Local\Temp\OICE_D42949FC-E490-4E6D-88B7-2C86434E5C37.0\CE2C843D. not found!
File C:\Users\user\AppData\Local\Temp\OICE_922675C6-E467-48BD-9E1C-0D7D69511C87.0\EE299AE4. not found!
File C:\Users\user\AppData\Local\Temp\OICE_65E36EEA-5653-4221-BA4B-9737B4747E0C.0\E5385317. not found!
File C:\Users\user\AppData\Local\Temp\OICE_42EE28BB-6810-4436-9897-E89C5EF5E88E.0\EF72116. not found!
File C:\Users\user\AppData\Local\Temp\OICE_24AE8BF6-7741-4212-ADCC-BBF21C6AD751.0\2EDBE0B3. not found!
File C:\Users\user\AppData\Local\Temp\OICE_0ACF0B64-224F-4FF1-B1EA-7E795BA87919.0\2FBEE961. not found!
File C:\Users\user\AppData\Local\Temp\OICE_0ACF0B64-224F-4FF1-B1EA-7E795BA87919.0\48277FEE. not found!
C:\Users\user\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
File move failed. C:\Windows\SysWow64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Looks good. Now I would like to confirm that, and perform an anti-rootkit scan:

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: this is a beta version, so please be sure to read the disclaimer and take note of it.

[*] Unzip/unrar MBAR into a folder on your Desktop
[*] Open the folder where the contents were unzipped and run mbar.exe

[*] Click on Next > then on the Update button to download fresh definitions.
[*] When the database has updated, click Next
[*] In the following window ensure the "Targets" Drivers, Sectors and System are ticked. Then select the "Scan" button

[*] If any infections are found, ensure "Create Restore Point" is checked, then select the "Cleanup" button to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.

[*] The cleanup procedure will be scheduled.
[*] When complete, a pop-up will show. Select the Yes button and the system should reboot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.

----- next -----

  • Re-run DDS and attach a fresh DDS.txt log report here.

Hello magna86,

Performed an anti-rootkit scan, which found 2 malware items.
Did the cleanup. I've attached the system log, mbar log, dds and attach txt files.

  1. Follow this guide for running AdwCleaner and attach the log AdwCleaner creates here.

  2. How is your computer running now? 8)

  1. Followed the guide for running AdwCleaner from http://forum.avast.com/index.php?topic=53253.0
    I have attached the AdwCleaner log.

  2. 644.js and 3b3b.js no longer automatically open with Dreamweaver at startup :smiley:

However, I am still unable to access the internet.
I'm having the issue "Unable to connect to the proxy server".

Please let me know if I did anything wrong.


I accidentally clicked on clean; will it affect anything? :frowning:
I have attached both the scan and clean logs.

AdwCleaner[R0]: scan
AdwCleaner[S0] : clean

Please download Farbar Service Scanner and run it on the computer with the issue.
[*] Make sure the following options are checked:

[*] Internet Services
[*] Windows Firewall
[*] System Restore
[*] Security Center/Action Center
[*] Windows Update
[*] Windows Defender

[*] Press "Scan".
[*] It will create a log (FSS.txt) in the same directory the tool is run from.
[*] Please copy and paste the log into your reply.

Hello magna86,

Done scanning with FSS.
I’ve also attached the FSS Log.

FSS Log:

Farbar Service Scanner Version: 05-09-2013
Ran by user (administrator) on 06-09-2013 at 01:00:05
Running from "C:\Users\user\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
IE proxy is enabled.
ProxyServer: http=127.0.0.1:8555


Windows Firewall:
=============

Firewall Disabled Policy: 
==================


System Restore:
============

System Restore Disabled Policy: 
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy: 
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
  1. Download the Services Repair tool, available here, and save it to your Desktop. Right-click on it and select Run As Administrator, then follow the prompts. It should reboot when it finishes. If not, reboot it yourself.
    http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe

  2. Re-run FSS and post the freshly created FSS log here.

  3. Any good changes?

Hello magna86,

Downloaded and ran the Services Repair tool.
Re-ran FSS and attached the freshly created FSS log.

I am still unable to access the internet.

FSS doesn't show a reason for your problem. To be more precise, you do have internet access.

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
IE proxy is enabled.

Can you please describe your problem once more?

Hello Magna86,

;D I think the problem is solved!

I have checked my LAN settings and realized that under Proxy server, it was ticked.
Probably the virus made the proxy server get ticked automatically. It was not ticked previously.
So happy that my computer is fixed now.
I realized that my PC's boot-up speed has increased.

Thanks a lot for your help and kind assistance! 8)

:slight_smile:
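The setting the poster found by hand is visible in the FSS log earlier in the thread: `IE proxy is enabled. ProxyServer: http=127.0.0.1:8555`. The malware pointed the browser at a proxy it ran on the machine itself; once the malware was removed, nothing listened on that port, so ping and DNS (which is what FSS tests) kept working while every browser request failed with "Unable to connect to the proxy server". The following PowerShell is an added example, not code from the thread or from FSS, that checks for exactly this leftover and undoes it. Port 8555 comes from the log; the script otherwise makes no assumptions about the infection.

```powershell
# Added example, not from the thread: find and undo the setting behind
# "Unable to connect to the proxy server". The FSS log in the thread shows
# ProxyServer = http=127.0.0.1:8555, i.e. a proxy on the machine itself that
# the removed malware used to intercept browser traffic. Run as the affected
# user (the values are per user, under HKCU); the netsh lines need an elevated prompt.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$cfg = Get-ItemProperty -Path $key

"ProxyEnable   : $($cfg.ProxyEnable)"
"ProxyServer   : $($cfg.ProxyServer)"
"AutoConfigURL : $($cfg.AutoConfigURL)"   # a PAC file is the other way to hijack browser traffic

$hijacked = $false
if ($cfg.ProxyEnable -eq 1 -and $cfg.ProxyServer -match '(127\.0\.0\.1|localhost):(\d+)') {
    $port = [int]$Matches[2]
    # Is anything listening there? netstat works on Windows 7; Get-NetTCPConnection needs Windows 8+.
    $listener = netstat -ano | Select-String ":${port}\s+\S+\s+LISTENING\s+(\d+)" | Select-Object -First 1
    if ($listener) {
        $ownerPid = $listener.Matches[0].Groups[1].Value
        "loopback proxy :${port} is live, owned by PID ${ownerPid}:"
        tasklist /fi "PID eq $ownerPid"   # identify the process before killing anything
    } else {
        "loopback proxy :${port} is configured but nothing listens there; this is why browsers fail"
    }
    $hijacked = $true
}
if ($cfg.AutoConfigURL) { $hijacked = $true }

if ($hijacked) {
    # Same effect as unticking "Use a proxy server" in Internet Options > Connections > LAN settings
    Set-ItemProperty    -Path $key -Name ProxyEnable   -Value 0
    Remove-ItemProperty -Path $key -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
    # Services such as Windows Update use the separate WinHTTP proxy setting; clear that too
    netsh winhttp reset proxy | Out-Null
    "proxy settings reset; restart the browser"
}

# Other redirection points the same kind of malware uses: both should come back empty/direct
"hosts file entries:"
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" | Where-Object { $_ -notmatch '^\s*(#|$)' }
"WinHTTP proxy:"
netsh winhttp show proxy
```

The listener check matters for the order of operations: if a process is still bound to the port, the proxy is not a leftover but a live interception point, and removing the process comes before resetting the setting, otherwise the next logon may simply put it back. FSS reports "IE proxy is enabled" but treats a reachable Google as working internet, which is why the helper missed it; a loopback ProxyServer value with ProxyEnable set is the line to look for in that log.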

Let's remove the tools we used: please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes;

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored at C:\DelFix.txt

I don't need the DelFix log report.

I recommend using MCShield, if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And it will not only prevent infection, but will immediately clean the flash drive, memory card or external HDD.

Okay! Downloaded it and did the steps. 8)

Downloaded Mcshield too!
THANK YOU SOOOOOOOOOOOO MUCH for everything! :smiley: