how I removed PGate


4 replies to this topic

#1 parttimeadmin


Posted 21 May 2004 - 03:29 PM

I found PGate on my home PC (WinXP). I searched for quite a while and found many threads on various sites trying to remove it using at least 4 programs each (such as Ad-Aware), but they seemed to fall short of complete removal. I played around and here is how I wiped it clean (no apps needed):

There are 5 areas I found where it presents itself: 1) the registry 2) add/remove programs 3) services 4) c:\program files\common files\wintools 5) task manager

Here is the main problem I saw. When you delete the registry settings or the wintools folder, the entries/files reappear. When you kill its processes in task manager (wtoolss.exe, wtoolsa.exe or wsup.exe) they immediately reappear. I am not sure why.

Here are the successful steps:
1) On the infected PC, go to services and disable the one called something like "Win Tools for Internet Explorer" (don't bother trying to actually stop the service). Reboot the machine.
2) Share with full control the program files folder on the infected PC. From another PC (called PC2 from now on) map a drive or browse to that share. (This is to make steps 4-6 easier, but you may be able to do them from just the infected PC.)
3) On PC2, browse to the wintools folder so you can see the files (wtools.exe, wtoolsa.exe, etc.)

[Timing for the next 3 steps is very important: do them in rapid succession.]
4) On the infected PC, open task manager. Kill the processes (all wtools?.exe such as wtoolsa.exe, wsup.exe) using the "end process tree" option.
5) Begin your shutdown process on the infected PC. Just as you confirm okay to shut down, immediately perform step 6 from PC2.
6) Select all files in the wintools folder and delete them.
7) Let the infected PC reboot.

So, what this should do is delete the files and kill the processes. I think you have roughly 5-10 seconds before the files get regenerated, so deleting them immediately prior to shutting down the PC worked for me.

8) Upon reboot, check your processes in task manager. You should not see any running called wtoolsa.exe, wtoolss.exe or wsup.exe. If you do, you should repeat or vary steps 2-7.
9) Open your registry editor and search for all references to pgate, wtools, wintools, or wsup.exe. Delete every key and folder that you find that is a direct match. There may be 2-3 folders which you will not be able to delete. That did not seem to be a problem for me though.
10) After deleting your reg settings, reboot again and verify once more that those programs (mentioned in step 8) are not running and that the wintools folder is still empty. If empty, delete the wintools folder and the "uninstall" web link (can't recall the name) in the common files folder.
11) Verify in add/remove programs that there are no entries for PGate or WinTools for Internet Explorer.

This should do it. Good luck.

BTW, if the PGate author(s) happens to catch this post, you left a trail...
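
Added example, not part of the original post: a read-only PowerShell check that automates the verification in steps 8-11 (plus the service from step 1) and reports anything still present. The process names, folder name and search strings come from the post; the registry search roots and the `(x86)` Common Files variant are assumptions.

```powershell
# Added example: read-only check for the PGate/WinTools leftovers named in the post.
$pattern   = 'pgate|win\s?tools|wtools|wsup'      # strings the post says to search for
$procNames = 'wtoolsa', 'wtoolss', 'wsup'         # processes listed in step 8
$folders   = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
             Where-Object { $_ } | ForEach-Object { Join-Path $_ 'WinTools' }
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$roots     = 'HKLM:\SOFTWARE', 'HKCU:\Software'   # assumption: search scope for step 9

$findings = @(
    # Step 8: none of these processes should be running
    Get-Process -Name $procNames -ErrorAction SilentlyContinue |
        ForEach-Object { "process   $($_.Name) (PID $($_.Id))" }

    # Step 1: the service should be gone, or at least disabled
    Get-Service |
        Where-Object { $_.DisplayName -match $pattern -or $_.Name -match $pattern } |
        ForEach-Object { "service   $($_.DisplayName) [$($_.Status)]" }

    # Step 10: the folder should be empty or absent
    foreach ($f in $folders) {
        if (Test-Path -LiteralPath $f) {
            $n = @(Get-ChildItem -LiteralPath $f -Force -ErrorAction SilentlyContinue).Count
            "folder    $f ($n item(s))"
        }
    }

    # Step 11: Add/Remove Programs entries
    Get-ChildItem -Path $uninstall -ErrorAction SilentlyContinue | ForEach-Object {
        $name = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).DisplayName
        if ("$($_.PSChildName) $name" -match $pattern) { "uninstall $($_.PSChildName) ($name)" }
    }

    # Step 9: registry key names only (values are not inspected; this walk can take minutes)
    Get-ChildItem -Path $roots -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $pattern } |
        ForEach-Object { "regkey    $($_.Name)" }
)

if ($findings.Count -eq 0) { 'No PGate/WinTools artifacts found.' }
else { $findings | Sort-Object -Unique }
```

The script changes nothing on the machine; a match on a short string such as `wsup` can be a false positive and should be reviewed before anything is deleted.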

#2 JoeTechie


Posted 23 May 2004 - 11:33 PM

Had you seen this?

http://www.pgate-bas...uninstall.shtml

Could be a trojan - but seems to work.

-Joe

#3 auctionhugh


Posted 11 June 2004 - 12:43 PM

This did not work directly, but eventually it did, as follows.

First I ran the program from that link.

Then I went to add/remove programs and clicked remove for this uninstaller. It asked me if I wanted to uninstall the malware. You have to answer NO twice to continue, if I recall correctly.

It ran a long while, then I had to reboot. Seems to have worked!

Note I believe I picked up this nasty by going here and clicking on one of the FAQ links on the left: http://www.dailymp3.com/splitter.html

I'm thankful I found this thread. Thanks!


Edited by auctionhugh, 29 August 2004 - 08:18 AM.


#4 Shadow Warrior


Posted 06 August 2004 - 02:09 PM

Newest version of Ad-Aware (6.0) with latest update took this one out for me on one of the computers at work. No muss, no fuss.

#5 auctionhugh


Posted 29 August 2004 - 08:19 AM

Thank goodness Ad Aware is dealing with it now!!
