General discussion

PLEASE HELP with Ad-Aware

I have been using Lavasoft's Ad-Aware SE for almost a year now, a month after I got the computer. With the exception of a few tracking cookies, I THOUGHT I never had much of a problem. I prided myself as being EXTREMELY careful, when I went on the Internet. I have had Spybot S&D, since November and have come up clean, with one or two exceptions with the first scan.

When I first downloaded Ad-Aware, I left it at the recommended setting, as I am far from "advanced". Today I downloaded HexDump. (Just a point of reference) In addition, I attempted to go to a site today that I found at Google. McAfee immediately came up with a warning that an unauthorized.. "something or other" ..was trying to gain access, and did I want to block it. I immediately blocked it and Hacker Watch's page came up asking me to report it. There may be no point in recreating my tracks for anyone, since "why" may not matter at all.

MY PROBLEM:
I ran a scan and it came up with 119 objects!! Most of them were BHO's. All said "Data Miner". I was under the impression, I could delete them, BUT, I've only had tracking cookies to deal with. Everything that came up was a RegKey or RegValue. I tried to quarantine these objects. Ad-Aware said some objects could not be removed. (All located:
C:\Program Files\Common Files\wintools\ ) The end of the path for these 3 items is.. WSup.exe,\WToolsA.exe,\WToolsB.dll.

I am at a total loss. I went to Lavasoft's forum, with the hopes of finding a place to discern what is okay to delete.. and what is not. I have a feeling these objects have been accumulating from day one, and not from the one website, that I believe was blocked. Although I saved all the logs, I don't know if I am equipped to deal with their forums. Since everyone seems to have Ad-Aware, is it possible someone could tell me if it is okay to delete all Data Miner's.. even if it is a Registry Key or Value??

Yes, I have I.E. I need to get out of this mess before I can start using Firefox. Sorry for this long post, but when I see "Reg" anywhere, I tend to panic. I now have these items quarantined and don't know if they should be deleted. Is there a hard fast rule about Data Miner's? Please Help. (I'm willing to do the "work", but don't know where to go or what to do at this point.)

ANY help would be GREATLY appreciated!

Comments
- Collapse -
but when I see "Reg" anywhere, I tend to panic

no need to panic.

if Ad-Aware determines they are wrong entries it is safe to delete them.....

also I would set parameters for 'custom scan'.

all data miners can be deleted as well.

- Collapse -
(NT) Correction: BHO's = IBIS Toolbar in Ad-Aware
- Collapse -
IBIS Toolbar
- Collapse -
IBIS Toolbar

Donna, I am faced with the same problem. I rebooted WinXP in Safe mode and attempted to stop, via CTRL+ALT+DEL, the programs running. As soon as they are stopped, they restart. Then I went to the Registry and attempted to delete the RUN and RUNONCE entries. As soon as they are deleted they are recreated. You cannot delete the actual directories. In the days of Win98 I would have rebooted in DOS mode and deleted the directories that way.

So, what do I do now?

Thanks

- Collapse -
There must be another one or two that is still

running that triggered to recreate again.

First try to review your Add/Remove Programs for "Search Toolbar" or "Wintools" entry? If you have it in the list, remove it from there. Next, reboot to safe mode. Try again to end the task of any of the below mentioned processes (if any). Proceed in running the up-to-date Ad-aware SE (safe mode).

In Computer Associates page, it shows the following items that need to be killed (the processes):
iexploreskins.exe
wintools.exe
wtoolsa.exe
wsup.exe
wtoolsa.exe
wtoolss.exe
emusicclient.exe
emusicsetup.exe
iexploreskins.exe
fash.exe

Reboot the system to normal mode then scan once again using Ad-aware SE. Please let us know of the result (cleaned or cannot clean by Ad-aware SE)

If Ad-aware SE failed to clean it, you need to follow the complete manual removal method again provided by Computer Associates. You need to reboot immediately after deleting each entry in the registry.

If all methods fail, get HijackThis from http://www.spywareinfo.com/~merijn/ to scan the system and locate any instances of Wintools, hit fix.

For example:
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183}- C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WINTOOLS\BTIEIN.DLL
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe
profilepath+\locals~1\temp\iexploreskins.exe
profilepath+\locals~1\temp\wintools.exe
programfilesdir+\common files\wintools\update\wtoolsa.exe
programfilesdir+\common files\wintools\wsup.exe
programfilesdir+\common files\wintools\wtoolsa.exe
programfilesdir+\common files\wintools\wtoolss.exe
programfilesdir+\emusic\emusicclient.exe
programfilesdir+\emusic\emusicsetup.exe
programfilesdir+\toolbar\iexploreskins.exe
systemroot+\fash.exe

Do the above only, if you've ended the running processes of Wintools.
Reboot when done. Scan again using HijackThis to see if there is still entry of WinTools, toolbar or emusic.

Reboot to safe mode. Delete the program directory of Wintools. Reboot to normal mode and let us know how it goes.

Important Note: If you are not familiar with HijackThis, post the log in forums that offer HijackThis analysis. You can find those forums in http://a-sap.org

Another method is:
Download and install MoveonBoot from http://www.gibinsoft.net/gipoutils/bin/moveonb.exe

Boot to safe mode.

Locate the following:
iexploreskins.exe
wintools.exe
wtoolsa.exe
wsup.exe
wtoolsa.exe
wtoolss.exe
emusicclient.exe
emusicsetup.exe
iexploreskins.exe
fash.exe

Right-click each, then select "Delete file(s) on next boot"

Scan the system using Ad-aware SE.

- Collapse -
Thanks Donna!

Thanks Donna for your very detailed help.

My problem was that I couldn't reboot quick enough after deleting entries from the Registry.

So I rebooted WinXP in Safe mode with DOS and was able to delete the contents of the various directories and then remove the directories themselves.

Then I rebooted in Safe Mode and completed the clean up using Ad-aware, Spybot, HijackThis and WinPatrol - belts and braces approach. Spybot found more than the others. All is well.

Thanks again.

Charles

- Collapse -
Good work Charles.

Glad to hear that you resolved and killed it.

- Collapse -
WinTools

To get rid of WinTools, you need to end its task via Task Manager. End the task of all instances of WinTools. Proceed in deleting instances of Wintools in the registry and its own program directory (usually in C:\Program Files\Common files\WinTools)

Or download HijackThis from http://www.spywareinfo.com/~merijn/ to scan the system and locate any instances of Wintools, hit fix.

For example:
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183}- C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WINTOOLS\BTIEIN.DLL
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe

Do the above only, if you ended the running processes of Wintools.
Reboot when done. Scan again using HijackThis to see if there is still entry of WinTools.

Important Note: If you are not familiar with HijackThis, post the log in forums that offer HijackThis analysis. You can find those forums in http://a-sap.org

You should put Hijackthis in its own folder. See instructions - How to use HijackThis

Scan again using Ad-aware in Normal or Safe mode.
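
Added example, not part of the original posts and not HijackThis's own code: a small Python triage script for the O2 (BHO) and O4 (Run/RunServices) log lines quoted in the two replies above, which flags entries by directory or file name so that short-name paths (PROGRA~1\COMMON~1) and long-name paths are treated the same. The watch list comes from the names given in the thread; the two "Example" entries in the sample log and the function names are constructed for illustration.

```python
import re
from ntpath import normpath

# Directory and process names listed in the thread (compared case-insensitively).
WATCH_DIR = "wintools"
WATCH_FILES = {"iexploreskins.exe", "wintools.exe", "wtoolsa.exe", "wsup.exe",
               "wtoolss.exe", "emusicclient.exe", "emusicsetup.exe", "fash.exe"}

# O2 lines: the dash after the CLSID may or may not be preceded by a space.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
                   r"\s*-\s*(?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")

# Sample log: lines 1, 3 and 4 are from the thread; the "Example" lines are constructed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183}- C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

def parse_line(line):
    """Return a dict for an O2 or O4 line, or None for anything else."""
    line = line.strip()
    for section, rx in (("O2", O2_RE), ("O4", O4_RE)):
        m = rx.match(line)
        if m:
            return {"section": section, **m.groupdict()}
    return None

def is_watched(path):
    """True if any parent directory is WATCH_DIR or the file name is listed."""
    parts = normpath(path.strip('"')).lower().split("\\")
    return WATCH_DIR in parts[:-1] or parts[-1] in WATCH_FILES

def review(log_text):
    """Collect parsed O2/O4 entries that point at watched locations."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries if e and is_watched(e["path"])]

if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(e["section"], e.get("key") or e.get("clsid"), e["path"])
```
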

- Collapse -
Donna... Donna.. Donna..

THANK YOU.. THANK YOU.. THANK YOU!!!

I was driving myself crazy until 3 in the morning! Searching all I could find on Win Tools. (Never thought to search IBIS Toolbar) Had I waited for an additional reply here, I might have gotten more sleep!! The CA article was perfect. This post another gem. I can't believe this mess came from one, seemingly "innocuous" site!

I did the work. Ran a scan in safe mode. Shut my eyes.. and prayed. I can't believe how my priorities in life have changed. I never thought a clean scan would have me this excited. I have learned a lot of lessons, in the past 24 hours. I have you to thank.. that it was only 24 hrs and not 72.. or more.

Donna, thanks again. And thank you for all I have learned from the posts you reply to, from others. I wait for the day, I can give back, what I have learned here.

What more can I say? Thank you?... Thank you!

- Collapse -
You're welcome! Good work!

Glad we can help

- Collapse -
One last question... please?

Donna..

I've had IBIS Toolbar on the brain!! (I even removed it totally from the Task Manager, because I never wanted to be reminded of it) ALTHOUGH.. I no longer see any traces of it from Ad-Aware and Spybot.. just for the heck of it.. I decided to do a "search" in the registry. One came up under McAfee and it was as I suspected after going to McAfee. It has been disallowed. (Had to make sure it wasn't "Allowed"!) I left it alone.

There is only 1 last entry left, that I DON'T see on Computer Associate's list. This is located @:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache. Under Name is: "c\Program~1\Commom~1\WinTools\WinToolsA.exe" (w/o the quotes..)

Should I leave well enough alone?

I appreciate all you have done.. and hope I'm not "pushing it".

- Collapse -
Nice find!

You should delete any instances of WinTools wherever it is located.

Just be careful. Make sure you are deleting only the value WinToolsA.exe instead of the whole string HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache


- Collapse -
A - OH .. .. I'm lost now.
See? I had no business being in the registry in the first place!! (I do question things 10X over.. when it comes to the registry. It is only the 3rd time I have deleted anything there.) Are you saying, I should be careful not to delete the complete MUICache folder (or whatever it's called in reg)? .. as opposed to just deleting the LINE that is named:
C\Program~1\Common~1WinTools\WinToolsA.exe
Forgot to mention before, in addition to "Name", it had a category for "Data", where it said, 'Internet Explorer'. (My intention had been to highlight only the line (value?) that had specifically 'WinTools.exe' in it. Correct?)

The McAfee entry was in HKEY_LOCAL_SOFTWARE
Local\Software\McAfee.com\PersonalFirewall\Apps
When I went to McAfee, I see where the Firewall blocked the program from my computer. Can I presume this reg entry would be one in the same?

I'm sorry I did pull you back in! Didn't mean to, but got a bit hesitant and insecure about this. Promise.. this will be my last question. (I hope. You've been an absolute doll. <--not being derogatory.. I too am female!)
- Collapse -
Computer clean and operable.... i think.

Donna..

It may not have been prudent of me, but I deleted both values. It dawned on me, that there was no reason for WinTools to be in either place. If McAfee listed "blocked" sites in the registry.. there should have been others there. (I double-checked at a site that "walked you through" editing the registry. I believe I did this correctly. "Believe" being the operative word.) What's done is done. If I did wrong, I learned another lesson, albeit, in this particular instance, one that I could have done w/o!

Thanks again for your help.

- Collapse -
Great work curcat!

Nice to know it is operative after you've deleted it. It really shouldn't be there
