Help with several trojans and search redirects needed

This started on the 25th with a pop-up while my wife was on Facebook. It said Windows had detected a trojan, and to click on the message to remove it. I closed the popup using the red X at the upper right corner, but then got Avast messages that said, quote:
Sign of “JS:FakeWarn-C [Trj]” has been found in "C:\Documents and Settings.…
I thought it had been stopped, so I didn’t run a scan until I noticed that my searches were being redirected whenever I clicked on any of the results.
Since then, Avast has warned me it found signs of “Nutcracker Family”, “Java:Agent-B [Trj]”, “HTML:IFrame-inf”, and “Win32:DNSChanger-VJ [Trj]”.
I followed the suggested action each time.
I can no longer access the internet on the affected computer. It comes up with general svcexe errors at startup.
I have run Malwarebytes on it, and it says there is nothing found. I have also run both HijackThis and OTL, and I am attaching the logs.

Thanks in advance for any help!

I have sent a PM to Essexboy; he usually enters the forum late UK time, so be patient.

I will need to start with a big hammer on this one.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

- Double click on ComboFix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks for the quick reply! Before I start something that cannot finish properly - the system that I am working on won’t access the internet. I can download ComboFix to an SD card and copy it to the desktop of the affected PC, but if it needs to install the Windows Recovery Console, there is no active internet connection to download through. Can I download and install Windows Recovery Console using the SD card? Where would I find it? Can the internet connection be fixed first? I do have the ethernet cable unplugged right now, because even though I can’t seem to get out, I don’t want to leave a path for someone to get in.

Thanks again for the help!

There is a way around that. We need the recovery console as a backstop help. Run this disconnected, and on completion of ComboFix try the net.

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.


Download ComboFix from one of these locations:

Link 1
Link 2

Note: It is important that it is saved directly to your desktop


With malware infections being as they are today, it’s strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft’s website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that’s appropriate for your Operating System. Download the file & save it as it’s originally named.

Note: If you have SP3, use the SP2 package.


Transfer all files you just downloaded, to the desktop of the infected computer.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

- Drag the setup package onto ComboFix.exe and drop it.

- Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

http://img.photobucket.com/albums/v706/ried7/whatnext.png

- At the next prompt, click ‘Yes’ to run the full ComboFix scan.

- When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

Followed all instructions and ran ComboFix. Partway through, it found “rootkit activity” and needed to reboot, which I okayed. After the reboot, it finished and generated the txt file which is attached.
Thank you, and I await further instruction!!

Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected Restored copy from - Kitty had a snack :p
The redirector is dead. Can you now get online? If not, what is the error you get?

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

- Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Hooked the cable back up to the router, and got an error: limited or no connectivity. I clicked on repair: cannot repair due to no IP address is being assigned. Avast was not loaded either. Rebooted the computer to see if it would assign an IP address. Got no errors, but when I looked for the Avast resident protection, it still wasn’t in the toolbar. Tried launching it manually and updating the virus definitions. Computer locked up and wouldn’t even respond to a shutdown command from Task Manager. Disconnected the cable from the router and 15 minutes later, I finally just shut it off manually.
I do have malwarebytes on the computer from earlier in this process, but of course, until I can access the internet, I can’t update it.

What next?

Let’s check some settings on your system:

- Enter your Control Panel and double-click on Network Connections.
- Then right click on your Default Connection (usually Local Area Connection for Cable and DSL, or AOL Connection).
- Left click on Properties.
- Double-click on the Internet Protocol (TCP/IP) item.
- Select the radio button that says Obtain DNS Servers Automatically.
- Press OK twice to get out of the properties screen.
- Restart the computer.

Go to Start > Run, type CMD and click OK. The MS-DOS window will be displayed. At the command prompt, type the following and press Enter after each line:

ipconfig /flushdns (The space between g and / is needed)
regsvr32 netshell.dll
regsvr32 netcfgx.dll
regsvr32 netman.dll
Exit

Restart the computer.
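An added example, not part of this thread or of any tool it names: a PowerShell script (run as Administrator) that audits the per-interface DNS registry values behind the “Obtain DNS servers automatically” setting, so a hard-coded DNS list left behind by a DNS changer shows up before the reset, and then repeats the reset commands from the post above. The registry value names are the ones Windows uses; the Get-DnsAudit function name is the example’s own.

```powershell
# Added example (not from the thread). Per-interface TCP/IP settings live under
# this key. "NameServer" is a manually entered DNS list (what selecting "Obtain
# DNS servers automatically" clears); "DhcpNameServer" is what DHCP handed out.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-DnsAudit {
    Get-ChildItem $ifRoot | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            Interface   = $_.PSChildName
            DhcpEnabled = ($p.EnableDHCP -eq 1)
            StaticDns   = $p.NameServer
            DhcpDns     = $p.DhcpNameServer
            # A DHCP interface should have no manual DNS list at all; one that
            # does is the setting a DNS-changing infection typically leaves behind.
            Suspicious  = (($p.EnableDHCP -eq 1) -and -not [string]::IsNullOrEmpty($p.NameServer))
        }
    }
}

$audit = Get-DnsAudit
$audit | Format-Table Interface, DhcpEnabled, StaticDns, DhcpDns, Suspicious -AutoSize

if ($audit | Where-Object { $_.Suspicious }) {
    Write-Warning 'A DHCP interface has a hard-coded DNS list; set it back to automatic in TCP/IP properties before the reset.'
}

# The same reset the helper prescribed. /s keeps regsvr32 from showing a
# dialog per DLL; the exit code is echoed instead so failures are visible.
ipconfig /flushdns
foreach ($dll in 'netshell.dll', 'netcfgx.dll', 'netman.dll') {
    regsvr32 /s $dll
    Write-Host "regsvr32 $dll exit code $LASTEXITCODE"
}
```

Reboot afterwards as the post says; the re-registered network DLLs and the cleared resolver cache only take full effect once the Network Connections service restarts.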

The Network settings were already set as you described, but I rebooted after verifying anyway.
Ran the DNS flush and commands as you set out - all reported operations successful.
Rebooted and I was able to update Malwarebytes, and I’m showing normal connection to the internet.
Running quick scan now, and I will copy and paste the report as soon as it finishes.

Updating this using the affected computer. Searches appear to be normal - no redirection to oddball sites. Things seem to be running okay, but the Avast! resident protection is not running. I have attached the log file from the quick scan of Malwarebytes.
How do I get Avast! resident protection back up, and is there anything else I need to do?

You can try an avast! repair.

For a repair of avast!: Windows, Add/Remove Programs, select ‘avast! Anti-Virus’, click the Change/Remove button in the pop-up window, scroll down to Repair, click Next and follow the prompts.

I got an error popup when I tried repair. It said I could only do a full re-install. It also came up with an error log which I am attaching.
Even though I don’t have any icons for avast! in the system tray, Windows security shows avast! as reporting it is running and working fine. Also, task manager shows aawservice.exe, ashMaiSv.exe, ashServ.exe, ashWebSv.exe, and aswUpdSv.exe in the processes window.

You are a few files short.

Download a new copy of Avast, uninstall the old and install the new, then let me know if all is OK.

Then I will remove my tools.

Everything appears to be working the way it is supposed to now.

Sincerely - Thank you very much for all of your help, I appreciate it more than I can tell you!!

ready for removal of your tools…

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day: your log now appears clean. :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that:

- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.

SPRING CLEAN

Download TFC to your desktop

- Open the file and close any other windows.
- It will close all programs itself when run, so make sure to let it run uninterrupted.
- Click the Start button to begin the process. The program should not take long to finish its job.
- Once it’s finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

THEN

Download Flush Flash from Here and follow the easy-to-use instructions on the same page.

NEXT

Download and run Puran Disc Defragmenter.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
- SpywareBlaster to help prevent spyware from installing in the first place.

- Malwarebytes. Run weekly to keep your system clean.

It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated.

To keep your operating system up to date visit:
- Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place?
Keep safe :wave: