
HelpAssistant Folder Created without permission


12 replies to this topic

#1 rknreb

rknreb

  • Members
  • 7 posts

Posted 13 January 2010 - 02:04 AM

Hello, I noticed a HelpAssistant folder created on my computer with all of my files present in the folder. I did not request this folder to be created. I have been reading about the same issue with other users. I don't want to harm my computer by following the advice given to others, so I would like to know how to solve this problem.

Windows XP Service Pack 2 is my operating system.

Thank You for reading.

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,386 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 January 2010 - 12:04 AM

It's possible that you have an infected Master Boot Record so lets check it to be sure.

Please download mbr.exe and save it to your desktop <- (Important!).
  • Double-click on mbr.exe and allow the mbr.sys driver to load if asked.
  • A black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved on your desktop.
  • Copy and paste the results of the mbr.log in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 rknreb

rknreb
  • Topic Starter

  • Members
  • 7 posts

Posted 15 January 2010 - 12:20 PM

Thank you for the quick response! Here is the log.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x85f27458
\Driver\atapi -> 0x8636b1f8
NDIS: Intel® PRO/Wireless 2915ABG Network Connection -> SendCompleteHandler -> 0x854bc450
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0BA4CF80
malicious code @ sector 0x0BA4CF83 !
PE file found in sector at 0x0BA4CF99 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,386 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 January 2010 - 12:45 PM

First, open Windows Explorer and rename the C:\mbr.log to C:\mbrold.txt <- if the extension does not show, you need to Reconfigure Windows to show hidden file extensions for known file types.

Make sure mbr.exe is placed in the root directory, usually C:\ <- (Important!).
Then go to Start > Run..., and in the Open dialog box, type: cmd
press Ok.
The command prompt needs to be at the root directory (C:\>_). To do that, type: cd \
press Enter.
At the command prompt C:\>_, type: mbr.exe -f
(make sure you have a space before the e and the -f)
press Enter.
At the command prompt, type: exit
press Enter.

A new report will be created at C:\mbr.log. Please copy and paste the results in your next reply.

-- If you're not sure how to use the command prompt, please refer to this guide: Introduction to the Command Prompt
-- Vista users can refer to these instructions to open a command prompt

Please download SystemScan and save it to your desktop.
  • Be aware that the file name will be randomly generated (e.g. sys95769.exe) to deceive malware which may attempt to disable it.
  • If any installed security tools (anti-virus) detects the file as malware or suspicious while downloading or attempting to run, ignore the alert.
  • Double-click on sys*****.exe to start the tool.
  • A read before proceeding disclaimer will appear.
  • Uncheck <- Unflag the checkbox to disable updates! next to the version number at the top.
  • After reading, check the box I have read and agree. Please let me...proceed!, then click the Proceed button.
  • When SystemScan opens, click the "Unselect all" button.
  • Important: Under "Make your choice and than click...", check the boxes next to:
    • PC accounts
  • Everything else should be unchecked.
  • Click "Scan Now".
  • Another warning box will appear. Please follow the instructions and click Ok.
  • Please be patient while the scan is in progress.
  • Systemscan will scan your computer and create a folder named suspectfile on the Desktop to save its report.
  • When the scan is complete, Notepad will automatically open a log file named report.txt with the results.
  • Copy and paste the contents of report.txt in your next reply.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.
Alternate download link 1
Alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- If Malwarebytes Anti-Malware results in any error messages, check the Help file's list of error codes within its program folder first. If you do not find any information, please refer to Common Issues, Questions, and their Solutions, Frequently Asked Questions. If the error you are receiving is not in the list, please report it here so the research team can investigate.

#5 rknreb

rknreb
  • Topic Starter

  • Members
  • 7 posts

Posted 15 January 2010 - 01:14 PM

I am currently scanning and will post results. When I first noticed the problem I ran Microsoft Security Essentials and this is what came up:

ALL REMOVED

Exploit: Java/CVE-2008-5353.b
Trojan:Java/Selace.A
Exploit: Win32/Pdjsc.CM
TrojanDownloader:Win32/Sinowal.!
PWS: Win32/Sinowal.gen!Q
Trojan: Java/Selace.B
Exploit: HTML/Repl.D

#6 rknreb

rknreb
  • Topic Starter

  • Members
  • 7 posts

Posted 15 January 2010 - 01:21 PM

Scan is done.


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x85f27458
\Driver\atapi -> 0x8636b1f8
NDIS: Intel® PRO/Wireless 2915ABG Network Connection -> SendCompleteHandler -> 0x854bc450
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0BA4CF80
malicious code @ sector 0x0BA4CF83 !
PE file found in sector at 0x0BA4CF99 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !



SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

Running on: Windows XP PROFESSIONAL Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Cameron\Desktop\sys27205.exe
Running in: User mode
Date: 1/15/2010
Time: 12:53:09 PM

Output limited to:
-PC accounts

===================== ACCOUNTS ON THIS PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
Yes | Cameron
| Guest
| SUPPORT_388945a0 (Disabled)

### users folders

07/09/2009 01:06:31 (DIR) 0 byte 130 days old -- All Users
07/09/2009 01:07:36 (DIR) 0 byte 130 days old -- Default User
07/09/2009 01:10:59 (DIR) 0 byte 130 days old -- NetworkService
07/09/2009 01:11:28 (DIR) 0 byte 130 days old -- LocalService
11/01/2010 03:23:42 (DIR) 0 byte 4 days old -- Cameron
11/01/2010 03:25:36 (DIR) 0 byte 4 days old -- Administrator
11/01/2010 13:06:25 (DIR) 0 byte 4 days old -- HelpAssistant
12/01/2010 18:17:05 (DIR) 0 byte 3 days old -- HelpAssistant.CAMCOMP

### startup files in users folders

C:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Cameron\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Cameron\Start Menu\Programs\Startup\MagicDisc.lnk
C:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\HelpAssistant\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\HelpAssistant\Start Menu\Programs\Startup\MagicDisc.lnk
C:\documents and settings\HelpAssistant.CAMCOMP\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\HelpAssistant.CAMCOMP\Start Menu\Programs\Startup\MagicDisc.lnk

==========================================
Scan completed in 0.1 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work




No Malicious Items were detected with Malwarebytes
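As an added example (not part of this thread and not SystemScan's own code), here is a Python script that automates the check quietman7 asked for with the "PC accounts" scan and the later "see if any leftover HelpAssistant folders remain" request: it reads the ACCOUNTS, users folders and startup sections of a SystemScan report and flags profile folders that do not belong to an enabled local account, that belong to a built-in support account such as HelpAssistant, that carry a ".COMPUTERNAME" duplicate-profile suffix, or that hold a copy of another user's Startup shortcuts (the MagicDisc.lnk duplication visible above). The sample report is constructed to mirror the one posted in this thread; the set of built-in account names and the "suspicious" rules are the script's own assumptions, not something the tool reports.

```python
"""Flag unexpected user-profile folders in a SystemScan "PC accounts" report.

Added example for this thread; not part of SystemScan. The rules below are
this script's own assumptions about what a leftover or cloned profile looks like.
"""
import re
from typing import Dict, List, Set

# Constructed sample, modelled on the SystemScan report posted in this thread.
SYSTEMSCAN_SAMPLE = r"""
===================== ACCOUNTS ON THIS PC =====================

Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
Yes | Cameron
| Guest
| SUPPORT_388945a0 (Disabled)

### users folders

07/09/2009 01:06:31 (DIR) 0 byte 130 days old -- All Users
07/09/2009 01:07:36 (DIR) 0 byte 130 days old -- Default User
07/09/2009 01:10:59 (DIR) 0 byte 130 days old -- NetworkService
07/09/2009 01:11:28 (DIR) 0 byte 130 days old -- LocalService
11/01/2010 03:23:42 (DIR) 0 byte 4 days old -- Cameron
11/01/2010 03:25:36 (DIR) 0 byte 4 days old -- Administrator
11/01/2010 13:06:25 (DIR) 0 byte 4 days old -- HelpAssistant
12/01/2010 18:17:05 (DIR) 0 byte 3 days old -- HelpAssistant.CAMCOMP

### startup files in users folders

C:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Cameron\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Cameron\Start Menu\Programs\Startup\MagicDisc.lnk
C:\documents and settings\HelpAssistant\Start Menu\Programs\Startup\MagicDisc.lnk
C:\documents and settings\HelpAssistant.CAMCOMP\Start Menu\Programs\Startup\MagicDisc.lnk
"""

# Profile folders every XP install has that are not interactive accounts.
SYSTEM_PROFILES = {"All Users", "Default User", "LocalService", "NetworkService"}
# Built-in XP support accounts: disabled by default, so a profile folder for them is unusual.
BUILTIN_SUPPORT_ACCOUNTS = {"HelpAssistant", "SUPPORT_388945a0"}

ACCOUNT_RE = re.compile(r"^(?P<admin>Yes)?\s*\|\s*(?P<name>\S+)(?P<disabled>\s+\(Disabled\))?$")
FOLDER_RE = re.compile(r"^\S+ \S+ \(DIR\) \d+ byte (?P<age>\d+) days old -- (?P<name>.+)$")
STARTUP_RE = re.compile(
    r"^[A-Za-z]:\\documents and settings\\(?P<profile>[^\\]+)\\.*\\Startup\\(?P<item>[^\\]+)$",
    re.IGNORECASE,
)


def parse_systemscan(text: str) -> Dict[str, dict]:
    """Pull the account table, profile folders and per-profile Startup items out of the report."""
    accounts: Dict[str, bool] = {}      # username -> enabled?
    folders: Dict[str, int] = {}        # profile folder -> age in days
    startup: Dict[str, Set[str]] = {}   # profile folder -> Startup items (desktop.ini ignored)
    for raw in text.splitlines():
        line = raw.strip()
        m = ACCOUNT_RE.match(line)
        if m:
            accounts[m.group("name")] = m.group("disabled") is None
            continue
        m = FOLDER_RE.match(line)
        if m:
            folders[m.group("name")] = int(m.group("age"))
            continue
        m = STARTUP_RE.match(line)
        if m and m.group("item").lower() != "desktop.ini":
            startup.setdefault(m.group("profile"), set()).add(m.group("item"))
    return {"accounts": accounts, "folders": folders, "startup": startup}


def flag_profiles(scan: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return {profile folder: [reasons]} for folders worth a closer look."""
    enabled = {name for name, ok in scan["accounts"].items() if ok}
    findings: Dict[str, List[str]] = {}
    for folder in scan["folders"]:
        if folder in SYSTEM_PROFILES:
            continue
        # Assumption: a dot in a folder name is the .COMPUTERNAME collision suffix,
        # not part of the username itself.
        base, _, suffix = folder.partition(".")
        reasons = []
        if base in BUILTIN_SUPPORT_ACCOUNTS:
            reasons.append("profile folder for a built-in support account")
        if base not in enabled:
            reasons.append("no enabled local account with this name")
        if suffix:
            # Windows appends .COMPUTERNAME when a profile name collides with an existing folder.
            reasons.append(f"duplicate-profile suffix .{suffix}")
        if reasons:
            # A cloned profile carries the real user's Startup shortcuts; report the overlap.
            for item in sorted(scan["startup"].get(folder, set())):
                others = sorted(p for p, items in scan["startup"].items()
                                if p != folder and p not in SYSTEM_PROFILES and item in items)
                if others:
                    reasons.append(f"startup item {item} also present in {', '.join(others)}")
            findings[folder] = reasons
    return findings


if __name__ == "__main__":
    for folder, reasons in flag_profiles(parse_systemscan(SYSTEMSCAN_SAMPLE)).items():
        print(folder)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, only the two HelpAssistant folders are reported; Cameron and Administrator are enabled accounts with no suffix, so they pass even though Cameron shares the MagicDisc.lnk shortcut with the suspect folders.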

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,386 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 January 2010 - 01:40 PM

Your log indicates: original MBR restored successfully !

We need to confirm the results.
Restart the computer <- Important! (otherwise the next report may falsely show the infection as still present)
Then run mbr.exe the same way you did the first time.
It will create a new mbr.log.
Copy and paste the results in your next reply.

Please download OTM by OldTimer and save to your Desktop.
  • Double-click on OTM.exe to launch the program. (If using Windows Vista, be sure to Run As Administrator)
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.
:Processes
explorer.exe

:Files
C:\documents and settings\HelpAssistant
C:\documents and settings\HelpAssistant.CAMCOMP

:Commands
[emptytemp]
[start explorer]
[reboot]
  • Return to OTM, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTM is a powerful program, designed to move highly persistent files and folders and is intended by the developer to be used under the guidance and supervision of a trained malware removal expert.



#8 rknreb

rknreb
  • Topic Starter

  • Members
  • 7 posts

Posted 15 January 2010 - 02:02 PM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0BA4CF80
malicious code @ sector 0x0BA4CF83 !
PE file found in sector at 0x0BA4CF99 !




All processes killed
Error: Unable to interpret <C:\documents and settings\HelpAssistant> in the current context!
Error: Unable to interpret <C:\documents and settings\HelpAssistant.CAMCOMP> in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: Cameron
->Temp folder emptied: 501018799 bytes
->Temporary Internet Files folder emptied: 42634412 bytes
->Java cache emptied: 9244 bytes
->FireFox cache emptied: 55447333 bytes
->Google Chrome cache emptied: 247207864 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: HelpAssistant
->Temp folder emptied: 343984982 bytes
->Temporary Internet Files folder emptied: 7582686 bytes
->Java cache emptied: 13300797 bytes
->FireFox cache emptied: 40557244 bytes
->Google Chrome cache emptied: 368715035 bytes

User: HelpAssistant.CAMCOMP
->Temp folder emptied: 229191285 bytes
->Temporary Internet Files folder emptied: 5544018 bytes
->Java cache emptied: 3846 bytes
->FireFox cache emptied: 5752400 bytes
->Google Chrome cache emptied: 1004752 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 141466 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 662702287 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 28572796 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2,437.00 mb


OTM by OldTimer - Version 3.1.6.0 log created on 01152010_135406

Files moved on Reboot...

Registry entries deleted on Reboot...
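As an added example (not code from this thread or from Gmer), here is a Python parser for the three mbr.log reports posted in this thread: the first (post #3) lists driver hooks and the "MBR rootkit infection detected" line, the second (post #6) adds "original MBR restored successfully", and the third (post #8, after the reboot) reports "user & kernel MBR OK" while still listing the same sector addresses. The classifier keeps those states apart so that the reboot-and-rescan confirmation quietman7 asked for is not skipped and a clean MBR is not mistaken for a live infection just because sector addresses are still printed. The sample logs are constructed copies of the posted ones (the "®" in the NDIS line dropped), and the verdict strings are this example's own wording.

```python
"""Classify Gmer mbr.exe output (mbr.log) into a clear verdict.

Added example for this thread; not Gmer's code. The verdict wording is this
script's own; the line patterns are the ones visible in the posted logs.
"""
import re
from dataclasses import dataclass, field
from typing import List

HEADER = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
"""

# Constructed copies of the three reports posted in this thread.
LOG_BEFORE_FIX = HEADER + r"""detected MBR rootkit hooks:
\Driver\ACPI -> 0x85f27458
\Driver\atapi -> 0x8636b1f8
NDIS: Intel PRO/Wireless 2915ABG Network Connection -> SendCompleteHandler -> 0x854bc450
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0BA4CF80
malicious code @ sector 0x0BA4CF83 !
PE file found in sector at 0x0BA4CF99 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""
LOG_AFTER_FIX = LOG_BEFORE_FIX + "original MBR restored successfully !\n"
LOG_AFTER_REBOOT = HEADER + """user & kernel MBR OK
copy of MBR has been found in sector 0x0BA4CF80
malicious code @ sector 0x0BA4CF83 !
PE file found in sector at 0x0BA4CF99 !
"""
LOG_CLEAN = HEADER + "user & kernel MBR OK\n"

# A hook line is "<driver or NDIS handler> -> ... 0x<address>" under the hooks heading.
HOOK_RE = re.compile(r"^(?P<target>.+?) -> .*0x[0-9A-Fa-f]+$")
SECTOR_RE = re.compile(r"sector (?:at )?(?P<lba>0x[0-9A-Fa-f]+)")


@dataclass
class MbrReport:
    hooks: List[str] = field(default_factory=list)      # hooked drivers / NDIS handlers
    sectors: List[int] = field(default_factory=list)    # LBAs the tool pointed at
    mbr_ok: bool = False                                # "user & kernel MBR OK" seen
    infection_detected: bool = False                    # "MBR rootkit infection detected" seen
    restored: bool = False                              # "original MBR restored successfully" seen


def parse_mbr_log(text: str) -> MbrReport:
    report = MbrReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
            continue
        m = HOOK_RE.match(line)
        if in_hooks and m:
            report.hooks.append(m.group("target"))
            continue
        in_hooks = False
        if line == "user & kernel MBR OK":
            report.mbr_ok = True
        elif line.startswith("MBR rootkit infection detected"):
            report.infection_detected = True
        elif line.startswith("original MBR restored successfully"):
            report.restored = True
        m = SECTOR_RE.search(line)
        if m:
            report.sectors.append(int(m.group("lba"), 16))
    return report


def verdict(report: MbrReport) -> str:
    """Order matters: a restore line wins over the hooks that were listed before it."""
    if report.restored:
        return "fix applied: reboot and run mbr.exe again to confirm"
    if report.infection_detected or report.hooks:
        return "infected: MBR rootkit hooks present"
    if report.mbr_ok and report.sectors:
        return "MBR OK: hooks gone, but the tool still points at leftover sectors"
    if report.mbr_ok:
        return "clean"
    return "inconclusive: no verdict line in log"


if __name__ == "__main__":
    for name, log in [("before fix", LOG_BEFORE_FIX), ("after fix", LOG_AFTER_FIX),
                      ("after reboot", LOG_AFTER_REBOOT), ("clean", LOG_CLEAN)]:
        print(f"{name:12s} -> {verdict(parse_mbr_log(log))}")
```

The post-reboot log is the case worth noticing: with no hooks and the "MBR OK" line present, the three sector lines are leftovers the tool still reports rather than a hooked boot path, which is the same reading the moderator gives in the next reply.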

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,386 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 January 2010 - 03:19 PM

The primary MBR infection has been neutralized.

Do a search of your machine to see if any leftover HelpAssistant folders remain.

Also let me know how your computer is running.

#10 rknreb

rknreb
  • Topic Starter

  • Members
  • 7 posts

Posted 15 January 2010 - 03:22 PM

There are 2 folders.

C:\Documents and Settings\HelpAssistant

C:\Documents and Settings\HelpAssistant.CAMCOMP


Computer is running fine. Will it be ok to delete the 2 help assistant folders?

#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,386 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 January 2010 - 03:28 PM

Yes you can remove those folders. That's what I tried to have OTM do but it threw an error while attempting to do that part but appears to have finished the rest of its routine successfully.

#12 rknreb

rknreb
  • Topic Starter

  • Members
  • 7 posts

Posted 15 January 2010 - 03:30 PM

Thank you so much. First virus ever and your help was invaluable.

#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,386 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 January 2010 - 03:33 PM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

Tips to protect yourself against malware and reduce the potential for re-infection:

Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, uTorrent). They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Porn sites can lead to the Trojan.Mebroot MBR rootkit and other dangerous malware. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

Beware of Rogue Security software as they are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy an application which claims to remove malware. For more specific information on how these types of rogue programs and infections install themselves, read:

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. To learn more about this risk, please read:

Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun
How to Maximize the Malware Protection of Your Removable Drives

Other related reading sources:

Finally, if you need to replace your anti-virus, firewall or need a reliable anti-malware scanner please refer to:



