wintoolsa


36 replies to this topic

#1 hobbyfarmer

Member, Full Member, 17 posts

Posted 24 May 2004 - 05:47 AM

I keep getting hijacked. I try to get rid of WinTools and it just keeps coming back. I'm ready to shut the computer off forever. I've been trying everything in your FAQ for 2 days, arrrrrgh. I need help. God knows what else is in there. Thank you for any help you can offer. At the end of my rope!

#2 Quinstar

Advanced Member, Retired Staff, 249 posts

Posted 24 May 2004 - 06:13 AM

Hi...

Go to add/remove software and uninstall Wintools...


Good luck... :)
To help us keep this site running, all donations are welcome...
Thank you...
www.masfemi.be

#3 hobbyfarmer

Posted 24 May 2004 - 06:59 AM

Tried; it says [other ad-powered software installed remove first]

#4 hobbyfarmer

Posted 24 May 2004 - 08:07 AM

I've tried Ad-Aware / Spybot / PC Tune Up / Norton SystemWorks / a2 squared / Panda ActiveScan. I've tried everything in Mike's FAQ page, and I have HijackThis but am not sure what to delete from it. Also, when I do delete some things from it, they just come back.

#5 Quinstar

Posted 24 May 2004 - 08:19 AM

Post the log in here, and I'll have a look at it...
So you couldn't uninstall it? Or what? Because your second post is difficult to understand...

Greetz...

#6 hobbyfarmer

Posted 25 May 2004 - 05:24 AM

I went to Add/Remove Programs, and when I went to uninstall I got the message [other adpowered software installed remove first]. Here is my log from HijackThis.
Scan saved at 6:24:01 AM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\wfxsnt40.exe
F:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
F:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
f:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\WEBSHOTS.SCR
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
F:\program files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\devldr32.exe
F:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
F:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\Msimn.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50022
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50022
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50022
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WFXSwtch] F:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] f:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CXMon] "f:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [AHQInit] f:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [aČ] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Webshots.lnk = H:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Corel Family & Friends Reminders.LNK = C:\Program Files\Accessories\cffrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictive...0/cab/pwtay.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5....v43/yacscom.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7870.2038657407
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldw...apit/swapit.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E154E3CC-0C3A-4101-91D8-6B4876F0FD64} (PrintScreen Class) - http://www.myemo.com...Flash2Image.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Online-Registration Web Client V1.0) - http://www.creative....ORWebClient.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{979B97FC-DA90-42F9-AC64-3F6A8E042AAE}: NameServer = 209.226.175.223 198.235.216.134

#7 Quinstar

Posted 25 May 2004 - 01:31 PM

1. Go to safe mode (tapping f8 frequently during boot-up)
2. Press Ctrl+Alt+Del and kill running entries for Wintools.
3. Uninstall Wintools from Add/Remove. It will prompt for a reboot. Do that and reboot.
4. Run HijackThis and fix the Wintools entries and delete the folder if present.
5. Reboot and post fresh log

That should do..

#8 hobbyfarmer

Posted 26 May 2004 - 05:59 AM

I'm computer illiterate. There are 4 choices when I hit F8 for safe startup, and I don't have a boot disk of any kind, and I'm running Windows XP Pro.

#9 Quinstar

Posted 26 May 2004 - 11:05 AM

1. Go to safe mode (tapping f8 frequently during boot-up)


You only need to select safe mode... Nothing else... No command prompt, no network capability, just plain safe mode... :)


2. Press ctrl+alt+del and Kill running entries for Wintools.

Press Ctrl+Alt+Del, a window will pop up... Go to the Processes tab...
You will see a list with program entries on the left, all ending with .exe
Look for entries that are related to Wintools... Right-click each one and choose "End Process"
Close the window again...

3. Uninstall Wintools from Add/Remove. it will prompt for reboot. do that and reboot.
4. Run HijackThis and fix the Wintools entries and delete the folder if present.

All entries containing the word Wintools
5. Reboot and post fresh log



Greetz...

Edited by Quinstar, 26 May 2004 - 11:06 AM.


#10 hobbyfarmer

Posted 27 May 2004 - 06:27 AM

Success, got rid of WinTools. Just 2 more items to get rid of: [HuntBar user settings HKEY_USERS\S-1-5-18\SOFTWARE\BTLINK and user settings HKEY_USERS\.DEFAULT\Software\BTLINK]; both are registry keys. Spybot also finds [Avenue A, Inc] and [DSO Exploit]. When I run CWShredder it finds C:\WINDOWS\UNINSTCC.EXE. Should I get rid of it?

#11 Quinstar

Posted 27 May 2004 - 07:48 AM

Post me a fresh log and I'll have a look...


Greetz...

#12 hobbyfarmer

Posted 27 May 2004 - 01:46 PM

In the last post I made, all the problems are in registry keys. Here is a fresh log.
Logfile of HijackThis v1.97.7
Scan saved at 2:45:35 PM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\wfxsnt40.exe
F:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
F:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\a2\a2guard.exe
f:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\WEBSHOTS.SCR
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
F:\program files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
F:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
F:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WFXSwtch] F:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] f:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CXMon] "f:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [AHQInit] f:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [aČ] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Webshots.lnk = H:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Corel Family & Friends Reminders.LNK = C:\Program Files\Accessories\cffrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictive...0/cab/pwtay.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5....v43/yacscom.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7870.2038657407
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldw...apit/swapit.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E154E3CC-0C3A-4101-91D8-6B4876F0FD64} (PrintScreen Class) - http://www.myemo.com...Flash2Image.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Online-Registration Web Client V1.0) - http://www.creative....ORWebClient.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{979B97FC-DA90-42F9-AC64-3F6A8E042AAE}: NameServer = 209.226.175.223 198.235.216.134
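
Comparing the 25 May and 27 May scans above by hand is error-prone, so here is an added Python example (not part of the original posts and not HijackThis code; the function names are hypothetical, and the sample lines are excerpted from the two logs in this thread). It diffs two scans and shows that a keyword search for "WinTools" misses the leftover R3 entry, which is tied to WinTools only through its CLSID.

```python
import re

# A HijackThis result line is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [...]".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Sample input: a few lines excerpted from the 25 May and 27 May logs in this thread.
SCAN_25_MAY = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
"""

SCAN_27_MAY = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
"""


def parse_scan(text):
    """Split a log into running-process paths and (code, detail) entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False          # a blank line ends the process list
        elif (m := ENTRY_RE.match(line)):
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def mentions(entries, keyword):
    """Entries whose detail contains the keyword, case-insensitively."""
    kw = keyword.lower()
    return [e for e in entries if kw in e[1].lower()]


def compare(before, after):
    """What disappeared and what appeared between two scans."""
    p0, e0 = parse_scan(before)
    p1, e1 = parse_scan(after)
    return {
        "processes_gone": [p for p in p0 if p not in p1],
        "entries_gone": [e for e in e0 if e not in e1],
        "entries_new": [e for e in e1 if e not in e0],
    }


def leftover_registrations(before, after, keyword):
    """Entries in the later scan that reuse a CLSID the keyword owned earlier.

    After the files are deleted the path becomes "(no file)", so the keyword
    no longer appears in the line; the CLSID is the only remaining link.
    """
    _, e0 = parse_scan(before)
    _, e1 = parse_scan(after)
    owned = {c.upper() for _, d in mentions(e0, keyword) for c in CLSID_RE.findall(d)}
    return [e for e in e1 if any(c.upper() in owned for c in CLSID_RE.findall(e[1]))]


if __name__ == "__main__":
    diff = compare(SCAN_25_MAY, SCAN_27_MAY)
    for label, items in diff.items():
        print(label)
        for item in items:
            print("   ", item)
    print("still registered under a WinTools CLSID:")
    for code, detail in leftover_registrations(SCAN_25_MAY, SCAN_27_MAY, "wintools"):
        print("   ", code, "-", detail)
```
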

#13 buzzmag

Member, New Member, 1 post

Posted 27 May 2004 - 02:17 PM

;) Maybe just dumb luck but I was able to get rid of WinTools by deleting all non-exe files first, i.e. *.cfg, *.wzg, *.dll --- then deleted the four *.exe files. Last to go was the WinTools folder.

Running *.exe files can't be deleted while these other files are present.

#14 Quinstar

Posted 29 May 2004 - 02:21 AM

Hi again...


Open HiJackThis and tick the next entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictive...0/cab/pwtay.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.exe


After this, you can also add the next entries... By fixing them you will shorten boot-up time and free up resources... By doing this you will not harm your programs and they will still be able to start manually via the start-button...

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe


O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Corel Family & Friends Reminders.LNK = C:\Program Files\Accessories\cffrem.exe


Now, close all programs and browsers, including this browser, and hit Fix in HiJackThis (double-check the entries you ticked before closing the browser...)

Reboot...


Now delete these files:
C:\WINDOWS\SYSTEM\blank.htm <--- Note: this isn't the System32-folder
C:\WINDOWS\alchem.exe


Now see if you get the same errors... about the reg-keys
Are you sure you hit fix and not scan with CWShredder?

Try those two in safe mode again if you get the errors...

If they still occur, note down all the info I can use to examine the problem...
Also post me a fresh log...


Good Luck...

#15 hobbyfarmer

Posted 29 May 2004 - 05:46 AM

In Spybot it cannot fix HuntBar user settings HKEY_USERS\S-1-5-18\software\BTLINK and user settings HKEY_USERS\.DEFAULT\Software\BTLINK. I get the message: some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory). This could be fixed after a restart. May Spybot-S&D run on your next startup? I clicked yes and it still will not fix it. I CANNOT FIND THE FILES YOU POSTED ON MY COMPUTER.
Logfile of HijackThis v1.97.7
Scan saved at 6:44:09 AM, on 5/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\wfxsnt40.exe
F:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
F:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\a2\a2guard.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
f:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\WEBSHOTS.SCR
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
F:\program files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
F:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
F:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\USER\Desktop\PC Tuneup\CWShredder.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WFXSwtch] F:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] f:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CXMon] "f:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [AHQInit] f:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [aČ] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: Webshots.lnk = H:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Corel Family & Friends Reminders.LNK = C:\Program Files\Accessories\cffrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5....v43/yacscom.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7870.2038657407
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldw...apit/swapit.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E154E3CC-0C3A-4101-91D8-6B4876F0FD64} (PrintScreen Class) - http://www.myemo.com...Flash2Image.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Online-Registration Web Client V1.0) - http://www.creative....ORWebClient.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{979B97FC-DA90-42F9-AC64-3F6A8E042AAE}: NameServer = 209.226.175.223 198.235.216.134

#16 hobbyfarmer

Posted 29 May 2004 - 05:57 AM

CWShredder doesn't know to fix this file; it says to ask if this should be fixed, so I'm asking: C:\WINDOWS\UNINSTCC.EXE

#17 Quinstar

Posted 29 May 2004 - 12:56 PM

Well, to be honest, I don't know if it has to fix C:\WINDOWS\UNINSTCC.EXE
And I can't find anything on the net about it...
So here's how we handle these things:
Look up the file UNINSTCC.EXE using explorer
So navigate to C:/WINDOWS/
Right-click UNINSTCC.EXE and zip it...
Now email the zip-file to here
When you send the mail, be sure to add a link to this page...
OR copy this next line:
http://www.spywarein...indpost&p=12935

And paste it into the email... That's a shortcut to our request to investigate it...


For the files you couldn't find, do this:

Click Start...
Open My Computer...
Select the Tools menu and click Folder Options...
Select the View Tab...
Under the Hidden files and folders heading select Show hidden files and folders...
Uncheck the Hide protected operating system files (recommended) option...
Click Yes to confirm...
Click OK...

Now look for these files and delete them:
C:\WINDOWS\SYSTEM\blank.htm <--- Note: this isn't the System32-folder
C:\WINDOWS\alchem.exe
If you still can't find them, don't worry, it's just for cleaning up, they are harmless at the moment...

For your huntbar problem...
Let's try this:

Go to start>run
Type cmd
Hit enter
A black box will popup
In my next lines [space] means hit the space bar once
be sure you add the " at the end of the lines
in the black box you'll see a prompt... type the next line:

cd[space]"%WinDir%\System"

Hit enter
Now type the next line:

regsvr32[space]/u[space]"\Program Files\Common Files\BTLINK\btlink.dll"

Hit enter
That should uninstall it...
Now, reboot
And delete the next folder:
c:/Program Files/Common Files/BTLINK/

and you can delete the next file:
c:/Windows/System32/btiein.dll

Now try running spybot again...


Tell me what problems you had if any occurred...



Good Luck...

Edited by Quinstar, 29 May 2004 - 12:57 PM.

#18 hobbyfarmer

Posted 02 June 2004 - 05:03 PM

I could not find the files.

#19 Quinstar

Posted 02 June 2004 - 05:58 PM

Did all the rest work?
What are the problems that are remaining?

Greetz...

#20 hobbyfarmer

Posted 03 June 2004 - 03:54 AM

Still have hunt bar and all those reg keys, but I'm going to call it good enough. Thanks for all your help.

#21 Quinstar

Posted 03 June 2004 - 05:51 PM

Well, you can call it good enough, but for me you're not clean at all if you're still having troubles... :)
So if you're up to it, we'll be fixing for as long as it takes to get you fixed...
So if you're still interested, tell me absolutely everything about the problems you're still having, the full reg-key, the hunt-bar info's, everything... I'll get you some fixes to get rid of them...
Some infections are hard...
But I'm harder... :D


Greetz...

Edited by Quinstar, 03 June 2004 - 05:52 PM.


#22 hobbyfarmer

Posted 05 June 2004 - 04:59 AM

Spybot will not remove the hunt bar reg keys, but Spybot will delete avenue a inc, ds0 exploit and mediaplex just to have them reinstall immediately. avenue a is a tracking cookie. ds0 exploit are data source object exploit HKEY_USERS. mediaplex is a tracking cookie. huntbar is user settings HKEY_USERS\S-1-5-18\SOFTWARE\btlink and user settings HKEY_USERS\.DEFAULT\SOFTWARE\BTLINK

#23 Quinstar

Posted 05 June 2004 - 02:34 PM

Let's see....
I'm going to give you some instructions again... Follow them closely... If they don't work, try them a second and a third time... If you still have a problem at the exact same time every time you try one procedure, tell it to me so I know what the problem exactly is...

First we'll give huntbar another go:
Go to your control panel and open the 'add/remove software' part...
Look for these entries:
'Internet 404' and 'Tools for Internet Explorer' and 'MSIETS'
If they are present, click them to uninstall... Be sure you are connected to the internet...

Afterwards, run adaware and spybot search&destroy again... Be sure you have downloaded the latest updates... Are you using spybot 1.3?
Reboot into safe mode and run them again...

Had you done these instructions I gave you earlier?

For your huntbar problem...
Let's try this:

Go to start>run
Type cmd
Hit enter
A black box will popup
In my next lines [space] means hit the space bar once
be sure you add the " at the end of the lines
in the black box you'll see a prompt... type the next line:

cd[space]"%WinDir%\System"

Hit enter
Now type the next line:

regsvr32[space]/u[space]"\Program Files\Common Files\BTLINK\btlink.dll"

Hit enter
That should uninstall it...

Didn't they work? what went wrong?

Try this first... We'll see if any of it will work... :)


Greetz...

#24 hobbyfarmer

Posted 06 June 2004 - 05:00 AM

Those are not in Add/Remove Programs, and with the run instructions I get the message "specified file could not be found". I have Spybot 1.3 and it is fully updated. Trying to figure out how to start in safe mode without using the F key; be back with more info soon.

#25 Quinstar

Posted 06 June 2004 - 07:42 AM

I don't get it...
Can you locate this folder?
c:\Program Files\Common Files\BTLINK\
Is it still present?
If so, try deleting it... If that isn't possible, try deleting it in safe mode...

Greetz...

#26 hobbyfarmer

Posted 06 June 2004 - 09:49 AM

I can't find the file; it does not exist. Spybot says it does exist and cannot delete it.

#27 Quinstar

Posted 06 June 2004 - 09:59 AM

no, not the file, the folder :)
Can you locate a folder named BTlink in the c:/program files/common files-folder

Maybe you need to make hidden files and folders visible if you haven't done that yet:

Click Start...
Open My Computer...
Select the Tools menu and click Folder Options...
Select the View Tab...
Under the Hidden files and folders heading select Show hidden files and folders...
Uncheck the Hide protected operating system files (recommended) option...
Click Yes to confirm...
Click OK...


Good Luck...

#28 hobbyfarmer

Posted 08 June 2004 - 03:51 AM

the folder is not there.

#29 Quinstar

Posted 08 June 2004 - 03:38 PM

okay...
Let's try this...
Scan again with spybot... Look for any updates first if there are any...
Then give me all the info about huntbar...
A path would be nice to know what folder it could be in...
I can't tell that from the regkeys...

Greetz...

#30 colum

Posted 08 June 2004 - 10:13 PM

I had this problem too. Hope this helps. Look in properties in the Wintools file and check the date and time it was created. This info helped to locate a file on my Hijackthis log as WintoolsB, it was the exact date and time, and under my daughter's name ( C:DOCUME~1\letters of her first name~1\LOCALS~1\Temp\WToolsB.dll ). This file is also shown on the Hijackthis log. I could not delete this file until I ran Hijackthis and fixed Wintools\WToolsA.exe and WinTools\WSup.exe. PLEASE DOUBLE CHECK- The date it was created and time matched on mine, unsure of yours. >> Remember to print and save your logs.
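
Colum's tip in post #30 (matching a known-bad file's creation date and time against other files on the disk) can be automated. The following Python script is an added example, not part of any post in this thread: it lists files whose timestamp falls within a window of a reference file's. The function names, the 120-second window and the demo tree (with `report.doc` as a constructed benign file) are assumptions.

```python
import os
import tempfile
from pathlib import Path

def created(st):
    """Creation time: st_birthtime where the platform exposes it, else st_ctime
    (creation time on Windows, inode-change time on Linux)."""
    return getattr(st, "st_birthtime", st.st_ctime)

def files_near(reference, roots, window=120, stamp=created):
    """Return [(path, offset_seconds)] for files under roots whose timestamp
    is within `window` seconds of the reference file's, closest first."""
    ref_path = Path(reference).resolve()
    ref_time = stamp(ref_path.stat())
    hits = []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root, onerror=lambda e: None):
            for name in names:
                p = Path(dirpath, name)
                try:
                    if p.resolve() == ref_path:
                        continue
                    offset = stamp(p.stat()) - ref_time
                except OSError:
                    continue  # locked or vanished file: skip, keep scanning
                if abs(offset) <= window:
                    hits.append((str(p), round(offset)))
    return sorted(hits, key=lambda h: abs(h[1]))

def demo():
    """Constructed sample tree; mtime stands in for creation time so the
    timestamps can be set deterministically with os.utime."""
    base = 1086000000  # constructed epoch value (June 2004)
    with tempfile.TemporaryDirectory() as d:
        layout = {"WinTools/WToolsA.exe": 0, "WinTools/WSup.exe": 3,
                  "Temp/WToolsB.dll": 41, "Temp/report.doc": 86400}
        for rel, delta in layout.items():
            p = Path(d, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"")
            os.utime(p, (base + delta, base + delta))
        hits = files_near(Path(d, "WinTools/WToolsA.exe"), [d],
                          stamp=lambda st: st.st_mtime)
        return [(Path(p).name, off) for p, off in hits]

if __name__ == "__main__":
    print(demo())
```

A timestamp match is only a lead: as the post says, double-check each hit before deleting anything.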

#31 Quinstar

Posted 09 June 2004 - 03:36 AM

Colum reminds me of a question I should have asked already...
Are you having multiple user-accounts?
If so, post me a log of all the accounts, and tell them if they have administrator rights or not...

#32 colum

Posted 09 June 2004 - 03:24 PM

I am glad I was of at least a little help, Quinstar. We all want to enjoy our computer system, but there is so much about them we should familiarize ourselves with. I am a novice and learned to pay attention to several things on a daily basis: 1.) Note if there are added files in C:/Program Files/Common Files/ (e.g. Wintools); this is where the parasite usually sets up shop, so to speak. 2.) Check C:/Windows/Downloaded Program Files for different items installed. I play on a gamesite regularly and the games are installed to avoid repetitive installation; there was one game I NEVER played and couldn't uninstall. This was a Hijacker using my computer; I could not close windows that were open (had to minimize or restart), nor print. 3.) There are several things to check on a regular basis and I am still learning every day. I am following your suggestions to hobbyfarmer; they help me too.

#33 hobbyfarmer

Posted 11 June 2004 - 03:58 AM

Only 1 user and I have admin rights, thanks.

#34 Quinstar

Posted 11 June 2004 - 04:59 AM

have you read this?

okay...
Let's try this...
Scan again with spybot... Look for any updates first if there are any...
Then give me all the info about huntbar...
A path would be nice to know what folder it could be in...
I can't tell that from the regkeys...

Greetz...


#35 hobbyfarmer

Posted 12 June 2004 - 05:26 AM

I'm done with this huntbar thing; I'm just going to fdisk and reinstall Windows. Thanks for all the help, but I can't find hunt bar anywhere except where I stated already, and I tried everything you said to try, and now we are just running in circles.

#36 WinHelp2002

Posted 12 June 2004 - 08:45 AM

Quinstar,
Unable to Remove BTIEIN Registry Subkey Using Ad-aware
http://www.lavahelp....04/02/0302.html

Note: most likely would apply to SpyBot also? ... just a thought.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#37 Quinstar

Posted 12 June 2004 - 09:42 AM

I wouldn't ask things that I already know, therefore we are not running in circles...
If you think we are, then read more carefully...

We could try what Winhelp2002 says (thanks for the tip)
If you are familiar with registry editing, then navigate to these keys:
HKEY_USERS\S-1-5-18\SOFTWARE\btlink
HKEY_USERS\.DEFAULT\SOFTWARE\BTLINK
and perform the next actions for both:
Right-click BTLINK and choose Permissions. Edit the permissions such that the user of your choice has Full Control, and apply the changes. Then, while logged in with that user account, manually attempt to delete the BTLINK subkey from the registry by right-clicking BTLINK and choosing delete.
Or if you can't remove them manually, just change the permissions and scan with spybot to remove them...

If you need help on how to edit the registry, then reply in here again...
NOTE: editing the registry can be very harmful if you edit the wrong keys... Therefore, handle with care and take precautions (registry-backup if needed)...


Greetz...

Edited by Quinstar, 12 June 2004 - 09:44 AM.
