Malicious Script HelpCtr.Exe

Grape Crusher

Running WinXP Home

I hope someone will bear with me and read this. It sounds complicated
I guess, but I have tried to pare it down to just a few words and that
just won't work. And if anyone has a better idea than reformatting and
reinstalling I would be SO grateful for the advice.

Problem began with a sudden drastic decline in dial-up connection
speed. Initially blamed my ISP, pretty much cursed them out over a
couple of days. (I have since apologized!)

After updating VirusScan and SpyBot, which I routinely do anyway, and
finding no problems there, I started the modem troubleshooter. Should
have begun there. Several pages into the troubleshooter I get a
Norton Warning Window saying there is a Malicious Script HelpCtr.Exe and
recommending that I block it. It does not offer to quarantine it. I
delete it. It has no effect.

I have script blocking on as a default, but it appears not to have
caught this.

I do a search on the file name. I come up with 3 exact matches, and
one additional match with an extended string following the extension.
They are as follows:

helpctr.exe in C:\WINDOWS\$NtServicePackUninstall$ Aug/18/2001

helpctr.exe in C:\WINDOWS\ServicePackFiles\i386 Aug/29/2002

helpctr.exe in C:\WINDOWS\PCHEALTH\HELPCTR\binaries Aug/29/2002

HELPCTR.EXE-0BD5B31B.pf in C:\WINDOWS\prefetch Current date

All capitals are exactly as shown in the search result window.

The first three files appear to be legitimate. Their age and the
properties screen which says Microsoft is the origin lead me to
believe they are legitimate.

So I assumed the last one, with the long string followed by .pf, was
the culprit. So I deleted it. No effect. If I disconnect and
reconnect, it is at the same low speed, and the troubleshooter finds
the script again. Rebooting does the same thing. Went through this
several times. Same result (non-result?)

(I also deleted ALL of them at one time. I got warnings of possible
instability, which I ignored, but doing so immediately affected
everything! From mouse clicks to keyboard function! So I restored them
and rebooted!)

Obviously (to me) something unknown is regenerating this file! It is
this I must find! Anyone having a clue what is causing this?

In the last 2 days some other odd things have occurred which I will
not detail here, but it leads me to logically assume that whatever is
invading my system has more nasty things to do than just slowing down
my internet connection.

I did a search on Google/groups and there are literally thousands of
entries dealing with problems with HelpCtr.exe, all of them seemingly
affecting a different aspect of Windows. Some can't print, some can't
network, and on and on.

Looked it up on Symantec's page, got three hits, none of which related
in any way to my situation.

(And Norton, BTW, no longer supports a TWO YEAR OLD version of
AntiVirus. And even if you qualify for support they do not offer
support to get rid of a problem. Only support is for installation and
general use of the program. Have used Norton for 10 years. Never
again. End of rant)

The basic support from Dell is to back up data, reformat and
reinstall. I'm at the point that I might be willing to do it, BUT here's
at least one problem with that: if something is generating this
malicious script, how am I to determine what is safe to back up and what
is not? Just backing it all up does not make any sense to me.

I hope I have not lost your interest by going on too long and that all
of this makes some sense.

Hopefully

Grape Crusher

Karl Levinson [x y] mvp

> After updating VirusScan and SpyBot, which I routinely do anyway, and
> finding no problems there, I started the modem troubleshooter. Should
> have begun there. Several pages into the troubleshooter I get a
> Norton Warning Window saying there is a Malicious Script HelpCtr.Exe and
> recommending that I block it. It does not offer to quarantine it. I
> delete it. It has no effect.

If it was really malicious, it should have given you an exact virus name,
which you should have written down and then given to us and also looked up
in the virus database at www.sarc.com OR, if it gave no virus name, and
you have heuristics enabled in your NAV, then it is possible that it was a
false alarm, or a new virus that you should have submitted to Symantec so
that they could tell you what if anything it was and so that others might
not become infected with it, if it was something malicious.

If it really found malicious script in an .EXE file, then that makes me
suspect a false alarm. If Symantec can't resolve it for you, you might have
to exclude helpctr*.* or *.pf or the prefetch folder from being scanned,
especially in the on-access portion of NAV. I could be wrong, but AFAIK NAV
should not be looking for script in EXE files and is only doing so because
the Win XP prefetch feature has renamed the .EXE to .PF.

> HELPCTR.EXE-0BD5B31B.pf in C:\WINDOWS\prefetch Current date
>
> So I assumed the last one, with the long string followed by .pf, was
> the culprit. So I deleted it. No effect. If I disconnect and
> reconnect, it is at the same low speed, and the troubleshooter finds
> the script again. Rebooting does the same thing. Went through this
> several times. Same result (non-result?)

Windows XP is regenerating the file to speed up booting the system. There is
insufficient evidence here that this is anything malicious or is the cause
of your slow Internet speed. Googling for "windows prefetch" gives this:

http://www.prabhums.org/weblogs/?postid=70
http://www.google.com/search?q=windows+prefetch

For any question about whether there is an antivirus false alarm or an
actual virus, submit the file to one or more antivirus companies [in case it
is a brand new virus or malware that is not caught by antivirus] and also
run a second opinion scan from a different antivirus product, such as by
going to http://housecall.antivirus.com or others.

> (And Norton, BTW, no longer supports a TWO YEAR OLD version of
> AntiVirus. And even if you qualify for support they do not offer
> support to get rid of a problem. Only support is for installation and
> general use of the program. Have used Norton for 10 years. Never
> again. End of rant)

I don't find this so objectionable or unusual compared to other antivirus
companies. AV software becomes obsolete when new virus types come out that
require a major engine upgrade to be able to detect them. If your AV is so
old that it can't detect new viruses, that causes expensive support problems
for the manufacturer. You really shouldn't expect good results from a two
year old AV engine. Every AV company I know of charges money for phone help
removing viruses, and rightly so, since there are plenty of free support
sites and discussion groups like this one out there. Also, paying $25 for
antivirus software should not entitle you to several years' worth of
unlimited phone support for removing viruses. They would go broke very
quickly, especially with some people continuing to get infected again and
again due to user error and not updating.

I advise using the AV that works best for you... especially since I believe
other AV companies provide more or less the same support as [if not worse
than] Symantec. You might switch to www.grisoft.com which is free antivirus,
but support is not free.

Last, note that Microsoft does offer free phone support to anyone for
dealing with viruses. Not sure how good the support is or whether they
would have been able to correctly diagnose a false alarm however.
866-PC-SAFETY
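The distinction drawn in the reply above, that HELPCTR.EXE-0BD5B31B.pf is Windows' own prefetch trace for helpctr.exe, regenerated each time the program runs, and not a renamed copy of the executable, can be checked on the file itself rather than taken on faith. The following is an added example, not code posted by anyone in this thread: it classifies a file by its magic bytes instead of its name, reads the executable name, path hash, run count and last-run time out of an XP prefetch header, checks that the on-disk name matches what the header says, and groups byte-identical copies of a binary by SHA-256. Assumptions: the header offsets are the publicly documented ones for prefetch versions 17 (Windows XP/2003) and 23 (Vista/7); the sample prefetch file and the three "copies" of helpctr.exe are constructed here for the example; only the name HELPCTR.EXE and the hash 0BD5B31B are taken from the search result quoted in the thread.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Prefetch version -> (offset of last-run FILETIME, offset of run count).
# Documented layout for version 17 (XP/2003) and 23 (Vista/7); other
# versions move these fields and are rejected below rather than guessed.
RUN_FIELDS = {0x11: (0x78, 0x90), 0x17: (0x80, 0x98)}

def classify(data: bytes) -> str:
    """Classify by magic bytes, not by file name. An executable starts
    with 'MZ'; an uncompressed prefetch trace has 'SCCA' at offset 4;
    Windows 10 stores prefetch files compressed behind a 'MAM' header."""
    if data[:2] == b"MZ":
        return "pe"
    if data[4:8] == b"SCCA":
        return "prefetch"
    if data[:3] == b"MAM":
        return "prefetch-compressed"
    return "unknown"

def filetime_to_datetime(ft: int) -> datetime:
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    # Integer arithmetic: the tick count exceeds what a float keeps exactly.
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_prefetch(data: bytes) -> dict:
    """Read the fields shared by all versions (name, hash) plus the
    version-dependent run count and last-run time."""
    if data[4:8] != b"SCCA":
        raise ValueError("not an uncompressed prefetch file")
    version = struct.unpack_from("<I", data, 0x00)[0]
    if version not in RUN_FIELDS:
        raise ValueError(f"unsupported prefetch version {version:#x}")
    # 60 bytes of NUL-padded UTF-16LE at 0x10 hold the executable name.
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_run_off, run_count_off = RUN_FIELDS[version]
    last_run = struct.unpack_from("<Q", data, last_run_off)[0]
    run_count = struct.unpack_from("<I", data, run_count_off)[0]
    return {
        "version": version,
        "exe_name": exe_name,
        "hash": f"{path_hash:08X}",
        # The on-disk name NAME-HASH.pf is derived from these two fields.
        "expected_filename": f"{exe_name}-{path_hash:08X}.pf",
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run),
    }

def filename_matches_header(filename: str, data: bytes) -> bool:
    # A .pf whose name disagrees with its own header deserves a closer look.
    return filename.upper() == parse_prefetch(data)["expected_filename"].upper()

def group_identical(files: dict) -> dict:
    """Map SHA-256 -> sorted paths, so you can see which copies of a
    binary on the disk are byte-for-byte the same."""
    groups = {}
    for path, data in files.items():
        groups.setdefault(hashlib.sha256(data).hexdigest(), []).append(path)
    return {digest: sorted(paths) for digest, paths in groups.items()}

def build_xp_prefetch(exe_name: str, path_hash: int, run_count: int, last_run: datetime) -> bytes:
    """Constructed sample: a version-17 header with the documented fields
    filled in and everything else zero. Not a real prefetch file."""
    buf = bytearray(0x98)
    struct.pack_into("<I4sII", buf, 0x00, 0x11, b"SCCA", 0x0F, len(buf))
    name = exe_name.encode("utf-16-le")[:58]
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<Q", buf, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x90, run_count)
    return bytes(buf)

# Constructed inputs: the name and hash come from the thread, nothing else does.
SAMPLE_LAST_RUN = datetime(2003, 10, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_PF = build_xp_prefetch("HELPCTR.EXE", 0x0BD5B31B, 4, SAMPLE_LAST_RUN)
SAMPLE_COPIES = {  # stand-ins for the three helpctr.exe copies, not real binaries
    r"C:\WINDOWS\$NtServicePackUninstall$\helpctr.exe": b"MZ\x90\x00rtm-build",
    r"C:\WINDOWS\ServicePackFiles\i386\helpctr.exe": b"MZ\x90\x00sp1-build",
    r"C:\WINDOWS\PCHEALTH\HELPCTR\binaries\helpctr.exe": b"MZ\x90\x00sp1-build",
}

if __name__ == "__main__":
    print(classify(SAMPLE_PF), parse_prefetch(SAMPLE_PF))
    print(filename_matches_header("HELPCTR.EXE-0BD5B31B.pf", SAMPLE_PF))
    for digest, paths in group_identical(SAMPLE_COPIES).items():
        print(digest[:12], paths)
```

Two practical notes. First, the prefetch file is a record of when helpctr.exe last ran and how many times, which is exactly the evidence you want when deciding whether something unexpected is executing on a machine; read it before deleting it or excluding the folder from scanning, because exclusion silences the alert without explaining it. Second, of the three executable copies, the one under $NtServicePackUninstall$ is the pre-service-pack original and is expected to differ from the two 2002 copies, whereas the ServicePackFiles\i386 and PCHEALTH\HELPCTR\binaries copies should hash identically; a difference between those two would be worth explaining.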
 
Doug Knox MS-MVP

Helpctr.exe and other Windows programs make use of scripting to accomplish their tasks. Some of these scripts write to the registry and/or file system, and Norton flags them as potentially harmful. They're not.

Grape Crusher

Thanks for taking the time to respond. Some comments are threaded.

> If it was really malicious, it should have given you an exact virus name,
> which you should have written down and then given to us and also looked up
> in the virus database at www.sarc.com OR, if it gave no virus name, and

I gave what information was available to me.

> you have heuristics enabled in your NAV, then it is possible that it was a
> false alarm, or a new virus that you should have submitted to Symantec so
> that they could tell you what if anything it was and so that others might
> not become infected with it, if it was something malicious.

If Symantec allowed me to submit it I would have. I tried. My version
is not supported. Therefore they won't accept anything referring to
NAV 2002. Further comments on this matter are near the end of this
thread.

> If it really found malicious script in an .EXE file, then that makes me
> suspect a false alarm. If Symantec can't resolve it for you, you might have
> to exclude helpctr*.* or *.pf or the prefetch folder from being scanned,
> especially in the on-access portion of NAV. I could be wrong, but AFAIK NAV
> should not be looking for script in EXE files and is only doing so because
> the Win XP prefetch feature has renamed the .EXE to .PF.

> Windows XP is regenerating the file to speed up booting the system. There is
> insufficient evidence here that this is anything malicious or is the cause
> of your slow Internet speed. Googling for "windows prefetch" gives this:

I have no reason to doubt your conclusion that this is a false alarm,
that my diagnosis is incorrect. I am basically tilting at windmills. I
am definitely not a techie. Just a guy using a computer for basic
stuff and for entertainment. So I must assume you are correct.

However, something is definitely doing something to my computer.

And in some way or another many many people, as evidenced by that
google search I mentioned, are having problems in one way or another
connected to some form of HELPCTR.EXE. That is not to say you are
incorrect. Just that others are in trouble with this too.

The slowdown of connection speed is not due to any hardware problem at
either end.

I have always had a really good phone connection, dating back to the
years when a 14.4 modem was considered to be lightning fast. My
connections have always been near the maximum range for whatever modem
I had at the time. Until this began my typical connection was between
50.6 and 52 kbps. Pretty much optimal speeds.

I've asked the phone company if any sort of failure or work or
anything else might have happened on this line, and my ISP has done
the same. They are a small, independent company that I have used for
about 10 years. I have no reason to doubt them. They have always been
extremely helpful, and also correct when offering solutions to
previous problems. SOMETHING is causing this.

My phone company called me back about 3 hours after my inquiry to
inform me that no work had been done, no damage reported, nothing
whatever had occurred that would affect data transmission.

And some other very odd things are beginning to happen. Like certain
Mouse functions not working in some programs. Like somehow the
information in my User Profile in this software (Forte Agent) somehow
getting changed to gobbledygook.

So if you, or anyone else has some suggestion as to where else I
should look other than this "malicious script", some other possible
cause, I would be grateful.

> http://www.prabhums.org/weblogs/?postid=70
> http://www.google.com/search?q=windows+prefetch
>
> For any question about whether there is an antivirus false alarm or an
> actual virus, submit the file to one or more antivirus companies [in case it
> is a brand new virus or malware that is not caught by antivirus] and also
> run a second opinion scan from a different antivirus product, such as by
> going to http://housecall.antivirus.com or others.

Did that. Negative. But as I write this it occurs to me that I
probably should have disabled NAV before doing it. Hmmm?

It is the following passage of yours that I take exception to. Rather
strong objection.

If Norton had informed me, when asking for subscription renewal, that
support would no longer be available, I would in all likelihood have
upgraded. I had done that in the past, a number of times. But no.
they just took my 20 bucks and ran.

> I don't find this so objectionable or unusual compared to other antivirus
> companies. AV software becomes obsolete when new virus types come out that
> require a major engine upgrade to be able to detect them. If your AV is so
> old that it can't detect new viruses, that causes expensive support problems
> for the manufacturer. You really shouldn't expect good results from a two
> year old AV engine.

Why not? The engine was supposedly upgraded to V2003 some months ago.
My help screen says I have the 2003 engine.

And I bought and paid for this program less than 16 months ago!

> Every AV company I know of charges money for phone help
> removing viruses, and rightly so, since there are plenty of free support
> sites and discussion groups like this one out there. Also, paying $25 for
> antivirus software should not entitle you to several years' worth of
> unlimited phone support for removing viruses.

Did I say phone support, anywhere? Did I say unlimited?

I do not think two years is sufficient time before obsolescence takes
over. And as far as the type of support available, there used to be a
forum on the Symantec site. What little support I had ever needed in
the past, which was minuscule, I was able to get there.

From what I was able to gather in exploring the site prior to seeking
some assistance here, the ONLY support offered is via eMail. I could
find nothing about phone support, paid or otherwise, for any version.
And anything beyond assistance with installation and basic use is
29.95 per incident via eMail. And they do not offer ANY support of any
kind to help a user repair an infected computer.

But my real objection is that I was not informed. They wanted my
subscription fee. No offer of upgrade was made.

I've used NAV for about 10 years. In the past when a version was to
become obsolete, they would ALWAYS inform you of that at subscription
renewal time, and usually offer a discount on the upgrade.

And in the past, for months before the release of a new version I
would be offered "advanced pricing" etc. Not a word from them. I am
definitely on their mailing list, and receive regular bulletins. It
was not for lack of knowing who I was that no offer was received.

I should have been informed that support for my version would no
longer be offered, in addition to asking for subscription renewal.

At minimum this was shitty business practice.

I am very definitely a capitalist, and have no objection to profit. I
do object to such rapid obsolescence. And I definitely object to
devious sales policies. They may have gained a $20 subscription, but
have lost a long time user.

> Last, note that Microsoft does offer free phone support to anyone for
> dealing with viruses. Not sure how good the support is or whether they
> would have been able to correctly diagnose a false alarm however.
> 866-PC-SAFETY

Well this is real news to me. Something free. And from Microsoft! Will
wonders never cease. Thank you for that information.

Please do not take offense at the angry tone of my remarks re:
Symantec. They are not directed at you, and are the result of intense
frustration. I do appreciate that you took the time to respond.

Grape Crusher

Grape Crusher

Thank you for the feedback.

Based on your feedback, and Mr. Levinson's and further searching by
me, I am pretty well convinced that this "malicious Script" is a false
alarm, just an unfortunate coincidence with my actual problem:

My dial-up connection speed has suddenly and drastically reduced, and
I am in a total quandary as to what to do, where else to look. The
slowdown has pretty much ruined my on-line life.

Dell has one basic piece of advice for any and all requests for help:
reinstall the OS. Seems like a far too drastic measure to take.

If you or anyone else has any idea where I might look for a solution
to this problem I would be very grateful.

Thanks again for the feedback.

Grape Crusher