Infected (Google search results redirecting) and cannot install Spybot, MGTools, HJT

Discussion in 'Malware Help (A Specialist Will Reply)' started by beckstrou, Sep 1, 2009.

  1. beckstrou

    beckstrou Private E-2

    Hi there,

    I have searched this and other forums, and cannot find an answer. Everyone here seems very helpful so I hope someone can help me with my problem.

    The Google search results on my Vista laptop are redirecting to various sites including Blinkx and Ebay, and Windows Defender keeps popping up telling me about Win32RemosJM Trojan (?).

    I am trying to follow instructions posted here, but I cannot install Spybot (keeps telling me I do not have permissions to access my C Drive) or HJT (same sort of error). I have tried running as administrator (right click and selecting that option), and I have tried it in Safe Mode too. No luck. Cannot get MGTools to work either. Won't allow me to save to the C drive, and if I try to run the .exe from my desktop, it just stops.

    So I haven't a clue how to start fixing the problem. I am by no means a techie, but sort of okay with computers and managed to fix a virus problem with help from internet forums once before. This though has me totally stumped. And I am moving house on Friday so won't have the internet for a while - there were some things I needed to do before then :-(

    I would really appreciate any help anybody could offer.

    Thanks

    Beck
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Infected (Google search results redirecting) and cannot install Spybot, MGTools,

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.

    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. beckstrou

    beckstrou Private E-2

    Hello
    Thank you very much for your helpful reply. I don't think I followed the steps properly at first so apologies for that. I have now followed the Vista cleaning procedure very carefully. Not all of it worked but this is what happened.

    1. SUPERAntiSpyware found Trojan.Dropper/win-NV. It quarantined and removed that virus and asked for a reboot. After reboot, I could not get back into the program to obtain the log - it said "you may not have the appropriate permissions".

    2. Malwarebytes Anti-Malware. Downloaded and run the program, and after clicking on 'Perform Quick Scan' and then 'Scan' a further dialogue box appeared and then disappeared pretty quickly. Nothing else happened and there was no log. I tried this a few times but this kept happening.

    3. Combofix log popped up, and after that no programs worked, but we did a manual shutdown and then upon reboot, the programs started working again and the log was there (see attached).

4. Rootrepeal - I just could not download it. The windows popped up to download but it just was not on the desktop when I tried to extract the file. I tried this several times, because the download seemed as though it had worked, but the file never appeared.

    5. MGTools. I think this worked, and the file is attached.

    There is another file that has appeared, called bug.txt - I don't know what this is but have not attached it as I was trying to follow instructions exactly.

    Many thanks in advance for any help you can offer - I know that you guys do this in your spare time and it is really appreciated.
     

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Tell me what happens if you double click on C:\MGTools\analyse.exe. If it runs, choose to do a system scan only then attach the log.

Let's also try doing this:
     
  5. beckstrou

    beckstrou Private E-2

    Okay, thanks for your continued help. This is really frustrating but I appreciate your assistance.

    Firstly, double clicking on analyse.exe brought up an error saying "Windows cannot access the specified device, path or file. You may not have the appropriate permissions..." etc. This seems to happen when I try to run a lot of the anti-malware programs.

    Secondly, I could not download either of the files you specified. Every time I tried, they just disappeared and were nowhere to be found, even though it appeared as though they had downloaded normally. I tried saving to different locations but nothing worked.

    Then I got another computer, downloaded the items to that machine and put them on a CD to download onto this machine. I was able to do this, and I then did a scan with MGTools as instructed.

    When I tried to run FixAvp the command prompt came up really briefly and then disappeared. Nothing happened. I tried this a few times, but it did not work.

    So I have attached the most recent log from MGTools in case this is of any help.

    Also: there are two greyed out files called 'desktop.ini' on my desktop. When I put the CD in from the other machine, the 'desktop.ini' file tried to write itself to the CD. Not sure if this information will be of use but I am getting quite desperate.

Please could you tell me if I should enable my firewall and AVG Resident Shield again (they were switched off as part of the cleaning procedure) or not?

    Would really appreciate your advice on what to do next. I am currently at my parents' house using their wireless internet connection but at the end of this week, my own broadband will be set up (I have just moved house). Should I set this up on my infected laptop or wait until it is fixed?

    Many thanks.
     

    Last edited by a moderator: Sep 14, 2009
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You probably could not run the fixAVP because you downloaded the Avenger zip to your desktop, but did not extract the Avenger.exe to your desktop. It would appear as though you created a folder on the desktop named Avenger. The exe file needs to be on the desktop. Do that and try running the fixAVP file again.
     
  7. beckstrou

    beckstrou Private E-2

    Hi, thanks for the reply.

    I am still having problems. This is what happened:

    I tried extracting Avenger.exe to my desktop, and it just created that empty folder - several times. I changed the settings to get it to extract directly to the desktop (rather than creating the Avenger folder) and that didn't work either. It just wouldn't extract. Is this because of the virus?

    Anyway, I then used WinRAR, and managed to extract the .exe to the desktop. Then I tried FixAVP and again, it just flashed up the command prompt very briefly - it was really just a flicker and no more - and then stopped. I tried this several times. I couldn't get it to run.

    In desperation I then tried to run Avenger on its own and this seemed to work, but I'm not sure it found anything. I probably shouldn't have done this but I wanted to try and progress something.

    I did another scan with MGTools afterwards, in case that would be useful. It is so frustrating as I don't seem to be able to use half the stuff on my machine. Before I did all of this, I tried double clicking on C:\MGTools\analyse.exe again and got the permissions error again.

    Should I switch my anti virus etc back on now, or wait till this is fixed? Thanks again, I do appreciate the help. The laptop is quite new so it is very frustrating!

Edited as I forgot to attach the log file...sorry. Also, I forgot to add at the start of my thread that we are pretty sure that the infection was acquired on 31 August. In case this helps.
     

    Last edited: Sep 16, 2009
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now do the following:
    Download this Win32kDiag
    * Please save Win32kDiag file to your desktop.
    * Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished,
    there will be a log called Win32kDiag.txt on your desktop. Please attach this log

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Then attach the below logs:

    • the new log from Win32kDiag
    • C:\MGlogs.zip
     
  9. beckstrou

    beckstrou Private E-2

    Hi there

    OK. First of all, I still cannot download anything to the desktop (or anywhere else on the machine). When I attempt to download a file it just disappears - there's nothing there.

    So what I did was I downloaded to another machine, copied to CD, and then copied Win32kDiag to the desktop in that way. This worked and the log is attached.

    I could not find MGTools.exe, so tried the analyse.exe again in case that is what you meant. This did not work - I got the permissions error. Not sure what to do so I ran GetLogs.Bat and the resulting log is attached, but I'm not sure if this is what you wanted or not.

    Thanks for your continued help...this is doing my head in! I am thinking about reinstalling Vista but would really prefer to be able to fix this.

    By the way, although I have the problem with permissions, my Google search results are no longer redirecting.
     

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please re-run win32diag and attach the log.

    Then download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one. Run the exe and attach the new MGLogs.zip.

    Are you unable to run ComboFix?
     
  11. beckstrou

    beckstrou Private E-2

    Hi there

    I still cannot download to this machine (as the files just disappear - they are nowhere to be seen) but I used a CD and another machine, and the logs are attached.

    I was able to run Combofix and attached that log to an earlier message but I have also run it again, and there is a new log attached.

    Search results are no longer being hijacked but there is still a permissions problem.

    Many thanks.
     

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  13. beckstrou

    beckstrou Private E-2

    Okay, thanks. I downloaded inherit.exe (NB: I had to do this using another machine).

Then I ran through the stuff in the Vista Cleaning Procedure that I could not do before because of permissions errors. I have not included Combofix since I was able to run that the other day but I was able to run:

    SUPERAntiSpyware - when completed a dialogue box with "No harmful items found" popped up. In the scan log section the log from tonight appeared and also the log from previously (6 Sep when we were unable to access the log). Both are attached.

    Malwarebytes Anti-Malware - scan completed successfully and upon completion a dialogue box came up saying that no malicious items had been detected. Log attached.

    Rootrepeal - scan started fine but once it reached c:\windows\winsxs\Manifests it stopped and did nothing for about 40 minutes. We took a screengrab and it is attached. After stopping Rootrepeal we got an error saying "Could not read our index block" and "Could not read attribute list data".

    We then followed the steps about Avenger, FixAVP, MGTools following your instructions posted on September 10th. MGTools was fine (new log attached), but FixAVP had the same problem. No permissions error but the black box just flashed up for a matter of seconds and then disappeared and nothing happened after that. We tried with Inherit also, but the same thing happened.

    All of the log files are attached - thanks again ... do you think we are close to being healed?

    Also: the problem with downloaded files disappearing (or rather not appearing at all) - some internet research suggests this may not be virus related but due to a conflict with Vista and AVG; have you heard of this sort of thing?
    I intend to uninstall AVG and replace with something else but will wait until I know we are clean first.

    I will attach the RootRepeal screenshot to a new post as I can only attach 4 files. Thank you again
     

  14. beckstrou

    beckstrou Private E-2

    And here is the RootRepeal screenshot in case it is of any use...thanks.
     

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's do one more thing.

    Now download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one. Run the exe file.

    Now we need to reset the permissions altered by the malware on some files.

    • Download this tool and save it to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). While this is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files that need to be fixed, you could get only a few or many of these popups.


    Attach the new MGLogs and tell me what issues you still have.
     
    Last edited by a moderator: Oct 3, 2009
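The permission reset TimW describes above (dragging a locked executable onto Inherit.exe, then running FixPerm.bat) is aimed at files whose ACLs the malware has changed, which is what produces the "You may not have the appropriate permissions" error on analyse.exe and the other tools. As an added illustration, not part of this thread and not the code of MGtools or Inherit.exe, the following script audits a folder for files that carry an explicit Deny entry or have ACL inheritance switched off, and, only when -Fix is given, restores inherited permissions with icacls. The folder path, the -Fix switch and the function name are assumptions; it assumes Windows PowerShell 3.0 or later and an elevated (Run as Administrator) session.

```powershell
# Added example: audit a folder for malware-style permission damage and optionally reset it.
# Not from the thread, MGtools or Inherit.exe. $Root and -Fix are assumptions.
param(
    [string]$Root = 'C:\MGTools',   # assumed folder to audit
    [switch]$Fix                    # reset permissions only when explicitly requested
)

# Returns one object per file whose ACL looks tampered with: inheritance disabled
# ("protected" ACL) or an explicit, non-inherited Deny entry. Reading the ACL can
# itself fail on a locked file, so that case is reported instead of aborting the scan.
function Get-SuspiciousAcl {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                $acl = Get-Acl -Path $file.FullName -ErrorAction Stop
            } catch {
                # Cannot even read the security descriptor: worth a look on its own.
                return [pscustomobject]@{
                    Path        = $file.FullName
                    Owner       = '(unreadable)'
                    NoInherit   = $null
                    DenyEntries = 'ACL not readable: ' + $_.Exception.Message
                }
            }
            $deny = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })
            if ($acl.AreAccessRulesProtected -or $deny.Count -gt 0) {
                [pscustomobject]@{
                    Path        = $file.FullName
                    Owner       = $acl.Owner
                    NoInherit   = $acl.AreAccessRulesProtected
                    DenyEntries = ($deny | ForEach-Object {
                        '{0}:{1}' -f $_.IdentityReference, $_.FileSystemRights }) -join '; '
                }
            }
        }
}

$findings = @(Get-SuspiciousAcl -Path $Root)
if ($findings.Count -eq 0) {
    Write-Host "No files with disabled inheritance or explicit Deny entries under $Root."
} else {
    $findings | Format-Table -AutoSize
}

if ($Fix -and $findings.Count -gt 0) {
    foreach ($f in $findings) {
        # /reset discards the explicit ACEs and re-applies the parent folder's
        # inherited permissions, the same end state a permission-inheritance fix aims for.
        icacls $f.Path /reset | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "icacls /reset failed for $($f.Path); take ownership first (takeown /f) and retry."
        }
    }
}
```

Run it first without -Fix to see what it would touch; a tool folder like C:\MGTools normally has no Deny entries and inherits everything from its parent, so any hit is worth explaining before resetting it. If icacls reports access denied even from an elevated prompt, the file's owner has usually been changed as well, and ownership has to be taken back before the ACL can be rewritten.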
  16. beckstrou

    beckstrou Private E-2

Hi, thanks again for your help. I have followed your instructions and have come across problems again. I've used another computer to download MGTools and Inherit, burnt them to CD and used them in the locations you specified on the infected machine. I ran MGTools, and that worked fine, and placed Inherit on the desktop. However, when looking in c:\MGTools folder I could not find the FixPerm.bat file. The only Fix.bat files present were FixBagle.bat, FixCF.bat and FixFA.bat. I did not run any of those.

    I then tried to download MGTools and Inherit directly from the infected machine, and again the download happened but the downloaded files were nowhere to be seen.

I then used the MGTools and Inherit from the CD again, and still there was no FixPerm.bat file to be found.

    I've attached the MGLogs just in case this is of any use.

    Thanks again for all your help!
     

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Where do you have your downloads set to be saved? Are you downloading to your desktop?

    Now download and Run exeHelper


    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.

Now download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one. Right click the exe file and choose run as administrator.

    Attach the below logs when finished with all of the above:

    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools
     
  18. beckstrou

    beckstrou Private E-2

    Thanks again TimW!

    Okay, in answer to your first question, I usually have my downloads set to save to the desktop. However, just to give you a clearer idea of the problem I also tried downloading to the C:\ drive and the D:\ drive (using MGTools as the download guinea pig) and whilst all the usual download pop-up window with progress bar appeared, the downloaded file did not appear in any of those areas.

    With that trial over I then reverted to downloading exeHelper and MGTools on the non-infected machine, burning the two programs and transferring the CD to the infected machine.

    I copied over exeHelper to the desktop and it ran without a hitch. The fix ran and no 'Error deleting file' message appeared. I have attached the log.

    I then tried to run the online fix. I got to the 'Stage 4 - Run the Scanner' step of the instructions, clicked 'Run' on the pop window and nothing happened. There was no 'Click here to start' button and no 'Scan your Computer' button.

    I then pasted the downloaded version of MGTools from the CD to my C:\ drive. I then ran the .exe file as administrator. I've attached the new set of logs.

    I also had a look in the MGTools folder in the C:\ drive to see if the FixPerm.bat file had appeared. It still wasn't there.

    Many thanks again. Hope we're getting close to the finish line :)
     

  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Please use a different computer if necessary to download the latest version of MGtools, transfer it via CD, and save it to your root folder. Overwrite your previous MGtools.exe file with this one. Run the exe file and when done, attach the new log.

    You will see the fixperm.bat in the new version. Run it also.
     
  20. beckstrou

    beckstrou Private E-2

    Thanks for the reply - new MGTools log is attached.

    But I still could not see fixPerm.bat - I have attached two screenshots to show you what I mean. The first shows the contents of the MGTools folder, with no fixPerm.bat, and the second shows when MGTools was last downloaded so that you can see it was tonight.

    I used a different machine to download and transfer this version, even saving it to a new folder just in case.

    One thing: when I copied the .exe to CD to transfer to the infected machine, I got an error message saying it (the file) had data attached to it that would be lost if I copied it across. Would this have anything to do with it? Please help - I am baffled!

    Thanks.
     

  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This is very strange in that I just checked the MGTools.exe version and it does contain the fixperm.bat on my machine. Tell me what current issues you are having.

    Remember, that if you have an exe file that doesn't run, you need to drag it over the inherit.exe on your desktop.

    What browser are you using and have you double checked where you have downloads to be saved?

Now let's try this again:

    * Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished,
    there will be a log called Win32kDiag.txt on your desktop. Please attach this log

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    Tell me what happens.

    Next I want you to download the latest version of MGTools ( updated last night ) but this time I want you to save it to the Windows folder (yes the Windows folder) and then run C:\Windows\MGtools.exe .

Again, tell me if you only get the command prompt window for a second or two or if it runs to completion.
    Attach the logs.
     
    Last edited: Oct 18, 2009
  22. beckstrou

    beckstrou Private E-2

    Thanks again Tim!

    Here's the latest:

    The browser currently being used on the infected laptop is Internet Explorer. I have tried downloading files on the infected laptop to several locations (c:\ drive, d:\ drive, desktop, the 'My Downloads' folder) and the same thing happens - the pop-up dialogue box appears and you can see the progress of each download from 0% to 100%, but when progress reaches 100% the dialogue box disappears despite the 'Close dialogue box when download is complete' tickbox remaining unchecked. If I then go to the locations where I expected the downloaded file to be placed then there is no download to be seen.

I followed the Start > Run instructions and have attached the Win32Diag.txt file. One thing I did notice whilst the command prompt screen was running was that a lot of the time-stamps that appeared as the command prompt was going through the motions all had today's date on them but the time displayed was for way earlier than when I started this bit of the instruction. In fact, the time-stamps were showing a time that was a full 30 mins before I had even powered on the laptop.

Also, I attempted to download MG Tools on the infected machine direct to C:\Windows\ and, as always, despite the progress bar appearing there was no sign of the downloaded MGTools.exe file. I did notice in the C:\Windows folder that quite a few other files (PFRO.log, bootstat.dat and WindowsUpdate.log) had been created. The PFRO.log and the bootstat.dat files had date and time-stamps that matched exactly to the irregular one seen when I was obtaining the Win32Diag.txt log. I have attached all three of these files in case they are of any use.

    I then had to download MGTools on my non-infected desktop PC (this also uses Internet Explorer, but uses XP as opposed to the infected laptop's Vista), and burnt the MGTools.exe onto CD to use on the infected laptop. I copied it to c:\Windows and ran the file as administrator. It ran to completion. The log file and the MGTools folder appeared in the c:\ drive and not in the C:\Windows folder as expected. I had a look in the new c:\MGtools folder and there was still no FixPerm.bat file.

    Hopefully the attached files will shed some light on the problems. Due to the attachment restrictions, I will need to post again to attach the latest MGTool log. I just wanted to mention that so it doesn't get seen as bumping the thread.

    Many thanks again Tim for all your hard work!

    EDIT: Could not upload the WindowsUpdate.log file as it was 1,486kb. And could not upload the bootstat.dat file as it was an unrecognised format.
     

  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try doing this as I think you are still having a permission problem in your windows folder.

    First download this to the C:\windows folder: FixPerm.bat

    Make sure you still have Inherit.exe on your desktop.

    Then please download Junction.zip and save it to your C:\Windows folder.


Now let's try this again:

    * Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished,
    there will be a log called Win32kDiag.txt on your desktop. Please attach this log

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    Now run the fixperm.bat. You should then have a log called junclog.txt added to MGlogs.zip. Attach the new MGlogs.zip.
     
    Last edited by a moderator: Oct 23, 2009
  24. beckstrou

    beckstrou Private E-2

    Thanks again Tim for your continued assistance.

    As usual the FixPerm.bat and junction.zip could not be downloaded direct to the infected laptop, so they were transferred from the healthy desktop via CD.

I ran the Start > Run command and part way through the process, while the command prompt was doing the scan, a pop-up box appeared asking for a restart because it said important files were trying to be accessed and this could only happen after a restart. I postponed the restart and let it complete all the way through. I then ran the FixPerm.bat, as an Administrator because I'm using Vista; a black command prompt appeared, and almost immediately a further grey pop-up window entitled 'Finish' appeared with just the words 'OK' inside and an 'OK' button. I clicked it, and as soon as I did it reappeared again. So I kept clicking 'Ok' for what must have been over 20 times before both Command Prompt and the 'Finish' pop-up window finally disappeared.

    I had a look in the MGLogs.zip and the junclog.txt had been added but there was no data inside the file.

I then thought I'd restart the computer, just in case this would help get better results.

During the restart, before Windows Vista starts up, there was a Configuration Update screen (much like a Windows Updates screen) where it said there were 3 stages to be updated; when this had completed Vista started up.

I then ran the Start>Run instruction again and this seemed to take a bit longer than previous runs. Also, part way through the run, a security pop-up in the bottom right hand corner appeared. It was a notification with the red shield with a white cross on saying that there were multiple security threats detected on the laptop and to click the balloon to fix them. I didn't and carried on following your instruction.

    I have attached Win32Diag.txt log.

I then ran the FixPerm.bat again as administrator. This followed exactly the same process as the first run with 'Finish' pop-up window with OK button, and then reappearing once the button had been clicked. Again this happened about 25 times.

    I have attached the new MGLogs.zip file.

    Many thanks again Tim. I'm just pleased that I finally got to see the FixPerm.bat file.... I didn't think one ever existed! :)
     

  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I want you to try doing a few things.

    Go to the C:\MGTools folder and drag C:\MGTools\analyse.exe onto the inherit.exe on your desktop. See if it then runs. Attach the log if it does. But do tell me what happens.

    Next please use windows explorer to find and delete:
    C:\Users\Beck and Mark\AppData\Local\temp\Low
    C:\Users\Beck and Mark\AppData\Local\temp\xx2
    C:\Users\Beck and Mark\AppData\Local\temp\xx3
    C:\Users\Beck and Mark\AppData\Local\temp\xx4
    C:\Users\Beck and Mark\AppData\Local\temp\xx5
    C:\Users\Beck and Mark\AppData\Local\temp\xx6

    Now try doing the online SAS scan again.

    Please install FireFox
    Can you download with that browser?

    Please download this ExplorerXP and save it to the C:\Windows folder. I don't want you to transfer it, I want you to try downloading it with a different browser.

    Now right click the fixperm.bat in the C:\windows folder and choose copy. Then open the MGTools folder and paste it there. Tell me if it copies there.
     
    Last edited: Oct 26, 2009
  26. beckstrou

    beckstrou Private E-2

    Hi Tim!

    Thanks again. I think this last set of instructions has produced some very positive results. Let me take you through the outcome.

Firstly, dragging the analyse.exe file onto the inherit.exe didn't run MGTools. Instead I just got the small 'Finish' pop-up window with the 'OK' button in it. This was the same pop-up as I got 20 times running the last set of instructions, only in this case I got only 1 pop-up.

    I then deleted the files as requested.

I ran the SuperAntiSpyware online scan, and for the first time this worked fine. Whereas previously I couldn't get to the stage where I could run the scan, this time I could. Once scanning was complete I received the pop-up window with 'No harmful software detected.' Although you didn't ask for it, I've attached the SAS log.

I then managed to download Firefox onto the infected laptop. This was a first, the first download in months that has gone through the downloading process with the file actually appearing, and appearing where it was supposed to, in the correct location.

Using Firefox, I then managed to download ExplorerXP to c:\Windows.

    I then managed to copy FixPerm.bat from C:\Windows and paste it into the MGTools folder.

    So success all round, apart from the first stage of trying to run analyse.exe using inherit.exe. I tried this first before the other instructions and haven't tried it since.

    Many thanks again Tim. I definitely think this is progress.
     

  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Infected (Google search results redirecting) and cannot install Spybot, MGTools,

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  28. beckstrou

    beckstrou Private E-2

    Re: Infected (Google search results redirecting) and cannot install Spybot, MGTools,

    Hi Tim,

    I ran it, and again got the black command pop-up screen followed by the pop-up entitled 'Finish' with just the OK button inside it. I again had to hit 'OK' about 25 times before it would vanish. I don't know if it's supposed to do this.

    Anyway, the MGTools zip file is attached.

    Many thanks!
     

  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Infected (Google search results redirecting) and cannot install Spybot, MGTools,

    I am not seeing Junction.exe anywhere on your system. Try downloading it directly to the C:\Windows folder and unzip it there.

    Then, again, try running the C:\MGTools\fixperm.bat.

    Tell me what happens.
     
  30. beckstrou

    beckstrou Private E-2

    Re: Infected (Google search results redirecting) and cannot install Spybot, MGTools,

    Hi Tim,

    Yes, you're right. I had downloaded the Junction.zip but not unzipped it. I followed your instructions. Initially the black command prompt screen appeared and the same 'Finish' pop up dialogue box with the 'OK' button appeared. I had to click that about 10 times and then Junction.exe terms and conditions user agreement pop-up appeared. I clicked the 'agree' and although there was no sign that anything was actually happening, the command prompt screen stayed up and the processor light on the keyboard started whirring away rapidly. The command prompt screen vanished of its own accord.

    I was a bit suspicious whether it had done anything, so I had a look in the MGTools log, and the Junction log actually has some info in it this time.

    I've attached the log file.

    Many thanks again, hopefully this is all good progress!
     

  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Infected (Google search results redirecting) and cannot install Spybot, MGTools,

    Other than our not getting a HJT log in the MGLogs, what exactly are the issues you still have?
     
  32. beckstrou

    beckstrou Private E-2

    Re: Infected (Google search results redirecting) and cannot install Spybot, MGTools,

    Hi Tim,

    It's a bit difficult to say because since picking up the malware I've stopped using the infected laptop in favour of a desktop. Having dismantled all the virus protection software on the laptop I wanted to get the thumbs-up from you guys before using it in the normal way again.

    At the time, clicking on Google search results meant I was being redirected to other sites. Also, saving files to any area on the laptop just wouldn't happen, and neither would installing programs as I was denied access and permission rights to do a lot of this.

    I think, from following your instructions, the downloading and permissions problems may now be rectified. I can't say for sure because I've only used the infected laptop to follow your instructions, and tried this on installing the programs you've directed me to save and run.

    I just don't know about the Google redirects as I haven't tried.

    Given that some of the issues we were having (downloading, permissions, etc) now seem to be sorted out, do you think it would be worth trying to run HiJack This again? The laptop may be able to produce a log now.

    Other than that, if you can't see any further problems, is there a process to help return the laptop back to normal? By that, I mean switching back on anti-virus software and rectifying the UAC. Also, are there any best practice guidelines to help prevent a future recurrence and pointers on how to tighten the laptop's security?

    All the best!
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Infected (Google search results redirecting) and cannot install Spybot, MGTools,

    I suggest you re-enable all of your AV and AS programs and then see if you have any issues.

    We will clean up by doing the below:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  34. beckstrou

    beckstrou Private E-2

    Re: Infected (Google search results redirecting) and cannot install Spybot, MGTools,

    Hi Tim,

    Again many thanks for all your support and knowledge through this. I have followed your final steps and come across a few quirks - nothing major, I hope!

    Firstly, I could not remove Hijack This from my Desktop. All the other programs were fine to uninstall. I think HijackThis was a problem because originally I could never download it to the infected laptop, so I downloaded it on an uninfected PC, burnt the file to a CD and copied it straight to the desktop on the infected laptop. When I try I get a pop-up window that says 'Destination Folder Access Denied' and 'You do not have permission to perform this action'.

    Another quirk was when I was disabling the system restore. When I went to System Properties and then System Protection, under the section marked 'Automatic Restore Points' in the 'Available Disks' list were the C and D drives, as expected. However, along with them was another folder entitled PQSERVICE. I have no idea what this is or what it is there for. I don't recall seeing it before.

    Also I have been following the 'How to protect yourself against Malware' guide. I have decided to keep my Anti-Virus Software (AVG) but to change my Firewall. Previously my firewall was provided by Windows, as I'm running Vista. I decided to use Comodo for this update. However, I'm a bit concerned that when downloading the Comodo Firewall I may have chosen the wrong options. When I was installing it I was faced with a choice of Firewall or Firewall plus something that helps against malware. I said no to the latter as I already have AVG. After I selected just the firewall it then recommended that I also install 'Leak Protection'; as it sounded like anti-virus software, I declined this also. Did I do the right thing? Also, is there a possible check to ensure that just the Comodo firewall is running? I don't want Comodo Anti-virus and AVG running simultaneously. Sorry if these questions sound like real no-brainers, but I'm a bit of a novice when it comes to computers.

    Many thanks again for all your help!
     
  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Infected (Google search results redirecting) and cannot install Spybot, MGTools,

    Since the HJT file was created on a different computer, you will have to take ownership of it. Right click the file, choose properties, security, and then click your user profile and fill in each box under permissions.

    Acer hidden recovery partition (PQSERVICE) --> Not sure if this should have become hidden once you did the final instructions. You can check on that by going to your control panel, open File and Folders and then in the view tab, uncheck show hidden files and folders.

    Comodo questions should be asked in the software forum. It sounds as though you are fine as far as what you did to install it.

    You are most welcome. :)
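    The checks below are an added example, not part of this thread or of the MajorGeeks tools, covering the three things the last few posts leave the user to verify by hand: that UAC is back on after step 5 of the final steps, that the cleanup tools from steps 2 and 7 are really gone, which firewall and anti-virus products Windows knows about (the Comodo/AVG question), and taking ownership of the HijackThis file that was copied in from another machine. The file names and paths are assumed from the thread's instructions; run it from a PowerShell prompt opened with Run As Administrator.

```powershell
# Added post-cleanup checks (example code, not the thread's own tools).
# Paths and file names below are assumptions based on the instructions above.

# 1. UAC: enableUAC.reg sets EnableLUA back to 1; confirm it took effect.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $uacKey -Name EnableLUA).EnableLUA
if ($enableLua -eq 1) {
    'UAC: enabled'
} else {
    'UAC: DISABLED - run C:\MGtools\enableUAC.reg again and reboot'
}

# 2. Cleanup leftovers: anything still present here means a step was skipped.
$leftovers = @(
    "$env:USERPROFILE\Desktop\combofix.exe",   # step 2 uninstall target (assumed name)
    'C:\MGtools',                              # removed by MGclean.bat (step 7)
    'C:\MGlogs.zip'                            # log archive produced by GetLogs.bat
)
foreach ($path in $leftovers) {
    if (Test-Path $path) { "Still present: $path" } else { "Gone: $path" }
}

# 3. Security Center view of installed firewall and anti-virus products.
#    root\SecurityCenter2 exists on Vista and later; one FirewallProduct
#    entry for Comodo and one AntiVirusProduct entry for AVG is the expected result.
'--- Firewalls registered with Security Center ---'
Get-WmiObject -Namespace root\SecurityCenter2 -Class FirewallProduct |
    Select-Object displayName, productState
'--- Anti-virus products registered with Security Center ---'
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct |
    Select-Object displayName, productState

# 4. Take ownership of a file copied from another PC so it can be deleted
#    (the 'Destination Folder Access Denied' case with HijackThis).
$hjt = "$env:USERPROFILE\Desktop\HijackThis.exe"   # assumed file name
if (Test-Path $hjt) {
    takeown /F $hjt | Out-Null                      # make the current user the owner
    icacls $hjt /grant "${env:USERNAME}:F" | Out-Null   # then grant Full control
    "Owner of HijackThis.exe is now: " + (Get-Acl $hjt).Owner
}
```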
     