winhlp.exe running in "processes"

  • Thread starter: MAP
MAP

I have XP home. I noticed "winhlp.exe" running
in "processes" in the Task Manager. It was taking all
resources. I ended the task and can not find this file
anywhere on my computer when I search the C drive
including hidden files.
When I reboot it is not running any more. What happened?

Is this a virus?
 

This could be a virus. Here is an article I found.
Here is a link:
http://www.viruslibrary.com/virusinfo/I-Worm.Moncher.htm


This is an Internet worm that spreads via e-mails attached
as an EXE or ZIP file. The worm itself is a Win32
executable file about 37Kb in length, and written in
Visual Basic. The worm is also able to spread via IRC
channels.

When the worm's EXE file is being run from an attachment
or from an IRC download directory, it registers itself in
the system to run each time Windows starts up, and it
sends infected messages. To hide itself, the worm displays
two fake messages:

INSTALL
Install complete.

ERROR!
Unable to run program!

While installing into the system, the worm copies itself
to the Windows directory with the WINHLP.EXE name, creates
the VBS script file "helper" OUTLOOKHELP.VBS in the same
directory, and registers these files in the Windows
registry auto-run section:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WinProfile = %WinDir%\winhlp.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
OutlookProfile = %WinDir%\outlookhelp.vbs

where %WinDir% is the name of the Windows directory.

The first (EXE) file is the worm's main code, and the
second (VBS) file is the e-mail spreading program.

When the VBS script is run, it connects to MS Outlook,
obtains the addresses from the MS Outlook Address Book,
and sends messages there. The message Subject, Body and
Attachment appear as follows:

Subject: With Love
Body: Whit all my love for you. :)
Attach: Winhlp.exe or MonCherry.zip

The worm infects the mIRC client if it is installed in the
C:\MIRC directory. The worm writes a script to the
SCRIPT.INI file in there that sends an infected WINHLP.EXE
file to each user that enters the infected IRC channel.

On January 13th, the worm overwrites the C:\AUTOEXEC.BAT
file with a DOS batch program that will format the C:
drive upon the next reboot.
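
A read-only check for the artefacts the write-up above lists (the two Run values, the two files in %WinDir%, the mIRC SCRIPT.INI change and the AUTOEXEC.BAT overwrite), as an added example that is not part of the original thread. It assumes PowerShell is available on the machine; the paths and value names are the ones given in the write-up, and the `format` pattern is an assumption about what the batch program would contain.

```powershell
# Added example: look for the artefacts named in the quoted write-up.
# Read-only: nothing is deleted or modified.
$findings = @()

# 1. Auto-run values under HKLM ...\CurrentVersion\Run
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, ...)
        $nameHit  = ('WinProfile', 'OutlookProfile') -contains $p.Name
        $valueHit = "$($p.Value)" -match 'winhlp\.exe|outlookhelp\.vbs'
        if ($nameHit -or $valueHit) {
            $findings += "Run value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 2. Dropped files in the Windows directory (-Force so hidden files are included)
foreach ($f in 'winhlp.exe', 'outlookhelp.vbs') {
    $path = Join-Path $env:WinDir $f
    if (Test-Path -Path $path) {
        $item = Get-Item -Path $path -Force
        $findings += "File present: $path ($($item.Length) bytes)"
    }
}

# 3. mIRC script modified to send the file to channel users
$ini = 'C:\MIRC\SCRIPT.INI'
if ((Test-Path -Path $ini) -and (Select-String -Path $ini -Pattern 'winhlp\.exe' -Quiet)) {
    $findings += "$ini references winhlp.exe"
}

# 4. AUTOEXEC.BAT overwritten with a batch program that formats C:
#    (pattern is an assumption: any line mentioning the format command)
$bat = 'C:\AUTOEXEC.BAT'
if ((Test-Path -Path $bat) -and (Select-String -Path $bat -Pattern '\bformat\b' -Quiet)) {
    $findings += "$bat contains a format command"
}

if ($findings) {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
} else {
    Write-Output 'None of the listed artefacts were found.'
}
```

An empty result only means these specific names are absent. The legitimate Windows help viewers are winhlp32.exe and winhelp.exe, which the patterns above do not match.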
 
I saw this, but when I check Symantec, they don't list it.
When I go to the registry at the specified locations,
there is nothing there. The URL may be a bogus Russian
site.
 
