# HelpAssistant Account hacked?



## JimOliver

Hello all,

I have a problem, just noticed today, not sure how long it's been there.

My machine is an XP SP3 (tablet edition if that matters), on a home network with 2 computers with cable internet.

I'm running Avast 4.8.

This morning, Avast alerted me to a virus in the HelpAssistant account folder for temporary internet files (C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5). I had never heard of this account, but I've learned it's the RDP account. Anyway, I noticed that the Temporary Internet Files folder was growing at an alarming rate, about 3MB per minute. Looking in there were the standard files, some html, .js, etc., nothing unusual... but rapidly growing.

Alarmed, I went to disable the account, and turned up the logging in event viewer. Someone with NTAUTHORITY/SYSTEM keeps re-enabling the account. I tried changing password, same thing, NTAUTHORITY/SYSTEM changes the password again, and then I start getting thousands of internet files.

Is this normal?

I tried deleting old accounts, changing the Administrator logon, but nothing helps... is a trojan doing this? What steps can I do to identify and remove it? Or is it somebody logging in from the outside?

Thanks in advance, any thoughts would be appreciated.

-Jim


----------



## Suncoast

You should be in one of the Security Forums Here.

http://www.techsupportforum.com/f27/


----------



## Madimad

Hi, I'm having the same problem. Don't know how to disable the HelpAssistant, so I deleted it using "net user HelpAssistant /Delete". That works but after rebooting the directory C:\Documents and Settings\HelpAssistant is back and growing ...
Anyone? Thanks!


----------



## lepr8

I have the same problem, is there a solution?


----------



## Pitta322

Hello,
The problem is a trojan (win32.mebroot.bz) that installs itself in the MBR.
Just start XP recovery console from XP CD and run fixmbr.
After a reboot, disable HelpAssistant account and remove it from Administrators group.
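An added check script for the XP command prompt, not from any poster in this thread, covering the "disable HelpAssistant and remove it from Administrators" step above and the later question of where that group can be managed on XP Home (which has no Local Users and Groups snap-in): it relies only on the built-in net commands, shows the account's current state, then disables it and strips its group membership.

```batch
@echo off
REM Added example (not from this thread): inspect and neuter the
REM HelpAssistant account from an XP command prompt run as Administrator.
REM Only built-in "net" commands are used, so this also works on XP Home,
REM which has no Local Users and Groups MMC snap-in.

echo === Current state of the HelpAssistant account ===
net user HelpAssistant | findstr /i "Account.active Password.last Last.logon"

echo.
echo === Current members of the local Administrators group ===
net localgroup Administrators

echo.
echo === Disabling the account and removing it from Administrators ===
net user HelpAssistant /active:no
net localgroup Administrators HelpAssistant /delete

echo.
echo === Verify: "Account active" should now read No ===
net user HelpAssistant | findstr /i "Account.active"
net localgroup Administrators | findstr /i "HelpAssistant"
if errorlevel 1 echo HelpAssistant is no longer a member of Administrators.
```

As the posters above observed, an MBR infection that is still present re-enables the account from SYSTEM after a reboot, so run this after fixmbr and re-run it once more after the next boot to confirm the state sticks.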


----------



## Madimad

Thanks Pitta322,
But running fixmbr reports:
" *** Caution ***
This computer appears to have a non-standard or invalid master boot record.
FIXMBR may damage your partition tables if you proceed.
This could cause all the partitions on the current hard disk to become
inaccessible.
If you're not having problems accessing your drive do not continue. "

Chicken? Me? Might be, but what if indeed all the partitions on my hard disk become inaccessible?


----------



## Pitta322

Madimad,
I have NEVER lost any data answering Yes to a fixmbr command.
In any case, if you can do a backup beforehand, it will be better.


----------



## johnwill

If you have used a 3rd-party partitioning program to format the disk, the FIXMBR command will nuke the partition! That warning is correct!


----------



## Madimad

If I am a chicken, I'm a brave one!
The FIXMBR did work OK, the HelpAssistant user did not appear again and my disc seems pretty OK.
Thank you all!


----------



## colinoc

I have had the same problem - new folder called HelpAssistant and loads of extra files in it + massive increase in files noticed on AVG scan process 2 days ago. I would like to follow your plan but in checking the details in advance of your suggestion "After a reboot, disable HelpAssistant account and remove it from Administrators group", I can't find where to delete it from the Administrators group. This is my home PC - I've tried right-clicking on My Computer/Manage but I don't see any groups to remove anything from. Can you help please?
Thanks in advance


----------



## colinoc

I am just recording information for others with this problem & to confirm the fixmbr also worked for me on a Dell running XP Home edition. I tracked down a description of this trojan through the link below:

http://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=3

My AVG scan identified the trojan as SINOWAL and moved it to the vault OK but I couldn't stop the repeated reinstalling of HelpAssistant. The Symantec description explains the relation to the HelpAssistant account and also the fact that the trojan actually opens up a remote access link to your PC - it did on mine.
I thought long and hard before using FixMbr on the recovery console because of the Manager's comment (nuking the partitions) but couldn't find an easy alternative. I'm not sure what nuked means but my hard disk had 3 partitions before I started and it still has them after it - all with the same size as before - I believe one of them is where Dell store their factory settings for the shipped system (Dell System Restore, DSR) but I was advised that doing a DSR restore would not cure the problem on the MBR. I suppose I will only know if it has been nuked when I come to use DSR but I live in hope.
Another link I found may be of use to anyone thinking of using Dell's System Restore (DSR):
http://www.goodells.net/dellrestore/fixes.htm and it also provides a fixDSR download facility if part of the original DSR is corrupt.

Special thanks to Pitta322 and Madimad


----------



## imdunlap

I have just cleaned up the same issue.
- I was on my Yahoo Calendar settings, when the computer began shutting down.

Neither my AV nor Firewall detected it. After noticing degraded performance I ran the ESET online scan and it detected the trojan.
It had installed into the MBR, then rebooted the machine,
created a HelpAssistant account with admin rights,
created a profile for HelpAssistant and began copying my profile into it.

After several cleanings with ESET and then repairing the MBR I think I have finally removed this from my system.

However, I am concerned about the breach and the possibility of third-party access to my data while the computer was under attack. Does anyone know if data is transmitted, or how to know if remote access was made while the computer was compromised?
Thanks


----------

