cear

Need Help with Log File/ Also "SysHelper" hijack

29 posts in this topic

I'll try to make my explanation clear....it all started when I was trying to get some help at live tech chat from RoadRunner. Every time, something called "SysHelper" would open up and steal my cursor. I couldn't stay in the live chat with RR and type my chat words. I ran Adaware & also Spybot, but that did not get rid of it.

 

SysHelper is then found as an application in TaskManager. Also seems when I end SysHelper, then IEXPLORE.EXE in the processes also leaves. So I was going to delete iexplore.exe, but from doing google search, it sounded like sometimes it is not a trojan but something needful, so I haven't deleted it yet.

 

Then I noticed also in the processes two listings for winhlp32.exe, and after doing a google search, decided it was a trojan. So in Task Manager I tried to end winhlp32.exe, but every time it ends, in just 2 seconds it is right back. I cannot get rid of it.

 

So after hearing about HiJack This, I downloaded and ran it, and here is my log file. I'm wanting to go ahead and let it fix (does it remove??) winhlp32.exe, and also maybe msvcmm32.exe (seems like it was using the cpu at the very same time winhlp32.exe would), but wasn't sure about that. On the google search for msvcmm32.exe it sounds like it might be something connected with Movielink Manager, which I do have that program to watch movies.

 

Anyway, if someone could read my log file and please give me help with what things to let it fix, and especially about winhlp32.exe. Also, if you know ANYTHING about SysHelper, I would GREATLY appreciate it. That is so frustrating, that I cannot get rid of it. Maybe by getting rid of IEXPLORE.EXE, that would remove the SysHelper.

 

Thanks. Here is the log:

 

Logfile of HijackThis v1.97.7

Scan saved at 5:25:09 PM, on 6/15/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\sistray.EXE

C:\WINNT\System32\khooker.exe

C:\WINNT\system32\pctspk.exe

C:\WINNT\system32\msvcmm32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe

C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\Downloaded Program Files\winhlp32.exe

C:\WINNT\Downloaded Program Files\winhlp32.exe

C:\Documents and Settings\millie schmitt\Desktop\HijackThis.exe

C:\WINNT\system32\wuauclt.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing

O1 - Hosts: 64.14.40.138 www.searchalot.com

O1 - Hosts: 64.14.40.138 searchalot.com

O1 - Hosts: 66.218.71.198 yahoo.com

O1 - Hosts: 207.68.173.245 www.hotmail.com

O1 - Hosts: 64.4.44.7 hotmail.com

O1 - Hosts: 205.188.160.120 aol.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [siS Tray] C:\WINNT\System32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINNT\System32\khooker.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe

O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Tray.exe /WNDSTART

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [system check] C:\WINNT\Downloaded Program Files\updater.exe

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=

O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspace.com/Java/cfs40300.cab

O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab

O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} (Street Technologies ActiveX Control Object) - http://www.tutorials.com/plugins/Plugin050...eetnoagent7.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindleaders.com/dpec/shared/cabs/awswaxf.cab

O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/support/chipdetect/SiSAutodetectnt.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab

O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/274efddaefb71642a300/netzip/RdxIE2.cab

O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab

O16 - DPF: {6C31790D-1EDF-4B05-83DC-925B3A8E2318} (Reactivator Class) - http://www.mp3university.com/autoupdater.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://media.memphiszoo.org/AxisCamControl.ocx

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7862.8210648148

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


Hi,

Important! Create a folder via Windows Explorer for HijackThis, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

 

First thing to do is ...

 

Reconfigure Windows Explorer to show Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

 

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", Ok the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

 

Close Windows Explorer.

 

Next:

 

Close all open windows except for HijackThis, then place a check in each of the following:

Then click "Fix checked".

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing

O1 - Hosts: 64.14.40.138 www.searchalot.com

O1 - Hosts: 64.14.40.138 searchalot.com

O1 - Hosts: 66.218.71.198 yahoo.com

O1 - Hosts: 207.68.173.245 www.hotmail.com

O1 - Hosts: 64.4.44.7 hotmail.com

O1 - Hosts: 205.188.160.120 aol.com

O4 - HKLM\..\Run: [system check] C:\WINNT\Downloaded Program Files\updater.exe

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/274efddaefb71642a300/netzip/RdxIE2.cab

O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab

 

Then reboot, on restart, restart in Safe Mode (see "How To" below)

 

Start | Run (type) "%temp%" (no quotes)

Completely delete the entire contents of that "temp" folder.

 

Open Windows Explorer, then locate and delete the following:

 

C:\WINNT\Downloaded Program Files\winhlp32.exe <--this file

C:\WINNT\Downloaded Program Files\updater.exe <--this file

 

Restart normally and then ...

 

Download: SpyBot-Search & Destroy 1.3

http://majorgeeks.com/download2471.html

 

Run a scan, "fix" everything marked in red and reboot.

 

After the above, rescan with HijackThis and post a fresh log ...

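The manual review in the reply above (executables started from the ActiveX download cache, hosts-file redirects, and download code bases served from a bare IP address) can be expressed as a small triage script. This is an added example, not part of the original thread and not HijackThis's own logic; the three rules and their names are assumptions chosen to mirror the entries picked out above, and a flagged line is a candidate for review rather than a verdict.

```python
import re
from urllib.parse import urlparse

# Excerpt of the first HijackThis log posted in this thread (lines copied from the page).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\Downloaded Program Files\winhlp32.exe
C:\Program Files\QuickTime\qttask.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
O1 - Hosts: 64.14.40.138 www.searchalot.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [system check] C:\WINNT\Downloaded Program Files\updater.exe
O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # "O4 - ...", "R0 - ..."
PATH_RE = re.compile(r"^[A-Za-z]:\\")                     # a process path line
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.I)      # full path of an .exe in a command
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
DPF_DIR = "\\downloaded program files\\"                  # ActiveX download cache


def triage(log_text):
    """Return a de-duplicated list of (rule, section, detail) findings."""
    findings, seen = [], set()

    def flag(rule, section, detail):
        key = (rule, section, detail.lower())
        if key not in seen:
            seen.add(key)
            findings.append((rule, section, detail))

    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue  # logs pasted into forums are often double-spaced
        if line.lower().startswith("running processes"):
            in_processes = True
            continue

        entry = ENTRY_RE.match(line)
        if entry:
            in_processes = False
            section, body = entry.groups()
            if section == "O1":
                # Any hosts-file mapping for a public site deserves a look.
                hosts = HOSTS_RE.match(body)
                if hosts:
                    flag("hosts-redirect", section,
                         f"{hosts.group(2)} -> {hosts.group(1)}")
            elif section == "O4":
                # Autostart entry whose executable lives in the ActiveX cache.
                exe = EXE_RE.search(body)
                if exe and DPF_DIR in exe.group(0).lower():
                    flag("exe-in-activex-cache", section, exe.group(0))
            elif section == "O16":
                # Code base served from a bare IPv4 address instead of a host name.
                url = body.rsplit(" - ", 1)[-1].strip()
                host = urlparse(url).hostname or ""
                if IPV4_RE.match(host):
                    flag("codebase-raw-ip", section, url)
        elif in_processes and PATH_RE.match(line):
            # Running process whose image sits in the ActiveX cache.
            low = line.lower()
            if DPF_DIR in low and low.endswith(".exe"):
                flag("exe-in-activex-cache", "process", line)
    return findings


if __name__ == "__main__":
    for rule, section, detail in triage(SAMPLE_LOG):
        print(f"{section:8} {rule:22} {detail}")
```
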

OK! I did everything you said to do -- some things happened along the way so I'll relate those before I post the latest log file for HiJack This.

 

As said I followed your instructions. When I came to checking all the things in HiJack This that you said to check, I did that. But after clicking "Fix checked" I got 2 messages, from Yahoo and AOL. Here is what it said:

 

An unexpected error has occurred at procedure: modMain_FixOther1Item(sItem=O1 - Hosts: 205.188.160.120 aol.com)

Error #70 - Permission denied

 

Please email me at merijn@spywareinfo.com, reporting the following:

* What you were doing when the error occurred

* How you can reproduce the error

 

Windows version: Windows NT 5.00.2195

MSIE version: 6.0.2800.1106

HijackThis version: 1.97.7

 

This message has been copied to your clipboard.

 

As stated, I got the same message from Yahoo when it tried to "fix" the yahoo host thing. (I do have a yahoo email account, don't know if that matters or not.)

 

 

I did delete the C:\WINNT\Downloaded Program Files\winhlp32.exe file -- however, there was another file there called winhelp.exe. I didn't know whether to delete this one too or not, so I just left it. Now after seeing the latest HiJack this scan, I think I should have deleted winhelp.exe also.

 

Anyway, there was no C:\WINNT\Downloaded Program Files\updater.exe file to be found (all this was going on in Safe Mode) in Windows Explorer. I ran a search for this file, but the only thing that turned up was a file called QuickTimeUpdater.exe (144Kb) with the path of C:\Program Files\Quick Time. I started to just go ahead and delete it anyway (the exe file), but message came up saying if I did then Quick Time would not work. So I didn't delete it.

 

After restarting, I downloaded the newer version of Spybot, ran it, "fixed" everything it showed. Then rebooted and ran HiJack This again. So here is the new log:

 

Logfile of HijackThis v1.97.7

Scan saved at 11:10:45 PM, on 6/15/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\sistray.EXE

C:\WINNT\System32\khooker.exe

C:\WINNT\system32\pctspk.exe

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\WINNT\system32\msvcmm32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\Downloaded Program Files\winhlp32.exe

C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe

C:\WINNT\Downloaded Program Files\winhlp32.exe

C:\WINNT\system32\wuauclt.exe

C:\Documents and Settings\millie schmitt\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/

O1 - Hosts: 66.218.71.198 yahoo.com

O1 - Hosts: 205.188.160.120 aol.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [siS Tray] C:\WINNT\System32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINNT\System32\khooker.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe

O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Tray.exe /WNDSTART

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=

O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspace.com/Java/cfs40300.cab

O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab

O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} (Street Technologies ActiveX Control Object) - http://www.tutorials.com/plugins/Plugin050...eetnoagent7.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindleaders.com/dpec/shared/cabs/awswaxf.cab

O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/support/chipdetect/SiSAutodetectnt.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {6C31790D-1EDF-4B05-83DC-925B3A8E2318} (Reactivator Class) - http://www.mp3university.com/autoupdater.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://media.memphiszoo.org/AxisCamControl.ocx

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7862.8210648148

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

 

 

 

I don't understand how some of these files can be back. I took my time and carefully checked everything you said to, and then clicked "Fix check" on that first go round. Are they still on my hard drive (just deleted) but still showing up, is that why it appears? I know you can tell this is the first time I've done something like this. Before I just ran SpyBot and let it go at that.....until all of this trouble appeared. But I did take my time and followed your instructions...that's why it has taken me so long to get back to you (I've gone ever so slowly).

 

Anyway, I appreciate your help. I don't know if you want to keep fooling with this or not. But if you do, all I can say is you have lots of patience, and many thanks to you.

 

Maybe I should have gone ahead and deleted the winhelp.exe file too. Just wasn't sure since you didn't mention that one. All of this has me stumped, don't know why these files are still showing up.


Hi,

I did delete the C:\WINNT\Downloaded Program Files\winhlp32.exe file -- however, there was another file there called winhelp.exe.

It would seem that those 2 files may be related to "mp3university.com" as seen in this thread

 

Start > Search (type) winhlp32.exe

The valid MS file should show up in your Windows (WINNT) folder.

It should have a "Question Mark" type icon.

 

The version that exists in C:\WINNT\Downloaded Program Files is bogus!

 

Start > Search (type) winhlp.exe

The valid MS file should show up in your Windows (WINNT) folder.

It should have a "Question Mark" type icon.

 

The version that exists in C:\WINNT\Downloaded Program Files is bogus!

--

Open Windows Explorer and delete:

C:\WINNT\Downloaded Program Files\winhlp.exe

 

Download: Process Viewer [freeware]

Unzip and run PrcView

Highlight winhlp32.exe, right-click and select: Kill

 

Open Windows Explorer and delete:

C:\WINNT\Downloaded Program Files\winhlp32.exe

 

I would recommend also removing the "mp3university" (see above thread)

 

Next:

Close all open windows except for HijackThis, then place a check in each of the following:

Then click "Fix checked".

 

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe

O16 - DPF: {6C31790D-1EDF-4B05-83DC-925B3A8E2318} (Reactivator Class) - http://www.mp3university.com/autoupdater.cab

 

Note: if you have any trouble with the above, repeat in Safe Mode.

 

Restart normally, rescan with HijackThis and post a fresh log ...


Just as a quick reply, before I do what you stated above:

 

I realize what I deleted was the file winhlp32.exe that was in the WINNT folder. There was no file called winhlp32.exe in the WINNT\Downloaded Program Files. Unless it is going by another name....there were some files in there that were just numbers in the name. But I went over and over the Downloaded Program Files, and there was nothing in there named winhlp32.exe.

 

So I have already deleted from my recycle bin the WINNT folder file called winhlp32.exe. As said before, this is the first time I've done this, and since I didn't see the file in the specific Downloaded Program files folder, I thought this was the correct file. Anyway, hopefully it won't cause any harm to delete this file!!

 

Just wanted to state all of this before going any further. Thanks for your time.


Hi,

what I deleted was the file winhlp32.exe that was in the WINNT folder

Ouch! that's the legit Windows Help file ...

 

Try this: Start > Search (type) winhlp32.exe

Place a check in: "Advanced Options", click Search Now

 

Does the bogus winhelp32 file show up in the "Downloaded Program Files" folder?

If so delete it ... do the same for: "winhlp.exe"

 

Next:

Go to: Microsoft DLL Help Database

(type) winhelp32.exe

It looks like "Version: 5.0.2195.6601" = Windows 2000 SP4

Located in your "\i386" folder, is the file you need to replace. (WINNT folder)


I'm finally home and back to tackling this problem.

 

I just ran the search for winhlp32.exe and got 4 objects. I will list the paths that they show above when I click on them.

 

It says -- In Folder:

 

1) C:\WINDOWS

 

2) C:\WINNT\$NtServicePackUninstall$

 

3) C:\WINNT\ServicePackFiles\i386

 

4) C:\WINNT\system32

 

 

So according to your previous instructions, I don't know which ones to leave and which ones to delete!! And all of them do have the big Question Mark. And I did run the search with the advanced option checked.

 

I also did the search (advanced) for winhlp.exe and it came back with no objects found. I ran the search twice to be sure, and still no file was found.

 

Since it seems I still have possibly a valid winhlp32.exe (out of those four!!), I haven't gone to the Microsoft Help Database to get that file.

 

Also I haven't yet downloaded the Process Viewer -- I'll wait to hear from you which of those four files I should get rid of first.

 

After I hear from you then I'll also get rid of the mp3university thing too.

 

Thanks again so much for this help. I'd sure be lost otherwise.


While I was in the Downloaded Program Files folder, I found the Active X control called Live Collaboration.

 

Its code base is: https://rr.esecurecare.net/rnt/rnl/java/RntX.cab

 

That makes me think this is the control for the RoadRunner live chat (maybe I'm wrong, but the reason I thought it is because RoadRunner's web site of course is rr.com). Anyway, looking at its properties and Dependency, it lists 2 files "upon which Live Collaboration depends." These files are:

 

C:\WINNT\DOWNLOADED...\RNTX.DLL

 

C:\WINNT\DOWNLOADED P...\RNTX.INF

 

(I typed those exactly the way they were listed.)

 

So I ran a search, entered only RNTX.DLL (Search for files and folders). The search could not find that file.

 

I did the same search for RNTX.INF and again the search could not find that file. Also they are not listed in the Downloaded Program File that I can see just by looking (unless they are those files with numbers only for names).

 

This all may not mean anything, I really don't know (by now you know that!!!) But I just wondered if the Live Collaboration depended on those 2 files, and the 2 files are missing ---that seemed strange! And also maybe that is why I cannot have a live chat session with the RoadRunner technical chat room. As I said in my first post, an application called "SysHelper" opens when I start my chat in RR, and it steals my cursor (description in first post). Then the only way to get rid of this SysHelper is to end it in Task Manager.

 

Like I said, maybe these dependent files don't mean anything. I was just curious. And desperate to get rid of that SysHelper.


Hi,

The 4 instances of winhlp32.exe are all valid, no further action needed.

The "winhelp.exe" in the WINNT folder is valid, no further action needed.

 

As for Live Collaboration ...

When you view that "ActiveX object" from the Downloaded Program Files folder, you should see a "Status" column. As long as that says "Installed", it should be OK; if not, right-click and select: Update. If it fails to update, right-click and select: Remove. Once you visit that site again you will be prompted to install that "ActiveX object"; do that. Otherwise contact RR.

 

 

I found the Active X control called Live Collaboration

Most likely these 2 (from your HijackThis log)

 

O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab

 

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab


Seems like things get wilder and wilder. I've done so much I almost can't remember what all I've done.

 

What I do know is that I cannot get rid of the C:\Windows\Downloaded Program Files\winhlp32.exe file, no matter what I try. I did install the spywareblaster and put the block on winhlp32 reactivator (as someone said to do in the post thread you had me read at winamp). I also tried to kill it with the process viewer (before putting the block on), and the process viewer would kill DPFwinhlp32.exe, but then it would come right back. Each time I killed it, it came right back.

 

I also have tried to kill it with HiJack This many times, but it is always back there when I scan again.

 

Also, after trying to kill it with the Process Viewer, I discovered there were about 12 different new files on my desktop, which I will give the names here:

 

backup-20040615-213519-663

 

backup-20040616-225923-409.dll

 

backup-20040615-213519-867.inf

 

This last file could be read with notepad, and this is what it says:

 

; INF file for Fun Web Products Easy Installer

[version]

; version signature (same for both NT and Win95) do not remove

signature="$CHICAGO$"

AdvancedINF=2.0

 

[setup Hooks]

FunWebProductsSetupHook=FunWebProductsSetupHook

 

[FunWebProductsSetupHook]

run=%EXTRACT_DIR%\f3Setup1.exe

 

 

; ====================== end of f3Setup1.inf =====================

 

 

You might know what all of that means, I don't.

 

Anyway, I did at least get rid of the mp3university thing with HiJackThis.

 

And also at the winamp thread, they suggested to someone to get rid of the Quick Time qttask.exe file -atboottime. I had that file too so I got rid of it.

 

I also installed a trial version of TDS-3 Trojan finder & remover. When I ran the scan in it, it found the DPFwinhlp32.exe file, the updater.exe file, and another one (149efe.exe???can't remember). So I had it delete the files, but the DPF winhlp32.exe still came back. Not sure about the updater.exe --haven't run another scan with TDS-3 yet. It's getting late so I probably won't run it again tonight. I like the TDS-3, but think it might be too advanced for me.

 

Anyway, here is my log file for HiJack this:

 

Logfile of HijackThis v1.97.7

Scan saved at 1:14:35 AM, on 6/17/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\sistray.EXE

C:\WINNT\System32\khooker.exe

C:\WINNT\system32\pctspk.exe

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\WINNT\system32\msvcmm32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe

C:\WINNT\Downloaded Program Files\winhlp32.exe

C:\WINNT\system32\wuauclt.exe

C:\Documents and Settings\millie schmitt\Desktop\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\millie schmitt\Desktop\PrcView\PrcView.exe

C:\WINNT\Downloaded Program Files\winhlp32.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/

O1 - Hosts: 66.218.71.198 yahoo.com

O1 - Hosts: 205.188.160.120 aol.com

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [siS Tray] C:\WINNT\System32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINNT\System32\khooker.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe

O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Tray.exe /WNDSTART

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [winhlp3.exe] C:\WINNT\system32\winhlp3.exe

O4 - HKLM\..\Run: [web] C:\WINNT\system32\149efe.exe

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=

O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspace.com/Java/cfs40300.cab

O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindleaders.com/dpec/shared/cabs/awswaxf.cab

O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/support/chipdetect/SiSAutodetectnt.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7862.8210648148

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

 

I forgot to mention that I tried to delete the file found in the Downloaded Program Files called Reactivator Class. Someone at the winamp thread said to delete that too. But mine will not delete....it says it is a share violation, that other programs are using it. It says to try closing other programs first, but the strange thing is I would have no other programs open at the time except the windows explorer. Anyway, in the properties it says for this Reactivator Class that it was created on June 6, 2004, that it is an Active X Control, its total size is 79KB, and it has no code base, says it is installed, and THE REALLY IMPORTANT PART is that the Dependency file is C:\WINNT\DOWNLO...\WINHLP32.EXE

 

Can you believe that??? This has to be the culprit to keep it active, especially since I can't delete it because it's being shared. I put a block in the Process Viewer on it ....Reactivator Class ID {6C31790D-1EDF-4B05-83DC-925B3A8E2318}

 

So hopefully that will "protect against checked items." It's late now, so I'm headed to try to get some sleep. But in the morning or sometime during the day, I'll run some more scans and see if it is blocking both of these.

 

Again, thanks for your continued help.


Hi,

I discovered there were about 12 different new files on my desktop

Those are the backups created by HijackThis. If you look, I mentioned about moving HijackThis to a legit folder, etc. in my first reply.

 

Download: KillBox

http://www.downloads.subratam.org/KillBox.zip

Unzip but don't run it yet.

 

Close all open windows except for HijackThis. Place a check in each of the following:

Then click "Fix checked".

 

O4 - HKLM\..\Run: [winhlp3.exe] C:\WINNT\system32\winhlp3.exe

O4 - HKLM\..\Run: [web] C:\WINNT\system32\149efe.exe

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe

 

Then reboot, on restart, restart in Safe Mode (see "How To" below)

 

Start | Run (type) "%temp%" (no quotes)

Completely delete the entire contents of that "temp" folder.

 

Open Windows Explorer locate and delete the following:

 

C:\WINNT\system32\winhlp3.exe <--this file

C:\WINNT\system32\149efe.exe <--this file

C:\WINNT\Downloaded Program Files\winhlp32.exe <--this file

 

 

Note: if you are unable to delete any of the above:

 

Run (double-click) killbox.exe

 

In the "Paste Full Path of File to Delete" box, (type):

 

C:\WINNT\Downloaded Program Files\winhlp32.exe

 

Next: click on the "Action" menu (up top) and select: "Delete on Reboot".

In the window that opens up, click on the File menu and select: "Add File".

The "C:\WINNT\Downloaded Program Files\winhlp32.exe" listing should show up in the window.

 

Then repeat the process, this time adding:

 

C:\WINNT\system32\winhlp3.exe

C:\WINNT\system32\149efe.exe

 

If that's successful you should have the three files listed.

 

In the same window choose the "Action" menu and select "Process and Reboot".

You'll be prompted to reboot, do so.

 

Note: I would also delete any other "SysHelper" related files you found in the "Downloaded Program Files".


I thought I had HiJack This in a legit folder. Sorry, my error.

 

I did everything you said to do in the last instructions. When I was in Safe Mode - Windows Explorer, I couldn't find those 3 files: winhlp3.exe, 149efe.exe, or DPF\winhlp32.exe.

 

So I ran Killbox, and added those files to be deleted on reboot, and then rebooted.

 

Here is the HiJack This log file after doing all of the above:

 

Logfile of HijackThis v1.97.7

Scan saved at 4:18:17 PM, on 6/17/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\sistray.EXE

C:\WINNT\System32\khooker.exe

C:\WINNT\system32\pctspk.exe

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\WINNT\system32\msvcmm32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\millie schmitt\Desktop\PrcView\PrcView.exe

C:\Program Files\HiJackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/

O1 - Hosts: 66.218.71.198 yahoo.com

O1 - Hosts: 205.188.160.120 aol.com

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [siS Tray] C:\WINNT\System32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINNT\System32\khooker.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe

O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Tray.exe /WNDSTART

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=

O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspace.com/Java/cfs40300.cab

O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindleaders.com/dpec/shared/cabs/awswaxf.cab

O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/support/chipdetect/SiSAutodetectnt.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7862.8210648148

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

 

 

 

Seems like that DPFwinhlp32.exe is just about impossible to get rid of. When I open the DPF folder, there is, of course, no file listed called winhlp32.exe. And when I run just a basic search for a file called winhlp32.exe, just those four files show up that you said were legitimate. But this file is still showing up in the HiJack This log file, even after doing all the steps with KillBox. This must be one bad file!

 

I was able to delete the Reactivator Class file (which had for a dependent file the DPF\winhlp32.exe file). So something else must be keeping the DPF\winhlp32.exe file alive.

 

As for your comment about using KillBox for any "SysHelper" related files, I am really hindered there, because SysHelper never shows up on any search I do for it. The only place it shows up is when it has suddenly opened (while I'm in the RoadRunner chat help), and then I go to Task Manager and it is listed as a running application. When I end it, then all other programs running at that time are ended also, for some reason. Guess it takes 'em down with it. But I can't enter it into KillBox because I don't know the whole path for it.

 

With all of this happening, I can see why the Security field is the fastest growing sector of the computer IT fields.


Have to say I've been just surfing for a while, and just opened up Task Manager, and I don't see the winhlp32.exe running in processes. Maybe it is actually gone! It was always there before, and usually 2 of them.

 

I'll keep checking every now and then for it. I'm hopeful!!


Hi,

Since Windows Explorer or Windows Search does not allow viewing individual files located in the Downloaded Program Files folder, let's try it this way ...

 

Start | Run (type) cmd (click Ok)

 

(type) cd\WINNT\Downloaded Program Files (press Enter)

 

Next:

 

(type) dir /a /O:S D *.*>C:\dpf.txt (press Enter)

 

Open "dpf.txt" and paste the contents in your next post.

 

Note: in going back over your previous posts ...

You mentioned: C:\WINNT\Downloaded Program Files\RNTX.DLL

 

It looks like it could be part of the below:

http://www.pestpatrol.com/PestInfo/b/bridge.asp

 

That's why I wanted to get a file list to see exactly what's in that folder.


Just a quick reply before I start following your last instructions. I read the link you had about the DPF\RNTX.DLL file. That was interesting, and also I noticed near the bottom of that article they mentioned the file a.exe.

 

I've been making notes all along, and on one of my earlier pages I had written down the name of that file -- a.exe, because I had seen it while looking for some of the other files and thought, now what kind of file is that, with a name like that!! I started to ask you about it, but I didn't want to get off track or add any more problems for you to have to deal with (thought this one had enough issues!).

 

So that was really interesting to find mention of that file in the article. Just wanted to mention that. I'll start on your instructions now.


I'm in the cmd function....but I keep getting the message:

 

Parameter format not correct - "*.*".

 

I've tried twice and still get the same message. In fact I've tried skipping a space, etc., but that didn't work either!

 

Am I doing something wrong?


I just did another scan with HiJack This, and I don't see the DPF\winhlp32.exe file on it....I can't believe it! This is the first time that it has not shown up there.

 

Maybe the block with the Process Viewer has put a stop to it. This is great. I used to continually hear my hard drive like every 4 or 5 seconds...now it's quiet. What a difference. Does this mean it's gone for good? Hopefully?

 

If that's true, then all I can say is thanks. I sure never would have even attempted (or known how to do) all of this myself.

 

I'm going to go in to the RR chat room, and see if the SysHelper application cuts in still.

 

Here is the latest HiJack This log file:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:50:12 PM, on 6/17/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\sistray.EXE

C:\WINNT\System32\khooker.exe

C:\WINNT\system32\pctspk.exe

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\WINNT\system32\msvcmm32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HiJackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/

O1 - Hosts: 66.218.71.198 yahoo.com

O1 - Hosts: 205.188.160.120 aol.com

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [siS Tray] C:\WINNT\System32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINNT\System32\khooker.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe

O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Tray.exe /WNDSTART

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=

O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspace.com/Java/cfs40300.cab

O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindleaders.com/dpec/shared/cabs/awswaxf.cab

O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/support/chipdetect/SiSAutodetectnt.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7862.8210648148

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

 

 

I still would like to get rid of those two instances of O14 - IERESET.INF: SEARCH_PAGE_URL=

Maybe that is possible. HiJack This just doesn't stop them from coming back. Also I'll probably delete that a.exe file. But the article mentioned about going into the registry, which is something I've never done. I'm not too sure about that. I might just try finding the file again and just deleting in Windows Explorer, and/or putting a block on it.

 

I'm really encouraged so much!! I just can't say thanks enough. Don't you think it looks like that DPF file has been successfully blocked or deleted?

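The three HijackThis logs posted so far can be compared mechanically instead of by eye. The following is an added example, not part of the original thread and not HijackThis's own code: it parses trimmed excerpts of those logs and reports, for each Run entry the helper asked to fix, whether the entry is still registered and whether its executable is running in each scan. The function names are hypothetical, chosen for this illustration.

```python
import re

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                  # "O4 - <body>"
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")   # hive, key, value name, command
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.IGNORECASE)
SAVED_RE = re.compile(r"^Scan saved at (.+)$")

# Trimmed excerpts of the three logs posted in this thread (most lines omitted).
SCAN_1 = r"""
Logfile of HijackThis v1.97.7
Scan saved at 1:14:35 AM, on 6/17/2004
Running processes:
C:\WINNT\system32\msvcmm32.exe
C:\WINNT\Downloaded Program Files\winhlp32.exe
C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winhlp3.exe] C:\WINNT\system32\winhlp3.exe
O4 - HKLM\..\Run: [web] C:\WINNT\system32\149efe.exe
O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe
"""
SCAN_2 = r"""
Scan saved at 4:18:17 PM, on 6/17/2004
Running processes:
C:\WINNT\system32\msvcmm32.exe
C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe
"""
SCAN_3 = r"""
Scan saved at 10:50:12 PM, on 6/17/2004
Running processes:
C:\WINNT\system32\msvcmm32.exe
C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""


def parse_log(text):
    """Split a HijackThis log into scan time, running processes and coded entries."""
    log = {"saved": None, "processes": [], "entries": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()          # also drops the blank/nbsp lines forums insert
        if not line:
            continue
        entry = ENTRY_RE.match(line)
        saved = SAVED_RE.match(line)
        if entry:
            in_processes = False    # the process list ends at the first coded entry
            log["entries"].append((entry.group(1), entry.group(2)))
        elif saved:
            log["saved"] = saved.group(1)
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log["processes"].append(line)
    return log


def run_entries(log):
    """Map value name -> target executable for O4 registry Run entries.

    O4 lines that are not registry Run values (e.g. Startup folder items) are skipped.
    """
    out = {}
    for code, body in log["entries"]:
        m = RUN_RE.match(body) if code == "O4" else None
        if not m:
            continue
        exe = EXE_RE.match(m.group(4))
        # Strip quotes and arguments; fall back to the raw command if no .exe is found.
        out[m.group(3)] = (exe.group(1) or exe.group(2)) if exe else m.group(4)
    return out


def removed_between(before, after):
    """Value names registered in `before` but gone in `after`."""
    return sorted(set(run_entries(before)) - set(run_entries(after)))


def launched_from(log, folder):
    """Run value names whose target path contains `folder` (case-insensitive)."""
    return sorted(n for n, t in run_entries(log).items() if folder.lower() in t.lower())


def track(names, logs):
    """Per watched name: (scan time, entry registered?, target process running?) per scan."""
    report = {}
    for name in names:
        rows = []
        for log in logs:
            target = run_entries(log).get(name)
            procs = {p.lower() for p in log["processes"]}
            rows.append((log["saved"], target is not None,
                         target is not None and target.lower() in procs))
        report[name] = rows
    return report


LOGS = [parse_log(s) for s in (SCAN_1, SCAN_2, SCAN_3)]

if __name__ == "__main__":
    for name, rows in track(["winhlp3.exe", "web", "winhlp32.exe"], LOGS).items():
        for saved, registered, running in rows:
            print(f"{name:14} {saved:26} registered={registered!s:5} running={running}")
```

An entry that is still registered while its process is absent, as with winhlp32.exe in the second scan, means the autostart value survived the fix and needs to be checked again after the next reboot.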

I just had to let you know....I went to the RoadRunner live chat, and "SysHelper" did NOT show up!!! I could actually carry on a conversation with the tech person. I told them what had been going on, getting cut off, etc.

 

Well, this is all just fantastic. It's really great that there are people out there like you who know what to do about all of these problems. And your patience is really admirable.

 

If you have any more comments about the other files I mentioned in my last post, that's fine. But if you are ready to end this, since the original problems of DPFwinhlp32.exe & SysHelper have apparently been solved, then I understand. You might have had enough of this ordeal! Just can't say enough how much I appreciate all your help.


Hi,

Looks like you are making (good) progress ... (re: winhlp32.exe)

I just want to make sure there are no other culprits hiding there.

 

Parameter format not correct - "*.*".

Usually caused by typing it wrong, I tried it several times and it works here.

 

 

dir<space>/a<space>/O:S<space>D<space>*.*>C:\dpf.txt

 

Note: (that's the letter "O", not a zero) /O:S

 

I still would like to get rid of those two instances of O14 - IERESET.INF:

 

The "IERESET.INF" file is used by Windows when you go to Internet Options | Programs and hit the "Reset web settings" button. The "SEARCH_PAGE_URL=" is a standard entry, but part of the entry appears to be missing or corrupt.

 

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=

 

If you open "iereset.inf" in Notepad and scroll down to:

(it should read as below)

 

 

If that entry is empty, simply edit it to read exactly as above, then File | Save.

Edited by WinHelp2002


Microsoft Windows 2000 [Version 5.00.2195]

© Copyright 1985-2000 Microsoft Corp.

 

(I've omitted the first line with my name)

 

C:\WINNT\Downloaded Program Files>dir /a /O:S D *.*>C:\dpf.txt

 

C:\WINNT\Downloaded Program Files>dir /a /O:S D *.*>C:\dpf.txt

 

C:\WINNT\Downloaded Program Files>

 

 

This is what it gives me when I type it EXACTLY as you say. If I change it in some way, like not putting the spaces, then I get the message about the Parameter format not correct.

 

As you can see, I'm putting spaces where you say to put them. (Sorry, I know this is so elementary, must be somewhat painful for you....)


cear,

Does "C:\dpf.txt" exist? (in your C: folder)

 

Did you fix the "iereset.inf" file? (was it missing those 2 lines?)


I did a search and copied the contents of C:\dpf.txt. I'll answer your other question before I post the file contents.

 

I had 4 different iereset.inf files. One of them had 4 strings, so I edited that one and put in the 2 strings you posted.

 

The other 3 iereset.inf files had this string:

 

[strings]

SAFESITE_VALUE="ie.search.msn.com"

 

 

So I just left it. Should there be 4 iereset.inf files?? If not needed, I can delete the other 3.

 

Now here are the contents of the dpf.txt file (don't know if you actually wanted this or not, but thought I might as well post it):

 

Volume in drive C is DRIVE_C

Volume Serial Number is A881-AAB5

 

Directory of C:\WINNT\Downloaded Program Files

 

 

Directory of C:\WINNT\Downloaded Program Files

 

06/17/2004 10:02p <DIR> ..

06/15/2004 01:35p <DIR> rave

06/12/2004 11:41p <DIR> CONFLICT.1

06/17/2004 10:02p <DIR> .

06/11/2003 09:17p <DIR> temp

06/06/2004 02:30p 57 res.htm

06/12/2003 08:54p 65 desktop.ini

09/13/2002 10:56a 144 QTPlugin.inf

06/17/2004 10:53a 156 get_xml.php

08/27/2002 09:59a 173 setup.inf

02/06/2003 04:38p 209 RntX.inf

08/12/2003 03:13p 231 activate.inf

06/02/2003 03:32p 232 Mnviewer.inf

05/25/2003 02:47p 233 yacscom.inf

10/23/2001 01:18p 243 yacsui.inf

10/24/2003 02:01p 278 MsnChat45.inf

05/03/2004 03:40p 306 SASSCLN.INF

06/15/2004 08:59a 350 autoupdate.xml

03/05/2003 08:27p 381 ravupdt.ini

12/11/2002 02:08a 395 tgctlar.inf

06/16/2004 11:07a 404 get_xml.php.user

07/04/2003 06:21p 411 OSInfo.inf

09/05/2001 05:22a 411 isetup.inf

07/04/2003 05:16p 453 SiS_OCX.inf

06/06/2003 05:23p 477 play365.inf

08/07/2003 09:06a 525 asinst.inf

09/04/2003 03:02p 583 ravonline.inf

06/09/2003 02:17p 618 PCPitstop.inf

10/14/1997 06:52p 697 DirectAnimation Java Classes.osd

04/16/2003 03:24p 698 ChatSpace Full Java Client 4.0.0.300.osd

07/27/2002 04:25p 733 ymmapi.inf

11/25/2003 09:32a 754 Rovion.inf

03/13/2003 11:03a 962 IPIXX.inf

08/25/2003 06:12p 1,096 iuctl.inf

01/20/2000 03:25p 1,162 Microsoft XML Parser for Java.osd

03/28/2002 05:05p 1,268 erma.inf

11/17/1999 05:41p 1,522 voxmsdec.inf

05/01/2000 07:06p 1,988 wmvax.inf

03/02/2001 02:43p 2,132 wmv8ax.inf

08/11/2000 04:31p 2,140 msscrnax.inf

12/08/2003 01:58p 3,759 swflash.inf

06/17/2004 10:02p 4,068 dpf.txt

04/18/2003 08:11p 6,638 ravllio.vxd

10/18/2000 05:21p 7,288 awswax.inf

06/26/2003 07:41p 7,736 UGO20.exe

06/15/2004 01:35p 11,381 update.log

03/21/2002 01:53a 16,202 sdclicense.txt

09/05/2001 05:22a 24,576 iSetup.dll

04/18/2003 01:59p 53,248 DiskFAU.dll

06/08/2003 08:52p 59,556 Doremi.ttf

02/13/2003 11:07p 102,400 RntX.dll

06/02/2000 11:29a 102,912 ipixx.ocx

08/07/2003 09:02a 110,592 asinst.dll

08/12/2003 03:00p 110,592 activate.dll

05/03/2004 03:39p 118,784 SassCln.dll

10/20/2001 12:08a 155,648 yacsui.dll

07/27/2002 04:21p 155,714 ymmapi.dll

09/05/2001 05:21a 159,744 iSetup.exe

09/04/2003 02:33p 167,936 ravscan.dll

09/04/2003 03:00p 200,704 ravonline.dll

06/02/2003 03:46p 233,472 mnviewer.dll

05/27/2003 06:24p 233,472 yacscom.dll

06/11/2003 05:31p 249,856 PCPitstop.dll

09/04/2003 02:34p 290,816 ravupdt.dll

11/25/2003 09:22a 307,200 Rovion.dll

06/06/2003 06:06p 335,872 Play365.dll

05/16/2004 11:48a 393,216 imloader.exe

10/27/2003 11:35a 510,552 MSNChat45.ocx

07/11/2003 02:57a 562,160 QuickTimeInstaller.exe

03/22/2002 01:59p 565,248 RdxIE.dll

07/11/2003 02:59a 5,201,532 QuickTimeInstallCache.qdat

01/16/2004 11:25p 19,979,192 iTunesSetup.exe

67 File(s) 30,464,553 bytes

5 Dir(s) 3,332,952,064 bytes free


Hi,

Should there be 4 iereset.inf files??

The one you need to edit and use should be located in your Winnt\Inf folder.

 

The "Strings" section should look like:

 

As for the files in Downloaded Program Files, you need to delete:

 

06/26/2003 07:41p 7,736 UGO20.exe

05/03/2004 03:40p 306 SASSCLN.INF

02/13/2003 11:07p 102,400 RntX.dll

03/22/2002 01:59p 565,248 RdxIE.dll

 

Start | Run (type) cmd (click Ok)

 

(type) cd\WINNT\Downloaded Program Files (press Enter)

 

Next:

 

(type) del UGO20.exe (press Enter after each)

(type) del SASSCLN.INF

(type) del RntX.dll

(type) del RdxIE.dll

Edited by WinHelp2002


Microsoft Windows 2000 [Version 5.00.2195]

© Copyright 1985-2000 Microsoft Corp.

 

 

C:\WINNT\Downloaded Program Files>del UGO20.exe

 

C:\WINNT\Downloaded Program Files>del SASSCLN.INF

 

C:\WINNT\Downloaded Program Files>del RntX.dll

 

C:\WINNT\Downloaded Program Files>del RdxIE.dll

 

C:\WINNT\Downloaded Program Files>

 

 

 

Hopefully, all of that looks right to you...just thought I would post what I did just to be sure.

 

I did add the SAFESITE string to the iereset.inf file in the Winnt\Inf folder and deleted the other three iereset.inf files.

 

I also ran another Spybot scan and it came up with nothing! First time that has happened! Sounds like my computer is finally getting in good shape.

 

I don't know if I need to reboot for those files to actually be deleted and not show up. But think I will reboot and bring up the dpf.txt file and maybe post the updated copy.


Well, seems they are still there, but maybe I just don't understand the cmd function...maybe they are being blocked or something. Anyway, I did reboot and opened the dpf.txt file again and here are the contents:

 

Volume in drive C is DRIVE_C

Volume Serial Number is A881-AAB5

 

Directory of C:\WINNT\Downloaded Program Files

 

 

Directory of C:\WINNT\Downloaded Program Files

 

06/17/2004 10:02p <DIR> ..

06/15/2004 01:35p <DIR> rave

06/12/2004 11:41p <DIR> CONFLICT.1

06/17/2004 10:02p <DIR> .

06/11/2003 09:17p <DIR> temp

06/06/2004 02:30p 57 res.htm

06/12/2003 08:54p 65 desktop.ini

09/13/2002 10:56a 144 QTPlugin.inf

06/17/2004 10:53a 156 get_xml.php

08/27/2002 09:59a 173 setup.inf

02/06/2003 04:38p 209 RntX.inf

08/12/2003 03:13p 231 activate.inf

06/02/2003 03:32p 232 Mnviewer.inf

05/25/2003 02:47p 233 yacscom.inf

10/23/2001 01:18p 243 yacsui.inf

10/24/2003 02:01p 278 MsnChat45.inf

05/03/2004 03:40p 306 SASSCLN.INF

06/15/2004 08:59a 350 autoupdate.xml

03/05/2003 08:27p 381 ravupdt.ini

12/11/2002 02:08a 395 tgctlar.inf

06/16/2004 11:07a 404 get_xml.php.user

07/04/2003 06:21p 411 OSInfo.inf

09/05/2001 05:22a 411 isetup.inf

07/04/2003 05:16p 453 SiS_OCX.inf

06/06/2003 05:23p 477 play365.inf

08/07/2003 09:06a 525 asinst.inf

09/04/2003 03:02p 583 ravonline.inf

06/09/2003 02:17p 618 PCPitstop.inf

10/14/1997 06:52p 697 DirectAnimation Java Classes.osd

04/16/2003 03:24p 698 ChatSpace Full Java Client 4.0.0.300.osd

07/27/2002 04:25p 733 ymmapi.inf

11/25/2003 09:32a 754 Rovion.inf

03/13/2003 11:03a 962 IPIXX.inf

08/25/2003 06:12p 1,096 iuctl.inf

01/20/2000 03:25p 1,162 Microsoft XML Parser for Java.osd

03/28/2002 05:05p 1,268 erma.inf

11/17/1999 05:41p 1,522 voxmsdec.inf

05/01/2000 07:06p 1,988 wmvax.inf

03/02/2001 02:43p 2,132 wmv8ax.inf

08/11/2000 04:31p 2,140 msscrnax.inf

12/08/2003 01:58p 3,759 swflash.inf

06/17/2004 10:02p 4,068 dpf.txt

04/18/2003 08:11p 6,638 ravllio.vxd

10/18/2000 05:21p 7,288 awswax.inf

06/26/2003 07:41p 7,736 UGO20.exe

06/15/2004 01:35p 11,381 update.log

03/21/2002 01:53a 16,202 sdclicense.txt

09/05/2001 05:22a 24,576 iSetup.dll

04/18/2003 01:59p 53,248 DiskFAU.dll

06/08/2003 08:52p 59,556 Doremi.ttf

02/13/2003 11:07p 102,400 RntX.dll

06/02/2000 11:29a 102,912 ipixx.ocx

08/07/2003 09:02a 110,592 asinst.dll

08/12/2003 03:00p 110,592 activate.dll

05/03/2004 03:39p 118,784 SassCln.dll

10/20/2001 12:08a 155,648 yacsui.dll

07/27/2002 04:21p 155,714 ymmapi.dll

09/05/2001 05:21a 159,744 iSetup.exe

09/04/2003 02:33p 167,936 ravscan.dll

09/04/2003 03:00p 200,704 ravonline.dll

06/02/2003 03:46p 233,472 mnviewer.dll

05/27/2003 06:24p 233,472 yacscom.dll

06/11/2003 05:31p 249,856 PCPitstop.dll

09/04/2003 02:34p 290,816 ravupdt.dll

11/25/2003 09:22a 307,200 Rovion.dll

06/06/2003 06:06p 335,872 Play365.dll

05/16/2004 11:48a 393,216 imloader.exe

10/27/2003 11:35a 510,552 MSNChat45.ocx

07/11/2003 02:57a 562,160 QuickTimeInstaller.exe

03/22/2002 01:59p 565,248 RdxIE.dll

07/11/2003 02:59a 5,201,532 QuickTimeInstallCache.qdat

01/16/2004 11:25p 19,979,192 iTunesSetup.exe

67 File(s) 30,464,553 bytes

5 Dir(s) 3,332,952,064 bytes free

 

 

There also appeared another dpf.txt file, it's in the "Recent" folder. Guess this is normal.

 

Anyway, maybe those files I deleted are actually deleted...just still listed?

 

Well, one thing's for sure, my technical ignorance continues to show!


Hi,

Sorry it took so long to get back to you, I guess SWI was having technical difficulties yesterday? Anyway ... did you reboot and then create a fresh "dpf.txt" file? Otherwise I think you're in good shape now. :wave:


I'm just guessing that creating a fresh dpf.exe file can mean deleting the contents of the old one? I hope so. I thought that would be safest.

 

Anyway, things seem to be running great here. As said before, can't thank you enough for all your help. I would STILL be having all those problems if not for you, so I really appreciate everything (and again I have to say, your patience is appreciated very much too).

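The two dpf.txt listings posted in the thread are entry-for-entry identical, which is what reopening the old file produces, as opposed to rerunning the dir command. As an added example (not part of the original thread), this Python check parses two such listings and reports whether the four files named for deletion are gone, or whether the "after" listing is just the old one again. The function names and the AFTER_FRESH sample with its timestamp are constructed for illustration.

```python
import re
from datetime import datetime

# One `dir` entry line, e.g. "06/26/2003 07:41p 7,736 UGO20.exe" or "06/15/2004 01:35p <DIR> rave"
ENTRY = re.compile(r"^(\d{2})/(\d{2})/(\d{4})\s+(\d{2}):(\d{2})([ap])\s+(<DIR>|[\d,]+)\s+(.+)$")

def parse_dir_listing(text):
    """Map lower-cased name -> (modified time, size in bytes or None for <DIR>)."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # volume and "Directory of" headers, totals, blank lines
        mo, dd, yyyy, hh, mi, ampm, size, name = m.groups()
        hour = int(hh) % 12 + (12 if ampm == "p" else 0)  # 12-hour to 24-hour
        stamp = datetime(int(yyyy), int(mo), int(dd), hour, int(mi))
        nbytes = None if size == "<DIR>" else int(size.replace(",", ""))
        entries[name.lower()] = (stamp, nbytes)
    return entries

def verify_removal(before_text, after_text, targets):
    """Compare two listings and report what happened to each target file."""
    before, after = parse_dir_listing(before_text), parse_dir_listing(after_text)
    return {
        # Identical entries: the old listing file was reopened, not regenerated.
        "stale": before == after,
        "removed": [t for t in targets if t.lower() in before and t.lower() not in after],
        "still_listed": [t for t in targets if t.lower() in after],
    }

# Sample input: a few lines taken from the listing posted in the thread.
BEFORE = """\
 Directory of C:\\WINNT\\Downloaded Program Files
06/17/2004 10:02p <DIR> .
05/03/2004 03:40p 306 SASSCLN.INF
06/17/2004 10:02p 4,068 dpf.txt
06/26/2003 07:41p 7,736 UGO20.exe
02/13/2003 11:07p 102,400 RntX.dll
03/22/2002 01:59p 565,248 RdxIE.dll
04/16/2003 03:24p 698 ChatSpace Full Java Client 4.0.0.300.osd
"""
# Constructed: what a regenerated listing could look like once the del commands took effect.
AFTER_FRESH = """\
06/18/2004 09:15a <DIR> .
06/17/2004 10:02p 4,068 dpf.txt
"""
TARGETS = ["UGO20.exe", "SASSCLN.INF", "RntX.dll", "RdxIE.dll"]
print(verify_removal(BEFORE, BEFORE, TARGETS), verify_removal(BEFORE, AFTER_FRESH, TARGETS), sep="\n")
```

When "stale" is true the "still_listed" result proves nothing about the disk; the listing has to be regenerated before the comparison means anything.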