Help: _helper.dll, _helper.sig and helper.sig

By Swanny00
Nov 30, 2008
  1. When my computer boots up a window labeled Common opens containing the three files in the title. After following the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions I found several trojans on my computer including (but not limited to) Monder, Dropper.Gen, Spy.Agent and Dlkroha.

    I followed all of the 8 steps but still have the same problem (along with slowed performance). I've attached the requested logs.

    Thanks in advance for any help.
  2. rf6647

    rf6647 TS Maniac Posts: 829

    Welcome to TS. Your description is helpful. Your logs show found and removed items. For your case, we will supplement our guide with a special scan / tool.

    Overview -
    • ComboFix is a very effective tool that scans / fixes hard to clean infections. Additionally, it includes diagnostic information.
    • Uninstall old copy of ComboFix
    Supplement to guide. Successive scans used to uncover additional infections.
    • Update both MBAM & SAS. Rerun them both.

    • This effort is complete when logs report NO infections/threats, or reporting something it can not clean.

    • Follow ComboFix instructions referenced below.

    • Scan with HJT. (part of instructions for ComboFix)

    • Posts logs. Report progress & what changes are observed. Include logs that found infections.

  3. Swanny00

    Swanny00 TS Rookie Topic Starter

    Thank you for the response. I'll follow your suggestions when I get home this evening and respond with the requested logs.

    Just to be clear, when you suggest:

    Are you implying I should continue to rerun the two in succession until they report all clear or unfixable? If so, should I expect to have to run these programs more than twice?

    Thank you again.
  4. rf6647

    rf6647 TS Maniac Posts: 829

    One re-run is the norm. SAS is the "canary" here. It reported a 'trojan.trace'. The scanners after applying fixes, then uncover additional infections. As I said, one run is the norm since MBAB is good at what it finds. ComboFix will be examined for confirmation that the trace referred to by SAS, is residue and not an active infection.
  5. Swanny00

    Swanny00 TS Rookie Topic Starter

    Hello again.

    I've follwed your instructions and attached the following logs:
    *2 MWBM logs (first one found 6 instances of the Vundo trojan and the second all clear)
    *2 SASW logs (first one only found tracking cookies...second all clear)
    *Combofix log
    *HJT log

    I am still getting a window titled 'Common' upon restart that contains now 2 files (_helper.dll and _helper.sig). Previously it contained a file titled helper.sig but I believe Combofix deleted that file.

    Please advise on next suggestions.

    Thank you again.
  6. Swanny00

    Swanny00 TS Rookie Topic Starter

    Here is the HJT log (exceeded 5 attachments on previous post).
  7. Swanny00

    Swanny00 TS Rookie Topic Starter

    Okay, so I'm a tiny bit impatient so I've tried a few more things.

    Based on another thread on this site, I installed and ran BFU to try to get rid of the _helper.dll and helper.sig files and I think it worked as the files no longer show up when I reboot. I also re-ran MBAM, SASW and HJT and have attached logs. WIll someone be so kind as to check and make sure I look all clear.

    The only (new) thing I'm noticing now is that the icon next to this website (in the IE address bar and tab) is actually the logo for my bank. I'm not sure if that's an indication of something odd going on but it's got me a tad nervous.

    Thanks in advance.
  8. rf6647

    rf6647 TS Maniac Posts: 829

    Swanny00, your findings are surprising. At the end of this reply, I will use a quote box to highlight findings in the logs. I will ask the tool developer to review the results.

    The ‘fixit’ tool cleaned the folder ‘Common’. ‘SecTaskMan’ folder is now being discussed in other forums. ComboFix scan did not discriminate against these folders.

    As a next step, I suggest updating the tools & repeat scans: MBAM, SAS, ComboFix. HJT. These tools are updated quite frequently.

    ComboFix log shows the suspect folder modified after the create date. Will look for similar pattern.

  9. mflynn

    mflynn TS Rookie Posts: 2,655

    I looked thu all an it looks clean Rich did you a good job.

    The spelling is OK!

    The Icon was likely off the screen before. Malware would not put it there to draw your attention.

    You sound a little paranoid so if you wish run the 2 procedures below and take a look with other eyes.
    Download SD Fix to Desktop among other things Catchme to look for RootKits.

    On Desktop run SDdFix It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click thu all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click to RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

    Download OTScanIt:
    Close all Apps and Browsers

    Download and save to Desktop and Dbl Click extract the files to an OTScanIt Folder.

    If Firewall or other Security or Malware protections pop you should allow them to let OTScanit to run.

    Enter the OTScanit folder and run OTScanit.exe.

    In Additional Scans select BotCheck, Disabled MS Config Items and Eventviewer Errors/Warnings

    Top Left click Run Scan.

    The scan can take some time so allow it time.

    Then finished a log will open, save log, copy post as an Attachment.

  10. Swanny00

    Swanny00 TS Rookie Topic Starter

    Thanks for the responses and the help Rich and Mike. I ran mbam and sas again along with OTScanIt and SDFix and have attached the logs/reports. Everything seems to be clean and working smoothly. Thanks again for the help.

    Should I do any final cleanup? I now have a ton of anti-malware software (and logs) that I presume I don't need anymore. Should I worry about setting a new restore point? Anything else I may be missing?
  11. rf6647

    rf6647 TS Maniac Posts: 829

    Edited for content.......Rich
  12. mflynn

    mflynn TS Rookie Posts: 2,655

    Correction for above cleanup.

    Not OTScanit but OTCleanit as below.

    Please download OTCleanIt

    Save to desktop.

    This will remove all the tools we used to clean your computer.
    These tools update so often they require downloading again later if needed.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall, Widows Defender or other guards or security programs about OTCleanIt attempting access to the Internet, allow all.

    If prompted to Reboot click Yes.
    OTCleanit will delete itself when finished, if not delete it by yourself.

Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...