Wintools won't die!



#1 bkatz (New Member; 1 posts)

Posted 02 July 2004 - 01:22 AM

I've been fighting WinTools for about two weeks now. I've followed the instructions I get from Bazooka, and it keeps coming back! When I used the uninstaller, it actually got the program to leave for several days, but then it magically re-appeared.

It shows up under "Add/Remove Programs" as "Win-Tools Easy Installer 2.1"

I've followed these instructions:
http://www.kephyr.co...html?source=app

I've run Ad-Aware and Spybot Search & Destroy in safe mode several times, and I just can't get rid of these things.

There has to be something I'm missing!

Here's my Hijack This log:

Logfile of HijackThis v1.98.0
Scan saved at 11:13:19 PM, on 7/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\System32\mgabg.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nutsrv4.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PDesk.exe
C:\Program Files\Axis Communications\PrintSystem\System\TrayIcon.exe
C:\Program Files\Axis Communications\PrintSystem\System\DriverScanner.exe
C:\Program Files\Axis Communications\PrintSystem\System\DriverServer.exe
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\jcffyrg.exe
C:\WINNT\System32\RunDLL32.exe
C:\WINNT\system32\wzcof32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Bazooka Spyware Scanner\spywarescanner.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\system32\mshta.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\NUTCRA~1\NUTC\bin\ncoeenv.exe
O4 - HKLM\..\Run: [AXIS Print System TrayIcon] C:\Program Files\Axis Communications\PrintSystem\System\TrayIcon.exe
O4 - HKLM\..\Run: [AXIS Print System DriverScanner] C:\Program Files\Axis Communications\PrintSystem\System\DriverScanner.exe
O4 - HKLM\..\Run: [AXIS Print System DriverServer] C:\Program Files\Axis Communications\PrintSystem\System\DriverServer.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\jcffyrg.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\billk\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [go7ERPeFl] wzcof32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - file://C:\Xilinx\\chipviewer\lib\j2re-1_4_0-win.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D798FCE-E465-414E-8A38-035723758568}: Domain = mahinetworks.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{913C9235-74C4-4EE4-A014-EF596CFBD954}: Domain = mahinetworks.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{913C9235-74C4-4EE4-A014-EF596CFBD954}: NameServer = 172.16.7.1 172.16.7.2 172.16.7.2 206.58.250.53

Any suggestions on how to kill whatever keeps re-installing this parasite would be welcome!

Thanks,
-Bill Katz

#2 Scoff (SWI Junkie, Retired Staff; 294 posts)

Posted 08 July 2004 - 07:07 AM

Hello bkatz

As Wintools has an entry in the Add/Remove Programs Control Panel, it may be easy to get rid of. If not, there are still ways to remove it from your system.

Reboot into Safe Mode. To do this with Windows 2000, you can follow these instructions from Microsoft.

Once in Safe Mode:
Click on the Start Button, Control Panel. Double-click on Administrative Tools then on Services.
Look for a service called Wintools for IE Service. Double-click it to open, then click the Stop button and change the "Startup type" to Disabled.
(If the service is not there, no worries...all the better!)

Next, right-click on the Windows Taskbar and select Task Manager.
In the Processes tab, look for WToolsA.exe, WToolsS.exe and WSup.exe. If any or all of these exist, right-click on each one and select End Process Tree, and answer affirmatively to any confirmation questions.

At this point, you can check the Add/Remove Programs Control Panel. If there is an uninstaller for Wintools, try running it now. I would still recommend proceeding through the rest of this fix even if there is an uninstaller, however.

Now, please open a command prompt (Start button -> Run, type cmd and click "OK"). At the prompt, type
regsvr32 /u /s "C:\Program Files\Toolbar\toolbar.dll" then press <ENTER>.
Then type exit to close the command prompt window.

Now, we can proceed to delete these directories, located at:

C:\Program Files\Common Files\WinTools <-- Delete this directory.
C:\Program Files\Toolbar <-- Delete this directory.

Run HijackThis, and place a checkmark beside each of these items:

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\jcffyrg.exe
O4 - HKCU\..\Run: [go7ERPeFl] wzcof32.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\billk\LOCALS~1\Temp\tb_setup.exe /dcheck


After checking the necessary items, click the Fix checked button.

These items are considered to be resource hogs that are not needed and it may be worthwhile to fix them with HJT. You will still be able to start them manually if you need them...

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


Make sure you have all hidden files shown

Delete the following entries:
Files
C:\WINNT\system32\jcffyrg.exe
C:\WINNT\system32\wzcof32.exe


Empty the contents of this temp folder
C:\DOCUME~1\billk\LOCALS~1\Temp

I'm wondering about this file: file.???
It's not familiar to me, and I can't find anything about it on the net...
You'll have to help me with this one...
Open your Windows Explorer and navigate to C:\WINNT\System32\nutsrv4.exe
Right-click the file and choose Properties from the menu that appears...
Note down all the information you see in there and add it to your next reply...
Make sure you have looked at all the tabs...

Reboot and post a fresh log so we can check that everything has been cleaned. In the meantime you can help prevent this happening again.

SpywareBlaster will block bad ActiveX and malevolent cookies.

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Both are very small free programs that you run once, and then just occasionally to check for updates.

If you don't have an up to date hosts file it might be a good idea to replace it with a new one. This will help you block bad sites and ad servers. In windows explorer go to C:\WINDOWS\System32\Drivers\Etc, locate the file called hosts (no file extension) and rename it to hosts.old. Then download MVPS hosts file and extract it to the exact same location.

It may be worth reading How did I get infected in the first place?
Regards
Scoff

We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true. - Robert Wilensky
