Possible mebroot/HelpAssistant virus, but not sure


This topic is locked
8 replies to this topic

#1 accuno

Posted 10 April 2010 - 03:44 PM

I have been having trouble with the HelpAssistant account re-creating itself on my Windows 2000 computer at boot-up for a while now. I have done a lot of searching but I haven't found an identical problem to my own. Unlike many people, the HelpAssistant account does not seem to download a lot of .tmp files. I have tried a few things including running virus and malware scans, but nothing seems to work and I really don't know what the source of the problem really is. In the interest of saving some time I will list the things that I have tried:

1- Both quick and full scans using Malwarebytes' Anti-Malware, multiple times.
2- Full anti-virus scans using AVG free (which is installed) as well as on-line scanners from Kaspersky, TrendMicro and ESET.
3- I have tried a few of the scans suggested to people on this forum such as OTL and mbr.exe to see if anything would jump out at me, but I have to admit I really don't know what I am looking for and the mbr scan has always come back with this:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

4- I have actually found a sort of temp solution. By deleting, rather than disabling, the HelpAssistant account and starting my computer while it is disconnected from the internet, the account will not be created. After allowing the computer to boot into Windows, I am then able to connect my LAN cable and use the computer without the account ever appearing, but if I start the computer connected to the network, the account will re-create again.

I have not tried the fixmbr command as I have read that it is possible that it will adversely affect partitions created using third-party software, and I honestly can't remember if some of the hard drives in this computer were partitioned with another program.

The reason I am the most concerned that there is some sort of virus or malware that I have been unable to detect, is that the other day I was redirected to an obvious phishing page after trying to login to my eBay account, and this is after I had run various scans without finding anything.

Like I said, I really don't know what goes into definitively detecting this rootkit, but it is apparent that there is something wrong with my computer. Any help would be greatly appreciated. Thanks

#2 quietman7
Bleepin' Janitor, Global Moderator

Posted 13 April 2010 - 02:27 PM

Please download HAMeb_check.exe and save it to your desktop.
  • Double-click on HAMeb_check.exe to run the utility and it will create a log.
  • Copy and paste the contents of that log in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 accuno
Topic Starter

Posted 13 April 2010 - 06:41 PM

Hello quietman7, thanks for looking at this, here is the log:

J:\Documents and Settings\user\Desktop\HAMeb_check.exe
Tue 04/13/2010 at 18:35:31.84
No HelpAssistant account in User list

 ~~ Checking profile list ~~
S-1-5-21-861567501-1757981266-839522115-1003     %SystemDrive%\Documents and Settings\HelpAssistant
S-1-5-21-861567501-1757981266-839522115-1004     %SystemDrive%\Documents and Settings\HelpAssistant
S-1-5-21-861567501-1757981266-839522115-1005     %SystemDrive%\Documents and Settings\HelpAssistant

 ~~ Checking for HelpAssistant directories ~~
none found

 ~~ Checking mbr ~~
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8588C648]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8588c648
\Driver\atapi -> 0x85eac1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

 ~~ Checking for termsrv32.dll ~~
termsrv32.dll was not found
Error: Key: system\currentcontrolset\services\termservice\parameters does not exist!

 ~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
   "65533:TCP"=65533:TCP:*:Enabled:Services
   "52344:TCP"=52344:TCP:*:Enabled:Services
   "3246:TCP"=3246:TCP:*:Enabled:Services
   "6481:TCP"=6481:TCP:*:Enabled:Services
   "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
   "9926:TCP"=9926:TCP:*:Enabled:Services
   "9927:TCP"=9927:TCP:*:Enabled:Services
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
   "65533:TCP"=65533:TCP:*:Enabled:Services
   "52344:TCP"=52344:TCP:*:Enabled:Services
   "3246:TCP"=3246:TCP:*:Enabled:Services
   "6481:TCP"=6481:TCP:*:Enabled:Services
   "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
   "9926:TCP"=9926:TCP:*:Enabled:Services
   "9927:TCP"=9927:TCP:*:Enabled:Services

 ~~ EOF ~~

I ran the program after I had started my computer disconnected from the internet so the HelpAssistant account wasn't created, would it be helpful if I restarted while connected and ran it again?
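The log above packs several independent indicators into one text dump: stale profile-list SIDs that still resolve to a HelpAssistant profile, the Gmer detector's "UNKNOWN" module and driver hooks in the disk stack, and firewall GloballyOpenPorts entries with the generic label "Services". The following Python parser is an added example written for this thread; it is not HAMeb_check's own code and not part of the original post. It reads a HAMeb_check-style log, pulls those indicators into a structured report, and lists what a helper would want to look at first. The sample log is constructed from the output posted above (abbreviated to the lines the parser consumes), and the "generic label" heuristic for open ports is this example's own assumption, not a rule from the tool.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an abbreviated copy of the HAMeb_check output posted in this thread.
SAMPLE_LOG = r"""No HelpAssistant account in User list
 ~~ Checking profile list ~~
S-1-5-21-861567501-1757981266-839522115-1003     %SystemDrive%\Documents and Settings\HelpAssistant
S-1-5-21-861567501-1757981266-839522115-1004     %SystemDrive%\Documents and Settings\HelpAssistant
S-1-5-21-861567501-1757981266-839522115-1005     %SystemDrive%\Documents and Settings\HelpAssistant
 ~~ Checking for HelpAssistant directories ~~
none found
 ~~ Checking mbr ~~
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8588C648]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8588c648
\Driver\atapi -> 0x85eac1f8
Warning: possible MBR rootkit infection !
 ~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
   "65533:TCP"=65533:TCP:*:Enabled:Services
   "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
   "9926:TCP"=9926:TCP:*:Enabled:Services
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
   "65533:TCP"=65533:TCP:*:Enabled:Services
   "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
   "9926:TCP"=9926:TCP:*:Enabled:Services
 ~~ EOF ~~
"""

SECTION_RE = re.compile(r"^\s*~~ (.+?) ~~\s*$")
PROFILE_RE = re.compile(r"^(S-1-5-21-[\d-]+)\s+(.+?)\s*$")
UNKNOWN_RE = re.compile(r"UNKNOWN \[(0x[0-9A-Fa-f]+)\]")
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (0x[0-9a-fA-F]+)$")
PORT_KEY_RE = re.compile(r"^\[HKLM\\.*\\firewallpolicy\\(\w+)\\GloballyOpenPorts\\List\]$", re.I)
PORT_RE = re.compile(r'^\s*"(\d+):(TCP|UDP)"=\1:\2:\*:(Enabled|Disabled):(.*)$')


@dataclass
class HamebReport:
    helpassistant_in_userlist: bool = False
    profiles: list = field(default_factory=list)        # (sid, path) entries that resolve to HelpAssistant
    unknown_modules: list = field(default_factory=list)  # addresses Gmer could not attribute to a module
    mbr_hooks: list = field(default_factory=list)        # (driver object, hook address)
    mbr_warning: bool = False
    open_ports: dict = field(default_factory=dict)       # firewall profile -> [(port, proto, label)]


def parse_hameb_log(text):
    """Walk the log section by section and collect the indicators into a HamebReport."""
    rep = HamebReport()
    section, fw_profile = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if "HelpAssistant account in User list" in line:
            # Only the negative wording appears in the thread; any other wording is assumed to mean "present".
            rep.helpassistant_in_userlist = not line.startswith("No ")
        elif section == "checking profile list":
            m = PROFILE_RE.match(line)
            if m and "helpassistant" in m.group(2).lower():
                rep.profiles.append((m.group(1), m.group(2)))
        elif section == "checking mbr":
            rep.unknown_modules += UNKNOWN_RE.findall(line)
            m = HOOK_RE.match(line)
            if m:
                rep.mbr_hooks.append((m.group(1), m.group(2)))
            if line.startswith("Warning: possible MBR rootkit"):
                rep.mbr_warning = True
        elif section == "checking firewall ports":
            m = PORT_KEY_RE.match(line)
            if m:
                fw_profile = m.group(1)
                rep.open_ports.setdefault(fw_profile, [])
                continue
            m = PORT_RE.match(line)
            if m and fw_profile:
                rep.open_ports[fw_profile].append((int(m.group(1)), m.group(2), m.group(4)))
    return rep


def assess(rep):
    """Turn the parsed report into a list of human-readable findings (heuristics are this example's own)."""
    findings = []
    if rep.profiles:
        sids = ", ".join(sid for sid, _ in rep.profiles)
        findings.append(f"{len(rep.profiles)} profile-list entries resolve to a HelpAssistant profile ({sids})")
    if rep.mbr_warning or rep.mbr_hooks:
        hooks = ", ".join(f"{drv} -> {addr}" for drv, addr in rep.mbr_hooks)
        findings.append(f"MBR rootkit hooks reported: {hooks}")
    for addr in rep.unknown_modules:
        findings.append(f"unattributed module in the disk driver stack at {addr}")
    for profile, entries in rep.open_ports.items():
        for port, proto, label in entries:
            if label.strip().lower() == "services":  # descriptive labels (e.g. Remote Desktop) are left alone
                findings.append(f"{profile}: globally open {port}/{proto} carries the generic label {label!r}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_hameb_log(SAMPLE_LOG)):
        print("-", finding)
```

Running the block prints one line per finding; on the sample it reports the three ghost profile SIDs, the two driver hooks, the unattributed module and the four generically labelled open ports, which is the same set of items a helper would pick out of the raw log by hand.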

#4 quietman7

Posted 13 April 2010 - 08:45 PM

Please download HelpAsst_mebroot_fix.exe by noahdfear and save it to your desktop.
  • Close out all other open programs and windows.
  • Double-click on it to run the tool and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, go to Start > Run..., and in the Open dialog box, type: helpasst -mbrt
    Make sure you leave a space between helpasst and -mbrt.
  • Click OK or press Enter.
  • HelpAsst fix will create and open a log when done.
  • Copy and paste the contents of that log into your next reply.
*In the event the tool does not detect an mbr infection and completes, do this:
  • Go to Start > Run... and in the Open dialog box, type: mbr -f
  • Click OK or press Enter.
  • Now, please do the Start > Run > mbr -f command a second time.
  • Shut down the computer (do not restart, but shut it down). Wait about five minutes, then start it back up.
  • After restart go to Start > Run... and in the Open dialog box, type: helpasst -mbrt
    Make sure you leave a space between helpasst and -mbrt.
  • Click OK or press Enter.
  • HelpAsst fix will create and open a log when done.
  • Copy and paste the contents of that log into your next reply.
-- Important note to Dell users: Fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a few known fixes for this, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually. You will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

#5 accuno
Topic Starter

Posted 13 April 2010 - 10:14 PM

When I try to run the program it just says "This tool is not compatible with your system."

#6 quietman7

Posted 14 April 2010 - 07:04 AM

It's a newer tool and the first time I asked someone with Windows 2000 to use it, so I'm checking with the tool's developer.

#7 quietman7

Posted 14 April 2010 - 07:45 AM

I have been advised it's not compatible. As such, we will probably need to use more powerful tools than are allowed in this forum to investigate your system.

Just so you know, HelpAssistant is a Mebroot variant which infects the Master Boot Record. More specifically, this malware overwrites the Master Boot Record of the hard disk with its own code and stores a copy of the original master boot record at another sector while using rootkit techniques to hide itself. Mebroot uses the Remote Desktop (part of Windows) to get full access to the computer and when a remote session is active, it gets managed over the Helpassistant account. The newer variants in particular can be very difficult to remove. For more specific details about this infection, read:

Mebroot is contracted and spread through ads in spam e-mail attachments, by using shared folders on peer-to-peer networks, using Torrents, and via drive-by downloads when visiting porn and malicious websites using browser exploits.

Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change all passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

#8 accuno
Topic Starter

Posted 14 April 2010 - 08:16 PM

I took my problem to the removal forum as you suggested, here is the link to my post:

http://www.bleepingcomputer.com/forums/t/309832/mebroot-on-windows-2000/

Thanks for taking the time to help me, I really do appreciate it.

#9 quietman7

Posted 14 April 2010 - 09:03 PM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.