How do I get remote desktop to stop turning itself on? I've unchecked the box that says "Allow users to connect remotely to this computer" and I restart.... then the box is checked again. I have a windows xp pro desktop, it isn't on a network or anything. How do I get it so the box is always unchecked? Thank you. http://i39.tinypic.com/2w5oqk2.jpg1 person needs an answerI do too

Anyone have any ideas? Thank you.

Hi You may be affected by the HELPASISTANT virus. See this thread, read and dothe checks. (Search for my name 'jimimaseye' which will take you straight to easy-to-follow story where you can indentify it yourself): http://social.answers.microsoft.com/Forums/en-US/xpsecurity/thread/41c1d91e-a661-4209-9641-7e352822fecb

Hello, thanks for your reply! I'm not sure if I have the helpassistant virus or not. I read all of the topics that led to one another that talk about it, how to get rid of it, etc. The only thing I've noticed with my computer is the "Allows users to connect remotely to this computer" keep rechecking itself. As for my firewall.... I use norton 360 permier edition. In my windows firewall I have not noticed any random numbers, exceptions or anything like that. The only thing I wonder about for exceptions is Apache HTTP Server, but I guess that has something to do with nvidia, which has to do with my graphics card. As for the Help Assistant user account, I deleted it when I reinstalled the operating system.... it has not recreated itself. The only random file I've found is a file on my C drive... named ".rnd" which is exactly 1kb which was created Tuesday, April 20th, 2010 at 2:14am. I'm not sure what it's for... any ideas? As for my computer making churning sounds or any of that.... I don't have any problems. But just to make sure I looked the topics over, and ran the tools, and generated the logs. The tool mbr.exe couldn't find a helpassist user account. And gmer says it has found a system modification which may have been caused by rootkit activity. So I tried doing the whole "fixmbr" thing.... what happened was I ran into an error. I turned off my computer, and while it was restarting it gave me a list of options... I selected the Microsoft Windows Recovery Console thing... and it was loading.... then my computer bluescreened. The bluescreen error message I got was... PROCESS1_INITIALIZATION_FAILED STOP: 0X0000006B (0XC000003A, 0X00000002, 0X00000000, 0X00000000) How can I redo my mbt, if I can't open the microsoft windows recovery console? I used a program to install it... because I didn't have it installed before. I'm not sure which program, but it was one of the ones mentioned in one of the topics... combofix installed it or something. Was I supposed to insert a system disc or anything while running the recovery console? Because I didn't. But anyways microsoft windows recovery console will not open, it bluescreens, I tried it twice. What do I do now? Thanks.

Well... First of all my friend I will tell you that I personally am no more qualified than you, but I will share with you what knowledge I know for sure. (I learn from dabbling, and I share because I rely on others sharing with me). Ill not claim or preach anything that I am guessing at as it doesnt necessary help. Facts only. First, a simple manual check regarding the help assistant virus: 1, From the desktop, RIGHT-CLICK on 'My Computer' and select 'Management' 2, Select 'Users and Groups' 3, On the right, double-click 'USERS' 4, You may see a user called 'HELPASSISTANT'. If you do, double click to open it. This account SHOULD BE 'disabled'. !! IF IT IS NOT DISABLED, THEN YOU MAY HAVE A PROBLEM !! Continue,....... Next, Close all windows and continue here: 5, Double-click on 'MY COMPUTER' 6, Open C: 7, Open 'DOCUMENTS AND SETTINGS' 8, At the top, click 'TOOLS', and select 'FOLDERS OPTIONS'. Then select the 'VIEW' tab. 9, Ensure to click 'Show All Files and Folders'. Then click OK. Then UNTICK "Hide Protected System files (recommended) " 10, Now you should see various 'user' folders including some hidden ones called 'LocalService' and 'NetworkService'. !! IF YOU SEE "HELP ASSISTANT " THEN YOU HAVE A PROBLEM !! There are other symptoms too. For example the 4 ports opened in firewall exceptions and the 2 files: C:\WINDOWS\Temp\$$$dq3e C:\WINDOWS\Temp\$67we.$ If you see any of them then you MAY have a problem that for sure will require further work. My personal remedy was listed in the forum posting (above, link already supplied). In my opinion, though, irrespective of whether you find evidence of this particular 'HelpAssistant MBR' virus, I personally think from what youve said that there is definite sinister symptoms that something [else] may exist. Honestly, my advice would be at least to stop using this PC for anything that you dont want the world to know or see (work as if all browsing, passwords etc are all open and viewable). At least until you can be SURE, and then DOUBLY-SURE that you have no problems (that cant be explained) By the way, even though I evidently had a virus, my AV software didnt detect it even when I was looking at it in action. Thats the 'beauty' (ahem!....not sure if the word is right) about ROOTKITS - they can change/hide the appearance of files and can be invisible. And MBR viruses are loaded even before your PC knows of operating systems on your harddrive, yet alone rely on them. Regarding the Recovery Console... you can access this from a Windows Install Disk (note, my experience is ONLY with Win XP. I know nothing of any OS more recent). Insert the disk into CDROM, boot from CDROM, and during the Windows Setup (blue screen) and after the RAID/ SCSI Driver request (if I remember), it will tell you that you can press R to go to repair (or continue with install). From there it will take you through to the recovery console. (You WILL need the 'Administrator' account password). As its booting from the original official CD (unaffected by any virus or 'combofix' program), I would expect it to load and not crash. Of course from here you may be able to then run the FIXMBR. Now this: "The only thing I wonder about for exceptions is Apache HTTP Server, but I guess that has something to do with nvidia, which has to do with my graphics card. " Worrying! Apache HTTP server is a web server allowing http connections INTO your PC. If yo havent set it up (which I am guessing you havent as you dont know what it is) then its rogue and very worrying. (For sure its nothing to do with nvidia). Whats more I think Apache Servers are linux/unix based servers anyway. So the fact yo have a firewall exception for it listed in your windows machine really rings alarms to me. In any case, delete the exception. "*.RND" - dont know what this is. Sorry. Thats it for now. Im interested to see how you get on.

