HELP ! MW AntiSpyware HELP!

GTOLover

I have tried using Spyware Beta. After cleaning up with Spybot and Adaware I ran MS Spyware. It found MANY more items, 100s. However, before it can complete its scan it hangs up and locks up on a Registry item:
HKEY_local_machine\software\microsoft\windows\currentversion\uninstall\wintools
I tried deleting this item in REGEDIT but it would not allow it. I thought I deleted it when running in safe mode. But it is still there. I have a whole list of spies that the MS beta lists before it hangs up. But I don't know how to delete them or capture them.
I am somewhat of a novice and am going in to places I probably shouldn't (REGEDIT namely). Any help???? Please!!!!!! I feel like my computer is "captured" even though it seems to work OK.
Thanks
 
Bill Sanderson

Does it still lock up if you do the scanning in safe mode?

Is this XP Home or Pro?
 
Andre Da Costa

Did you do a full system scan in safe mode too? Scan Page > Scan Options >
Full System Scan.
 
GTOlover

I tried full system scan in safe mode and normal. Locks up at same entry. The illustration shows green boxes with question marks passing through the scanner. The boxes continue to move but it stays there forever. I have tried it many times.
 
Bill Sanderson

Restart in safe mode.

Log in as "administrator".

See whether, in this mode, you have a "permissions" choice when you right-click on the key in question.

If you do, set it so that administrator has full permissions on the key. You may need to click Advanced, and the Owner tab, and take ownership of the key.

I'm not very familiar with XP Home, so I'm not sure exactly what you will see, and what facilities are available.
 
AndyManchesta

Hi mate, I understand your frustration but don't worry, everything can be removed once we know what it is. I think you should also download HijackThis and then follow these tips. It's very difficult to remove as it adds registry values all over the place plus a folder in C drive Program Files, but follow these tips and see how you get on.

The problem is there are at least 3 different adware programs I know of called WinTools plus a genuine program for removing files, but with you saying you cannot remove it I suspect it's this one as it has three executables running at startup including one hidden one and one running as a Windows service. These processes interact to stop each other from being killed, preventing removal of the software.


Download these:

Hijack This

http://hijackthis.clickhereformoreinfo.com/


General tips for removing bugs:

Turn off Windows System Restore (Start, right click My Computer, Properties, then System Restore and disable and apply).


Next: Enable viewing of hidden files and folders and extensions; some programs can hide this way by not being visible in Windows. Start Windows Explorer and click on your main hard drive, usually C:\. Then select Tools from the top of Windows Explorer and then Folder Options. Go to the View tab. Scroll down to the folder icon that says Hidden files and folders and check Show hidden files and folders. Also, right below it, uncheck Hide file extensions for known types.

Next: boot into Safe Mode.
Reboot the system and tap F8, choose Safe Mode.


Next: Delete Temp Internet files:
Open an internet browser window, click Tools then Internet Options.
Click on the Delete Cookies and the Delete Files buttons, then click OK and close the browser window.


Next: Delete Windows Temporary Files (Start, Run, then type %temp% and delete all files you can in this folder, the Windows temporary directory, usually located at C:\windows\temp).


This is going to need some registry work but you say you have already used this so it shouldn't be a problem for you. Just take your time and only delete the WinTools values or TB_Setup/TBPS if you find them.

Remove the Startup Entries in the Registry

Click on Start, Run, Type REGEDIT and Click OK

Click the pluses(+) next to the following items
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
Run

Right-Click on the file WinTools and click DELETE If
there is still a 'TB_setup' or 'TBPS' entry here, delete
that too.

To clean up, delete any of the subkeys 'MSIETS', 'MSIEIN', 'MSLINK', 'BTIEIN', 'BTLINK', 'Search Toolbar' and 'WinTools' in the Software subkey of both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.

There are more registry areas affected but I don't want to make things any harder than they already are, so this is where HijackThis comes into play.

Close REGEDIT


Run HijackThis (while in Safe Mode) and delete any entries relating to WinTools including

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WINTOOLS\BTIEIN.DLL

Although the following entries should have been deleted, delete these entries if they still exist.

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe

3) Delete the WinTools folder and all associated files

Open My Computer, Drive C, Program Files, Common Files. Right-click on the WinTools folder (if it exists) and delete it.

You should also delete or clean up your hosts file:

Windows 95/98/Me: c:\windows\hosts
Windows NT/2000/XP Pro: c:\winnt\system32\drivers\etc\hosts
Windows XP Home: c:\windows\system32\drivers\etc\hosts

(If you have not added entries to the hosts file and are not sure which to delete then I'd advise removing them all except the 127.0.0.1 localhost entry and the examples above the localhost line. Here's a part of my hosts file:)


# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

You can remove the rest without it causing any problems


5) Reboot the computer in Normal Mode and run HijackThis again to test (WinTools should be gone).

If you are unsure of anything or cannot find any of these registry values then it's possible it's a different adware called Bubba.Wintools. But this is the hardest to remove out of them all so I assume it is this, but like I say, if you are unsure just repost and I will help where I can.

Good luck mate, Andy
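A small triage script, added here as an example and not code from Andy's post or from HijackThis itself: it scans HijackThis-style log lines for the WinTools-family names listed above (WinTools, TB_Setup, TBPS, MSIETS, MSIEIN, MSLINK, BTIEIN, BTLINK, Search Toolbar) so a reader can check a saved log before fixing anything. The sample log is constructed: the two O2 lines and the WinTools O4 line are the entries quoted above, while the other lines (including the O23 service name and the all-zero CLSID) are made up for illustration.

```python
import re

# Names the reply above associates with the WinTools adware family
# (registry subkeys, startup entries and BHO paths), matched case-insensitively.
WINTOOLS_MARKERS = ("wintools", "tb_setup", "tbps", "msiets", "msiein",
                    "mslink", "btiein", "btlink", "search toolbar")

# HijackThis entries start with a section tag such as O2, O4 or O23.
ENTRY_RE = re.compile(r"^(O\d+)\s*-\s*(.*)$")

# Constructed sample log. The O2 lines and the WinTools O4 line are the entries
# quoted in the reply; the O23 service name and the all-zero CLSID are made up.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WINTOOLS\BTIEIN.DLL
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: WinTools for IE (hypothetical name) - Unknown owner - C:\Program Files\Common files\WinTools\WToolsS.exe
"""

def parse_entry(line):
    """Split a HijackThis line into (section, body); None for header/other lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(log_text, markers=WINTOOLS_MARKERS):
    """Return (section, matched_marker, body) for every entry naming a marker."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        lowered = body.lower()
        for marker in markers:
            if marker in lowered:
                hits.append((section, marker, body))
                break  # one hit per entry is enough
    return hits

def summarize(hits):
    """Count flagged entries per section, e.g. {'O2': 2, 'O4': 1, 'O23': 1}."""
    counts = {}
    for section, _, _ in hits:
        counts[section] = counts.get(section, 0) + 1
    return counts

if __name__ == "__main__":
    for section, marker, body in triage(SAMPLE_LOG):
        print(f"{section:>4}  [{marker}]  {body}")
```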
 
AndyManchesta

I wanted to add a couple more things. I could be way off on this as like I say I know of 3 adware/search hijackers and 1 genuine WinTools for removing files, but suspect it might be this one with you saying you deleted the registry value but it's come back, but let me know if I'm wrong and I will provide removal methods for the others.

Plus it might be easier for you to copy my post into Notepad and save it to your PC so you can still follow it in safe mode (especially the registry part).

With MS AntiSpy freezing at this point it pretty much rules out the genuine WinTools as this wouldn't happen unless it's a bug in the AntiSpy, but I don't think that's the case here. I think it's either the one I've told you about, which is a variation on Huntbar which is a search hijacker, or the other called Bubba.Adware which is a malicious BHO but the purpose is currently unknown. The third is a spyware program but hasn't been used or detected for a few years, so hope you can see it's hard for me to know which exactly it is and it could also be a bug in the MS AntiSpy, so you will have to reply if this doesn't match and I will give removal info for the others.

Hope this helps

Andy :)
 
GTOLover

Thanks Andy!! I am just finishing up with your excellent instructions. After running HijackThis, I find one add'l reference to WinTools. It is
O23 - Service: wintools for IE ...... I did not copy it all although I saved the log. Is this to also be deleted? If Microsoft has a legitimate WinTools, I have probably wiped most of it out.
The HijackThis log looks like it is full of crap. I am now running MWAS to see if it will run through the scan. While it is scanning I get a "Virtual Memory is Low" message. It changes the VM automatically.
Looks like MWAS is hung up again !!! on the same registry entry.
WOW!!! What a pain! How can that be? I thought we eliminated everything related.
 
GTOLover

Thanks Bill:
I tried this but got a message "unable to save permission
changes on WinTools. Access is denied."
It won't let me change the owner.
See above where Andy had me try a number of things and my
response.
Thanks!!!!
 
Andre Da Costa

I would suggest you take ownership of either the WinTools file or Folder,
delete it then run the scan again.
 
AndyManchesta

Hi mate, sorry I just saw your reply.

No, this is the WinTools part that adds itself to Windows services again to prevent complete removal. It would help if you could post me your HijackThis log and I will be able to help more. There could be other problems causing this. There isn't a WinTools entry in Windows XP so you can fix this while in safe mode.

Another way is to go to Control Panel > then Administrative Tools > then click the Services tab > click on the Name bar to sort them into alphabetical order, then find WinTools and kill it (right click > Properties > then choose Disable and apply).

The problem is the services part is protected by Windows and starts up before you even log in, so this needs stopping, then run HijackThis again in safe mode and if it still shows in the log choose fix there. Also either post the log on the forum or email it to me at (e-mail address removed).

I appreciate this site isn't for HijackThis logs but think it could benefit others to get to the bottom of this one. I'm confident we can solve it but it's hard for me to advise without seeing the log. I'm up early for work but will reply as soon as I can.

Also run these:

Trojan Hunter (30 day free Trial)

http://www.misec.net/products/TrojanHunter.exe

CWShredder ( Free )

http://cwshredder.net/bin/CWShredder.exe

Restoring your hosts file:

Download the Hoster from here: (Free)

http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

CCleaner..... Clears all temp and unused files. Leave it on the default setting and run Cleaner, also use the Applications and Issues scan and follow the onscreen prompts. On the Issues part check for any reference to WinTools and delete any leftover registry values it detects. (Free)

http://majorgeeks.com/downloadget.php?id=4191&file=11&evp=a12d758b021af1a4f0a6bfe45b0c7a82

And finally
Download

Del Domains (Free)

http://www.mvps.org/winhelp2002/DelDomains.inf

Download this file to your desktop.

Right-click on the deldomains.inf file and
select 'Install'

Once it is finished your Zones will be reset.


At the very least this will clear a lot of junk from your system and make the HijackThis log look better, but get rid of the WinTools service first, either with HijackThis or the Control Panel way, and I'll leave it to you if you want to post it on here or email it to me.

Chat to you soon mate

Andy
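The hosts-file cleanup Andy describes (keep the comments and the 127.0.0.1 localhost line, drop every other mapping), written out as an added example; this is not code from the post or from the Hoster tool linked above. It goes slightly beyond the post in also keeping an IPv6 ::1 localhost line. The sample hosts file is constructed: the comment block and localhost line follow the excerpt Andy quoted, and the two trailing mappings are made up to stand in for the kind of redirections adware adds.

```python
import ipaddress

# Constructed hosts file. The comment block and the localhost line follow the
# excerpt quoted in the thread; the last two mappings are made-up examples of
# the kind of entries adware adds (documentation-range address, example.* names).
SAMPLE_HOSTS = """\
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
#
127.0.0.1       localhost
127.0.0.1       update.example.com      # constructed: blocks a vendor's update site
192.0.2.10      www.example.net         # constructed: sends a real site elsewhere
"""

def parse_hosts_line(line):
    """Return (ip, [names]) for a mapping line, or None for blank/comment-only lines."""
    body = line.split("#", 1)[0].strip()   # drop trailing comments
    if not body:
        return None
    ip, *names = body.split()
    return ip, names

def is_safe_localhost(ip, names):
    """True only for loopback -> localhost mappings (127.0.0.1 or ::1)."""
    try:
        loopback = ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False                       # malformed address: do not keep it
    return loopback and any(n.lower() == "localhost" for n in names)

def clean_hosts(text):
    """Return (cleaned_text, removed_lines). Comments and blank lines are kept
    verbatim, the localhost mapping is kept, every other mapping is removed."""
    kept, removed = [], []
    for line in text.splitlines():
        parsed = parse_hosts_line(line)
        if parsed is None or is_safe_localhost(*parsed):
            kept.append(line)
        else:
            removed.append(line)
    return "\n".join(kept) + "\n", removed

if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(cleaned)
    print("removed:", *removed, sep="\n  ")
```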
 
Bill Sanderson

You should always be able to take ownership as administrator. I'll look at
the other message.
 
GTOlover

You say take ownership. How & where do I do that. Sorry but
I am pretty new at this.
 
AndyManchesta

And with the low virtual memory, this could be caused by a lot of different reasons. BHOs, especially malicious ones, would use a lot of this, as will trojans/viruses etc...

Optimizing virtual memory

To check your RAM so you can calculate, just go to Start, then right click My Computer and go to Properties. You will see it displayed on the General tab on this screen.


The rule of thumb is 1.5 times the amount of system memory, unless you have too much load on your system.

Have the initial size be at least 1.5 times bigger than the amount of physical RAM. Do NOT make the pagefile smaller than the amount of physical RAM you've got installed on your system.

Let's say we have 512MB of RAM and we decided to create a pagefile of 768MB.

In Windows go to My Computer, right click it and then choose Properties, go to the Advanced tab, click Performance Options, then click Settings, then Advanced again, and now you can view and set the parameters you need (go to the Custom box, enter 1.5 times the size of your RAM in the Initial box and 3 times the size of your RAM in the Maximum box, then press Set then Apply).

If you decrease the size of either the initial or maximum
paging file settings, you must restart your computer to
see the effects of those changes. When you increase the
paging file size, you typically do not need to restart
your computer.

How big should my Pagefile be?
To have Windows choose the best paging file size, click
System managed size. The recommended minimum size is
equivalent to 1.5 times the amount of RAM on your system,
and 3 times that figure for the maximum size. Example, if
you have 256 MB of RAM, the minimum size would be 384,
the maximum size would be 1152.

To delete a paging file, set both initial size and
maximum size to zero, or click No paging file. Microsoft
strongly recommends that you do not disable or delete the
paging file.


Using Task Manager
Another (faster) way to find out is by using Task Manager:

Open Task Manager and go to the Performance Tab.

Notice the Physical Memory section. Look at the Total
figures: 785904 K (that's the amount of installed RAM).

How much RAM is available? 372924 K - more than half of
the installed RAM. You're doing ok for now.

How much memory is your system committed to? Look at the
Commit Charge section, at the Total figures: 429604 K.

What was the largest amount of memory your system has
ever committed itself to since the last boot? Look at the
Peak figures: 453168 K. This means that you're running
close to your peak, and although your system has peaked
to around 450000 K, it's still far from using up its RAM.
You're ok for now.

Really you need to find what's eating up all your space. I think it could be a lot of malware & BHOs possibly, but hard to say without seeing the HijackThis log, but if you can shut anything down that's not needed this will also help. I will reply when I finish work tomorrow as it's 1.10am here now and I'm up at 6am for work, but hopefully some of the other talented members on here can advise you if you have any problems and I will reply when I get in tomorrow.

Good Luck ;o)
 
Bill Sanderson

Another message I've seen describes a memory leak in Microsoft Antispyware
when it is doing whatever it is doing--looping--when stuck at one of these
keys which have permissions set to prevent easy deletion.

So--I don't think this is a misconfiguration--it's a bug in Microsoft
Antispyware--and we're going to have to work around it by fixing the
permissions on the registry entry so that it can be handled by the tool.
 
Bill Sanderson

In XP Pro, when I have right-clicked a registry key and chosen Permissions, I see a tab for "Security." At the bottom right of that tab is an Advanced button. When I click that I see several tabs, one of which is "Owner".

When I click on the Owner tab, I see the current owner of the item, a choice of several users I can change the owner to, and a checkbox to "replace owner on subcontainers and objects."

Do you have this tab? If you try to change the owner to Administrator, or Administrators, what happens?
 
GTOLover

YAYYYYY!!!!! yAAAYYYYYY !!!! I was able to change the permission and delete it. The scan worked and is in the process of removing 25 buggers!!!
Thanks Bill !!!!! I will now go forward and see what happens.
 