assistmypc

Hi,
I guess this is a case of browser hijacking and I am not sure if this is the right place to ask this question.
My IE and Firefox home page always switches to assistmypc.org; no matter how many times I change my home page with it. I also tried using “hijackthis” and fixing the IE for a few days, and again this page comes back.
I would really like to remove this particular thing, any help is welcome.
Thanks.

Hi, I will need a quick look at your system first to see what is there.

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
[*]Reg - Shell Spawning
[*]File - Lop Check
[*]File - Purity Scan
[*]Evnt - EvtViewer (last 10)
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
[*]Click Add Reply
[*]Under the reply panel is the Attachments Panel
[*]Browse for the attachment file you want to upload, then click the green Upload button
[*]Once it has uploaded, click the Manage Current Attachments drop down box
[*]Click on http://www.geekstogo.com/forum/style_images/11168623649/folder_attach_images/attach_add.png to insert the attachment into your post

sorry it took a long time before I could reply…

here’s the log file…

thanks in advance.

No problems ;D

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1214440339-606747145-839522115-1003\] > -> 
YN -> HKEY_USERS\S-1-5-21-1214440339-606747145-839522115-1003\: Main\\"Start Page" -> http://assistmypc.org
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\ANIRBAN\Application Data\Mozilla\FireFox\Profiles\e4w0fs0o.default\prefs.js
YN -> browser.startup.homepage -> "http://assistmypc.org"
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1214440339-606747145-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1214440339-606747145-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{C55BBCD6-41AD-48AD-9953-3609C48EACC7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-1214440339-606747145-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1214440339-606747145-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Drive Security" -> C:\Documents and Settings\ANIRBAN\Application Data\services.exe ["C:\Documents and Settings\ANIRBAN\Application Data\services.exe"  ]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{95545264-ce83-11de-9913-002185c55ea8} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{95545264-ce83-11de-9913-002185c55ea8}\Shell\AutoRun\command -> 
YY -> \{95545264-ce83-11de-9913-002185c55ea8}\Shell\AutoRun\command\\"" -> K:\SecureDrive.exe [K:\SecureDrive.exe  ]
YN -> \{95545264-ce83-11de-9913-002185c55ea8} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{95545264-ce83-11de-9913-002185c55ea8}\Shell\Explore\Command -> 
YY -> \{95545264-ce83-11de-9913-002185c55ea8}\Shell\Explore\Command\\"" -> K:\SecureDrive.exe [K:\SecureDrive.exe  ]
YN -> \{95545264-ce83-11de-9913-002185c55ea8} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{95545264-ce83-11de-9913-002185c55ea8}\Shell\Open\Command -> 
YY -> \{95545264-ce83-11de-9913-002185c55ea8}\Shell\Open\Command\\"" -> K:\SecureDrive.exe [K:\SecureDrive.exe  ]
[Files/Folders - Modified Within 30 Days]
NY ->  821 C:\Documents and Settings\ANIRBAN\Local Settings\temp\*.tmp files -> C:\Documents and Settings\ANIRBAN\Local Settings\temp\*.tmp
NY ->  8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  249 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Custom Scans]
NY ->  1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp
[Alternate Data Streams]
NY -> @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A9662AE0
NY -> @Alternate Data Stream - 288 bytes -> C:\WINDOWS\explorer.exe:host.opts.db
NY -> @Alternate Data Stream - 8 bytes -> C:\WINDOWS\explorer.exe:extractor6.trg
NY -> @Alternate Data Stream - 896 bytes -> C:\WINDOWS\explorer.exe:httpcomm.set
NY -> @Alternate Data Stream - 9517 bytes -> C:\WINDOWS\explorer.exe:log.dump
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Malwarebytes’ Anti-Malware
Please download Malwarebytes’ Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
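
Added example, not part of the original thread or of OTS: a small Python triage pass over a few lines copied from the fix script above, showing why those entries stand out. The three heuristics (a core Windows process name outside System32, a MountPoints2 shell command, an alternate data stream on an executable) and all function names are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Core Windows process names that normally load only from System32.
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")

# Lines copied from the fix script posted in this thread.
SAMPLE = r'''
< Run [HKEY_USERS\S-1-5-21-1214440339-606747145-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1214440339-606747145-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Drive Security" -> C:\Documents and Settings\ANIRBAN\Application Data\services.exe ["C:\Documents and Settings\ANIRBAN\Application Data\services.exe"  ]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{95545264-ce83-11de-9913-002185c55ea8} -> 
YY -> \{95545264-ce83-11de-9913-002185c55ea8}\Shell\AutoRun\command\\"" -> K:\SecureDrive.exe [K:\SecureDrive.exe  ]
YY -> \{95545264-ce83-11de-9913-002185c55ea8}\Shell\Explore\Command\\"" -> K:\SecureDrive.exe [K:\SecureDrive.exe  ]
NY -> @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A9662AE0
NY -> @Alternate Data Stream - 288 bytes -> C:\WINDOWS\explorer.exe:host.opts.db
'''

def triage(log_text):
    """Return (reason, path, detail) tuples for entries worth a closer look."""
    findings, section = [], None
    for line in log_text.splitlines():
        line = line.strip()
        header = re.match(r"< (.+?) \[", line)
        if header:  # section header such as "< Run [hive] > -> key"
            section = header.group(1)
            continue
        parts = [p.strip() for p in line.split(" -> ")]
        if len(parts) < 3 or not parts[2]:
            continue  # key-only line with no target
        target = parts[2].split(" [")[0].strip()
        if parts[1].startswith("@Alternate Data Stream"):
            host, _, stream = target.rpartition(":")
            if host.lower().endswith((".exe", ".dll")):
                findings.append(("ads-on-executable", host, stream))
        elif section == "Run":
            exe = PureWindowsPath(target)
            if exe.name.lower() in SYSTEM_NAMES and exe.parent != SYSTEM32:
                findings.append(("system-name-outside-system32", target, parts[1].strip('"')))
        elif section == "MountPoints2":
            verb = re.search(r"\\Shell\\([^\\]+)\\command", parts[1], re.I)
            if verb:  # a shell verb on a mounted volume is redirected to a program
                findings.append(("volume-autorun-command", target, verb.group(1)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
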

I use ZoneAlarm basic firewall and I did observe that the following program “C:\Documents and Settings\user\Local Settings\Temp~DF47E1094544485EF.exe” asks permission to run, and even if you deny the permission to run, during next boot the home page in IE and Firefox changes to assistmypc.org. A search for the file and a properties lookup gives, in the program description: Network Access Protection Client UI, Company Microsoft Corporation, File version 5.1.2600.5512, file size 226 KB. I have observed this with IE8 and IE7. On my laptop, though using Windows, I never opened IE, and neither does the home page change nor do I have the above program asking permission. It may be a browser security flaw or a plugin issue.

I had the same problem…
It was fixed after I ran Malwarebytes…
Along with this my PC was also infected with “Adware Vundo/variant MSfake”
A ‘Security update’ started showing up in startup programs with a target file C:/program files/websecurity/services.exe. I think I got this via a pen drive which I used in a local net center.

Infection name was “Adware Vundo/variant MSfake”

Superantispyware free edition detected it and removed it. I hope it has been removed completely.

Hope it works…
All the best…

I ran the fix but it didn't throw any log file, instead my comp rebooted… after the reboot, I do not have any assistmypc in my IE or Firefox, as of now… so will check for a few days and will let you know if it comes back…
Thanks.

Glad to hear - I will wait for the "It has not returned" report ;D