Hi SHEBU
jan...I followed your direction to see if IBIS Toolbar or wtoolsa.exe, wtoolsb.dll, wsup.exe, tb_setup.exe or WinTools of any sort were on my system via Safe Mode and none are present. Therefore I saw no need to download the CWShredder etc. Thanks again for your suggestions.
I'm beginning to think it is just something I will have to learn to live with although I don't understand why I should.
No...you don't want to live with this on your system, as it will only get worse. You need to get rid of it, and if you did not follow all the directions in the information provided to the letter, you should do so. Many of these files are in hidden files on the system and unless they are enabled they can not be seen or detected. Thus, you need to enable Hidden Files before going to Safe Mode.
How to Show Hidden Files
http://snipurl.com/6rl8
You also need to download and install SpyBot Search & Destroy then immediately update. Then run the program from Safe Mode.
SpyBot S &D - Update immediately after installing
http://www.majorgeeks.com/download2471.html
SpyBot S and D Tutorial
http://www.bleepingcomputer.com/forums/tutorial43.html
CAUTION!!!!! Before you try to remove spyware using any of the programs above, download a copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill your internet connection. If this should occur, this program, LSPFIX, will enable you to regain your connection.
You should also get a copy of WINSOCKXPFIX to have at hand if needed,
available at:
http://www.spychecker.com/program/winsockxpfix.html
and
WinsockXP Fix- WinXP
http://www.spychecker.com/program/winsockxpfix.html
with instructions, at
http://www.iup.edu/house/resnet/winfix.shtm
also... From LavaSoft- all versions of Windows-
http://digital-solutions.co.uk/lavasoft/whndnfix.zip
(NOTE: It is reported that in XP SP2, the command netsh winsock reset
will fix this problem without the need for these programs.)
or Winsock Fix Utility
http://www.dfwonline.net/files/WinsockFix.zip
Hope this helps.
Jan
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.
Replies posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
--
Shebu
:
Hi Shebu
Courtesy Mike Maltby - MS MVP
wtoolsa.exe is malware and appears to be a new member of the IBIS Toolbar family (http://www.pestpatrol.com/PestInfo/i/ibis_toolbar.asp) or even a variant of the CoolWebSearch parasite. One install mechanism it uses is if you choose to install the toolbar from xxx.websearch.com
Boot to Safe Mode, open MSConfig (Start, Run, enter MSConfig in the box and click OK), open the Startup tab and uncheck the entry being used to launch wstoolsa.exe, possibly labelled something like WinTools as well as any entries referring to wtoolsb.dll, wsup.exe and tb_setup.exe.
Browse to and delete the contents of your C:\Windows\Temp folder and also clear your Temporary Internet Files (Internet Options | General | Delete Files) and ensure that you check the box "Delete all offline content", then click OK and Apply.
Now check Add/Remove Programs and uninstall any entry for WinTools. You should also delete the entire Wintools folder which is probably located as a sub-folder in C:\Program Files\Common Files or alternatively in C:\Windows\System. Check for and delete all copies of wtoolsa.exe, wtoolsb.dll, wsup.exe and tb_setup.exe.
Now reboot back into Normal Mode and check your system for commercial parasites.
I would suggest you download and run Merijn's CWShredder which targets the CoolWebSearch parasite. CWShredder can be downloaded from (http://www.zerosrealm.com/downloads/CWShredder.zip or http://www.spywareinfo.com/~merijn/files/cwshredder.zip). Details of the many forms of the CoolWebSearch hijacker can be found at http://www.spywareinfo.com/~merijn/cwschronicles.html and also http://www.pestpatrol.com/pestinfo/c/cws.asp.
If you continue to have problems download a copy of HijackThis from (http://www.spywareinfo.com/~merijn/downloads.html). Create a folder called hijackthis on C: and copy the file you downloaded to that folder. Close as many applications as you can including all instances of Internet Explorer and then run hijackthis.exe and post back the log, provided that it isn't too long, to this thread, otherwise to the HijackThis Forum at http://www.spywareinfo.com/forums/ and hopefully this will enable someone to identify the cause of your problem.
Possible entries in the HiJackThis log to remove include:
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwe….0.0.5.cab
also see..
http://inetexplorer.mvps.org/data/wtoolsa.htm
Hope this helps.
Jan
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.
Replies posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
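The startup entries named in the post above can be checked for in a saved HijackThis log with a short script. This is an added example, not part of the original thread: the sample log and its ExampleApp entry are constructed, and matching uses only the file and folder names given in the post.

```python
import re

# File and folder names come from the post above; matching is by name only.
SUSPECT_FILES = {"wtoolsa.exe", "wtoolsb.dll", "wsup.exe", "tb_setup.exe"}
SUSPECT_DIR = "wintools"

ENTRY_START = re.compile(r"^[A-Z]\d{1,2} - ")  # e.g. "O4 - ", "R1 - "
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")

# Constructed sample log; the WinTools lines are wrapped as in the post.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

def unwrap(lines):
    """Rejoin log entries that a mail or news client wrapped at a space."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:  # continuation of the previous entry
            entries[-1] += " " + line
    return entries

def suspicious_startup(lines):
    """Return (key, label, command, reasons) for O4 entries naming the files."""
    hits = []
    for entry in unwrap(lines):
        m = O4_RE.match(entry)
        if not m:
            continue
        parts = set(re.split(r'[\\/" ]+', m.group("cmd").lower()))
        reasons = sorted(SUSPECT_FILES & parts)
        if SUSPECT_DIR in parts:
            reasons.append(SUSPECT_DIR + " folder")
        if reasons:
            hits.append((m.group("key"), m.group("label"), m.group("cmd"), reasons))
    return hits

if __name__ == "__main__":
    for key, label, cmd, reasons in suspicious_startup(SAMPLE_LOG.splitlines()):
        print(f"{key} [{label}] {cmd} -> {', '.join(reasons)}")
```

A clean result only means these names are absent from the startup entries; a renamed copy would not be matched.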
Thanks for the suggestion and link Emrys. I did download BHODemon and ran it but it only detected 3 BHOs and they were all benign. So unfortunately I still have my problem. Maybe someone else will come up with a solution.
--
Shebu
:
My computer is only 4 mos old and I have continually had a problem with IE6 crashing. It shows it's still running but I can't close it out unless I use Control/Alt/Delete. Then I get a message that it's either spyware, IE add-ons, or a virus causing the problem OR a message that the error was likely caused by: IBIS Toolbar and to remove it. I have NAV5, Spybot S&D which run and show no virus, adware or spyware. I also tried to see if the IBIS Toolbar was on my machine and it isn't.....so can't delete what isn't there.
I also thought the problem might be with Sun's JAVA JVM2 but they assure me everything is running properly.
This problem only happens when I'm in Yahoo Games and playing Canasta. Any other games work and close out fine. The actual Canasta room closes out but then when I try to close out IE it locks up. I have also contacted Yahoo and they tell me it is an IE problem. I am on Microsoft XP, SP2, IE6 Version 6.0.2900.2180.xpsp_sp2.
Also, the IE Error I keep getting is: szAppName: IEXPLORE.EXE szAppVer: 6.0.2900.2180 szModVer: 0.0.0.0 offsets: 00000000 szModName: hungapp
The Error Report Content is:
C:\DOCUME~1\Owner\Locals~1\Temp\WER21eb.dir00\IEPLORE.EXE.mdmp
C:\DOCUME`1\Owner\Locals~1\TempWER21eb.dir00\appcompat.txt
Any ideas or help would really be appreciated. I am retired and enjoy playing Canasta online but this problem is very annoying especially since my system is new. I had no problems while on Windows 98 with IE6.
Shebu
This is interesting:
http://tinyurl.com/dgres
Regards,
Emrys Davies