Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

HELP I HAVE WTOOLSA

Started by orionflame , Dec 23 2004 11:02 PM

Please log in to reply

#1
orionflame

Posted 23 December 2004 - 11:02 PM

Member

Member
13 posts

Can someone please tell me what I need to do to remover wtoolsa and pib and the other various trojans currently running on my system?

Logfile of HijackThis v1.98.2
Scan saved at 11:57:55 PM, on 12/23/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\TOOLBAR\PIB.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\AMERICA ONLINE 6.0\WAOL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.seekerbar...spx?tb_id=50154
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar...spx?tb_id=50154
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekerbar...spx?tb_id=50154
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\SYSTEM\smiehlp.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: sPeerObj Class - {00000026-8735-428D-B81F-DD098223B25F} - C:\WINDOWS\SPEER.DLL
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe /boot
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

#2
orionflame

Posted 23 December 2004 - 11:40 PM

Member

Topic Starter
Member
13 posts

I HAVE READ THE REQUIRED STEPS I HAVE AD-AWARE SE PERSONAL PLEASE SOMEONE COME HELP I KNOW I HAVE TO START BY GOING TO AD REMOVE PROGRAMS THEN DELETING ANYTHING THAT SAYS TOOLBAR AND SOMETHING ELSE I KNOW THERE ARE A FEW STEPS TO THIS PLEASE HELP ANYONE!

#3
-=jonnyrotten=-

Posted 24 December 2004 - 02:11 AM

Member 2k

Retired Staff
2,678 posts

Not a problem, we can help, but don't you think it's kinda loud in here with you YELLING? Calm down, it's gonna be ok. So what ever happened here?

http://www.geekstogo...wtopic=5113&hl=

Also you need the latest version of Hijack This again, the new one was just released. Please download it from here:

http://www.geekstogo...n=download&id=3

Post a new log :tazz:

-=jonnyrotten=-

#4
orionflame

Posted 24 December 2004 - 11:13 PM

Member

Topic Starter
Member
13 posts

LOL how did you find my original post from november? I looked for it so I could just post on that but I couldnt find it. Anyways I had written down the information u gave me on my original post and found the paper I wrote it on and used that last night to re- take care of my wintoolsa, wsup, tbps problems..... You are stellar I appreciate your coming to my rescue on both occaisions I believe I contracted them this time from someone ram chip I borrowed thinking that it was still in its memory I could be wrong though.... I will post a hi- jack this log so you can check it out an make sure I took care of everything I know for sure they are no longer in my run procceses. Also I keep gettin a trojan.downloader.5.h in my restore file but I believe I know how to remove that (disable my system restore and let my anti-virus remove it) Anyways heres my new hjt log hope to hear back from ya soon and thanks again!

P.s. sorry I wrote so much lol

Logfile of HijackThis v1.99.0
Scan saved at 12:09:27 AM, on 12/25/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\AMERICA ONLINE 6.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\AMERICA ONLINE 6.0\AOLUSLPKW1200A\AOLSETUP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\SYSTEM\smiehlp.dll
O2 - BHO: sPeerObj Class - {00000026-8735-428D-B81F-DD098223B25F} - C:\WINDOWS\SPEER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

If theres anything else I need to get rid of let me know thanks!

#5
-=jonnyrotten=-

Posted 26 December 2004 - 03:31 PM

Member 2k

Retired Staff
2,678 posts

You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\SYSTEM\smiehlp.dll
O2 - BHO: sPeerObj Class - {00000026-8735-428D-B81F-DD098223B25F} - C:\WINDOWS\SPEER.DLL

Reboot normally, and post new log. Please include any information about your system. Do you still have Wtools? I don't see a whole lot in the log.

I found your post by clicking on your name and clicking "find members topics" :tazz:

-=jonnyrotten=-

#6
orionflame

Posted 26 December 2004 - 11:18 PM

Member

Topic Starter
Member
13 posts

Hey I did what you said and here is my new hjt log when u say list my computer specs do u mean my hardware specs? my proccesor is intel mmx 167mhz , normally I have 49 mbs of ram but I borrowed a friends 32mb chip so right now I have 80mbs. I have windows me and dial up connection my connection speed is usually 115,000bps what else do you want to know? thanks for gettin back to me post back soon!

Logfile of HijackThis v1.99.0
Scan saved at 11:21:15 PM, on 12/26/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1103959558\EE\AOLHOSTMANAGER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1103959558\EE\AOLSERVICEHOST.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103959558\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab

#7
-=jonnyrotten=-

Posted 27 December 2004 - 12:37 PM

Member 2k

Retired Staff
2,678 posts

You're log is lookin clean to me... Do you still have wtools.a? Here is a link to a removal tool, try this and tell me if it finds anything. What I meant about information was is everything running good? Bad? What is it you still may have? How do you know you have wtools? You should be able to uninstall it in add/remove programs in the control panel.

http://securityrespo...er/FxHuntbr.exe

-=jonnyrotten=- :tazz:

#8
orionflame

Posted 28 December 2004 - 09:39 PM

Member

Topic Starter
Member
13 posts

yea I got rid of wtoolsa I dl aol 9.0 security version and I need to uninstall it and go back to 6.0 because it makes so many more programs run on my computer and its just too much for my slow computer I think I have gotten rid of everything.