Need Help with Log File/ Also "SysHelper" hijack


28 replies to this topic

#1 cear (Full Member, 40 posts)

Posted 15 June 2004 - 07:14 PM

I'll try to make my explanation clear....it all started when I was trying to get some help at live tech chat from RoadRunner. Every time, something called "SysHelper" would open up and steal my cursor. I couldn't stay in the live chat with RR and type my chat words. I ran Adaware & also Spybot, but that did not get rid of it.

SysHelper is then found as an application in TaskManager. Also seems when I end SysHelper, then IEXPLORE.EXE in the processes also leaves. So I was going to delete iexplore.exe, but from doing google search, it sounded like sometimes it is not a trojan but something needful, so I haven't deleted it yet.

Then I noticed also in the processes two listings for winhlp32.exe, and after doing a google search, decided it was a trojan. So in task manager I tried to end winhlp32.exe, but every time it ends, in just 2 seconds it is right back. I cannot get rid of it.

So after hearing about HiJack This, I downloaded and ran it, and here is my log file. I'm wanting to go ahead and let it fix (does it remove??) winhlp32.exe, and also maybe msvcmm32.exe (seems like it was using the cpu at the very same time winhlp32.exe would), but wasn't sure about that. On the google search for msvcmm32.exe it sounds like it might be something connected with Movielink Manager, which I do have that program to watch movies.

Anyway, if someone could read my log file and please give me help with what things to let it fix, and especially about winhlp32.exe. Also, if you know ANYTHING about SysHelper, I would GREATLY appreciate it. That is so frustrating, that I cannot get rid of it. Maybe by getting rid of IEXPLORE.EXE, that would remove the SysHelper.

Thanks. Here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 5:25:09 PM, on 6/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\msvcmm32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\Downloaded Program Files\winhlp32.exe
C:\WINNT\Downloaded Program Files\winhlp32.exe
C:\Documents and Settings\millie schmitt\Desktop\HijackThis.exe
C:\WINNT\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.14.40.138 www.searchalot.com
O1 - Hosts: 64.14.40.138 searchalot.com
O1 - Hosts: 66.218.71.198 yahoo.com
O1 - Hosts: 207.68.173.245 www.hotmail.com
O1 - Hosts: 64.4.44.7 hotmail.com
O1 - Hosts: 205.188.160.120 aol.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe
O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Tray.exe /WNDSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [system check] C:\WINNT\Downloaded Program Files\updater.exe
O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspa...va/cfs40300.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} (Street Technologies ActiveX Control Object) - http://www.tutorials...eetnoagent7.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindl...abs/awswaxf.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectnt.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {6C31790D-1EDF-4B05-83DC-925B3A8E2318} (Reactivator Class) - http://www.mp3univer...autoupdater.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://media.memphis...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.8210648148
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecureca...l/java/RntX.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab

#2 WinHelp2002 (Taking back the Internet; Global Moderator, 5,365 posts)

Posted 15 June 2004 - 08:46 PM

Hi,
Important! Create a folder via Windows Explorer for HijackThis, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Close Windows Explorer.

Next:

Close all open windows except for HijackThis, place a check in each of the following, then click "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.14.40.138 www.searchalot.com
O1 - Hosts: 64.14.40.138 searchalot.com
O1 - Hosts: 66.218.71.198 yahoo.com
O1 - Hosts: 207.68.173.245 www.hotmail.com
O1 - Hosts: 64.4.44.7 hotmail.com
O1 - Hosts: 205.188.160.120 aol.com
O4 - HKLM\..\Run: [system check] C:\WINNT\Downloaded Program Files\updater.exe
O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab


Then reboot, on restart, restart in Safe Mode (see "How To" below)

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WINNT\Downloaded Program Files\winhlp32.exe <--this file
C:\WINNT\Downloaded Program Files\updater.exe <--this file

Restart normally and then ...

Download: SpyBot-Search & Destroy 1.3
http://majorgeeks.co...wnload2471.html

Run a scan, "fix" everything marked in red and reboot.

After the above rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
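The entries Mike picks out above fall into three patterns that a defender can check mechanically: O1 hosts-file lines that send a well-known name to some IP other than loopback (the MVPS HOSTS file he links works the other way round, mapping ad hosts to 127.0.0.1), O4 autorun entries whose executable lives in the ActiveX cache folder "Downloaded Program Files", and O16 ActiveX downloads that have no friendly name or are fetched from a bare IP address. The Python below is an added example, not part of the thread and not HijackThis code; it parses a handful of log lines constructed here in the same format as the logs posted above and returns the ones a reviewer would want to look at first. The section regexes, the `Finding` record and the "suspect directory" list are this example's own assumptions, not anything HijackThis defines.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O1"
    item: str      # the log line as written
    reason: str    # why a reviewer should look at it


# Constructed sample in HijackThis v1.97 format (mix of benign and suspect entries).
SAMPLE_LOG = """\
O1 - Hosts: 64.14.40.138 www.searchalot.com
O1 - Hosts: 66.218.71.198 yahoo.com
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O4 - HKLM\\..\\Run: [AVG_CC] C:\\Program Files\\Grisoft\\AVG6\\avgcc32.exe /startup
O4 - HKLM\\..\\Run: [winhlp32.exe] C:\\WINNT\\Downloaded Program Files\\winhlp32.exe
O4 - HKLM\\..\\Run: [system check] C:\\WINNT\\Downloaded Program Files\\updater.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
"""

# Section formats as they appear in the logs: "O1 - Hosts: <ip> <name>",
# "O4 - <hive>\..\Run: [<label>] <command>", "O16 - DPF: <descriptor> - <url>".
O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")
O16_RE = re.compile(r"^O16 - DPF: (.*?) - (\S+)$")

# Loopback/null entries are blocklist style, not a redirect; everything else is a redirect.
LOOPBACK = {"127.0.0.1", "0.0.0.0"}
# Assumed list: folders a legitimate autorun should not be executing from.
SUSPECT_AUTORUN_DIRS = ("\\downloaded program files\\", "\\temp\\")


def is_ip_literal(host: str) -> bool:
    """True when the URL host is a bare IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line: str):
    """Return a Finding for a suspect O1/O4/O16 line, or None for benign/unknown lines."""
    line = line.rstrip()
    m = O1_RE.match(line)
    if m:
        ip, name = m.groups()
        if ip not in LOOPBACK:
            return Finding("O1", line, f"hosts file sends {name} to {ip} instead of DNS")
        return None
    m = O4_RE.match(line)
    if m:
        _hive, label, command = m.groups()
        if any(d in command.lower() for d in SUSPECT_AUTORUN_DIRS):
            return Finding("O4", line, f"autorun '{label}' executes from a download/temp directory")
        return None
    m = O16_RE.match(line)
    if m:
        descriptor, url = m.groups()
        host = urlparse(url).hostname or ""
        if is_ip_literal(host):
            return Finding("O16", line, f"ActiveX control fetched from bare IP {host}")
        if "(" not in descriptor:  # no friendly name after the CLSID
            return Finding("O16", line, "unnamed ActiveX control; verify the download host before trusting it")
        return None
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and collect the findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.item}")
```

Run against the sample, the five lines it reports are exactly the kinds Mike asked to have fixed; the loopback hosts entry, the AVG autorun and the named Shockwave control pass through untouched. The heuristics are deliberately narrow so that the output is a review list, not a verdict: an unnamed O16 entry from a reputable host (the Google toolbar one in the log above) still deserves a look but is not removed on sight.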

#3 cear (Full Member, 40 posts)

Posted 15 June 2004 - 11:37 PM

OK! I did everything you said to do -- some things happened along the way so I'll relate those before I post the latest log file for HiJack This.

As said I followed your instructions. When I came to checking all the things in HiJack This that you said to check, I did that. But after clicking "Fix checked" I got 2 messages, from Yahoo and AOL. Here is what it said:

An unexpected error has occurred at procedure: modMain_FixOther1Item(sItem=O1 - Hosts: 205.188.160.120 aol.com)
Error #70 - Permission denied

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were doing when the error occurred
* How you can reproduce the error

Windows version: Windows NT 5.00.2195
MSIE version: 6.0.2800.1106
HijackThis version: 1.97.7

This message has been copied to your clipboard.

As stated, I got the same message from Yahoo when it tried to "fix" the yahoo host thing. (I do have a yahoo email account, don't know if that matters or not.)


I did delete the C:\WINNT\Downloaded Program Files\winhlp32.exe file -- however, there was another file there called winhelp.exe. I didn't know whether to delete this one too or not, so I just left it. Now after seeing the latest HiJack this scan, I think I should have deleted winhelp.exe also.

Anyway, there was no C:\WINNT\Downloaded Program Files\updater.exe file to be found (all this was going on in Safe Mode) in Windows Explorer. I ran a search for this file, but the only thing that turned up was a file called QuickTimeUpdater.exe (144Kb) with the path of C:\Program Files\Quick Time. I started to just go ahead and delete it anyway (the exe file), but a message came up saying if I did then Quick Time would not work. So I didn't delete it.

After restarting, I downloaded the newer version of Spybot, ran it, "fixed" everything it showed. Then rebooted and ran HiJack This again. So here is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 11:10:45 PM, on 6/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINNT\system32\msvcmm32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\Downloaded Program Files\winhlp32.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINNT\Downloaded Program Files\winhlp32.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\millie schmitt\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
O1 - Hosts: 66.218.71.198 yahoo.com
O1 - Hosts: 205.188.160.120 aol.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe
O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Tray.exe /WNDSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspa...va/cfs40300.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} (Street Technologies ActiveX Control Object) - http://www.tutorials...eetnoagent7.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindl...abs/awswaxf.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectnt.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6C31790D-1EDF-4B05-83DC-925B3A8E2318} (Reactivator Class) - http://www.mp3univer...autoupdater.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://media.memphis...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.8210648148
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecureca...l/java/RntX.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab



I don't understand how some of these files can be back. I took my time and carefully checked everything you said to, and then clicked "Fix checked" on that first go round. Are they still on my hard drive (just deleted) but still showing up, is that why it appears? I know you can tell this is the first time I've done something like this. Before I just ran SpyBot and let it go at that.....until all of this trouble appeared. But I did take my time and followed your instructions...that's why it has taken me so long to get back to you (I've gone ever so slowly).

Anyway, I appreciate your help. I don't know if you want to keep fooling with this or not. But if you do, all I can say is you have lots of patience, and many thanks to you.

Maybe I should have gone ahead and deleted the winhelp.exe file too. Just wasn't sure since you didn't mention that one. All of this has me stumped, don't know why these files are still showing up.

#4 WinHelp2002 (Taking back the Internet; Global Moderator, 5,365 posts)

Posted 16 June 2004 - 04:59 AM

Hi,

I did delete the C:\WINNT\Downloaded Program Files\winhlp32.exe file -- however, there was another file there called winhelp.exe.

It would seem that those 2 files may be related to "mp3university.com" as seen in this > thread

Start > Search (type) winhlp32.exe
The valid MS file should show up in your Windows (WINNT) folder.
It should have a "Question Mark" type icon.

The version that exists in C:\WINNT\Downloaded Program Files is bogus!

Start > Search (type) winhlp.exe
The valid MS file should show up in your Windows (WINNT) folder.
It should have a "Question Mark" type icon.

The version that exists in C:\WINNT\Downloaded Program Files is bogus!
--
Open Windows Explorer and delete:
C:\WINNT\Downloaded Program Files\winhlp.exe

Download: Process Viewer [freeware]
Unzip and run PrcView
Highlight winhlp32.exe, right-click and select: Kill

Open Windows Explorer and delete:
C:\WINNT\Downloaded Program Files\winhlp32.exe

I would recommend also removing the "mp3university" (see above thread)

Next:
Close all open windows except for HijackThis, place a check in each of the following, then click "Fix checked":

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe
O16 - DPF: {6C31790D-1EDF-4B05-83DC-925B3A8E2318} (Reactivator Class) - http://www.mp3univer...autoupdater.cab


Note: if you have any trouble with the above, repeat in Safe Mode.

Restart normally, rescan with HijackThis and post a fresh log ...
Mike

#5 cear (Full Member, 40 posts)

Posted 16 June 2004 - 11:59 AM

Just as a quick reply, before I do what you stated above:

I realize what I deleted was the file winhlp32.exe that was in the WINNT folder. There was no file called winhlp32.exe in the WINNT\Downloaded Program Files. Unless it is going by another name....there were some files in there that were just numbers in the name. But I went over and over the Downloaded Program Files, and there was nothing in there named winhlp32.exe.

So I have already deleted from my recycle bin the WINNT folder file called winhlp32.exe. As said before, this is the first time I've done this, and since I didn't see the file in the specific Downloaded Program files folder, I thought this was the correct file. Anyway, hopefully it won't cause any harm to delete this file!!

Just wanted to state all of this before going any further. Thanks for your time.

#6 WinHelp2002 (Taking back the Internet; Global Moderator, 5,365 posts)

Posted 16 June 2004 - 01:04 PM

Hi,

what I deleted was the file winhlp32.exe that was in the WINNT folder

Ouch! That's the legit Windows Help file ...

Try this: Start > Search (type) winhlp32.exe
Place a check in: "Advanced Options", click Search Now

Does the bogus winhelp32 file show up in the "Downloaded Program Files" folder?
If so delete it ... do the same for: "winhlp.exe"

Next:
Go to: Microsoft DLL Help Database
(type) winhelp32.exe
It looks like "Version: 5.0.2195.6601" = Windows 2000 SP4
Located in your "\i386" folder, is the file you need to replace. (WINNT folder)
Mike

#7 cear (Full Member, 40 posts)

Posted 16 June 2004 - 07:51 PM

I'm finally home and back to tackling this problem.

I just ran the search for winhlp32.exe and got 4 objects. I will list the paths that they show above when I click on them.

It says -- In Folder:

1) C:\WINDOWS

2) C:\WINNT\$NtServicePackUninstall$

3) C:\WINNT\ServicePackFiles\i386

4) C:\WINNT\system32


So according to your previous instructions, I don't know which ones to leave and which ones to delete!! And all of them do have the big Question Mark. And I did run the search with the advanced option checked.

I also did the search (advanced) for winhlp.exe and it came back with no objects found. I ran the search twice to be sure, and still no file was found.

Since it seems I still have possibly a valid winhlp32.exe (out of those four!!), I haven't gone to the Microsoft Help Database to get that file.

Also I haven't yet downloaded the Process Viewer -- I'll wait to hear from you which of those four files I should get rid of first.

After I hear from you then I'll also get rid of the mp3university thing too.

Thanks again so much for this help. I'd sure be lost otherwise.

#8 cear (Full Member, 40 posts)

Posted 16 June 2004 - 08:51 PM

Just a note....there is a winhelp.exe file in the WINNT folder.

#9 cear (Full Member, 40 posts)

Posted 16 June 2004 - 09:21 PM

While I was in the Downloaded Program Files folder, I found the Active X control called Live Collaboration.

Its code base is: https://rr.esecureca...l/java/RntX.cab

That makes me think this is the control for the RoadRunner live chat (maybe I'm wrong, but the reason I thought it is because RoadRunner's web site of course is rr.com). Anyway, looking at its properties and Dependency, it lists 2 files "upon which Live Collaboration depends." These files are:

C:\WINNT\DOWNLOADED...\RNTX.DLL

C:\WINNT\DOWNLOADED P...\RNTX.INF

(I typed those exactly the way they were listed.)

So I ran a search, entered only RNTX.DLL (Search for files and folders). The search could not find that file.

I did the same search for RNTX.INF and again the search could not find that file. Also they are not listed in the Downloaded Program File that I can see just by looking (unless they are those files with numbers only for names).

This all may not mean anything, I really don't know (by now you know that!!!) But I just wondered if the Live Collaboration depended on those 2 files, and the 2 files are missing ---that seemed strange! And also maybe that is why I cannot have a live chat session with the RoadRunner technical chat room. As I said in my first post, an application called "SysHelper" opens when I start my chat in RR, and it steals my cursor (description in first post). Then the only way to get rid of this SysHelper is to end it in Task Manager.

Like I said, maybe these dependent files don't mean anything. I was just curious. And desperate to get rid of that SysHelper.

#10 WinHelp2002 (Taking back the Internet; Global Moderator, 5,365 posts)

Posted 16 June 2004 - 09:57 PM

Hi,
The 4 instances of winhlp32.exe are all valid, no further action needed.
The "winhelp.exe" in the WINNT folder is valid, no further action needed.

As for Live Collaboration ...
When you view that "ActiveX object" in the Downloaded Program Files folder, you should see a "Status" column. As long as that says "Installed", it should be Ok; if not, right-click and select: Update. If it fails to update, right-click and select: Remove. Once you visit that site again you will be prompted to install that "ActiveX object", do that. Otherwise contact RR.


I found the Active X control called Live Collaboration

Most likely these 2 (from your HijackThis log)

O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecureca...l/java/RntX.cab
Mike

#11 cear (Full Member, 40 posts)

Posted 17 June 2004 - 01:31 AM

Seems like things get wilder and wilder. I've done so much I almost can't remember what all I've done.

What I do know is that I cannot get rid of the C:\Windows\Downloaded Program Files\winhlp32.exe file, no matter what I try. I did install the spywareblaster and put the block on winhlp32 reactivator (as someone said to do in the post thread you had me read at winamp). I also tried to kill it with the process viewer (before putting the block on), and the process viewer would kill DPFwinhlp32.exe, but then it would come right back. Each time I killed it, it came right back.

I also have tried to kill it with HiJack This many times, but it is always back there when I scan again.

Also, after trying to kill it with the Process Viewer, I discovered there were about 12 different new files on my desktop, which I will give the names here:

backup-20040615-213519-663

backup-20040616-225923-409.dll

backup-20040615-213519-867.inf

This last file could be read with notepad, and this is what it says:

; INF file for Fun Web Products Easy Installer
[version]
; version signature (same for both NT and Win95) do not remove
signature="$CHICAGO$"
AdvancedINF=2.0

[Setup Hooks]
FunWebProductsSetupHook=FunWebProductsSetupHook

[FunWebProductsSetupHook]
run=%EXTRACT_DIR%\f3Setup1.exe


; ====================== end of f3Setup1.inf =====================


You might know what all of that means, I don't.

Anyway, I did at least get rid of the mp3university thing with HiJackThis.

And also at the winamp thread, they suggested to someone to get rid of the Quick Time qttask.exe file -atboottime. I had that file too so I got rid of it.

I also installed a trial version of TDS-3 Trojan finder & remover. When I ran the scan in it, it found the DPFwinhlp32.exe file, the updater.exe file, and another one (149efe.exe???can't remember). So I had it delete the files, but the DPF winhlp32.exe still came back. Not sure about the updater.exe --haven't run another scan with TDS-3 yet. It's getting late so I probably won't run it again tonight. I like the TDS-3, but think it might be too advanced for me.

Anyway, here is my log file for HiJack this:

Logfile of HijackThis v1.97.7
Scan saved at 1:14:35 AM, on 6/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINNT\system32\msvcmm32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINNT\Downloaded Program Files\winhlp32.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\millie schmitt\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\millie schmitt\Desktop\PrcView\PrcView.exe
C:\WINNT\Downloaded Program Files\winhlp32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
O1 - Hosts: 66.218.71.198 yahoo.com
O1 - Hosts: 205.188.160.120 aol.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe
O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Tray.exe /WNDSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [winhlp3.exe] C:\WINNT\system32\winhlp3.exe
O4 - HKLM\..\Run: [web] C:\WINNT\system32\149efe.exe
O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspa...va/cfs40300.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindl...abs/awswaxf.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectnt.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.8210648148
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecureca...l/java/RntX.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

I forgot to mention that I tried to delete the file found in the Downloaded Program Files called Reactivator Class. Someone at the winamp thread said to delete that too. But mine will not delete....it says it is a share violation, that other programs are using it. It says to try closing other programs first, but the strange thing is I would have no other programs open at the time except the windows explorer. Anyway, in the properties it says for this Reactivator Class that it was created on June 6, 2004, that it is an Active X Control, its total size is 79KB, and it has no code base, says it is installed, and THE REALLY IMPORTANT PART is that the Dependency file is C:\WINNT\DOWNLO...\WINHLP32.EXE

Can you believe that??? This has to be the culprit to keep it active, especially since I can't delete it because it's being shared. I put a block in the Process Viewer on it ....Reactivator Class ID {6C31790D-1EDF-4B05-83DC-925B3A8E2318}

So hopefully that will "protect against checked items." It's late now, so I'm headed to try to get some sleep. But in the morning or sometime during the day, I'll run some more scans and see if it is blocking both of these.

Again, thanks for your continued help.

#12 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 17 June 2004 - 05:04 AM

Hi,

I discovered there were about 12 different new files on my desktop

Those are the backups created by HijackThis. If you look, I mentioned moving HijackThis to a legit folder, etc. in my first reply.

Download: KillBox
http://www.downloads...org/KillBox.zip
Unzip but don't run it yet.

Close all open windows except for HijackThis, place a check in each of the following, then click "Fix checked":

O4 - HKLM\..\Run: [winhlp3.exe] C:\WINNT\system32\winhlp3.exe
O4 - HKLM\..\Run: [web] C:\WINNT\system32\149efe.exe
O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe


Then reboot, on restart, restart in Safe Mode (see "How To" below)

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WINNT\system32\winhlp3.exe <--this file
C:\WINNT\system32\149efe.exe <--this file
C:\WINNT\Downloaded Program Files\winhlp32.exe <--this file


Note: if you are unable to delete any of the above:

Run (double-click) killbox.exe

In the "Paste Full Path of File to Delete" box, (type):

C:\WINNT\Downloaded Program Files\winhlp32.exe

Next: click on the "Action" menu (up top) and select: "Delete on Reboot".
In the window that opens up, click on the File menu and select: "Add File".
The "C:\WINNT\Downloaded Program Files\winhlp32.exe" listing should show up in the window.

Then repeat the process, this time adding:

C:\WINNT\system32\winhlp3.exe
C:\WINNT\system32\149efe.exe

If that's successful you should have the three files listed.

In the same window choose the "Action" menu and select "Process and Reboot".
You'll be prompted to reboot, do so.

Note: I would also delete any other "SysHelper" related files you found in the "Downloaded Program Files".
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#13 cear (Full Member, 40 posts)

Posted 17 June 2004 - 04:29 PM

I thought I had HiJack This in a legit folder. Sorry, my error.

I did everything you said to do in the last instructions. When I was in Safe Mode - Windows Explorer, I couldn't find those 3 files: winhlp3.exe, 149efe.exe, or DPF\winhlp32.exe.

So I ran Killbox, and added those files to be deleted on reboot, and then rebooted.

Here is the HiJack This log file after doing all of the above:

Logfile of HijackThis v1.97.7
Scan saved at 4:18:17 PM, on 6/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINNT\system32\msvcmm32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\millie schmitt\Desktop\PrcView\PrcView.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
O1 - Hosts: 66.218.71.198 yahoo.com
O1 - Hosts: 205.188.160.120 aol.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe
O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Tray.exe /WNDSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [winhlp32.exe] C:\WINNT\Downloaded Program Files\winhlp32.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspa...va/cfs40300.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindl...abs/awswaxf.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectnt.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.8210648148
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecureca...l/java/RntX.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab



Seems like that DPFwinhlp32.exe is just about impossible to get rid of. When I open the DPF folder, there is, of course, no file listed called winhlp32.exe. And when I run just a basic search for a file called winhlp32.exe, just those four files show up that you said were legitimate. But this file is still showing up in the HiJack This log file, even after doing all the steps with KillBox. This must be one bad file!

I was able to delete the Reactivator Class file (which had for a dependent file the DPF\winhlp32.exe file). So something else must be keeping the DPF\winhlp32.exe file alive.

As for your comment about using KillBox for any "SysHelper" related files, I am really hindered there, because SysHelper never shows up on any search I do for it. The only place it shows up is when it has suddenly opened (while I'm in the RoadRunner chat help), and then I go to Task Manager and it is listed as a running application. When I end it, then all other programs running at that time are ended also, for some reason. Guess it takes 'em down with it. But I can't enter it into KillBox because I don't know the whole path for it.

With all of this happening, I can see why the Security field is the fastest growing sector of the computer IT fields.

#14 cear (Full Member, 40 posts)

Posted 17 June 2004 - 05:30 PM

Have to say I've been just surfing for a while, and just opened up Task Manager, and I don't see the winhlp32.exe running in processes. Maybe it is actually gone! It was always there before, and usually 2 of them.

I'll keep checking every now and then for it. I'm hopeful!!

#15 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 17 June 2004 - 07:47 PM

Hi,
Since Windows Explorer or Windows Search does not allow viewing individual files located in the Downloaded Program Files folder, let's try it this way ...

Start | Run (type) cmd (click Ok)

(type) cd\WINNT\Downloaded Program Files (press Enter)

Next:

(type) dir /a /O:S D *.*>C:\dpf.txt (press Enter)

Open "dpf.txt" and paste the contents in your next post.

Note: in going back over your previous posts ...
You mentioned: C:\WINNT\Downloaded Program Files\RNTX.DLL

It looks like it could be part of the below:
http://www.pestpatro...fo/b/bridge.asp

That's why I wanted to get a file list to see exactly what's in that folder.
Mike

#16 cear (Full Member, 40 posts)

Posted 17 June 2004 - 09:50 PM

Just a quick reply before I start following your last instructions. I read the link you had about the DPF\RNTX.DLL file. That was interesting, and also I noticed near the bottom of that article they mentioned the file a.exe.

I've been making notes all along, and on one of my earlier pages I had written down the name of that file -- a.exe, because I had seen it while looking for some of the other files and thought, now what kind of file is that, with a name like that!! I started to ask you about it, but I didn't want to get off track or add any more problems for you to have to deal with (thought this one had enough issues!).

So that was really interesting to find mention of that file in the article. Just wanted to mention that. I'll start on your instructions now.

#17 cear (Full Member, 40 posts)

Posted 17 June 2004 - 10:11 PM

I'm in the cmd function....but I keep getting the message:

Parameter format not correct - "*.*".

I've tried twice and still get the same message. In fact I've tried skipping a space, etc., but that didn't work either!

Am I doing something wrong?

#18 cear (Full Member, 40 posts)

Posted 17 June 2004 - 11:00 PM

I just did another scan with HiJack This, and I don't see the DPF\winhlp32.exe file on it....I can't believe it! This is the first time that it has not shown up there.

Maybe the block with the Process Viewer has put a stop to it. This is great. I used to continually hear my hard drive like every 4 or 5 seconds...now it's quiet. What a difference. Does this mean it's gone for good? Hopefully?

If that's true, then all I can say is thanks. I sure never would have even attempted (or known how to do) all of this myself.

I'm going to go in to the RR chat room, and see if the SysHelper application cuts in still.

Here is the latest HiJack This log file:

Logfile of HijackThis v1.97.7
Scan saved at 10:50:12 PM, on 6/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINNT\system32\msvcmm32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
O1 - Hosts: 66.218.71.198 yahoo.com
O1 - Hosts: 205.188.160.120 aol.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe
O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Tray.exe /WNDSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspa...va/cfs40300.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindl...abs/awswaxf.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectnt.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.8210648148
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecureca...l/java/RntX.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


I still would like to get rid of those two instances of O14 - IERESET.INF: SEARCH_PAGE_URL=
Maybe that is possible. HiJack This just doesn't stop them from coming back. Also I'll probably delete that a.exe file. But the article mentioned about going into the registry, which is something I've never done. I'm not too sure about that. I might just try finding the file again and just deleting in Windows Explorer, and/or putting a block on it.

I'm really encouraged so much!! I just can't say thanks enough. Don't you think it looks like that DPF file has been successfully blocked or deleted?

#19 cear (Full Member, 40 posts)

Posted 17 June 2004 - 11:20 PM

I just had to let you know....I went to the RoadRunner live chat, and "SysHelper" did NOT show up!!! I could actually carry on a conversation with the tech person. I told them what had been going on, getting cut off, etc.

Well, this is all just fantastic. It's really great that there are people out there like you who know what to do about all of these problems. And your patience is really admirable.

If you have any more comments about the other files I mentioned in my last post, that's fine. But if you are ready to end this, since the original problems of DPFwinhlp32.exe & SysHelper have apparently been solved, then I understand. You might have had enough of this ordeal! Just can't say enough how much I appreciate all your help.

#20 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 18 June 2004 - 05:05 AM

Hi,
Looks like you are making (good) progress ... (re: winhlp32.exe)
I just want to make sure there are no other culprits hiding there.

Parameter format not correct - "*.*".

Usually caused by typing it wrong, I tried it several times and it works here.


dir<space>/a<space>/O:S<space>D<space>*.*>C:\dpf.txt

Note: (that's the letter "O", not a zero) /O:S

I still would like to get rid of those two instances of O14 - IERESET.INF:


The "IERESET.INF" file is used by Windows when you go to Internet Options | Programs and hit the "Reset web settings" button. The "SEARCH_PAGE_URL=" is a standard entry, but part of the entry appears to be missing or corrupt.

O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=

If you open "iereset.inf" in Notepad and scroll down to:
(it should read as below)

[Strings]
START_PAGE_URL="http://www.microsoft...r=6&ar=msnhome"
SEARCH_PAGE_URL="http://www.microsoft...ie&ar=iesearch"


If that entry is empty, simply edit it to read exactly as above, then File | Save.

Edited by WinHelp2002, 18 June 2004 - 05:15 AM.

Mike
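Two INF files come up in this thread: the f3Setup1.inf that the "Fun Web Products" installer left behind (quoted in post #11), whose [Setup Hooks] section tells the ActiveX installer which program to run after extraction, and iereset.inf, whose [Strings] section supplies the two URLs that the O14 lines show as empty. The following is an added example, not code from the thread or from Windows, that reads both kinds of file with Python's configparser: it follows the setup-hook chain to the run= command, and reports which of the two iereset.inf strings are missing or empty. The f3Setup1.inf text is copied from the post; the two URL values in the "repaired" iereset.inf sample are placeholders, since the thread only shows them truncated.

```python
"""Inspect INF files dropped by ActiveX installers and check iereset.inf."""
import configparser
from typing import List, Tuple

# Constructed copy of the f3Setup1.inf quoted in the thread.
F3SETUP_INF = r"""
; INF file for Fun Web Products Easy Installer
[version]
; version signature (same for both NT and Win95) do not remove
signature="$CHICAGO$"
AdvancedINF=2.0

[Setup Hooks]
FunWebProductsSetupHook=FunWebProductsSetupHook

[FunWebProductsSetupHook]
run=%EXTRACT_DIR%\f3Setup1.exe
"""

# Constructed iereset.inf fragments: one with the two URLs empty (what the
# O14 lines in the logs indicate), one repaired. URLs are placeholders.
IERESET_EMPTY = r"""
[Strings]
START_PAGE_URL=
SEARCH_PAGE_URL=
"""
IERESET_OK = r"""
[Strings]
START_PAGE_URL="http://START-PAGE-PLACEHOLDER/"
SEARCH_PAGE_URL="http://SEARCH-PAGE-PLACEHOLDER/"
"""

REQUIRED_STRINGS = ('START_PAGE_URL', 'SEARCH_PAGE_URL')


def load_inf(text: str) -> configparser.RawConfigParser:
    """Parse INF text. RawConfigParser does no %interpolation%, so values
    like %EXTRACT_DIR% survive untouched; ';' starts a comment."""
    cp = configparser.RawConfigParser(strict=False, delimiters=('=',),
                                      inline_comment_prefixes=(';',))
    cp.optionxform = str  # keep key names case-sensitive as written
    cp.read_string(text)
    return cp


def setup_hook_commands(cp: configparser.RawConfigParser) -> List[Tuple[str, str]]:
    """Return (hook section, run= command) for every hook the installer will execute."""
    hooks = []
    if not cp.has_section('Setup Hooks'):
        return hooks
    for _, section in cp.items('Setup Hooks'):
        if cp.has_section(section) and cp.has_option(section, 'run'):
            hooks.append((section, cp.get(section, 'run')))
    return hooks


def missing_iereset_strings(cp: configparser.RawConfigParser) -> List[str]:
    """Names of the reset URLs that are absent or empty in [Strings]."""
    missing = []
    for key in REQUIRED_STRINGS:
        if not cp.has_option('Strings', key):
            missing.append(key)
            continue
        value = cp.get('Strings', key).strip().strip('"')
        if not value:
            missing.append(key)
    return missing


if __name__ == '__main__':
    for section, cmd in setup_hook_commands(load_inf(F3SETUP_INF)):
        print(f'setup hook [{section}] runs: {cmd}')
    print('empty in broken iereset.inf:', missing_iereset_strings(load_inf(IERESET_EMPTY)))
    print('empty in repaired iereset.inf:', missing_iereset_strings(load_inf(IERESET_OK)))
```

The run= value is what matters when reviewing a leftover installer INF: it names the program the ActiveX installer launches after unpacking the CAB, which is the step that puts files like f3Setup1.exe on the machine. For iereset.inf, an empty START_PAGE_URL or SEARCH_PAGE_URL is exactly what produces the two blank O14 lines.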

#21 cear (Full Member, 40 posts)

Posted 18 June 2004 - 05:02 PM

Microsoft Windows 2000 [Version 5.00.2195]
© Copyright 1985-2000 Microsoft Corp.

(I've omitted the first line with my name)

C:\WINNT\Downloaded Program Files>dir /a /O:S D *.*>C:\dpf.txt

C:\WINNT\Downloaded Program Files>dir /a /O:S D *.*>C:\dpf.txt

C:\WINNT\Downloaded Program Files>


This is what it gives me when I type it EXACTLY as you say. If I change it in some way, like not putting the spaces, then I get the message about the Parameter format not correct.

As you can see, I'm putting spaces where you say to put them. (Sorry, I know this is so elementary, must be somewhat painful for you....)

#22 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 18 June 2004 - 06:05 PM

cear,
Does "C:\dpf.txt" exist? (in your C: folder)

Did you fix the "iereset.inf" file? (was it missing those 2 lines?)
Mike

#23 cear (Full Member, 40 posts)

Posted 18 June 2004 - 07:39 PM

I did a search and copied the contents of C:\dpf.txt. I'll answer your other question before I post the file contents.

I had 4 different iereset.inf files. One of them had 4 strings, so I edited that one and put in the 2 strings you posted.

The other 3 iereset.inf files had this string:

[Strings]
SAFESITE_VALUE="ie.search.msn.com"


So I just left it. Should there be 4 iereset.inf files?? If not needed, I can delete the other 3.

Now here are the contents of the dpf.txt file (don't know if you actually wanted this or not, but thought I might as well post it):

Volume in drive C is DRIVE_C
Volume Serial Number is A881-AAB5

Directory of C:\WINNT\Downloaded Program Files


Directory of C:\WINNT\Downloaded Program Files

06/17/2004 10:02p <DIR> ..
06/15/2004 01:35p <DIR> rave
06/12/2004 11:41p <DIR> CONFLICT.1
06/17/2004 10:02p <DIR> .
06/11/2003 09:17p <DIR> temp
06/06/2004 02:30p 57 res.htm
06/12/2003 08:54p 65 desktop.ini
09/13/2002 10:56a 144 QTPlugin.inf
06/17/2004 10:53a 156 get_xml.php
08/27/2002 09:59a 173 setup.inf
02/06/2003 04:38p 209 RntX.inf
08/12/2003 03:13p 231 activate.inf
06/02/2003 03:32p 232 Mnviewer.inf
05/25/2003 02:47p 233 yacscom.inf
10/23/2001 01:18p 243 yacsui.inf
10/24/2003 02:01p 278 MsnChat45.inf
05/03/2004 03:40p 306 SASSCLN.INF
06/15/2004 08:59a 350 autoupdate.xml
03/05/2003 08:27p 381 ravupdt.ini
12/11/2002 02:08a 395 tgctlar.inf
06/16/2004 11:07a 404 get_xml.php.user
07/04/2003 06:21p 411 OSInfo.inf
09/05/2001 05:22a 411 isetup.inf
07/04/2003 05:16p 453 SiS_OCX.inf
06/06/2003 05:23p 477 play365.inf
08/07/2003 09:06a 525 asinst.inf
09/04/2003 03:02p 583 ravonline.inf
06/09/2003 02:17p 618 PCPitstop.inf
10/14/1997 06:52p 697 DirectAnimation Java Classes.osd
04/16/2003 03:24p 698 ChatSpace Full Java Client 4.0.0.300.osd
07/27/2002 04:25p 733 ymmapi.inf
11/25/2003 09:32a 754 Rovion.inf
03/13/2003 11:03a 962 IPIXX.inf
08/25/2003 06:12p 1,096 iuctl.inf
01/20/2000 03:25p 1,162 Microsoft XML Parser for Java.osd
03/28/2002 05:05p 1,268 erma.inf
11/17/1999 05:41p 1,522 voxmsdec.inf
05/01/2000 07:06p 1,988 wmvax.inf
03/02/2001 02:43p 2,132 wmv8ax.inf
08/11/2000 04:31p 2,140 msscrnax.inf
12/08/2003 01:58p 3,759 swflash.inf
06/17/2004 10:02p 4,068 dpf.txt
04/18/2003 08:11p 6,638 ravllio.vxd
10/18/2000 05:21p 7,288 awswax.inf
06/26/2003 07:41p 7,736 UGO20.exe
06/15/2004 01:35p 11,381 update.log
03/21/2002 01:53a 16,202 sdclicense.txt
09/05/2001 05:22a 24,576 iSetup.dll
04/18/2003 01:59p 53,248 DiskFAU.dll
06/08/2003 08:52p 59,556 Doremi.ttf
02/13/2003 11:07p 102,400 RntX.dll
06/02/2000 11:29a 102,912 ipixx.ocx
08/07/2003 09:02a 110,592 asinst.dll
08/12/2003 03:00p 110,592 activate.dll
05/03/2004 03:39p 118,784 SassCln.dll
10/20/2001 12:08a 155,648 yacsui.dll
07/27/2002 04:21p 155,714 ymmapi.dll
09/05/2001 05:21a 159,744 iSetup.exe
09/04/2003 02:33p 167,936 ravscan.dll
09/04/2003 03:00p 200,704 ravonline.dll
06/02/2003 03:46p 233,472 mnviewer.dll
05/27/2003 06:24p 233,472 yacscom.dll
06/11/2003 05:31p 249,856 PCPitstop.dll
09/04/2003 02:34p 290,816 ravupdt.dll
11/25/2003 09:22a 307,200 Rovion.dll
06/06/2003 06:06p 335,872 Play365.dll
05/16/2004 11:48a 393,216 imloader.exe
10/27/2003 11:35a 510,552 MSNChat45.ocx
07/11/2003 02:57a 562,160 QuickTimeInstaller.exe
03/22/2002 01:59p 565,248 RdxIE.dll
07/11/2003 02:59a 5,201,532 QuickTimeInstallCache.qdat
01/16/2004 11:25p 19,979,192 iTunesSetup.exe
67 File(s) 30,464,553 bytes
5 Dir(s) 3,332,952,064 bytes free

#24 WinHelp2002

Posted 18 June 2004 - 09:52 PM

Hi,

Should there be 4 iereset.inf files??

The one you need to edit and use should be located in your Winnt\Inf folder.

The "Strings" section should look like:

[Strings]
START_PAGE_URL="http://www.microsoft...r=6&ar=msnhome"
SEARCH_PAGE_URL="http://www.microsoft...ie&ar=iesearch"
SAFESITE_VALUE="ie.search.msn.com"


As for the files in Downloaded Program Files, you need to delete:

06/26/2003 07:41p 7,736 UGO20.exe
05/03/2004 03:40p 306 SASSCLN.INF
02/13/2003 11:07p 102,400 RntX.dll
03/22/2002 01:59p 565,248 RdxIE.dll

Start | Run (type) cmd (click Ok)

(type) cd\WINNT\Downloaded Program Files (press Enter)

Next:

(type) del UGO20.exe (press Enter after each)
(type) del SASSCLN.INF
(type) del RntX.dll
(type) del RdxIE.dll

Edited by WinHelp2002, 18 June 2004 - 09:54 PM.

Mike

#25 cear

Posted 18 June 2004 - 10:26 PM

Microsoft Windows 2000 [Version 5.00.2195]
© Copyright 1985-2000 Microsoft Corp.


C:\WINNT\Downloaded Program Files>del UGO20.exe

C:\WINNT\Downloaded Program Files>del SASSCLN.INF

C:\WINNT\Downloaded Program Files>del RntX.dll

C:\WINNT\Downloaded Program Files>del RdxIE.dll

C:\WINNT\Downloaded Program Files>



Hopefully, all of that looks right to you...just thought I would post what I did just to be sure.

I did add the SAFESITE string to the iereset.inf file in the Winnt\Inf folder and deleted the other three iereset.inf files.

I also ran another Spybot scan and it came up with nothing! First time that has happened! Sounds like my computer is finally getting in good shape.

I don't know if I need to reboot for those files to actually be deleted and not show up. But think I will reboot and bring up the dpf.txt file and maybe post the updated copy.

#26 cear

Posted 18 June 2004 - 10:51 PM

Well, seems they are still there, but maybe I just don't understand the cmd function...maybe they are being blocked or something. Anyway, I did reboot and opened the dpf.txt file again and here are the contents:

Volume in drive C is DRIVE_C
Volume Serial Number is A881-AAB5

Directory of C:\WINNT\Downloaded Program Files


Directory of C:\WINNT\Downloaded Program Files

06/17/2004 10:02p <DIR> ..
06/15/2004 01:35p <DIR> rave
06/12/2004 11:41p <DIR> CONFLICT.1
06/17/2004 10:02p <DIR> .
06/11/2003 09:17p <DIR> temp
06/06/2004 02:30p 57 res.htm
06/12/2003 08:54p 65 desktop.ini
09/13/2002 10:56a 144 QTPlugin.inf
06/17/2004 10:53a 156 get_xml.php
08/27/2002 09:59a 173 setup.inf
02/06/2003 04:38p 209 RntX.inf
08/12/2003 03:13p 231 activate.inf
06/02/2003 03:32p 232 Mnviewer.inf
05/25/2003 02:47p 233 yacscom.inf
10/23/2001 01:18p 243 yacsui.inf
10/24/2003 02:01p 278 MsnChat45.inf
05/03/2004 03:40p 306 SASSCLN.INF
06/15/2004 08:59a 350 autoupdate.xml
03/05/2003 08:27p 381 ravupdt.ini
12/11/2002 02:08a 395 tgctlar.inf
06/16/2004 11:07a 404 get_xml.php.user
07/04/2003 06:21p 411 OSInfo.inf
09/05/2001 05:22a 411 isetup.inf
07/04/2003 05:16p 453 SiS_OCX.inf
06/06/2003 05:23p 477 play365.inf
08/07/2003 09:06a 525 asinst.inf
09/04/2003 03:02p 583 ravonline.inf
06/09/2003 02:17p 618 PCPitstop.inf
10/14/1997 06:52p 697 DirectAnimation Java Classes.osd
04/16/2003 03:24p 698 ChatSpace Full Java Client 4.0.0.300.osd
07/27/2002 04:25p 733 ymmapi.inf
11/25/2003 09:32a 754 Rovion.inf
03/13/2003 11:03a 962 IPIXX.inf
08/25/2003 06:12p 1,096 iuctl.inf
01/20/2000 03:25p 1,162 Microsoft XML Parser for Java.osd
03/28/2002 05:05p 1,268 erma.inf
11/17/1999 05:41p 1,522 voxmsdec.inf
05/01/2000 07:06p 1,988 wmvax.inf
03/02/2001 02:43p 2,132 wmv8ax.inf
08/11/2000 04:31p 2,140 msscrnax.inf
12/08/2003 01:58p 3,759 swflash.inf
06/17/2004 10:02p 4,068 dpf.txt
04/18/2003 08:11p 6,638 ravllio.vxd
10/18/2000 05:21p 7,288 awswax.inf
06/26/2003 07:41p 7,736 UGO20.exe
06/15/2004 01:35p 11,381 update.log
03/21/2002 01:53a 16,202 sdclicense.txt
09/05/2001 05:22a 24,576 iSetup.dll
04/18/2003 01:59p 53,248 DiskFAU.dll
06/08/2003 08:52p 59,556 Doremi.ttf
02/13/2003 11:07p 102,400 RntX.dll
06/02/2000 11:29a 102,912 ipixx.ocx
08/07/2003 09:02a 110,592 asinst.dll
08/12/2003 03:00p 110,592 activate.dll
05/03/2004 03:39p 118,784 SassCln.dll
10/20/2001 12:08a 155,648 yacsui.dll
07/27/2002 04:21p 155,714 ymmapi.dll
09/05/2001 05:21a 159,744 iSetup.exe
09/04/2003 02:33p 167,936 ravscan.dll
09/04/2003 03:00p 200,704 ravonline.dll
06/02/2003 03:46p 233,472 mnviewer.dll
05/27/2003 06:24p 233,472 yacscom.dll
06/11/2003 05:31p 249,856 PCPitstop.dll
09/04/2003 02:34p 290,816 ravupdt.dll
11/25/2003 09:22a 307,200 Rovion.dll
06/06/2003 06:06p 335,872 Play365.dll
05/16/2004 11:48a 393,216 imloader.exe
10/27/2003 11:35a 510,552 MSNChat45.ocx
07/11/2003 02:57a 562,160 QuickTimeInstaller.exe
03/22/2002 01:59p 565,248 RdxIE.dll
07/11/2003 02:59a 5,201,532 QuickTimeInstallCache.qdat
01/16/2004 11:25p 19,979,192 iTunesSetup.exe
67 File(s) 30,464,553 bytes
5 Dir(s) 3,332,952,064 bytes free


There also appeared another dpf.txt file, it's in the "Recent" folder. Guess this is normal.

Anyway, maybe those files I deleted are actually deleted...just still listed?

Well, one thing's for sure, my technical ignorance continues to show!
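
A way to settle the question in this post and the previous one (are the four files gone, or is the listing just old?), as an added Python example that is not code from this thread or from any of the tools mentioned in it. It parses a saved `dir` listing of the kind posted as dpf.txt, reports which of the four flagged files still appear, and flags the snapshot as stale when the dpf.txt entry's own timestamp is earlier than the post in which the `del` commands were run. The pre-deletion listing is a constructed subset of the one posted above; the post-deletion listing and its dpf.txt timestamp are assumptions.

```python
"""Added example: check a saved `dir` listing (like C:\\dpf.txt in this
thread) for files that were supposed to be deleted, and detect when the
listing itself predates the deletion and so cannot show the result."""
import re
from datetime import datetime

# One entry line of Windows 2000 `dir /a` output, e.g.
#   06/26/2003 07:41p 7,736 UGO20.exe
#   06/15/2004 01:35p <DIR> rave
# Names may contain spaces, so the name group takes the rest of the line.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}[ap])\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)


def _parse_stamp(date, time):
    """'06/17/2004', '10:02p' -> datetime(2004, 6, 17, 22, 2)."""
    hour, minute = (int(x) for x in time[:-1].split(":"))
    if time[-1] == "p" and hour != 12:
        hour += 12
    elif time[-1] == "a" and hour == 12:
        hour = 0
    month, day, year = (int(x) for x in date.split("/"))
    return datetime(year, month, day, hour, minute)


def parse_dir_listing(text):
    """Map each entry name to (timestamp, size); size is None for <DIR>.
    Header and summary lines ("Volume in drive", "67 File(s)") do not match
    the entry pattern and are ignored, as are the '.' and '..' entries."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group("name") in (".", ".."):
            continue
        size = m.group("size")
        size = None if size == "<DIR>" else int(size.replace(",", ""))
        stamp = _parse_stamp(m.group("date"), m.group("time"))
        entries[m.group("name")] = (stamp, size)
    return entries


def still_present(listing, names):
    """Return the flagged names that still appear in the listing.
    Comparison is case-insensitive, as Windows file name lookup is."""
    lower = {n.lower() for n in listing}
    return [n for n in names if n.lower() in lower]


def snapshot_is_stale(listing, snapshot_name, action_time):
    """True if the snapshot file's own entry is older than the action it is
    supposed to show; None if the snapshot file is not in the listing."""
    entry = listing.get(snapshot_name)
    return None if entry is None else entry[0] < action_time


# Constructed subset of the dpf.txt posted in this thread (before deletion).
STALE_LISTING_TEXT = """\
 Volume in drive C is DRIVE_C
 Volume Serial Number is A881-AAB5

 Directory of C:\\WINNT\\Downloaded Program Files

06/17/2004 10:02p <DIR> ..
06/15/2004 01:35p <DIR> rave
06/17/2004 10:02p <DIR> .
06/26/2003 07:41p 7,736 UGO20.exe
05/03/2004 03:40p 306 SASSCLN.INF
10/14/1997 06:52p 697 DirectAnimation Java Classes.osd
02/13/2003 11:07p 102,400 RntX.dll
06/17/2004 10:02p 4,068 dpf.txt
03/22/2002 01:59p 565,248 RdxIE.dll
 67 File(s) 30,464,553 bytes
 5 Dir(s) 3,332,952,064 bytes free
"""

# Assumed listing taken after the four `del` commands (constructed;
# the new dpf.txt timestamp and size are assumptions).
FRESH_LISTING_TEXT = """\
 Directory of C:\\WINNT\\Downloaded Program Files

06/15/2004 01:35p <DIR> rave
10/14/1997 06:52p 697 DirectAnimation Java Classes.osd
06/18/2004 10:40p 3,900 dpf.txt
"""

FLAGGED = ["UGO20.exe", "SASSCLN.INF", "RntX.dll", "RdxIE.dll"]
# Time of the post in which the `del` commands were run (18 June 2004, 10:26 PM).
DELETION_TIME = datetime(2004, 6, 18, 22, 26)

STALE_LISTING = parse_dir_listing(STALE_LISTING_TEXT)
FRESH_LISTING = parse_dir_listing(FRESH_LISTING_TEXT)

if __name__ == "__main__":
    for label, listing in (("old dpf.txt", STALE_LISTING), ("fresh dpf.txt", FRESH_LISTING)):
        print(label, "still lists:", still_present(listing, FLAGGED),
              "| predates deletion:", snapshot_is_stale(listing, "dpf.txt", DELETION_TIME))
```

Run against the old snapshot, the check reports all four files as still listed but also that the snapshot predates the deletion, so the listing proves nothing either way; a listing regenerated after the `del` commands is what actually answers the question.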

#27 WinHelp2002

Posted 20 June 2004 - 03:16 AM

Hi,
Sorry it took so long to get back to you, I guess SWI was having technical difficulties yesterday? Anyway ... did you reboot and then create a fresh "dpf.txt" file? Otherwise I think you're in good shape now. :wave:
Mike

#28 cear

Posted 20 June 2004 - 09:30 PM

I'm just guessing that creating a fresh dpf.exe file can mean deleting the contents of the old one? I hope so. I thought that would be safest.

Anyway, things seem to be running great here. As said before, can't thank you enough for all your help. I would STILL be having all those problems if not for you, so I really appreciate everything (and again I have to say, your patience is appreciated very much too).

#29 WinHelp2002

Posted 21 June 2004 - 03:19 AM

cear,
You're welcome ... glad to see you were able to resolve your problem. :wave:
Mike
