
Google searches are redirecting and I have a false anti-virus auto-installed

Discussion in 'Virus and Malware Removal' started by SirCarnifex, Jul 31, 2010.

  1. SirCarnifex Newcomer, in training Posts: 68

    Hello,

    I've recently gotten a virus which installed a fake anti-virus program called Antimalware Doctor. It automatically started running during a routine scan I do with McAfee (and consequently stalled the McAfee scan). I used alt-F4 to close the program as fast as I could and then immediately started researching it online to see how I could remove it from my computer.

    The advice I got seemed to work at first - removing certain files from the registry, closing the process and deleting some files from the computer. It seemed to solve the problem of that false program popping up, but I was then getting redirects on my Google searches and random pop-up ads that came up in new tabs.

    I started doing more research on that and while I was doing so, Antimalware Doctor popped up again with the same "scanning, your computer may be infected" thing. So now I'm here and looking for help to get rid of the redirects and the false anti-virus.

    I started on the eight basic steps to do. I got the temporary files folders cleaned with TFC and then moved on to step 3 - Malwarebytes. This is where I got stuck. Malwarebytes tells me that it cannot connect to the server when it tries to update. If I'm supposed to update it before running and it can't update, should I just go ahead and run the scan? Or is there another way I can update it?

    Due to the above I don't have any logs yet, sadly. I wish I had.

    Thanks for any assistance. I'll be very, very happy to have this pesky virus gone from my computer!!!
  2. Broni Malware Annihilator Posts: 40,051   +187

    Skip Malwarebytes and complete rest of the steps.
  3. SirCarnifex Newcomer, in training Posts: 68

    Thanks for the quick reply.

    I've run Gmer and DDS and skipped Malwarebytes as instructed.

    GMER kept rebooting the computer whenever I tried running it until I did safe mode. Safe mode did the scan but didn't provide a log, so I went back to normal mode and opened GMER and a log instantly appeared. Hopefully I did it right...

    GMER log:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-07-31 22:43:08
    Windows 5.1.2600 Service Pack 3
    Running: pliimpjb.exe; Driver: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\ufliaaog.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB6C7678A]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB6C76821]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB6C76738]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB6C7674C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB6C76835]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB6C76861]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB6C768CF]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB6C768B9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB6C767CA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB6C768FB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB6C7680D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB6C76710]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB6C76724]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB6C7679E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB6C76937]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB6C768A3]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB6C7688D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB6C7684B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB6C76923]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB6C7690F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB6C76776]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB6C76762]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB6C76877]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB6C767F9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB6C768E5]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB6C767E0]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB6C767B4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 8AD10EC5

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
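    One way to triage a GMER log like the one above automatically, as an added example that is not part of this thread and is not GMER's own code. It recognises the four line shapes the log shows (SSDT hooks, filter drivers attached to devices, a device object whose handler is reported only as an address, and a file flagged as a suspicious modification) and grades each one. The vendor allowlist in `KNOWN_VENDORS`, the info/warn/high scheme and the `unknown.sys` hook line in the sample are assumptions made for illustration; the other sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass

# Line shapes taken from the GMER log posted above (Windows paths, hence raw strings).
HOOK_RE = re.compile(
    r'^Code\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)'
    r'(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?$')
ATTACHED_RE = re.compile(
    r'^AttachedDevice\s+(?P<target>\S+)\s+(?P<dev>\S+)\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)$')
DEVICE_RE = re.compile(
    r'^Device\s+->\s+(?P<driver>\S+)\s+(?P<dev>\S+)\s+(?P<addr>[0-9A-Fa-f]{8})$')
FILE_RE = re.compile(r'^File\s+(?P<path>.+?)\s+suspicious modification$')

# ASSUMPTION: vendors whose kernel hooks are expected on this machine. Fill it
# from the security products you know are installed; anything else is graded "warn".
KNOWN_VENDORS = {"McAfee, Inc."}


@dataclass
class Finding:
    severity: str   # "info", "warn" or "high"
    kind: str
    detail: str


def vendor_of(desc: str) -> str:
    """GMER prints '<driver description>/<vendor>'; return the vendor part."""
    return desc.rsplit("/", 1)[-1].strip() if desc else ""


def triage_line(line: str):
    """Classify one GMER log line, or return None for headers and blanks."""
    line = line.strip()
    m = HOOK_RE.match(line)
    if m:
        vendor = vendor_of(m["desc"])
        sev = "info" if vendor in KNOWN_VENDORS else "warn"
        return Finding(sev, "ssdt_hook",
                       f'{m["func"]} hooked by {m["module"]} ({vendor or "no vendor"})')
    m = ATTACHED_RE.match(line)
    if m:
        vendor = vendor_of(m["desc"])
        sev = "info" if vendor in KNOWN_VENDORS else "warn"
        return Finding(sev, "filter_device",
                       f'{m["module"]} attached to {m["target"]} ({vendor or "no vendor"})')
    m = DEVICE_RE.match(line)
    if m:
        # The device's handler is reported only as a raw address with no owning
        # module name, so nothing on the allowlist can vouch for it.
        return Finding("high", "unnamed_device",
                       f'{m["dev"]} on {m["driver"]} handled at 0x{m["addr"]}')
    m = FILE_RE.match(line)
    if m:
        return Finding("high", "modified_file", m["path"])
    return None


def triage(log_text: str):
    """Return the findings for a whole log, in file order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Sample log: every line is copied from the GMER output above except the
# unknown.sys hook, which is CONSTRUCTED to exercise the "warn" path.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB6C7678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\unknown.sys () ZwQueryDirectoryFile [0xB7A1C000]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8AD10EC5
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for f in findings:
        print(f"[{f.severity:4}] {f.kind}: {f.detail}")
    print(summarize(findings))
```

    Run against the log above, the two `high` findings are the atapi device object reported only by address and the atapi.sys file flagged as modified, while every hook and filter attributed to McAfee, Inc. is graded `info`. That grade is only as trustworthy as the allowlist: a hook whose description names a vendor you do not actually have installed should be treated as a warning, not as noise.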
  4. Broni Malware Annihilator Posts: 40,051   +187

    Cool :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  5. SirCarnifex Newcomer, in training Posts: 68

    I'm having trouble with posting anything more. I keep getting "connection reset". I can't seem to paste the DDS log in here OR upload it onto the forum.

    Any suggestions?
  6. SirCarnifex Newcomer, in training Posts: 68

    Trying to attach them zipped...

    ...It worked!

    Oh, and Combo... is that something that will take a while, because I can't be around the computer too much longer tonight.

    Thanks!

    EDIT: Oh, and one more question. By disconnecting from the internet, does that mean just closing the browsers or actually disconnecting by disabling the modem, unplugging the cable, or some other means?

    Attached Files:

     
  7. Broni Malware Annihilator Posts: 40,051   +187

    It depends on your computer state. Normally, it shouldn't take more than 10-15 minutes, but with heavy infection, it may take longer.
    Combofix will disconnect you by itself. You don't have to do anything.
  8. Broni Malware Annihilator Posts: 40,051   +187

    I unzipped your logs...

    Attached Files:

  9. SirCarnifex Newcomer, in training Posts: 68

    I cannot get ComboFix. I got an error that it could not be modified (I didn't try to modify it -- didn't even get it downloaded!) and then McAfee came up and said that it blocked a Trojan.

    Suggestions? Trying to download the link now just comes up with a page saying it can't load the page. :(
  10. Broni Malware Annihilator Posts: 40,051   +187

    Unfortunately, McAfee is not too smart and it has a history of blocking Combofix (will they ever learn?)
    Disable the McAfee AV part first (you'll have to in order to run Combo anyway) and try to download again.
    If still no go, let me know...
  11. SirCarnifex Newcomer, in training Posts: 68

    I can't even load the page to get to the file now.
  12. Broni Malware Annihilator Posts: 40,051   +187

    Fine, let me upload the file for you somewhere else.
    Give me a few minutes.
  13. Broni Malware Annihilator Posts: 40,051   +187

  14. SirCarnifex Newcomer, in training Posts: 68

    It downloaded just fine. Can I run it as broni.exe then? Or do I need to change it back? Pardon the [most likely] obvious question. I'm quite new to all this.

    Thanks!
  15. Broni Malware Annihilator Posts: 40,051   +187

    Yes. Just double click on broni.exe
  16. Broni Malware Annihilator Posts: 40,051   +187

    You've been doing perfectly fine.
    You should ask questions, when in doubt :)
  17. SirCarnifex Newcomer, in training Posts: 68

    I ran ComboFix and it started fine...

    It asked to install the recovery console and I chose yes. It went through the EULA, etc. blah blah blah, then started running. Well, I figured since it would take 10 to 20 minutes that I'd leave for a few to do something else and come back.

    When I came back, Windows had restarted and it said I have three days to activate Windows and that I have to do it because significant changes to hardware were made. Well, since I hadn't read a thing about this and it seemed off, I clicked NO. I figured that if that's the wrong choice I can always go back and activate it.

    Anyway, I did NOT get any report from ComboFix so I decided to log back online and ask some more questions, but my internet was not connected back yet. Tried a reboot. Nothing (except for the activation notice again). I'm posting this from another computer.


    So....the questions:

    1. Do I run ComboFix again? Did installing the Recovery Console cause a reboot and that's why I didn't get a report log?

    2. Do I activate Windows like it asks me to or is this part of a virus trying to get me to do things I shouldn't?

    Thanks once again for your time!

    P.S. I may or may not respond tonight as it is getting very late. If I don't I'll definitely be back tomorrow.
  18. Broni Malware Annihilator Posts: 40,051   +187

    Are you saying, you can't boot at all?
    How far does it go?
  19. SirCarnifex Newcomer, in training Posts: 68

    I can boot just fine. I just get the message saying I have three days to activate Windows. Internet is not active, however.

    Basically I can run everything fine right now EXCEPT internet. The Windows activation message is the only odd thing besides that. It also comes up in the toolbar with a message saying that I have three days as well.

    I can't stay online any longer tonight, but I'll be sure to check back in tomorrow. I really appreciate the help!

    EDIT: Oh, and as I said, no log from ComboFix. Need to know if I should try running it again or what.
  20. Broni Malware Annihilator Posts: 40,051   +187

    Yes, please, re-run Combofix.