Saturday, February 27, 2010

Dangerous computer virus that mystifies geniuses, helpassistant win32.mebroot.bz, still unresolved

The text below shows what I incorrectly thought was the case when I thought I had this ultra-tough virus beat. Actually, after I restarted once the helpassistant folder was not recreated; then a second restart failed; on the third restart, the help assistant folder had reappeared in C:\Documents and Settings.

Incorrect blog post I made when I thought I had the virus beat:

My computer was attacked by a virus, which installed helpassistant and HelpAssistant.S-COMPUTER folders in C:\Documents and Settings, and enabled the help assistant user (the help assistant user is disabled by default; it can be found through right click on My Computer, Manage, Local Users and Groups, Users). The word on the internet is that the virus is a trojan, the technical name for it being win32.mebroot.bz. It is also called mebroot.

The internet pages that dealt with the subject said: this is one of the worst and most sophisticated viruses ever; it is a virus that has stolen huge amounts of private info, passwords etc from banks; it is an extremely difficult virus to deal with. Many brilliant sounding writers on the internet gave very complex descriptions of how the virus works, without even attempting to provide a solution. I saw three pages of a forum which featured someone trying to coach a victim of the virus through one very complex solution after another to cure the virus, none of which worked (I marvelled at the patience of the victim and his coach). The internet offered many fantastically complicated and dangerous sounding methods for ridding the computer of the virus.

The most common solution was to run the recovery console and then fixmbr. However, opinion was divided as to whether such an action would produce a disastrous result of the loss of data in the computer. The general opinion was that one should be expert before using the recovery console because a mistake could result in a loss of all data in the computer and the need to reinstall the operating system. There were warnings to back up all data before proceeding with the recovery console solution. The two folders the virus created contained multi-gigabyte copies of folders on my computer such as Desktop, My Documents, Favorites, and others. This filled up my computer to the point where it was 99% full. Twice after the virus invaded my computer, the computer operation, while I was viewing the Vancouver 2010 Olympics pages, was interrupted by a scary 'stop error screen' that said:

"A problem has been detected and windows has shut down to prevent damage to your computer.
If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:
Run a system diagnostic utility supplied by your hardware manufacturer. In particular, run a memory check, and check for faulty or mismatched memory. Try changing video adapters.
Disable or remove any newly installed hardware and drivers. Disable or remove any newly installed software. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select advanced startup options, and then select safe mode.
Technical information:STOP: 0x0000007F (0x00000008, 0x80042000, 0x00000000, 0x00000000).
Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance."

The computer became so stuffed with files due to the virus that Disk Cleanup would not function. It seemed the computer being so stuffed with files was causing the 'stop error screen'. Needless to say, the computer getting stuffed with files restricted my ability to add new files to the computer. I had heard that the virus enabled those who controlled it to take control of the entire computer. I was worried that the virus might cause even more problems in the future. I, like most everyone whose computer has been infected by this virus, had a strong desire to get rid of it.

The whole thing was a big pain in the ass because I was afraid that if I simply deleted the copies of folders the virus had made, I might delete something that I would end up sorely missing, something that had been copied with the original removed.

I deleted the helpassistant and helpassistant.s-computer folders. On restart, the helpassistant folder re-appeared. After repeated deletes of this folder, it kept reappearing.

I decided to implement a couple of the simpler and safer methods advised on the internet for dealing with the virus: I disabled the help assistant user previously mentioned as found via right click in my computer, and changed the name of the helpassistant folder and then deleted it. But on restart, the help assistant user had somehow been enabled again, and the helpassistant folder reappeared.

So next I simply deleted the help assistant user in my computer, and again changed the name of the helpassistant folder and deleted it. On restart, to my surprise--success. The helpassistant folder did not reappear, and the help assistant user identity did not reappear in my computer.

Perhaps one reason I was able to succeed was that when the virus first downloaded, I found its exe, because it was suspicious looking, via Windows Defender's Software Explorer, and deleted it. Windows Defender gave the following information on the virus exe:

File Name: ltkpsftav.exe
Display Name: ltkpsftav.exe
Description: Not Available
Publisher: Not Available
Digitally Signed By: NOT SIGNED
File Type: Application
Auto Start: Yes
File Path: C:\Documents and Settings\Owner\Local Settings\Application Data\aniccw\ltkpsftav.exe
File Size: 278784
File Version: Not Available
Date Installed: 2/25/2010 8:12:15 AM
Process ID: 192
User Name: S-COMPUTER\Owner
Classification: Not yet classified
Ships with Operating System: No

The other exe from the same virus that I deleted was:

C:\Documents and Settings\Owner\Local Settings\Temp\FrPx.exe

However, according to the Prevx antivirus program, which, unlike Windows Defender and the trial version of Spyware Doctor, found the virus, the virus is still on my computer at "c:\$mbr.0 [PX5: 99AA2E4B009FF0F80185002040C95900259D9CD1] Malware Group: Rootkit.MBR". Maybe this remnant of the virus will cause a problem; I don't know. But Prevx wants to be paid $35 for the full version before they will delete $mbr.0. The Prevx paid version says it will provide real-time protection against such viruses. As for me, I am now planning on switching to the Google Chrome browser, using it instead of Internet Explorer.
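The fixmbr advice discussed earlier and the Prevx "$mbr.0 ... Rootkit.MBR" finding both point at the same place: the first 512 bytes of the disk, the Master Boot Record. The script below is an added example, not code from the original post and not from Windows, Prevx or any other tool named here. It reads that sector, checks the 0x55AA boot signature, parses the partition table, fingerprints the boot code with SHA-256, and writes a backup copy, so the sector can be restored if fixmbr goes wrong and so a later read can be compared against an earlier one (an MBR bootkit replaces the boot code but keeps the partition table, so the machine still boots). The two sample sectors in the file are constructed for the example, and the device paths mentioned in main() are assumptions. One caveat that matters for this particular family: Mebroot filters reads of the MBR from inside the running Windows and hands back a clean copy, so the check is only meaningful when the disk is read from separate boot media.

```python
"""Added example (not from the original post): inspect, fingerprint and back up
the Master Boot Record before letting fixmbr overwrite it.

The sample sectors below are constructed for the example; the device paths in
main() are assumptions for illustration."""
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the x86 boot code an MBR bootkit replaces
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510        # last two bytes must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, a SHA-256 of the boot code and the partition table."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        boot, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:          # empty slot
            continue
        partitions.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": sector[SIGNATURE_OFF:SECTOR] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(current: bytes, baseline: bytes) -> dict:
    """Flag what changed between a sector read now and an earlier known-good copy.

    A bootkit living in the MBR swaps the boot code but keeps the partition
    table so the system still boots; that combination is the interesting one."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    return {
        "boot_code_changed": cur["boot_code_sha256"] != base["boot_code_sha256"],
        "partition_table_changed": cur["partitions"] != base["partitions"],
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable NTFS-type partition, valid signature."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 16_777_216)       # starts at LBA 63, 8 GiB worth of sectors
    sector[PART_TABLE_OFF:PART_TABLE_OFF + PART_ENTRY_LEN] = entry
    sector[SIGNATURE_OFF:SECTOR] = b"\x55\xAA"
    return bytes(sector)


# Constructed sectors: a "clean" MBR and a copy whose boot code was replaced.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32)
TAMPERED_MBR = build_sample_mbr(b"\xfa\xeb\x10" + b"\xcc" * 40)


def main(argv):
    # Usage: python mbr_check.py <device-or-image> [baseline.bin]
    # Assumed paths: \\.\PhysicalDrive0 (Windows, as Administrator) or /dev/sda
    # (Linux). Read from boot media, not from the infected OS: a kernel-mode
    # rootkit can filter reads of sector 0 and hand back a clean copy.
    if len(argv) < 2:
        print(__doc__)
        return 2
    with open(argv[1], "rb") as f:
        sector = f.read(SECTOR)
    info = parse_mbr(sector)
    with open("mbr_backup.bin", "wb") as out:   # keep this before running fixmbr
        out.write(sector)
    print(f"signature ok: {info['valid_signature']}  boot code sha256: {info['boot_code_sha256']}")
    for p in info["partitions"]:
        print(f"  part {p['index']}: type 0x{p['type']:02x} lba {p['lba_start']} "
              f"sectors {p['sectors']}{' (boot)' if p['bootable'] else ''}")
    if len(argv) > 2:
        with open(argv[2], "rb") as f:
            print(compare_mbr(sector, f.read(SECTOR)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the constructed sectors, compare_mbr(TAMPERED_MBR, CLEAN_MBR) reports the boot code changed and the partition table unchanged, which is the pattern to expect from an MBR bootkit rather than from a damaged disk. The backup file is the thing that makes fixmbr reversible: fixmbr rewrites only the boot code and leaves the partition table alone, so writing the saved sector back restores the previous state if the rewrite does not boot.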

This all seems to be yet another example of how: the internet becomes filled with fantastically overcomplicated solutions to problems; the wise thing to do is to patiently search for simple solutions, and try them, or combinations or modifications of them, before plunging into some very complex or dangerous solution. Seems people, including myself to some extent, tend to become absorbed in the fascinating intellectually challenging details of overly complex solutions, when the wiser thing would be to step back, look at the big picture, and make better decisions regarding which solution should be attempted in the first place.

Regarding those who created this virus, my first reaction was extreme hatred. However in their favor at least it can be said, that the virus did not delete important files and folders, it just copied them.
