"malicious script" involving helpctr.exe & Norton

[Diana Man]

When I went to "start">Help and Support, a window opened
from Norton Antivirus warning me:

"Malicious script detected-HIGH RISK- Your computer is
halted and needs to do something about this script.

Object FileSystem Object
Activity GetFile
File helpctr.exe

Then I can choose one of the four following and press OK:
Stop this script (recommended)
Allow this activity once
Allow the entire script once
Authorize this script

My problem is that I don't know if I should choose to stop
the script. Is the script helpctr.exe? this seems like the
application to activate the HP Help and Support Center
(off-line), inwhich case, would I be making the Help
Center disfunctional or causing another problem ? I know
that sometimes, antivirus programs are on the cautious
side and recognize working scripts as potentially
dangerous and just draw it to your attention. Is
helpctr.exe dangerous? Someone must know what this file
is without me having to read 20 thousand writings which is
what the tech people at Norton have pointed out to do.

I found another community forum here at Microsoft with
someone with a similar problem but in trying to repond,
and sign in, I lost the forum...but not before copying the
response that was given:

question:

On one of my other computers i get a helpctr.exe is a
malicious script and since it said this i couldnt access
the internet, how can i fix this?

response:
"Helpctr.exe and other Windows programs make use of
scripting and of these scripts write to the registry and
Norton Antivirus recognises them as potentially harmful.If
it was really malicious, it should have given
you an exact virus name.
If you have heuristics enabled in your NAV, then it is
possible that it
was a false alarm."


Based on this response, an exact virus name is not given,
so I could be right which would mean that I should choose
to "Authorize this script" and not stop it...but how do I
find out and where is my NAV to find out if my heuistics
is enabled for a "possible" false alarm?

basically my question is:

What should I choose to do? Stop the script as recommended
or Authorize the script to perform in the future?

 

[Diana Man]

see bottom...for add-on

-----Original Message-----
When I went to "start">Help and Support, a window opened
from Norton Antivirus warning me:

"Malicious script detected-HIGH RISK- Your computer is
halted and needs to do something about this script.

Object FileSystem Object
Activity GetFile
File helpctr.exe

Then I can choose one of the four following and press OK:
Stop this script (recommended)
Allow this activity once
Allow the entire script once
Authorize this script

My problem is that I don't know if I should choose to stop
the script. Is the script helpctr.exe? this seems like the
application to activate the HP Help and Support Center
(off-line), inwhich case, would I be making the Help
Center disfunctional or causing another problem ? I know
that sometimes, antivirus programs are on the cautious
side and recognize working scripts as potentially
dangerous and just draw it to your attention. Is
helpctr.exe dangerous? Someone must know what this file
is without me having to read 20 thousand writings which is
what the tech people at Norton have pointed out to do.

I found another community forum here at Microsoft with
someone with a similar problem but in trying to repond,
and sign in, I lost the forum...but not before copying the
response that was given:

question:

response:
"Helpctr.exe and other Windows programs make use of
scripting and of these scripts write to the registry and
Norton Antivirus recognises them as potentially harmful.If
it was really malicious, it should have given
you an exact virus name.
If you have heuristics enabled in your NAV, then it is
possible that it
was a false alarm."


Based on this response, an exact virus name is not given,
so I could be right which would mean that I should choose
to "Authorize this script" and not stop it...but how do I
find out and where is my NAV to find out if my heuistics
is enabled for a "possible" false alarm?

basically my question is:

What should I choose to do? Stop the script as recommended
or Authorize the script to perform in the future?

One thing I failed to mention is that my computer seems to
be operating normally: scans, searches and even connects
with the internet....another reason for thinking that it
is a false alarm....What do you think? thanks, Diana

 

[Diana Man]

"If it was really malicious, it should have given
you an exact virus name. If you have heuristics enabled in
your NAV, then it is possible that it was a false alarm."

Ok, I figured out what this meant NAV=Norton Anti-Virus
(duh...)(in my case it is "Works") So I opened it>chose
Options>Norton Antivirus>click the arrow to the left
of "Auto-Protect">chose Bloodhound>Then it says:


Bloodhound
How to protect against new and unknown viruses
(Checked box) Enable Bloodhound heuristics (recommended)
Highest level of protection
XX Default level of protection (recomended)(checked box)
Lowest level of protection


So, my heuristics are turned on and Norton might be having
a false alarm. Anyone have thought on this?

 

[Jon]

Have a look at the helpctr.exe file in

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries

Right-click it and look at its Properties .. should be approx 724kb in size

If it is then double click it directly.. should start Help Centre or Norton
will object

If Help Centre starts ok then the problem is with the shortcut to Help
Centre (eg an attached script) rather than helpctr.exe itself.

