HelpAssistant, rootkit and freezing weirdness

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mr_pink, Dec 11, 2009.

  1. mr_pink

    mr_pink Private E-2

    Hi there,

    I am almost at my wit's end with this problem, really hope someone can help.

    Here are the symptoms:

1. Every time the PC starts up, there is a flurry of disk activity. Process Monitor alerted me to the fact that services.exe was copying files from various Documents & Settings user folders to the HelpAssistant user folder.

    3. I tried disabling and then removing the HelpAssistant folder, but each time it is recreated.

    4. As well as HelpAssistant, it was creating a user called 'user' and adding both to the Administrators group.

    5. Running Avast! I didn't find anything

    6. I did some research and downloaded various tools
    - Malwarebytes
    - gmer
    - combofix
    - mbr.exe
    - MS Recovery console
    - SuperAntiSpyware

    Malwarebytes found nothing (scheduled boot-time scan). gmer (or combofix, don't remember) detected rootkit activity and restarted my PC to continue scanning. At that time I didn't have the MS recovery console, so I don't think it fixed anything (but I didn't see any warnings in the gmer results about a rootkit).

    I then installed the recovery console, but for some unknown reason (perhaps to do with my RAID setup) it would BSOD whenever I tried to run it. I changed a setting in my BIOS, said to resolve the problem (now changed back).

I then ran combofix again, and although it didn't say it fixed a rootkit infection I think it did something because the 'user' account is no longer created. gmer says my MBR is clean. I ran mbr.exe for good measure and it also said it was clean (of that particular stealth rootkit it checks for). Ran SuperAntiSpyware, it found nothing bad.

    The problem now is that the HelpAssistant is still always recreated on startup and added to the Administrators group. The 'user' account is no longer created though. (Not sure what normal behaviour is for HelpAssistant, but I'm guessing all this file copying isn't right).

    But the biggest problem though, and the reason I'm not able to post any logs is that the PC now freezes after 30/40 mins after startup, not giving me enough time to generate the various logs. Argh! :cry I may have better luck in safe mode, but I'm not holding my breath and I don't know if that's ok for the purpose of analysis? Is there another AV tool that might yield results where others have failed?

    Only thing I can guess is that it's some new rootkit virus that these programs can't see?

    I would be massively grateful for any assistance. I'm going to keep trying to get those logs in the meantime.

    Thanks!
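The behaviour described in this post (the built-in Remote Assistance account HelpAssistant being re-enabled and dropped into Administrators, alongside a new account called 'user') is something a defender can check for directly rather than waiting for a scanner to flag it. The following is an added example, not code from the thread or from MajorGeeks; it assumes a modern Windows (10 / Server 2016 or later) with the Microsoft.PowerShell.LocalAccounts module, and the watch list and the seven-day event window are assumptions.

```powershell
# Added example (not from the thread): audit local accounts for the pattern
# described above. HelpAssistant is a built-in account that is normally
# disabled and is never a member of Administrators; 'user' comes from the post.
function Get-LocalAccountAudit {
    param(
        # Assumed watch list: accounts that should never be enabled/admin.
        [string[]]$WatchList = @('HelpAssistant', 'user')
    )
    # Strip the "COMPUTER\" prefix so names compare cleanly.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { ($_.Name -split '\\')[-1] }

    foreach ($u in Get-LocalUser) {
        $isAdmin = $admins -contains $u.Name
        $watched = $WatchList -contains $u.Name
        [pscustomobject]@{
            Name       = $u.Name
            Enabled    = $u.Enabled
            IsAdmin    = $isAdmin
            LastLogon  = $u.LastLogon
            # A watched account that is enabled or in Administrators is the indicator.
            Suspicious = $watched -and ($u.Enabled -or $isAdmin)
        }
    }
}

# Security log events that record exactly these two changes:
#   4722 = a user account was enabled
#   4732 = a member was added to a security-enabled local group
function Get-AccountChangeEvents {
    param([int]$Days = 7)   # assumed look-back window
    $filter = @{
        LogName   = 'Security'
        Id        = @(4722, 4732)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Summary = ($_.Message -split "`n")[0].Trim()
            }
        }
}

# Run from an elevated prompt (group membership and the Security log need admin).
Get-LocalAccountAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-AccountChangeEvents | Format-Table -AutoSize
```

Two caveats: the account audit only tells you the current state, so if the malware re-enables the account a couple of minutes after boot (as the post describes), run it after that window; and a rootkit that hooks the APIs the LocalAccounts module uses can hide the result, which is why the thread ends up at an offline fix (booting the Recovery Console) rather than a live scan.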
     
  2. mr_pink

    mr_pink Private E-2

Ok, so I managed to generate the logs (MGtools to follow in the next message).

    Combofix said it detected rootkit activity and rebooted the PC to continue.

    Btw. I couldn't run Rootrepeal with the MBR setting because it would crash the PC with a BSOD.

I am still getting that damn HelpAssistant user being re-enabled and all files from Documents & Settings for other users are copied to the HelpAssistant user (this happens a couple of minutes after startup). I can't shut down the PC normally anymore and it will hang eventually.

    Had a quick look at the logs, to my untrained eye they look ok? Something is definitely not right here.

    I remember also that zonealarm alerted me to a change in services.exe, this was around the time that the problems started.
     

    Attached Files:

  3. mr_pink

    mr_pink Private E-2

    Here is that final log from MGtools.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You have a Master Boot Record infection. We will need to boot to the Recovery Console ( you installed it while you installed ComboFix) to remove this infection.

    Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    After running the fixmbr command and boot back to normal mode, continue with the below.


    You need to put ComboFix on your Desktop as requested so you can follow later instructions. You put it in the below folder:
    c:\temp\installers\ComboFix.exe


    Uninstall the below old versions of software:
    Java(TM) 6 Update 15
    Java(TM) 6 Update 7
    Java(TM) SE Development Kit 6 Update 13
    Messenger Plus! Live <-- this one is up to you but be very careful with this since it is a spreader of malware via sponsor programs

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    If you need the Sun Java Development kit you can get it here: http://java.sun.com/javase/downloads/index.jsp

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\alex\Local Settings\temp\

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
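The fix prescribed here (fixmbr from the Recovery Console) works because this class of rootkit lives in the first sector of the disk, which is the one place signature scanners and even gmer/mbr.exe in this thread disagreed about. Once the MBR is known clean, a defender can snapshot the boot code and detect any later change. The following is an added example and not code from the thread, from MajorGeeks or from any of the tools named above; it assumes an elevated PowerShell on a BIOS/MBR-partitioned disk (reading \\.\PhysicalDrive0 requires administrator rights), and the baseline file path is an assumption.

```powershell
# Added example (not from the thread): read the MBR, summarise it, and compare
# the 440-byte boot-code region against a baseline taken on a known-clean disk.
# MBR layout: 0..439 boot code, 440..443 disk signature, 446..509 four 16-byte
# partition entries, 510..511 signature bytes 0x55 0xAA.
function Read-MbrSector {
    param([int]$DiskNumber = 0)
    $path = "\\.\PhysicalDrive$DiskNumber"
    $fs = New-Object System.IO.FileStream($path, [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf  = New-Object byte[] 512
        $read = $fs.Read($buf, 0, 512)
        if ($read -ne 512) { throw "short read ($read bytes) from $path" }
        return $buf
    } finally { $fs.Dispose() }
}

function Get-MbrSummary {
    param([byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw 'MBR sector must be exactly 512 bytes' }
    $sha      = [System.Security.Cryptography.SHA256]::Create()
    $bootHash = ($sha.ComputeHash([byte[]]$Sector[0..439]) |
                 ForEach-Object { $_.ToString('x2') }) -join ''
    $parts = foreach ($i in 0..3) {
        $o = 446 + 16 * $i
        [pscustomobject]@{
            Index    = $i
            Bootable = ($Sector[$o] -eq 0x80)
            Type     = ('0x{0:X2}' -f $Sector[$o + 4])   # 0xEE = GPT protective MBR
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    [pscustomobject]@{
        # Bytes 0x55 0xAA read little-endian give 0xAA55.
        SignatureOk    = ([BitConverter]::ToUInt16($Sector, 510) -eq 0xAA55)
        BootCodeSha256 = $bootHash
        Partitions     = @($parts | Where-Object { $_.Type -ne '0x00' })
    }
}

function Test-MbrBaseline {
    param(
        [string]$BaselinePath = "$env:ProgramData\mbr-baseline.txt",  # assumed path
        [int]$DiskNumber = 0
    )
    $summary = Get-MbrSummary -Sector (Read-MbrSector -DiskNumber $DiskNumber)
    if (-not $summary.SignatureOk) { Write-Warning 'MBR signature 0x55AA missing' }

    if (-not (Test-Path $BaselinePath)) {
        # First run on a disk you trust (e.g. right after fixmbr): record the baseline.
        Set-Content -Path $BaselinePath -Value $summary.BootCodeSha256
        return [pscustomobject]@{ Match = $true; Note = 'baseline recorded'; Summary = $summary }
    }
    $known = (Get-Content -Path $BaselinePath -Raw).Trim()
    $match = ($known -eq $summary.BootCodeSha256)
    if (-not $match) {
        Write-Warning "MBR boot code differs from baseline ($known)"
    }
    [pscustomobject]@{ Match = $match; Note = 'compared'; Summary = $summary }
}

$result = Test-MbrBaseline
$result | Format-List Match, Note
$result.Summary.Partitions | Format-Table -AutoSize
```

Record the baseline only after the MBR is known clean (in this thread, after fixmbr has run and the tools no longer report rootkit activity); a hash taken before that would just enshrine the infected boot code. The partition summary is there so an unexpected change in the bootable flag or start sector stands out alongside the hash mismatch, and on a UEFI/GPT disk the single 0xEE entry tells you this check is not the relevant one. As with the live account audit, a rootkit that filters disk reads can feed this script a clean-looking sector, so a mismatch is proof of change while a match is not proof of health.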
     
  5. mr_pink

    mr_pink Private E-2

    Many thanks for your reply chas,

    Unfortunately, all my efforts to load the recovery console have been thwarted by the good old BSOD. I think it may be that it needs extra raid drivers. I can't load these via a floppy drive as I don't have one. I was also unable to make it get them off a USB stick. I then tried to insert the drivers into an installed copy of the recovery console (in c:\cmdcons) using a guide I found, but that didn't work either. Lastly I went into the BIOS and turned off AHCI, as I read that might do the trick - no joy.

    My last resort is to use a program called MBR fix (http://www.sysint.no/nedlasting/mbrfix.htm). I am currently backing up my most precious data in case it all goes south then I intend to run it and pray...

    If it works, I will report back with my findings and follow the other steps you kindly described.

    Thanks!

     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes please let us know if it works for you.
     
  7. mr_pink

    mr_pink Private E-2

    w00t. I think it's fixed. I had to get dell to send me an OS installation CD with the correct RAID drivers on it. Then I was able to run the recovery console and fixmbr.

    The HelpAssistant folder is now no longer recreated and combofix etc. don't find any problems with rootkit viruses.

Thank you very much for your time on this btw. I think it's really great that people are volunteering to help out with these kinds of problems.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. I suggest that you complete the instructions I gave in message # 4 and attach the follow up logs so that we can verify all is good.
     
