TechSpot

Google searches are redirecting and I have a false anti-virus auto-installed

Solved
By SirCarnifex
Jul 31, 2010
  1. Hello,

    I've recently gotten a virus which installed a fake anti-virus program called Antimalware Doctor. It automatically started running during a routine scan I do with McAfee (and consequently stalled the McAfee scan). I used alt-F4 to close the program as fast as I could and then immediately started researching it online to see how I could remove it from my computer.

    The advice I got seemed to work at first - remove certain files from the registry, close the process and deleting some files from the computer. It seemed to solve the problem of that false program popping up, but I was then getting redirects to my Google searches and randomly popping ads that came up in new tabs.

    I started doing more research on that and while I was doing so, Antimalware Doctor popped up again with the same "scanning, your computer may be infected" thing. So now I'm here and looking for help to get rid of the redirects and the false anti-virus.

    I started on the eight basic steps to do. I got the temporary files folders cleaned with TFC and then moved onto step 3 - Malwarebytes. This is where I got stuck. Malwarebytes tells me that it cannot connect to the server when it tries to update. If I'm supposed to update it before running and it can't update, should I just go ahead and run the scan? Or is there another way I can update it?

    Due to the above I don't have any logs yet, sadly. I wish I had.

    Thanks for any assistance. I'll be very, very happy to have this pesky virus gone from my computer!!!
     
  2. Broni

    Broni Malware Annihilator Posts: 48,004   +271

    Skip Malwarebytes and complete rest of the steps.
     
  3. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    Thanks for the quick reply.

    I've run Gmer and DDS and skipped Malwarebytes as instructed.

    gmer kept rebooting the computer whenever I tried running it until I did safe mode. Safe mode did the scan but didn't provide a log so I went back to normal mode and opened gmer and a log instantly appeared. Hopefully I did it right...

    GMER log:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-07-31 22:43:08
    Windows 5.1.2600 Service Pack 3
    Running: pliimpjb.exe; Driver: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\ufliaaog.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB6C7678A]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB6C76821]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB6C76738]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB6C7674C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB6C76835]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB6C76861]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB6C768CF]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB6C768B9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB6C767CA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB6C768FB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB6C7680D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB6C76710]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB6C76724]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB6C7679E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB6C76937]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB6C768A3]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB6C7688D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB6C7684B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB6C76923]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB6C7690F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB6C76776]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB6C76762]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB6C76877]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB6C767F9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB6C768E5]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB6C767E0]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB6C767B4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 8AD10EC5

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
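    The GMER report above has three kinds of findings: kernel hooks (the `Code` lines, every one of them attributed by GMER to McAfee's own mfehidk.sys), filter drivers attached to the file-system and TCP/IP stacks (the `AttachedDevice` lines, again McAfee), a bare `Device ->` entry for the atapi driver's disk object, and one `File` line flagging atapi.sys as a suspicious modification. The following parser is an added example, not part of this thread and not GMER's code: it splits a GMER log into those sections, groups hooks by the module that owns them, and cross-references flagged files against drivers that own device objects, which is the first thing a responder checks when a log mixes a known security product's hooks with a modified system driver. The sample log is a constructed excerpt in the format of the post above; the regular expressions and the field names are this example's own assumptions about that format.

```python
"""Summarise a GMER rootkit-scan log (added example; not GMER's own code)."""
import json
import re
from collections import defaultdict

# Constructed excerpt modelled on the log posted in this thread.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-31 22:43:08
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB6C7678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB6C76710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8AD10EC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# Line shapes assumed from the posted log (not an official GMER grammar).
SECTION_RE = re.compile(r'^---- (.+?) - GMER [\d.]+ ----$')
CODE_RE = re.compile(r'^Code\s+(\S+)\s+\((.*?)\)\s+(\w+)(?:\s+\[(0x[0-9A-Fa-f]+)\])?$')
ATTACHED_RE = re.compile(r'^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*?)\)$')
DEVICE_RE = re.compile(r'^Device ->\s+(\S+)\s+(\S+)\s+([0-9A-Fa-f]+)$')
FILE_RE = re.compile(r'^File\s+(\S+)\s+(.+)$')


def basename(path):
    """Last path component, lower-cased, for Windows or NT object paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer_log(text):
    """Split the log into header lines, hooks, attached devices, device objects, files."""
    report = {"header": [], "hooks": [], "attached": [], "devices": [], "files": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            report["header"].append(line)
        elif (m := CODE_RE.match(line)):
            report["hooks"].append({"module": m.group(1), "vendor": m.group(2),
                                    "function": m.group(3), "address": m.group(4)})
        elif (m := ATTACHED_RE.match(line)):
            report["attached"].append({"target": m.group(1), "device": m.group(2),
                                       "driver": m.group(3), "vendor": m.group(4)})
        elif (m := DEVICE_RE.match(line)):
            report["devices"].append({"driver": m.group(1), "device": m.group(2),
                                      "address": m.group(3)})
        elif (m := FILE_RE.match(line)):
            report["files"].append({"path": m.group(1), "note": m.group(2)})
    return report


def summarise(report):
    """Group hooks by owning module and correlate flagged files with device objects."""
    hooks_by_module = defaultdict(list)
    for h in report["hooks"]:
        hooks_by_module[basename(h["module"])].append(h["function"])
    flagged = [f["path"] for f in report["files"] if "suspicious" in f["note"].lower()]
    # A flagged driver file whose driver also owns a device object (atapi.sys and
    # \Driver\atapi here) means the kernel is executing the modified code: inspect first.
    device_drivers = {basename(d["driver"]) for d in report["devices"]}
    correlated = [p for p in flagged if basename(p).rsplit(".", 1)[0] in device_drivers]
    return {"hooks_by_module": dict(hooks_by_module),
            "flagged_files": flagged,
            "flagged_with_device_object": correlated}


if __name__ == "__main__":
    print(json.dumps(summarise(parse_gmer_log(SAMPLE_LOG)), indent=2))
```

    On the thread's full log every hook collapses into one `mfehidk.sys` bucket carrying McAfee's vendor string, so the summary leaves exactly one item to act on: the atapi.sys modification, which is also the driver behind the `\Device\Harddisk0\DR0` entry.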
     
  4. Broni

    Broni Malware Annihilator Posts: 48,004   +271

    Cool :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    I'm having trouble with posting anything more. I keep getting "connection reset". I can't seem to paste the DDS log in here OR upload it onto the forum.

    Any suggestions?
     
  6. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    Trying to attach them zipped...

    ...It worked!

    Oh, and Combo... is that something that will take a while? Because I can't be around the computer too much longer tonight.

    Thanks!

    EDIT: Oh, and one more question. By disconnecting from the internet, does that mean just closing the browsers or actually disconnecting by disabling the modem, unplugging the cable, or some other means?
     

    Attached Files:

  7. Broni

    Broni Malware Annihilator Posts: 48,004   +271

    It depends on your computer state. Normally, it shouldn't take more than 10-15 minutes, but with heavy infection, it may take longer.
    Combofix will disconnect you by itself. You don't have to do anything.
     
  8. Broni

    Broni Malware Annihilator Posts: 48,004   +271

    I unzipped your logs...
     

    Attached Files:

  9. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    I cannot get ComboFix. I got an error that it could not be modified (I didn't try to modify it -- didn't even get it downloaded!) and then McAfee came up and said that it blocked a Trojan.

    Suggestions? Trying to download the link now just comes up with a page saying it can't load the page. :(
     
  10. Broni

    Broni Malware Annihilator Posts: 48,004   +271

    Unfortunately, McAfee is not too smart and it has a history of blocking Combofix (will they ever learn?)
    Disable McAfee AV part first (you'll have to run Combo anyway) and try to download again.
    If still no go, let me know...
     
  11. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    I can't even load the page to get to the file now.
     
     
  12. Broni

    Broni Malware Annihilator Posts: 48,004   +271

    Fine, let me upload the file for you somewhere else.
    Give me a few minutes.
     
  13. Broni

    Broni Malware Annihilator Posts: 48,004   +271

  14. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    It downloaded just fine. Can I run it as broni.exe then? Or do I need to change it back? Pardon the [most likely] obvious question. I'm quite new to all this.

    Thanks!
     
  15. Broni

    Broni Malware Annihilator Posts: 48,004   +271

    Yes. Just double click on broni.exe
     
  16. Broni

    Broni Malware Annihilator Posts: 48,004   +271

    You've been doing perfectly fine.
    You should ask questions, when in doubt :)
     
  17. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    I ran ComboFix and it started fine...

    It asked to install the recovery console and I chose yes. It went through the EULA, etc. blah blah blah, then started running. Well, I figured since it would take 10 to 20 minutes that I'd leave for a few to do something else and come back.

    When I came back, Windows had restarted and it said I have three days to activate Windows and that I have to do it because significant changes to hardware were made. Well, since I hadn't read a thing about this and it seemed off, I clicked NO. I figured that if that's the wrong choice I can always go back and activate it.

    Anyway, I did NOT get any report from ComboFix so I decided to log back online and ask some more questions, but my internet was not connected back yet. Tried a reboot. Nothing (except for the activation notice again). I'm posting this from another computer.


    So....the questions:

    1. Do I run ComboFix again? Did installing the Recovery Console cause a reboot and that's why I didn't get a report log?

    2. Do I activate Windows like it asks me to or is this part of a virus trying to get me to do things I shouldn't?

    Thanks once again for your time!

    P.S. I may or may not respond tonight as it is getting very late. If I don't I'll definitely be back tomorrow.
     
  18. Broni

    Broni Malware Annihilator Posts: 48,004   +271

    Are you saying, you can't boot at all?
    How far does it go?
     
  19. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    I can boot just fine. I just get the message saying I have three days to activate Windows. Internet is not active, however.

    Basically I can run everything fine right now EXCEPT internet. The Windows activation message is the only odd thing besides that. It also comes up in the toolbar with a message saying that I have three days as well.

    I can't stay online any longer tonight, but I'll be sure to check back in tomorrow. I really appreciate the help!

    EDIT: Oh, and as I said, no log from ComboFix. Need to know if I should try running it again or what.
     
  20. Broni

    Broni Malware Annihilator Posts: 48,004   +271

    Yes, please, re-run Combofix.
     
  21. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    I ran it again and this time I got a log. However, I still do not have internet access with that computer even after a reboot.

    I still get the activation notice upon startup. I also cannot turn the Windows firewall back on. I get a message saying the Windows firewall settings cannot be displayed because the connection is inactive, or some such note. I can't remember it exactly and didn't write it down (duh!).

    If I can get access to the internet with that computer I'll post a log. I notice that ComboFix removed some stuff that I had removed previously via regedit (before I came to this site).

    So where to from here?

    Thanks again for the help!
     
  22. Broni

    Broni Malware Annihilator Posts: 48,004   +271

    We have to try to solve one issue at a time...

    Use USB flash drive to transfer Combofix log to your working computer and post it here.

    BEFORE you do it...
    On your good computer...

    Download, and run Flash Disinfector, and save it to your desktop.

    *Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
    • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
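    The note above relies on a filesystem rule: a drive root can hold either a file or a folder named autorun.inf, not both, so a folder of that name stops an autorun file from being dropped there. The script below is an added example, not part of this thread and not Flash_Disinfector's code; it audits a drive root and reports which of the three states it is in: no autorun.inf, the protective folder, or an autorun.inf file, in which case it reads the `[autorun]` section and lists the keys that would launch something on insertion (`open`, `shellexecute`, `shell\open\command`). An autorun.inf that cannot be parsed is reported rather than ignored, since a file that is not a readable INF is itself worth a look. The sample drive roots are constructed in a temporary directory; the status names and `LAUNCH_KEYS` are this example's own choices.

```python
"""Audit a drive root for autorun.inf (added example; not Flash_Disinfector's code)."""
import configparser
import shutil
import tempfile
from pathlib import Path

# INF keys under [autorun] that cause something to execute on insertion
# (standard autorun.inf syntax; the set chosen here is this example's assumption).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def inspect_drive_root(root):
    """Return {'status': ..., 'launch': {key: value}} for the given drive root."""
    entry = Path(root) / "autorun.inf"
    if not entry.exists():
        return {"status": "absent", "launch": {}}
    if entry.is_dir():
        # The protective folder the post describes: a file of that name cannot be created.
        return {"status": "protected_folder", "launch": {}}
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        # Tolerate odd bytes; many hostile autorun.inf files carry junk padding.
        parser.read_string(entry.read_text(errors="replace"))
    except configparser.Error:
        return {"status": "unparseable_file", "launch": {}}
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {"status": "file_without_autorun_section", "launch": {}}
    launch = {k: v for k, v in parser.items(section) if k in LAUNCH_KEYS and v}
    return {"status": "launch_file" if launch else "inert_file", "launch": launch}


def build_samples():
    """Construct four fake drive roots in a temp directory, one per state."""
    base = Path(tempfile.mkdtemp(prefix="autorun_demo_"))
    (base / "clean").mkdir()
    (base / "protected").mkdir()
    (base / "protected" / "autorun.inf").mkdir()          # folder, as Flash_Disinfector creates
    (base / "launch").mkdir()
    (base / "launch" / "autorun.inf").write_text(
        "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nlabel=Photos\n")
    (base / "garbled").mkdir()
    (base / "garbled" / "autorun.inf").write_bytes(b"\x00\xff no section here\n")
    return base


def audit_all(base):
    """Inspect every sample root and map its name to the result."""
    return {child.name: inspect_drive_root(child) for child in sorted(Path(base).iterdir())}


if __name__ == "__main__":
    base = build_samples()
    try:
        for name, result in audit_all(base).items():
            print(f"{name:10s} {result['status']:28s} {result['launch']}")
    finally:
        shutil.rmtree(base)
```

    Run against a real drive letter (`inspect_drive_root("E:\\")`) the same function tells you whether the protective folder is in place or whether an autorun.inf file on the stick would try to run something, without executing anything from the drive.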
     
  23. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    This particular ancient computer I'm on right now doesn't have USB, but I got the flash drive available and I'll upload the log as soon as I get access to a computer that does have USB.
     
  24. Broni

    Broni Malware Annihilator Posts: 48,004   +271

    OK :).........
     
  25. SirCarnifex

    SirCarnifex TS Rookie Topic Starter Posts: 68

    Alrighty, I got ComboFix.txt uploaded.
     

    Attached Files:

Topic Status:
Not open for further replies.

