HelpAssistant Folder Reappears on Reboot


  • This topic is locked
34 replies to this topic

#1 junkit


Posted 06 March 2010 - 12:12 PM

Help Assistant keeps coming back
On normal boot, the desktop shell is hijacked. I can boot to safe mode.

Avast doesn't detect on scan or boot
Malwarebytes doesn't find anything.

Ran GMER .... attached

looks like the same problem identified in http://www.bleepingcomputer.com/forums/t/266834/mbr-rootkit-detected-helpassistant-folder-reappears-on-reboot/ only using a W2K machine.

Any help or direction would be appreciated. This thing is driving me nuts....


Edited by junkit, 07 March 2010 - 11:02 AM.



#2 myrti


Posted 09 March 2010 - 06:52 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 junkit


Posted 11 March 2010 - 09:33 PM

Hi myrti,
Thank you for the prompt reply.
Attached are the output files requested. Sorry for the delay, but it actually took a while as I ran it for the last 60 days for more detail.

Thank you again....J

#4 myrti


Posted 12 March 2010 - 09:27 AM

Hi,

If you are blanking out part of the user name, please bear in mind that you need to change it back before running any fixes I post where your name figures.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !

When it completes, a log will open.

Please post the contents of that log.



In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.

Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.

Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !

When it completes, a log will open.

Please post the contents of that log.

**Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected MBR (the latter not recommended).

regards myrti



#5 junkit


Posted 12 March 2010 - 07:56 PM

Hi Myrti,
Yes the name is being blanked intentionally. I will do the changes to your script(s) as requested....
Unfortunately, the HelpAsst_mebroot_fix.exe download, once started, came up with the message:
"the tool is not compatible with your system..."
" press any key to continue...."
....and exits the dialog box once any key is pressed
The OS is Win2K Sp4
Thank You

#6 myrti


Posted 13 March 2010 - 02:37 PM

Hi,

ok let's do this manually then.
Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -f >"C:\mbr.log"
    Note: There is a blank between mbr.exe and -t.
  • press Enter.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\). The file will not open automatically, you need to go to C:\mbr.log yourself and open it.
  • Copy and paste the results of the mbr.log in your next reply.

Then please run the following batch:
Open Notepad and copy/paste the code box below into a new text file.
CODE
@echo off
dir "C:\documents and settings" >"%temp%\log.txt"
net user >>"%temp%\log.txt"
reg query HKLM\SYSTEM\CurrentControlSet\Services\termservice\Parameters >>"%temp%\log.txt"
"%temp%\log.txt"
  • Save the file as regquery.bat by choosing save as *All Files, and save it to your Desktop.
  • Locate "regquery.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).
  • It will open a text file, please copy the content in your next reply.

Please try to run profiles.exe as well and post the log:
http://noahdfear.net/downloads/profiles.exe

regards myrti



#7 junkit


Posted 13 March 2010 - 05:48 PM

Hello Myrti,
I have executed as requested. Please see attached. Name Mask is enabled as xxxxxxx. The output is attached.

Your clarification on the space between mbr.exe and the switch made note of option -t, rather than option -f, as requested in the execute command. The -f option was run for the attached output.

Thank you again for your input and analysis.

#8 myrti


Posted 13 March 2010 - 06:41 PM

Hi,

yes, very sorry about the mix-up. -f will repair the MBR, while -t will add some additional info to the log. I wanted you to run mbr -f as you did.

Please follow steps 1-3 behind this link to back up your registry with ERUNT (use the current date when naming the location).

Open Notepad and copy/paste the code box below into a new text file.
CODE
@echo off
reg add HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start /t REG_DWORD /d 0x0 /f
net stop RDSessMgr
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r C:\docume~\HelpAssistant\* /s /d
del /s/q C:\docume~\HelpAssistant\*.*
rmdir /s/q C:\docume~\HelpAssistant
mbr -f
reg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d ^%systemroot^%\System32\termsrv.dll /f
exit
  • Save the file as fix.bat by choosing save as *All Files, and save it to your Desktop.
  • Locate "fix.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).

Afterwards please reboot and let me know if the HelpAssistant folder reappears.

regards myrti

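An added example, not from the thread and not one of myrti's tools: a small Python triage script that reads the %temp%\log.txt that regquery.bat (post #6) writes and checks the three things fix.bat (post #8) is meant to put right, namely the HelpAssistant profile folder, the HelpAssistant account, and the TermService ServiceDll value. The log text is constructed rather than junkit's real output, and the script assumes the XP-style `reg query` column layout (name, type, data); all function names are this example's own.

```python
import re

# Constructed stand-in for the %temp%\log.txt that regquery.bat writes
# (dir listing, net user, reg query). Not a capture from the thread.
SAMPLE_LOG = r""" Directory of C:\documents and settings

03/13/2010  05:30 PM    <DIR>          .
03/01/2010  09:12 AM    <DIR>          Administrator
03/13/2010  05:30 PM    <DIR>          HelpAssistant
02/10/2010  08:05 PM    <DIR>          xxxxxxx

User accounts for \\WORKSTATION
-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
xxxxxxx

The command completed successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\termservice\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\WINNT\System32\termsrv32.dll
"""

def parse_profiles(log):
    """Profile folder names from the 'dir' section (every <DIR> entry except . and ..)."""
    names = set()
    for line in log.splitlines():
        if "<DIR>" in line:
            name = line.split("<DIR>", 1)[1].strip()
            if name not in (".", ".."):
                names.add(name)
    return names

def parse_accounts(log):
    """Account names from the 'net user' block between the dashed rule and the completion line."""
    m = re.search(r"^-{5,}\n(.*?)\n\s*The command completed", log, re.S | re.M)
    names = set()
    for line in (m.group(1).splitlines() if m else []):
        if line.strip():
            names.update(re.split(r"\s{2,}", line.strip()))  # columns are 2+ spaces apart
    return names

def parse_servicedll(log):
    """ServiceDll data from the 'reg query' section, or None if the value is absent."""
    m = re.search(r"ServiceDll\s+REG_EXPAND_SZ\s+(\S.*)", log, re.IGNORECASE)
    return m.group(1).strip().strip('"') if m else None

def servicedll_is_expected(value):
    """True only when TermService loads the stock termsrv.dll from System32 (what fix.bat restores)."""
    head, _, name = value.strip().strip('"').lower().rpartition("\\")
    return name == "termsrv.dll" and head.endswith("\\system32")

def check_log(log):
    """Summarise the three indicators the thread's fix targets."""
    dll = parse_servicedll(log)
    return {
        "helpassistant_account": any(a.lower() == "helpassistant" for a in parse_accounts(log)),
        "helpassistant_profile": any(p.lower() == "helpassistant" for p in parse_profiles(log)),
        "servicedll": dll,
        "servicedll_ok": dll is not None and servicedll_is_expected(dll),
    }
```

On XP a disabled HelpAssistant account exists by default (it belongs to Remote Assistance), so on that OS the account line alone is weak evidence; the profile folder and a ServiceDll that is not termsrv.dll are the findings worth acting on, and on Win2K the account should not exist at all.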


#9 junkit


Posted 13 March 2010 - 10:14 PM

Hi Myrti,
Still there...about 525MB in size....
Typical desktop shell hijack also still present.....

#10 myrti


Posted 14 March 2010 - 06:44 AM

Hi,

Let's try this then:

Open Notepad and copy/paste the code box below into a new text file.
CODE
@echo off
C:\mbr -f
reg add HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start /t REG_DWORD /d 0x0 /f
net stop RDSessMgr
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r C:\docume~\HelpAssistant\* /s /d
del /s/q C:\docume~\HelpAssistant\*.*
rmdir /s/q C:\docume~\HelpAssistant
mbr -f
reg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d ^%systemroot^%\System32\termsrv.dll /f
exit
  • Save the file as fix.bat by choosing save as *All Files, and save it to your Desktop.
  • Locate "fix.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).
If the folder is still present please delete it. Afterwards please reboot and let me know if the helpassistant folder reappears.
regards myrti



#11 junkit


Posted 14 March 2010 - 08:16 AM

Hello Myrti,
Ran the batch....rebooted.....re-checked for HelpAssistant....still there.
Ran the individual commands from the batch... here is the output.....and I think I may be missing, or have a redirect of, some commands/variables

C:\>reg add HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start /t REG_DWO
RD /d 0x0 /f
'reg' is not recognized as an internal or external command,
operable program or batch file.

C:\>net stop RDSessMgr
System error 1060 has occurred.

The specified service does not exist as an installed service.


C:\>net user HelpAssistant /active:no >nul 2>&1

C:\>net localgroup Administrators HelpAssistant /delete >nul 2>&1

C:\>attrib -s -h -r C:\docume~\HelpAssistant\* /s /d
Path not found - C:\docume~\HelpAssistant

C:\>del /s/q C:\docume~\HelpAssistant\*.*
The system cannot find the path specified.

....I did not run the remaining commands.....
thank you...

#12 junkit


Posted 14 March 2010 - 11:49 AM

Hi Myrti,
...(Good progress) update...
Deleted HelpAssistant directory(s) successfully per your script (encapsulating the full path).
Could not add registry entries with your command (reg is not in the W2K OS)
Could not find RDSessMgr service on W2K
...hope it helps.....
Thank You

#13 myrti


Posted 15 March 2010 - 05:56 PM

Hi,

Yes, I was afraid this would happen; I do not have a Win2K system to cross-check on before posting to you.

The most important part is done, namely to fix the HelpAssistant account and to remove the folder as well as to delete the MBR infection. The rest are leftovers, but the infection should be unable to respawn now.

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    CODE
    :filefind
    termsrv.dll
    termsrv32.dll
    :reg
    HKLM\SYSTEM\CurrentControlSet\Services\TermService /s
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply


regards myrti



#14 junkit


Posted 15 March 2010 - 09:49 PM

Hi Myrti,
I understand...it's a bit dated....but for that system, I need only W2K, and I am trying to salvage some older programs I don't have upgrade paths to.....

I ran the tool and attached is the output.

btw, I still have the hijacked desktop shell

Thanks for your help, again!!!

#15 myrti


Posted 17 March 2010 - 03:56 AM

Hi,

Has the folder reappeared? If not, that would be a good thing.

Please run a scan with Malwarebytes next:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

regards myrti





