Infected with HelpAssistant


7 replies to this topic

#1 OneRing2Rule

  • Members
  • 15 posts

Posted 21 March 2010 - 03:34 PM

Hi, all.

I'm pretty sure that this laptop is infected with HelpAssistant. My mbr is infected, as shown by mbr.exe.
First, real quick, I fix computers every day. I run a pretty successful side business cleaning out infections and fixing hardware problems. But this one has meh stumped....

HP Pavilion dv5000

HelpAssistant does NOT show up in the User Accounts section of the Control Panel, but there is one in the C:\Documents and Settings folder. And sure enough, it has what appears to be a duplicate of my main user account with files and such.

The computer is running very slow. Sounds are stuttering and often doubled, playing twice together fast.

I have done the prep work as detailed here on BleepingComputer. System Restore is off. MBAM doesn't catch anything. It was during the CCleaner part of clean up that I saw all of the HelpAssistant entries.

Okay, so let's pretend I'm a n00b and we're starting from scratch. Can someone walk me through the cleanup? Cuz I'm hitting a wall here.....

Thanks

OneRing2Rule

Edited by OneRing2Rule, 21 March 2010 - 03:36 PM.



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,199 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 March 2010 - 07:48 PM

Hello and welcome.

Please download HelpAsst_mebroot_fix.exe by noahdfear, save it to your desktop.
  • Close out all other open programs and windows.
  • Double-click on it to run the tool and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, go to Start > Run..., and in the Open dialog box, type: helpasst -mbrt
    Make sure you leave a space between helpasst and -mbrt.
  • Click OK or press Enter.
  • HelpAsst fix will create and open a log when done.
  • Copy and paste the contents of that log into your next reply.
*In the event the tool does not detect an mbr infection and completes, do this:
  • Go to Start > Run... and in the Open dialog box, type: mbr -f
  • Click OK or press Enter.
  • Now, please do the Start > Run > mbr -f command a second time.
  • Shut down the computer (do not restart, but shut it down). Wait about five minutes, then start it back up.
  • After restart go to Start > Run... and in the Open dialog box, type: helpasst -mbrt
    Make sure you leave a space between helpasst and -mbrt.
  • Click OK or press Enter.
  • HelpAsst fix will create and open a log when done.
  • Copy and paste the contents of that log into your next reply.
-- Important note to Dell users: Fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a few known fixes for this, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually. You will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, then select Check for Updates. When done,
click the Scanner tab, select Quick Scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 OneRing2Rule

  • Topic Starter
  • Members
  • 15 posts

Posted 21 March 2010 - 10:08 PM

Ran the first file "HelpAsst_mebroot_fix.exe". Took a long time (15 minutes or so). Two boxes appeared, one said that Documents and Settings/HelpAsst was removed. The second window came up and said that the user mbr was replaced and ok (I think that's what it said). The program then closed. It DID NOT open and leave a log. I did find it on the root of the system drive (C:\, in other words). It was named HelpAsst.txt and it is shown below.

Since it found and cleaned the infection, I skipped the second portion.

I then reran MBAM as described above, updated and ran it.

Here are both logs:
From HelpAsst_mebroot_fix.exe:

Hang on, gotta reboot this non-infected computer...

OneRing2Rule

Edited by OneRing2Rule, 21 March 2010 - 10:49 PM.


#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,199 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 March 2010 - 10:16 PM

Ok, I may be off before your done but I'll check back tomorrow. Use Add Reply so I get notified.

#5 OneRing2Rule

  • Topic Starter
  • Members
  • 15 posts

Posted 21 March 2010 - 10:59 PM

okay, computer rebooted. Sorry. I had a power surge on a usb port on this computer. Gots nothing to do with the problem, I stuck the USB stick in upside down. Duh.


C:\Documents and Settings\Jon\Desktop\HelpAsst_mebroot_fix.exe
Sun 03/21/2010 at 22:56:32.37

HelpAssistant account was found to be Active ~ attempting to de-activate

Full Name Remote Desktop Help Assistant Account
Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1718515113-2557304798-2497903584-1004
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

and MBAM: You'll like this one.

Malwarebytes' Anti-Malware 1.44
Database version: 3897
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/21/2010 11:45:49 PM
mbam-log-2010-03-21 (23-45-49).txt

Scan type: Quick Scan
Objects scanned: 132976
Time elapsed: 22 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Sounds good so far. Whatcha think?

OneRing2Rule :thumbsup:
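The fixer's log above is a compact list of what this variant leaves behind: the built-in HelpAssistant account (disabled by default on XP) switched to active and put in Administrators, an extra termsrv32.dll, and a set of firewall exceptions under GloballyOpenPorts (3389/TCP plus four high TCP ports). As an added example, not part of this thread, of noahdfear's tool or of BleepingComputer's procedure, here is a small Python triage script that turns two of those findings into repeatable checks against the text you would collect from a suspect machine: the output of `net user HelpAssistant` and a `reg export` of the StandardProfile GloballyOpenPorts\List key. Both sample inputs are constructed; only the five value names come from the log above, the value data after each `=` is made up, and the baseline of "expected" open ports is an assumption for a stock XP laptop with File and Printer Sharing on and Remote Desktop off.

```python
"""Triage checks for the HelpAssistant / mebroot indicators in the log above.

Added example for this thread; not part of HelpAsst_mebroot_fix.exe.  The
sample inputs below are constructed so the script runs offline.  On a live
machine you would feed it the real output of
    net user HelpAssistant
and a registry export of
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\GloballyOpenPorts\\List
"""
import re

# Constructed sample of `net user HelpAssistant` showing the same two
# indicators the fixer logged: account active, member of Administrators.
SAMPLE_NET_USER = """\
User name                    HelpAssistant
Full Name                    Remote Desktop Help Assistant Account
Comment                      Account for Providing Remote Assistance
Account active               Yes
Account expires              Never

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
"""

# Constructed .reg export.  Only the five rogue value names come from the log
# above; the value data (scope, state, description) after '=' is made up.
SAMPLE_REG_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\GloballyOpenPorts\\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:File and Printer Sharing"
"445:TCP"="445:TCP:LocalSubNet:Enabled:File and Printer Sharing"
"137:UDP"="137:UDP:LocalSubNet:Enabled:File and Printer Sharing"
"138:UDP"="138:UDP:LocalSubNet:Enabled:File and Printer Sharing"
"65533:TCP"="65533:TCP:*:Enabled:sample"
"52344:TCP"="52344:TCP:*:Enabled:sample"
"3246:TCP"="3246:TCP:*:Enabled:sample"
"2479:TCP"="2479:TCP:*:Enabled:sample"
"3389:TCP"="3389:TCP:*:Enabled:sample"
"""

# The "closing rogue ports" lines of the fixer's log as posted above.
# In .reg syntax, "name"=- means "delete this value".
FIXER_LOG_EXCERPT = """\
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-
"""

# `net user` prints "<field><two or more spaces><value>" on each line.
_NET_USER_FIELD = re.compile(r"^(\S.*?)\s{2,}(\S.*)$")
# A GloballyOpenPorts value name is "<port>:<TCP|UDP>"; data follows '='.
_PORT_VALUE = re.compile(r'^"(\d{1,5}):(TCP|UDP)"=(.*)$')


def parse_net_user(text):
    """Return {field: value} parsed from `net user <account>` output."""
    fields = {}
    for line in text.splitlines():
        m = _NET_USER_FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def helpassistant_indicators(net_user_text):
    """HelpAssistant is disabled by default on XP and is not an administrator.
    Either being true is one of the indicators this variant leaves behind."""
    fields = parse_net_user(net_user_text)
    raw_groups = fields.get("Local Group Memberships", "")
    groups = {g.strip() for g in raw_groups.split("*") if g.strip()}
    return {
        "active": fields.get("Account active", "").lower() == "yes",
        "administrator": "Administrators" in groups,
    }


def parse_open_ports(text):
    """Yield (port, proto, data) for each port value in a .reg export or in
    the fixer's log.  data is None for a deletion marker ("65533:TCP"=-)."""
    for line in text.splitlines():
        m = _PORT_VALUE.match(line.strip())
        if not m:
            continue
        port, proto, data = int(m.group(1)), m.group(2), m.group(3).strip()
        yield port, proto, (None if data == "-" else data.strip('"'))


# Assumed clean baseline: XP laptop with File and Printer Sharing on and
# Remote Desktop off, so 3389/TCP is not expected.  Adjust per machine.
BASELINE_PORTS = {(139, "TCP"), (445, "TCP"), (137, "UDP"), (138, "UDP")}


def rogue_ports(reg_text, baseline=BASELINE_PORTS):
    """Ports opened in the export that are not in the baseline, sorted."""
    present = {(p, proto) for p, proto, _ in parse_open_ports(reg_text)}
    return sorted(present - baseline)


def deleted_ports(log_text):
    """Ports the fixer removed, read from its "name"=- lines."""
    return sorted((p, proto) for p, proto, data in parse_open_ports(log_text)
                  if data is None)


if __name__ == "__main__":
    print("HelpAssistant:", helpassistant_indicators(SAMPLE_NET_USER))
    print("rogue ports:  ", rogue_ports(SAMPLE_REG_EXPORT))
    print("fixer closed: ", deleted_ports(FIXER_LOG_EXCERPT))
```

On a real machine, collect the inputs with `net user HelpAssistant > helpasst.txt` and `reg export "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List" ports.reg` (repeat for DomainProfile, which the fixer also cleaned); `reg export` writes UTF-16 on XP, so open the file with that encoding before passing its text in. The point of `deleted_ports` is to cross-check the fixer's log against your own baseline diff: on this laptop the two lists should be identical, and any port the tool closed that your baseline considers legitimate is something the owner needs to re-open deliberately.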

#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,199 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 March 2010 - 09:49 AM

Looks good here.... Let me know after using it for a bit if all's good.

#7 OneRing2Rule

  • Topic Starter
  • Members
  • 15 posts

Posted 22 March 2010 - 07:14 PM

This computer is ROCKING. I'm really pleased. Can I donate some $ or just buy you a beer somewhere?

:thumbsup:

#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,199 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 March 2010 - 08:58 PM

That's real good to hear.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.


Thanks for the offer... I do not accept donations, nor does BC. But I will recommend 2 routes if you'd like to contribute to something.
Either make a donation to some people here that would appreciate it. They help, or developed some of the tools we use here to clean computers.

Look them up in the MEMBERS tab at the top right.
a_d_13
jpshortstuff
random/random
Old Timer
teacup61
Billy O'Neal

OR
If you would like to donate, I'd appreciate it if you donated here: Goodwill Rescue Mission, Complete meal $1.98

I donate here often and serve Thanksgiving dinner every other year. They are non-profit, honest and very dedicated. Thousands of people pass through here in need of food, clothing, furniture etc...
They run one in Newark, NJ and lower Manhattan, NYC.