Old 22nd May 2004, 13:07   #41
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
Yes! Yay! woohoo

/me takes a bow


Thanks for the zip punkcrib.
Hmm... very interesting.
I'll be passing this useful info on to the SpybotSD and Adaware people.

Yup, it's also replacing the default Winhlp32.exe (Windows Help) file with a version of its own.
So you'll need to restore the original from the WinXP CD, or there may be a good version of it that you can copy over from one of these folders:
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\$NtServicePackUninstall$
Note that the correct filesize for the legitimate Winhlp32.exe file in the Windows dir is 277kb (WinXP sp2) or 261kb (WinXP sp1). The legit version has a yellow question mark icon.


winhlp32.dll = Free Community Toolbar malware
also known as easytoolbar or Lizard Bar foistware/browser hijacker.
This however appears to be a new variant.


So, make sure you end process in Task Manager
for all instances of Winhlp32.dll / Winhlp32.dll.exe / Winhlp32.exe
and then delete the offending files
(naturally, also making sure that the relevant HKLM/..Run
startup entries are disabled first, using HJT or msconfig).

Winhlp32.* is the file which is sabotaging Winamp.
It hooks and then sends WM_USER+2 messages to every window in the system.
WM_USER+2 in Winamp = WM_MPEG_EOF
which is the message sent by the decoder thread to tell the song has ended.


"get_xml.php.user" file provides some useful info:

code:

<AutoUpdate>
<Task name="task1" showprocess="no" type="version" version="1.0.0.1" >
<File url="http://easytoolbar.com/vvsn" filename="VVSN_MKTE0404Inst.exe" localpath="%" />
<File url="http://easytoolbar.com/vvsn" filename="OMPInst.exe" localpath="%" run="yes" />
<Get key="HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\SYNC\Partner"
url="http://easytoolbar.com/update/storeval.php?val=%val&amp;get_id=1&amp;uid=%uid"/>
</Task>
<Task name="storesearch" showprocess="no" type="version" version="1.0.0.1" >
<File url="http://www.easytoolbar.com/update/storesearch" filename="winhlp32.dll" localpath="%" run="yes" />
</Task>

</AutoUpdate>



and the crux of the issue comes from "autoupdate.xml"
Here's where winhlp32.* is coming from, loading on a timer.
Also note that the url is still active,
proving that mp3university.com is the source of this evil !

code:
<AutoUpdate>
<Task name="self" showprocess="no" type="version" version="2.0.0.0" >
<File url="http://mp3university.com/winhlp32.exe"
filename="winhlp32.exe" run="yes" install="yes" localpath="" />
</Task>

<Settings>
<TimePeriodTimeBased type="hour" value="1"/>
<TimePeriodUpdateXml type="hour" value="12"/>
</Settings>

</AutoUpdate>



So, it's also installing Easytoolbar and WhenUSave spyware.
Hopefully SpybotSD or Adaware have already removed these files,
but if not, I suggest you root out and delete all of:

VVSN_MKTE0404Inst.exe
OMPInst.exe
winhlp32.dll
winhlp32.dll.exe
updater.exe
autoupdate.xml
get_xml.php
get_xml.php.user
winhlp32.dllalias.txt
winhlp32.dlltemp.html


The first places to look would be:
C:\Windows\System32 (WinXP)
C:\Windows\System (Win9x/ME)
C:\WinNT\System32 (Win2k)
C:\Windows\Downloaded Program Files


If the default Windows Help file has been replaced
(c:\windows\system32\winhlp32.exe)
then you will need to restore the original version from the Windows Setup CD.
In WinXP, this file has a yellow question mark icon ? and is 8kb.
There will also be a winhlp32.exe in the Windows dir,
with the same yellow question mark icon, size = 261kb.
There will be a backup version of this file in c:\windows\system32\dllcache.
If the filesizes don't match, and the icon is anything different to a yellow question mark
(eg. the one in punkcrib's zip is a yellow circle with a "Z" in the middle),
then you will know that the default Help files have been replaced by these bogus malware versions.



I also strongly recommend that you add all of:

*.mp3university.com
*.easytoolbar.com
*.song-download-world.com
*.mp3downloading.com

to the Restricted Zone in Internet Explorer Options > Security.

And now would also be a good time to empty your internet cache
(Temporary Internet Files -> Delete).



Further steps you can take to protect yourselves:


Install Spywareblaster
You'll actually see a link to this in the SpybotSD > Immunize tab

Install then run the program.
Click the Updates button
Let it install all updates
Then click "enable all protection".
You can now safely close the program.

Be sure to repeat this action at least once a week,
to make sure the detection files are up to date.

If you go to Tools > Custom Blocking
You can manually add the following entry:

Name = winhlp32 reactivator
CLSID = {6C31790D-1EDF-4B05-83DC-925B3A8E2318}

Then checkmark it and click "protect against checked items"



Optionally, you can also install SpywareGuard
which runs permanently in the systray.


I'll be adding a link to this thread in the Troubleshooters FAQ.

Thanks again.

wOOt.


[Edit]
Ah, the link to punkcrib's zip is now dead.
I've put up a new link to it here
DJ Egg is offline  
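Added example, not part of DJ Egg's post or the original thread: the two updater configs quoted above, parsed into the things a cleanup needs (hosts to put in the Restricted Zone, files that are only dropped, files that are dropped and executed, and the re-download timers). The function names are made up for this example, and folding "www." into the bare domain is a simplification.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The two configs as quoted in the post above (blank lines dropped).
# Raw strings keep the registry-path backslashes literal.
GET_XML = r"""<AutoUpdate>
<Task name="task1" showprocess="no" type="version" version="1.0.0.1" >
<File url="http://easytoolbar.com/vvsn" filename="VVSN_MKTE0404Inst.exe" localpath="%" />
<File url="http://easytoolbar.com/vvsn" filename="OMPInst.exe" localpath="%" run="yes" />
<Get key="HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\SYNC\Partner"
url="http://easytoolbar.com/update/storeval.php?val=%val&amp;get_id=1&amp;uid=%uid"/>
</Task>
<Task name="storesearch" showprocess="no" type="version" version="1.0.0.1" >
<File url="http://www.easytoolbar.com/update/storesearch" filename="winhlp32.dll" localpath="%" run="yes" />
</Task>
</AutoUpdate>"""

AUTOUPDATE_XML = r"""<AutoUpdate>
<Task name="self" showprocess="no" type="version" version="2.0.0.0" >
<File url="http://mp3university.com/winhlp32.exe"
filename="winhlp32.exe" run="yes" install="yes" localpath="" />
</Task>
<Settings>
<TimePeriodTimeBased type="hour" value="1"/>
<TimePeriodUpdateXml type="hour" value="12"/>
</Settings>
</AutoUpdate>"""


def parse_updater_config(xml_text):
    """Return the download, registry-read and timer entries of one config."""
    # Stdlib parser is fine for these small samples; use a hardened XML
    # parser when feeding it files pulled from an infected machine.
    root = ET.fromstring(xml_text)
    files = []
    for task in root.iter("Task"):
        for f in task.iter("File"):
            url = f.get("url", "")
            files.append({
                "task": task.get("name"),
                "url": url,
                "host": (urlparse(url).hostname or "").lower(),
                "filename": f.get("filename", ""),
                # run="yes" is absent on files that are only dropped.
                "run": f.get("run", "no").lower() == "yes",
            })
    reg_reads = [(g.get("key"), g.get("url")) for g in root.iter("Get")]
    settings = root.find("Settings")
    timers = {} if settings is None else {
        el.tag: (int(el.get("value")), el.get("type")) for el in settings
    }
    return {"files": files, "registry_reads": reg_reads, "timers": timers}


def cleanup_summary(*configs):
    """Merge several configs into block-list hosts and file names to hunt."""
    hosts, dropped, executed = set(), set(), set()
    for cfg in configs:
        for f in parse_updater_config(cfg)["files"]:
            # Naive normalisation: fold "www." into the bare domain.
            host = f["host"]
            hosts.add(host[4:] if host.startswith("www.") else host)
            (executed if f["run"] else dropped).add(f["filename"])
    return sorted(hosts), sorted(dropped), sorted(executed)


if __name__ == "__main__":
    hosts, dropped, executed = cleanup_summary(GET_XML, AUTOUPDATE_XML)
    print("restrict:", hosts)
    print("dropped only:", dropped)
    print("dropped and run:", executed)
    print("timers:", parse_updater_config(AUTOUPDATE_XML)["timers"])
```

The hourly timer in autoupdate.xml is why deleting the files without first disabling the Run entry is not enough.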
Old 22nd May 2004, 14:52   #42
ujay
Forum King
 
Join Date: Jul 2001
Location: London
Posts: 6,072
The Egg strikes again

UJ
Old 22nd May 2004, 15:25   #43
JonnyMac
Moderator
 
Join Date: Dec 2000
Posts: 14,384
Great job DJ Egg and everyone else
Old 22nd May 2004, 18:05   #44
nickster
Junior Member
 
Join Date: May 2004
Posts: 5
Having a similar problem. Running Windows XP Pro on Dell 8300. Just started having problems yesterday with winamp. It randomly cycles through all songs, playing only the first 5 seconds of the song, in library as soon as I load the program. Installed spybot and adaware; uninstalled program, removed winamp from registry and reinstalled program. Also applied winamp 5 update. Like the product when first installed, but now I am frustrated. Any suggestions to remedy the problem?
Old 22nd May 2004, 18:09   #45
DrO
 
Join Date: Sep 2003
Posts: 27,873
he's my hero :swoon:

-daz
Old 22nd May 2004, 23:59   #46
siuhrebel
Junior Member
 
Join Date: May 2004
Posts: 2
THANK GOD !!!!

I followed the instructions and I too got rid of it.
I can enjoy my music now.
I do remember going to mp3university.com within the last few days before this happened. I guess we will have to stay away from the site for now.
Old 23rd May 2004, 00:06   #47
nickster
Junior Member
 
Join Date: May 2004
Posts: 5
Dr 0-
Read punkcrib's findings; unable to find winhlp32.dll.exe. I do have two instances of winhlp32.exe under 'Process' under Windows Task Manager. Ran HJT without any findings.

HELP!
Old 23rd May 2004, 00:09   #48
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
Hello?

Nickster
This thread says (SOLVED) !!!
This means that the solution has been found.
This also means that the solution is contained within the posts of this thread.
Have you read every post in full?
I'm not going to repeat the fix.
Follow the instructions, word for word!
If the solution does not work for you
then this means that you have a different problem
and you should be posting in a different thread.
Plus, you haven't even posted your HJT log...
Old 23rd May 2004, 04:36   #49
Rocki
Junior Member
 
Join Date: May 2004
Posts: 4
I have my winamp back!

you guys are the BEST!

I feel like that old guy in the Great America commercial.

Thanks all
Old 23rd May 2004, 07:46   #50
punkcrib
Junior Member
 
Join Date: May 2004
Posts: 7
excellent, excellent....


Glad to hear this worked for everyone else as well.

Thanks a lot to DJ Egg for helping us figure this out!
Old 23rd May 2004, 14:17   #51
nickster
Junior Member
 
Join Date: May 2004
Posts: 5
I have read the threads in full and still unable to alleviate this problem. Here is a synopsis of what I have done:

ran HJT and did find mp3.university; removed it - please see attached

Ran Ad-aware and spy-bot - nothing identified.

Ensured that the sounds drivers are up-to-date

check to make sure that the winhlp32.exe file size shows 8K in c:\i386 and c:\windows\system32

I could not find anything abnormal running in 'Processes' under Tasks Manager.

Completely uninstalled Winamp. Reinstalled it along with the update

System: Dell 8300 Dimension, Wireless Cable with firewall, running Norton Anti-virus (latest definitions) & Norton's Internet Security.

It is possible that I overlooked something in the process. If so, I apologize for taking your time in advance for reading this thread. Any constructive feedback on where I went wrong is greatly appreciated.
Attached Files
File Type: zip hijackthis0523.zip (2.1 KB, 554 views)
Old 23rd May 2004, 15:01   #52
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
Come on dude, it's plain as day in your HJT log

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINDOWS\DOWNLO~1\winhlp32.exe


Disable this with HJT
Then, either end process for it in Task Manager, or Reboot
Then go to the "Windows\Downloaded Program Files" folder
and delete the offending file.
Old 23rd May 2004, 15:34   #53
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
Update
Full report has now been submitted to wilders.org, lavasoft/adaware and SpybotSD admin.
Old 23rd May 2004, 17:23   #54
theknub
Major Dude
 
Join Date: Sep 2001
Location: The Peoples Republic of Berkeley
Posts: 530
thanks egg... i was just going to email them but seems u got to it first.

When you take a hand and chop the fingers off... what do u get?

That would be the knub.
Old 23rd May 2004, 17:32   #55
nickster
Junior Member
 
Join Date: May 2004
Posts: 5
Thanks for your expertise Egg. It is quite a relief to hear an entire song.
Old 3rd June 2004, 18:54   #56
Alien_Concept
Junior Member
 
Join Date: Jun 2004
Posts: 3
Hello Everyone!
DJ_Egg, well done for solving the problem. I am kind of experiencing the same thing as everybody else. Ran HJT and I am d/ling SpybotSD now. Thought I should let you guys have a look at my HJT log before I do anything silly.

Many thanks in advance.
Attached Files
File Type: txt hijackthis.txt (6.0 KB, 532 views)
Old 3rd June 2004, 19:30   #57
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
@Alien_Concept

1) Print out these instructions
Close all browser and Windows Explorer windows

2) Open the Task Manager (right click Taskbar, or Ctrl+Alt+Del)
Go to the Processes tab and end process for both instances of
winhlp32.exe

C:\WINDOWS\DOWNLO~1\winhlp32.exe

Note: both "DPF" and "DOWNLO~1" stand for:
"Downloaded Program Files"

3) Run HJT again, click "Scan"
Checkmark the following items in HJT, then click "Fix checked"

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINDOWS\DOWNLO~1\winhlp32.exe

O16 - DPF: {6C31790D-1EDF-4B05-83DC-925B3A8E2318} (Reactivator Class) - http://www.mp3downloading.com/shared/flash/winhlp32.exe

4) Now go to "C:\Windows\Downloaded Program Files"
and, if it's still there,
make sure the Winhlp32 Reactivator Class file is deleted.

5) Reboot


Now run SpybotSD scan


Further steps and protection info can be found in my post above.



btw, there was one other entry in your HJT log that I wasn't sure about:

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

If you know this to be 100% safe, then fine,
otherwise have HJT fix this entry as well.
Old 3rd June 2004, 20:13   #58
Alien_Concept
Junior Member
 
Join Date: Jun 2004
Posts: 3
Thank you so much, DJ_Egg. My Winamp is now humming like a sweet honey bee and it's all thanks to you. Ran HJT and went file-hunting. The file in question had a yellow circle with a Z in the middle as its icon, just like you said. Also ran SpybotSD afterward and discovered I had 50+ spyware running on my computer, which explains all the glitches on my comp.

Cult3D caught my eye too when I was looking at the HJT log but I am not sure what it is. Most likely one of those 3D galleries you get when you go on an online shopping site.

Anyway, Thanks for the help again!

Old 3rd June 2004, 20:29   #59
Alien_Concept
Junior Member
 
Join Date: Jun 2004
Posts: 3
One thing I'd like to point out is that "WhenUSave" program is actually a host program for BearShare. Everyone beware...
Old 8th June 2004, 21:14   #60
MoPuckhead
Junior Member
 
Join Date: Jun 2004
Location: Springfield, Mo
Posts: 4
DJ Egg............I have followed the instructions on the preceding two pages and have studied the results all day. I have all the spyware mat'ls. downloaded and have used HJT to get rid of files you recommended. Can you direct me as to the best way to provide you my HJT log and receive further instructions? Thanks a ton!
Old 9th June 2004, 01:33   #61
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
Hmm... well, ideally, you should've posted your HJT log before doing anything!

HiJackThis > Scan
The Scan button now changes to a "Save Log" button
Save the log to hijackthis.txt
(note, the default is .log, so change it to .txt)
Then click the "Post A Reply" button in this thread
and use the attachment feature to attach the log to a new post.
Old 10th June 2004, 00:26   #62
Lothwin
Junior Member
 
Join Date: Jun 2004
Posts: 1
DJ Egg, thank you ever so much! I was plagued with this thing too and it was doing other evil things to my puter besides. Your method worked but not until I FIRST ran msconfig/start tab and unchecked this from the list. Then I could deactivate it on taskmanager and it wouldn't come back. Then ran HJT and killt it off that way. Genius! This was defeating every virus scanner I have. !!! Hats off!

Quote:
Originally posted by DJ Egg
@Alien_Concept

1) Print out these instructions
Close all browser and Windows Explorer windows

2) Open the Task Manager (right click Taskbar, or Ctrl+Alt+Del)
Go to the Processes tab and end process for both instances of
winhlp32.exe

C:\WINDOWS\DOWNLO~1\winhlp32.exe

Note: both "DPF" and "DOWNLO~1" stand for:
"Downloaded Program Files"

3) Run HJT again, click "Scan"
Checkmark the following items in HJT, then click "Fix checked"

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINDOWS\DOWNLO~1\winhlp32.exe

O16 - DPF: {6C31790D-1EDF-4B05-83DC-925B3A8E2318} (Reactivator Class) - http://www.mp3downloading.com/shared/flash/winhlp32.exe

4) Now go to "C:\Windows\Downloaded Program Files"
and, if it's still there,
make sure the Winhlp32 Reactivator Class file is deleted.

5) Reboot


Now run SpybotSD scan


Further steps and protection info can be found in my post above.



btw, there was one other entry in your HJT log that I wasn't sure about:

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

If you know this to be 100% safe, then fine,
otherwise have HJT fix this entry as well.
Old 10th June 2004, 15:00   #63
MoPuckhead
Junior Member
 
Join Date: Jun 2004
Location: Springfield, Mo
Posts: 4
update for the Egg-Meister

Dj EGG...........
Thanks for the help. I am attaching the log. Some info that might help. I am running a Dell 4550 with Pentium 4 @ 2GHZ, Win XP, 256MB DDR SDRAM @ 266MHz and a 60GB hard drive.
Also, I was able to locate that stinkin' Reactivator Class (with the z) in downloaded program files, but it would NOT allow me to delete it. I had also updated and ran SPYBOT and ADAWARE. This is my first time using threads for a solution, so pardon the ignorance and thanks for any help!
Uli
Attached Files
File Type: txt hijackthis.txt (5.2 KB, 440 views)
Old 10th June 2004, 15:24   #64
MoPuckhead
Junior Member
 
Join Date: Jun 2004
Location: Springfield, Mo
Posts: 4
Update #....2
DJ Egg....I have found that if I follow earlier instructions (where you bring up the task manager AND downloaded program files) I am able to remove the reactivator file..which is great. Only problem...on reboot, there is the miserable reactivator file again!
Old 10th June 2004, 17:23   #65
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
@MoPuckhead

Right, well... repeat the same again, except this time, do it like this:

1) Task Manager: End process for both instances of winhlp32

2) Run HijackThis
Click "Scan"
Then checkmark the following entry, and click "Fix selected"

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINDOWS\Downloaded Program Files\winhlp32.exe

3) Delete Reactivator Class winhlp32 from Downloaded Program Files folder.

____________________________________________


Although not related to the problem at hand (at least, I don't think so anyway), I recommend that you also checkmark the following for HijackThis to fix:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/319ddbb7...p/RdxIE601.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
Old 10th June 2004, 18:08   #66
MoPuckhead
Junior Member
 
Join Date: Jun 2004
Location: Springfield, Mo
Posts: 4
DJ Egg........
Thank you very much for all of your help! It WORKED!!! The only remnants are a reactivator z file that comes up each time I open the downloaded files folder (despite deleting it each time). I am sure that it must get frustrating helping ignoramuses such as myself, and I thank you for your patience! Long live the EGG!
Old 10th June 2004, 18:48   #67
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
No, not frustrating. That's what we're here for.

I'd still be interested in knowing what's causing the reactivator file to reappear in the DPF folder.

btw, it isn't recommended to run HJT from a temp folder (ie. from within the zip).
Extract HijackThis.exe to its own folder, eg. Program Files\HijackThis
and then run it again, making sure all references (if any) to winhlp32 are fixed.
Old 11th July 2004, 04:44   #68
Mad_skillz_n00b
Junior Member
 
Join Date: Jul 2004
Posts: 5
OK guys i need help with it now...i read all the following posts but still lost..i need a step by step walk through plz...Here is my log..i alrdy deleted the hlkm or whatevers and the other ones you said to delete...is there anymore?

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DOWNLO~1\winhlp32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\DOWNLO~1\winhlp32.exe
C:\Program Files\Opera75\opera.exe
C:\Documents and Settings\Daniel\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.*********.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [winhlp32.exe] C:\WINDOWS\DOWNLO~1\winhlp32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Gqn] C:\WINDOWS\System32\stentxq.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ 4.1 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
Old 11th July 2004, 07:23   #69
siebe83
Forum King
 
Join Date: Feb 2004
Posts: 9,222
[edit]see VV DJ Egg's post VV for better instructions[/edit]

Try this:

Quote:
Originally posted by DJ Egg
Right, well... repeat the same again, except this time, do it like this:

1) Task Manager: End process for both instances of winhlp32

2) Run HijackThis
Click "Scan"
Then checkmark the following entry, and click "Fix selected"

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINDOWS\Downloaded Program Files\winhlp32.exe

3) Delete Reactivator Class winhlp32 from Downloaded Program Files folder.
But be careful and do not 'fix' anything when you don't know what it is.

@globalloon:
maybe it's better to post a new topic, since your problem does not seem to be winhlp32.exe related. [edit]not necessary: see below[/edit]
Click the button at the top of the page.
Just copy and paste what you typed here and try to be as specific as possible. You also may want to include your HijackThis log again.
(I have a feeling that a lot of pple miss this thread when giving support)
[edit]Ok, DJ Egg found it..

Good Winamp plugins by Joonas, DrO and shaneh.
If you're bored go here or, if the boredom is more serious, here.

Last edited by siebe83; 11th July 2004 at 08:46.
Old 11th July 2004, 08:09   #70
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
@ Mad_skillz_n00b

Your HJT log is incomplete.
The top paragraph is also required so we can see what your Windows OS and Internet Explorer versions are.


Open Task Manager
End Process for both instances of winhlp32
(C:\WINDOWS\DOWNLO~1\winhlp32.exe)

Now close ALL browser and Explorer windows.

Run HJT again.
This time, checkmark the following entry and click "fix checked":

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINDOWS\DOWNLO~1\winhlp32.exe

Now go to:
Control Panel > Internet Options > General tab
Under Temporary Internet Files, click "Delete Files"
Checkmark "Delete all offline content" and click "OK"

Now click the "Settings" button (the one next to "Delete Files")
Click the "View Objects" button.
Confirm that the Winhlp32 Reactivator Class file is no longer present.
If it's still there, delete it.

Close Internet Control Panel and all Explorer Windows again.
Run HJT again, and confirm that the above entry is no longer present.

Reboot.

That should fix the Winamp problem...


Additionally, you've also got the Viewpoint Toolbar adware/spyware installed.

You can also checkmark the following entries for HJT to fix:

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML


I find this entry to be also highly suspicious:

O4 - HKCU\..\Run: [Gqn] C:\WINDOWS\System32\stentxq.exe

I can't find any info on google about stentxq
and I suspect it to be some kind of trojan.
Unless you know for sure what it is, I suggest you have HJT fix that entry as well,
and then delete the stentxq.exe file on reboot.

I also strongly recommend that you install and run both Adaware and Spybot Search & Destroy to get rid of any malware/spyware/adware leftovers.

Looks like you might need to reinstall Norton as well...
judging by the two "(file missing)" entries in your log.

As well as installing/running both SpybotSD and Adaware, you should also make sure you've installed all critical/security updates from windowsupdate.
DJ Egg is offline  
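Added example, not part of DJ Egg's post or the original thread: the manual HJT log reading done in this thread, written as a script. It flags a winhlp32.exe that runs or autostarts from anywhere other than the two folders the thread names as legitimate, plus any O16 entry carrying the Reactivator CLSID or a codebase on one of the domains listed for the Restricted Zone. The sample log is assembled from lines quoted in the thread plus one constructed line; the function names and tags are made up for this example.

```python
import re
from urllib.parse import urlparse

# Indicators taken from this thread.
REACTIVATOR_CLSID = "{6C31790D-1EDF-4B05-83DC-925B3A8E2318}"
BAD_DOMAINS = ("mp3university.com", "easytoolbar.com",
               "song-download-world.com", "mp3downloading.com")
# Folders where the thread says a genuine winhlp32.exe lives on WinXP.
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32"}
WATCHED_NAME = "winhlp32.exe"

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \(.*?\) - (?P<url>\S+)$")
# Leading executable path of a process line or a Run command line.
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)\b', re.I)

# Sample input: lines quoted in the thread, except the one marked below.
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DOWNLO~1\winhlp32.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
O4 - HKLM\..\Run: [winhlp32.exe] C:\WINDOWS\DOWNLO~1\winhlp32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O16 - DPF: {6C31790D-1EDF-4B05-83DC-925B3A8E2318} (Reactivator Class) - http://www.mp3downloading.com/shared/flash/winhlp32.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
"""
# "C:\WINDOWS\winhlp32.exe" is constructed: the genuine Help viewer
# running from its normal folder, which must not be flagged.


def split_dir_name(path):
    """Lower-case a path and split it into (folder, file name)."""
    folder, _, name = path.lower().rpartition("\\")
    # HJT prints the 8.3 short name; expand the one this thread deals with.
    return folder.replace("downlo~1", "downloaded program files"), name


def host_is_listed(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def triage(log_text):
    """Return (tag, line) pairs for log lines matching the thread's indicators."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m16 = O16_RE.match(line)
        if m16:
            tags = []
            if m16["clsid"].upper() == REACTIVATOR_CLSID:
                tags.append("dpf-clsid")
            if host_is_listed(m16["url"]):
                tags.append("dpf-host")
            if tags:
                findings.append(("+".join(tags), line))
            continue
        m4 = O4_RE.match(line)
        mp = PATH_RE.match(m4["cmd"] if m4 else line)
        if not mp:
            continue
        folder, name = split_dir_name(mp["path"])
        # A system file name in the wrong folder is the giveaway.
        if name == WATCHED_NAME and folder not in LEGIT_DIRS:
            findings.append(("run-key" if m4 else "process", line))
    return findings


if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LOG):
        print(f"[{tag}] {line}")
```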
Old 11th July 2004, 17:10   #71
Mad_skillz_n00b
Junior Member
 
Join Date: Jul 2004
Posts: 5
Ok Dj will be sure to do all that but for some reason my Cntrl+Alt+Delete doesn't work..its never worked...whenever i press them nothing comes up. Is there a way to turn it off without having to do Cntrl alt delete?
Old 11th July 2004, 17:33   #72
siebe83
Forum King
 
Join Date: Feb 2004
Posts: 9,222
Are you using XP?
If so:
Press Start button in the taskbar > select Run...
type taskmgr.exe
The taskmanager will now start, so you can close the instances of winhlp32.exe
(I think this'll work with other windows versions as well)
Old 11th July 2004, 17:42   #73
Mad_skillz_n00b
Junior Member
 
Join Date: Jul 2004
Posts: 5
WOW thanks sibe, i will do this process because i am having panda scan my comp like egg advised :P
Old 11th July 2004, 18:02   #74
Mad_skillz_n00b
Junior Member
 
Join Date: Jul 2004
Posts: 5
SWO0T SWO0T! problem fixed thanks to Egg and Siebe! thanks guyz you're awesome!
Old 21st January 2005, 05:43   #75
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
I must insist that unless you've got the EXACT same problem
(plays approx 4 seconds and stops, as caused by the winhlp32 trojan),
then please DO NOT post in this thread.
It only makes it more difficult for people with the actual problem to find the solution.
Post a new thread instead. I'm more than willing to examine HJT logs,
but please post them in the correct place.
Don't become a hijacker yourself, by hijacking other peoples' threads.

Thank you.


All non-related posts have now been split from this thread
and moved into a new thread, which can be found here:

Unrelated posts split from the "plays only 4 seconds then stops" sticky :/
Old 18th February 2005, 07:02   #76
djmetaler
Junior Member
 
Join Date: Feb 2005
Posts: 3
ok i am seeming to have a problem very similar to this but the songs will go more than just 4 secs or so, i can be playing them for awhile and then it will stop... i checked and i don't have that winhlp32.dll.exe file and i need to find a different link to that HiJackThis program

i am running windows 2000 professional and winamp 5.08c
Old 18th February 2005, 09:55   #77
siebe83
Forum King
 
Join Date: Feb 2004
Posts: 9,222
@djmetaler:
Did you read the post above yours? Please continue discussion here.
Old 18th February 2005, 12:57   #78
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
If the problem isn't EXACTLY the same
then just start a new thread.

Include relevant system specs and HijackThis log.


HJT v1.99.1
http://www.thespykiller.co.uk/files/HJTSetup.exe
http://www.thespykiller.co.uk/files/HijackThis_sfx.exe
http://www.thespykiller.co.uk/files/HijackThis.exe
http://aumha.org/downloads/hijackthis.exe
http://forums.winamp.com/showthread....33#post1459033
http://www.spywareinfo.com/~merijn/downloads.html
http://www.merijn.org/downloads.html
Old 5th March 2005, 19:33   #79
kby
Junior Member
 
Join Date: Mar 2005
Location: PL
Posts: 10
Obviously, the winhlp32.exe file in Punkcrib's attachment has been packed with UPX - Microsoft NEVER does that sort of thing. Therefore I'm 100% sure it was a trojan. Have no time to disassemble it, though. :/
Old 6th March 2005, 17:38   #80
megesque
Junior Member
 
Join Date: Mar 2005
Location: Dallas, Texas
Posts: 2
WTF

Can someone please tell me which guy's idea works?? I'm very confused. I don't know whether to install that hijack thing or what. Whose plan worked? @_@