Another "help assistant" sufferer

I think I just got hit with the help assistant virus....

Symptoms are:

under documents and settings, there is a folder called "help assistant" that all the files on my desktop seem to be getting copied to.

This happens even after using msconfig to set the system to a safe mode bootup.

Using f8 during startup gives a very odd "select boot device" screen I've never seen before (it's a blue and white box with many device names in it, definately not the usual MS safe mode boot screen)

Setup:

Windows xp sp3 (athlon xp) with Mcaffee running...last scan was saturday, all the latest MS patches installed as of friday.

How I got it:

It appeared to hit as a result of an ad on a site I visited this morning using firefox. I got a dialog which said something about a 3d update which I killed and then killed firefox, right after that the system started acting strange and doing constant disk accessing on the boot drive, didn't discover the Help assistant till later. I had not downloaded/installed anything today, I'm sure this is a new infection because it's hitting the disk very hard and the noise was immediately noticable.

Actions taken so far:
*I ran a Mcaffee critical system scan, detected nothing.
*set the system into safe mode using msconfig
*deleted some of the files in HelpAssistant because the HD was almost completely full by this time.
*disabled the HelpAssistant account, but it came back on reboot
*disconnected 2 big secondary drives I use for file storage, just in case

Questions:

After looking at other posts about removing HelpAssistant, wondering if I should try FIXMBR before continuing with the usual virus removal procedure in the majorgeeks readme? It's hard to run any tools now because the virus is filling the disk up so quickly.

There are several folders on the desktop that contain several gigs of pictures. Would it make recovery any easier if these were copied off to a thumb drive and deleted from the desktop, or does this virus just find something else to copy?

Any idea what this virus actually does? Does it infect/delete other disks/files, steal information or just do this copying thing on the boot disk to grief people?

Thanks in advance for the help!

 

Ok, went through the entire readme process but had some problems.

First off, I had my ethernet disconnected from earlier when the virus hit. I had downloaded superantyspyware, mallwarebytes and the updates for both those programs to a thumb drive from another computer. I installed installed and ran both of these as described in the readme.

Combofix.exe also ran ok, when it wanted to install the recovery console was the first time I put the network back on line. This also ran fine.

Went ahead and tried to run RootRepeal, My antivirus and firewall (mcaffee) were still disabled from before I ran combofix.exe RootRepeal started and sat on the "initializing" screen, but never got to the screen with the "files/scan" buttons as described in the instructions. I let it sit for 20 minutes but it never got to the point where I could start a scan.

At this point I killed RootRepeal and restarted the computer (net still connected) this was the first time during the process that the hard drive started banging away when nothing else was running. Nothing appeared to be getting copied though, disk space was still ok but the system was running real slow again.

Disabled mcaffee and firewall and tried running RootRepeal again, same behavior, just sits on "initializing" let it go for 5 minutes this time, never got "files/scan" so I killed it.

Then ran MGtools, after running for awhile i got an error dialog box that said:
c:\windows\system32\cmd.exe
NTVDM has encountered a system error c0h

Nothing in the readme about this, so I clicked ignore.

A bit later I got the same error again quickly followed by this one:

An unexpected error has occurred at procedure: modRegistry_iniGetString(sFile=system.ini,sSection=boot,svalue=shell)

error #5 invalid procedure call or argument

Windows version: Windows NT 5.01.2006
MSIE version 8.0.6001.18702
HijackThis version: 2.0.2

By the time MGTools finished running my disk space was again being eaten up, about 2 gb had been used and 1gb was left (falling fast)

At this point I thought the safest thing to do was pull the net connection so the virus couldn't send anything out, grab the logs and report in here.

Also, not sure if it's because I disconnected my two non-boot drives or if it's due to the virus, but my windows is saying I need to re-authorize it in the next 2 days. I haven't done this yet because I wanted to stick to your instructions as closely as possible.

So what's next? looks like the disk space eating virus is still in there.

 

Suggestion, warn people that helpasst_mebroot_fix takes a while before any prompts appear. For me it sat about 10 minutes on the "please wait" screen before anything happened.

helpasst_mebroot_fix found the MBR infection, did a fix and restarted the machine.

After the restart and 5 minute wait reconnected the network so combofix would be able to update itself, shut down the mcafee antivirus and firewalls then ran the combofix script.

Combofix updated and restarted itself, ran through all it's stages, did the file deletions and then it restarted the computer.

Ran mgtools\getlogs.bat and got the same "hijack this" error dialog I reported in the previous post

Re-enabled mcaffe virus/firewall. So far so good, help assistant account still disabled, no unusual disk accesses, free space staying stable at 6.34gb where it was before the virus hit.

Two things:
1. Either the virus or me taking my two bulk storage drives offline made windows require "activation" (just 2 days left) is it ok to do this now or might it interfere with any work we have left to do ?
2. I notice there is a "guest" and an ASPNET account that are enabled, should they be there and active?

Thanks!

 

I mentioned that I disconnected my two 1tb data storage drives from the machine just after the virus hit to protect them. Should I take any special precautions when I hook them back up? ie: could the virus have jumped to them or is it unlikely? Neither of these drives is bootable.

