how I removed PGate
Posted 21 May 2004 - 02:29 PM
There are 5 areas I found where it presents itself: 1) the registry 2) add/remove programs 3) services 4) c:\program files\common files\wintools 5) task manager
Here is the main problem I saw. When you delete the registry settings or the wintools folder, the entries/files reappear. When you kill its processes in task manager (wtoolss.exe, wtoolsa.exe or wsup.exe) they immediately reappear. I am not sure why.
Here are the successful steps:
1) on the infected PC, go to services and disable the one called something like "Win Tools for Internet Explorer" (don't bother trying to actually stop the service). reboot the machine.
2) share with full control the program files folder on the infected PC. from another PC (called PC2 from now on) map a drive or browse to that share. (this is to make steps 4-6 easier, but you may be able to do them from just the infected PC)
3) on PC2, browse to the wintools folder so you can see the files (wtools.exe, wtoolsa.exe, etc)
[timing for the next 3 steps is very important-do them in rapid succession]
4) on infected PC, open task manager. kill the processes (all wtools?.exe such as wtoolsa.exe, wsup.exe) using the "end process tree" option.
5) begin your shut down process on the infected PC. just as you confirm okay to shut down, immediately perform step 6 from PC2
6) select all files in the wintools folder and delete them
7) let the infected PC reboot
so, what this should do is delete the files and kill the processes. I think you have roughly 5-10 seconds before the files get regenerated, so deleting them immediately prior to shutting down the PC worked for me.
8) upon reboot, check your processes in task manager. you should not see any running called wtoolsa.exe, wtoolss.exe or wsup.exe. If you do, you should repeat or vary steps 2-7
9) open your registry editor and search for all references to pgate, wtools, wintools, or wsup.exe. Delete every key and folder that you find that is a direct match. there may be 2-3 folders which you will not be able to delete. that did not seem to be a problem for me though.
10) After deleting your reg settings, reboot again and verify once more that those programs (mentioned in step 8) are not running and that the wintools folder is still empty. If empty, delete the wintools folder and the "uninstall" web link (can't recall the name) in the common files folder.
11) verify in add/remove programs that there are no entries for PGate or WinTools for Internet Explorer.
This should do it. good luck.
BTW, if the PGate author(s) happens to catch this post, you left a trail...
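
The checks from steps 8, 10 and 11 above, as an added PowerShell example that is not part of the original post; it only reads state and changes nothing. The service display-name pattern is an assumption (the post gives the name only approximately), the function name `Get-PGateLeftovers` is hypothetical, and a system with PowerShell installed is assumed.

```powershell
# Added example, read-only. Names come from the post unless marked as assumptions.
$procNames  = 'wtoolsa', 'wtoolss', 'wsup'     # step 8 process names, without .exe
$svcPattern = '*Win*Tools*'                     # assumption: loose match, review every hit
$regPattern = 'pgate|wtools|wintools|wsup'      # step 9 search terms
$folder     = Join-Path $env:CommonProgramFiles 'WinTools'
# Key that backs the Add/Remove Programs list (step 11)
$uninstall  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

function Get-PGateLeftovers {
    # Step 8: none of these processes should be running after the reboot
    Get-Process -Name $procNames -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Kind = 'Process'; Item = "$($_.Name) (PID $($_.Id))" }
    }

    # Step 1: report the service and its state if it is still registered
    Get-Service -DisplayName $svcPattern -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Item = "$($_.DisplayName) [$($_.Status)]" }
    }

    # Step 10: the wintools folder should be empty (or gone); list anything in it
    if (Test-Path -LiteralPath $folder) {
        Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Kind = 'File'; Item = $_.FullName }
        }
    }

    # Step 11: uninstall entries whose key name or display name matches
    Get-ChildItem -Path $uninstall -ErrorAction SilentlyContinue | ForEach-Object {
        $display = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).DisplayName
        if ("$($_.PSChildName) $display" -match $regPattern) {
            [pscustomobject]@{ Kind = 'Uninstall entry'; Item = "$($_.PSChildName) ($display)" }
        }
    }
}

$leftovers = @(Get-PGateLeftovers)
if ($leftovers.Count -eq 0) { 'No PGate/WinTools leftovers found.' }
else { $leftovers | Format-Table -AutoSize }
```

Because the files and processes regenerate within seconds, a hit in any category after the reboot means the removal steps need repeating; the full registry search in step 9 is still done by hand in the registry editor.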
Posted 11 June 2004 - 11:43 AM
First I ran the program from that link.
Then I went to add/remove programs and clicked remove for this uninstaller. It asked me if I wanted to uninstall the malware. You have to answer NO twice to continue, if I recall correctly.
It ran a long while then I had to reboot. Seems to have worked!
Note I believe I picked up this nasty by going here and clicking on one of the FAQ links on the left: http://www.dailymp3.com/splitter.html
I'm thankful I found this thread. Thanks!
Had you seen this?
Could be a trojan - but seems to work.
Edited by auctionhugh, 29 August 2004 - 07:18 AM.
Posted 06 August 2004 - 01:09 PM