Google search hijacked, all steps run

By HarrimusMaximus
Jul 28, 2009
Topic Status:
Not open for further replies.
  1. All my Google searches were going to odd sites. Found this forum, and ran the steps. Before that...

    McAfee full scan found and removed
    Generic Rootkit.d!rootkit, file NTOSKRNL-HOOK
    FakeAlert-FT, file c:\windows\system32\resdll.dll
    Generic FakeAlert!htm, process IEXPLORE.EXE

    Ad-Aware consistently found this in its scans, and says a reboot is required, but finds it again:
    Description: \\?\globalroot\systemroot\system32\uacrtaxvbkviw.dll Family Name: Win32.Trojan.Tdss Clean status: Reboot required Item ID: 942777 Family ID: 5401
    Description: C:\WINDOWS\system32\UACqparpgjpfx.dll Family Name: Win32.Trojan.Tdss Clean status: Reboot required Item ID: 888515 Family ID: 5401
    Description: C:\WINDOWS\system32\UACrtaxvbkviw.dll Family Name: Win32.Trojan.Tdss Clean status: Reboot required Item ID: 942777 Family ID: 5401
    Description: C:\WINDOWS\system32\UACtjlalsmrnm.dll Family Name: Win32.Trojan.Tdss Clean status: Reboot required Item ID: 1243988 Family ID: 5401

    Running the 8 steps...

    Malwarebytes' AM seemed to install but would not run, finally renamed exe file and it ran. Did the same for SAS. All log files attached.

    Can someone look at the logs and tell me if I am ok now and what I should do next?
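The Ad-Aware lines quoted above are worth a closer look before deciding whether the machine is clean: one of the files is reported twice, once under its normal `C:\WINDOWS\system32` path and once under the `\\?\globalroot\systemroot` device alias that the TDSS family uses, so the raw list overstates the number of distinct files and understates how many times the same one survived a reboot. The following added example (my own code, not the poster's and not anything from Ad-Aware or McAfee) parses those detection lines, folds the globalroot alias onto the drive path (assuming the system root is `C:\WINDOWS`, which the poster's own log shows), groups the hits per on-disk file and lists which files are still waiting on a reboot to be removed. The sample input is the four lines from the post, embedded verbatim.

```python
import re
from collections import defaultdict

# Constructed sample input: the four Ad-Aware detection lines quoted in the post above.
SAMPLE_LOG = r"""
Description: \\?\globalroot\systemroot\system32\uacrtaxvbkviw.dll Family Name: Win32.Trojan.Tdss Clean status: Reboot required Item ID: 942777 Family ID: 5401
Description: C:\WINDOWS\system32\UACqparpgjpfx.dll Family Name: Win32.Trojan.Tdss Clean status: Reboot required Item ID: 888515 Family ID: 5401
Description: C:\WINDOWS\system32\UACrtaxvbkviw.dll Family Name: Win32.Trojan.Tdss Clean status: Reboot required Item ID: 942777 Family ID: 5401
Description: C:\WINDOWS\system32\UACtjlalsmrnm.dll Family Name: Win32.Trojan.Tdss Clean status: Reboot required Item ID: 1243988 Family ID: 5401
"""

# One Ad-Aware "Description:" line, as it appears in the scan log.
LINE_RE = re.compile(
    r"Description:\s+(?P<path>.+?)\s+Family Name:\s+(?P<family>\S+)\s+"
    r"Clean status:\s+(?P<status>.+?)\s+Item ID:\s+(?P<item_id>\d+)\s+Family ID:\s+(?P<family_id>\d+)"
)

# Kernel-style alias for %SystemRoot% that rootkit components are often reported under.
GLOBALROOT_PREFIX = r"\\?\globalroot\systemroot"


def normalize_path(path, system_root=r"C:\WINDOWS"):
    r"""Map the \\?\globalroot\systemroot alias onto the usual drive path.

    system_root is an assumption (the poster's log shows C:\WINDOWS). Windows paths
    are case-insensitive, so the result is lower-cased so aliases compare equal.
    """
    if path.lower().startswith(GLOBALROOT_PREFIX.lower()):
        path = system_root + path[len(GLOBALROOT_PREFIX):]
    return path.lower()


def parse_log(text):
    """Return one dict per detection line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["normalized"] = normalize_path(entry["path"])
        entries.append(entry)
    return entries


def group_by_file(entries):
    """Collapse aliases of the same on-disk file.

    Returns {normalized_path: {"raw_paths": [...], "item_ids": set, "families": set}}.
    A file with more than one raw path was reported under two names for one object.
    """
    groups = defaultdict(lambda: {"raw_paths": [], "item_ids": set(), "families": set()})
    for e in entries:
        g = groups[e["normalized"]]
        g["raw_paths"].append(e["path"])
        g["item_ids"].add(e["item_id"])
        g["families"].add(e["family"])
    return dict(groups)


def pending_reboot(entries):
    """Files the scanner could not remove in place: the ones to re-check after rebooting."""
    return sorted({e["normalized"] for e in entries if e["status"].lower() == "reboot required"})


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for path, g in group_by_file(found).items():
        print(path, "reported", len(g["raw_paths"]), "time(s); item ids:", sorted(g["item_ids"]))
    print("Re-check after reboot:", pending_reboot(found))
```

Running it on the quoted lines shows three distinct files rather than four hits, and that `uacrtaxvbkviw.dll` was seen both through the device alias and through the normal path with the same Item ID. When the poster re-runs the scans after rebooting, the `pending_reboot` list is exactly the set of paths that should no longer appear.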
  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,682   +153

    Turn off System Restore by going to Control Panel, System, Advanced... uncheck any checked boxes. Rerun the scans and if they are clean, re-enable System Restore. You are running McAfee; delete it and install one of the free Avast, Avira, or AVG antivirus programs, and run it.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I don't tell my users to uninstall a legitimate security program with an antivirus program that they have paid for. No one should be told to waste money. Should you decide to change the antivirus program, waiting until the subscription is due is more cost saving.
  4. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,682   +153

    Bobbye,
    I understand your point here. When I see an infected system with McAfee or NOD32 or Symantec installed, these programs are immediately removed if possible. They contribute to the mess. My customers can reinstall these after the system is clean if they wish. Most of the time, these programs have expired or have failed to operate for one reason or another.
  5. HarrimusMaximus

    HarrimusMaximus Newcomer, in training Topic Starter

    System Restore Steps Complete

    Ok, turned off System Restore, reran scans, looks clean, turned System Restore back on. Attached are scan logs. Can you look and make sure everything looks ok?

    Thanks
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    These are all paid programs. Why have a user go through an uninstall, which in most cases requires a special uninstaller to remove all the files, download a free AV, then go through a reinstall of the paid program?

    Although some paid programs can be considered less effective against viruses, Worms, Trojans and the likes, I prefer to work with that AV on board during a cleaning. I then suggest that a user consider the possibility of replacing it with a more effective AV at the end of the subscription.

    An exception is if the AV is only in a trial version status.

    This became a hot issue here when people were misunderstanding Step 1 and reading it to mean they HAD to uninstall whatever AV they had and install Avira or Avast instead. If you search the board, you will find that this was resolved by making the AV an optional install rather than a mandatory install.
  7. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,682   +153

    So Bobbye,
    you are quick to defend your methods but you are not providing any helpful information to the posters here. A good antivirus program can identify the malware infection, but many times, the antivirus program is turned off, crashed or not updated. You can't tell me that McAfee or Symantec antivirus never fails or contributes to crashed or infected computers... I learned a long time ago that the good free antivirus programs can protect and defend a computer in many ways better than the $50-something programs, for home use.
  8. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,682   +153

    Looks good. Is McAfee running and updating properly?
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I am taking some training now which does not allow me to assist in malware cleaning on any site until I have finished. It was a difficult decision because we have so few people here to do the cleanings.

    The information I left was not cleaning, but I think a better way to handle the System Restore feature.

    However, in the information left by the user, I did not note any problem with the AV updating or crashing, but even that can be caused by an infection, and changing the AV program isn't going to fix it. That's why online AV scanning was invented.

    I hope you find that information helpful. I'm sorry you missed my point about not insisting that the user waste the money that was paid for a security program. I would rather consider that an optional decision.
  10. HarrimusMaximus

    HarrimusMaximus Newcomer, in training Topic Starter

    Thanks guys

    Tmagic650 vs. Bobbye in the AV battle of the century! Thanks for all the help, I really appreciate it. After being in the computer industry for 20+ years, from tech support to admin to manager (ugh), this was the first time my PC has ever gotten infected, and it was a real pain. McAfee was running and updated and I still got infected. It's possible my wife said yes to a McAfee warning and allowed something to install or change the registry. McAfee is free with Comcast, so it seemed like the way to go. I'll probably take this opportunity to remove it and install Avira or Avast. Again, I appreciate the help. You guys are awesome. I'm glad someone in some thread suggested renaming the scanner executables to something else. That actually worked for me. Have a good one. This post can be closed.
  11. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,682   +153

    That's great HarrimusMaximus,
    yes, all it takes is an errant "yes" to send an infection fast... McAfee is junk. They pay Comcast and other ISPs to hawk their products, just like Symantec does. I'm sure you have seen those 30-day antivirus trials. Many computer users think "trial" means "good forever".
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I'll leave you with a parting thought: no matter which antivirus program you have, the system can still get infected! Use an antivirus program that is known to have a good record in catching the bad stuff. Make sure the program is configured correctly and updated regularly.

    And understand that an antivirus program is for viruses, worms, some Trojans and other pests. It is NOT for spyware/adware! The AV program may tell you there is spyware/adware, but it isn't configured to either remove it or prevent it.

    Use layers of protection:
    1. An antivirus program as mentioned.
    2. A bi-directional firewall: this means that it listens at both incoming AND outgoing ports. A router can also be used to enhance security with its hardware firewall.
    3. Use at least two spyware/adware programs: make sure they are different types of programs, such as SpywareBlaster plus Spybot Search & Destroy.
    4. Always use a reputable, known site for downloads. SAVE the download to the desktop. Right click and scan with the AV and anti-malware before opening.

    And always keep in mind: the user is the FIRST layer of protection, no matter what software security programs are on the system.