Ad-aware didn't even detect wintools and spybot only found an entry. I found the wintools folder in C:/program files/common files/wintools and deleted it in safe mode. Then I ran all of those programs listed above.
Noadware was the only program to find anything. It found several wintool registries and a few files. Unfortunately I needed to register noadware in order to remove these files. So instead I tried manually deleting these files myself. When I did I got an error message (in safe mode) saying I couldn’t.
Below is a list of the registry entries/files found by Noadware. Below that is my hijackthis log.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TBPSSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINTOOLSSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer : Processlnst
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer : ServerProc
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main : IEWatsonEnabled
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main : SearchAssistant
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer : Processlnst
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer : Server Proc
File: VBS.Butterhot C:\Windows\Winstart.bat (not displayed when you look in the directory)
Items I didn’t include are media access and websearch toolbar. Hopefully they aren’t related to wintools.
Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:13:27 PM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Phill\Desktop\spyware eliminators\spyware eliminators\hijackthis2\HijackThis.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {F756A28D-DCD5-46be-BCAB-17C088D07227} - (no file)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virus Chaser Spider NT (spidernt) - Unknown owner - C:\Program Files\Virus Chaser\SpiderNT.exe (file missing)
Edited by St0rm, 12 June 2005 - 03:18 PM.