[If it's nowhere near 724kb then you should have other (compressed) copies
of helpctr.exe on your computer which you could perhaps copy across to that
folder location and then decompress ( eg c:\windows\system32\dllcache)) to
replace the current file ]

Jon

 

[Guest]

Does it give you an option to quarantine? If so, why don't you do that and
then submit it to Norton:
http://service1.symantec.com/SUPPOR...88256a110007c1de?OpenDocument&src=bar_sch_nam

 

[Diana Man]

Thanks Jon for answering.
I followed your instructions; the size of helpctr.exe is
723kb. Now, when the original problem happened, the window
for the help center did open along with another window
from Norton about the malicious script. I have had them
open for 3 days trying to figure out if I should stop or
authorize. So, in following you directions, the window was
already open. As you directed, I double clicked on
helpctr.exe and a second help center window opened but it
says: "CANNOT DISPLAY THE PAGE
The page you are trying to view has an incorrect address
and cannot be displayed. Please try another page."

Could it be that the second window cannot open because
there already is one open or is it like you said with the
short cut to helpctr.exe?
Remember, I still have not chosen to stop or authorize ....
Any other thoughts? Thanks, Diana

-----Original Message-----
Have a look at the helpctr.exe file in

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries

Right-click it and look at its Properties .. should be approx 724kb in size

If it is then double click it directly.. should start Help Centre or Norton
will object

If Help Centre starts ok then the problem is with the shortcut to Help
Centre (eg an attached script) rather than helpctr.exe itself.

[If it's nowhere near 724kb then you should have other (compressed) copies
of helpctr.exe on your computer which you could perhaps copy across to that
folder location and then decompress ( eg

c:\windows\system32\dllcache)) to

replace the current file ]

Jon

see bottom...for add-on



One thing I failed to mention is that my computer seems to
be operating normally: scans, searches and even connects
with the internet....another reason for thinking that it
is a false alarm....What do you think? thanks, Diana

.

 

[Guest]

Thanks for answering.
I am only given 4 options and quarantine is not one! I
first directed this problem to Norton Techs but they seem
to be spinning their wheels on this and directing me to a
thousand links to read...maybe this is a microsoft issue
and not a Norton issue......Thanks, again, Diana

 

[Jon]

There are exploits around that can make use of an unpatched verson of
helpctr.exe to say delete files on your hard disk so it's wise to err on the
side of caution.

Leave the Help Centre and Norton Windows open and restart the computer
Start > Turn off > Restart

Then go along to Windows Update and make sure you have all the critical
updates for Windows XP , especially those for the Help Centre.

Retry the shortcut and / or clicking the file directly.


Jon

Thanks Jon for answering.
I followed your instructions; the size of helpctr.exe is
723kb. Now, when the original problem happened, the window
for the help center did open along with another window
from Norton about the malicious script. I have had them
open for 3 days trying to figure out if I should stop or
authorize. So, in following you directions, the window was
already open. As you directed, I double clicked on
helpctr.exe and a second help center window opened but it
says: "CANNOT DISPLAY THE PAGE
The page you are trying to view has an incorrect address
and cannot be displayed. Please try another page."

Could it be that the second window cannot open because
there already is one open or is it like you said with the
short cut to helpctr.exe?
Remember, I still have not chosen to stop or authorize ....
Any other thoughts? Thanks, Diana

-----Original Message-----
Have a look at the helpctr.exe file in

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries

Right-click it and look at its Properties .. should be approx 724kb in size

If it is then double click it directly.. should start Help Centre or Norton
will object

If Help Centre starts ok then the problem is with the shortcut to Help
Centre (eg an attached script) rather than helpctr.exe itself.

[If it's nowhere near 724kb then you should have other (compressed) copies
of helpctr.exe on your computer which you could perhaps copy across to that
folder location and then decompress ( eg

c:\windows\system32\dllcache)) to

replace the current file ]

Jon

see bottom...for add-on

-----Original Message-----
When I went to "start">Help and Support, a window opened
from Norton Antivirus warning me:

"Malicious script detected-HIGH RISK- Your computer is
halted and needs to do something about this script.

Object FileSystem Object
Activity GetFile
File helpctr.exe

Then I can choose one of the four following and press OK:
Stop this script (recommended)
Allow this activity once
Allow the entire script once
Authorize this script

My problem is that I don't know if I should choose to
stop
the script. Is the script helpctr.exe? this seems like
the
application to activate the HP Help and Support Center
(off-line), inwhich case, would I be making the Help
Center disfunctional or causing another problem ? I know
that sometimes, antivirus programs are on the cautious
side and recognize working scripts as potentially
dangerous and just draw it to your attention. Is
helpctr.exe dangerous? Someone must know what this file
is without me having to read 20 thousand writings which
is
what the tech people at Norton have pointed out to do.

