
Help Assistant Removal


  • This topic is locked
12 replies to this topic

#1 caronsale

caronsale

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:33 PM

Posted 29 March 2010 - 09:49 AM

Hi,

I am having this problem - a HelpAssistant folder is created in my Documents and Settings folder every time I reboot my computer.
I have many problems because of this.. like slow booting up... freezing computer..

Any help is really appreciated.
Thanks for your time and efforts in advance.

Disha



#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:33 AM

Posted 29 March 2010 - 10:31 AM

Hello, my name is Sempai and welcome to Bleeping Computer.
*We apologize for the delay. Forum has been busy.

* Please stay with me until I declare that your computer is clean as most users don't reply anymore once they found out that their computer is running smoothly, but absence of symptoms does not mean that a computer is free from infection.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.




+++++++++++++++++++


1. Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.



2. Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Copy and Paste the following code into the Custom Scan box. Do not include the word "Code"

    CODE

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them when you reply.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
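
As an added illustration, not part of sempai's post or of OTL itself: the sketch below assumes the /md5start ... /md5stop section of the custom scan makes OTL locate every copy of the listed files and report its MD5, and reproduces that sweep in Python so it can be run against a mounted copy of the system drive. The function names and the shortened WATCHED list are this example's own.

```python
import hashlib
import os
from collections import defaultdict

# Subset of the file names between /md5start and /md5stop in the post above.
WATCHED = {"atapi.sys", "iastor.sys", "eventlog.dll", "netlogon.dll", "scecli.dll"}


def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, names=WATCHED):
    """Return {file name: {md5: [paths]}} for every watched file under root."""
    wanted = {n.lower() for n in names}
    found = defaultdict(lambda: defaultdict(list))
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in wanted:
                continue
            path = os.path.join(folder, name)
            try:
                found[name.lower()][md5_of(path)].append(path)
            except OSError:
                # Locked or unreadable copies are worth a second look too.
                found[name.lower()]["<unreadable>"].append(path)
    return found


def divergent(found):
    """Names whose copies do not all share one hash; these need manual review."""
    return sorted(name for name, by_hash in found.items() if len(by_hash) > 1)


if __name__ == "__main__":
    import sys
    results = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name in divergent(results):
        print(name)
        for digest, paths in results[name].items():
            for p in paths:
                print(f"  {digest}  {p}")
```

A mismatch is a lead, not a verdict: backup copies left by an older service pack can legitimately differ, so each divergent hash still has to be compared with a known-good value for that Windows build.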


#3 caronsale


Posted 29 March 2010 - 01:28 PM

Hi Sempai,

I ran gmer.exe


Edited by caronsale, 30 March 2010 - 10:55 AM.


#4 caronsale


Posted 29 March 2010 - 02:03 PM

Ok Sempai..

Here are the files.. I reran OTL


Edited by caronsale, 30 March 2010 - 10:55 AM.


#5 caronsale


Posted 30 March 2010 - 08:06 AM

Hi Sempai,

Sorry for bugging you.. but did you happen to look at the logs?

Thanks
Disha

#6 sempai


Posted 30 March 2010 - 08:08 AM

Hi Disha,

Sorry for the delay, I have work on weekdays so I can only reply in my free time after work. I am currently reading your logs and will post the instructions after a few minutes. Thanks.

~Semp



#7 sempai


Posted 30 March 2010 - 08:25 AM

Hi, please do the following.

++++++++++++++


1. Download this tool and save it in your root directory (C:\): --> mbr.exe
Double click (Run as administrator for Vista) on mbr.exe and post the log it creates (or find it at C:\mbr.log).



2. Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you don't know how.

Please include the C:\ComboFix.txt in your next reply for further review.


~Semp




#8 caronsale


Posted 30 March 2010 - 09:36 AM

Thanks for the reply..

I had a question.. Does running Combofix.. crash the computer..
Do I need to back up my data?

This is my work computer.. so I really don't want that to happen..

I hope you understand.. and really appreciate your help..

#9 sempai


Posted 30 March 2010 - 09:51 AM

Making a backup is a good idea. Is this an office PC? Please make that clear before we proceed.

Combofix can cause irreversible damage if it's not used correctly.

Do not back up any programs/applications/installers like .exe, .scr, .htm, .html, .xml, .zip/.rar files...
The reason for this is that these files may be infected also. If you replace them after the reinstallation of the OS, it will surely reinfect you again.


~Semp



#10 caronsale


Posted 30 March 2010 - 10:01 AM

Sorry.. if I caused any problem.. but it is a work PC..

So if that's the case.. let it be.. and let me know if I have to uninstall OTL and GMER..

I was just totally done with this help assistant and our IT is too busy to handle it apparently...

Sorry again for causing you trouble but if you can just let me know what to do.. to uninstall OTL and GMER...

Thanks for the time and efforts

#11 sempai


Posted 30 March 2010 - 10:09 AM

Hi, I really want to help you but you must seek the help of your IT department first.

You can safely delete GMER.

To properly remove OTL:
  • Double click OTL.exe to launch the program.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet; if your firewall or other defensive programmes alert you, allow it access.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • When finished, exit out of OTL.
  • The tool will delete itself once it finishes; if not, delete it yourself.

~Semp





#12 caronsale


Posted 30 March 2010 - 10:54 AM

Thanks a lot Sempai..

Sorry for the trouble.. You can close the topic now...

#13 sempai


Posted 30 March 2010 - 11:15 AM

You're welcome.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.

~Semp





