Helpassistant Virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by ekhishana, Mar 27, 2010.

  1. ekhishana

    ekhishana Private E-2

    Hello,

    Yesterday, when one of my family members was browsing the web, my PC suddenly rebooted. Ever since, it has slowed down significantly, and it has a huge folder "Helpassistant" (> 400MB) created in Documents and Settings. My Winpatrol software has been popping "Hosts" file changes every now and then. Within the helpassistant folder, I can see shortcuts to all my files on the hard disks. I can also see shortcuts to my tax documents, which have sensitive personal information - and that has clearly got me very nervous!

    I would sincerely appreciate any direction/help you could provide. I know there are other similar problems/resolutions on the forum - but I keep running into the "Don't follow instructions for other user problems" warning - hence the inaction.

    Thanks!

    C
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please download HelpAsst_mebroot_fix.exe and save it to your Desktop.
    • Exit out of all other open programs and windows.
    • Double click the above downloaded file to run it and follow any prompts.
    • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
    • Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.
    helpasst -mbrt
    • Make sure you leave a space between helpasst and -mbrt !
    • When it completes, a log will open.
    • Please attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
    In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

    mbr -f

    • Now, please do the Start>Run>mbr -f command a second time.
    • Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
    • Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.
    helpasst -mbrt
    • Make sure you leave a space between helpasst and -mbrt !
    • When it completes, a log will open.
    • Please attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
    **Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).


    No matter what happens above, continue on with the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. ekhishana

    ekhishana Private E-2

    Hello Sir,

    Thanks much for the quick response. I ran the HelpAsst_mebroot_fix.exe application and the run suggested that an mbr infection was detected. However, when the machine was rebooted, and I ran the "helpasst -mbrt" command, an anti-spyware I had downloaded recently to help resolve this issue (Stopzilla) stopped execution and asked if I wanted to remove the script.


    I then stopped the Stopzilla services, and tried to re-run the "helpasst -mbrt" command; but it would not run (came back with helpasst is not a recognized program). I tried running the "mbr -f" command and it came back with "mbr" not found. I have tried redownloading HelpAsst_mebroot_fix.exe and following the whole procedure again, but to no avail. Sorry if I complicated things by forgetting to switch off Stopzilla (I have now switched the Stopzilla services to be on a manual start schedule).

    However, when I reboot the computer now, I do not get the HelpAssistant folder back in Documents and Settings (not sure if that means the infection is cleared).

    Please advise! AND AS ALWAYS, THANKS A LOT FOR THE HELP

    C
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. ekhishana

    ekhishana Private E-2

    Hello Chaslang,

    Please find attached all the logs you requested. Please let me know what you find when you have a chance.

    THANKS AS ALWAYS!

    C
     


  6. ekhishana

    ekhishana Private E-2

    Hello Chaslang

    Sorry I forgot to attach the HelpAsst.log that was also created.

    I have added the above log along with the other relevant logs that you wanted to see.

    Thanks as always!!
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach the MGlogs.zip file requested from running MGtools.
     
  8. ekhishana

    ekhishana Private E-2

    Oops...Sorry for the Goof up...Please find attached all the Logs in order as requested.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. Looks like the infection has been removed. You should uninstall the below old Sun Java versions though as we requested:

    J2SE Runtime Environment 5.0 Update 3
    Java(TM) 6 Update 3


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: The space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  10. ekhishana

    ekhishana Private E-2

    Thanks chaslang,

    Really appreciate all your help and guidance. I really appreciate it.

    One last thing: as per your guidelines for "How to protect yourself from malware!" (one of the steps wherein it is recommended to use a software firewall - Step 3), I had installed "Outpost Firewall 2009".

    Now I get this warning box as shown in the image file attached.

    My guess is it's from the Norton Anti-Virus that's installed on my PC...right?

    Is it something to worry about?

    Please let me know!
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes, navex15 is a driver for your Norton program.
     