I found another community forum here at Microsoft with
someone with a similar problem but in trying to repond,
and sign in, I lost the forum...but not before copying
the
response that was given:

question:
On one of my other computers i get a helpctr.exe is a
malicious script and since it said this i couldnt
access
the internet, how can i fix this?

response:
"Helpctr.exe and other Windows programs make use of
scripting and of these scripts write to the registry and
Norton Antivirus recognises them as potentially
harmful.If
it was really malicious, it should have given
you an exact virus name.
If you have heuristics enabled in your NAV, then it is
possible that it
was a false alarm."


Based on this response, an exact virus name is not given,
so I could be right which would mean that I should choose
to "Authorize this script" and not stop it...but how do I
find out and where is my NAV to find out if my heuistics
is enabled for a "possible" false alarm?

basically my question is:

What should I choose to do? Stop the script as
recommended
or Authorize the script to perform in the future?



One thing I failed to mention is that my computer seems to
be operating normally: scans, searches and even connects
with the internet....another reason for thinking that it
is a false alarm....What do you think? thanks, Diana

.

 

[Jon]

Ran across this link while in another Newsgroup today, which relates to ASP
but may also be relevant to running scripts locally (whether those scripts
are malicious or not)

http://www.aspfaq.com/show.asp?id=2180

ie you may need to turn off the script blocking in Norton to enable
non-malicious scripts to run locally.

Jon

Thanks Jon for answering.
I followed your instructions; the size of helpctr.exe is
723kb. Now, when the original problem happened, the window
for the help center did open along with another window
from Norton about the malicious script. I have had them
open for 3 days trying to figure out if I should stop or
authorize. So, in following you directions, the window was
already open. As you directed, I double clicked on
helpctr.exe and a second help center window opened but it
says: "CANNOT DISPLAY THE PAGE
The page you are trying to view has an incorrect address
and cannot be displayed. Please try another page."

Could it be that the second window cannot open because
there already is one open or is it like you said with the
short cut to helpctr.exe?
Remember, I still have not chosen to stop or authorize ....
Any other thoughts? Thanks, Diana

-----Original Message-----
Have a look at the helpctr.exe file in

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries

Right-click it and look at its Properties .. should be approx 724kb in size

If it is then double click it directly.. should start Help Centre or Norton
will object

If Help Centre starts ok then the problem is with the shortcut to Help
Centre (eg an attached script) rather than helpctr.exe itself.

[If it's nowhere near 724kb then you should have other (compressed) copies
of helpctr.exe on your computer which you could perhaps copy across to that
folder location and then decompress ( eg

c:\windows\system32\dllcache)) to

replace the current file ]

Jon

see bottom...for add-on

-----Original Message-----
When I went to "start">Help and Support, a window opened
from Norton Antivirus warning me:

"Malicious script detected-HIGH RISK- Your computer is
halted and needs to do something about this script.

Object FileSystem Object
Activity GetFile
File helpctr.exe

Then I can choose one of the four following and press OK:
Stop this script (recommended)
Allow this activity once
Allow the entire script once
Authorize this script

My problem is that I don't know if I should choose to
stop
the script. Is the script helpctr.exe? this seems like
the
application to activate the HP Help and Support Center
(off-line), inwhich case, would I be making the Help
Center disfunctional or causing another problem ? I know
that sometimes, antivirus programs are on the cautious
side and recognize working scripts as potentially
dangerous and just draw it to your attention. Is
helpctr.exe dangerous? Someone must know what this file
is without me having to read 20 thousand writings which
is
what the tech people at Norton have pointed out to do.

I found another community forum here at Microsoft with
someone with a similar problem but in trying to repond,
and sign in, I lost the forum...but not before copying
the
response that was given:

question:
On one of my other computers i get a helpctr.exe is a
malicious script and since it said this i couldnt
access
the internet, how can i fix this?

response:
"Helpctr.exe and other Windows programs make use of
scripting and of these scripts write to the registry and
Norton Antivirus recognises them as potentially
harmful.If
it was really malicious, it should have given
you an exact virus name.
If you have heuristics enabled in your NAV, then it is
possible that it
was a false alarm."


Based on this response, an exact virus name is not given,
so I could be right which would mean that I should choose
to "Authorize this script" and not stop it...but how do I
find out and where is my NAV to find out if my heuistics
is enabled for a "possible" false alarm?

basically my question is:

What should I choose to do? Stop the script as
recommended
or Authorize the script to perform in the future?



One thing I failed to mention is that my computer seems to
be operating normally: scans, searches and even connects
with the internet....another reason for thinking that it
is a false alarm....What do you think? thanks, Diana

.