One interesting thing, I did some reading of docs this morning, just stuff on the HD, no browser use. Mcafee auto-installed an update while I was doing it. Later I shut the machine down and got a data execution exception from explorer. When explorer restarted itself, mcaffe alarmed on combofix saying it had a trojan and quarantined it. Probably a false alarm, but thought you might want to know about it when you are helping other people since prior to this morning's update mcafee had no complaints about combofix.

I will re-authorize my windows tonight, then perform your final steps. If anything weird happens I'll let you know.

Thank you very much for your help! Everything seems to run much better now!

 

Everything looks fine, windows authorized with no problems.

In case someone needs the info the trojan reported in combofix by the latest mcaffee was
Artemis!F9944212C5B3

It also reported a potentially unwanted program in mgtools.

I ignored both of these and did the uninstall as directed.

I assume it is also ok to delete the HelpAsst_backup folder now too?

Thanks again

 

It looks like I may still have a problem.

When this infection started I pulled my 500gb and 1.5tb storage drives off line.

I reconnected the 500gb without incident (did a SAS scan, clean)

Today I reconnected the 1.5tb and Norton alerted that Boot.Mebroot was detected on drive 0x81. It claimed the problem was fully removed, but on reboot I get the same alert and "successful removal" message again. Tried reboot one more time, same alert and successful removal message.

I SAS scanned the system drive and the 1.5tb drive, no spyware detected.

Disconnected the 1.5tb drive and rebooted, no alerts from norton.

I have barely used the machine since we finished cleaning it so I doubt this is a re-infection. Probably the virus got onto the 1.5tb drive during the original infection before I disconnected it. The 1.5tb drive is not bootable and has no OS on it, it's pure storage.

What steps should I take to clean off this drive?

 

Norton did not give a path and did not say a it found an infected file. It just says that it detected and "fully removed" a Boot.Mebroot on drive 0x81 (the 1.5tb storage drive on "L:"), this message repeats on every boot.

Neither SAS or Norton detected any problem files (haven't tried MBAM yet), so it sounds like Norton is detecting something in the MBR that it can block but can't remove.

If I reran HelpAsst_mebroot_fix.exe with this drive connected up would it clean the MBR? This drive wasn't hooked up when we were cleaning up the machine before.

 

Was gone for awhile (tax time) but am still trying to figure this out.

Norton still reports Boot.Mebroot on drive 0x81 and "fully removed" after every restart whenever this second (data storage) drive is connected. There is no autorun.inf file on this disk.

Drive 0x80 is the boot drive, no problems reported on it.

The drive is an INTERNAL (not usb) connected to a SATA controller.

I've rerun SAS, MBAM and HelpAsst_mebroot_fix they detect no problems

When I disconnect this drive, the problem goes away.

The only thing I can figure is that this second drive has an MBR that got bad code copied to it during the original infection, but since it's not the boot disk maybe none of the "cleaner" programs know how to fix it.

That norton warning on every boot is making me paranoid, but other than this there is no suspicious behavior.

What can I do now?

 

Small update to the above. I let the system just sit awhile doing nothing after making the above post. After awhile Norton ran a background scan and alerted on Boot.Mebroot on drive 0x81 again. However this time it said it could not remove it.

Still no suspicious activity though.

 

Could it be that the drive is infected but the virus never gets to run because it isn't the boot disk? Maybe the virus removal tool only runs against the boot drive, unless there is a way to change that from the command line?

Please let me know if you find a solution.

 

Is there a way to check if the drive is bootable, or will fixmbr not run on it if it isn't?

 

The drive was bought at Frys as a "retail kit", basically a bare unused drive and some SATA2 and power cables. I installed it in my machine and formatted it with segate's software.

There was never an OS installed on it, but I've seen some formatters that put an MBR on the drive by default, even if the drive isn't bootable, so maybe that's what Norton is detecting?

The machine has 3 drives, the boot drive, this 1.5tb seagate and a 500gb WD. The 500gb shows up clean. The 1.5tb is the one Norton complains about...It was attached to the primary controller when the main boot drive was infected so maybe they both got hit at the same time.

 

Oh...If I disconnect the 1.5tb drive's power and sata cables, the norton warnings go away. So I know it's this drive that's the problem.

 

I have not done message #19 yet, I wanted to get a backup of the drive just in case I accidentally wiped it doing this. Should be done soon, then I'll try.

By the way, when I booted the machine norton alarmed on drive 0x81, then it alarmed again on 0x81 when I plugged in the USB disk for backup.

How do I tell what path to use for fixmbr? Norton says it's drive 0x81, would that be \Device\HardDisk1 ?

 

Sorry for the long delay, finally got a complete backup of the drive.

When I run fixmbr \Device\HardDisk1 I get the message:

** Caution **

This computer appears to have a non-standard or invalid master boot record.

FIXMBR may damage your partition tables if you proceed.

This could cause all the partitions on the current hard disk to become inaccessible

If you are not having problems accessing your drive do not continue.

So should I go ahead with this? I'd really rather not clobber the drive if I can avoid it.