Help Assistant

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by SVesely, Mar 28, 2010.

  1. SVesely

    SVesely Private E-2

    Possibly some helpful information in regard to how Help Assistant can infect/get installed on the computer:


    From the Adobe Flash Player Web site--Security Bulletin released 2/11/10: A critical vulnerability has been identified in Adobe Flash Player version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests.

    Adobe recommends users of Adobe Flash Player 10.0.42.34 and earlier versions update to Adobe Flash Player 10.0.45.2. Adobe recommends users of Adobe AIR version 1.5.3.9120 and earlier versions update to Adobe AIR 1.5.3.9130.

    ======================================

    I had an earlier version up until 3/27/10 when I updated to 10.0.45.2, and on 3/1/2010 the Help Assistant profile and associated folder and files were created. Help Assistant may have been able to be installed due to this vulnerability.

    Note: on my Cox home page there is the following message: For the best experience, please download and install the latest version of Adobe Flash Player.

    Also, on 3/1/10 I was viewing videos on NBCOlympics.com, which slowed my computer down to the point it froze at times, possibly disabling McAfee (Cox Security Suite), which, together with this vulnerability, may be how the Help Assistant profile was installed. In addition, the computer has 'crashed' (blue screen error) 4-5 times since 3/1/10.

    I have XP Home Edition and cannot easily disable this profile. I have not tried to delete it. 256 MB RAM.


    3/1/10:

    Help Assistant created.


    3/3/10:

    Uninstalled and re-installed McAfee.
    Blue screen: MPFP.sys -- McAfee Personal Firewall Plus driver


    3/14/10:

    Went to Finally Fast Web site and installed Ascentive Performance Center and SpeedScan. Ascentive Performance Center has not been uninstalled--it is not in the program list under Add/Remove programs nor is there an uninstall feature in the program list in the Start Menu.

    Ran McAfee scan--McAfee detected 2 PUPs, both Generic PUP.x!bc. Quarantined and removed GenericPUP.x!bc

    Additional information regarding PUPs detected:

    Detection name: GenericPUP.x!bc
    File: C:\Program Files\Ascentive\PerformanceCenter\APCLfb4f.rra

    Detection name: GenericPUP.x!bc
    File: C:\Program Files\Ascentive\PerformanceCenter\APCL14d7.rra


    3/18/10:

    Blue screen.


    3/19/10:

    Blue screen.


    3/21/10:

    Live Chat session with Ascentive to remove Performance Center. Ran program TeamViewer so rep could attempt to remove it, but the connection was lost and it was not removed.


    3/23/10:

    Uninstalled and reinstalled McAfee.


    3/24/10:

    1st Malwarebytes scan (full scan) results: 13 items -- after removal my system is noticeably faster:

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 9
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Rogue.Ascentive) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Rogue.Ascentive) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Rogue.Ascentive) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.Ascentive) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.


    2nd Malwarebytes scan (full scan) results: 0 items


    3/25/10:

    Blue screen. run32.dll
    mpfp.sys not present on this blue screen


    3/26/10:

    Malwarebytes scan (full scan) results: 0 items

    Searched for cookies with Windows Search Companion. Results:

    Cookies folder in C:\WINDOWS

    Cookies folder in C:\Documents and Settings\HelpAssistant\Application Data\Apple Computer

    Cookies folder in C:\Documents and Settings\Owner\Application Data\Apple Computer

    cookies text file in C:\Program Files\Common Files\Real\Common

    Cookies (file type QuickTime preferences) in C:\Documents and Settings\HelpAssistant\Application Data\Apple Computer\Cookies

    cookies text file in C:\Documents and Settings\HelpAssistant\Application Data\Real\RealPlayer

    Cookies (file type QuickTime preferences) in C:\Documents and Settings\Owner\Application Data\Apple Computer\Cookies

    cookies text file in C:\Documents and Settings\Owner\Application Data\Real\RealPlayer

    cookies (SOL file) in C:\Documents and Settings\HelpAssistant\Application Data\Macromedia\Flash Player\#SharedObjects\3FNWKRHR\polaris.classistatic.com

    cookies (SOL file) in C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\3FNWKRHR\polaris.classistatic.com



    Blue screen. no mpfp.sys

    SUPERAntiSpyware scan (complete scan) results: 366 items--365 Adware.tracking cookies (in HelpAssistant folder) and Trojan.Agent/Gen-Nullo[Short] C:\SYSTEM VOLUME INFORMATION\_RESTORE{EF8EB7EC-B1D8-4DF4-A970-0233094958EF}\RP1483\A0198752.DL
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Am I correct to assume you wish assistance in fixing your problem?

    If so:
    Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
    Close out all other open programs and windows.
    Double click the file to run it and follow any prompts.
    If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
    Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.


    *In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

    mbr -f

    Now, please do the Start>Run>mbr -f command a second time.
    Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
    Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.

    **Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

    Now:
    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.

    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this another user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. SVesely

    SVesely Private E-2

    Although I posted the first post back in March, I did not try to remove the Help Assistant user profile until today.

    I no longer have the Help Assistant user profile on my computer. I installed and ran HelpAsst_mebroot_fix.exe. After it created the log, I re-booted and then went to user profiles and deleted it. I then re-booted and checked again; it is no longer there. Deleting it freed up about 600 MB of disk space. And I did not go through the Read and Run Me first steps, except for add/remove programs--I removed Viewpoint Media Player.

    Re: Deleting it. There is now a delete button below the user profile list. About 4 months ago when Help Assistant first appeared on my computer, there was not a delete button. Based on what I have read, XP Home Edition does not have this button. I have noticed some differences and changes since upgrading to IE 8.0, which I did about a week ago. Overall performance is better: Faster overall, with Outlook Express e-mail loading much faster, for example.

    And since removing the Help Assistant profile, my antivirus/antispyware program loads faster at startup.

    In the HelpAsst_backup folder, there are 2 files: DomainGOPList, termsrv32.dll.

    I attached the log.
     

    Attached Files:

  4. SVesely

    SVesely Private E-2

    Continuation of the previous post:

    Here are the steps I followed:

    1. Add/remove programs--removed Viewpoint Media Player.

    2. Saved and ran HelpAsst_mebroot_fix.exe. After it created the log, I re-booted.

    3. Went to user profiles and deleted Help Assistant, then re-booted.

    4. Checked user profile list--Help Assistant not there. And no longer a Help Assistant folder.

    5. Ran HelpAsst_mebroot_fix.exe a 2nd time for another log.

    Attached is the 2nd log.
     

    Attached Files:

  5. SVesely

    SVesely Private E-2

    You know how Glenn Beck says take back your country...Take back your computer!:-D
     
  6. SVesely

    SVesely Private E-2

    What has also helped the performance: The Microsoft updates, including Windows updates and Windows security updates, that I installed about 2 days after upgrading to IE 8.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you still having any malware issues?

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:




    Support MajorGeeks!
     
  8. SVesely

    SVesely Private E-2

    7/30/10

    I believe there still may be malware on my computer. Recent history and results of scans:

    Other programs (IObit 360, Microsoft Security Essentials, Malwarebytes, IObit Advanced SystemCare) have only detected tracking cookies since the Loaris Trojan Remover and AVG scan. Now that the Help Assistant profile has been removed, I will re-scan with these programs, plus SuperAntispyware. Do you recommend uninstalling and reinstalling programs such as Loaris Trojan Remover and Malwarebytes each time you scan? And I have difficulty distinguishing real malware from false positives.


    7/29/10

    Add/remove programs--removed Viewpoint Media Player.

    Saved and ran HelpAsst_mebroot_fix.exe. Removed Help Assistant user profile.


    7/24/10

    Malwarebytes scan in safe mode: tracking cookies only.


    7/19/10

    Installed IE 8.


    7/17/10

    AVG Free scan in safe mode: 0 detected.


    6/27/10

    Loaris Trojan Remover (I only did the free scan; only the paid version can remove)

    C:\program~1\micros~3\office11\ieawsdc.dll-HEUR.Downloader.J

    File: C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream_0305000.dll

    File: c:\program files\common files\aol\ygppicdownload.dll-HEUR.TrojanDownloader.A

    File: C:\Program Files\Axis Communications\Axis Media Control Embedded\AxisMediaControlEmb.dll

    File: C:\WINDOWS\Downloaded Program Files\popcaploader.dll-Trojan.ActiveX: [PopCapLoader Object]

    File: C:\WINDOWS\system32\tree.com-Malware.OnlineGames

    File: C:\WINDOWS\downloaded program files\popcaploader.inf-Trojan.VistaAntispyware2010

    File: c:\CABS\Winxp\Utility\HOTFIX\KB823980E.exe-Worm.Win32.Bolgi

    C:\Program Files\Microsoft Office\OFFICE11\IEAWSDC.dll-HEUR.Downloader.J

    File: C:\WINDOWS\system32\pcpbios.exe-Packed.Win32.Krap.W



    6/26/10

    AVG: AVG cannot remove these. Says Object is Inaccessible.

    C:\WINDOWS\system32\services.exe(1004):\memory_00680000 Trojan Horse Cryptic.FJ

    C:\WINDOWS\system32\services.exe(996):\memory_00740000



    4/18/10:

    Avast

    Removeable media:
    *BOOTD: Error: The parameter is incorrect(87).
    D:\ Error: The device is not ready(21).
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I believe that everything Loaris Trojan Remover found are false positives. If you want to check for any other malware, let's do an online scan and see what it discovers.

    Using BitDefender Online Scan.
     
  10. SVesely

    SVesely Private E-2

    I get a prompt to 'install the following add-on Bitdefender OnlineScanner from BitDefender LLC. If you trust the website and the add-on and want to install it, click here.' Then I am only given the option to install BitDefender, not run it. I did not install it. And I have not checked whether Java is up to date.

    And do you recommend being offline when running a scan?

    I have attached the Loaris Trojan Remover log. As you will see in the log, Axis Media Control is one of the items detected--I have Axis Media Control on my computer--there is an Axis Media Control folder. Can you tell by the scan results if these are real or false positives?
     

    Attached Files:

    Last edited: Jul 31, 2010
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I don't trust any software that requires you to purchase it before it will remove what it finds. I would rely more on SAS and MBAM. If they both are coming up clean, and you are not having any malware issues with your system, then I would uninstall that program and follow the suggestions in this thread:
    How to Protect yourself from malware!
     
  12. SVesely

    SVesely Private E-2

    Today on 7/16/2011 I uninstalled Combofix, Help Asst mebroot fix.exe, RootRepeal, and MGTools.

    A note about MGTools--I ran it first so that the MGTools folder would be created, and then I double clicked on the MGclean.bat file to run the clean up program. I then re-booted and checked the hard disk space and I have an additional 3GB of space (it went from about 21.5GB to 24.3GB).

    Thank you for your help.
     
  13. SVesely

    SVesely Private E-2

    Additional feedback:

    I have not had a blue screen or signs or symptoms of malware since July 2010.
     
  14. SVesely

    SVesely Private E-2

    Below I pasted the Advanced SystemCare Deep Scan log from 7/16/2011--this scan was done AFTER removing those programs mentioned in the previous post. Note HelpAsst.exe



    Advanced SystemCare Log
    ====================================
    Application Version: 4.0.1
    Database Version: 53692
    Scan Mode: Manual
    Windows XP
    2011-07-16(18-51-28)
    ====================================
    [Registry Scan]: 17 Problems Detected
    ------Details------
    Deleted HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\HelpAsst.exe value=
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU value=a
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU value=MRUList
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\* value=a
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\* value=MRUList
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt value=a
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt value=MRUList
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\ value=C:\Documents and Settings\Owner\Desktop\combofix.exe
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\ value=C:\32788R22FWJFW\iexplore.exe
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\ value=C:\32788R22FWJFW\hidec.exe
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\ value=C:\32788R22FWJFW\n.pif
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\ value=C:\32788R22FWJFW\nircmd.cfxxe
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\ value=C:\32788R22FWJFW\NirCmdC.cfxxe
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\ value=C:\WINDOWS\NIRCMD.exe
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\ value=C:\MGtools.exe
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\ value=C:\MGtools\GetLogs.bat
    Deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\ value=C:\MGtools\MGclean.bat


     
  15. SVesely

    SVesely Private E-2

    Note also I installed and uninstalled Google toolbar on 7/14/2011 and while it was installed there was an Internet Explorer error pop-up.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  17. SVesely

    SVesely Private E-2

    The Help Assistant profile was installed 3/2010 and I ran HelpAsst mebroot fix tool in 7/2010 and since then Help Assistant folder is not there, but I see Help Assistant in a list of profiles in the registry.

    attached are logs--

    Note:
    SuperAntispyware--no log--0 items detected.
    Malwarebytes--no log--0 items detected.
    Combofix--no log because no log was created--it ran for 3 hours, with no scan results or log. [I suspect it did something--I ran ccleaner after I ran it and there was a long list of items]
    RootRepeal--no log--there was an error running it--exception address: 0x004eca19
    MGTools--log attached.

    HelpAssistant mebroot fix--log attached.
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are basically clean. Let's just do this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now use windows explorer to find and delete:
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At4.job

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  19. SVesely

    SVesely Private E-2

    I did what you have instructed in the post below. Also I deleted some registry keys I saw in System info--under list of objects--these are also in the HijackThis log:

    o16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - http://www3.authentium.com/cssrelease/bin/wizard.exe
    o16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    o16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    o16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    o16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    o16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
    o16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    and another, which is not in the HJ log because I deleted it before running MGtools.
    {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} HTTP://DOWNLOAD.MICROSOFT.COM/DOWNLOAD/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VIRTUALEARTH3D.cab

    Note: those first 7 come back after I delete them when I reboot.
     

    Attached Files:

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have you used CCleaner to remove the leftover reg. items?

    What actual malware issues are you having?

    Now download The Avenger by Swandog46 to your Desktop.

    See the download links under this icon

    1. Run avenger.exe by double-clicking on it.
    2. Click OK at the warning to continue to use The Avenger
    3. Do not change any of the check box options!
    4. Shut down your protection software now to avoid possible conflicts.
    5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    6. Now click the button
    7. Click Yes to the prompt to confirm you want to execute.
    8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    9. Your PC should reboot, if not, reboot it yourself.
    10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Tell me what issues remain.
     
  21. SVesely

    SVesely Private E-2

    Yes I ran CCleaner. I am not experiencing any symptoms, except a slow computer at times, but I have only 256MB RAM, so I don't know if the slowness is the memory or malware or both. I see Help Assistant and other profiles in the registry. Do you have any suggestions besides the steps in the Read me first thread? Any scans or diagnostic tools you recommend?

    Attached is the Avenger log.
     

    Attached Files:

  22. SVesely

    SVesely Private E-2

    The 7 registry keys referenced below have moved in the registry.

    The registry key that begins with 1F2F4...is located

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/LSSupCtl.dll [Under this I see 3 values: (default), .owner, and the registry key]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.2/LSSupCtl.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/LSSupCtl.dll

    registry key CE28D5

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SymAData.dll

    registry key 44990200

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tgctlsi.dll

    registry key 44990301

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tgctlsr.dll

    registry key 3451

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/SymAData.dll

    registry key E2883

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gp.ocx

    Also, under Module Usage I see common files/symantec shared/support controls and microsoft office/office11/ieawsdc.dll
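    The locations this thread keeps returning to (the HelpAssistant entry in ProfileList that outlived its folder, the At*.job files in C:\WINDOWS\Tasks, the HijackThis O16 DPF controls and the ModuleUsage keys that still reference them) can all be checked from one read-only script. The PowerShell audit below is an added example written for this page; it is not a MajorGeeks tool and was not posted in the thread. It assumes Windows PowerShell 2.0 or later running in an elevated session on the affected machine, and that the O16 entries live under HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units, which is the key HijackThis reads for that section. It deletes nothing; the point of the output is to show, for each entry, whether a file still exists behind it and which other CLSIDs reference it, so that a registry-only leftover can be told apart from a control that is still installed.

```powershell
# Read-only audit of the artifacts discussed in this thread. Added example, not a
# MajorGeeks tool. Assumes Windows PowerShell 2.0+ in an elevated session.
Set-StrictMode -Version 2

$hklm = [Microsoft.Win32.Registry]::LocalMachine

function Open-Key($hive, $path) {
    # Returns $null when the key is absent instead of throwing.
    $hive.OpenSubKey($path, $false)
}

function Get-RegisteredProfiles {
    # ProfileList records every profile directory Windows has created. The thread notes
    # HelpAssistant stayed listed here after its folder under Documents and Settings was gone.
    $key = Open-Key $hklm 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    if (-not $key) { return }
    foreach ($sid in $key.GetSubKeyNames()) {
        $sub  = $key.OpenSubKey($sid)
        $path = [string]$sub.GetValue('ProfileImagePath')   # REG_EXPAND_SZ; GetValue expands it
        New-Object PSObject -Property @{
            Sid          = $sid
            ProfilePath  = $path
            FolderExists = ($path -ne '' -and (Test-Path -LiteralPath $path))
        }
    }
}

function Get-AtJobs {
    # Jobs created through at.exe are stored as At<n>.job under %SystemRoot%\Tasks,
    # the files the thread was asked to delete by hand.
    $dir = Join-Path $env:SystemRoot 'Tasks'
    Get-ChildItem -LiteralPath $dir -Filter 'At*.job' -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime
}

function Get-DistributionUnits {
    # HijackThis "O16 - DPF" lines come from Code Store Database\Distribution Units:
    # one subkey per control CLSID, download URL under DownloadInformation\CODEBASE.
    $key = Open-Key $hklm 'SOFTWARE\Microsoft\Code Store Database\Distribution Units'
    if (-not $key) { return }
    foreach ($clsid in $key.GetSubKeyNames()) {
        $dl = $key.OpenSubKey("$clsid\DownloadInformation")
        $codebase = $null
        if ($dl) { $codebase = $dl.GetValue('CODEBASE') }
        New-Object PSObject -Property @{ Clsid = $clsid; CodeBase = $codebase }
    }
}

function Get-ModuleUsage {
    # ModuleUsage maps each downloaded module to the distribution unit that owns it
    # (.Owner) plus any other CLSIDs that reference it, which is why the O16 CLSIDs
    # turned up here as value names. Subkey names keep forward slashes (C:/WINDOWS/...),
    # so the .NET registry API is used rather than the HKLM: provider.
    $key = Open-Key $hklm 'SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage'
    if (-not $key) { return }
    foreach ($module in $key.GetSubKeyNames()) {
        $sub   = $key.OpenSubKey($module)
        $owner = $sub.GetValue('.Owner')
        # '' is the (default) value; everything else apart from .Owner is a referencing CLSID.
        $refs  = @($sub.GetValueNames() | Where-Object { $_ -ne '' -and $_ -ne '.Owner' })
        New-Object PSObject -Property @{
            Module     = $module
            Owner      = $owner
            References = ($refs -join ', ')
            FileExists = (Test-Path -LiteralPath $module)
        }
    }
}

function Invoke-ThreadAudit {
    '== Profiles in ProfileList =='
    Get-RegisteredProfiles | Format-Table Sid, ProfilePath, FolderExists -AutoSize
    '== At*.job scheduled tasks =='
    Get-AtJobs | Format-Table Name, Length, LastWriteTime -AutoSize
    '== Distribution Units (HijackThis O16) =='
    Get-DistributionUnits | Format-Table Clsid, CodeBase -AutoSize -Wrap
    '== ModuleUsage =='
    Get-ModuleUsage | Format-Table Module, Owner, References, FileExists -AutoSize -Wrap
}

Invoke-ThreadAudit
```

    Save it as a .ps1 file and run it from an elevated PowerShell prompt; if script execution is disabled, `powershell -ExecutionPolicy Bypass -File <path>` runs it for that one invocation. A ModuleUsage row whose FileExists is False and whose References list is empty is a pure registry leftover; a row that still has a file and referencing CLSIDs belongs to a control that is still installed, and removing only the O16 key will leave the rest in place.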
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That is the reason for your slowness. I saw no other malware in your system. I can only suggest that you upgrade your amount of RAM. You can go to crucial.com and let it scan your system and tell you how much RAM your system will take.
     
