Hi Guys, having a problem. Found a forum on another site talking about it but it's old and no one is responding. Can you take a look? The guy posted a bit of a solution, but I'm looking for more help. My post is at the bottom.
Thanks
See http://www.the-scream.co.uk/forums/showthread.php?t=11604&page=1&pp=15
From the URL above...
Problem-copied and pasted, someone else wrote
------------------------------------------------
I hope someone will bear with me and read this. It sounds complicated
I guess, but I have tried to pare it down to just a few words and that
just won't work. And if anyone has a better idea than reformatting and
reinstalling I would be SO grateful for the advice.
Problem began with a sudden drastic decline in dial-up connection
speed. Initially blamed my ISP, pretty much cursed them out over a
couple of days. (I have since apologized!)
After updating VirusScan and SpyBot, which I routinely do anyway, and
finding no problems there, I started the modem troubleshooter. Should
have begun there. Several pages into the troubleshooter I get a
Norton Warning Window that there is a Malicious Script HelpCtr.Exe and
recommends that I block it. It does not offer to quarantine it. I
delete it. It has no effect.
I have script blocking on as a default, but it appears not to have
caught this.
I do a search on the file name. I come up with 3 exact matches, and
one additional match with an extended string following the extension.
They are as follows:
helpctr.exe in CWINDOWD\$NtServicePackUninstall$ Aug/18/2001
helpctr.exe in CWINDOWS\ServicePackFiles|i386 Aug/29/2002
helpctr.exe in CWINDOWS\PCHEALTH\HELPCTR\binaries Aug/29/2002
HELPCTR.EXE-0BD5B31B.pf in CWINDOWS\prefetch Current date
All capitals are exactly as shown in the search result window.
The first three files appear to be legitimate. Their age and the
properties screen which says Microsoft is the origin lead me to
believe they are legitimate.
So I assumed the last one, with the long string followed by .pf was
the culprit. So I deleted it. No effect. If I disconnect and
reconnect, it is at the same low speed, and the trouble shooter finds
the script again. Rebooting does the same thing. Went through this
several times. Same result (non-result?)
(I also deleted ALL of them at one time, I got warnings of possible
instability which I ignored, but doing so immediately affected
everything! From mouse clicks to keyboard function! So I restored them
and rebooted!)
Obviously (to me) something unknown is regenerating this file! It is
this I must find! Anyone having a clue what is causing this?
In the last 2 days some other odd things have occurred which I will
not detail here, but it leads me to logically assume that whatever is
invading my system has more nasty things to do than just slowing down
my internet connection.
I did a search on Google/groups and there are literally thousands of
entries dealing with problems with HelpCtr.exe, all of them seemingly
affecting a different aspect of Windows. Some can't print. Some can't
network, and on and on.
Looked it up on Symantec's page, got three hits, none of which related
in any way to my situation.
(And Norton, BTW, no longer supports a TWO YEAR OLD version of
AntiVirus. And even if you qualify for support they do not offer
support to get rid of a problem. Only support is for installation and
general use of the program. Have used Norton for 10 years. Never
again. End of rant)
The basic support from Dell is to Back up data, reformat and re
install. I'm at the point that I might be willing to do it BUT here's
at least one problem with that: If something is generating this
malicious script how am I to determine what is safe to backup and what
is not. Just backing it all up does not make any sense to me.
I hope I have not lost your interest by going on too long and that all
of this makes some sense.
-------------------------------------------------
Solution?
--------------------------------------------------------------
Thanks, again, Zero, but our faithful Spybot was correct.
The primary infected key was:
HK_LM:RUN MSConfig CWINDOWS\PCHEALTH\Helpctr\binaries /auto
plus secondary keys pertaining to MSCONFIG32.EXE
I spent hours talking to Microsoft, ensuring it DEFINITELY was not a legitimate auto-heal service, or similar.
I am worried about those weird looking "tools" still on my hard drive.
The key kept regenerating itself after having been deleted in safe mode. Booted into normal mode, then back into safe - the key was back, because another "APP" was calling it.
---------------------------------------------------------------------------------------------
Finally, what I wrote:
------------------------------------------------------------------
P.C Dunder - Thanks for recording your problem so well. I'm having the same problem and can't find any solutions on the web except your last post.
Do you (or anyone) have more details? I don't know exactly what to do from your last post.
Thanks
P.S. This happened right after I downloaded the eDonkey update. (clicked link on eDonkey front page) Installed it and one of my virus-checkers reported something ugly about a backdoor issue from the eDonkey install, so I made sure to click all the 'lock' choices for my security software that asked about eDonkey permissions. Ran updated spybot and nav about 3 times.... nothing found.
Searched helpctr.exe, renamed 2 of them and deleted the pf file. Stopped the service and now I get the infinite popups saying Help & Support can't be found/started.
Thanks
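
Added example, not part of the original posts: the "Solution?" reply quoted above describes a Run value that came back after being deleted. One way to inventory the autorun values, check what each one launches, and see which values are new since the previous run, written in PowerShell; the function name `Get-AutorunEntry` and the baseline file location are assumptions made for this example.

```powershell
# Added example (not from the thread): inventory Run/RunOnce values, check
# what each one launches, and mark values that changed since the last run.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed baseline location; any writable path works.
$baseline = Join-Path $env:TEMP 'autorun-baseline.csv'

function Get-AutorunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Extract the program path from the command line (quoted or bare).
            if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            elseif ($cmd -match '^\s*(.+?\.exe)\b') { $exe = $Matches[1] }
            else { $exe = ($cmd.Trim() -split '\s+')[0] }
            # A Run value should point at a file; a folder or missing path is odd.
            if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
            } else {
                $sig = 'TargetNotAFile'
            }
            [pscustomobject]@{
                Key = $key; Name = $name; Command = $cmd
                Target = $exe; Signature = $sig
            }
        }
    }
}

# Load the previous snapshot, keyed by registry key and value name.
$seen = @{}
if (Test-Path $baseline) {
    Import-Csv $baseline | ForEach-Object { $seen["$($_.Key)|$($_.Name)"] = $_.Command }
}
$report = Get-AutorunEntry | ForEach-Object {
    $id = "$($_.Key)|$($_.Name)"
    if (-not $seen.ContainsKey($id)) { $state = 'New' }
    elseif ($seen[$id] -ne $_.Command) { $state = 'Changed' }
    else { $state = 'Unchanged' }
    $_ | Add-Member -NotePropertyName State -NotePropertyValue $state -PassThru
}
$report | Format-Table Name, State, Signature, Command -AutoSize
$report | Export-Csv $baseline -NoTypeInformation
```

Run it once after deleting the suspect value to record a baseline, then again after a reboot: a value that shows as `New` was written back by something else on the system.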