
Remove HelpAssistant


I posted this topic last week, but it has since been closed, so I'm posting again.

I have a Lenovo N200 0769AUU laptop with Windows XP Professional. Recently, it has been very sluggish and often will stall. I then have to perform a cold boot in order for it to even run, and then it will only run for a while. I've noticed that there is a HelpAssistant user and a user folder as well. I have disabled this user, but the moment I log out and log back in, the HelpAssistant user is available again. Also, I have been trying to load AVG 9.0 on this computer, but I keep receiving an error message. I think this is all connected to the same issue. Any and all help would be appreciated. Thank you!

I received this response:

Check MBR


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x86585418
NDIS: Broadcom NetLink Fast Ethernet -> SendCompleteHandler -> 0x8583e690
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.


C:\Documents and Settings\gbrewer.PALCO\Local Settings\Temporary Internet Files\Content.IE5\6CW38DD7\HAMeb_check[1].exe
Mon 03/15/2010 at 14:34:43.88
Full Name HelpAssistant
Account active Yes
Local Group Memberships *Administrators
~~ Checking profile list ~~
S-1-5-21-1494491169-1871384279-3475444973-1007
%SystemDrive%\Documents and Settings\HelpAssistant.VOAGA.000
S-1-5-21-1494491169-1871384279-3475444973-1010
%SystemDrive%\Documents and Settings\HelpAssistant
~~ Checking for HelpAssistant directories ~~
HelpAssistant
~~ Checking mbr ~~
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86585418]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x86585418
NDIS: Broadcom NetLink Fast Ethernet -> SendCompleteHandler -> 0x8583e690
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
~~ Checking for termsrv32.dll ~~
termsrv32.dll present!
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
~~ EOF ~~

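The check report above packs several independent indicators into one text dump: an enabled HelpAssistant account sitting in Administrators, more than one HelpAssistant profile directory, the MBR detector's verdict, a Terminal Services ServiceDll value that is not the stock DLL, and extra TCP ports opened globally in the XP firewall. The following Python script is an added example, not part of this thread or of the HAMeb_check tool; it parses a report in that format (the two sample reports below are constructed, modelled on the output posted here) and returns a list of findings a responder can triage. It assumes that the genuine Terminal Services DLL on XP is %SystemRoot%\System32\termsrv.dll and that 3389/TCP (Remote Desktop) is the only globally open port expected on this machine.

```python
import re

# Constructed sample, modelled on the HelpAssistant check report posted in this thread
# (account section, profile list, MBR detector verdict, ServiceDll value, firewall ports).
INFECTED_REPORT = r"""
Full Name HelpAssistant
Account active Yes
Local Group Memberships *Administrators
~~ Checking profile list ~~
S-1-5-21-1494491169-1871384279-3475444973-1007
%SystemDrive%\Documents and Settings\HelpAssistant.VOAGA.000
S-1-5-21-1494491169-1871384279-3475444973-1010
%SystemDrive%\Documents and Settings\HelpAssistant
~~ Checking mbr ~~
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
~~ Checking for termsrv32.dll ~~
termsrv32.dll present!
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
~~ EOF ~~
"""

# Constructed sample of what a clean XP machine would report: HelpAssistant disabled,
# the genuine Terminal Services DLL, and only the Remote Desktop port opened.
CLEAN_REPORT = r"""
Full Name HelpAssistant
Account active No
~~ Checking profile list ~~
~~ Checking for termsrv32.dll ~~
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll
~~ Checking firewall ports ~~
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
~~ EOF ~~
"""

# Assumption (not from the thread): the stock Terminal Services service DLL on XP.
LEGIT_TERMSRV_DLL = r"%systemroot%\system32\termsrv.dll"
# Assumption: Remote Desktop on 3389/TCP is the only globally open port we expect.
EXPECTED_PORTS = {(3389, "TCP")}

# Matches the exported firewall value lines: "port:proto"=port:proto:scope:state:label
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\d+:(?:TCP|UDP):[^:]*:(Enabled|Disabled):(.*)$')
PROFILE_PREFIX = "%systemdrive%\\documents and settings\\helpassistant"


def parse_report(text: str) -> dict:
    """Turn one HelpAssistant check report into findings a responder can act on."""
    findings = []
    account_active = False
    is_admin = False
    profiles = []
    open_ports = {}  # (port, proto) -> label; dedupes Domain/Standard profile repeats

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("account active"):
            account_active = low.split()[-1] == "yes"
        elif low.startswith("local group memberships"):
            is_admin = "*administrators" in low
        elif low.startswith(PROFILE_PREFIX):
            profiles.append(line)
        elif low.startswith("servicedll"):
            value = line.split(None, 2)[2]  # "ServiceDll REG_EXPAND_SZ <path>"
            if value.lower() != LEGIT_TERMSRV_DLL:
                findings.append(f"Terminal Services ServiceDll replaced: {value}")
        elif "mbr rootkit infection detected" in low:
            findings.append("MBR rootkit detector reported an infection")
        else:
            m = PORT_RE.match(line)
            if m and m.group(3) == "Enabled":
                open_ports[(int(m.group(1)), m.group(2))] = m.group(4)

    if account_active and is_admin:
        findings.append("HelpAssistant is enabled and a member of Administrators")
    elif account_active:
        findings.append("HelpAssistant is enabled")
    if len(profiles) > 1:
        findings.append(f"{len(profiles)} HelpAssistant profile directories present")
    unexpected = sorted(k for k in open_ports if k not in EXPECTED_PORTS)
    if unexpected:
        findings.append("Unexpected globally open firewall ports: "
                        + ", ".join(f"{p}/{proto}" for p, proto in unexpected))

    return {
        "findings": findings,
        "open_ports": sorted((p, proto, label) for (p, proto), label in open_ports.items()),
        "profiles": profiles,
    }


if __name__ == "__main__":
    for name, report in (("infected", INFECTED_REPORT), ("clean", CLEAN_REPORT)):
        result = parse_report(report)
        print(f"{name}: {len(result['findings'])} finding(s)")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it as-is to see the infected sample produce five findings and the clean sample none. The port map is keyed on (port, protocol) so the same entry listed under both the DomainProfile and standardprofile keys is reported once; the ServiceDll comparison is case-insensitive because REG_EXPAND_SZ paths in these reports vary in casing.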

Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
