I'm having problems with a new user file called "HelpAssistant" and uninvited Remote Desktop activations
On January 27th of this year I received a new user file in Documents and Settings called "HelpAssistant". I've never checked the Remote Desktop box or the Remote Assistance box in the Computer properties. I do not know where it came from, nor do I think it is legitimate. I access the "manage" user account settings to disable this user account (HelpAssistant); I then have to uncheck the Remote Desktop box in computer properties and press "OK"; then I have to remove the check in the box for Remote Desktop in the firewall. What I'm doing is restoring my original settings back to before this file appeared on my system in January. I restarted the system afterwards to ensure that all of my settings are saved. When I log back on to Windows XP, my changes are there except that the user file (HelpAssistant) is still there. Then, after a short time, I notice that all of my settings for this local user account in Computer Management have been reactivated, the box for Remote Desktop is mysteriously checked again, and the firewall Remote Desktop box has been rechecked.

I'm getting annoyed with this file because it is duplicating all of my personal files and using up my hard drive space. I really do not trust what is happening here. I've scanned this file for viruses and spyware with a fully updated version of Spysweeper and with the latest Microsoft Malicious Software Removal Tool with no detectable viruses or spyware. Is it possible that someone has infiltrated my system through a service port to access my system without using malware? Or is this a legitimate function of the system based on a new system update? The user file (HelpAssistant) restores its functions, files, and everything that applies to it as if it is sharing administrative rights, contrary to my changes as an administrator.
Is there a Microsoft security program expert out there who can give a detailed explanation for the existence of this file "HelpAssistant" and a reason for it to exist? Also, is there a reason for having "Remote Desktop" activated with no users on its access list?

Update: I've changed my Windows XP Firewall settings by checking the box to "Allow No Exceptions" and that seems to have stopped whoever is changing my settings. It appears that I have several listed firewall exceptions for "Services" with TCP port numbers that cannot be identified. I will not open the firewall for any unidentifiable exceptions until I get a satisfactory answer to my questions from a Microsoft security expert. The HelpAssistant user account has unsolicited access to my system by overriding and reactivating the Remote Desktop settings. Its files have grown to over 5GB in size and most of it is a duplication of "My Documents", "My Pictures" and other files which are private to my user account. For now, I have all of my firewall exceptions deactivated. Is there anyone who can give me some kind of an answer to my questions pertaining to this dilemma? I have all of my essential files backed up to an external hard drive. If found necessary I will reinstall my original version of Windows XP on a new hard drive so that I can start all over from scratch with better security precautions.

Update: In Windows Firewall "Exceptions" there are nine listed Services ports. I performed an experiment to see what would happen if I unchecked them all and then checked the box to allow all exceptions. In just a few minutes four Services exceptions and the exception for Remote Desktop were checked off from an unknown outside source. In addition to that, the user account for HelpAssistant was changed from its disabled state by an outside source. The computer properties box for Remote Desktop was also changed with an added checkmark from an outside source.
Services TCP ports 65533, 52344, 3246, 2479 are what identify the ones that are activated by an outside source first. I'm monitoring the other five ports (TCP 9835, 4133, 4109, 4054, and 3617) to see if they are reactivated later. This only occurs when I am connected to the internet and when my firewall is open to allow exceptions. It is disturbing to see that an unidentified outside source can change the exceptions for a firewall. My own personal home computer is a Dell XPS 600 which contains the original Windows XP Media Center 2005 and Service Pack 3. Everything is up to date as far as the system and security go, using the latest version of Webroot Antivirus and Antispyware. I've downloaded and used the Malicious Software Removal Tool. I can't find any online information which convinces me that these Services ports are for a legitimate purpose and not just some tools used to violate my rights to privacy. I realize that there are some legitimate services that are designed to ensure the health of an operating system; however, I question the motives of this HelpAssistant user when it duplicates all of my personal files and fills up my hard drive. Any qualified help would be appreciated.

Update: It seems as though someone is getting around my firewall even when "Exceptions" have been closed out. The intrusion begins when Services exceptions TCP 65533 and 52334 for Dynamic and/or Private Ports, Services TCP 3246 for DVT System Port, and TCP 2479 Secure Sight Event Logging Server are activated (checked off) from an outside source. Then the user account for "HelpAssistant" is reactivated with the Remote Desktop box rechecked by an outside source. I just need to know why Remote Desktop is being activated and used by this outside source to collect information from my personal and email files which are configured as being "private". Blocking all exceptions in the Windows XP Firewall seems to have little or no effect on what is happening here.
I've searched every bit of information on the web to find out what is going on here in an effort to protect the security of my computer and I've found only vague and nonspecific info. The number of Services TCP ports has increased to about 12 in the Exceptions tab for Windows Firewall. I tried deleting the user account file for HelpAssistant and disabling the user account itself, but when I open the Exceptions tab in the firewall and uncheck all of the Services ports, someone accesses my system and tries to restore all of these undesirable features. My firewall is supposed to block these intrusions and notify me accordingly. Is there anything that Microsoft can do to stop this from happening? I've already deleted the HelpAssistant file twice because it doesn't acknowledge the privacy settings on my personal and email files and because it is too large to exist on my hard drive. I use an external hard drive to store backups of everything. PLEASE HELP ME TO UNDERSTAND WHAT IS GOING ON HERE!!!!!!!

More info: This problem began with the new Services TCP ports being added to and opened up on Windows Firewall's Exceptions checklist when Windows starts up. I personally remove these check marks before I connect to the internet so that they cannot be used to reinstall the HelpAssistant virus or trojan. My computer is infected with commands to override and change the system's firewall settings by rechecking Services exceptions and by adding new Services exceptions to the list at startup. If I'm connected to the internet, someone at a remote site who is working through these ports reactivates the HelpAssistant account in the Computer Management local user settings and then activates the Remote Desktop function without invitation. They keep adding Services ports to my firewall exceptions list, trying to bypass my commands for them to stay off of my computer. The infections are directly related to the command-line functions infecting my computer at startup.
There are several online complaints associated with this weakness (HelpAssistant virus or trojan) that has been found to be seriously affecting the privacy and security of the Windows XP operating system. I need more information from a reliable source on this subject before I start deleting these ports from the firewall and deleting the HelpAssistant user account itself from the Computer Management list of users.

Update: I'm stuck with having to unplug from the internet when I restart my computer. Four Services TCP ports are automatically rechecked on the firewall exceptions list when I boot back into Windows XP. With the internet connection unplugged, the outside source of this problem cannot initiate the reactivation of the HelpAssistant user profile, recheck the box for Remote Desktop, and add its corresponding HELPASSISTANT user account file. Out of these four Services TCP ports there is one that alternates with four other TCP ports which have been added to the list, and they alternate each time I restart my computer. The website iana.org identifies them as Unassigned. There is an instantaneous display on the task bar that appears immediately to the right of the "Start" button just before my antispyware and antivirus program is activated. As this system's administrator there is nothing that I can do to remove the malware that was introduced to my system on January 27th of this year. I cannot afford to have a professional look at it, so that is why I'm asking for some online guidance to get rid of this hard-drive-hogging malware or spyware, whether it is legitimate or not. PLEASE HELP ME TO IDENTIFY THE PROBLEM SO I CAN HAVE BETTER CONTROL OVER THE SECURITY OF MY PERSONAL HOME COMPUTER.
I do not want some program installed on my computer which alters my firewall settings during restart to allow this intrusion. Is there a way to stop uninvited and unsolicited activations of Remote Desktop (is there a way to stop this unknown outside source from checking this box in System Properties)? Or am I stuck with having to guess which Services to uncheck and to block each time I boot up? Is there a way to stop this outside source from reactivating the HelpAssistant user account after I've disabled it? How do I prevent whoever is activating Remote Desktop from downloading the HelpAssistant user file onto my computer?

If HelpAssistant is truly a legitimate file then why does it copy my private information (checked as private in properties) and make it accessible to other users in its copied files? Why does HelpAssistant keep a record of my recently opened documents and why aren't they deleted when I empty this file in my user account file? There is reason for me to be alarmed here because all I can see is that an outside source is keeping a record of all of my private information in its user file (HelpAssistant). Why is this user file almost equal in size to my user file (which takes up too much of my hard drive space)? Why does this file contribute so much to the number of files that cannot be defragmented?

What Services and connections need to be permanently blocked and deleted from my list of exceptions in Windows Firewall to prevent this? I know that certain Services ports are made active on computer restart by .exe programs for legitimate purposes; however, those Services ports that are opened to allow this intrusion need to be closed or deleted permanently. The only problem is knowing which one is which. I started with nine Services ports (listed as exceptions in the firewall); now there are twelve of them. I do not want this HelpAssistant file on my system. I've never used the Remote Desktop feature to invite anyone.
Remote Assistance is always closed.

In light of the conclusions for the cause of this problem, those very expensive and complex solutions which are being offered to fix it, and the lack of information provided by this forum and other forums, I've decided that the best solution is to back up all of my personal documents to an external hard drive and reinstall my Windows XP operating system on a new hard drive. This time, hopefully, I can use better security precautions which will help me to keep a log of all new files or programs installed on it. It will be configured so as not to allow Remote Desktop and Remote Assistance from ever being activated or the HelpAssistant file from ever being downloaded. It will be configured in a way in which firewall exceptions settings cannot be altered in any way during reboot by an .exe program or an outside source. The Services exceptions for Unassigned ports and the one suspect system port will be deleted each time they appear or reappear on the list of firewall exceptions. As far as I'm concerned, I regard these situations as an uninvited stealthware (neospyware) intrusion and I'm very angry that there is so little information offered to prove to me that it is not a threat. I don't have the financial resources to spend on this; for now, I'll have to make do with what I have.

I found out that the Windows XP Firewall Exceptions list has one Services TCP port that is responsible for this intrusion. iana.org identifies it as DVT System Port, TCP 3246. I've deleted this port only to have it restored and reactivated by the system when restarting my computer. Since I have deleted the "HelpAssistant" user account folder several times from Documents and Settings, there have been several instances where this folder would be restored when this outside entity enters my system, checks the box to activate Remote Desktop, and downloads this file over and over again. I've edited my registry. I've looked at every startup file using WinPatrol.
I've scanned for viruses and spyware, with the Windows Malicious Software Removal Tool, and for Conficker without any detectable or verifiable results. I've tried disabling Remote Desktop by using gpedit.msc and it still finds different ways to get through my firewall. It even adds exceptions to the firewall for Services and uses these alternate "Unassigned" TCP Services ports in a deliberate effort to regain access to my system. I need to know what startup programs and what registry files need to be disabled or removed in order to keep this uninvited guest off of my computer and from downloading this blasted oversized and insecure file called HelpAssistant. Whoever is responsible for this activity from DVT System Port TCP 3246 needs to understand that this intrusion is not welcome!!!!!
February 9th, 2010 12:45pm

You've got a Trojan/keylogger (win32.mebroot.bz), and unfortunately reinstalling Windows won't fix it - it's sunk itself into your master boot record, which is why all the scanner programs can't see it. I just spent last night clearing the same thing off of my husband's computer. Here's how we fixed it:

1) Back up all your important document files, just in case. Do not do a system backup; copy folders to an external drive manually. I had no problems at all (nothing got corrupted), but I'm not going to take the fall if something is weird on your system. :P

2) Boot XP from the CD and enter the Recovery Console (push 'R' at the 'Welcome to XP' screen).

3) If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console. If you only have one option, hit 1.

4) When you are prompted, type the Administrator password. If the Administrator password is blank, just press ENTER.

5) At the C:\ prompt, type FIXMBR.

   Notes from Microsoft resources:

   fixmbr [device_name]

   Parameter device_name is the device (drive) on which you want to write a new master boot record. The name can be obtained from the output of the map command. An example of a device name is \Device\HardDisk0.

   Example: the following writes a new master boot record to the device specified: fixmbr \Device\HardDisk0

   Note: If you do not specify a device_name, a new master boot record will be written to the boot device, which is the drive on which your primary system is loaded. If an invalid or nonstandard partition table signature is detected, you will be prompted whether you want to continue. If you are not having problems accessing your drives, you should not continue. Writing a new master boot record to your system partition could damage your partition tables and cause your partitions to become inaccessible.

   You will get the 'invalid or nonstandard partition table' error message. Hit OK. Again, we had no problems with this, but I have no idea what kind of partitioning you have on your system.

6) Type EXIT and the computer will reboot. Go into C:\Documents and Settings and delete the HelpAssistant directory.

We ran CCleaner, SpyBot and AVG to clean up afterwards, and so far so good. Wireless is back, computer speed's back up, and the intrusions seem to have stopped.
March 6th, 2010 3:59pm
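As an added example (not code from this thread, from Gecko1534, or from Microsoft), here is a Python script that does the check a practitioner would want around the fixmbr step above: parse sector 0 of a disk, list the partition table, and hash the boot code against a baseline taken from a known-clean install. An MBR bootkit of the kind described in this thread replaces the boot code while leaving the partition table intact, so the disk still boots and Windows still sees the same drives; fixmbr rewrites only the boot code, which is why it is the repair and why the partition table must be checked before and after. The MBR below is constructed to resemble the layout Myrmyd later posts from the Recovery Console map command; the boot code bytes, the choice of partition 2 as the active one, and the "tampered" patch are illustrative assumptions, not the real rootkit's bytes. Bootkits in this family are known to intercept reads of sector 0 from inside the running OS and hand back a clean-looking copy, so on a suspect machine read the disk from a boot CD or another system rather than trusting a read of \\.\PhysicalDrive0 from the infected Windows.

```python
"""Parse a 512-byte MBR and compare its boot code with a known-good baseline.

Added example, not code from the thread. The MBR is CONSTRUCTED: sizes follow
Myrmyd's `map` output, the boot code bytes and the tampering are illustrative.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot code (440..445 hold the Windows disk signature)
PART_TABLE_OFF = 446         # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 510..511
PART_TYPES = {0x06: "FAT16", 0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)"}
ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions):
    """Assemble an MBR from boot code and (type, start_lba, sector_count, bootable) tuples."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (ptype, start, count, bootable) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + 16 * i
        # CHS fields are left zero; loaders use the LBA fields.
        sector[off:off + 16] = ENTRY.pack(0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return signature status, SHA-256 of the boot code, and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, start, count = ENTRY.unpack(sector[off:off + 16])
        if ptype == 0:
            continue
        partitions.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": PART_TYPES.get(ptype, "0x%02x" % ptype),
            "start_lba": start,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def partition_table_unchanged(a, b):
    """True when two MBRs carry the same partition table (bytes 446..509)."""
    return a[PART_TABLE_OFF:510] == b[PART_TABLE_OFF:510]


def check_mbr(sector, baseline_boot_sha256):
    """Findings to act on before or after running fixmbr."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


# Constructed sample. Sizes follow Myrmyd's `map` output (47 MB FAT16, 233609 MB NTFS,
# 4754 MB FAT32); partition 2 (C:) is assumed to be the active one. 1 MB = 2048 sectors.
SAMPLE_PARTITIONS = [
    (0x06, 63, 47 * 2048, False),
    (0x07, 63 + 47 * 2048, 233609 * 2048, True),
    (0x0B, 63 + (47 + 233609) * 2048, 4754 * 2048, False),
]
# Illustrative stand-in for real boot code: the usual xor ax,ax / mov ss,ax / mov sp,7c00h
# prologue padded with NOPs. Not a real image.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c") + b"\x90" * 120
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
BASELINE_BOOT_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # would come from a clean disk

# Simulated bootkit: first bytes patched to jump elsewhere, partition table untouched.
TAMPERED_MBR = b"\xeb\x3e" + CLEAN_MBR[2:]   # hypothetical patch, not the real rootkit's bytes

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, BASELINE_BOOT_SHA256) or ["ok"])
    for p in parse_mbr(TAMPERED_MBR)["partitions"]:
        print(p)
```

To use it on a real disk, read the first 512 bytes of the physical device (from outside the suspect OS, as noted above) into a bytes object and pass it to check_mbr together with the baseline hash recorded from a clean install of the same Windows version; partition_table_unchanged over the before and after images confirms that fixmbr touched only the boot code.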

Hello Gecko1534,

I think that you are right on the money about this Trojan/keylogger because of the symptoms I've been getting. One clue is that it overrides my mouse and keyboard when it activates Remote Desktop. I can hear the hardware disconnect alarm when it does. It will not function if I delete Services port TCP 3246 and all of these other unassigned TCP ports that it creates and switches with on each reboot. On the Computer Management console there is a user account listed as "HelpAssistant, Remote Desktop Help Assistant Account" and it is described as "Account for Providing Remote Assistance"; this is the listed user account that it is using to gain access to my system through these Services ports. If I right-click on Properties and disable it, the account is reactivated through these Services ports shortly before it adds the check mark to Remote Desktop to activate it after restarting my computer. It seems to be a combination of startup programs mixed with various registry keys supporting it.

My little 250GB hard drive is five years old and it should be replaced. I have manually moved all of my personal files to an external hard drive. The only things listed on this external hard drive are personal files. All of the Microsoft-associated files have been removed from it as well as the "MY BOOK" backup quick-load features. I have my system set to display hidden file folders so as not to miss deleting those from the external drive as well. Is it possible for malware to hide itself in combination with my personal files, such as in pictures, music files, or documents? If so, how do I find them? Would changing the names of my personal files before loading them onto a new computer help? It has always been my policy to never use a computer for banking or for storing information directly related to my social security and credit information.
The only things that a hacker can use are family photos which identify the names of relatives and pets which are often used for identification purposes by banks and website logins. I'm going to change these names to circumvent that approach. The "HelpAssistant" folder that I deleted from Documents and Settings contained all of my personal files from the system, including those stored on my external hard drive. What was especially alarming to me was that the personal files copied from the folders configured as "Private" from my user account were accessible through the Administrator account in Safe Mode. While logged in as Administrator in Safe Mode I experimented by trying to access the "Private" folders in my account and access was denied. However, the same files copied to the "HelpAssistant" folder could be viewed by anyone. For now, my external drive is disconnected while online and recent documents are purged. All traces of personal documents have been removed from the operating system. When I buy a new computer, should I close out my current email account name and establish a new one as well?

Thank you very much for your input. All information is most seriously appreciated,
Spacejunkie1

I detected a virus using Safe Mode after a sequence of restarts. It is identified as Troj/Mbroot-H and it is located in physical drive 0, between the cookies scan and the drive analysis. I tried to quarantine and delete this virus using Spysweeper without success. I ran Spysweeper in Safe Mode four times and it detected it each time. In normal mode, Windows does not see it because the scanning is too fast or there is some way it conceals itself from detection. It appears just after a file called "administrator at msn 1 txt" which is a link to a website and is not a true cookie. The Windows operating system and WinPatrol cannot recognize or detect this txt. This virus appears to be more like a phantom because it passes through any attempts to quarantine it and then delete it.
I emailed Webroot to see what they think and I'm waiting to see what they have to say about this problem.

Update: Webroot is having me run a series of tests through email correspondence. The HelpAssistant user account was originally designed for the temporary use of technicians during online Remote Assistance troubleshooting sessions with the primary user present. It is not supposed to be opened without the invitation of the computer's primary user during an online session. It is not supposed to operate in the background without the primary user's knowledge. This feature is being exploited by hackers and Microsoft needs to generate a series of updates and modifications to end this intrusion. I will not allow this program to exist on my computer if these security flaws cannot be addressed. I've taken steps to identify the eight alternating firewall exceptions ports, programs, and files responsible so that they can be shut down or deleted after each computer restart. This is a major breach of computer security that Microsoft needs to acknowledge and remedy. This is by far the most intrusive malware to ever be introduced into the Windows XP operating system. I'm very angry that Microsoft has not explained to me their thoughts and their courses of action in regard to this potential threat to the security and privacy of my computer.
March 6th, 2010 11:59pm

To all those concerned:

Webroot has confirmed that there is a Master Boot Record (MBR) infection in my Windows XP operating system which allows hackers to abuse the HelpAssistant Remote Desktop features. Unfortunately, the infection cannot be removed from my system without damaging access to my operating system because of my custom boot partition. This situation will require the clean reinstallation of my operating system onto a new hard drive. I cannot afford to take my computer to a professional technician and it cannot be solved by email or phone correspondence because of the nature of the infection. For now, I'm stuck with it as it is until good fortune comes my way in this rough economy. All of my personal documents, photos, and other media have been manually moved to a malware-free external hard drive and detached from the system. I need to know if deleting the HelpAssistant account in the Users section of the Computer Management console will minimize the effects of this intrusion or if it will be restored in the same way as the Services ports when the system is restarted. The Control Panel console for User Accounts does show the HelpAssistant account, so it cannot be modified or deleted from there. The only way to prevent a hacker from activating it and using it for their background mischief may require deleting it from the computer in lieu of repairing the MBR. If I can identify the registry keys or files that it uses to activate these Services ports during system restart, that may help as well. Any help or advice would be appreciated.

Thank you,
Spacejunkie1

Deleting the HelpAssistant user account from the Computer Management console will stop intrusions if Windows Firewall is reset to its default settings, when the exceptions for Remote Assistance and Remote Desktop are unchecked, and when all exceptions for Services TCP ports are deleted after restarting your computer. You must disconnect from the internet before you restart your computer and then delete all of the checked Services port exceptions each time you log on to the system before reconnecting to the internet. If you do not delete these Services ports, the HelpAssistant account will be reinstalled and activated by the hacker that is using one of these ports. All of my questions have been answered and the solution is to use this strategy until I can afford to purchase a new computer.
March 12th, 2010 10:31pm
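The after-every-restart routine described in the post above (check the HelpAssistant account, the Remote Desktop switch, and the Services port exceptions, then undo whatever came back) is tedious to do by hand and easy to get wrong. As an added example, not code from Spacejunkie1 or from the thread, here is a Python script that parses the output of the three XP commands that expose those settings, flags anything that drifts from a baseline allowlist, and emits the commands that would revert it. The three SAMPLE_* strings are constructed to resemble what netsh firewall show portopening, net user HelpAssistant and reg query print on XP SP3, using the port numbers named in the thread; the exact column layout, the BASELINE_ALLOWED set and the remediation syntax are assumptions from memory of the XP netsh firewall context and should be confirmed with netsh firewall delete portopening /? before use. As the thread shows, on a machine with an active bootkit these reverts only hold until the next boot; the value is in seeing the drift quickly and recording which ports reappear.

```python
"""Audit XP Firewall port exceptions, the HelpAssistant account and the Remote Desktop
switch against a baseline, and emit the commands that revert any drift.

Added example, not code from the thread. SAMPLE_* strings are CONSTRUCTED to look like
XP SP3 command output; field layout and command syntax are assumptions to verify.
"""
import re
import subprocess

PORT_LINE = re.compile(r"^\s*(\d{1,5})\s+(TCP|UDP)\s+(Enable|Disable)\s+(.*?)\s*$", re.I)
PROFILE_LINE = re.compile(r"^Port configuration for (\w+) profile", re.I)
ACCOUNT_ACTIVE = re.compile(r"^Account active\s+(Yes|No)\s*$", re.I | re.M)
DENY_TS = re.compile(r"fDenyTSConnections\s+REG_DWORD\s+0x([0-9a-f]+)", re.I)
TS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"

# Baseline: exceptions a stand-alone XP home machine normally carries (file and printer
# sharing). Anything else that is enabled gets reported. Replace with your own clean snapshot.
BASELINE_ALLOWED = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}


def parse_portopening(text):
    """Rows of `netsh firewall show portopening`, tagged with the profile they belong to."""
    profile, rules = "unknown", []
    for line in text.splitlines():
        m = PROFILE_LINE.match(line)
        if m:
            profile = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            rules.append({"profile": profile, "port": int(m.group(1)), "proto": m.group(2).upper(),
                          "enabled": m.group(3).lower() == "enable", "name": m.group(4)})
    return rules


def account_active(net_user_text):
    """True when `net user <name>` reports the account as active."""
    m = ACCOUNT_ACTIVE.search(net_user_text)
    return bool(m) and m.group(1).lower() == "yes"


def rdp_denied(reg_text):
    """True only when fDenyTSConnections is present and non-zero (Remote Desktop off)."""
    m = DENY_TS.search(reg_text)
    return m is not None and int(m.group(1), 16) != 0


def audit(portopening, net_user, reg_query, allowed=BASELINE_ALLOWED):
    """Return (findings, fix_commands) for the three indicators tracked in the thread."""
    findings, fixes = [], []
    if account_active(net_user):
        findings.append("HelpAssistant account is enabled")
        fixes.append("net user HelpAssistant /active:no")
    if not rdp_denied(reg_query):
        findings.append("Remote Desktop connections are allowed (fDenyTSConnections is not 1)")
        fixes.append('reg add "%s" /v fDenyTSConnections /t REG_DWORD /d 1 /f' % TS_KEY)
    for r in parse_portopening(portopening):
        if r["enabled"] and (r["proto"], r["port"]) not in allowed:
            findings.append('unexpected firewall exception: %s %d "%s" (%s profile)'
                            % (r["proto"], r["port"], r["name"], r["profile"]))
            fixes.append("netsh firewall delete portopening protocol=%s port=%d" % (r["proto"], r["port"]))
    return findings, fixes


def collect_live():
    """Gather the real outputs on an XP box (run as Administrator). Not called at import."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    return (run("netsh", "firewall", "show", "portopening"),
            run("net", "user", "HelpAssistant"),
            run("reg", "query", TS_KEY, "/v", "fDenyTSConnections"))


# --- constructed samples, mirroring the ports named in the thread ---
SAMPLE_PORTOPENING = """\
Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
3389   TCP       Enable   Remote Desktop
3246   TCP       Enable   Services
2479   TCP       Enable   Services
65533  TCP       Enable   Services
52344  TCP       Enable   Services
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
"""
SAMPLE_NET_USER = """\
User name                    HelpAssistant
Full Name                    Remote Desktop Help Assistant Account
Comment                      Account for Providing Remote Assistance
Account active               Yes
"""
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0
"""

if __name__ == "__main__":
    findings, fixes = audit(SAMPLE_PORTOPENING, SAMPLE_NET_USER, SAMPLE_REG)
    print("\n".join(findings) or "no drift from baseline")
    print("\n".join(fixes))
```

Run it once on a freshly rebooted, offline machine to capture the allowlist, then each time before reconnecting; keeping the findings lists from successive boots is what lets you see which of the alternating port numbers the thread describes actually recur.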

I have the HelpAssistant problem, too, and I'm able to control it with Spacejunkie's suggestions of deleting the exceptions for Services TCP ports in the firewall and deleting the HelpAssistant folder in Documents and Settings. At that point, I can reconnect my cable modem and all runs fine until the next boot, when deleting the Services exceptions has to be repeated. The HelpAssistant folder has not returned after being deleted the first time, but I understand that's because I shut down the Services exceptions while disconnected from the internet. I'm working on following Gecko's suggestion above about the MBR fix.
March 21st, 2010 8:21pm

I'm confused about your tips about the partition messages. I booted the computer using the Windows XP CD, hit R, went to C:\ and got this response from the map [arc] command:

    ?   FAT16   47 MB       \DEVICE\HARDDISK0\PARTITION1
    C:  NTFS    233609 MB   \DEVICE\HARDDISK0\PARTITION2
    E:  FAT32   4754 MB     \DEVICE\HARDDISK0\PARTITION3
    D:                      \DEVICE\CDROM0

Could you please be more specific about what you'd do with the fixmbr \device command? I'd assume it would be the partition2 item, but I'd appreciate knowing more before I mess something up. I am able to use the computer as explained below, but I'd like to get rid of this thing.
March 21st, 2010 8:59pm

Hello Myrmyd,

Have you been reading the blogs about this virus in the other forums? It is very confusing to me as well because some people are successful at removing this virus and restoring their systems to normal and others are using the same techniques without success. Some are losing access to their hard drives by using fixmbr the wrong way or because of the complexity of their boot partition and the progressive changes to files and registry caused by this virus. There are some blogs on the Dell forums that suggest there is a problem using the older Dell OEM Windows XP SP2 disc to repair a partition related to the Service Pack 3 update. All I know is that I can detect the virus only in Safe Mode and it cannot be quarantined after Webroot's "Sophos" antivirus engine detects it. It probably replicates itself on each attempt. If you try googling "HelpAssistant" you will see the various solutions presented on other forum sites. There is something mentioned about a low-level rewrite of the boot partition of the affected drive or drive C: Windows XP along with using Malwarebytes to identify the infected files and registry for deletion as well as removing the virus. It appears that you have two other devices sharing your partition in addition to drive C. It is beyond the scope of my knowledge to advise you how to proceed because your configuration may be too complex to risk any changes to remove this virus. I've had mine examined by a computer professional and he recommended a total reinstallation of everything: installing the original XP Service Pack 2 with a simple single version of the Windows partition (and not the Dell version), with updated drivers and Service Pack 3 on a new hard drive. The virus has changed too many essential Windows and internet files and has created too many registry changes to sort through.

I know that your situation is different than mine in some ways, because you may have to detach these other drives or vice versa and have them checked for viruses before you make any changes. The drive C: partition 2 is your Windows XP drive and is probably the one to select. However, you'll need to get more info on what to do about the other drives before you proceed. All I can tell you is to close your Services ports and watch for subtle changes when you go online because, whoever this hacker is, he has found a way to identify and use other means of getting into the system. I had one instance the other day where the hacker was accessing my computer through the IP or email port. I unplugged from the internet after the hacker had reinstalled the HelpAssistant user account to the Computer Management console, reactivated Remote Desktop in the System Properties, and downloaded part of that oversized HelpAssistant file folder in Documents and Settings. I checked my Windows Firewall settings and nothing was checked off and all of the Services exceptions were still deleted. How did this hacker get past a closed firewall, undetected? It seems that this hacker has been able to access our systems and sneak past the ISPs' noses undetected with the help of that virus. I hope that you'll have better success than I've had.

Good luck,
Spacejunkie1
March 22nd, 2010 4:39am

Hey back spacejunkie1,

Thanks for your reply, at least as a fellow sufferer. I've just been using that infected computer offline as I suspected that it might not be secure even with the steps I was taking on startup. I haven't looked at other forums for a week, hoping that new fixes would start to show up. As I started looking tonight, I found your reply. My computer is a Dell, and evidently that's why it has extra partitions. I've considered calling Dell's tech support about the fixmbr command, but I haven't yet, as I don't have a lot of confidence that I'd reach a service person that really had experience in that area. I noticed some small missing things in my mirc.ini file. I am getting more memory dump blue screens and lockups even when booting offline and shutting down the Services exceptions first thing. I still haven't had the HelpAssistant folder come back, though. I've always been totally opposed to the wipe/reinstall solution, but that might be where I have to go. I'll keep looking and go read that forum at Dell.

Thanks,
myr
March 27th, 2010 3:54am

Hello Myr,

I did get a hit by the HelpAssistant hacker a few hours ago even with all of the firewall exceptions turned off. I left the internet plugged in this time when using a website to troubleshoot my sister's car. I went outside to work on the car while the system was still on that website. When I returned, the HelpAssistant hacker had found a way to get in through the internet and add six exceptions to Windows Firewall complete with checkmarks. Four of them were for the Services that I had previously deleted, Remote Desktop was activated in the firewall and System Properties, and the hacker added a management access to the list of exceptions in Windows Firewall. I discovered this just as this hacker was loading the HelpAssistant file folder itself. I immediately deleted that blasted folder and the account again and unchecked Remote Desktop several times until the hacker gave up rechecking it each time. All of my personal and sensitive info has been removed from the system, so there is nothing of value left for a hacker to use. I have been losing some template files associated with Corel Photo Album and others. It appears that this hacker is helping themselves to my templates for picture frames, photo album pages, collages, and other photography-related graphics. When I had a dual-boot system I could replace them easily by copying them from the same program installed on the other operating system. Now, I would have to run a repair from the original source disk which adds some things that I don't need.

I get an occasional blue screen, now and then, that is memory related. It appears that my Dell XPS 600 motherboard has two failing electrolytic capacitors that are leaking intermittently through the dielectric barriers. The capacitors are located on a sensitive area of the mobo where the memory modules are located. I do have extensive experience with repairing printed circuit boards; however, because of the strong possibility of static discharges from tools and heat sources for soldering and from the replacement capacitors themselves, that would not be practical. Dell has no technical specs on this proprietary Dell Nvidia SLI Foxconn LS-36 nForce4 mobo and no replacement parts or version for it. I can't afford to replace anything now. So, I'll have to make do with what I have and try to keep these intrusions to a minimum. Since Dell has not been reliable as far as replacing parts during the life of its products, my next computer will be generic or custom built using parts that will be readily available from many sources. Dell has not been very helpful in the way of do-it-yourself resources that do not cost more than an arm or a leg.

I downloaded the free version of Malwarebytes and found about nineteen infected objects in the registry and other files. All of them proved to be legitimate hits, so I deleted them. The Troj/MBroot-H cannot be removed using this program. Removing this one will require using fixmbr to rewrite the MBR. The red Dell OEM version of the Windows XP Media Center Edition 2005 (part # YD337) reinstallation DVD, that came with my computer, may not have a compatible version of fixmbr. When my system was changed to the dual-boot configuration the MBR was modified to accommodate both the XP and Vista operating systems, so this disk would not be compatible for repairs to the MBR or restoring my system to a single-boot configuration. If I had a good mobo, I would have already reloaded (clean install) the MBR and the Windows XP operating system in a single-drive configuration. Unfortunately, I can't afford to do that right now. I hope you find what you're looking for.

Best regards,
Spacejunkie1
March 27th, 2010 8:21am

Hi Spacejunkie1, Has your problem been solved or is your PC still infected? If still infected, follow the steps in the following post: http://www.bleepingcomputer.com/forums/topic302621.html . You can also join the forum and get help removing the Mebroot trojan/virus. Let me know if this helped. Thanks.
April 1st, 2010 11:18pm

Hello Waterbender; It has already been determined that the only way to remove this virus is to start all over with a clean install of the operating system and MBR. I can't afford to replace my computer or to do any servicing at this time, so I will have to make do with what I have. I've been having problems with a failing mobo, so replacement may be my only option. I removed eighteen infected registry files and system files after a scan with Malwarebytes. The boot sector virus can be detected with Webroot's Sophos antivirus program, but it cannot be removed because the virus replicates itself each time it is quarantined. The best I can do for now is to find ways to render the virus ineffective by deleting the HelpAssistant Account and Files and Restoring Windows XP Firewall to its default settings after each restart while off-line. I'm currently trying to identify the files or registry that the virus uses to configure the system to add four or five active items to the Firewall Exceptions list after each system restart. If I can delete, override, or disable them then that would render the virus ineffective. By doing this I can regain full control over Windows XP Firewall which is the way the system was originally designed to work. I can't tolerate the idea of having an outside source having this kind of control over my computer where they can add TCP or UDP ports to Windows Firewall at will and without my knowledge and consent. I have seen the solutions offered from the website you've suggested and others. The technicians I've consulted with advise a complete clean reinstall of everything. I would appreciate any help you can offer in regaining full control over my Windows XP Firewall. Thanks, Spacejunkie1
April 2nd, 2010 9:51am

Hi Spacejunkie1, I see that you have started the help thread on bleepingcomputers.com. They will assist you in removing the malware. Your PC is infected by a rootkit trojan "Mebroot". It can be cured. I see from your comments you have a dual boot system, with XP and Vista. If you have the Vista install disk, you can boot from the CD/DVD (for this you must go into the BIOS settings of your computer to change the boot order from hard disk, which should be set first, to CDROM, hence changing the order) and once booted from the Vista install CD, it will bring you to the install process; then it will give you the option of installing Vista or repairing it. You should choose to repair it by pressing the "R" key. The instructions to do this are given at the Microsoft site " http://support.microsoft.com/default.aspx/kb/927392?p=1 ". You need to choose the command prompt and run the following command: bootrec /FixMbr . After that type "exit" and after reboot start the system in "SAFE MODE" and run the Malwarebytes program to do a full scan. I have given these instructions assuming you know things like getting into BIOS settings, running Windows in safe mode, and other technical know-how. If you don't feel comfortable with these technical aspects, I would advise you to follow the Bleeping Computer thread and they will help you get rid of this malware. Good luck. Waterbender
April 8th, 2010 9:24pm

Hey Spacejunkie1, Just letting you know that I followed waterbender's advice to post on bleepingcomputer.com and someone started helping me with the problem yesterday (Thursday 4/8). The url is here: http://www.bleepingcomputer.com/forums/topic307037.html I see that waterbender says you are posting over there, too, but I couldn't find it. *fingers crossed* that we find some help. Myr
April 9th, 2010 6:09pm

I was just passing by when I noticed this thread :) It seems to me that if you cannot attack the virus itself, you could always deny it access. Locate your remote desktop .exe (or whatever the correct name is) and move the exe into a new folder. Then archive that folder using WinZip or a similar program. This isn't going to cure the virus, but it might prevent it from doing whatever it's trying to do to your computer. I hope that's helpful, it was an idea I had.
April 9th, 2010 8:13pm

"I've considered calling Dell's tech support about the fixmbr command, but I haven't yet as I don't have a lot of confidence that I'd reach a service person that really had experience in that area." myr, I'm sure whichever Dell tech you contact would know that fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. Dell's forum currently has a thread in progress in which this rootkit was suspected. However, in your case judging from the information provided at Bleeping Computer, you have a Backdoor.Trojan and that is nothing to fool with. Sorry, but for your peace of mind, the wipe/reinstall is the best way to go with something like that.
April 11th, 2010 11:18pm

Well that seems to be unanimous advice, and I finally caved in a couple of days ago and took my computer to a shop for a wipe/reinstall. I should have investigated this before, but what would the "press a key on startup and revert...to a factory delivered state" have done in this case? Would it have eliminated the backdoor.trojan? I guess that's not true or folks would have suggested that path...just wondering. myr
April 11th, 2010 11:27pm

Hi myrmyd, Actually I saw your post on Bleeping Computer. It seems that you are taking your computer to a shop; if doing so please make sure that they are aware of how to fix the Mebroot trojan that infects the master boot record. Reinstalling the OS will not clean the virus. Make sure the technician who works on your computer knows how to remove the Mebroot virus. Hope this helps in getting your computer fixed properly. Good luck.
April 14th, 2010 6:25am

Running XP. Boys and girls. I first had something weird begin on my laptop in that after flawless ability in going into STANDBY or HIBERNATION, it started misbehaving and failing to do so. I since then noticed the HELPASSISTANT folder. Further investigation shows that the HELPASSISTANT user would always re-enable itself. After reading this and other forums, the conclusion was this Backdoor MBR virus. I also remember seeing something suspicious at the time of infection (a rogue "10bb.tmp" file in my temporary directory, and a flashing of my desktop) that my AV software didn't react to - this was because my AV software wasn't set to check TMP files! Since remedied! The answer was simple. As advised in this and other forums, simply boot to the repair console with the XP install disk, and at the command prompt, type FIXMBR. After that I was able to delete the HELPASSISTANT directory, disable (and keep disabled!) the HELPASSISTANT user, and delete the following 2 files: C:\WINDOWS\Temp\$$$dq3e C:\WINDOWS\Temp\$67we.$ (you will have to set to display ALL FILES to view these). Job done! Now the virus is gone, disk space is saved, remote admin/keylogging removed, and my laptop goes to standby again. I hate viruses. And I hate those that create them! If only they were infected by a human ROOT virus right in the depths of their bodies that infests away until their end.
April 17th, 2010 7:04pm

Well jimimaseye, I wish you had come along a little sooner, and maybe I would have tried your way. I did boot to the recovery console so that part was successful, but then here come all these warnings about messing up the MBR on a Dell computer with partitions. I backed out of the recovery console to try to find more info. I never could get an answer I understood on whether the simple fixmbr would work on said Dell. And other folks, including the folks helping me at bleepingcomputer.com, were convinced that one can never be sure that a backdoor keylogger is gone even with the fixmbr fix. This last question is the one that made me decide to just wipe and reinstall. Recovering from that is going well so far, easier than I expected. Folks need to see a plan to deal with helpassistant, so thanks for sharing your success story. Maybe next time. Myr
April 17th, 2010 9:16pm

Hi Myr, Indeed. Sorry I wasn't able to bring something to you sooner. (That said, if I was able to then it means I would have already had this virus at an earlier time and maybe I wouldn't have been so fortunate to have found my answer so easily. So then again.....) For what it's worth, this isn't the first time I have had to 'experiment' (based on suggestion and forum answers) with FIXMBR. I can tell you that I have 2 separate partitions on my hard drive (the other being a Linux EXT3 partition) AND..., get this,... the MBR of my hard drive actually contained a LINUX boot manager ('grub') and not the default Windows one. And still it was infected by this poxy Windows attack. It is true that when you run FIXMBR it will always warn you, warn you again, frighten you if you ignore the warnings and then convince you that you are about to make the biggest mistake of your life in running FIXMBR. But having run it several times, on several machines, at different times and in the main ALWAYS having more than one partition of various formats on the hard drive, I have not yet fallen foul of the devil that the warnings advise you of. It always just....worked.... without a problem. It is true that in my case it does wipe out my (Linux) boot manager (as it does wipe the MBR and rewrite it with the Windows version) and consequently when I switch on it goes STRAIGHT to XP without offering my OS choices. But this is a minor discomfort remedied by a simple reload of the boot manager software. It's worth noting that Microsoft (and others) actually advise running FIXMBR for people that WANT to remove 3rd-party boot managers (people such as I who maybe have had and want to remove a Linux OS). It doesn't kill the partition, just the reference to it at boot time. I believe that disk-management software will still see the (untouched) partition as it has always been.
I do acknowledge that this was the first (and only, and hopefully the LAST) experience of an MBR-based virus I have had to deal with and maybe this one was relatively easy to fix. Maybe the ease of my experience does not necessarily apply to all MBR-based viruses. But for sure I won't shy away from running FIXMBR if that is the advice given in these situations. By the way, going slightly off-note, I know that sometimes these viruses will claim to leave your hard drive unusable and many people then throw them away. I do remember downloading a small executable once called WIPE.EXE that simply writes to your hard drive a series of zeros starting at the very first byte/sector/cluster including (and therefore completely wiping over) the MBR and everything on the disk, effectively wiping it of anything that exists on it. Used it once and it does exactly what it says. Very simple tiny program. I have now changed my main user account to that of a LIMITED ACCOUNT type (as I should have done at the start) to help prevent these viruses in the future. Hopefully this will eliminate my infections (although I do consider myself quite a careful and conscientious user in avoiding such things). But I can tell that there is a reason I loaded Linux on my laptop. And avoiding these attacks was the VERY reason! (Unfortunately I have to venture into Windows occasionally). Just some knowledge that may help people save their hard drive before they throw it away unnecessarily.
April 18th, 2010 4:51pm

People, just for those who are seeking a remedy, there is further information for you. I have noticed (and searches confirm) that I have had 4 exceptions appear in my Windows Firewall, all under the name "SERVICES". They simply point to opening a TCP port and these four ports seem random. So you may wish to delete these exceptions as well as part of your recovery.
April 18th, 2010 7:58pm

Hey jimimaseye, About those services exceptions opening ports...my firewall always showed 4 services exceptions and the ports were the same as spacejunkie1's - Services TCP Ports 65533, 52344, 3246, 2479. For the entire 5 weeks that I fought this trojan, I had to delete those exceptions with exactly the same ports every time I rebooted my computer even when it was disconnected from the internet and when the help assistant folder had been deleted and the firewall was set to allow no exceptions. I hope your exceptions aren't continuing to appear. Just for info for others, the helpassistant folder was always easy to delete for me -- it set itself up twice under my watch and once under the computer shop's where I took my computer to be wiped. If I didn't leave the computer connected to the cable modem and always shut down the 4 exceptions first thing, then the helpassistant folder wouldn't reappear -- my observation, anyway -- and I could at least use the computer and save its files, etc. I'm still paranoid and checking my wiped and reinstalled computer for those exceptions and the helpassistant folder, but no sign of it. I didn't throw away my harddrive, just had it wiped. Thus the paranoia. Btw...amen to your pox on the slimeball that created this thing. Myr
April 18th, 2010 9:06pm

It's possible the port numbers are the same for me but I didn't REALLY take note. Maybe not random but hard-coded into the virus setup. Anyways, I believe that with the MBR wiped and the 2 files out of the temp directory gone, the virus is essentially 'booted' (no pun intended). The deletion of the helpassistant folder and exceptions would then be final. I have to say that I am glad and fortunate that I am behind a NAT router/firewall in that even though the exceptions appeared in my Windows Firewall, the uninvited access wouldn't get through that to steal my PC or its information (at least I HOPE!). After all, that was the point of the virus. If you want to continue your paranoia, I suggest, having had the virus for 5 weeks, you should review and change all of your online logins and passwords.
April 19th, 2010 11:21am

Hi Myrmyd, The ports you mention, 65533, 52344, 3246, 2479, are the ports associated with the Mebroot virus/trojan. And I thought you were taking your infected PC to a computer shop to remove the virus. If you haven't done that then do try to boot into the recovery console and run the FIXMBR command. And then run the tools to remove the Mebroot virus. Hope this helps.
May 6th, 2010 6:52pm
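The indicators the thread converges on (the four "Services" TCP port exceptions, the HelpAssistant account coming back to an enabled state) can be checked from command output rather than by eye each reboot. The script below is an added example, not code from any poster or vendor; it assumes the column layout of `netsh firewall show portopening` and the "Account active" line of `net user HelpAssistant` on XP, and the sample inputs are constructed to match that layout.

```python
import re

# TCP ports the thread's posters saw on the rogue "Services" exceptions.
MEBROOT_PORTS = {65533, 52344, 3246, 2479}

# Constructed sample, shaped like `netsh firewall show portopening` output on XP.
SAMPLE_PORTOPENING = """\
Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
3389   TCP       Enable   Remote Desktop
65533  TCP       Enable   Services
52344  TCP       Enable   Services
3246   TCP       Enable   Services
2479   TCP       Enable   Services
"""

# Constructed sample, shaped like the relevant lines of `net user HelpAssistant`.
SAMPLE_NET_USER = """\
User name                    HelpAssistant
Account active               Yes
"""

def parse_portopening(text):
    """Return (port, protocol, enabled, name) tuples from the netsh table."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(.+?)\s*$", line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3) == "Enable", m.group(4)))
    return rows

def suspicious_exceptions(rows):
    """Enabled exceptions on the thread's ports, or carrying the bare name 'Services'."""
    return [r for r in rows
            if r[2] and (r[0] in MEBROOT_PORTS or r[3].lower() == "services")]

def helpassistant_active(net_user_text):
    """True when `net user HelpAssistant` reports the account as active."""
    m = re.search(r"Account active\s+(Yes|No)", net_user_text)
    return m is not None and m.group(1) == "Yes"

def assess(portopening_text, net_user_text):
    """Collect findings; an empty list means none of the thread's indicators matched."""
    rows = parse_portopening(portopening_text)
    findings = [f"rogue exception: TCP {p} ({n})" for p, _, _, n in suspicious_exceptions(rows)]
    if helpassistant_active(net_user_text):
        findings.append("HelpAssistant account is enabled")
    return findings
```

On a live XP box, feed the real output of the two commands into `assess()`; a non-empty result after a reboot with the network cable unplugged is the same sign Myr describes above.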
