caveninit

WinTools and Websearch Toolbar removal problems

11 posts in this topic

Hello. I have been having a very hard time trying to rid my computer of WinTools and Websearch Toolbar. I have and run the following, all updated, spyware removal tools: Ad-Aware, Spy Sweeper, CWShredder, and Spybot. Ad-Aware keeps trying to delete WinTools and all the variants, but it is unable to. It has detected and tried to remove Websearch Toolbar, and Spy Sweeper has also, but it keeps coming back. I have tried turning off System Restore (I have Windows XP), then running a scan, then rebooting; the problems still persist. I am very new to computers, and I do not like to mess with my registry. I have had to manually remove tons of other garbage, like VX Transponder and Purity Scan, and that was no picnic, but I did get them removed. This WinTools and Websearch Toolbar are STUBBORN! I know pretty much most of the files and keys associated with them; I just can't remove them. I am including my HijackThis log that I just completed.

If someone could help me, I sure would be very appreciative. And before I remove anything, should I turn off System Restore first or start up in Safe Mode?

Thanks for any help offered here.

 

Janet

 

Logfile of HijackThis v1.97.7

Scan saved at 11:08:40 PM, on 6/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\unbtaauz.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\hphmon03.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Janet\Local Settings\Temporary Internet Files\Content.IE5\25PMRML0\HijackThis[1].exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\WINDOWS\PopUpWasher21.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: enc ooze - {99F88EA1-05C5-7A2B-F831-9B8DD68BEFAC} - C:\PROGRA~1\MEALDE~1\Dash Ford.dll (file missing)

O4 - HKLM\..\Run: [xpvysamj] C:\WINDOWS\System32\unbtaauz.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [FPZ] C:\WINDOWS\FPZ.exe

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [PopUpWasher] C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe

O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


Just to let you know I'm looking at your log for you. Please be patient and I'll get back to you as soon as I can.


First of all, you are running HijackThis out of a temporary directory. Can you please create a folder in C:\Program Files and call it HijackThis or HJT or similar. Then extract HijackThis into the folder you have created and run it from there. The reason for this is that HijackThis cannot create backup files whilst it is being run from a temporary folder.

Go to Pandasoftware and perform an online virus scan. Let it fix anything that it finds. Do the same at sygatetech.

There was an Ad-Aware update yesterday. Can you please update it and run another scan, and also make sure Ad-Aware is configured as follows. Screenshot instructions for setup are here.

Press Ctrl+Alt+Del to bring up the Task Manager and, under Processes, end any WinTools processes running. In Start > Control Panel > Performance and Maintenance > Administrative Tools > Services, again stop any WinTools services.

In Start > Control Panel > Add or Remove Programs, make sure you have Change or Remove Programs selected in the sidebar, then highlight the following programs and uninstall them.

WinTools

Close all other windows except for HijackThis, put a check against the following items and click 'Fix checked'. After that, reboot.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

 

O3 - Toolbar: enc ooze - {99F88EA1-05C5-7A2B-F831-9B8DD68BEFAC} - C:\PROGRA~1\MEALDE~1\Dash Ford.dll (file missing)

 

O4 - HKLM\..\Run: [xpvysamj] C:\WINDOWS\System32\unbtaauz.exe

O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

 

Now reboot your computer and start in safe mode. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter. For further information on safe mode click here

 

Make sure you have all hidden files shown.

 

Delete the following entries:

 

Files

C:\WINDOWS\System32\unbtaauz.exe

 

Folders

C:\Program Files\Common files\WinTools

C:\Program Files\Play Plus

 

In Windows Explorer, can you highlight, right-click and check the properties of

C:\WINDOWS\FPZ.exe

List all the properties of it in a reply, or if you know that you installed it, which program. I suspect it's a baddie. I may ask you to submit it for analysis.

 

Reboot and post a fresh log so we can check that everything has been cleaned. In the meantime you can help prevent this happening again.

 

SpywareBlaster will block bad ActiveX and malevolent cookies.

 

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

 

Both are very small free programs that you run once, and then just occasionally to check for updates.

 

If you don't have an up to date hosts file it might be a good idea to replace it with a new one. This will help you block bad sites and ad servers. In windows explorer go to C:\WINDOWS\System32\Drivers\Etc, locate the file called hosts (no file extension) and rename it to hosts.old. Then download MVPS hosts file and extract it to the exact same location.

 

It may be worth reading How did I get infected in the first place?


Hi again, and thanks for your instructions. I did all that you said to do, but on my HijackThis scan after my last reboot, there are still a few of the things that I had deleted that are still showing up. I cannot find that FPZ.exe ANYWHERE. I have Show hidden files checked; still nothing. I also cannot find PlayPlus, and that is one I deleted months ago. Same with unbtaauz.

I do have protection from these ActiveX problems. I have SpywareBlaster and also GuardwallIE. Something keeps disabling Guardwall. I haven't figured that out yet.

Thanks again, and I hope I can somehow, with your help, get the last 3 problems fixed.

I am attaching my HijackThis log that I just did after reboot.

Janet

 

 

Logfile of HijackThis v1.97.7

Scan saved at 5:21:45 PM, on 6/13/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\hphmon03.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\System32\HPHipm09.exe

C:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\WINDOWS\PopUpWasher21.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [FPZ] C:\WINDOWS\FPZ.exe

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - HKLM\..\Run: [xpvysamj] C:\WINDOWS\System32\unbtaauz.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [PopUpWasher] C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


WinTools is still there as well, which is strange. Did you manage to delete the WinTools folder? If it has a service running, it can cause a problem.

Go to Start > Run > Services.msc

Check the list for any of these names and disable them if they exist.

[FPZ] or FPZ.exe

[xpvysamj] or unbtaauz.exe

[logocake] or Play Plus or ToolBlah.exe

and for WinTools

WinTools for IE service: if it exists, stop it and set it to 'Disabled'.

Now restart your computer, go to Start > Run > Regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

Double-click that "Services" subkey to expand the branch, locate the WinTools subkey, right-click it, and choose 'Delete' from the context menu.

Uninstall WinTools in Start > Control Panel > Add or Remove Programs.

Close all other windows except for HijackThis, put a check against the following items and click 'Fix checked'.

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

 

O4 - HKLM\..\Run: [FPZ] C:\WINDOWS\FPZ.exe

O4 - HKLM\..\Run: [xpvysamj] C:\WINDOWS\System32\unbtaauz.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

 

Run this registry script, which forces Windows to show so-called "superhidden" files:

Copy the contents of the quote box to Notepad and save it in a location of your choice as Unhide.reg (make sure to save as type "All Files").

Double-click Unhide.reg and answer 'Yes' when prompted to add its contents to the Registry, then restart your computer into Safe Mode.

Windows Registry Editor Version 5.00

; Make the Search companion look inside system folders, hidden files and subfolders
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001

; Hidden=1 shows hidden files; ShowSuperHidden=1 also shows protected operating system files
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001

 

Delete the folder

 

C:\Program Files\Common files\WinTools

 

Hit the Search button > All files and folders and search the local hard drive C: for

Folder

PlayPlus

 

Files

FPZ.exe

unbtaauz.exe

ToolBlah.exe

 

and delete them.

 

Reboot and post a fresh log. Let me know again which of the files you could/couldn't find.


Hi. First off, yes, I was able to uninstall WinTools and the folder is gone now.

As for the rest, I printed out your instructions and followed them exactly, but I still cannot find WToolsA.exe (it is not even showing in my registry processes, which it was, along with all the other WinTools applications, before I deleted the folder). I also still cannot find PlayPlus, FPZ.exe, unbtaauz.exe, or ToolBlah.

They are all showing up in my HijackThis log, but nowhere else. Weird!

I must say, I am happy that I am not getting any more pop-ups in OE. That was driving me crazy.

Here is my current HijackThis log. Any more advice on what to do now would be appreciated. Thanks for your time and help.

Janet

 

Logfile of HijackThis v1.97.7

Scan saved at 11:03:35 AM, on 6/14/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\hphmon03.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\System32\HPHipm09.exe

C:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\WINDOWS\PopUpWasher21.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - HKLM\..\Run: [FPZ] C:\WINDOWS\FPZ.exe

O4 - HKLM\..\Run: [xpvysamj] C:\WINDOWS\System32\unbtaauz.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [PopUpWasher] C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


I'm going to consult someone as to why these files may be hidden from view yet appearing in the log. I'll get back to you.


Thanks. I noticed that Explorer.exe is a process running in my Windows Task Manager. When I was researching WinTools, I saw it mentioned that Explorer.exe was one of the WinTools applications or something. Just thought I would run that by you.

Janet


That should just be Windows Explorer. Do a search on your C: drive; the only explorer.exe should be in C:\Windows, as listed in the running processes in your log, and be 981 KB.

Can you update Ad-Aware again and then boot into Safe Mode and perform a scan. Reboot normally and repost a log.

Edited by Scoff


No new updates for Ad-Aware. Ran a scan in Safe Mode. It did not detect anything.

Rebooted and here is my HijackThis log.

Thanks bunches.

Janet

 

Logfile of HijackThis v1.97.7

Scan saved at 5:21:45 PM, on 6/13/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\hphmon03.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\System32\HPHipm09.exe

C:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\WINDOWS\PopUpWasher21.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [FPZ] C:\WINDOWS\FPZ.exe

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - HKLM\..\Run: [xpvysamj] C:\WINDOWS\System32\unbtaauz.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [PopUpWasher] C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


Question: are you the only user of this PC, or are there multiple accounts set up on it?

So far no one's seen anything here to explain why these files are playing hide and seek. To get rid of them I think we need to go through from the start and confirm that each step works. Print this out and follow it from the page rather than from the screen.

Spybot has been updated. Can you get the new update, perform a scan and reboot afterwards.

Step 1

Start > Run > msconfig. In Services and Startup, enable all.

Step 2

Hit Ctrl+Alt+Del to bring up the Task Manager. End Spy Sweeper and Guardwall IE. (I think they've got settings to protect changes to your system, and I want to eliminate anything that may interfere with this process.)

Step 3

Go to Start > Run > Services.msc

Scroll down to the WinTools for IE service; if it exists, stop it and set it to 'Disabled'.

Step 4

In Start > Control Panel > Add or Remove Programs, make sure you have Change or Remove Programs selected in the grey sidebar, then highlight WinTools and remove it.

Step 5

Open HijackThis and hit Scan. When the scan is complete, put a check mark in the square next to the following items and hit 'Fix Checked'. Make sure that every other window and program is closed, including this one. Nothing should be open except for HijackThis.

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

 

O4 - HKLM\..\Run: [FPZ] C:\WINDOWS\FPZ.exe

O4 - HKLM\..\Run: [xpvysamj] C:\WINDOWS\System32\unbtaauz.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

 

Step 6

Reboot into Safe Mode and enable all hidden files.

Step 7

In Windows Explorer, navigate to the following entries and delete them:

  • Folder C:\Program Files\Common files\WinTools
  • File C:\WINDOWS\FPZ.exe
  • File C:\WINDOWS\System32\unbtaauz.exe
  • File C:\PROGRAM FILES\PLAYPLUS\ToolBlah.exe

Step 8 (if Step 7 fails)

In Windows Explorer, if it is not already shown, go to View > Toolbars and select Standard Buttons. Highlight the C: drive and hit the Search button. Search Files and Folders for each of these in turn. If found, delete them.

  • FPZ.exe
  • unbtaauz.exe
  • WToolsA.exe <= if WToolsA.exe is found and is in 'Wintools' Folder, delete the folder, if in any other folder, make a note of the name and delete the file WToolsA.exe
  • ToolBlah.exe <= if ToolBlah.exe is found and is in 'PlayPlus' Folder, delete the folder, if in any other folder, make a note of the name and delete the file ToolBlah.exe

Step 9

Reboot normally and scan with ad-aware. Make sure set-up is as follows.

  • In the main window look in the bottom right corner and click on Check for updates now and download the latest reference files.
  • Make sure the following settings are made and on (ON = GREEN)
  • From main window : Click Start then Activate in-depth scan (recommended)
  • Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.
  • Now click on the Tweak button in that same window. Under Scanning Engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot.
  • Click Proceed to save your settings. Now to scan just click the Next button.
  • When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).
  • Reboot

Step 10

Run HijackThis and post a fresh log.

 

Also make a note of everything that happened for each step and add it to your reply: whether the process was there in Task Manager, was it ended, did the scan find anything, did you get into Safe Mode, etc.

 

We'll get to the bottom of this eventually.
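A way to read the logs in this thread mechanically, as an added example that is not part of the thread or of HijackThis. An O4 line is a registry Run value, so it is listed whether or not the file it points at is still on disk; the Running processes block, by contrast, shows what was actually in memory when the scan ran. The script below parses both sections of a HijackThis log, lists Run entries with no matching process, flags 8.3 short names (PROGRA~1) that a search by the long folder name will miss, and compares two logs to show which entries survived a 'Fix checked' and reboot. The two log excerpts are copied from the 6/11 and 6/14 logs posted above, abridged to the lines the check needs; the function names and the report format are this example's own.

```python
"""Cross-check HijackThis O4 (registry Run) entries against the 'Running
processes' list of the same log, and compare two logs for entries that
survived a 'Fix checked' and reboot.  Added example for this thread; not
part of HijackThis.  Log excerpts are abridged copies of the posted logs."""
import re
from typing import List, NamedTuple, Set, Tuple


class RunEntry(NamedTuple):
    hive: str      # HKLM or HKCU
    name: str      # value name shown in [...]
    command: str   # command line as logged
    exe: str       # lower-cased basename of the executable


# e.g.  O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[([^\]]*)\] (.*)$')
PROC_RE = re.compile(r'^[A-Za-z]:\\.*\.exe$', re.IGNORECASE)


def exe_basename(command: str) -> str:
    """Executable name from a Run command line: a quoted path is taken whole,
    an unquoted one is cut at the first '.exe' followed by whitespace."""
    cmd = command.strip()
    if cmd.startswith('"'):
        path = cmd[1:cmd.find('"', 1)]
    else:
        m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
        path = m.group(1) if m else cmd
    return path.rsplit('\\', 1)[-1].lower()


def parse_log(text: str) -> Tuple[Set[str], List[RunEntry]]:
    """Return (running-process basenames, O4 Run entries) from one log."""
    procs: Set[str] = set()
    runs: List[RunEntry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('Running processes:'):
            in_procs = True
            continue
        if in_procs:
            if PROC_RE.match(line):
                procs.add(line.rsplit('\\', 1)[-1].lower())
                continue
            in_procs = False          # first non-path line ends the block
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            runs.append(RunEntry(hive, name, cmd, exe_basename(cmd)))
    return procs, runs


def not_running(procs: Set[str], runs: List[RunEntry]) -> List[RunEntry]:
    """Run entries whose executable was not in memory at scan time.
    Legitimate run-and-exit helpers land here too, so treat it as a lead."""
    return [r for r in runs if r.exe not in procs]


def persisted(before: List[RunEntry], after: List[RunEntry]) -> List[str]:
    """Value names present in both logs: entries that came back, or were
    never removed, between the two scans."""
    seen = {r.name.lower() for r in before}
    return sorted(r.name for r in after if r.name.lower() in seen)


def uses_short_name(entry: RunEntry) -> bool:
    """8.3 names like PROGRA~1 hide the real folder name from a file search."""
    return '~' in entry.command


# Abridged excerpts of the 6/11 and 6/14 logs posted in this thread.
LOG_0611 = r"""
Running processes:
C:\WINDOWS\System32\unbtaauz.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [xpvysamj] C:\WINDOWS\System32\unbtaauz.exe
O4 - HKLM\..\Run: [FPZ] C:\WINDOWS\FPZ.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
"""

LOG_0614 = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\HijackThis.exe

O4 - HKLM\..\Run: [FPZ] C:\WINDOWS\FPZ.exe
O4 - HKLM\..\Run: [xpvysamj] C:\WINDOWS\System32\unbtaauz.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
"""

if __name__ == '__main__':
    p1, r1 = parse_log(LOG_0611)
    p2, r2 = parse_log(LOG_0614)
    for label, procs, runs in (('6/11', p1, r1), ('6/14', p2, r2)):
        print(f'{label}: Run entries with no matching process:')
        for e in not_running(procs, runs):
            flag = '  (8.3 short name, expand before searching)' if uses_short_name(e) else ''
            print(f'  {e.hive} [{e.name}] -> {e.command}{flag}')
    print('Survived between the two scans:', persisted(r1, r2))
```

On the 6/11 excerpt the "no matching process" list is FPZ, ccRegVfy, logocake and Ad-aware; ccRegVfy and the Ad-aware RunOnce value are ordinary run-and-exit helpers, which is why the list is a lead and not a verdict. On the 6/14 excerpt it is FPZ, xpvysamj, WinTools and logocake, the same four names persisted() returns and the same four O4 lines the thread keeps fixing. Since an O4 line is only a registry value, a target file that really is gone leaves nothing to find on disk, and deleting the value (which is what 'Fix checked' does for O4) is the whole fix; a value that returns after a reboot points at something still running that re-creates it.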
