Cannot get rid of WSUP, WINTOOLSA, and WINTOOLSS



#1 siobhan_aoife

Posted 18 June 2004 - 01:12 AM

Thank you in advance for any assistance that you can offer me.

I have read the FAQ and the stickied posts.

My problem is that I cannot get rid of the WinTools programs, which are installed in c:\program files\common files\WinTools. Wsup.exe, WinToolsA.exe, and WinToolsS.exe will not go away. If I manually kill these processes from the command line, they restart themselves. If I manually remove the registry key that is set to Run WinToolsA.exe at startup, it still runs and it re-adds its Run key.

I have updated and run AdAware and Spybot S&D. AdAware detects WinTools but cannot remove it; it tries to delete the files at the next reboot but this does not suffice. SpyBot S&D does not detect the WinTools programs.

I downloaded what I believe to be the latest HijackThis! and this is the report output:

Logfile of HijackThis v1.97.7
Scan saved at 10:48:26 PM, on 6/17/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\tp4mon.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\NWTRAY.EXE
C:\paprport\pptd40nt.exe
C:\4NT301\4NT.EXE
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Palm\HOTSYNC.EXE
E:\Yahoo\Messenger\ymsgr_tray.exe
C:\TOOLS\HIJACKTHIS.EXE
C:\WINNT\system32\cidaemon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.../winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.netscape.com"); (C:\Program Files\Netscape\Users\sarah\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Yahoo\Messenger\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\netware\nwws2sap.dll' missing
O16 - DPF: HushEncryptionEngine - https://mailserver3....ptionEngine.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://alliance.bdo...t/LocalExec.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://eddie:selma@2...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7420.8082986111
O16 - DPF: {AC05DC80-7DF1-11D0-839E-00A024A94B3A} (SSDBGrid Control - A) - http://exchange.digi...es/ssdatb32.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bdo.webex.co...bex/ieatgpc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E16297F-E4C0-4E40-9A3C-7A3403E36266}: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{6697F36C-066C-475C-959B-4916E7D2FBF5}: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BA6562C-D1A6-414C-879A-DF7791F032CF}: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EDA2E38-C8DD-4858-8451-5A62CAD1819E}: NameServer = 66.92.218.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABB92E6C-50E7-4512-AA15-460BCCF0F096}: NameServer = 66.92.218.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{B61CCD9D-39E8-4D46-B1A8-8937F6B9C3EA}: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4842A98-8EE5-4387-AFF9-7D05CB93A0E0}: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131
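The behaviour siobhan_aoife describes (three executables in one folder that restart each other and re-create the Run key) shows up in the log as one O4 Run entry pointing into a directory that also hosts several running processes. As an added example that is not part of this thread, the following Python script parses a HijackThis 1.97-style log and flags that pattern, and also collects the O17 NameServer entries so they can be checked against the ISP's DNS servers. The embedded log is a constructed excerpt of lines taken from the post above, the two-process threshold and the exclusion of the Windows directories are assumptions chosen to keep the heuristic quiet on a normal system, and none of the function names come from HijackThis itself.

```python
"""Flag the WinTools-style watchdog pattern in a HijackThis 1.97 log.

Pattern: an O4 Run entry launches a binary from some folder, and that folder
hosts two or more running processes (the helpers that restart one another and
re-create the Run key when one of them is killed).
"""
import re
from collections import defaultdict

# Constructed excerpt: a subset of lines copied from the poster's log, not a full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\TOOLS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\netware\nwws2sap.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 216.240.46.130,216.240.46.131
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # "O4 - ...", "O17 - ..."
RUN_RE = re.compile(r"^.*?: \[([^\]]*)\] (.*)$")         # "HKLM\..\Run: [Name] command"
EXE_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s|$)', re.I)     # executable path, quotes/args stripped
WINDOWS_DIRS = ("c:\\winnt", "c:\\windows")              # assumption: ignore OS directories


def parse_log(text):
    """Split a log into (running process paths, [(section, rest), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # the process list ends at the first blank line
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def run_targets(entries):
    """Return [(run value name, executable path)] for every O4 entry."""
    out = []
    for section, rest in entries:
        if section != "O4":
            continue
        m = RUN_RE.match(rest)
        if not m:
            continue
        name, command = m.group(1), m.group(2).strip()
        exe = EXE_RE.match(command)
        out.append((name, exe.group(1) if exe else command))
    return out


def directory_of(path):
    """Lower-cased directory part of a Windows path ('' if the path has none)."""
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def flag_watchdog_dirs(processes, entries, min_procs=2):
    """Directories that a Run key points into and that host >= min_procs processes."""
    by_dir = defaultdict(list)
    for proc in processes:
        by_dir[directory_of(proc)].append(proc.rsplit("\\", 1)[-1])
    findings = {}
    for name, path in run_targets(entries):
        d = directory_of(path)
        if not d or d.startswith(WINDOWS_DIRS):
            continue
        if len(by_dir.get(d, [])) >= min_procs:
            findings[d] = {"run_key": name, "processes": sorted(by_dir[d])}
    return findings


def nameservers(entries):
    """Distinct DNS servers named in O17 entries, to compare against the ISP's."""
    servers = set()
    for section, rest in entries:
        if section == "O17":
            m = re.search(r"NameServer = (.*)$", rest)
            if m:
                servers.update(s.strip() for s in m.group(1).split(","))
    return sorted(servers)


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    for d, info in flag_watchdog_dirs(procs, ents).items():
        print(f"Run key [{info['run_key']}] -> {d}: {', '.join(info['processes'])}")
    print("DNS servers from O17:", nameservers(procs and ents))
```

On the excerpt above the only directory reported is the WinTools folder, with WSup.exe, WToolsA.exe and WToolsS.exe listed against the [WinTools] Run value; the NavNT entry is not reported because no running process in the excerpt lives in that folder. The heuristic is deliberately simple: it says nothing about whether the flagged folder is malicious, only that it matches the restart-each-other layout, so each hit still needs a human look at the files themselves.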

#2 PGPhantom

Posted 21 June 2004 - 10:41 AM

:) Being your first post - I get the honour and privilege of welcoming you to our corner of the world where spyware has met its match - Welcome.

Just so that you know you are not being ignored - I will handle this case for you but I need to ask for your patience while I review the log.

Please keep an eye on this message for a resolution shortly.

#3 PGPhantom

Posted 21 June 2004 - 10:43 AM

First - Your system is woefully out of date.
Please run through the following procedures and after you have completed them, reboot and post another HijackThis log into this message for further review:
  • How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.
  • Run either of these free online virus scans.
  • How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use adaware. Run this program as soon as possible.
  • How to use Spybot to remove Spyware <= Please check this link for instructions on how to download, install and then use spybot. Run this as soon as possible as it may catch things that adaware misses.
  • Download, install and run Trojan Hunter (Trial)
  • Please go to Microsoft Windows Update and download all critical updates for your system. This is imperative - Specifically W2K - Get the latest Service Pack.


#4 siobhan_aoife

Posted 21 June 2004 - 06:20 PM

Thank you for your response, I will get right on doing what you've asked, and then I will re-run HijackThis and post the output.

I have already run AdAware and SpyBot S&D, but I will make sure they are fully up-to-date, will read the technotes you link to, and will re-run them as Step 3 of the process you outline.

Thank you again.
