Helponline.exe????

Discussion in 'Malware Help (A Specialist Will Reply)' started by MommyFish, Dec 27, 2005.

  1. MommyFish

    MommyFish Private E-2

    OK - we replaced a fan in my bf's system yesterday - now all of a sudden he is running at 100% CPU usage constantly - I finally got into Task Manager (Win XP Pro) and there are 251 processes running (he usually has about 35) - seems to be almost all "iexplore.exe" and "helponline.exe"

    I'm going to try to stop them running from task manager, but has anyone heard of this "helponline" file? Google produced no results.... My guess is he got some type of malware or virus that is telling the program to open ie and run helponline over and over again - thoughts?

    Thanks bunches, as always.

    Kristina
     
  2. MommyFish

    MommyFish Private E-2

    Oh crap - processes have gone from 251 to 281 - now Task Mgr shows a program running called "BEND COAL BAIT.exe" Another new one on me...
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That sounds like a LOP infection. You did not install Messenger Plus....did you?

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis

     
  4. MommyFish

    MommyFish Private E-2

    I don't think he has that on there, he's not a big IM fan - I'll try the steps and get back to you, thanks bunches.

    --OMG - this will take forever - I can barely get into any of the Start Programs or Ctrl Panel because the sys is running at a constant 100% - this is like running a 286, lol. Is there any way to stop programs from running so I can access Ctrl Panel etc? (302 processes and counting)
     
  5. MommyFish

    MommyFish Private E-2

    OK - impossible to get to control panel - should I start with step 5 and reboot in safe mode to get to add/remove programs?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Skip the uninstall part related to Add/Remove programs and go to step 2. Let me know if you can work from there down.
     
  7. MommyFish

    MommyFish Private E-2

    No can do - can't get to Start - every few seconds the program reloads and the button executions are not recognized...or recognized too slowly. Task Manager is the only thing up on my screen and I can barely maneuver in that (processes are at 341 now). However, if my memory serves, he already has his "show hidden/system files" checked.

    (I am accessing this via my separate computer 2 feet away, btw)
     
  8. MommyFish

    MommyFish Private E-2

    LOL - looks like Ctrl panel may be coming up in a sec...it only took 10 minutes or so...If I can I'll check that hidden/sys is checked and try to get to add/remove progs. :eek:

    Oh, and he normally has current NAV and Personal Firewall running, regularly scans with Adaware, etc etc. His NAV caught a "Download.trojan" several days ago, and it seemed to have deleted it as appropriate.
     
  9. MommyFish

    MommyFish Private E-2

    No go on Ctrl Panel - it just won't give it to me. Got a Plan B?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you download and install programs?
     
  11. MommyFish

    MommyFish Private E-2

    Not a hope in hell on that - I can't get to anything in Windows it seems, as soon as I try to click anywhere, that damn program re-executes and I lose mouse etc etc - think of a really really really slow computer trying to execute my commands in order. All I have up is Task Manager. I am able to "end process" one at a time, but by the time it accepts the command and ends it, another has taken its place.

    Time for Safe Mode?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You will have to see if you can either get HijackThis on there to get me a log or you will have to write down all the process names (not too useful from Task Manager since it does not show full paths and does not show ALL processes either). Try safe mode and also make sure you are physically disconnected from the internet by unplugging cables.

    Sounds like you may have some services running that may need to be shut down. If msconfig works, you could try a selective boot with startups and non-MS services shut down.
     
    Last edited: Dec 27, 2005
  13. MommyFish

    MommyFish Private E-2

    Safe mode it is - back in a few... =)
     
  14. MommyFish

    MommyFish Private E-2

    OK - in safe mode it is still slower than molasses, but manageable - the only processes running now are the predictable ones, down to 14 of them - I am going to check add/remove and then....

    get Hijack this on the system, run it and get you a log.

    Correct?

    This is the list of running processes in safe mode, just for giggles:

    taskmgr.exe
    rundll32.exe
    ctfmon.exe
    explorer.exe
    svchost.exe
    svchost.exe
    svchost.exe
    lsass.exe
    services.exe
    winlogon.exe
    csrss.exe
    smss.exe
    system
    system idle process
     
  15. MommyFish

    MommyFish Private E-2

    OK, I can't access the internet on that system, so I can't d/l hijackthis, but I can run Adaware and a few others that I had already installed on his system - any other suggestions?

    Thanks bunches...
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Get HijackThis by downloading elsewhere and unzipping. Then use a floppy, a flash drive, a CD or another method to get it to the infected drive. I would prefer a HijackThis log from normal boot mode, but to get things started, any log you can get will do. The task list from Safe mode shows nothing unusual.

    You can also run Ad-Aware in normal boot mode too (hopefully it is a current version with an updated reference file) and save a log and post it here as an attachment.
     
  17. MommyFish

    MommyFish Private E-2

    Will do - have to shut down for the night and will send tomorrow morning - thanks so much Chas - I really appreciate it!

    Kristina (a fellow Folder)
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Alrighty! Anyway you can get this started would be good. I'm not sure if all the problems are malware or if maybe some are related to Windows software issues. Have to see more info to know.
     
  19. MommyFish

    MommyFish Private E-2

    Hi,

    If you are still there, I have managed to speed up my performance quite a bit by pulling out the little battery on the motherboard for about 30 seconds. After reinstalling that little ditty, I had a slow start-up with Norton SystemWorks not running, claiming some sort of issue. Of course my system clock reset, which I suspect helped in some way to increase my performance. However, the system is still running rather oddly.

    Evidently, I still have background programs/processes running. Norton is asking me to uninstall and then reinstall my Norton products, and I keep getting the "Error Report" splash box that appears about every 30-40 seconds stating that there has been an error with "BLAHCOOL.EXE" which I have NEVER heard of before - the same program every time, "BLAHCOOL.EXE" in all caps. I don't know how it got on my system or why it is on my system. While writing this it has appeared about 10 times - literally. I keep clicking on the "Send Error Report" button - the other options being "Debug" and "Don't Send". Every so often when I hit the "Send Error Report" button in the splash box I suddenly have multiple instances of the splash box appearing. Hitting "Debug" works to close the boxes in this instance - if this matters - I dunno??? I am at a loss for what is happening. Other than I suspect Malware/Spyware. I am praying for the $$$ for a Mac at this point.

    I was able to download Hijack this and have attached the log for your review (as an attachment, of course).

    Thank you for your help... awaiting your reply - eagerly and with bated breath....
    signed

    confused:
     

    Attached Files:

  20. MommyFish

    MommyFish Private E-2

    Did a file search - system found this file BLAHCOOL.EXE-2CF812AB.PF in the directory c:\windows\prefetch - the plot thickens...lol

    Also - I have turned Off my system restore.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go to Add/Remove Programs and uninstall Daily Weather Forecast.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Documents and Settings\All Users\Application Data\that close proxy browse\BLAHCOOL.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {924DFDBF-28DC-9EC5-3E57-55C97F982687} - C:\DOCUME~1\JOHNNY~1\APPLIC~1\SCRBALL\softwarebeep.exe
    O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
    O4 - HKLM\..\Run: [proxy browse extra four] C:\Documents and Settings\All Users\Application Data\that close proxy browse\BLAHCOOL.exe
    O4 - HKCU\..\Run: [Extra view] C:\DOCUME~1\JOHNNY~1\APPLIC~1\README~1\ante free link.exe
    Do you recognize these next 3 items? If not, fix them too.
    O16 - DPF: {0AA2D4B3-27C3-42CB-B671-8B6CF97AE4FE} (TSAEButton Class) - https://www.cwinsider.com/cwi/frntd/advantedge/TSAEButn.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://inotes.cwinsider.com/mailsv05/iNotes6W.cab
    O16 - DPF: {AA5EB1A7-E492-4F88-9989-0AB26B52F4A6} (RZHelper Class) - http://portal.relizon.com/wlcs/controls/RZOFFICE.CAB

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Daily Weather Forecast <--- the whole folder
    C:\Documents and Settings\All Users\Application Data\that close proxy browse <--- delete the whole that close proxy browse folder
    C:\Documents and Settings\JOHNNY~1\Application Data\SCRBALL <--- delete the whole SCRBALL folder
    C:\Documents and Settings\\JOHNNY~1\Application Data\README~1 <--- delete the whole README~1 folder (README~1 is a shortened form of the full folder name)

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
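    An added triage helper for the HijackThis O2/O4/O16 lines quoted in the post above (example code written for this thread, not HijackThis's own or the forum's). It parses those line types into records and attaches defender heuristics; the "runs from Application Data" rule and the `known_hosts` allowlist are assumptions chosen to match what the post points out, not HijackThis features.

```python
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# Constructed sample: the HijackThis lines quoted in the post above,
# trimmed to a single O16 entry to keep the example short.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {924DFDBF-28DC-9EC5-3E57-55C97F982687} - C:\DOCUME~1\JOHNNY~1\APPLIC~1\SCRBALL\softwarebeep.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [proxy browse extra four] C:\Documents and Settings\All Users\Application Data\that close proxy browse\BLAHCOOL.exe
O4 - HKCU\..\Run: [Extra view] C:\DOCUME~1\JOHNNY~1\APPLIC~1\README~1\ante free link.exe
O16 - DPF: {0AA2D4B3-27C3-42CB-B671-8B6CF97AE4FE} (TSAEButton Class) - https://www.cwinsider.com/cwi/frntd/advantedge/TSAEButn.cab
"""

# One regex per HJT section handled here (O2 = BHO, O4 = Run key, O16 = ActiveX DPF).
_RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
_RE_O4 = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
_RE_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<target>\S+)$")

# Assumed heuristic: autostart targets under a per-user or shared
# "Application Data" folder (long or 8.3 short form) deserve a second look.
_APPDATA = re.compile(r"\\(Application Data|APPLIC~1)\\", re.IGNORECASE)

@dataclass
class Entry:
    kind: str        # "O2", "O4" or "O16"
    name: str
    clsid: str       # empty for O4 lines, which carry no CLSID
    target: str      # file path (O2/O4) or download URL (O16)
    flags: List[str] = field(default_factory=list)

def parse_hjt(text: str) -> List[Entry]:
    """Parse O2/O4/O16 lines into Entry records; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("O2", _RE_O2), ("O4", _RE_O4), ("O16", _RE_O16)):
            m = rx.match(line)
            if m:
                g = m.groupdict()
                entries.append(Entry(kind, g["name"], g.get("clsid", ""), g["target"]))
                break
    return entries

def triage(entries: List[Entry], known_hosts=()) -> List[Entry]:
    """Attach heuristic flags; an empty flags list means 'nothing stood out'."""
    for e in entries:
        if e.kind == "O2" and e.target == "(no file)":
            e.flags.append("orphan BHO: CLSID registered but DLL missing")
        if e.kind in ("O2", "O4") and _APPDATA.search(e.target):
            e.flags.append("runs from Application Data, not Program Files")
        if e.kind == "O16":
            host = urlparse(e.target).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in known_hosts):
                e.flags.append(f"ActiveX from unrecognised host {host}")
    return entries
```

    The heuristics are a triage aid only: an unflagged entry such as the weather.exe Run key still needs the human judgement the post applies.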
  22. MommyFish

    MommyFish Private E-2

    Hello,

    First off let me thank you for your time and efforts with my dilemma.

    Step One: Deleting "Daily Weather Forecast" from Add/Remove Programs did not work. Only because it was truly nowhere to be found in the programs list. However it was found in a later step (as a folder) which, of course, I deleted.

    Step Two: Deleting "C:\Documents and Settings\All Users\Application Data\that close proxy browse\BLAHCOOL.exe" - also could not be found.

    I proceeded with the next steps that went precisely as described in your instructions.

    I did, in fact, recognize some of the entries; I work for Countrywide Home Loans and a couple of the entries referring to CW Insider are the Countrywide home page for employees. This allows employees to do work via Terminal Services Client, AKA "Remote Desktop" - I think it is now called. Hopefully we are upgrading our version of Windows soon at Countrywide. Anyhoo - all else seemed to go well.... I think.

    I could not reboot in regular mode at first. However, when rebooted again (into Safe Mode) I reset my system date/time settings to reflect the current date. Norton liked me for doing this (apparently) because then I rebooted one more time (in Regular Mode) and the PC did in fact seem to boot properly.

    Finally, I ran the second scan of "HijackThis" and am attaching it to this posting awaiting your reply.

    Thanks
     

    Attached Files:

  23. MommyFish

    MommyFish Private E-2

    Oh, one more thing? If all is okay at this point according to HijackThis, may I turn my System Restore back on? I won't do this until I get the okay from you specifically.

    Thanks again
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First you should really complete the rest of the READ & RUN ME since you were not able to run things before. HJT logs do not show everything. That is why the procedures use it last. Post the logs from BitDefender and Panda.

    How are things working right now?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  26. MommyFish

    MommyFish Private E-2

    I am running it as I type... hope that is not a no-no.

    I'll be back with the log. It has already found 13 infected items at the 50% complete point.
     
  27. MommyFish

    MommyFish Private E-2

    Okay,

    It took almost 2 hours but the scan from Ewido seems to be well worth it. It found 18 infected files. I have attached a copy of the scan as per your instructions.

    Let me know if I am on my way to normal... well - at least as my PC is concerned. LOL!
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It would be a good idea to point out these infections from trying to use illegal software cracks and key generators to whoever owns and uses the PC. As you can see, it was not a good idea.
    C:\Documents and Settings\Johnny V\My Documents\Tech Stuff\Key Generators cRaCkS and pATCHES\microsoft.product.activation.crack.all.products.office.wind.zip/microsoft.product.activation
    .crack.all.products.office.windows.xp.2003.pro.professional.home.server.enterprise.exe/instw32.exe -> Dropper.DNet.b : Cleaned with backup
    C:\Documents and Settings\Johnny V\My Documents\Tech Stuff\Key Generators cRaCkS and pATCHES\Office 2003 KeyGen.exe -> Worm.Mapson : Cleaned with backup

    You should delete the files in SpywareNuker's backup folder. It probably has an option to delete them.
    C:\Program Files\Spyware Nuker 2004\backup\200512211958.zip/newdotnet6_98.dll.000 -> Spyware.NewDotNet : Error during cleaning
    C:\Program Files\Spyware Nuker 2004\backup\200512211958.zip/uninstall6_98.exe.000 -> Adware.NewDotNet : Error during cleaning

    How is everything working now?
     
    Last edited: Dec 30, 2005
  29. MommyFish

    MommyFish Private E-2

    Hello,

    The speed of my PC is actually a bit better than even before the problems were noticeable. I will make certain the crack stuff is not an issue in the future.

    Everything appears to be good. I will keep using: Ewido, CCleaner, Microsoft's Antispyware program, Spybot, Adaware, Spyware Nuker, and Spyware Blaster in addition to Norton SystemWorks. Geeeeeze!! Could they not just combine all this into one big office suite that automatically ran once a week (say Monday morning at 2:00 am?)

    ... sorry - just dreaming.

    In your experience, may I ask your opinion of Apple PCs? Do you think they are worth it?

    Oh - and may I turn on System Restore ?

    Thank you again for all your time and consideration regarding this issue - you guys Rock!!! :)
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any more malware problems, enable System Restore now. And then start working thru the below:

    How to Protect yourself from malware!

    However I would not keep all three of the below running full time. Only keep one:
    Ewido
    Microsoft's Antispyware
    Spyware Nuker

    My first choice to remove, as it is the least useful (even less useful than Spybot which is free), is Spyware Nuker. If you are not going to buy Ewido, uninstall it and keep MS Antispyware which is free.

    Combining into one application is what Symantec and McAfee and some others have already done. They call them names like Internet Security Suites. They are huge resource hogs and not worth the money.

    Apple PCs are nice. Some people really love them. I don't use them anymore and have not for a long time. Not enough freeware/shareware software is available for them. At least not like in the PC world. If Apple PCs were as dominant in the world as PCs, you would more than likely see similar malware issues on them. It is not worth the malware creators' time to attack them since there are not too many people (relatively speaking) using them. And also more people hate Microsoft.
     
  31. MommyFish

    MommyFish Private E-2

    You Guys are the best help I've found anywhere!... I mean On the Internet or in person!!!

    Thank you so0000 - very much!!

    Signed,

    Indebted for years to come
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. And thanks! Surf safely!
     
