Mom's PC is infected

Status
Not open for further replies.

drneves7

Posts: 78   +0
Mom's PC is infected, logs attached now!

My mom's PC is infected with adware and trojans. I bought her this PC a couple of years ago and set it up with all the proper security software and she didn't like them so she removed them. I am reinstalling most of them. But have a question. Is there a firewall that doesn't have all of the pop ups like ZoneAlarm and the other one listed in the 8-step removal process?

And I am doing the 8 steps right now and will post the reports when I am done.

Thanks a bunch Dominic

Okay, added logs, thanks a bunch :)
 
The Java is out of date. Please update to v7u10 here: http://java.com/en/download/manual.jsp

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [A00F590A9C49.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F590A9C49.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
Question: Did you set her up on a VPN?
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://s.vpn.uprr.com/dana-cached/setup/JuniperSetupSP1.cab
If not, please have this entry removed.

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Start> Run> type in 'msconfig' without the quotes> Selective Start-up> Startup tab> UNCHECK everything except the antivirus and firewall> Apply> OK.

Start> Run> services.msc> right click on Java Quick Starter> Properties> Change Startup type to Disabled.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
all Java programs except v7u10
WeatherBug
WildTangent
Reboot> Close the nag message that comes up after checking 'don't show this message again'.

I'd like you to run ComboFix because of the additional entries in SuperAntispyware, after Malwarebytes was run, and in HijackThis. We may have to use a special uninstaller for the Weather program. We'll see.

Please download ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
*Please disable all security programs, such as antiviruses, antispywares, and firewalls.
*Also disable your internet connection.

Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

**Do not click on the ComboFix window, as it may cause it to stall.

Please rerun HijackThis after Combofix and attach both logs.
 
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://s.vpn.uprr.com/dana-cached/s...erSetupSP1.cab
I kept this separate so you could review it first, but all is not lost. You should be able to start it up again if all you did was stop this one entry:
Do a search in the computer for the JuniperSetupSP1. Once you find it, double click to run and reinstall. I think that will handle it.

ComboFix shows the other files still installed so you should be okay.

You should update the Adobe Reader. The current version is v9, but I would like to make a suggestion. There is a free PDF reader program named FoxIt. It does the same thing as Adobe, but doesn't come with all the bloat Adobe has. Have HijackThis remove the entries below, either way:
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
Here are the URLs for either the update or the new program. Choose the one you want:
Adobe v9: http://www.adobe.com/products/reader/
FoxIt: http://www.foxitsoftware.com/pdf/rd_intro.php (click on Get It Free)

One restriction was removed, but there is still one in place:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Please review the meaning of these settings here: http://www.pctools.com/guides/registry/detail/543/

And review the information in this Microsoft TechNet article. Decide how to handle it according to the policies of her network:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93490.mspx?mfr=true

I don't see the new Java v6u10 loading and I see the 2 old Java still installed. Please be sure you run the update, and have HijackThis remove the following:
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
Unfortunately, Java updates don't overwrite the previous version so we have to clean up ourselves.

You know the drill to remove the entries and change the Java Service to Disabled.
When through, run one more HijackThis scan and if okay, we will remove the cleaning programs and old restore points.
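The two helper posts above work by reading HijackThis log lines by section code (O2 browser helper objects, O4 autostarts, O6 IE policy restrictions, O16 ActiveX downloads, O23 services) and by checking which Java runtime paths are still loading. The script below is an added example, not HijackThis code and not the helper's own procedure: it parses log lines of that shape and pulls out the same things a reviewer looks at first. The sample log is constructed from the excerpts quoted in this thread; the flagging rules (autostart from a Temp folder, ActiveX source host and scheme, IE policy present, Java versions found) are the assumptions of this example, not rules HijackThis itself applies.

```python
"""Parse HijackThis-style log lines and pick out the entries a reviewer
would look at first.  Added example; not HijackThis or the helper's code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: lines copied from the log excerpts quoted in the thread
# (one Running Processes line first, then O-section entries).
SAMPLE_LOG = r"""
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [A00F590A9C49.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F590A9C49.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://s.vpn.uprr.com/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

SECTION_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]+?\.(?:exe|dll|cab|lnk)\b', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
JAVA_RE = re.compile(r"\\Java\\jre([\d.]+)\\", re.IGNORECASE)


@dataclass
class Entry:
    section: str                # "O2", "O4", ... or "PROC" for a running-process line
    raw: str
    path: Optional[str] = None  # first Windows file path on the line, if any
    url: Optional[str] = None   # first http(s) URL on the line, if any
    flags: List[str] = field(default_factory=list)


def review_flags(e: Entry) -> List[str]:
    """Heuristics (assumed for this example) applied before deciding what to fix."""
    flags: List[str] = []
    if e.section == "O4" and e.path and TEMP_RE.search(e.path):
        flags.append("autostart runs from a Temp folder")
    if e.section == "O16":
        if e.url:
            parsed = urlparse(e.url)
            note = f"ActiveX control downloaded from {parsed.hostname}"
            if parsed.scheme.lower() != "https":
                note += " over plain http"
            flags.append(note)
        else:
            flags.append("ActiveX control with no source URL")
    if e.section == "O6":
        flags.append("Internet Explorer restriction policy is set")
    return flags


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry, or None for blank or unrecognised lines."""
    line = line.strip()
    if not line:
        return None
    m = SECTION_RE.match(line)
    if m:
        entry = Entry(section=m.group(1), raw=line)
    elif PATH_RE.match(line):
        entry = Entry(section="PROC", raw=line)  # Running Processes section
    else:
        return None
    p = PATH_RE.search(line)
    u = URL_RE.search(line)
    entry.path = p.group(0) if p else None
    entry.url = u.group(0) if u else None
    entry.flags = review_flags(entry)
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


def java_versions(entries: List[Entry]) -> List[str]:
    """Every Java runtime version that still appears in a path, e.g. ['1.5.0', '6']."""
    found = {m.group(1) for e in entries if e.path for m in [JAVA_RE.search(e.path)] if m}
    return sorted(found)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in flagged(entries):
        print(f"{e.section:5} {'; '.join(e.flags)}\n      {e.raw}")
    print("Java runtimes still referenced:", ", ".join(java_versions(entries)))
```

Running it on the sample prints the Temp-folder autostart, the O6 policy entry and both O16 ActiveX downloads with their source hosts, and reports Java 1.5.0 and 6 still referenced, which is the same picture the helper draws from the log by hand.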
 
The only JuniperSetupSP1 I found was a .cab file; not sure what to do with that. It asks where to extract it, and when you open it, it says it is an ActiveX control and blah blah, so of course I stop there.

And doing the rest that you listed right after posting this.

Thanks Dominic
 
The O16 entries in the HijackThis log ARE ActiveX objects. That's what you removed. Use that file.
 
Okay, removed what I could. From everything I can see Java v6u10 is installed; if you are still seeing different, something is definitely wrong.

I didn't see these on HJT or in the folders as listed.
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe

And I am having no luck reinstalling that ActiveX deal; when I try and open it, I am asked am I sure I want to open this because it is an ActiveX control, and I say yes, then it asks what to open it with, and that is as far as I can get.

Thanks once again for your patience
Dominic
 
Dominic, I am copying these from your HijackThis log in the Running Processes section. If you open the logs, you're going to see the same thing. What I put here is a copy and paste- it's not a string I just wrote in:
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
and this is the last entry in the log:
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
I do not see anything for the Java v6u10 loading.

As for the VPN: I set it up to bring your attention to it separately. It shouldn't have been removed unless it was checked first which I suggested. If this is through her work, it will most likely have to be set up again. Is there an IT person who could help her with that?

There is one entry in the Global Startup section which I missed- you might want to remove it:
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?

* Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.

As an FYI: if she has any speed issue, there are numerous processes starting at boot that don't need to. You can work on that. The ONLY processes that need to start on boot are the antivirus program, firewall, touchpad if laptop and network process if on network. Nothing else. I covered that in my Post #2 using msconfig.
 