22nd May 2004, 13:07   #11
DJ Egg
Winamp & SHOUTcast Team
Join Date: Jun 2000
Posts: 35,821
Yes! Yay! woohoo

/me takes a bow

Thanks for the zip punkcrib.
Hmm... very interesting.
I'll be passing this useful info on to the SpybotSD and Adaware people.

Yup, it's also replacing the default Winhlp32.exe (Windows Help) file with a version of its own.
So you'll need to restore the original from the WinXP CD, or there may be a good version of it that you can copy over from one of these folders:
Note that the correct filesize for the legitimate Winhlp32.exe file in the Windows dir is 277kb (WinXP sp2) or 261kb (WinXP sp1). The legit version has a yellow question mark icon.

winhlp32.dll = Free Community Toolbar malware
also known as easytoolbar or Lizard Bar foistware/browser hijacker.
This however appears to be a new variant.

So, make sure you end process in Task Manager
for all instances of Winhlp32.dll / Winhlp32.dll.exe / Winhlp32.exe
and then delete the offending files
(naturally, also making sure that the relevant HKLM/..Run
startup entries are disabled first, using HJT or msconfig).

Winhlp32.* is the file which is sabotaging Winamp.
It hooks and then sends WM_USER+2 messages to every window in the system.
WM_USER+2 in Winamp = WM_MPEG_EOF
which is the message sent by the decoder thread to tell the song has ended.

"get_xml.php.user" file provides some useful info:


<Task name="task1" showprocess="no" type="version" version="" >
<File url="" filename="VVSN_MKTE0404Inst.exe" localpath="%" />
<File url="" filename="OMPInst.exe" localpath="%" run="yes" />
<Get key="HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\SYNC\Partner"
<Task name="storesearch" showprocess="no" type="version" version="" >
<File url="" filename="winhlp32.dll" localpath="%" run="yes" />


and the crux of the issue comes from "autoupdate.xml"
Here's where winhlp32.* is coming from, loading on a timer.
Also note that the url is still active,
proving that is the source of this evil !

<Task name="self" showprocess="no" type="version" version="" >
<File url=""
filename="winhlp32.exe" run="yes" install="yes" localpath="" />

<TimePeriodTimeBased type="hour" value="1"/>
<TimePeriodUpdateXml type="hour" value="12"/>


So, it's also installing Easytoolbar and WhenUSave spyware.
Hopefully SpybotSD or Adaware have already removed these files,
but if not, I suggest you root out and delete all of:


The first places to look would be:
C:\Windows\System32 (WinXP)
C:\Windows\System (Win9x/ME)
C:\WinNT\System32 (Win2k)
C:\Windows\Downloaded Program Files

If the default Windows Help file has been replaced
then you will need to restore the original version from the Windows Setup CD.
In WinXP, this file has a yellow question mark icon ? and is 8kb.
There will also be a winhlp32.exe in the Windows dir,
with the same yellow question mark icon, size = 261kb.
There will be a backup version of this file in c:\windows\system32\dllcache.
If the filesizes don't match, and the icon is anything different to a yellow question mark
(eg. the one in punkcrib's zip is a yellow circle with a "Z" in the middle),
then you will know that the default Help files have been replaced by these bogus malware versions.

I also strongly recommend that you add all of:


to the Restricted Zone in Internet Explorer Options > Security.

And now would also be a good time to empty your internet cache
(Temporary Internet Files -> Delete).

Further steps you can take to protect yourselves:

Install Spywareblaster
You'll actually see a link to this in the SpybotSD > Immunize tab

Install then run the program.
Click the Updates button
Let it install all updates
Then click "enable all protection".
You can now safely close the program.

Be sure to repeat this action at least once a week,
to make sure the detection files are up to date.

If you go to Tools > Custom Blocking
You can manually add the following entry:

Name = winhlp32 reactivator
CLSID = {6C31790D-1EDF-4B05-83DC-925B3A8E2318}

Then checkmark it and click "protect against checked items"

Optionally, you can also install SpywareGuard
which runs permanently in the systray.

I'll be adding a link to this thread in the Troubleshooters FAQ.

Thanks again.


Ah, the link to punkcrib's zip is now dead.
I've put up a new link to it here
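A triage aid for the two updater configs quoted in the post above. It is an added example, not part of the original post or of any tool it names. It lists which files such a config runs, flags those named after a Windows system file, and reads the polling timers. The `<Tasks>` root element, the closing tags in the sample, and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET
SYSTEM_STEMS = {"winhlp32"}  # genuine Windows file name the post says was impersonated
ATTR = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: the fragments quoted in the post, closed into well-formed
# XML. The <Tasks> root and the closing tags are assumptions; urls stay empty.
SAMPLE = """<Tasks>
<Task name="task1" showprocess="no" type="version" version="">
<File url="" filename="VVSN_MKTE0404Inst.exe" localpath="%" />
<File url="" filename="OMPInst.exe" localpath="%" run="yes" />
</Task>
<Task name="storesearch" showprocess="no" type="version" version="">
<File url="" filename="winhlp32.dll" localpath="%" run="yes" />
</Task>
<Task name="self" showprocess="no" type="version" version="">
<File url="" filename="winhlp32.exe" run="yes" install="yes" localpath="" />
</Task>
<TimePeriodTimeBased type="hour" value="1"/>
<TimePeriodUpdateXml type="hour" value="12"/>
</Tasks>"""

def _elements(text):
    """Yield (tag, attrs, enclosing task name); regex fallback for cut-off XML."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        task = None
        for tag, body in re.findall(r"<(\w+)\b([^<>]*)>", text):
            attrs = dict(ATTR.findall(body))
            task = attrs.get("name") if tag == "Task" else task
            yield tag, attrs, task
        return
    for parent in root.iter():
        for child in parent:
            yield child.tag, dict(child.attrib), parent.get("name")

def triage(text):
    """Return (files the config fetches, its timers as {tag: (value, unit)})."""
    files, timers = [], {}
    for tag, a, task in _elements(text):
        if tag == "File":
            name = a.get("filename", "")
            files.append({"task": task, "filename": name, "runs": a.get("run") == "yes",
                          "masquerades": name.lower().split(".")[0] in SYSTEM_STEMS})
        elif tag.startswith("TimePeriod"):
            timers[tag] = (int(a.get("value", 0)), a.get("type"))
    return files, timers
def suspicious(text):
    """File names that are executed and borrow a Windows system file's name."""
    return [f["filename"] for f in triage(text)[0] if f["runs"] and f["masquerades"]]
```

`suspicious(SAMPLE)` returns the two `winhlp32.*` entries, and the regex fallback keeps working on a config that is cut off mid-tag.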