Help to protect from assistmypc.org

Solved
By smk.bluebird
Mar 28, 2010
Topic Status:
Not open for further replies.
  1. Help to protect from assistmypc.org
    Hi gurus,

    Ever since my last issues, I had been very cautious on the net. But last week I found my browser home page hijacked by a website called assistmypc.org. Whenever I open the browser for the first time, the homepage gets automatically redirected to this site.

    I am afraid whether this is any trojan or malware. Please help me.

    I am using Windows XP edition, Mozilla browser, Norton 360 security.

    Thanks in advance.

    Gurus, sorry for reposting the topic; earlier I could not reply because of a sudden unexpected death in the family.

    Moderator, please help.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay, we'll start here again since there was no information on the original thread. I just closed that thread!

    I left this for you then:
    Please follow the preliminary Virus and Malware Removal steps HERE. When you have finished, please paste the 3 logs into your next reply.

    I'm going to need that information before I can be of any help.
  3. smk.bluebird

    smk.bluebird Newcomer, in training Topic Starter Posts: 28

    avast report

    Thanks Bobbye,

    As instructed, first I had downloaded Avast, stopped Norton and installed Avast. It did a scan; here is the attached log of it.

    I am doing the rest of the things. Will keep you posted.

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please read the instructions on the thread carefully. You were NOT told to remove Norton and install Avast. That step says that if you don't have any antivirus program running, then install either Avira or Avast.

    Unfortunately, Avast doesn't say what was found and moved.

    Please go back to the steps, follow them all carefully, and leave the 3 logs requested.
  5. smk.bluebird

    smk.bluebird Newcomer, in training Topic Starter Posts: 28

    logs attached

    Sirs, as directed I am attaching the logs. Please guide me on further progress.

    Attached Files:

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Sorry for the delay.

    You have both Norton and Avast running now. If your Norton is current and updating, you need to remove Avast. You can use this tool for that:
    Avast Removal

    Please reopen HijackThis to 'do system scan only.' Check the following entries if present:
    C:\Documents and Settings\Administrator\Local Settings\Temp\~DF47E4527011938EF.exe
    C:\Program Files\WebSecurity\services.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')


    Close all Windows except HijackThis and click on "Fix Checked."

    If you have removed Avast:
    Use Windows Explorer: Right click on Start> Explore> My Computer> Double click Local Drive (C)> Programs> if the Avast folder is still there do a right click> Delete.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

    And follow with: Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Then rescan with HijackThis. Leave the report from Combofix, the Eset scan log and the new HijackThis log. Hopefully we will find and remove the adware.
  7. smk.bluebird

    smk.bluebird Newcomer, in training Topic Starter Posts: 28

    Dear Bob,
    Actually my Norton expires today; I don't know whether to subscribe to it or shall I use Avast.
    I am in a dilemma. Please guide me for some decision.

    Hence I am not removing Avast now; I will wait for your reply and then proceed.

    Thanks
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

  9. smk.bluebird

    smk.bluebird Newcomer, in training Topic Starter Posts: 28

    Dear Bob,

    Thanks, I am retaining Avast. Tried to remove Norton but it is not happening; though I tried both the 360 4 version and the 360 3 version, nothing is happening. A black window flashes and then it is over; nothing happens after that (note my Norton is expired now).
    Will you please guide me on what is happening and how to proceed?
    Thanks
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Click on Start> Run> type in services.msc> Double click on CLTNetCnService> Change the Startup type to Disabled> Stop the Service.
    Click on Start> Run> type in msconfig> enter> Selective Startup> Startup tab> find Ccsvchst.exe and Uncheck it> Click on Apply> OK

    Now see if the Removal Tool will run for you.
    NOTE: when you boot back in to Normal Mode the first time after making a change with msconfig, you will get a nag message that you can ignore and Close after checking 'don't show this message again.' Stay in Selective Startup.
  11. smk.bluebird

    smk.bluebird Newcomer, in training Topic Starter Posts: 28

    Dear Bob,

    This is not working. I don't know why, but it says the file is not found.
    Thanks
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I'm sorry- I made 2 mistakes and led you on a wild chase! I have corrected both below:

    Click on Start> Run> type in services.msc> Double click on CLTNetCnService> Change the Startup type to Disabled> Stop the Service.

    The Norton Removal reads like you want to uninstall it to reinstall it! So they refer to the license key and the CD- neither of which you need.

    You do not need to download the BUDump.exe file
    Here are the steps:

    1. Download the Norton Removal Tool. Save the file to the Windows desktop.
    2. On the Windows desktop, double-click the Norton Removal Tool icon.
    3. Follow the on-screen instructions.
    4. Restart the computer.

    Regarding this note: Your computer may be restarted more than once, > this is the only part that may refer to you.
  13. smk.bluebird

    smk.bluebird Newcomer, in training Topic Starter Posts: 28

    Dear Bob,

    Had done as instructed. I could not find the Eset online scanner log, hence I am attaching the rest of the things.

    Thanks

    Attached Files:

     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Found it! It's an addon in Firefox:


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:

    Code:
    File::
    
    Folder::
    
    Firefox::
    FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pa6hia1r.default\
    Firefox -: prefs.js: browser.startup.homepage - hxxp://assistmypc.org/
    
    Registry::
    
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    NOTES:
    1. It looks like you are using the vtiger crm and the database on Mysql 510. Do I have that right? Make sure they are configured correctly.
    2. There is duplication in PDF converter programs. Review and make sure you need all- if not, remove the extra ones.
    3. You still have Norton/Symantec entries loading. Best you run the Norton Removal Tool.
    4. There are also multiple online scanners loading. Review and stop those you don't need.

    Let me know if this handles the assistmypc.org
    Be sure to include the new log that is produced so I can make sure the entry was removed.
  15. smk.bluebird

    smk.bluebird Newcomer, in training Topic Starter Posts: 28

    Dear Bob,

    I had done as requested. I am afraid we are yet to nail it, because when I opened the browser it again opened with the assistmypc.org file. (Also check whether it repeated because of Super Anti Spyware.)

    Please see the log attached.

    Thanks

    Attached Files:

  16. smk.bluebird

    smk.bluebird Newcomer, in training Topic Starter Posts: 28

    You are right, I am running vtiger crm, but nowadays not using it so much.

    Yes, there are two PDF converter programs. I will remove one.

    Online scanners?? Actually I don't run anything consciously; if anything is there, please let me know how to stop it. I will do so.
    Thanks
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please don't add or remove anything unless I instruct you to. The entries below add an enormous number of new files. It doesn't look like malware. I need you to have as stable a system as possible while I'm working with you. It's important that every time I look at a new log, it only shows the results of what I have asked you to do, or continued malware.

    The Combofix report you left is not the one that was generated after the fix. I need that log. The report you left has 10.5KB MORE in it- it should have had less! So now I don't know whether you added it or whether malware did!
    ===================================
    Can you tell me what these entries are? Lines and lines of them- you shouldn't be loading the system with more and more files while I'm helping you clean it!

    + 2010-04-05 17:14 . 2010-04-05 17:14 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\4b87ca3482a3c0ee733e028ecee7de65\System.Web.DynamicData.Design.ni.dll


    They are all on 4/5/2010, all using C:\WINDOWS\assembly\NativeImages_v2.0.50215_32\System.Web\4f4928ed491b4d36bf9f5755e45b1f7a\
  18. smk.bluebird

    smk.bluebird Newcomer, in training Topic Starter Posts: 28

    Dear Bob,

    Sorry for what has happened. I don't know how these many files are added. One that is on 05/04/2010 was I downloaded the image from my Nokia. Else I don't understand what has happened. From today I will try and stop all my activities as possible.

    I am also attaching the ComboFix tool log which was made today. This is after adding the script file as advised by you.

    Thanks in advance

    Attached Files:

  19. smk.bluebird

    smk.bluebird Newcomer, in training Topic Starter Posts: 28

    Hi Bob,
    Something has happened after that scan; nowadays I am not getting that as home page.

    Still I am worried whether it is in my system / in any of the pen drives I am using.

    Also I remember last time when we got this virus my wifey clicked the Windows firewall notification tray (at least she claims so).

    Even now I get this notification though my Avast is running. I don't know what to do.
    Please help me.

    Thanks in advance.
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    We aren't communicating very well. You asked to get rid of assistmypc.org. It was set as your homepage and until the Firefox entry is removed and the homepage is reset, it's not going to stay away. So do the removal once more. None of the logs you have left indicate the removal was attempted.


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    Extra::
    Firefox::
    Firefox-: Profile-  c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pa6hia1r.default\
    Firefox-: prefs.js:  Startup.homepage
    
    Folder::
    
    Registry::
    
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    You can do one more step and that is to block the Domain in the browser. Please do the following-in Firefox
    Open Firefox> Tools> Options> Security> check all 3 boxes in the top section> click on Exceptions and type the following in:
    *.assistmypc.org
    Then click on Block
    Close
    ==============
    You can also reset the Firefox Cookies as follows:
    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    This should keep that Domain out of the system.
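
The homepage entry named in the two CFScript posts lives in the profile's prefs.js as a `user_pref("browser.startup.homepage", ...)` line. The following is an added example, not part of Bobbye's posts or of ComboFix: a read-only check that parses that file format and reports whether the homepage still points at the domain. It goes one step beyond the thread by also reading user.js, which Firefox applies over prefs.js at every start; the file contents, `www.example.test` and the `www.` name are constructed.

```python
import re
from urllib.parse import urlparse

# One preference per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')
HOMEPAGE = "browser.startup.homepage"

# Constructed sample contents (not taken from the poster's logs). URLs are
# defanged as hxxp://, the way the thread's ComboFix script shows them.
SAMPLE_FILES = {
    "prefs.js": 'user_pref("browser.startup.page", 1);\n'
                'user_pref("browser.startup.homepage", "hxxp://assistmypc.org/");\n',
    "user.js":  'user_pref("browser.startup.homepage", '
                '"www.example.test|hxxp://www.assistmypc.org/start");\n',
}

def parse_prefs(text):
    """Return {name: value} for each user_pref() line; a later line overrides."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # strip the quotes of string values
            prefs[m.group(1)] = value
    return prefs

def homepage_hosts(value):
    """The homepage pref may list several URLs separated by '|'."""
    hosts = []
    for url in (u.strip() for u in value.split("|")):
        if not url or url.startswith("about:"):
            continue
        # Any scheme (including the defanged hxxp) parses once '//' is present.
        host = urlparse(url if "://" in url else "http://" + url).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def find_hijack(files, domain):
    """Return (file, host, value) where the homepage is domain or a subdomain."""
    findings = []
    for name, text in files.items():
        value = parse_prefs(text).get(HOMEPAGE)
        for host in homepage_hosts(value or ""):
            if host == domain or host.endswith("." + domain):
                findings.append((name, host, value))
    return findings

if __name__ == "__main__":
    for name, host, value in find_hijack(SAMPLE_FILES, "assistmypc.org"):
        print(f"{name}: homepage points at {host} ({value})")
```

To check a real profile, read prefs.js and user.js (if present) from the profile folder into the `files` dictionary with Firefox closed.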
  21. jobeard

    jobeard TS Ambassador Posts: 13,010   +218

    fast and permanent means to inhibit assistmypc.org
    in the file
    \windows\system32\drivers\etc\hosts
    reset the R/O using

    attrib -r \windows\system32\drivers\etc\hosts
    then edit the file and insert

    127.0.0.1 .assistmypc.org
    save
    and protect it again

    attrib +r \windows\system32\drivers\etc\hosts

    restart your DNS
    net stop "dns client"
    net start "dns client"
    if your browser home page still points there, (which Bobbye is trying to get you to delete)
    you will get an error, something like 404 Page Not Found
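
Hosts-file entries are matched as literal host names, one name per entry, with no wildcard or leading-dot form. The added example below (not part of jobeard's post) parses hosts-file text and reports which of the names a browser would actually request are mapped to a loopback address, and which lines would still be needed. The sample file contents and the `www.` name are constructed.

```python
# Addresses that send a name nowhere useful (loopback / unspecified).
SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a localhost line plus the entry as written in the post.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 .assistmypc.org
"""

def parse_hosts(text):
    """Return {name: address}; '#' comments and blank lines are ignored."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:            # one address may carry several names
            table.setdefault(name.lower(), fields[0])   # keep first mapping seen
    return table

def coverage(text, names):
    """For each requested name, is there an exact entry pointing at a sink?"""
    table = parse_hosts(text)
    return {n: table.get(n.lower()) in SINKS for n in names}

def lines_to_add(text, names, sink="127.0.0.1"):
    """Hosts lines still needed so that every listed name is sunk."""
    covered = coverage(text, names)
    return [f"{sink} {n}" for n in names if not covered[n]]

if __name__ == "__main__":
    wanted = ["assistmypc.org", "www.assistmypc.org"]
    print(coverage(SAMPLE_HOSTS, wanted))
    print(lines_to_add(SAMPLE_HOSTS, wanted))
```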
  22. smk.bluebird

    smk.bluebird Newcomer, in training Topic Starter Posts: 28

    Dear Bob,

    Thanks for reverting. I had done exactly as said by you.

    The following is what happened:

    1. I did the script file.
    2. I dragged it into the ComboFix file.
    3. ComboFix got loaded.
    4. It asked me to allow download of the recent version.
    5. I said OK.
    6. It downloaded and started to scan.
    7. After ten minutes the log was created.
    8. The log is attached for your reference.

    Thanks.

    Attached Files:

  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    It appears that your homepage has been reset correctly. And you should not be getting assistmypc.org. Let me know if this is correct and I'll have you remove the cleaning tools.
  24. smk.bluebird

    smk.bluebird Newcomer, in training Topic Starter Posts: 28

    Yes Bob, you are right. My home page is reset. (Hurrah) for beating this adware.

    Thanks Bob, it is a great job.

    Our forum has never failed us.
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    You're welcome. Glad it finally worked out!

    Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Please let me know if I can be of help in the future. I'll close this thread now since the problem has been resolved.