ProgramFiles\Common\Helper.dll

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by genmcp, Nov 11, 2008.

  1. genmcp

    genmcp Private E-2

    On Saturday evening (11/8/08) when I turned on my computer an explorer window popped up from ProgramFiles\Common with two files in it; helper.dll and helper.sig. As best as I can tell something was accidentally loaded on Saturday morning while my mother was on eBay.

    I found this thread http://forums.majorgeeks.com/showthread.php?t=35407 and followed all the instructions.

    All that is happening now is that the explorer window still pops up but there are no files in it. I am hesitant to follow any of the other threads' instructions from this point, because they all seem to be different.

    Here are the logs from the scans suggested for the Malware Removal Tool:

  2. genmcp

    genmcp Private E-2

    Here is the last log:


    Any help is greatly appreciated.

    Thanks

  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks, genmcp

    Please be patient -- I'm looking over your logs.

    Thanks!
    dr.m
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We need to download and run FindAWF by noahdfear.
    • Please download FindAWF by noahdfear.
    • Save to your desktop.
    • Double-click the FindAWF icon.
      • If you receive any security alerts and/or warnings please allow the utility to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 2 then Enter to restore files from bak folders
    • A text file opens called: files.txt
    • Click below the line and paste the following list of files to be restored:
    • Next, close and click Yes to save the changes.
    • Once files.txt is saved, FindAWF does the following:
      • It attempts to terminate the process represented by each filename on the list, if running
      • Deletes the rogue file from the parent folder, if present
      • Copies the original file to the parent folder
    • When done with the above, it automatically runs a new scan and opens a new log.
    • Please provide the new FindAWF log in your reply.
     
    Last edited: Nov 15, 2008
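    The FindAWF steps above describe a pattern worth being able to check by hand: a malware-created subfolder named "bak" that holds the original copy of a program file, while the same-named file in the parent folder has been replaced. The script below is an added, hypothetical helper written for this thread; it is not FindAWF and not MajorGeeks' code. It assumes only the "bak" folder convention described in the post, builds a constructed sample tree in a temporary directory, reports which parent files differ from (or are missing beside) their bak copies, and can restore the originals the way step 2 of FindAWF is described as doing (without the process-termination part). Restoration is dry-run by default.

```python
"""Audit 'bak' folders for the replaced-file pattern described in the thread.

Added, hypothetical helper (not FindAWF, not MajorGeeks' code). Assumes the
convention the post describes: a subfolder literally named 'bak' holds the
original copy of a file whose same-named sibling in the parent folder was
replaced. The sample tree built by build_sample_tree() is constructed for
the demo only.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

BAK_NAME = "bak"  # folder name convention taken from the thread


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bak_folders(root) -> list:
    """Return every directory named 'bak' below root, sorted for stable output."""
    return sorted(p for p in Path(root).rglob(BAK_NAME) if p.is_dir())


def audit_bak_folders(root) -> list:
    """Compare each file in a 'bak' folder with its same-named sibling in the parent.

    Returns (parent_file_path, status) pairs, where status is one of:
      'replaced'  - parent file exists but differs from the bak copy (suspicious)
      'missing'   - no parent file (rogue copy gone, original not restored)
      'identical' - parent file and bak copy match
    """
    findings = []
    for bak in find_bak_folders(root):
        for original in sorted(bak.iterdir()):
            if not original.is_file():
                continue
            candidate = bak.parent / original.name
            if not candidate.exists():
                status = "missing"
            elif sha256_of(candidate) != sha256_of(original):
                status = "replaced"
            else:
                status = "identical"
            findings.append((str(candidate), status))
    return findings


def restore_from_bak(root, dry_run: bool = True) -> list:
    """Copy the bak original over every 'replaced' or 'missing' parent file.

    Mirrors the restore behaviour described in the post (minus killing the
    running process). Returns the list of actions; dry_run only reports them.
    """
    actions = []
    for path, status in audit_bak_folders(root):
        if status in ("replaced", "missing"):
            target = Path(path)
            source = target.parent / BAK_NAME / target.name
            actions.append(f"restore {source} -> {target}")
            if not dry_run:
                shutil.copy2(source, target)
    return actions


def build_sample_tree(root) -> Path:
    """Constructed sample: one replaced file, one missing file, one untouched."""
    app = Path(root) / "Program Files" / "ExampleApp"  # constructed path
    bak = app / BAK_NAME
    bak.mkdir(parents=True)
    (bak / "viewer.exe").write_bytes(b"ORIGINAL viewer binary (constructed)")
    (app / "viewer.exe").write_bytes(b"ROGUE replacement (constructed)")
    (bak / "updater.exe").write_bytes(b"ORIGINAL updater binary (constructed)")
    # deliberately no updater.exe in the parent folder -> 'missing'
    (bak / "readme.txt").write_bytes(b"same content")
    (app / "readme.txt").write_bytes(b"same content")
    return app


def demo():
    """Run audit -> restore -> audit on the constructed tree; return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        before = {Path(p).name: s for p, s in audit_bak_folders(tmp)}
        actions = restore_from_bak(tmp, dry_run=False)
        after = {Path(p).name: s for p, s in audit_bak_folders(tmp)}
    return before, len(actions), after


if __name__ == "__main__":
    before, count, after = demo()
    print("before:", before)
    print("restored:", count)
    print("after:", after)
```

    Run against a real drive, the audit step alone (dry run) is the useful part: it lists which program files differ from the copies the malware stashed in bak folders, which is the same information a FindAWF scan report is asked for in this thread.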
  5. genmcp

    genmcp Private E-2

    Here is the log.

    Don't know if this is important but after this program showed up, I began to receive speaking banner ads (very annoying) :mad promising a free Wii or WalMart gift certificate. After running the Read & Run me first they stopped, but a lot of my IE icons were screwed up. Also, Microsoft downloaded 5 updates soon after. Since then it seems at least the icons have righted themselves, but the Common folder continues to surface on start up.

    Thank you so much for your help on this issue.

    Attached Files: awf.txt (7.3 KB)
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.


    Step 2:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 3:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 4:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Step 5:
    We need to run FindAWF once more.
    • Double-click the FindAWF icon.
      • If you receive any security alerts and/or warnings please allow the utility to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 3 then Enter to remove bak folders
    • A text file opens called: folders.txt
    • Click below the line and paste the following list of folders to be removed:
    • Next, close and click Yes to save the changes.
    • Once folders.txt is saved, FindAWF does the following:
      • It deletes the contents of the bak folders
      • Removes the bak folders
    • When done with the above, it automatically runs a new scan and opens a new log.
    • Please provide the new FindAWF log in your reply.

    Step 6:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • FindAWF Log
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  7. genmcp

    genmcp Private E-2

    Here are the latest logs.

    I screwed up initially and ran MGtools.exe by mistake. After it finished I ran the correct file C:\MGtools\analyse.exe through the Start:Run process. I don't know if running MGtools.exe affected the rest of the instructions.

    I did encounter a problem trying to run Combofix. It just wouldn't start, so I downloaded it again and it worked. Combofix restarted the computer and SAS and the Common Folder both came up on the restart.

    All other instructions did not encounter any problems.

    I restarted the computer after completing everything and the Common folder is still popping up at start up.

    Let me know what the next steps may be or if I should repeat the process since I may have messed it up in the beginning.

    Thanks
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Finally, we need to run FindAWF one last time.
    • Double-click the FindAWF icon.
      • If a Security Alert shows, allow the program to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 1 then Enter to scan for bak folders
    • The scan may take a while, please be patient.
    • When done, a text file, Find AWF report is produced.
    • Please attach the Find AWF report in your next post.

    Once you have completed all of these instructions, please attach the following logs. Also let me know how things are running.
    • Avenger Log
    • FindAWF Log
     
  9. genmcp

    genmcp Private E-2

    Thanks a bunch. That damn folder did not pop up on restart. Any clue as to what it was? Just curious.

    Again, thanks for all your help, let me know if you see anything else in the logs I should be concerned about.
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean, if you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. If we had you run Avenger, you can delete all files related to Avenger now.
    5. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    8. Go to add/remove programs and uninstall HijackThis.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
     
  11. genmcp

    genmcp Private E-2

    Final steps completed, computer running fine. Thanks again for all your help.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!:major
     
  13. genmcp

    genmcp Private E-2

    I reinstalled Yahoo Messenger the other day, and upon restart the Common folder with helper.sig showed up again. I performed the Malware Removal Steps and the empty folder still shows up on startup. Here are the logs. Please let me know what the next steps are and how I can avoid this in the future.

    Thanks
  14. genmcp

    genmcp Private E-2

    And here is the last log.
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just delete the C:\Program Files\Common folder. DO NOT delete C:\Program Files\Common Files

    What is the below for?
    "CICache"="CICache.exe" [2002-09-05 c:\windows\CICache.exe]

    Yes! This time follow the final instructions completely. You never followed the instructions BJ gave you in message number 10 last time. You still have no real firewall and you have no realtime antispyware protection.