
HelpAssistant Problem


21 replies to this topic

#1 Shanmugaraja

Shanmugaraja

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:00 AM

Posted 26 November 2009 - 03:02 PM

Hi,

I have an issue with my laptop, which runs Windows XP Professional SP3.

I ran Malwarebytes' Anti-Malware to clean up my system for malware and found a few infections. I also tried to remove them and it said they were removed, but after restarting the computer I found the system to be slow, hence I scanned it again using Malwarebytes. The same infections popped up again. I tried to see what file it is, and it led me to c:/Docu..Settings/shanshe/ApplicationData/Macromedia/Common/bf48c02419.exe and the registry entry related to it.

So I deleted those files (the same-named .dll and .exe files in the above-mentioned folder), but after the restart it popped up again. I thought of disabling all unwanted startup options, so I opened the SysConfig utility and tried to disable them, and it said "Access Denied". I smelt something fishy and was trying to see what was wrong when I noticed there was a folder called HelpAssistant; after googling, I realised it to be a common folder. As I already knew about BleepingComputer, I have landed here in the hope you can help me clean my system. Can you please?

Many thanks and kind regards,
Shan


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,949 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:00 AM

Posted 26 November 2009 - 05:57 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.


#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:00 AM

Posted 26 November 2009 - 07:53 PM

Hello and welcome. Please post the MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it, and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 method:
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs, and let us know how the PC is running now.

Edited by boopme, 27 November 2009 - 03:42 PM.


#4 Shanmugaraja

Shanmugaraja
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:00 AM

Posted 27 November 2009 - 07:01 AM

Hi,

Here are the logs

Malwarebytes Log:
===================MBAM Log==============================
Malwarebytes' Anti-Malware 1.41
Database version: 3237
Windows 5.1.2600 Service Pack 3

11/27/2009 10:46:28 AM
mbam-log-2009-11-27 (10-46-17).txt

Scan type: Quick Scan
Objects scanned: 131673
Time elapsed: 13 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wab (Trojan.Dropper) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HelpAssistant\Application Data\Macromedia\Common\bf48c0241.dll (Hijack.Sound) -> No action taken.
===================MBAM Log Ends Here=======================






SUPER AntiSpyware Log:
===================SUPER AntiSpyware Log==============================
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/27/2009 at 05:10 PM

Application Version : 4.31.1000

Core Rules Database Version : 4314
Trace Rules Database Version: 2177

Scan type : Complete Scan
Total Scan Time : 02:07:48

Memory items scanned : 390
Memory threats detected : 0
Registry items scanned : 6017
Registry threats detected : 0
File items scanned : 126827
File threats detected : 3

Trojan.SpoolSV-Fake
C:\WINDOWS\$NTSERVICEPACKUNINSTALL$\SPOOLSV.EXE

Trojan.SVCWINRA
C:\WINDOWS\RESFILTER32.EXE
C:\WINDOWS\SVCWINRA.EXE

===================SUPER AntiSpyware Log Ends Here=======================

Please let me know your feedback and what to do next.

Thanks and kind regards,
Shan
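The interesting part of the MBAM log above is the block of Drivers32 entries. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 maps the multimedia driver aliases (aux, midi, mixer, wave and their numbered variants) to the user-mode driver DLL that winmm.dll loads; normally that is wdmaud.drv from system32, which is exactly the "Good" value MBAM reports. Every alias here has been pointed at bf48c0241.dll under a user profile directory, so the DLL gets loaded into any process that uses the winmm audio API, and it keeps coming back after the .exe and the Run entries are deleted, which matches what the original post describes. As an added example (mine, not the thread's or MBAM's), this Python script parses those detection lines, separates the persistence mechanisms, flags Drivers32 values that are full paths into a user profile, and notes that every line still reads "No action taken". The log lines are quoted from the post; the user-profile path markers are my heuristic.

```python
import re

# The detection lines from the MBAM log posted above, copied verbatim from the thread.
MBAM_DETECTIONS = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wab (Trojan.Dropper) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\shanshe\APPLIC~1\MACROM~1\Common\bf48c0241.dll) Good: (wdmaud.drv) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\Macromedia\Common\bf48c0241.dll (Hijack.Sound) -> No action taken.
"""

# One MBAM detection line: "<item> (<detection>) -> [Bad: (<bad>) Good: (<good>) -> ]<action>"
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^()]*)\) Good: \((?P<good>[^()]*)\) -> )?"
    r"(?P<action>.+)$"
)

# Path fragments that mark a per-user profile directory (8.3 and long forms); my heuristic.
USER_PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\",
                        "\\applic~1\\", "\\application data\\")


def parse_mbam(text):
    """Return one dict per detection line; lines that are not detections are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["action"] = e["action"].rstrip(".")
            entries.append(e)
    return entries


def in_user_profile(path):
    p = path.lower()
    return any(marker in p for marker in USER_PROFILE_MARKERS)


def triage(entries):
    """Group detections by persistence mechanism and count what was left in place."""
    report = {"drivers32_hijacks": [], "run_entries": [], "files": [],
              "payload_dlls": set(), "not_removed": 0}
    for e in entries:
        item = e["item"]
        if e["action"].lower() == "no action taken":
            report["not_removed"] += 1
        if "\\Drivers32\\" in item:
            alias = item.rsplit("\\", 1)[1]          # aux1, wave2, ...
            bad = e["bad"] or ""
            # Legitimate Drivers32 values are bare driver names resolved from system32
            # (e.g. wdmaud.drv). A full path, above all one inside a user profile,
            # points winmm.dll at a DLL any process running as that user can overwrite.
            if "\\" in bad or in_user_profile(bad):
                report["drivers32_hijacks"].append((alias, bad, e["good"]))
                report["payload_dlls"].add(bad.rsplit("\\", 1)[-1].lower())
        elif "\\CurrentVersion\\Run\\" in item:
            report["run_entries"].append(item.rsplit("\\", 1)[1])
        elif re.match(r"^[A-Za-z]:\\", item):
            report["files"].append(item)
            report["payload_dlls"].add(item.rsplit("\\", 1)[-1].lower())
    return report


def summarize(report):
    """Lines a helper would post back to the user."""
    lines = []
    if report["drivers32_hijacks"]:
        aliases = ", ".join(a for a, _, _ in report["drivers32_hijacks"])
        lines.append("Drivers32 aliases hijacked (%s): the DLL named there is loaded into any "
                     "process that uses the winmm audio API, so it survives deleting the Run "
                     "entries and the dropped .exe." % aliases)
    if report["run_entries"]:
        lines.append("HKCU Run entries: " + ", ".join(report["run_entries"]))
    if report["payload_dlls"]:
        lines.append("Payload DLL(s): " + ", ".join(sorted(report["payload_dlls"])))
    if report["not_removed"]:
        lines.append("%d item(s) left in place ('No action taken'): Remove Selected was not "
                     "clicked, so nothing has been cleaned yet." % report["not_removed"])
    return lines


if __name__ == "__main__":
    for line in summarize(triage(parse_mbam(MBAM_DETECTIONS))):
        print(line)
```

The heuristic is deliberately narrow: it does not try to know every legitimate Drivers32 value, only that a legitimate one is a bare file name, so any value containing a path separator is worth a look.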

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:00 AM

Posted 27 November 2009 - 03:56 PM

Hi Shan. The "No action taken" in the MBAM log may mean you did not click the Remove Selected button after the scan. If that is the case, update and rescan.

Are you still dealing with a HelpAssistant problem?



It appears the user account "HelpAssistant" is enabled and that there is an infection in the MBR (Master Boot Record).

Before proceeding here, see step One here and back up your data!

Start XP recovery console from XP CD and run fixmbr.
After a reboot, disable HelpAssistant account and remove it from Administrators group. See below ***

Be very very cautious in the XP recovery console. It is not for casual users to use. It is a cryptic command line interface.

You can download a disk diagnostic tool from the website of the hard drive manufacturer. If necessary you can download a bootable version of the diagnostic from there and boot from it to test your hard drive.

Recovery Console tutorial located here: http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/
This is for the chkdsk, fixmbr, fixboot, and bootcfg commands if you can't get into Windows

Here's a link to an ISO of the XP Recovery Console if you don't have an XP CD. Search Google for "burn an ISO" (without the quotes) for tools and instructions on how to make a bootable CD. http://www.thecomputerparamedic.com/files/rc.iso




***Please follow these steps:


- Right Click on My Computer and select Manage

- Within the Computer Manager window, double click on Local Users and Groups

- Double click on the Users folder

- On the right side of that window, you will see all of the available user accounts within your computer. Right Click on the HelpAssistant user account and select Properties

- In the HelpAssistant Properties window, you will see an option to disable the account. Place a check mark in the box next to that option

- Click OK twice to close those windows

- Close the Computer Management window

- Restart the computer


Once you restart, the HelpAssistant user profile should not be listed under Documents and Settings. If it is, simply delete it. Since you have disabled that user account, you will no longer continue to "lose" hard drive space. Please let us know if you have any problems. (Thx to mphenterprises)



If this is all too much for you to attempt then let me know and we can move you to guided assistance.

Edited by boopme, 27 November 2009 - 04:13 PM.

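The Computer Management steps above can be checked and undone from a command prompt as well, which is handy when the GUI is the thing refusing with "Access Denied". HelpAssistant is the built-in Remote Assistance account: Windows XP ships it disabled and it is not a member of Administrators, so either of those being true without an open Remote Assistance session is a finding. As an added example (mine, not the thread's), this Python script parses the text that `net user HelpAssistant` prints, reports the two conditions the post describes, and prints the `net` commands that disable the account and drop it from Administrators. The two sample outputs are constructed to match the XP layout and are not captures from the poster's machine; the exact column spacing is an assumption, which is why the parser splits on runs of two or more spaces rather than fixed columns.

```python
import re
import subprocess
import sys

# Constructed sample of `net user HelpAssistant` output in the Windows XP layout; NOT a
# capture from the poster's machine. It models the state the thread describes: the built-in
# Remote Assistance account switched on and placed in Administrators.
SAMPLE_SUSPICIOUS = """\
User name                    HelpAssistant
Full Name                    Remote Desktop Help Assistant Account
Comment                      Account for Providing Remote Assistance
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory

Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
The command completed successfully.
"""

# Constructed sample of the shipped state: disabled, no local group memberships.
SAMPLE_DEFAULT = """\
User name                    HelpAssistant
Full Name                    Remote Desktop Help Assistant Account
Account active               No
Account expires              Never

Local Group Memberships      *None
Global Group memberships     *None
The command completed successfully.
"""


def parse_net_user(text):
    """Turn `net user <name>` output into a dict; label and value are separated by 2+ spaces."""
    info, last_key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("The command"):
            continue
        if line[0].isspace() and last_key:
            # net.exe wraps long membership lists onto indented continuation lines
            info[last_key] += " " + line.strip()
            continue
        parts = re.split(r"\s{2,}", line.rstrip(), maxsplit=1)
        if len(parts) == 2:
            info[parts[0]] = parts[1]
            last_key = parts[0]
    return info


def groups(info, key):
    """Split a '*Group1  *Group2' membership value into names; '*None' means none."""
    names = [g.strip() for g in info.get(key, "").split("*") if g.strip()]
    return [g for g in names if g.lower() != "none"]


def helpassistant_findings(info):
    findings = []
    if info.get("Account active", "").lower().startswith("yes"):
        findings.append("HelpAssistant is enabled; XP ships it disabled and only an active "
                        "Remote Assistance session should turn it on")
    if "administrators" in (g.lower() for g in groups(info, "Local Group Memberships")):
        findings.append("HelpAssistant is in the local Administrators group, which is not "
                        "its default membership")
    return findings


def remediation():
    """net.exe equivalents of the Computer Management steps in the post above."""
    return ["net user HelpAssistant /active:no",
            "net localgroup Administrators HelpAssistant /delete"]


def main():
    if sys.platform == "win32":
        raw = subprocess.check_output(["net", "user", "HelpAssistant"]).decode(errors="replace")
    else:
        raw = SAMPLE_SUSPICIOUS     # off Windows: demonstrate on the constructed sample
    findings = helpassistant_findings(parse_net_user(raw))
    for f in findings:
        print("FINDING:", f)
    if findings:
        print("Fix with:", " && ".join(remediation()))
    return findings


if __name__ == "__main__":
    main()
```

Run it from an administrator command prompt on the affected machine; on anything other than Windows it only exercises the constructed sample. The remediation commands are printed, not executed, so the operator decides when to apply them.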

#6 Shanmugaraja

Shanmugaraja
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:00 AM

Posted 28 November 2009 - 04:34 PM

Hi,

I had not removed the infections via MBAM as I thought you asked me only to scan. Anyway, now I did that, disabled the HelpAssistant account, and restarted, and I did not find the system any better.

Fortunately I already had the Recovery Console installed and, as you said, I ran fixmbr to fix the boot record. After this it said the MBR was successfully created and the system looked to be back to normal.

But now a mysterious problem: I am not able to connect to the internet at all! i.e. my wireless says it's enabled, device working fine, but it just doesn't detect any wireless networks, whereas my other notebook (this one) does. That's the reason why I am unable to give any log.

I really hope this can be solved by you quickly.

Kind regards,
Shan

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:00 AM

Posted 28 November 2009 - 06:07 PM

Ok, see if this fixes your net issues.

Go to Start > Run and type in cmd.
A DOS window will appear.
Type in the DOS window: netsh winsock reset
Press the Enter key.

Reboot your system to complete the process.


OR
Go to Start > Run > type: "cmd". In the window that appears type: "ipconfig /flushdns". Close the command box.

OR
Go to Start > Control Panel > Network Connections. Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and choose Properties. Double-click on the Internet Protocol (TCP/IP) item. Select the radio button that says "Obtain DNS servers automatically". Reboot. Warning: Some Internet Service Providers need specific DNS settings. You need to make sure that you know if such DNS settings are required before you make this change.

#8 Shanmugaraja

Shanmugaraja
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:00 AM

Posted 29 November 2009 - 01:40 AM

No, I did that and it doesn't resolve the wireless network problem.

I am able to connect to the internet via LAN.
WLAN was working fine until I ran fixmbr.
Even now WLAN doesn't show any error with the device/driver; it says it's working fine and enabled, but it just doesn't detect any of the networks.

#9 Shanmugaraja

Shanmugaraja
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:00 AM

Posted 01 December 2009 - 07:17 AM

Hi,

I hope someone is still looking at my issue. Just a polite reminder.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:00 AM

Posted 01 December 2009 - 11:11 AM

Try running System Restore (Windows XP System Restore Guide) to a date before all this started. See if that fixes your connection. But we may have restored the malware as well, so we will need to rescan with SUPER and MBAM.

#11 Shanmugaraja

Shanmugaraja
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:00 AM

Posted 04 December 2009 - 05:04 PM

OK, I could restore the system back to its original state and also scanned with MBAM and SUPER. It looks OK now. But you said the Master Boot Record is corrupted. How do I correct that now? Should I run fixmbr again?

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:00 AM

Posted 05 December 2009 - 11:37 AM

Let's check that out.

Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

Edited by boopme, 05 December 2009 - 11:38 AM.


#13 Shanmugaraja

Shanmugaraja
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:00 AM

Posted 12 December 2009 - 05:18 AM

Hi,

Apologies for the delay, due to sickness.

Here is the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:00 AM

Posted 13 December 2009 - 02:38 PM

Ok much improved..

To remove the infection, run the command mbr.exe -f (note the space between the e and -f) from a command prompt. Reboot the machine, otherwise the next report may still show (false) infection. Then run mbr.exe again to confirm the removal.

Open Windows Explorer and rename the C:\mbr.log to C:\mbr.old
Go to Start > Run and type: cmd
press Ok.
At the command prompt, type: cd \
press Enter.
At the command prompt, type: mbr.exe -f
(make sure you have a space before the e and the -f)
press Enter.
At the command prompt, type: exit
press Enter.

It will produce a new report at C:\mbr.log. Please copy/paste the results in your next reply.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode, click the Update tab and select Check for Updates. When done,
click the Scanner tab, select Quick scan, and scan (normal mode).
After the scan click Remove Selected, post the new scan log, and reboot into normal mode.


We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Edited by boopme, 13 December 2009 - 02:50 PM.


#15 Shanmugaraja

Shanmugaraja
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:00 AM

Posted 13 December 2009 - 04:43 PM

Hi,

Here are the logs:

MBR log:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !

================================

MBAM log:
Malwarebytes' Anti-Malware 1.42
Database version: 3355
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/14/2009 2:29:39 AM
mbam-log-2009-12-14 (02-29-39).txt

Scan type: Quick Scan
Objects scanned: 131651
Time elapsed: 32 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


=============================
RootRepeal report to follow shortly.
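The mbr.exe logs in posts #13 and #15 say two different things at once. "user & kernel MBR OK" means the boot sector the kernel reads matches what user mode reads, so fixmbr did rewrite sector 0 and no filter is hiding it any more. The three lines after it show that the rootkit's saved copy of the original MBR, its code and a PE file are still sitting in the sectors from 0x0950E4C1 onward, which is why the helper still asks for `mbr.exe -f` and then a re-scan, with the old mbr.log renamed first so the two reports cannot be confused. As an added example (mine, not the thread's or GMER's), this Python script parses such a log, classifies it as hooked, residual or clean, turns the sector numbers into byte offsets, and checks whether a re-scan reports anything different from the previous one. The two thread logs are quoted as posted; the hooked and clean samples are constructed and only modelled on the tool's wording; 512-byte sectors are an assumption.

```python
import re

SECTOR_BYTES = 512  # mbr.exe prints LBA sector numbers; 512-byte sectors assumed

# mbr.exe output as posted in this thread (post #13, before `mbr.exe -f`).
LOG_POST13 = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
"""

# The log posted after `mbr.exe -f` (post #15) is identical to the one above.
LOG_POST15 = LOG_POST13

# Constructed samples, not from the thread, of the same tool's output for an actively
# hooked MBR and for a clean disk; the wording is modelled on the tool's messages.
LOG_HOOKED = """\
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit code detected !
"""

LOG_CLEAN = """\
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

SECTOR_RE = re.compile(r"sector(?: at)? (0x[0-9A-Fa-f]+|\d+)")


def sector_number(line):
    m = SECTOR_RE.search(line)
    if not m:
        return None
    s = m.group(1)
    return int(s, 16) if s.lower().startswith("0x") else int(s, 10)


def parse_mbr_log(text):
    """Pull the verdict lines out of an mbr.exe log."""
    r = {"mbr_consistent": None, "mbr_copy": None, "malicious_code": None,
         "pe_file": None, "rootkit_flagged": False}
    for raw in text.splitlines():
        line = raw.strip()
        if "user & kernel MBR OK" in line:
            r["mbr_consistent"] = True      # kernel and user-mode reads of sector 0 agree
        elif "user != kernel MBR" in line:
            r["mbr_consistent"] = False     # they disagree: something is filtering sector 0
        elif line.startswith("copy of MBR has been found"):
            r["mbr_copy"] = sector_number(line)
        elif line.startswith("malicious code @ sector"):
            r["malicious_code"] = sector_number(line)
        elif line.startswith("PE file found in sector"):
            r["pe_file"] = sector_number(line)
        elif "MBR rootkit code detected" in line:
            r["rootkit_flagged"] = True
    return r


def classify(r):
    """ACTIVE: MBR hooked now. RESIDUAL: sector 0 fine, payload sectors still on disk. CLEAN."""
    if r["mbr_consistent"] is False or r["rootkit_flagged"]:
        return "ACTIVE"
    if r["mbr_consistent"] and any(r[k] is not None for k in ("mbr_copy", "malicious_code", "pe_file")):
        return "RESIDUAL"
    if r["mbr_consistent"]:
        return "CLEAN"
    return "UNKNOWN"


def byte_offset(sector):
    return sector * SECTOR_BYTES


def unchanged(before_text, after_text):
    """True when a re-scan reports exactly the same findings as the previous one."""
    return parse_mbr_log(before_text) == parse_mbr_log(after_text)


ADVICE = {
    "ACTIVE": "boot sector is hooked: run mbr.exe -f (or fixmbr from the Recovery Console) and re-scan",
    "RESIDUAL": "sector 0 is clean but the saved MBR copy and payload sectors remain: run mbr.exe -f and re-scan",
    "CLEAN": "no MBR rootkit indicators",
    "UNKNOWN": "log incomplete; re-run the tool",
}

if __name__ == "__main__":
    for name, text in (("post #13", LOG_POST13), ("hooked sample", LOG_HOOKED), ("clean sample", LOG_CLEAN)):
        r = parse_mbr_log(text)
        v = classify(r)
        print("%s: %s (%s)" % (name, v, ADVICE[v]))
        if r["malicious_code"] is not None:
            print("  malicious code at sector 0x%X = byte offset %d" % (r["malicious_code"], byte_offset(r["malicious_code"])))
    if unchanged(LOG_POST13, LOG_POST15):
        print("post #15 reports the same sectors as post #13: re-run with the old mbr.log renamed first, as asked")
```

The comparison is the part worth keeping: after a fix step, the only useful question is whether the re-scan differs from the scan before it, and a log that is byte-for-byte the same either predates the fix or shows it had no effect.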



