
Keep getting infected with EVERYTHING


8 replies to this topic

#1 pekingese727
  • Members
  • 18 posts

Posted 18 February 2010 - 10:06 AM

I keep getting into Antivirus Soft somewhere, and I'm not sure where at (no, I don't surf porn, cracks and warez sites or games). I have Windows Firewall up, use Windows Defender and AVG 9 and IObit 360. I also scan often with Malwarebytes, scan with my IObit 360 and also scan with HouseCall, Windows Live, SUPERAntiSpyware and CCleaner. I use Dr.Web too but that one will not run right now.
I recently had a ton of issues which seemed to be cleared up, then I kept getting reinfected with Antivirus Soft... it APPEARS I got rid of it. But lately my computer has been shutting down while I'm working or during the day when I'm gone.
I also got a redirect on eBay, when I tried to log in, before the shutdowns started happening... so like a dummy I thought it was legitimate and I gave them all my info... my credit sucks anyway; if they steal my identity, they'll give it back. Trust me. lol. But I am worried about that now, although I don't know what to do other than wait and see if I start having problems with my credit, identity etc... Ugh!!! But like I said, at the time, I didn't know there was anything wrong with my PC till I already gave them all that info... but that's neither here nor there really unless someone knows something preemptive I can do about that.
Anyway, on to the issue... I keep getting into Antivirus Soft as I said... I THINK I got rid of it through a tutorial here and then I got it twice more, so I did a System Restore and it went away. All scans were coming back clean.
Well, the last few days, as I've mentioned, my PC gets so much going on at once that it is causing it to shut down, and it's overloading during the day and shutting off. I found several trojans with Malwarebytes and I removed them, but it said they were in the HelpAssistant folder. I looked for said folder and sure enough, there it was, and it was duplicating my entire hard drive by copying all my files to it.
I looked for my symptoms and came up with what I believe it to be, the HelpAssistant virus. I keep deleting the folder but it comes back up on startup, so I delete it over and over when I reboot or my system gets so taxed it won't run. I tried to use the mbr.exe file I saw in a similar post and it said everything was fine and did not locate anything. But there's definitely something wrong!!!
I'm running Malwarebytes right now; I tried to run Dr.Web but it just shut down my system and rebooted it. I haven't tried to do that in Safe Mode yet.
Again, even though I'm learning, I'm a total beginner at getting rid of this crap on my PC, so easy explanations of what I have to do would be appreciated greatly!
Oh, and one more thing... I'm running Windows XP Home Edition with a Pentium 3. I know this because when I called the place I bought my refurbished PC like 3 years ago, they have been great till now. They offered to wipe my system for free, or for a small fee they'd remove the problems without a wipe because of me having bought it there. Till they asked me what I was running and I said how do I know, and he asked me a couple of questions and determined that was what I have. He said they no longer support/work on the Pentium 3, that if he loads XP into it with all the updates etc... I'll have a lot of crashes and it will run horribly. Any truth to that, or does he just want me to come in and get a new PC? This one will be 4 years old this coming Christmas (well, 4 years old to me; not sure how long it was on the floor before I bought it). And where can I get ahold of an XP disk if that's not true, because they don't give you one when you buy and he won't do it now either.
Thanks!!!


#2 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 50,964 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 February 2010 - 10:29 AM

HelpAssistant is an MBR (Mebroot) variant which infects the Master Boot Record. The infection is contracted and spread through ads in spam e-mail attachments, by using shared folders on peer-to-peer networks, using Torrents, and via drive-by downloads when visiting porn and malicious websites using browser exploits. For more specific details about this infection, read:

Please download mbr.exe and save it to your desktop <- (Important!).
  • Double-click on mbr.exe and allow the mbr.sys driver to load if asked.
  • A black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved on your desktop.
  • Copy and paste the results of the mbr.log in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 pekingese727
  • Topic Starter
  • Members
  • 18 posts

Posted 18 February 2010 - 10:35 AM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#4 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 50,964 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 February 2010 - 11:02 AM

Yep, mbr.exe is not showing anything. First time I have encountered that.

Please post the results of your last MBAM scan for review and the new one you are doing now.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs


#5 pekingese727
  • Topic Starter
  • Members
  • 18 posts

Posted 18 February 2010 - 11:14 AM

Unless that's not what I have... but yup, the HelpAssistant folder came back again on reboot of my system after running Malwarebytes.
Now this was run on 2-16....

Malwarebytes' Anti-Malware 1.44
Database version: 3748
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

2/16/2010 9:02:04 PM
mbam-log-2010-02-16 (21-02-04).txt

Scan type: Quick Scan
Objects scanned: 126899
Time elapsed: 12 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\173.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\174.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\177.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\knGo.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\knGo.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\QLLO259V\eH9bb71be9V03007f35002R420318ea102Td0cd6316Q000002fd901801F002a000aJ10000601l0409K5c7ba2f830dP000301080[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\TEU0YUXD\eH9bb71be9V03007f35002R420318ea102Td0cd62f8Q000002fd901801F002a000aJ10000601l0409K5c7ba2f83180[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\U44L8ZKV\eU230d9c2eH9bb71be9V03f01730002R8ba94b41102Td0c1aeecQ000002fd901801F002a000aJ00000000l0409Kd825d5f730dP000301080[1] (Trojan.Dropper) -> Quarantined and deleted successfully.


I ran one on 2-17 and it came back 100% clean... today I re-ran just now and this is what it says....

Malwarebytes' Anti-Malware 1.44
Database version: 3754
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

2/18/2010 9:48:34 AM
mbam-log-2010-02-18 (09-48-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 185092
Time elapsed: 1 hour(s), 1 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{368EEE7D-1518-4CBC-AFF9-9147C1EF62DE}\RP484\A0064728.dll (Trojan.Dropper) -> Quarantined and deleted successfully.


I called the place I got my PC again and told them what was going on, that I keep getting reinfected, and to tell me what not to do so that I could avoid this in the future, and they suggested perhaps it's not reinfection over and over, but that there are dormant viruses lying in wait from the first time I got into whatever it is I got into, and those files keep opening up? And it's almost impossible to get rid of that when that happens without their help... but I'm willing to work through this with you all first if we can fix it.

And by the way, I run Firefox if that helps.

#6 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 50,964 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 February 2010 - 11:25 AM

In your first post, you indicated a re-direct on ebay which is one of the symptoms of the infection. The redirects go to phishing sites asking for personal info such as SS number, Credit card number, ATM pin... Is that still happening? Are there still HelpAssistant folders on your system and/or in the Control Panel > User Account?

The detected _restore{GUID}\RP***\A00*****.xxx file identified by your last scan is in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. See What's Restored when using System Restore and What's Not.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point.
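As an added illustration (not part of this thread, and not a Malwarebytes tool), the triage script below applies the distinction quietman7 draws above to an MBAM 1.x log: it parses each detection line and separates System Restore copies (`_restore{GUID}\RP*\A00*`) from files in the HelpAssistant profile or other live paths, which are the ones that point at an active infection. The sample log is constructed from the lines posted earlier in the thread; the regexes and function names are assumptions of this example.

```python
import re
from collections import Counter, namedtuple

# Constructed sample in the Malwarebytes' Anti-Malware 1.44 log layout seen in
# this thread; the detection lines are modelled on the ones posted above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3754
Scan type: Full Scan (C:\|)
Files Infected: 3

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{368EEE7D-1518-4CBC-AFF9-9147C1EF62DE}\RP484\A0064728.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\knGo.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\knGo.dll (Trojan.Dropper) -> Delete on reboot.
"""

# One detection line: "<path> (<family>) -> <action>"
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# System Restore copy, _restore{GUID}\RP<n>\A00<n>.<ext> under SVI (the naming explained above)
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\A00\d+\.\w+$", re.I)
# The HelpAssistant profile is where the files in this thread keep reappearing
HELPASSISTANT_RE = re.compile(r"^[A-Z]:\\Documents and Settings\\HelpAssistant\\", re.I)

Detection = namedtuple("Detection", "path family action location")


def classify_path(path: str) -> str:
    """A restore-point copy means the original lived elsewhere and is probably
    gone already; a HelpAssistant-profile or other live path needs follow-up."""
    if RESTORE_POINT_RE.search(path):
        return "restore-point"
    if HELPASSISTANT_RE.match(path):
        return "helpassistant-profile"
    return "live"


def parse_mbam_log(text: str) -> dict:
    """Return the database version and every detection line of an MBAM 1.x log."""
    result = {"database_version": None, "detections": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Database version:"):
            result["database_version"] = line.split(":", 1)[1].strip()
        elif m := DETECTION_RE.match(line):
            result["detections"].append(
                Detection(m["path"], m["family"], m["action"], classify_path(m["path"])))
    return result


def triage(text: str) -> dict:
    """Tally detections by location so a stale System Restore copy is not
    mistaken for evidence of an active reinfection, or the reverse."""
    report = parse_mbam_log(text)
    report["counts"] = dict(Counter(d.location for d in report["detections"]))
    report["needs_followup"] = any(d.location != "restore-point" for d in report["detections"])
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG)["counts"])
```

Run on the second log posted above, where the only hit is an A00***** file, it reports no follow-up needed; run on the first, the HelpAssistant paths flag it.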

#7 pekingese727
  • Topic Starter
  • Members
  • 18 posts

Posted 18 February 2010 - 11:37 AM

I did do a restore the other night back to a point that I THOUGHT was clean. Obviously it was not. But my scans were coming back okay... so I thought I was good.
And the HelpAssistant folder is not there now, but it's because I deleted it. It came back when I rebooted the PC after running Malwarebytes. So yes, that is still happening.
And yes, still redirecting me on eBay as well. I just checked.

#8 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 50,964 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 February 2010 - 12:10 PM

Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is a hidden piece of malware (i.e. a rootkit) which has not been detected by your security tools and which protects malicious files and registry keys so they cannot be permanently deleted. Other types of malware can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done, you will need to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another Malware Response Team member is already assisting you and not open the thread to respond.

#9 Orange Blossom
  • OBleepin Investigator
  • Moderator
  • 36,807 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 18 February 2010 - 04:52 PM

Hello,

Now that you have posted a log here, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



