Solved Help to protect from assistmypc.org

Status
Not open for further replies.

smk.bluebird

hi gurus

Ever since my last issues, I had been very cautious on the net, but last week I found my browser home page hijacked by a website called assistmypc.org. Whenever I open the browser for the first time, the homepage gets automatically redirected to this site.

I am afraid this may be a trojan or malware. Please help me.

I am using Windows XP edition, Mozilla browser, Norton 360 security.

Thanks in advance.

Gurus, sorry for reposting the topic; earlier I could not reply because of a sudden unexpected death in the family.

moderator please help
 
Okay, we'll start here again since there was no information on the original thread. I just closed that thread!

I left this for you then:
A quick fix is this:
Control Panel> Internet Options> Security tab> Restricted sites> Sites> type in the following:
*.assistmypc.org
Then click on Apply> OK.

To follow: go through the steps in our Preliminary Virus and Malware Removal HERE

When finished, attach the 3 logs for us to review for additional entries.

Edit: Move your internet security level to Medium. I'm using Firefox and the page won't load.

Please follow the preliminary Virus and Malware Removal steps HERE. When you have finished, please paste the 3 logs into your next reply.

I'm going to need that information before I can be of any help.
 
avast report

thanks bobbye

As instructed, I first downloaded Avast, stopped Norton and installed Avast. It did a scan; here is the attached log of it.

I am doing the rest of the things. Will keep you posted.
 

Attachments

  • aswClnTg.txt
    214 bytes · Views: 3
  • aswInfTg.txt
    444 bytes · Views: 2
Please read the instructions on the thread carefully. You were NOT told to remove Norton and install Avast. That step says that if you don't have any antivirus program running, then install either Avira or Avast.

Unfortunately, Avast doesn't say what was found and moved.

Please go back to the steps, follow them all carefully, and leave the 3 logs requested.
 
logs attached

Sirs, as directed I am attaching the logs. Please guide me on further progress.
 

Attachments

  • SUPERAntiSpyware Scan Log - 03-29-2010 - 23-39-32.log
    1 KB · Views: 1
  • mbam-log-2010-03-29 (22-53-19).txt
    866 bytes · Views: 1
  • hijackthis.log
    9.1 KB · Views: 2
Sorry for the delay.

You have both Norton and Avast running now. If your Norton is current and updating, you need to remove Avast. You can use this tool for that:
Avast Removal

Please reopen HijackThis to 'do system scan only.' Check the following entries if present:
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF47E4527011938EF.exe
C:\Program Files\WebSecurity\services.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')


Close all Windows except HijackThis and click on "Fix Checked."

If you have removed Avast:
Use Windows Explorer: Right click on Start> Explore> My Computer> Double click Local Drive (C)> Programs> if the Avast folder is still there do a right click> Delete.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

And follow with: Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Then rescan with HijackThis. Leave the report from Combofix, the Eset scan log and the new HijackThis log. Hopefully we will find and remove the adware.
 
Dear Bob,
Actually my Norton expires today. I don't know whether to subscribe to it or whether I shall use Avast.
I am in a dilemma. Please guide me to some decision.

Hence I am not removing Avast now. I will wait for your reply and then proceed.

thanks
 
Dear Bob,

Thanks, I am retaining Avast. I tried to remove Norton but it is not happening. Though I tried both 360 4 version and 360 3 version, nothing is happening: a black window flashes and then it is over, nothing happens after that (note my Norton is expired now).
Will you please guide me on what is happening and how to proceed?
thanks
 
Please Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Click on Start> Run> type in services.msc> Double click on CLTNetCnService> Change the Startup type to Disabled> Stop the Service.
Click on Start> Run> type in msconfig> enter> Selective Startup> Startup tab> find Ccsvchst.exe and Uncheck it> Click on Apply> OK

Now see if the Removal Tool will run for you.
NOTE: when you boot back in to Normal Mode the first time after making a change with msconfig, you will get a nag message that you can ignore and Close after checking 'don't show this message again.' Stay in Selective Startup.
 
I'm sorry- I made 2 mistakes and led you on a wild chase! I have corrected both below:

Click on Start> Run> type in services.msc> Double click on CLTNetCnService> Change the Startup type to Disabled> Stop the Service.

The Norton Removal reads like you want to uninstall it to reinstall it! So they refer to the license key and the CD- neither of which you need.

You do not need to download the BUDump.exe file
Here are the steps:

1. Download the Norton Removal Tool. Save the file to the Windows desktop.
2. On the Windows desktop, double-click the Norton Removal Tool icon.
3. Follow the on-screen instructions.
4. Restart the computer.

Regarding this note: Your computer may be restarted more than once, > this is the only part that may refer to you.
 
Dear Bob,

Had done as instructed. I could not find the Eset online scanner log, hence I am attaching the rest of things.

thanks
 

Attachments

  • ComboFix.txt
    25.4 KB · Views: 1
  • hijackthis1.log
    7.8 KB · Views: 0
Found it! It's an addon in Firefox:


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

Code:
File::

Folder::

Firefox::
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pa6hia1r.default\
Firefox -: prefs.js: browser.startup.homepage - hxxp://assistmypc.org/

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
NOTES:
1. It looks like you are using the vtiger crm and the database on Mysql 510. Do I have that right? Make sure they are configured correctly.
2. There is duplication in PDF converter programs. Review and make sure you need all- if not, remove the extra ones.
3. You still have Norton/Symantec entries loading. Best you run the Norton Removal Tool.
4. There are also multiple online scanners loading. Review and stop those you don't need.

Let me know if this handles the assistmypc.org
Be sure to include the new log that is produced so I can make sure the entry was removed.
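
An added example, not part of the original post: a read-only check of a Firefox profile for the `browser.startup.homepage` entry shown in the script above. It goes slightly beyond the thread by also reading `user.js`, which Firefox reapplies over `prefs.js` at every start and which can therefore bring a homepage back after `prefs.js` is cleaned. The function names and the sample profile contents are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# user_pref("name", value); as written in prefs.js and user.js
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def read_prefs(text):
    """Return {pref_name: value} for the string-valued user_pref lines in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and len(m.group(2)) >= 2 and m.group(2)[0] == m.group(2)[-1] == '"':
            prefs[m.group(1)] = m.group(2)[1:-1]
    return prefs

def hosts_in(value):
    """Host names in a homepage value; several pages are stored '|'-separated."""
    hosts = []
    for url in value.split("|"):
        url = url.strip()
        if url and ":" not in url:        # bare "example.test" typed without a scheme
            url = "http://" + url
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def matches(host, domain):
    """True for the domain itself and any subdomain, not for look-alike suffixes."""
    return host == domain or host.endswith("." + domain)

def audit_profile(files, domain, watched=("browser.startup.homepage",)):
    """files maps file name -> contents. Returns (file, pref, value) findings."""
    findings = []
    for name, text in files.items():
        prefs = read_prefs(text)
        for pref in watched:
            value = prefs.get(pref, "")
            if any(matches(h, domain) for h in hosts_in(value)):
                findings.append((name, pref, value))
    return findings

# Constructed sample profile contents (not taken from the thread's logs).
SAMPLE_PROFILE = {
    "prefs.js": 'user_pref("browser.startup.homepage", '
                '"http://www.example.test/|http://assistmypc.org/");\n'
                'user_pref("browser.startup.page", 1);\n',
    "user.js": 'user_pref("browser.startup.homepage", "http://assistmypc.org/");\n',
}

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE, "assistmypc.org"):
        print(finding)
```

An empty result after the fix, for both files, is what a clean profile looks like.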
 
Dear Bob,

I had done as requested. I am afraid we are yet to nail it, because when I opened the browser it again opened with the assistmypc.org file. (Also check whether it repeated because of SUPERAntiSpyware.)

please see the log attached.

thanks
 

Attachments

  • cfix.txt
    35.9 KB · Views: 4
You are right, I am running vtiger crm, but nowadays not using it so much.

Yes, there are two PDF converter programs. I will remove one.

Online scanners?? Actually I don't run anything consciously. If anything is there, please let me know how to stop it. I will do so.
Thanks
 
Please don't add or remove anything unless I instruct you to. The entries below add an enormous number of new files. It doesn't look like malware. I need you to have as stable a system as possible while I'm working with you. It's important that every time I look at a new log, it only shows the results of what I have asked you to do, or continued malware.

The Combofix report you left is not the one that was generated after the fix. I need that log. The report you left has 10.5KB MORE in it- it should have had less! So now I don't know whether you added it or whether malware did!
===================================
Can you tell me what these entries are? Lines and lines of them- you shouldn't be loading the system with more and more files while I'm helping you clean it!

+ 2010-04-05 17:14 . 2010-04-05 17:14 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\4b87ca3482a3c0ee733e028ecee7de65\System.Web.DynamicData.Design.ni.dll


They are all on 4/5/2010, all using C:\WINDOWS\assembly\NativeImages_v2.0.50215_32\System.Web\4f4928ed491b4d36bf9f5755e45b1f7a\
 
Dear Bob,

Sorry for what has happened. I don't know how these many files are added. The one that is on 05/04/2010 was when I downloaded the image from my Nokia. Else I don't understand what has happened. From today I will try and stop all my activities as far as possible.

I am also attaching the ComboFix tool log which is made today. This is after adding the script file as advised by you.

thanks in advance
 

Attachments

  • log1.txt
    24.4 KB · Views: 1
Hi Bob,
Something has happened after that scan; nowadays I am not getting that as home page.

Still I am worried whether it is in my system / in any of the pen drives I am using.

Also I remember last time when we got this virus my wifey clicked the Windows firewall notification tray (at least she claims so).

Even now I get this notification though my Avast is running. I don't know what to do.
Please help me.

thanks in advance.
 
We aren't communicating very well. You asked to get rid of assistmypc.org. It was set as your homepage and until the Firefox entry is removed and the homepage is reset, it's not going to stay away. So do the removal once more. None of the logs you have left indicate the removal was attempted.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

Code:
File::
Extra::
Firefox::
Firefox-: Profile-  c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pa6hia1r.default\
Firefox-: prefs.js:  Startup.homepage

Folder::

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
You can do one more step and that is to block the Domain in the browser. Please do the following in Firefox:
Open Firefox> Tools> Options> Security> check all 3 boxes in the top section> click on Exceptions and type the following in:
*.assistmypc.org
Then click on Block
Close
==============
You can also reset the Firefox Cookies as follows:
For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

This should keep that Domain out of the system.
 
Fast and permanent means to inhibit assistmypc.org:
in the file

\windows\system32\drivers\etc\hosts

reset the R/O using

attrib -r \windows\system32\drivers\etc\hosts

then edit the file and insert

127.0.0.1 .assistmypc.org

save and protect it again

attrib +r \windows\system32\drivers\etc\hosts

restart your DNS

net stop "dns client"
net start "dns client"

If your browser home page still points there (which Bobbye is trying to get you to delete),
you will get an error, something like 404 Page Not Found
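
An added example, not part of the original post: a check of hosts-file text against the host names it is meant to sinkhole. Hosts-file lookups match each host name exactly, with no wildcard or leading-dot form, so every name needs its own entry. The helper names, the `www.` name and both sample file contents are constructed for illustration.

```python
def parse_hosts(text):
    """Return {hostname: address} from hosts-file text, skipping comments and blanks."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), addr)   # keep the first mapping seen
    return table

def uncovered(text, wanted, sink=("127.0.0.1", "0.0.0.0")):
    """Names from `wanted` that the hosts text does not map to a sinkhole address."""
    table = parse_hosts(text)
    return [n for n in wanted if table.get(n.lower()) not in sink]

def unmatchable_names(text):
    """Entries no lookup can ever hit: wildcards or empty labels in the name."""
    return [n for n in parse_hosts(text)
            if "*" in n or n.startswith(".") or ".." in n]

# Constructed hosts-file contents.
LEADING_DOT = "127.0.0.1 localhost\n127.0.0.1 .assistmypc.org\n"
EXPLICIT = ("127.0.0.1 localhost\n"
            "127.0.0.1 assistmypc.org www.assistmypc.org  # one entry per name\n")

WANTED = ["assistmypc.org", "www.assistmypc.org"]

if __name__ == "__main__":
    for label, text in (("leading dot", LEADING_DOT), ("explicit", EXPLICIT)):
        print(label, "uncovered:", uncovered(text, WANTED),
              "unmatchable:", unmatchable_names(text))
```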
 
Dear Bob,

Thanks for reverting. I had done exactly as said by you.

The following is what happened:

1. I did the script file.
2. I dragged it into the ComboFix file.
3. ComboFix got loaded.
4. It asked me to allow download of the recent version.
5. I said OK.
6. It downloaded and started to scan.
7. After ten minutes the log was created.
8. The log is attached for your reference.

thanks.
 

Attachments

  • ComboFix.txt
    24.5 KB · Views: 1
It appears that your homepage has been reset correctly. And you should not be getting assistmypc.org. Let me know if this is correct and I'll have you remove the cleaning tools.
 
Yes Bob, you are right. My home page is reset. (Hurrah) for beating this adware.

Thanks Bob, it is a great job.

Our forum has never failed us.
 
You're welcome. Glad it finally worked out!

Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Please let me know if I can be of help in the future. I'll close this thread now since the problem has been resolved.
 