Hi, I have Windows XP Home, and just wanted to remark here that I've had similar virus invasion. I finally found the "hidden" folder, within the HelpAssistant folder, that had copied my entire User Profile into it. I just deleted the whole thing. There are several HKEY additions and changes, that Malwarebytes detected and removed, and now I'm finding more and more little "mystery" items, like in HKEY/Software/Microsoft/Windows/CurrentVersion/Explorer/ShellExecuteHooks. I think this is malware, but don't know for sure and not being detected by AV, so I haven't deleted it from the Registry yet. Plus, I don't want to directly mess with the Registry either. I'm being attacked by so many viruses, and AV is blocking most of them, yet another 4 quarantined today. Windows Shell Execute Hooks is being "allowed" at startup, and I don't know if that is good or not! The more I search, the more I find. I have McAfee Internet Security with my at&t ISP. I also found folders called "ZFSendToTarget" and "MAPIMAIL", created on the same day and time as the other malware. Ever heard of them? Meanwhile, after all this work, my computer isn't working any better. I've freed up lots of HD space, after deleter the malware User, but still insanely slow browsing, Windows Explorer errors, IE hanging up, very, very long hang on any login pages. My Yahoo login page looks different as well, wider & font changed. Yes, I've stopped going into my online banking or anything sensitive for now. Do you have any suggestions for my system? I'd sure appreciate it. Thx, Suzanne

The HELPASSISTANT user is disabled on my computer, and I've been checking it randomly... and it has been staying disabled, I have not had any problems with it enabling itself. I do not have any randomly named files that you described in my C:\WINDOWS\Temp folder I deleted the Apache HTTP Server exception from my windows firewall AND my norton program rules (yes it was in there also) So if the Apache HTTP Server thing tries to connect to the internet again, I will at least be alerted. As for the .RND file I have that is 1kb that is on my C drive.... does anyone have any idea on what that is? As for now I'm going to do the Recovery Console thing you mentioned jimimaseye. I get on the internet via wifi, so of course my computer is more vulnerable to random things happening :P

I have started a topic at Bleeping Computer.... http://www.bleepingcomputer.com/forums/topic312176.html My computer is having more issues than what I knew of. So hopefully they can let me know how to fix it. I thank everyone for their help... and if you have any ideas, please let me know, thanks.

Suzanne In my opinion it sounds like you have been hammered by viruses (plural!) that with all the will in the world is going to be a nightmare to remove. If your AV software isnt detecting it then it would seem you are beyond the conventional help as the virus will probably either installed itself via as a 'rootkit' (stealthing itself from visibility to windows) or has already overtaken your AV software. If you want to take on and remove the HELPASSISTANT virus then read my posting (referenced earlier in this thread), but I think its pointless as it seems by te MAPIMAIL folder (and others) your machine may now be a zombie and sending email scams out too (suggesting more than 1 virus at work). My advice would be as follows (one or more may apply): A, attempt to clear it manually: Try using the ONLINE 'stinger' type detectors from the AV providers like Sophos, McAfee, Symantec etc. These programs are not installed onto your PC (they are web-based or downloaded as an single executable) and therefore are less susceptible to being modified by the virus. Visits the websites individually and search for the equivalent programs (I know McAfee program is called 'Stinger'). Alternatively, as 'thatguyep101' has done, go to bleepingcomputer.com and log your problem on there. From what Ive seen if you do manage to get help they are quite thorough and will guide you through methodically. B, Accept defeat and go for the sledge hammer approach that is wipe your disk and reinstall. For sure this would be the simplest approach but it is more draconian (losing files and installed programs all that will need reloading afterwards); however in the long run, despite it taking 3 or 4 hours or so, it could also be quicker than taking on the virus cleanup with software. If you are to do this, make sure that you wipe your MBR sector of your harddrive (see earlier comments on this thread on how to do this) as well as format your partition (formatting partition alone will not be enough if you have an MBR virus - you will just get it back after youve reinstalled windows). Let us know how you get on. thatguyep101 You eat me too it as I was going to suggest you try the bleepingcomputer route to see what they say. Having just read what yo have logged with them, I also think you have something more than just the HELPASSISTANT virus (which I think you may have got rid of now). I hope you get an answer (I too logged a question with them and got no answer), and if so let us know how you get on. As far as the .RND file goes: try renaming it and then see if it comes back another time. Also, why not download processexplorer (google it or find it on microsoft website, from sysinternals) and when you run that you can do a search of your processes for the file and see if there is any process using it. That may give you a clue where to go too. I would.

I have deleted the ".rnd" file on my C drive. And I posted a topic at Bleeping Computer, and am waiting for them to help me. http://www.bleepingcomputer.com/forums/topic312417.html They mentioned that I not have topics requesting assistance on different sites. So I'm going to let them do their thing, and try my best to get these issues resolved. I thank you all for your help, thank you!