Need Help Removing WintoolsA


5 replies to this topic

#1 tomwag, Member (Full Member, 14 posts)

Posted 15 June 2004 - 05:25 PM

I've run Spybot, Ad-Aware, CWShredder and the Peper uninstall in safe mode; I still have WintoolsA.

HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 6:16:44 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Lexmark\NetPnP\LexPnPAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\system32\userinit.exe
C:\Documents and Settings\ACCTTMH.BASICINC\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [PnPDef] C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = basicinc.local
O17 - HKLM\Software\..\Telephony: DomainName = basicinc.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = basicinc.local

Thank you for your assistance....

#2 tomwag, Member (Full Member, 14 posts)

Posted 15 June 2004 - 05:38 PM

Is "C:\WINDOWS\system32\lsass.exe" sasser?

#3 NonSuch, Spyware Eradicator! (Trusted Advisor, 1,369 posts)

Posted 16 June 2004 - 12:40 AM

Quote: Is "C:\WINDOWS\system32\lsass.exe" sasser?

No. lsass.exe is what the Sasser worm is named for, because it strikes through an LSASS vulnerability on an unpatched system. Microsoft has had a patch available for some time now that addresses this vulnerability. This is why it is so important to keep your system updated. This is a legitimate file. Do not attempt to remove it!

To remove Wintools:

1. Boot into safe mode by tapping the F8 key as your computer reboots.
2. Kill the running entries: press Ctrl+Alt+Del to bring up the Task Manager --> Processes tab --> highlight the WinTools processes and click "End Process."
3. Uninstall WinTools from Add/Remove Programs. It should prompt for a reboot; do so.

Reboot into safe mode, this way:
Restart the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Also, enable the "Show Hidden Files and Folders" option:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now, search for, and delete if found, (some files may not be present after previous steps) the following:

C:\Program Files\Common files\WinTools\ < folder

Reboot.

Please delete your temporary files: delete all files and folders inside the Temp folders (do not delete the Temp folder itself), for example:

C:\WINDOWS\Temp\

C:\Temp\

C:\Documents and Settings\username\Local Settings\Temp\

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

Reboot, scan with HijackThis and post a fresh log into this same thread.

#4 tomwag, Member (Full Member, 14 posts)

Posted 16 June 2004 - 07:26 AM

Thanks very much. Looks like I got rid of WinTools; the popups seem to have abated also... I still have processes running that I am suspicious of:
wuauclt.exe and
Iap.exe

Should I be concerned?



Logfile of HijackThis v1.97.7
Scan saved at 8:12:29 AM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Lexmark\NetPnP\LexPnPAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\ACCTTMH.BASICINC\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [PnPDef] C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = basicinc.local
O17 - HKLM\Software\..\Telephony: DomainName = basicinc.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = basicinc.local

#5 tomwag, Member (Full Member, 14 posts)

Posted 16 June 2004 - 07:43 AM

Bump

#6 NonSuch, Spyware Eradicator! (Trusted Advisor, 1,369 posts)

Posted 16 June 2004 - 03:13 PM

Hello,

Please do not "bump" this topic. I will receive an e-mail notifying me when posts are made to this thread. Keep in mind that we volunteers are located all around the globe, obviously in many different time zones.

Please click here to download v1.3 of Spybot Search & Destroy - Install, update, scan and fix all RED items it finds. Reboot when done.

Click here to download Ad-Aware, install it, then configure it for a customized scan. Before scanning, click on "Check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry," "Scan my IE Favorites for banned sites," and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start." Make sure "Activate in-depth scan" is ticked green, then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next." The bad files will be listed. Right click the pane and click "Select all objects" - This will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?" Reboot when finished.

Next, perform an online virus scan at Trend Micro and an online Trojan scan at Sygate. (See links in my signature below). Allow each program to remove whatever it may find. Reboot after each scan.

Now, use the link in my signature below to proceed to the Windows Update site. Scan your system for needed updates, then download and install them.

I see no evidence of a firewall in your log. You need more than XP's native firewall. If you do not currently have one, please download and install one of the free ones for which there are links in my signature below. Also, be certain that your antivirus program is active and updated with the latest antivirus definitions. Additionally, if your antivirus program is no longer functioning and/or has expired, please download and install one of the free ones in my signature below.

Presently, you have HijackThis on your Desktop. It needs to be in its own folder so that any backup copies it makes will be kept together and not scattered about your Desktop. Please right click on a blank space on your Desktop, select “New” then “Folder.” Name the new folder something like HJT or HijackThis. Now, you can just drag HijackThis into its new folder, using the left mouse button.

NOTE: Please print a copy of these instructions because you will be working with all windows closed except HijackThis.

Please run HijackThis and place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.”

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe


If the following O17 items are related to your ISP, leave them; otherwise, fix them with HijackThis:

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = basicinc.local

O17 - HKLM\Software\..\Telephony: DomainName = basicinc.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = basicinc.local


Reboot into safe mode, this way:
Restart the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Also, enable the "Show Hidden Files and Folders" option:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now, search for, and delete if found, (some files may not be present after previous steps) the following:

C:\Program Files\TV Media\ < folder

Reboot to normal mode, scan with HijackThis, and post a fresh log into this same thread.



