HelpAssistant Account hacked?

JimOliver · 08-22-2009, 07:58 PM

Hello all,

I have a problem, just noticed today, not sure how long it's been there.

My machine is an XP SP3 (tablet edition if that matters), on a home network with 2 computers with cable internet.

I'm running Avast 4.8.

This morning, Avast alerted me to a virus in the HelpAssistant account folder for temporary internet files (C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5). I had never heard of this account, but I've learned it's the RDP account. Anyway, I noticed that the TemporaryInternetFiles folder was growing at an alarming rate, about 3MB per minute. Looking in there were the standard files, some html, .js, etc, nothing unusual...but rapidly growing.

Alarmed, I went to disable the account, and turned up the logging in event viewer. Someone with NTAUTHORITY/SYSTEM keeps re-enabling the account. I tried changing password, same thing, NTAUTHORITY/SYSTEM changes the password again, and then I start getting thousands of internet files.

Is this normal?

I tried deleting old accounts, changing the Administrator logon, but nothing helps...is a trojan doing this? What steps can I do to identify and remove it? Or is it sombody logging in from the outside?

thanks in advance, any thoughts would be appreciated.

-Jim

Suncoast · 08-25-2009, 02:54 PM

You should be in one of the Security Forums Here.

http://www.techsupportforum.com/security-center/

Madimad · 10-28-2009, 07:08 AM

Hi, I'm having the same problem. Don't know how to disable the HelpAssistant, so I deleted it using "net user HelpAssistant /Delete". That works but after rebooting the directory C:\Documents and Settings\HelpAssistant is back and growing ...
Anyone? Thanks!

lepr8 · 10-29-2009, 01:16 AM

I have the same problem, there is a solution?

Pitta322 · 10-29-2009, 04:26 AM

Hello,
the problem it's a trojan (win32.mebroot.bz) that install itself in the mbr.
Just start XP recovery console from XP CD and run fixmbr.
After a reboot, disable HelpAssistant account and remove it from Administrators group.

Madimad · 10-30-2009, 04:10 AM

Thanks Pitta322,
But running fixmbr reports:
" *** Caution ***
This computer appears to have a non-standard or invalid master boot reord.
FIXMBR may damage your partition tables if you proceed.
This could cause all the partitions on the current hard disk to become
inaccessible.
If you're not having problems accessing your drive do not continue. "

Chicken? Me? Might be, but what if indeed all the partitions on my hard disk become inaccessible?

Pitta322 · 10-30-2009, 07:05 AM

Madimad,
I NEVER lose any data answering Yes to a fixmbr command.
In any case, if you can do a backup before it will be better.

**johnwill** · 10-30-2009, 08:09 AM

If you have used a 3rd partitioning program to format the disk, the FIXMBR command will nuke the partition! That warning is correct!

Madimad · 10-30-2009, 09:38 AM

If I am a chicken, I'm a brave one!

The FIXMBR did work ok, the HelpAssistant user did not appear again and my disc seems pretty ok.
Thank you all!

08-22-2009, 07:58 PM	#1 (permalink)
JimOliver Registered User Join Date: Aug 2009 Posts: 1 OS: XP SP3	HelpAssistant Account hacked? Hello all, I have a problem, just noticed today, not sure how long it's been there. My machine is an XP SP3 (tablet edition if that matters), on a home network with 2 computers with cable internet. I'm running Avast 4.8. This morning, Avast alerted me to a virus in the HelpAssistant account folder for temporary internet files (C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5). I had never heard of this account, but I've learned it's the RDP account. Anyway, I noticed that the TemporaryInternetFiles folder was growing at an alarming rate, about 3MB per minute. Looking in there were the standard files, some html, .js, etc, nothing unusual...but rapidly growing. Alarmed, I went to disable the account, and turned up the logging in event viewer. Someone with NTAUTHORITY/SYSTEM keeps re-enabling the account. I tried changing password, same thing, NTAUTHORITY/SYSTEM changes the password again, and then I start getting thousands of internet files. Is this normal? I tried deleting old accounts, changing the Administrator logon, but nothing helps...is a trojan doing this? What steps can I do to identify and remove it? Or is it sombody logging in from the outside? thanks in advance, any thoughts would be appreciated. -Jim

08-25-2009, 02:54 PM	#2 (permalink)
Suncoast Registered User Join Date: Jul 2009 Location: Largo, FL, USA Posts: 389 OS: XPP, Linux, 2003, Cisco	Re: HelpAssistant Account hacked? You should be in one of the Security Forums Here. http://www.techsupportforum.com/security-center/

10-28-2009, 07:08 AM	#3 (permalink)
Madimad Registered User Join Date: Oct 2009 Location: Dutch, but living in Spain Posts: 3 OS: WinXP SP3	Re: HelpAssistant Account hacked? Hi, I'm having the same problem. Don't know how to disable the HelpAssistant, so I deleted it using "net user HelpAssistant /Delete". That works but after rebooting the directory C:\Documents and Settings\HelpAssistant is back and growing ... Anyone? Thanks!

10-29-2009, 01:16 AM	#4 (permalink)
lepr8 Registered User Join Date: Oct 2009 Posts: 1 OS: Xp Sp3	Re: HelpAssistant Account hacked? I have the same problem, there is a solution?

10-29-2009, 04:26 AM	#5 (permalink)
Pitta322 Registered User Join Date: Oct 2009 Posts: 2 OS: XP SP3	Re: HelpAssistant Account hacked? Hello, the problem it's a trojan (win32.mebroot.bz) that install itself in the mbr. Just start XP recovery console from XP CD and run fixmbr. After a reboot, disable HelpAssistant account and remove it from Administrators group.

10-30-2009, 04:10 AM	#6 (permalink)
Madimad Registered User Join Date: Oct 2009 Location: Dutch, but living in Spain Posts: 3 OS: WinXP SP3	Re: HelpAssistant Account hacked? Thanks Pitta322, But running fixmbr reports: " * Caution * This computer appears to have a non-standard or invalid master boot reord. FIXMBR may damage your partition tables if you proceed. This could cause all the partitions on the current hard disk to become inaccessible. If you're not having problems accessing your drive do not continue. " Chicken? Me? Might be, but what if indeed all the partitions on my hard disk become inaccessible?

10-30-2009, 07:05 AM	#7 (permalink)
Pitta322 Registered User Join Date: Oct 2009 Posts: 2 OS: XP SP3	Re: HelpAssistant Account hacked? Madimad, I NEVER lose any data answering Yes to a fixmbr command. In any case, if you can do a backup before it will be better.

10-30-2009, 08:09 AM	#8 (permalink)
johnwill Manager, Networking Forums Join Date: Sep 2002 Location: S.E. Pennsylvania, US Posts: 41,580 OS: Windows 7, XP-Pro, Vista, Linux Blog Entries: 1	Re: HelpAssistant Account hacked? If you have used a 3rd partitioning program to format the disk, the FIXMBR command will nuke the partition! That warning is correct! __________________ If TSF has helped you, Tell us about it! or Donate to help keep the site up! Microsoft MVP - Windows Desktop Experience

10-30-2009, 09:38 AM	#9 (permalink)
Madimad Registered User Join Date: Oct 2009 Location: Dutch, but living in Spain Posts: 3 OS: WinXP SP3	Re: HelpAssistant Account hacked? If I am a chicken, I'm a brave one! The FIXMBR did work ok, the HelpAssistant user did not appear again and my disc seems pretty ok. Thank you all!