Common Folder: Helper.dll and Helper.sig

Welcome to Major Geeks!

This is a problem from Spyware Doctor. Uninstall Spyware Doctor now. Also answer a question. Is Spyware Doctor a trial program or a paid version? And if paid, did it include and antivirus?



Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O18 - Filter hijack: text/html - {c607ebe5-23f2-4771-a860-e45f573dd8c2} - (no file)

Also we recommend you fix the below unless you are really sure it is absolutely required.
O15 - Trusted Zone: *.nobl.net

After clicking Fix, exit HJT.


Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

It is fine. I just want to be sure exactly what you were running from them. If it was a trial version I would have asked you to uninstall it. If it had no antivirus, I would have asked you to install one. Online Armor is fine too.

If it is telling you that you already posted the ComboFix log, it means it is the same log as previously posted. This means you did not get the instructions for that procedure to run properly. Shutdown Spyware Doctor ( as much of it as possible) and try from the ComboFix procedure thru to the end again. Make sure you create the CFScript.txt file properly and make sure you drag it ontop of the ComboFix.exe file as instructed.

 

Slow startup can be quite normal when a PC has lots of things to load at startup. And you are loading many things you probably don't need. Like for example do you really need and use all of the below

Also your protection software takes time to properly hooked into your operating system so that it can protect you. Also Spyware Doctor may be conflicting with the protection of Online Armor.

You really should be more concerned about PC performance after you startup. Online Armor can severely slow down startup and it also gets in the way of programs like ComboFix and prevents them from running properly. As stated in the READ & RUN ME's early steps, you really should not have installed or run anything else but what we requested until we finished with malware removal.

We still have not gotten the infection removed.


Copy the bold text below to notepad. Save it as fixMFF.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now please go to this link:http://live.sysinternals.com/

• find the psexec.exe file listed in the list and click on it and download and save it to your Desktop. Doing this properly is critical for other steps below.
• Now click Start, Run, and enter cmd and click OK. This will open a command prompt window with a prompt that shows the current folder you are in.
• For you the prompt should show C:\Documents and Settings\owner>
• Now type cd Desktop and hit the enter key. There is a space after the cd. If you do this properly, your prompt will change to C:\Documents and Settings\owner\Desktop>
• Type the below bold text and hit the enter key. This will open the Window Registry Editor. You will have to agree to the SysInternals License Agreement first that pops up.
  • psexec -s -i regedit
• In the Registry Editor click File, Import and then navigate to the fixMFF.reg file on your Desktop from the previous fix and double click on it to import it into your registry. If it works properly you should get a success message.
• If you get a success message continue on with the below, otherwise stop and explain to me any problems you had.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now download Registry Search (see the link titled RegSearch Download Link)

• Extract the files from Regsearch.zip into a folder.
• Doubleclick regsearch.exe to start the program.
• Enter mff in the top area of the form and then click "OK".
• Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.

Now run Ccleaner!

Now please download and run the current version of MGtools.exe




Then attach the below logs:

• avenger.txt
• RegSearch.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

We gave you the below link in step 1 of the READ & RUN ME. Check it out:

Dealing with Startup Processes

It is quote normal for some scanners to reset certain things including home pages to some benign setting just to be safe. The scanners do not know every possible valid home page everyone in the world wants to use but they are at the same time trying to remove possible malware settings. Thus they choose something benign like msn or google ....etc.

That C:\WINDOWS\system32\mmf.sys was deleted by Avanger but has still come back. Can you see if you can put a copy of this into a ZIP file and attach it here.

Other than slow startup, how is everything working?