siobhan_aoife

Cannot get rid of WSUP, WINTOOLSA, and WINTOOLSS

4 posts in this topic

Thank you in advance for any assistance that you can offer me.

 

I have read the FAQ and the stickied posts.

 

My problem is that I cannot get rid of the WinTools programs, which are installed in c:\program files\common files\WinTools. Wsup.exe, WinToolsA.exe, and WinToolsS.exe will not go away. If I manually kill these processes from the command line, they restart themselves. If I manually remove the registry key that is set to Run WinToolsA.exe at startup, it still runs and it re-adds its Run key.

 

I have updated and run AdAware and Spybot S&D. AdAware detects WinTools but cannot remove it; it tries to delete the files at the next reboot but this does not suffice. SpyBot S&D does not detect the WinTools programs.

 

I downloaded what I believe to be the latest HijackThis! and this is the report output:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:48:26 PM, on 6/17/2004

Platform: Windows 2000 SP2 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\cisvc.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\system32\drivers\KodakCCS.exe

C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe

C:\Program Files\NavNT\rtvscan.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\ScsiAccess.EXE

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\MsgSys.EXE

C:\WINNT\Explorer.EXE

C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

C:\WINNT\system32\tp4mon.exe

C:\Program Files\NavNT\vptray.exe

C:\WINNT\system32\NWTRAY.EXE

C:\paprport\pptd40nt.exe

C:\4NT301\4NT.EXE

C:\WINNT\system32\RunDll32.exe

C:\WINNT\system32\RunDll32.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

C:\Palm\HOTSYNC.EXE

E:\Yahoo\Messenger\ymsgr_tray.exe

C:\TOOLS\HIJACKTHIS.EXE

C:\WINNT\system32\cidaemon.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8010

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.netscape.com"); (C:\Program Files\Netscape\Users\sarah\prefs.js)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe

O4 - HKLM\..\Run: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKCU\..\Run: [Yahoo! Pager] E:\Yahoo\Messenger\ypager.exe -quiet

O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\netware\nwws2sap.dll' missing

O16 - DPF: HushEncryptionEngine - https://mailserver3.hushmail.com/shared/Hus...ptionEngine.cab

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://alliance.bdo.com/nps/portal/gadgets...t/LocalExec.CAB

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/064e63b9ee2775ea5406/netzip/RdxIE2.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://eddie:selma@24.196.23.136:8080/acti...sCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7420.8082986111

O16 - DPF: {AC05DC80-7DF1-11D0-839E-00A024A94B3A} (SSDBGrid Control - A) - http://exchange.digipat.com/MSADC/Samples/ssdatb32.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/...uditControl.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bdo.webex.com/client/latest/webex/ieatgpc.cab

O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5E16297F-E4C0-4E40-9A3C-7A3403E36266}: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131

O17 - HKLM\System\CCS\Services\Tcpip\..\{6697F36C-066C-475C-959B-4916E7D2FBF5}: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131

O17 - HKLM\System\CCS\Services\Tcpip\..\{7BA6562C-D1A6-414C-879A-DF7791F032CF}: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131

O17 - HKLM\System\CCS\Services\Tcpip\..\{9EDA2E38-C8DD-4858-8451-5A62CAD1819E}: NameServer = 66.92.218.23

O17 - HKLM\System\CCS\Services\Tcpip\..\{ABB92E6C-50E7-4512-AA15-460BCCF0F096}: NameServer = 66.92.218.23

O17 - HKLM\System\CCS\Services\Tcpip\..\{B61CCD9D-39E8-4D46-B1A8-8937F6B9C3EA}: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131

O17 - HKLM\System\CCS\Services\Tcpip\..\{E4842A98-8EE5-4387-AFF9-7D05CB93A0E0}: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 216.240.46.130,216.240.46.131,209.209.60.131
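
An added example, not part of the original post and not HijackThis code: a minimal parser for the log format shown above that lists the running processes and O4 autostart entries under one directory, plus the processes that have no autostart entry in the log. The sample is a trimmed excerpt of the posted log; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Trimmed excerpt of the log posted above (lines copied from the post).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\system32\services.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8010
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Yahoo\Messenger\ypager.exe -quiet
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # "O4 - ...", "R1 - ..."
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")  # hive, key, name, command

def parse(log):
    """Split a log into (running process paths, {section code: [entry bodies]})."""
    procs, entries, in_procs = [], defaultdict(list), False
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def footprint(log, fragment):
    """Return (running, autoruns, unexplained) for paths containing fragment."""
    frag = fragment.lower()
    procs, entries = parse(log)
    running = [p for p in procs if frag in p.lower()]
    autoruns = [m.groups() for m in map(RUN.match, entries["O4"])
                if m and frag in m.group(4).lower()]
    started = " ".join(cmd.lower() for _, _, _, cmd in autoruns)
    # Running from the directory, but no O4 entry in this log launches them.
    unexplained = [p for p in running if p.lower() not in started]
    return running, autoruns, unexplained

if __name__ == "__main__":
    for part in footprint(SAMPLE_LOG, r"\WinTools\\"[:-1]):
        print(part)
```

On the posted log this reports three WinTools processes but a single Run entry; the log itself does not show what starts the other two.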


:) Being your first post - I get the honour and privilege of welcoming you to our corner of the world where spyware has met its match - Welcome.

 

Just so that you know you are not being ignored - I will handle this case for you but I need to ask for your patience while I review the log.

 

Please keep an eye on this message for a resolution shortly.


First - Your system is woefully out of date.

Please run through the following procedures and after you have completed them, reboot and post another HijackThis log into this message for further review:

  1. How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.
  2. Run either of these free online virus scans.

  3. How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use adaware. Run this program as soon as possible.
  4. How to use Spybot to remove Spyware <= Please check this link for instructions on how to download, install and then use spybot. Run this as soon as possible as it may catch things that adaware misses.
  5. Download, install and run Trojan Hunter (Trial)

Please go to Microsoft Windows Update and download all critical updates for your system. This is imperative - Specifically W2K - Get the latest Service Pack.


Thank you for your response, I will get right on doing what you've asked, and then I will re-run HijackThis and post the output.

 

I have already run AdAware and SpyBot S&D, but I will make sure they are fully up-to-date, will read the technotes you link to, and will re-run them as Step 3 of the process you outline.

 

Thank you again.
