Author Topic: Help With Malware not very technical


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Help With Malware not very technical
« Reply #30 on: February 22, 2010, 09:00:03 PM »
Do you have AIS, as that is usually a sandbox sign?

JAGUARD77

  • Guest
Re: Help With Malware not very technical
« Reply #31 on: February 22, 2010, 09:34:14 PM »
Since I do not have any idea what AIS is my guess would be that I do not have it. Still without Internet Explorer. :'(

Offline essexboy
Re: Help With Malware not very technical
« Reply #32 on: February 22, 2010, 09:41:55 PM »
OK, time to come in from left field:

First uninstall IE8; that will revert to IE7. Give it a whirl and see if IE works.

Re-reading the thread, you appear to have Avast Internet Security.

Open AIS at this page and see if IE is in there; if it is, remove it from virtualisation.

JAGUARD77
Re: Help With Malware not very technical
« Reply #33 on: February 23, 2010, 12:04:48 AM »
Eureka! Well, almost. Internet Explorer finally came up, but only partially. It comes up with Yahoo because that is my home page, but only with the top menu; the rest is blank. I can finally see the light at the end of the tunnel. Should I now update to IE8 or what? Also, Avast Internet Security cannot update; it says "cannot connect to server".

JAGUARD77
Re: Help With Malware not very technical
« Reply #34 on: February 23, 2010, 01:14:33 AM »
I only see my home page; I try to open any other page and it looks like it is processing, but nothing happens. Super slow.

Offline essexboy
Re: Help With Malware not very technical
« Reply #35 on: February 23, 2010, 09:05:27 PM »
OK, now re-update to IE8: http://www.microsoft.com/windows/internet-explorer/worldwide-sites.aspx

Then run OTS for me so that I can check that all files are correct.

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete, Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Word Wrap is not checked. If it is, then click on it to uncheck it.
Please attach the log in your next post.


JAGUARD77
Re: Help With Malware not very technical
« Reply #36 on: February 23, 2010, 11:57:16 PM »
Eureka!!! ;D
Finally Internet Explorer is up and running; you are the man. Here is the latest OTS file. Funny thing though, this morning my Internet Service Provider blocked my internet access because, according to them, I still had a virus. I did a virus scan with Avast and a Malwarebytes scan and they both came back clean. The only issue I have left is that since the virus attack I can't update Avast; it says it can't connect to the site, and it is still connecting slowly in comparison with the other laptop that shares the same connection.
Thank you for all of your help; there was a moment when I thought about throwing it away.

JAGUARD77
Re: Help With Malware not very technical
« Reply #37 on: February 24, 2010, 08:20:13 PM »
Spoke too soon. IE was running perfectly yesterday; I come back to work and it's the same problem. I click on the icon, the hourglass shows up, but then it disappears. For some reason I believe that my computer might still be infected and it is blocking my internet access. Sometimes it shows a slow connection warning, no connection, connection unsecure, or it just cannot detect a network. A friend of mine recommended reinstalling from the operating system CD, but I am not sure that that will solve the issue.

Offline essexboy
Re: Help With Malware not very technical
« Reply #38 on: February 24, 2010, 09:07:21 PM »
I can now see a proxy reset, so I will clear that.

Start OTS. Copy/paste the information in the quote box below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > ->
YN -> HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 1
YN -> HKEY_USERS\.DEFAULT\: "ProxyServer" -> http=localhost:1361
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > ->
YN -> HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 1
YN -> HKEY_USERS\S-1-5-18\: "ProxyServer" -> http=localhost:1361
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-571339875-3353412711-4101707973-1003\] > ->
YN -> HKEY_USERS\S-1-5-21-571339875-3353412711-4101707973-1003\: "ProxyServer" -> http=localhost:1361
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-571339875-3353412711-4101707973-1003\] > -> HKEY_USERS\S-1-5-21-571339875-3353412711-4101707973-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
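An added check, not from the thread or from OTS: a PowerShell audit that reads the same ProxyEnable/ProxyServer values from every loaded hive under HKEY_USERS (.DEFAULT, S-1-5-18 and each user SID, as in the fix above) and flags a loopback proxy such as http=localhost:1361, which is what silently breaks IE and the Avast updater's "cannot connect to server". The -Remediate switch is my own addition, not an OTS feature; it only mirrors the end state of the fix, and the script assumes the standard WinINet key path and an elevated PowerShell.

```powershell
# Added audit, not part of the thread or of OTS: walk every loaded hive under
# HKEY_USERS, read the WinINet proxy values and flag a loopback proxy.
# The -Remediate switch (an assumption, not an OTS feature) clears such entries.
param([switch]$Remediate)

$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$loopbackHosts = @('localhost', '127.0.0.1', '::1')

# Skip the *_Classes hives; they never carry Internet Settings.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notlike '*_Classes' }

foreach ($hive in $hives) {
    $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
    if (-not (Test-Path -Path $path)) { continue }

    $props   = Get-ItemProperty -Path $path
    $enabled = [int]$props.ProxyEnable        # absent value reads as 0
    $server  = [string]$props.ProxyServer     # e.g. "http=localhost:1361"

    # ProxyServer is either "host:port" or "proto=host:port;proto=host:port".
    $loopback = $false
    foreach ($entry in ($server -split ';')) {
        $hostPort  = ($entry -split '=')[-1]
        $proxyHost = ($hostPort -split ':')[0].Trim().ToLower()
        if ($loopbackHosts -contains $proxyHost) { $loopback = $true }
    }

    # A proxy that is enabled and points back at the machine itself is the
    # pattern seen in this thread; a proxy pointing elsewhere just gets listed.
    $status = 'clean'
    if ($server) { $status = 'proxy set' }
    if ($enabled -eq 1 -and $loopback) { $status = 'SUSPICIOUS' }
    '{0,-10} {1,-48} ProxyEnable={2} ProxyServer={3}' -f $status, $hive.PSChildName, $enabled, $server

    if ($Remediate -and $loopback) {
        # Same end state as the OTS fix: proxy off, server value removed.
        Set-ItemProperty -Path $path -Name 'ProxyEnable' -Value 0 -Type DWord
        Remove-ItemProperty -Path $path -Name 'ProxyServer' -ErrorAction SilentlyContinue
    }
}
```

Only hives of users who are currently logged on (plus .DEFAULT and the service SIDs) are loaded under HKEY_USERS, so a profile that is not logged in is not covered by this pass.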

JAGUARD77
Re: Help With Malware not very technical
« Reply #39 on: February 24, 2010, 09:33:08 PM »
Here is the new OTL file after the fix. Still without Internet Explorer; when I restart the computer it says ImApp.exe and iexplorer.exe are not responding. It was working fine yesterday when I upgraded to IE8, but this morning when I came to work, nothing, back to zero. When I ran Hitman Pro at the beginning of this issue it also said I had a proxy problem, but nothing else.

Offline essexboy
Re: Help With Malware not very technical
« Reply #40 on: February 24, 2010, 09:53:33 PM »
I am beginning to think file infector here, which is not good news; I would like to check that out. This scan may take a while.

Download Dr.Web CureIt to the desktop.
• Double-click the drweb-cureit.exe file, then on Start, and allow it to run the express scan.
• This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, choose the Complete Scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, look and see if you can click the following icon next to the files found:

• If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:

• This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
• After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
• Save the report to your desktop. The report will be called DrWeb.csv.
• Close Dr.Web CureIt.
• Reboot your computer to allow files that were in use to be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You may need to rename it to .txt.
NOTE: During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.

JAGUARD77
Re: Help With Malware not very technical
« Reply #41 on: February 25, 2010, 10:53:48 PM »
Dr.Web CureIt just finished the short and full scan. Attached is the report. The one thing I did not see in the full scan report is what the short report found. The short report showed: BackDoor.MaosBoot.35
Do you have any idea what that is? Also, my friend recommended an online service that can log in to your computer remotely and clean your computer. They said that there might be some files that might have been destroyed, and that is why sometimes I can log in to IE and then sometimes I can't. They advised that the best solution would be reinstalling from the Operating System CD; what do you think?
You have helped throughout the whole problem and I honestly would trust your advice more than any other. Thanks again for your help.

Offline essexboy
Re: Help With Malware not very technical
« Reply #42 on: February 25, 2010, 11:19:48 PM »
The good news: it is not a file infector.

I am still concerned about IE working and then 24 hours later not working. Could you uninstall Incredimail, as that is part of the ImApp.exe problem and may have a knock-on effect on IE.

Offline essexboy
Re: Help With Malware not very technical
« Reply #43 on: February 25, 2010, 11:34:27 PM »
Hi, there is a new infection found yesterday that I would like to check out.

• Click on the Start button and choose Run... (if you do not see Run... listed, you can alternatively press Windows Key + R)
• In the Run dialog, type cmd and click OK; a black box will appear with a blinking cursor
• Copy the code below into the black box (to paste the code in the black box, right-click and choose Paste)
Code:
net user HelpAssistant>%temp%\temp0
start notepad %temp%\temp0
exit
cls
• Press the Enter key to run the code
• Type Exit (or click the X in the corner of the box) to close the black box
Please post the contents of the resulting log.

JAGUARD77
Re: Help With Malware not very technical
« Reply #44 on: February 26, 2010, 12:47:47 AM »
Here is the log report from the cmd log you asked for. One more question: do you know why, since the infection, I cannot update Avast or the automatic virus update? It says it can't connect to the server; everything else works great on Avast except the auto update. Thanks again for the help.