
winhlp32.exe entries in task manager


11 replies to this topic

#1 bobs409

bobs409

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 01 January 2014 - 02:16 PM

Hi, I am getting many entries in the task manager: winhlp32.exe

 

I scanned with Spybot and it didn't even find these.

 

Can someone suggest how to remove these and check for other possible problems?

 

 

Thanks,

 

Bob




 


#2 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:01:21 AM

Posted 01 January 2014 - 02:36 PM

Windows Help (WinHlp32.exe) is a Help program that has been included with Microsoft Windows versions starting with the Microsoft Windows 3.1 operating system.

Edited by dc3, 01 January 2014 - 02:36 PM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 bobs409

bobs409
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 01 January 2014 - 04:28 PM

I did a search and found it can also be a virus.  It was showing in my task manager about 10 times or so all at once.

 

http://www.bleepingcomputer.com/startups/winhlp32.exe-6671.html



#4 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 35,905 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:01:21 AM

Posted 01 January 2014 - 05:08 PM

Yes it can be a virus. They can also be valid. However to help you determine if it's a legitimate or malicious entry we need the full path designations of each individual entry.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#5 bobs409

bobs409
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 01 January 2014 - 06:09 PM

Yes it can be a virus. They can also be valid. However to help you determine if it's a legitimate or malicious entry we need the full path designations of each individual entry.

Can you give me instructions on how to do that?

 

Thanks,

 

Bob



#6 MissLizz

MissLizz

  • Members
  • 141 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Western Arkansas
  • Local time:04:21 AM

Posted 01 January 2014 - 06:58 PM

An interesting site to check out is  www.What-is-exe.com.  It's a Computer Task Database and Spyware Directory.  Just handy to know.



#7 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:09:21 AM

Posted 01 January 2014 - 07:02 PM

Process Explorer - Taking a Screenshot of Process Explorer.


Table of Contents
  • Introduction
  • Getting and Running Process Explorer
  • Taking screenshot of Process Explorer with some example screenshots.
  • Conclusion
1) Introduction to Process Explorer

Process Explorer is a lot like Task Manager, which is the program you access via the following keys on your keyboard: "CTRL+ALT+DELETE". Task Manager is used to display process information such as the process name, memory usage and other application information. However, the information that Task Manager displays is rather limited compared to what Process Explorer can show you. With Process Explorer one can see the entire process tree for a particular application, which consists of all other processes that were started by the original process, or parent, in the tree.

Process Explorer has many different uses such as examining what processes are active and what processes are making connections to outside computers. In this guide I will demonstrate the kinds of information one can glean from using Process Explorer as opposed to using Task Manager.

2) Getting and Running Process Explorer

Getting Process Explorer is easy; just use the link below:

Download Process Explorer

This is a completely free tool that is easy to run. You do not have to install anything, as it is just an executable program that runs on various Windows operating systems. Process Explorer is only available for Windows XP, Windows Vista, Windows 7, Windows 2003, and Windows 2008 (including their IA 64bit Counterparts).

Opening and running Process Explorer is quite easy:

After downloading the zipped file, you will need to unzip it in order to use it. You will have to remember where you downloaded the file and where it is saved. For example, I have a folder called Downloads on my other drive. I have Firefox and Internet Explorer set to save files to that location. You will want to consult the following images on where to locate the download folder for Firefox and Internet Explorer.


1) Firefox Default Download Location:

firefox_download_location.png

You can get to that window via Tools then Options, and you will want to look at the General Tab.



2) Internet Explorer will use the last location that you saved a file to. For example, for me it is on my other drive as seen in my screenshot. You can either choose Open, Save, or Cancel. Open will automatically open the file after it is downloaded. Save will save the file to a location for later use if you want to use it again, and cancel just cancels the download from happening. I would recommend that you save it for future use. It is a very useful tool.

internet_explorer_download_location.png


Now that we have noted where we saved it to after downloading it, we need to extract it. You can use your favorite unzipping tool such as WinRAR, WinZIP, 7zip, or you can use what comes with Windows XP and later called Compressed Folders.

After locating the file ProcessExplorer.zip, you will want to do the following:

The easiest way is to just double click it and read the on screen instructions for how to extract/unzip it. I am going to use Windows Compressed Folders for ease of use since everyone has that already.

1) Right click the file.

right_click_process_explorer_zipped.png


2) Select Extract All and the following Window will come up:

extract_file_using_compressed_folders.pn

At this point you can extract the needed files anywhere on your computer, but I am going to pick D:\downloads\ProcessExplorer for the destination. Just hit extract_button.png, and we are almost done. Upon successful extraction the following image will be seen.


3) Final Process of extracting Process Explorer from the Zipped file.

extracted_process_explorer.png

Now all you do to run Process Explorer is to double click the file called: procexp.exe and you are now ready to use Process Explorer.


3) Taking screenshot of Process Explorer with some example screenshots.

When asked to take a snap shot you can either use alt+prt scn, which is located above the home, end, page up, page down, and delete keys, and open your favorite photo editor such as The GIMP which is a free image editing program, MSPaint which is installed by default on most systems, Paint.NET which is also free, and many others that are available. Then go to Edit and hit Paste, and then to file and save as filename.jpg or something easy to remember. After you do this, head on over to a free image hosting website such as ImageShack.us, Photobucket.com, and many others (those are just the most popular). If you have a custom site that you run, then you can use that storage and web space to host your images (keep in mind your limits on bandwidth).

Now that you have taken the screenshots and have hosted them on your web space, you can post them to a new topic, or to a current one that you have started, by doing the following:

[img=linktoyourimagehere]
Some of the images that may be of use are as follows:

1) Process Explorer Main

process_explorer_main.png

You will notice along the top various column headers such as Process, PID, CPU, Company Name, User Name, Path, and Image Type. These are all used in verifying what a process is doing, how much time it is taking up, who the process is being run as, and the process path (which can be used to determine a legitimate process).


2) Here is a graphical representation of the colors that you will see in the main window. Of course, as you can see, you can change the colors for the main window.

process_explorer_color_legend.png


3) The below image is what you get when you mouse over a particular process, and the result is the ability for you to see what is running under that said process or service. This is extremely useful when seeing what svchosts are actually doing:

process_explorer_svchost.png


4) The below is an image for a particular process's properties which will tell us what is running under the said properties. You will notice the various tabs in the screenshot. Each tab tells you something that that process is doing such as what ports the process is being used to communicate to the computer and other processes. You can do this by right clicking on a process and selecting processes.

process_explorer_process_properties.png



4) Conclusion

Why would you want to take a screenshot of Process Explorer?

The below output is very disorganized, and is produced when you save a text based representation of Process Explorer. A graphical representation of Process Explorer, and the processes that are active would show us more accurately as to what is running without having to spend too much time on analyzing a file that is humanly unreadable.

Process	PID	CPU	Description	Company Name	User Name	Path	Image Type
aim.exe	4412		AOL Instant Messenger	America Online, Inc.	alphacentari\cryptodan	C:\Program Files (x86)\AIM\aim.exe	32-bit
AOLacsd.exe	1396		AOL Connectivity Service	AOL LLC	NT AUTHORITY\SYSTEM	C:\Program Files (x86)\Common Files\aol\acs\AOLacsd.exe	32-bit
audiodg.exe	1208	0.39	Windows Audio Device Graph Isolation 	Microsoft Corporation	NT AUTHORITY\LOCAL SERVICE	C:\Windows\System32\audiodg.exe	n/a
csrss.exe	648		Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	C:\Windows\System32\csrss.exe	64-bit
csrss.exe	716		Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	C:\Windows\System32\csrss.exe	64-bit
dllhost.exe	1508		COM Surrogate	Microsoft Corporation	NT AUTHORITY\SYSTEM	C:\Windows\System32\dllhost.exe	64-bit
DPCs	n/a	1.16	Deferred Procedure Calls				64-bit
As you can see, a screenshot of Process Explorer is much easier to read than the text based output that a File and Save As produces.

If you want to see the actual file then visit the following link: Process Explorer Text Based Capture
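
Added example, not part of the original posts: the text export quoted above is tab-separated, so a short script can pull the full path of every instance of one process name, which is what post #4 asks for. The sample rows, PIDs and paths are constructed, and the expected directories are supplied by whoever runs the check, not taken from this thread.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the tab-separated column layout of the Process
# Explorer text export quoted above. PIDs, users and paths are made up.
HEADER = ("Process", "PID", "CPU", "Description", "Company Name",
          "User Name", "Path", "Image Type")
ROWS = [
    ("csrss.exe", "648", "", "Client Server Runtime Process",
     "Microsoft Corporation", r"NT AUTHORITY\SYSTEM",
     r"C:\Windows\System32\csrss.exe", "64-bit"),
    ("winhlp32.exe", "2200", "", "", "", r"PC\user",
     r"C:\Windows\winhlp32.exe", "32-bit"),
    ("winhlp32.exe", "3104", "", "", "", r"PC\user",
     r"C:\Users\user\AppData\Roaming\winhlp32.exe", "32-bit"),
    ("winhlp32.exe", "3112", "", "", "", r"PC\user", "", "32-bit"),
    ("DPCs", "n/a", "1.16", "Deferred Procedure Calls", "", "", "", "64-bit"),
]
SAMPLE_EXPORT = "\n".join("\t".join(r) for r in (HEADER, *ROWS))


def instances_by_name(export_text):
    """Map lower-cased process name -> list of (pid, path) from the export."""
    found = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text), delimiter="\t"):
        found[row["Process"].lower()].append((row["PID"], row["Path"] or ""))
    return found


def review(export_text, name, expected_dirs):
    """Return (pid, path, reason) for each instance of `name` to look at first.

    expected_dirs is the caller's own list of directories where the file is
    expected to live (an assumption of this example).
    """
    expected = {d.lower().rstrip("\\") for d in expected_dirs}
    flagged = []
    for pid, path in instances_by_name(export_text).get(name.lower(), []):
        if not path:
            flagged.append((pid, path, "no path recorded"))
        elif str(PureWindowsPath(path).parent).lower() not in expected:
            flagged.append((pid, path, "outside expected directory"))
    return flagged


if __name__ == "__main__":
    for pid, path, reason in review(SAMPLE_EXPORT, "winhlp32.exe", [r"C:\Windows"]):
        print(pid, path or "<empty>", reason)
```

A path inside the expected directory does not prove the file is genuine; the check only narrows down which entries to examine first.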

#8 bobs409

bobs409
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 02 January 2014 - 05:13 AM

The link doesn't work to download this program. ???



#9 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:09:21 AM

Posted 02 January 2014 - 06:23 AM

They must have disabled hotlinking, but here is the link for Process Explorer http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

#10 MissLizz

MissLizz

  • Members
  • 141 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Western Arkansas
  • Local time:04:21 AM

Posted 02 January 2014 - 07:18 AM

My apologies.  I don't know how or when things go through as a link.  For myself, I generally just go to search and type in a www address if I'm not sure.  What-is-exe.com....maybe that would do it?  Again, sorry.   Or:

http://what-is-exe.com


Edited by MissLizz, 02 January 2014 - 07:30 AM.


#11 bobs409

bobs409
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 02 January 2014 - 03:55 PM

Hi, while I was waiting, I tried running Superantispyware and it seems to have done the trick. Computer is working well again and no odd items showing up in task manager.

 

I'll see how it goes from here.

 

Thank you all who replied,

 

 

Bob



#12 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:09:21 AM

Posted 02 January 2014 - 06:29 PM

Can you post the log of SAS?



