
How to Remove HelpAssistant


30 replies to this topic

#1 madex01

madex01

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:46 PM

Posted 24 January 2010 - 10:47 AM

A short time ago I noticed that whenever I restarted my computer I could hear the processor continue to run for over 20 minutes after restart. Around this same time my anti virus SW, Avast, started reporting at various times finding the following in the HelpAssistant folder:

Sign of "Win32:Trojan-gen"
Sign of "Win32:Small-NEQ[Drp]"
Sign of "Win32:Spyware-gen[Spy]"
Sign of "Win32:Malware-gen"
Sign of "Win32:VB-OCM[Trj]"
Sign of "Win32:Mebload[Trj]"

Looking at the HelpAssistant folder, it appeared to be a mirror image of most of the folders under my current user. I attempted to delete the folder, but got an error (sorry, didn't write it down at the time) about a .dll file that was running and thus I couldn't delete. Looking under System Properties - User Profiles, I found OFFICE/HelpAssistant listed, and deleted it. However, when I restart it, the processor continues to run and the file and user show up again (I presume that the processor is running this long to create the HelpAssistant file, which is about 1.3 GB in size).

The computer is a Dell Dimension 4500S, with an Intel Pentium 4 CPU 1.8 GHz, 256 MB RAM
I have 27 GB of memory, with 21 GB free
I am running Windows XP, Home Edition, with SP3 installed.


Can anybody help me get rid of HelpAssistant from my system?

Thanks
Mark



#2 hamluis

hamluis

    Moderator


  • Moderator
  • 55,733 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:03:46 PM

Posted 24 January 2010 - 11:15 AM

Take a look, comments by mphenterprises, http://forums.pcworld.com/index.php?/topic...eeps-appearing/.

Louis

#3 madex01


Posted 24 January 2010 - 11:49 AM

Thanks Louis,


When I select Manage, I do not have a "Local Users and Groups" option. Reading further down the post you linked, it appears that others have the same problem. I also noticed that following these instructions did not resolve some of the problems, requiring a run of fixmbr in the XP recovery console. I understand doing this is not for the faint hearted, so before I go this route does anyone have any other suggestions or words of wisdom?

Thanks

Mark



I have pasted the procedure referenced from mphenterprises below as reference:

It appears like the user account "HelpAssistant" is enabled. If you simply want to disable this user, please follow these steps:

- Right Click on My Computer and select Manage

- Within the Computer Manager window, double click on Local Users and Groups

- Double click on the Users folder

- On the right side of that window, you will see all of the available user accounts within your computer. Right Click on the HelpAssistant user account and select Properties

- In the HelpAssistant Properties window, you will see an option to disable the account. Place a check mark in the box next to that option

- Click OK twice to close those windows

- Close the Computer Management window

- Restart the computer

#4 hamluis


Posted 24 January 2010 - 01:18 PM

<<Looking at the HelpAssistant folder,...>>

What is the file path for this folder? If it's a MS Office function, you should be able to turn it off in the Office configuration settings.

Louis

#5 madex01


Posted 24 January 2010 - 01:43 PM

Hi Louis,

The path is c:\Documents and Settings\HelpAssistant

Thanks

#6 hamluis


Posted 24 January 2010 - 02:06 PM

OK.

Then it should be reflected in User Accounts.

Go to Control Panel/User Accounts...and disable it or delete it. That should allow deletion of any folders for said user under Docs & Settings.

The MS Office Helper Assistant has nothing to do with this, since it's a function of having Office installed.

Louis

#7 madex01


Posted 24 January 2010 - 08:45 PM

Thanks, I had tried that but the problem is Helpassistant doesn't show up as a user, it only showed up when I went to Control Panel/System/Advanced/User Profiles/Settings. There I was able to remove it, however when I power back on it shows up again, which leads me to believe it is a virus or malware.

#8 hamluis


Posted 24 January 2010 - 09:32 PM

Hmmm...it could be something Dell installed as part of your system.

My systems don't have such and I'm not familiar with what Dell may have done...but this item seems to be related to Macromedia.

So...rather than guess...I will pass on a related post for you to read and reflect upon: http://www.bleepingcomputer.com/forums/t/274170/helpassistant-problem/.

Louis

#9 petewills

petewills

  • Members
  • 1,377 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Birmingham, UK
  • Local time:09:46 PM

Posted 25 January 2010 - 09:40 AM

Mark has mentioned his view that the problem may be a virus or malware
but does not say whether or not he has run anything other than the Avast
Anti-virus scanner.

Perhaps he should consider running the well-proven scanners,
Malwarebytes and SuperAntiSpyware and see if it makes any difference.
They may be able to remove the 'signs of' Trojans, etc. reported by
Avast and clean up the Help Assistant folder.

Louis, in your link to 'mphenterprises' there is reference to the inability
of Malwarebytes to remove one particular trojan (win32.mebroot.bz)
but I don't see this in the information given by Mark, so I would
still consider scans to be worthwhile.

#10 madex01


Posted 26 January 2010 - 08:54 PM

Thanks Pete, I also did run Malwarebytes, but forgot to mention it. I have run it several times since I first noticed the HelpAssistant issue and don't remember everything it removed, so I can't say for sure if it saw and removed that trojan or not. However the Helpassistant file still keeps showing up, but there are no detections by either Avast or MWB, just the computer taking 20 minutes to boot up.

#11 petewills


Posted 27 January 2010 - 09:23 AM

You know about fixmbr, which seems to have worked for some people. If you have a Windows XP disk and can boot
to the Recovery Console, see the following instructions, but back up your data first - there is divided opinion on
whether or not the command can destroy your data:

How To Repair the Master Boot Record In Windows XP

http://pcsupport.about.com/od/fixtheproblem/ht/repairmbr.htm

That might help with the HelpAssistant matter.

As regards startup problems:

1. Uncheck any unnecessary startup programs in msconfig
(start / run / type 'msconfig' without the quotes, click OK and choose startup tab);

(or download Autoruns and disable startup programs there, if you prefer):

http://autoruns.en.softonic.com/

2. If you can boot from a Windows XP CD,
you could run chkdsk /r from the Recovery Console
and perform a disk check.

3. Toggle your DMA on/off, see info below:

http://www.microsoft.com/whdc/device/storage/IDE-DMA.mspx

#12 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,946 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:46 PM

Posted 03 February 2010 - 12:19 AM

Hello madex01,

I have just been apprised that the problem you are experiencing is caused by a very bad rootkit which will require specialized tools restricted to the HJT forum to remove.

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==

If you cannot produce the DDS logs, then post back here and we will provide you with further instructions.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:46 PM

Posted 03 February 2010 - 01:22 PM

HelpAssistant is a MBR variant which infects the Master Boot Record.

...During infection, it copies itself to the %temp% folder and starts as a service. This service overwrites the MBR with its own code and keeps a backup of original MBR in sector 62. It also overwrites sector 60 and 61 with rootkit loader code and rootkit components in the last sectors of the active partition. Later it restarts the system. Upon reboot, the infected MBR takes control of the system and gives control to the rootkit loader code. The loader code then patches the kernel to load and start its rootkit component.

StealthMBR Rootkit

Since you have not followed OB's instructions yet, do this:

Please download mbr.exe and save it to your desktop <- (Important!).
  • Double-click on mbr.exe and allow the mbr.sys driver to load if asked.
  • A black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved on your desktop.
  • Copy and paste the results of the mbr.log in your next reply.
Also, go to Start > Control Panel > User Accounts, then C:\Documents and Settings\ and let me know if there is a HelpAssistant account listed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
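
The sector layout quoted in post #13, turned into a read-only check over a raw disk image; this is an added example, not part of the original thread and not how mbr.exe works. The function names, the constructed 64-sector sample images, and the premise that sectors 60 to 62 are empty on a clean disk are assumptions, and variants may place their data elsewhere.

```python
import struct

SECTOR = 512  # bytes per sector on the disks discussed in this thread

def sector(img: bytes, n: int) -> bytes:
    """Return sector n of a raw disk image (short/empty if out of range)."""
    return img[n * SECTOR:(n + 1) * SECTOR]

def looks_like_mbr(sec: bytes) -> bool:
    """A boot sector is 512 bytes and ends with the 0x55 0xAA signature."""
    return len(sec) == SECTOR and sec[510:512] == b"\x55\xaa"

def check_image(img: bytes) -> list:
    """Return findings that match the layout described in post #13."""
    mbr, backup = sector(img, 0), sector(img, 62)
    if not looks_like_mbr(mbr):
        return ["sector 0 has no 55AA signature; not an MBR disk image"]
    findings = []
    # A saved original MBR keeps the partition table (bytes 446-509)
    # but differs from the live sector 0 in its boot code (bytes 0-445).
    if (looks_like_mbr(backup) and backup[446:510] == mbr[446:510]
            and backup[:446] != mbr[:446]):
        findings.append("sector 62 holds a different MBR with the same partition table")
    # Assumption: sectors 60 and 61 are zero-filled on a clean disk.
    for n in (60, 61):
        if any(sector(img, n)):
            findings.append(f"sector {n} is not empty")
    return findings

def build_image(infected: bool) -> bytes:
    """Constructed sample image: filler bytes only, no real boot code."""
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 1000000)
    ptable = entry + bytes(48)                      # one partition, three empty slots
    original = b"\x90" * 446 + ptable + b"\x55\xaa"
    sectors = [bytes(SECTOR)] * 64
    sectors[0] = original
    if infected:
        sectors[0] = b"\xcc" * 446 + ptable + b"\x55\xaa"  # replaced boot code
        sectors[60] = sectors[61] = b"\xcc" * SECTOR         # stand-in loader data
        sectors[62] = original                               # saved original MBR
    return b"".join(sectors)

if __name__ == "__main__":
    for label, img in (("clean", build_image(False)), ("infected", build_image(True))):
        print(label, check_image(img) or "no findings")
```

A finding here is only a reason to look closer: boot managers and some licensing tools also write to the gap between the MBR and the first partition.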

#14 madex01

madex01
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:46 PM

Posted 06 February 2010 - 03:00 PM

OB and quietman,

Thanks for the feedback. My apologies for not replying sooner, but I have been away all week on business. Anyway, here is the logfile from mbr.exe

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x04A8D082
malicious code @ sector 0x04A8D085 !
PE file found in sector at 0x04A8D09B !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

Going to Start > Settings > Control Panel > User Accounts, Helpassistant is not listed (although every time I checked previously it had not been listed there either). It is still listed in c:\Documents and Settings\.

Should I still go ahead and produce the DDS logs?

#15 quietman7


Posted 06 February 2010 - 03:12 PM

Should I still go ahead and produce the DDS logs?

Not just yet or you will have to wait for assistance in the forum where they are to be posted and this thread will get closed.

Let's continue with removing the infection.

First, open Windows Explorer and rename the C:\mbr.log to C:\mbrold.txt <- if the extension does not show, you need to Reconfigure Windows to show hidden file extensions for known file types.

Make sure mbr.exe is placed in the root directory, usually C:\ <- (Important!).
Then go to Start > Run..., and in the Open dialog box, type: cmd
press Ok.
The command prompt needs to be at the root directory (C:\>_). To do that, type: cd \
press Enter.
At the command prompt C:\>_, type: mbr.exe -f
(make sure you have a space before the e and the -f)
press Enter.
At the command prompt, type: exit
press Enter.

A new report will be created at C:\mbr.log. Please copy and paste the results in your next reply.

-- If you're not sure how to use the command prompt, please refer to this guide: Introduction to the Command Prompt
-- Vista users can refer to these instructions to open a command prompt



