What is WToolsA and what it is supposed to do?

Discussion in 'Security and Privacy' started by beth1949, 2004/05/04.

Thread Status:
Not open for further replies.
  1. 2004/05/23
    HelenF

    HelenF Inactive

    Joined:
    2004/05/21
    Messages:
    3
    Likes Received:
    0
    Thanks Newt! Our Island is so small (74K Population only) that I bet the one person I know of called Brett will be your poster! Oh so sad! :eek:

    Working my way through the instructions, painstakingly because I'm new at this game. Because I have a firewall etc and zone alarm and update it every day and haven't had a thing slip through, I suppose you could say I got complacent.

    Thanks again.
    HelenF
     
  2. 2004/05/23
    soggy_froggy

    soggy_froggy Inactive

    Joined:
    2004/05/23
    Messages:
    9
    Likes Received:
    0
    Hello, if anyone can help me that would be great. I downloaded Spy-bot and adware to get rid of Wtoolsa and so far have gotten nowhere. I keep getting a message from Spybot S&D Resident asking to accept change or ignore change. I am not very literate in computers yet, so I need help. Thanks, Kimberley (soggy_froggy) :confused:
     

  4. 2004/05/23
    Enfer Singe

    Enfer Singe Inactive

    Joined:
    2004/05/23
    Messages:
    25
    Likes Received:
    0
    Hi, I have this WToolsA as well as WToolsS and WSup on my computer. I went out and got McAfee virus scan professional and did a scan. I found some other stuff, but it did not pick up on WTools. I went into the Wtools folder and there are also .cfg files for WToolsC, P, and D, as well as a .dll file for WToolsB and another one called btiein.dll. There is a WToolsS.exe and IE iconed files for WToolsA.exe and WSup.exe. I have read around the forums as well as the internet and found that WToolsA disguises itself as IE. As I said, I have McAfee Virus Scan Pro and I also have Hijack This, Ad Aware, and Spybot Search and Destroy. I don't know much about computer processes, so if someone could help explain what to do with the programs I have in order to get rid of this, it would be really helpful. Also, if someone could quickly explain how to post the Hijack This log I will post it in the thread for the logs. I know I saw instructions somewhere here, but I can't find them right now. Thanks for all your help!

    EDIT: OK, I found out how to post my log, so I am going to do that now. BTW, I did do run>msconfig>startup>and then unselected the 2 WToolsA files that were there. One of them stayed unchecked upon restart, the other did not, so I tried again, with the same result. So in the log file, WToolsA does not show up, but WToolsS and WSup do. Also I forgot to mention that there were some other files in the Win Tools folder that I deleted, but the ones I listed all said that they were being used by another program so I could not delete. I also did the run>regedit> and then tried to delete from there with no luck. Anyway, please take a look at the log and see if you can help me out. Thanks.
     
    Last edited: 2004/05/23
  5. 2004/05/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hello Kimberley (soggy_froggy). Welcome to WindowsBBS :)

    Download Ad-aware and configure it as described here and run it. When the scan is done click next. Then right click any entry and 'select all'. This should check all entries. Click next, and OK to remove. Reboot and try Spybot again. Then start a new thread with a HijackThis log. Be sure to include details of what you have done and any problems you are still having. From what I can tell by your post and PM, something is trying to make changes in the system and Spybot is asking if you want to let it. It is most likely nasties at work. Continue denying. :)

    Enfer Singe,
    Should have started a new thread, but I responded to your log.
     
  6. 2004/05/23
    Enfer Singe

    Enfer Singe Inactive

    Joined:
    2004/05/23
    Messages:
    25
    Likes Received:
    0
    Thanks for your response, and sorry for not starting a new thread, just saw that there were like 10 WTools threads already, and this one seemed to be the most heavily viewed one. Anyway, I'm 250,000 files into the adaware scan and so far it has discovered 64 new things with the new settings. Thanks for all the help and I'll post results in the log thread.
     
  7. 2004/05/26
    Rick K Jr.

    Rick K Jr. Inactive

    Joined:
    2004/05/26
    Messages:
    1
    Likes Received:
    0
    I did what Henry said, plus I also searched the drives for 'wtools' and deleted all found files, and did regedit and deleted all values found.
    When I rebooted, Wtools was gone.

    THANKS ALL !!!
     
  8. 2004/05/29
    HelenF

    HelenF Inactive

    Joined:
    2004/05/21
    Messages:
    3
    Likes Received:
    0
    I'm clean too! It makes such a difference when you're new to this when you get straightforward instructions that don't assume knowledge, and above all don't patronise you - thanks again. Now I just need to download that other stuff you are so keen on! I may be gone some time, or I may be back soon! :eek:
    Cheers
    HelenF
     
  9. 2004/06/06
    sonnym2004

    sonnym2004 Inactive

    Joined:
    2004/05/20
    Messages:
    2
    Likes Received:
    0
    Wtoolsa bug!!!

    I am not sure how to do a windows registry search for "win tools" :eek:

    On top of that, my computer keeps hanging up with the blue screen saying any key to continue or ALT CTL DELETE to restart.

    How do I overcome that? (Earlier, I got rid of the wtoolsa dialog box that used to come up every 2 secs by deleting the wintools program)

    Sonny
     
  10. 2004/06/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  11. 2004/09/08
    hicerro

    hicerro Inactive

    Joined:
    2004/09/08
    Messages:
    1
    Likes Received:
    0
    It looks like Mission Impossible ...

    I thought it would never hit me as I have the latest patches of everything and yet it did - I was hit on one day by a mother variant (or a combination). Immediately I ran Spybot but in vain. Finally it took me (I reckon I am very experienced in PC techno) like 4 hours to eradicate them and these are what I have noticed:-

    1) Malware is more united now. They have watchdogs watching each other, e.g. WtoolsS.exe as a service monitoring the other companions (namely WToolsA.exe and WToolsB.exe), and then the others are also monitoring each other. To kill one of them is not easy. Took all my skills to remove them. BTW, I removed WtoolsS.exe first (which I believed is the ring leader).
    2) They are getting more security aware - they changed folder permissions on the Wintools directory. I had to take permission to remove some of the programs.
    3) They are using the latest techniques - they installed WToolsB.dll, asd.dll, STRAd32.dll, 404Search.dll as ActiveX objects.
    4) They hooked into logon events, thus enabling them to do more evil stuff - this is asd.dll.
    5) They have a backup measure to reinstall everything again (this is tb_setup.exe).
    6) They are digitally signed (asd.dll) and I am suspecting that they are using a proxying technology.

    The conclusion is that malware authors are definitely getting smarter and it looks like Mission Impossible against these guys :-( For me, I have just barely survived; to the general public - it is a lost battle immediately.

    FYI, here is the intrusion log that was captured (using PCLogger) during this time frame. Actually, it was thanks to my log that I spotted the malware, as I had to work my way without any Internet access during this time.

    "07/09/2004 ", "Directory ", "New ", "C:\WINDOWS ", "kdx "
    "07/09/2004 ", "Installs ", "New ", "kdx ", "Secure Delivery v "
    "07/09/2004 ", "File Associations ", "New ", ".kpg ", "kontiki_package= "C:\WINDOWS\kdx\kpgreader.exe" %1 "
    "07/09/2004 ", "Auto Run ", "New ", "HKLM/Software\Microsoft\Windows\CurrentVersion\Run ", "kdx=C:\WINDOWS\kdx\KHost.exe "
    "07/09/2004 ", "ActiveX COM ", "Changed ", "{0CF774D0-F077-11D1-B1BC-00C04F86C324} ", "COM=HTML Host Encode Object;Inproc=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\scrrun.dll;Local=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\scrrun.dll "
    "07/09/2004 ", "ActiveX COM ", "Changed ", "{0CF774D1-F077-11D1-B1BC-00C04F86C324} ", "COM=ASP Host Encode Object;Inproc=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\scrrun.dll;Local=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\scrrun.dll "
    "07/09/2004 ", "ActiveX COM ", "Changed ", "{0D43FE01-F093-11CF-8940-00A0C9054228} ", "COM=FileSystem Object;Inproc=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\scrrun.dll;Local=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\scrrun.dll "
    "07/09/2004 ", "ActiveX COM ", "New ", "{1433F750-E53F-11D8-9669-0800200C9A66} ", "COM=STRAd32Obj Class;Inproc=c:\windows\system32\STRAd32.dll;Local=c:\windows\system32\STRAd32.dll "
    "07/09/2004 ", "Directory ", "New ", "C:\WINDOWS\System32 ", "CISVC32.EXE "
    "07/09/2004 ", "Installs ", "New ", "DivX Player Lite (with DivX & XviD Codecs) ", "DivX Player Lite (with DivX & XviD Codecs) 1.0.3 v1.0.3 "
    "07/09/2004 ", "Directory ", "New ", "C:\WINDOWS\System32 ", "fInst.exe "
    "07/09/2004 ", "Directory ", "New ", "C:\WINDOWS\System32 ", "MS13.exe "
    "07/09/2004 ", "Directory ", "New ", "C:\WINDOWS\System32 ", "STRAd32.dll "
    "07/09/2004 ", "Directory ", "New ", "C:\WINDOWS\System32 ", "VT04.exe "
    "07/09/2004 ", "ActiveX COM ", "Changed ", "{32DA2B15-CFED-11D1-B747-00C04FC2B085} ", "COM=Script Encoder Object;Inproc=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\scrrun.dll;Local=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\scrrun.dll "
    "07/09/2004 ", "Browser Helper Object ", "New ", "{1433F750-E53F-11D8-9669-0800200C9A66} ", "STRAd32Obj Class=c:\windows\system32\STRAd32.dll "
    "07/09/2004 ", "ActiveX COM ", "Changed ", "{85131630-480C-11D2-B1F9-00C04F86C324} ", "COM=JS File Host Encode Object;Inproc=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\scrrun.dll;Local=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\scrrun.dll "
    "07/09/2004 ", "ActiveX COM ", "Changed ", "{85131631-480C-11D2-B1F9-00C04F86C324} ", "COM=VBS File Host Encode Object;Inproc=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\scrrun.dll;Local=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\scrrun.dll "
    "07/09/2004 ", "ActiveX COM ", "New ", "{D8620033-0102-4EE7-8362-69AC654FD129} ", "COM=EnhancedSliderActiveXOcx.Slider;Inproc=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\EnhSliderOcx.ocx;Local=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\EnhSliderOcx.ocx "
    "07/09/2004 ", "ActiveX COM ", "Changed ", "{EE09B103-97E0-11CF-978F-00A02463E06F} ", "COM=Scripting.Dictionary;Inproc=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\scrrun.dll;Local=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\DivX Player Lite\scrrun.dll "
    "07/09/2004 ", "Installs ", "New ", "404Search ", "404Search v "
    "07/09/2004 ", "Browser Helper Object ", "New ", "{53C330D6-A4AB-419B-B45D-FD4411C1FEF4} ", "Search404 Class=C:\Program Files\404Search\404Search.dll "
    "07/09/2004 ", "ActiveX COM ", "New ", "{43914CB9-5485-41DC-B6EE-EA062A4E0BB2} ", "Inproc=C:\WINDOWS\system32\asd.dll;Local=C:\WINDOWS\system32\asd.dll "
    "07/09/2004 ", "ActiveX COM ", "New ", "{53C330D6-A4AB-419B-B45D-FD4411C1FEF4} ", "COM=Search404 Class;Inproc=C:\Program Files\404Search\404Search.dll;Local=C:\Program Files\404Search\404Search.dll "
    "07/09/2004 ", "Auto Run ", "Deleted ", "HKLM/Software\Microsoft\Windows\CurrentVersion\Run ", "kdx=C:\WINDOWS\kdx\KHost.exe "
    "07/09/2004 ", "File Associations ", "Deleted ", ".kpg ", "kontiki_package= "C:\WINDOWS\kdx\kpgreader.exe" %1 "
    "07/09/2004 ", "Installs ", "Deleted ", "kdx ", "Secure Delivery v "
    "07/09/2004 ", "Directory ", "New ", "C:\WINDOWS ", "Digital Signature 20040907.htm "
    "07/09/2004 ", "Installs ", "New ", "Recommended Hotfix - 421701D ", "Recommended Hotfix - 421701D v "
    "07/09/2004 ", "ActiveX COM ", "New ", "{0421701D-CF13-4E70-ADF0-45A953E7CB8B} ", "COM=SmartPops Class;Inproc=C:\Program Files\Recommended Hotfix - 421701D\v15\RH.DLL;Local=C:\Program Files\Recommended Hotfix - 421701D\v15\RH.DLL "
    "07/09/2004 ", "Auto Run ", "New ", "HKLM/Software\Microsoft\Windows\CurrentVersion\Run ", "SESync= "C:\Program Files\SED\SED.exe" "
    "07/09/2004 ", "Directory ", "New ", "C:\WINDOWS\System32 ", "inetFuel.exe "
    "07/09/2004 ", "Installs ", "Deleted ", "404Search ", "404Search v "
    "07/09/2004 ", "ActiveX COM ", "Deleted ", "{53C330D6-A4AB-419B-B45D-FD4411C1FEF4} ", "COM=Search404 Class;Inproc=C:\Program Files\404Search\404Search.dll;Local=C:\Program Files\404Search\404Search.dll "
    "07/09/2004 ", "Directory ", "New ", "C:\WINDOWS ", "KB810217Uninst.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "FaxSetup.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "iis6.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "imsins.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "KB810217Uninst.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "MedCtrOC.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "msgsocm.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "msmqinst.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "ocgen.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "tabletoc.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "tsoc.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "comsetup.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "FaxSetup.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "iis6.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "imsins.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "KB810217Uninst.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "netfxocm.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "ntdtcsetup.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "tabletoc.log "
    "07/09/2004 ", "Directory ", "Changed ", "C:\WINDOWS ", "tsoc.log "
    "07/09/2004 ", "Directory ", "New ", "C:\WINDOWS ", "spuninst.log "
    "07/09/2004 ", "Directory ", "New ", "C:\WINDOWS ", "iconz.exe "
    "07/09/2004 ", "Directory ", "New ", "C:\WINDOWS\System32 ", "edow.exe "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB810217.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB821557.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "sqlstp.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "Q811114.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB823182.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB824105.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "owsconf.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB835732.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB826939.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB828741.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "Run32A60.mch "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "COM+.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB828035.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "Q828026.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "setup.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "win.ini "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "yacs.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "dahotfix.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "ODBC.INI "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB839643.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB828028.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "Q817606.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "WMSysPr9.prx "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB824141.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB825119.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "Q329170.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "Q810577.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "Q811493.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "War3Unin.dat "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "wmsetup.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB837001.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "OpPrintServer.INI "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "vminst.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "muninst.exe "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "Q819696.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "BJ3D.ini "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "Q810833.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "A6W.INI "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB823559.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB840374.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "nsw.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "Q811630.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB824146.log "
    "07/09/2004 ", "ActiveX COM ", "New ", "{87766247-311C-43B4-8499-3D5FEC94A183} ", "Inproc=C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll;Local=C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll "
    "07/09/2004 ", "ActiveX COM ", "New ", "{A8DEB4A5-D9EF-4D21-B4F6-921475004E7D} ", "Inproc=C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll;Local=C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll "
    "07/09/2004 ", "Installs ", "New ", "WinTools ", "Win-Tools Easy Installer (by WebSearch) v "
    "07/09/2004 ", "Auto Run ", "New ", "HKLM/Software\Microsoft\Windows\CurrentVersion\Run ", "WinTools=C:\Program Files\Common Files\WinTools\WToolsA.exe "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "imsins.BAK "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "ModemLog_ESS ES56H-PI Data Fax Voice Modem.txt "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "setupact.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "ocmsn.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "pfirewall.log.old "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB840315.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "spuninst.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB841873.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "iconz.exe "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB839645.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB842773.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "xpsp1hfm.log "
    "07/09/2004 ", "Auto Run ", "New ", "HKLM/Software\Microsoft\Windows\CurrentVersion\Run ", "TB_setup=C:\WINDOWS\TEMP\tb_setup.exe /dcheck "
    "07/09/2004 ", "Service ", "New ", "WinToolsSvc ", "C:\Program Files\Common Files\WinTools\WToolsS.exe "
    "07/09/2004 ", "Directory ", "New ", "C:\WINDOWS\System32 ", "TargetSoftSetup.exe "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "Digital Signature 20040907.htm "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "tsoc.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "tabletoc.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "KB810217Uninst.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "iis6.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "imsins.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "ntdtcsetup.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "ocgen.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "netfxocm.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "msmqinst.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "msgsocm.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "0.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "comsetup.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "MedCtrOC.log "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "FaxSetup.log "
    "07/09/2004 ", "Directory ", "New ", "C:\WINDOWS ", "Delete "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "Delete "
    "07/09/2004 ", "Installs ", "Deleted ", "Recommended Hotfix - 421701D ", "Recommended Hotfix - 421701D v "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "trthulymmllm.htm.hijack "
    "07/09/2004 ", "Installs ", "New ", "Spybot - Search & Destroy_is1 ", "Spybot - Search & Destroy 1.3 v1.3 "
    "07/09/2004 ", "ActiveX COM ", "New ", "{53707962-6F74-2D53-2644-206D7942484F} ", "Inproc=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\Spybot - Search & Destroy\SDHelper.dll;Local=C:\Documents and Settings\Ricky\My Documents\Vincent\Other\Spybot - Search & Destroy\SDHelper.dll "
    "07/09/2004 ", "File Associations ", "Changed ", ".disabled ", "SpybotSD.DisabledFile= "C:\Documents and Settings\Ricky\My Documents\Vincent\Other\Spybot - Search & Destroy\blindman.exe" "%1" "
    "07/09/2004 ", "File Associations ", "Changed ", ".sbe ", "SpybotSD.SBEFile= "C:\Documents and Settings\Ricky\My Documents\Vincent\Other\Spybot - Search & Destroy\SpybotSD.exe" "%1" "
    "07/09/2004 ", "File Associations ", "Changed ", ".sbi ", "SpybotSD.SBIFile= "C:\Documents and Settings\Ricky\My Documents\Vincent\Other\Spybot - Search & Destroy\SpybotSD.exe" "%1" "
    "07/09/2004 ", "File Associations ", "Changed ", ".sbs ", "SpybotSD.SBSFile= "C:\Documents and Settings\Ricky\My Documents\Vincent\Other\Spybot - Search & Destroy\SpybotSD.exe" "%1" "
    "07/09/2004 ", "File Associations ", "Changed ", ".tnfo ", "SpybotSD.TInfoFile= "C:\Documents and Settings\Ricky\My Documents\Vincent\Other\Spybot - Search & Destroy\SpybotSD.exe" "%1" "
    "07/09/2004 ", "File Associations ", "Changed ", ".uti ", "SpybotSD.UTIFile= "C:\Documents and Settings\Ricky\My Documents\Vincent\Other\Spybot - Search & Destroy\SpybotSD.exe" "%1" "
    "07/09/2004 ", "File Associations ", "Changed ", ".uts ", "SpybotSD.UTSFile= "C:\Documents and Settings\Ricky\My Documents\Vincent\Other\Spybot - Search & Destroy\SpybotSD.exe" "%1" "
    "07/09/2004 ", "ActiveX COM ", "Deleted ", "{0421701D-CF13-4E70-ADF0-45A953E7CB8B} ", "COM=SmartPops Class;Inproc=C:\Program Files\Recommended Hotfix - 421701D\v15\RH.DLL;Local=C:\Program Files\Recommended Hotfix - 421701D\v15\RH.DLL "
    "07/09/2004 ", "Installs ", "Deleted ", "DivX Player Lite (with DivX & XviD Codecs) ", "DivX Player Lite (with DivX & XviD Codecs) 1.0.3 v1.0.3 "
    "07/09/2004 ", "Internet Explorer ", "Changed ", "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page ", "http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home "
    "07/09/2004 ", "ActiveX COM ", "Changed ", "{53707962-6F74-2D53-2644-206D7942484F} ", "Inproc=C:\DOCUME~1\Ricky\MYDOCU~1\Vincent\Other\SPYBOT~1\SDHelper.dll;Local=C:\DOCUME~1\Ricky\MYDOCU~1\Vincent\Other\SPYBOT~1\SDHelper.dll "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS\System32 ", "wincore.dll "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS\System32 ", "winupd.dll "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS\System32 ", "inetadpt.dll "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS\System32 ", "cidrules.dll "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS\System32 ", "winhost32.exe "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "ieuninst.exe "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "oeuninst.exe "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "BJPSUNST.EXE "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "clock.avi "
    "07/09/2004 ", "Directory ", "Deleted ", "C:\WINDOWS ", "fntldr.exe.hijack "
     
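The log in the post above can be triaged mechanically for cleanup. The following Python script is an added example, not part of hicerro's post and not PCLogger's own code: it parses records in the five-field layout seen in that log, replays the "New"/"Changed"/"Deleted" actions, and reports the autostart registrations that were added and never logged as deleted. The field layout is inferred from the lines in the post; the function names and the temp-directory flag are assumptions made for this example.

```python
import re

# Log categories that describe ways code gets loaded automatically.
PERSISTENCE = {"Auto Run", "Service", "Browser Helper Object", "ActiveX COM"}
# Drive-letter paths ending in an executable or library extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^";=]*?\.(?:exe|dll|ocx)', re.IGNORECASE)

# Records copied from the log in the post above (a subset, original order).
SAMPLE_LOG = r'''
"07/09/2004 ", "File Associations ", "New ", ".kpg ", "kontiki_package= "C:\WINDOWS\kdx\kpgreader.exe" %1 "
"07/09/2004 ", "Auto Run ", "New ", "HKLM/Software\Microsoft\Windows\CurrentVersion\Run ", "kdx=C:\WINDOWS\kdx\KHost.exe "
"07/09/2004 ", "Browser Helper Object ", "New ", "{1433F750-E53F-11D8-9669-0800200C9A66} ", "STRAd32Obj Class=c:\windows\system32\STRAd32.dll "
"07/09/2004 ", "Browser Helper Object ", "New ", "{53C330D6-A4AB-419B-B45D-FD4411C1FEF4} ", "Search404 Class=C:\Program Files\404Search\404Search.dll "
"07/09/2004 ", "ActiveX COM ", "New ", "{43914CB9-5485-41DC-B6EE-EA062A4E0BB2} ", "Inproc=C:\WINDOWS\system32\asd.dll;Local=C:\WINDOWS\system32\asd.dll "
"07/09/2004 ", "ActiveX COM ", "New ", "{53C330D6-A4AB-419B-B45D-FD4411C1FEF4} ", "COM=Search404 Class;Inproc=C:\Program Files\404Search\404Search.dll;Local=C:\Program Files\404Search\404Search.dll "
"07/09/2004 ", "Auto Run ", "Deleted ", "HKLM/Software\Microsoft\Windows\CurrentVersion\Run ", "kdx=C:\WINDOWS\kdx\KHost.exe "
"07/09/2004 ", "ActiveX COM ", "Deleted ", "{53C330D6-A4AB-419B-B45D-FD4411C1FEF4} ", "COM=Search404 Class;Inproc=C:\Program Files\404Search\404Search.dll;Local=C:\Program Files\404Search\404Search.dll "
"07/09/2004 ", "Auto Run ", "New ", "HKLM/Software\Microsoft\Windows\CurrentVersion\Run ", "WinTools=C:\Program Files\Common Files\WinTools\WToolsA.exe "
"07/09/2004 ", "Auto Run ", "New ", "HKLM/Software\Microsoft\Windows\CurrentVersion\Run ", "TB_setup=C:\WINDOWS\TEMP\tb_setup.exe /dcheck "
"07/09/2004 ", "Service ", "New ", "WinToolsSvc ", "C:\Program Files\Common Files\WinTools\WToolsS.exe "
'''


def parse_line(line):
    """Split one record into (date, category, action, key, value).

    The value field can hold unescaped double quotes (see the .kpg record),
    so csv.reader is not safe here. Split on the first four '", "'
    separators only and keep the remainder verbatim.
    """
    line = line.strip()
    if not (line.startswith('"') and line.endswith('"')):
        return None
    parts = line[1:-1].split('", "', 4)
    if len(parts) != 5:
        return None
    return tuple(p.strip() for p in parts)


def identity(category, key, value):
    """Key that ties a 'Deleted' record back to the matching 'New' one."""
    if category == "Auto Run":
        # Several values share one Run key; the value name tells them apart.
        return (category, key, value.split("=", 1)[0])
    return (category, key)  # CLSID or service name is already unique


def outstanding(log_text):
    """Return autostart entries that were added and never logged as deleted."""
    live = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec[1] not in PERSISTENCE:
            continue
        _date, category, action, key, value = rec
        ident = identity(category, key, value)
        if action == "Deleted":
            live.pop(ident, None)
        else:  # "New" or "Changed": remember the latest registration
            live[ident] = value
    report = []
    for (category, *rest), value in live.items():
        paths = sorted({p.lower() for p in PATH_RE.findall(value)})
        report.append({
            "category": category,
            "id": rest[-1],  # Run value name, CLSID or service name
            "paths": paths,
            # Heuristic chosen for this example: autostart from a temp folder.
            "from_temp": any("\\temp\\" in p for p in paths),
        })
    return report


if __name__ == "__main__":
    for entry in outstanding(SAMPLE_LOG):
        print(entry)
```

On the sample records this leaves six entries to clean up, including the BHO registration for 404Search.dll, whose ActiveX COM record was deleted while the Browser Helper Object record was not.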
  12. 2004/09/08
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    hicerro - welcome to the forum and nice catch on that nasty piece of work. And I agree, the malware authors are getting more clever. Luckily, so are the good guys who write the removal tools.

    I think it will be easier for new folks with Wtools issues to start a new thread so I'm locking this one now.
     