Bubbas.Tools on NT 4.0 client box


#1 HuggyBear1957



  • New Member
  • 1 posts

Posted 02 July 2004 - 12:09 PM

Hi there folks,
This is my first post here, and I hope I can in the future be of some help to others. The title should say Bubba.WinTools. This is my second go around with removing scumware, and I think I know which entries to remove but I just want to make sure I'm not missing anything. My last removal project was a 3 hour odyssey.
This NT 4.0 box is really just running slow and displaying "cannot find file C:\Temp\tb_setup.exe" on startup. This box is kind of in a sensitive area, so I want to make sure I get it right and not have to reload the system.
Here's my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 11:05:03 AM, on 6/30/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\System\MOSearch\Bin\mosearch.exe
C:\Program Files\OfficeScan NT\ofcdog.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.../animDialog.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50038
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [\\Dpssierraco5\EPSONC82] C:\WINNT\System32\spool\DRIVERS\W32X86\2\E_S0HIC1.EXE /P23 "\\Dpssierraco5\EPSONC82" /O23 "\\Dpssierraco5\EPSONC82" /M "Stylus C82"
O4 - HKLM\..\Run: [\\SIERRACODIS05\EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\2\E_S0HIC1.EXE /P39 "\\SIERRACODIS05\EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [TB_setup] C:\TEMP\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O13 - WWW. Prefix: http://
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

If I understand things correctly, I need to remove the following:

C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50038

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [TB_setup] C:\TEMP\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

Thanks for your time and patience in this matter,


Edited by HuggyBear1957, 02 July 2004 - 12:12 PM.

#2 irelynnmisses


    Forum Goddess

  • Retired Staff - Helper
  • 282 posts

Posted 02 July 2004 - 06:20 PM

You are correct.. make sure to delete the files or folders as well.

Scan with adaware.. reboot and post a new log.. there is probably more...
FireFox is recommended over IE: http://www.mozilla.o...oducts/firefox/

Misses Loves Kisses

Also, please don't PM me your hijack logs. I would rather you post them and PM me if you wish for me to look at them. A PM with a hijack log will get ignored!
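The cross-check discussed in this thread, as an added example that is not part of the original posts: it scans HijackThis log lines for the directory and file the poster singled out, catches the 8.3 short-name form of the same directory (`PROGRA~1\COMMON~1`), and lists `(no file)` entries for review. The sample lines are copied from the log above; the short-name match is a heuristic, and treating `(no file)` entries as worth a look is an assumption of this sketch.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""Running processes:
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [TB_setup] C:\TEMP\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""
# The poster's own picks: the WinTools directory and the TB_setup Run target.
SUSPECT_DIRS = [r"C:\Program Files\Common files\WinTools"]
SUSPECT_FILES = [r"C:\TEMP\tb_setup.exe"]
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)\b", re.I)

def comp_match(seen, wanted):
    """True if component `seen` equals `wanted` or looks like its 8.3 short alias."""
    seen, wanted = seen.lower(), wanted.lower()
    if seen == wanted:
        return True
    m = re.fullmatch(r"([^~]{1,6})~\d+", seen)  # e.g. PROGRA~1 (heuristic)
    return bool(m) and wanted.replace(" ", "").startswith(m.group(1))

def under_dir(path, directory):
    """True if `path` lies below `directory`, long or short names alike."""
    p, d = path.split("\\"), directory.rstrip("\\").split("\\")
    return len(p) > len(d) and all(comp_match(a, b) for a, b in zip(p, d))

def triage(log, dirs=SUSPECT_DIRS, files=SUSPECT_FILES):
    """Return (reason, line) pairs for log lines that deserve a closer look."""
    wanted_files = {f.lower() for f in files}
    hits = []
    for line in (l.strip() for l in log.splitlines()):
        m = PATH_RE.search(line)
        path = m.group(0) if m else ""
        if line.endswith("(no file)"):
            hits.append(("orphaned entry", line))
        elif any(under_dir(path, d) for d in dirs):
            hits.append(("suspect directory", line))
        elif path.lower() in wanted_files:
            hits.append(("suspect file", line))
    return hits

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:18} {line}")
```

A plain substring search for `Common files\WinTools` would miss the BHO line, because HijackThis prints that DLL's path in short-name form.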
