Just FYI, I battled this one all day a couple days ago, or at least it was one where HelpAssistant seemed involved. Client's computer is an XP Pro, Media Center Edition, HP Pavilion, Pentium D 2.8GHz, 2 Gigs RAM. Looking into the HelpAssistant's files I could see a complete copy of the sole user's (HP_Administrator) My Documents, which might help explain all the thrashing at startup.
The main symptoms I was called in to address were slow boot up with lots of disk activity and then system crashes after about 7 minutes of up time. Mostly it would hang by not recognizing keyboard commands and then clicking on things with the mouse would produce no result, which I suspect was the system running out of resources (RAM). I came to believe this virus/malware is just poorly written code-housekeeping-wise and unintentionally eats up RAM until none is left by not releasing memory properly (like a couple of times when I tried to run a tool from Kaspersky, a 1 gig .exe, it might say not enough memory). I read this "weird freezing" was happening in 10 minutes to another similarly infected computer.
The computer was remarkably "clean" as the user regularly ran Windows Cleanup, Defrag and Windows Update. It was running a legit copy of Kaspersky Internet Security 2009 when infected; infection became noticed around last Thursday, December 24th. Kaspersky would not uninstall nicely. I had to reinstall it and use their removal tool to uninstall it. ComboFix (as of yesterday) saw Rootkit activity, and so rebooted to proceed further but apparently didn't fully remove it. Malwarebytes quick scan saw Rootkit problems but didn't fully remove it either. However the slow boot was resolved by that point. Crashing still remained but only as quickly when I ran IE8 it seemed, even after resetting IE8 (Advanced Menu--Reset). I could sometimes go 30 minutes or more running Firefox or Chrome, the time just depended on what I was doing with the computer.
I booted into Microsoft Recovery Console and did the FixMBR command, then ran ComboFix again and Malwarebytes quick scan. I installed AVAST and had it do its Scan-on-Boot scan (didn't seem to find anything). I next ran the Windows XP SP3 Post Updates from logistixonline.com mainly because I wanted to redo IE8 even further than its own Reset feature, and when I went to run it afterwards it did a reinstall by downloading the IE8 package from Microsoft, which I didn't expect it to do but was okay with. Finally I also put SuperAntiSpyware (trial) on it, for now. (Note: The client uses Yahoo Webmail and another symptom became IE8 would not download even the small .txt attachments he needed to download each day; they would never finish downloading and would not get to the Save As screen. They would download instantly in Firefox though. When I was done this worked again too.)
After all that it has run without a crash, running IE8 etc. Full scans of Malwarebytes and SuperAntiSpyware don't find anything. Seems to be okay for now. I've left the HelpAssistant account on for now, taking it out of the Administrators Group and disabling it. I've also turned off Remote Assistance and Remote Desktop. The HP_Administrator account even has a password now.
Edited by rgreenlee, 30 December 2009 - 03:39 AM.