WTools (wintools) is a nasty one.
Wintools Removal Instructions and Help
http://www.pchell.com/support/wintools.shtml
=====
Unable to Log On To Windows XP After Removing wsaupdater.exe
http://www.lavahelp.com/articles/v6/04/06/0901.html
New info from Mike Burgess who requested this be "passed around":
<quote>
I don't know when this started but I have noticed that several users were
having trouble removing the WinTools folder even in Safe Mode.
They (WinTools) have registered themselves as a "service"! (XP)
(shows up in a HijackThis - startuplist.log)
Enumerating Windows NT/2000/XP services:
WinTools for IE service: C:\Program Files\Common files\WinTools\WToolsS.exe (autostart)
The following seems to work well ...
Start | Run (type) Services.msc
Scroll down to the "WinTools for IE" service
Highlight, right-click and select: Properties
Select "Service Status" option to "Stop"
Select: "Startup type" set it to "Disabled", click Apply, OK
Close the Services Editor.
Then reboot, on restart, restart in Safe Mode.
Start | Run (type) regedit
Navigate to the following location:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
Expand the "+Services" key (left pane)
Highlight the "WinTools" key, right-click and select: Delete, Ok the prompt.
Close Regedit.
Locate and delete the following:
C:\Program Files\Common Files\WinTools <--this folder
Restart normally
Mike
</quote>
Thanks to Siljaline for passing this on to us.
--
Thanks to ~Robear for passing this on to us.
=====
From MVP Mike Burgess.
The "WinTools" seems to be a "bundled" parasite hijack [ugh!]
It doesn't really require any special tools per se ...
It's best to restart in Safe Mode to avoid the running modules.
Then whack the Wintools folder and run HT{HijackThis} in Safe Mode to
remove the "Run" entries ...
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
Then install SB {SpywareBlaster} to prevent future problems.
CLSID: {87766247-311C-43B4-8499-3D5FEC94A183}
Seems to be the same in all logs .....
Notice the "truncated" filenames? Must be a 16 bit hijacker
====
2) SpywareBlaster
[[SpywareBlaster doesn't scan and clean for spyware - it prevents it from
ever being installed.
The most important step you can take is to secure your system. And
SpywareBlaster is the most powerful protection program available.]]
http://www.javacoolsoftware.com/spywareblaster.html
4) HijackThis (some other stuff that may be of interest also)
http://www.spywareinfo.com/~merijn/downloads.html
4a) HijackThis (direct download)
http://aumha.org/downloads/hijackthis.zip
HijackThis log tutorial
http://www.spywareinfo.com/~merijn/htlogtutorial.html
HijackThis Log Tutorial
http://www.aumha.org/a/hjttutor.htm
How to use HijackThis to remove Browser Hijackers & Spyware
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#warning
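
=====
An added example, not part of the original post or of HijackThis: a small Python check that scans pasted HijackThis log text for the WinTools CLSID and folder named above, re-joining wrapped entries and matching both the long path and the PROGRA~1\COMMON~1 short form. The function names and the short-name map are assumptions made for this sketch.

```python
import re

# Indicators taken from the post; the short-name map is an assumption that
# matches the PROGRA~1\COMMON~1 form seen in its log lines.
WINTOOLS_CLSID = "{87766247-311C-43B4-8499-3D5FEC94A183}"
WINTOOLS_DIR = r"c:\program files\common files\wintools"
SHORT_NAMES = {"progra~1": "program files", "common~1": "common files"}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - ")  # e.g. "R3 - ", "O2 - ", "O4 - "

def normalize_path(text):
    """Lower-case and expand 8.3 short components so both path forms match."""
    text = text.lower()
    for short, long_name in SHORT_NAMES.items():
        text = text.replace(short, long_name)
    return text

def unwrap(log_text):
    """Re-join entries that a mail or news client wrapped onto a second line."""
    entries, open_entry = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries.append(line)
            open_entry = True
        elif line and open_entry:
            entries[-1] += " " + line
        else:
            open_entry = False  # blank line, or text before any entry
    return entries

def scan(log_text):
    """Return (entry code, reasons) for each entry matching a WinTools indicator."""
    findings = []
    for entry in unwrap(log_text):
        reasons = []
        if WINTOOLS_CLSID.lower() in entry.lower():
            reasons.append("clsid")
        if WINTOOLS_DIR in normalize_path(entry):
            reasons.append("path")
        if reasons:
            findings.append((ENTRY_RE.match(entry).group(1), reasons))
    return findings

# WinTools lines are from the post, wrapped as a mail client might wrap them;
# the ExampleApp line is constructed.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} -
C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} -
C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
"""

if __name__ == "__main__":
    for code, reasons in scan(SAMPLE_LOG):
        print(code, "+".join(reasons))
```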