Security Basics mailing list archives
RE: WToolsA / WToolsS
From: "Dave Dyer" <ddyer () ciber com>
Date: Tue, 6 Jul 2004 09:05:08 -0600
Hi Allan,

It sounds like a service is running that kicks off the wtools nonsense when the process is ended. If you're on a win2k/xp machine, right click on my computer, choose "manage", check services running, organize them by whether they are stopped or started and stop any service that you are POSITIVE you don't need. A good list of services can be found at www.blackviper.com, but make sure you read and understand everything before stopping extraneous services.

If you're still unable to get these processes stopped, I usually do the following when I get some particularly nasty spyware/adware/malware:

1. Boot into Safe Mode
2. Check startup in start menu for anything "new" and delete it.
3. Check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the registry for anything "new" and delete it (after backing up registry).
4. Check services for anything "new" and delete it.
5. Check to see which objects are running in IE (There are usually some activeX scripting components that I don't remember downloading with strange names, so I usually delete them).

Incidentally, if anyone has a comprehensive list of where to find stuff that starts up in win2k/xp, I sure would be all ears. I know there are more places in the registry that can call scripts/executables, but don't seem to have an end-all-be-all list of startup stuff locations.

Thanks,
Dave

-----Original Message-----
From: Allan [mailto:larsmith () tds net]
Sent: Friday, July 02, 2004 8:15 AM
To: security-basics () securityfocus com
Subject: WToolsA / WToolsS

Anyone here have any experience with WToolsA and/or WToolsS?

I noticed, in the RUN folder on a WXP PC, an entry involving WinTools. Deleted the entry. Closed the RUN folder, opened it again and the entry was right back there. Didn't surprise me when I deleted the WinTools folder on the PC and got an "access denied" error, stating that the program / folder contents were in use.

Nor did it surprise me when I did Ctrl-Alt-Del and went to the Processes tab, that I saw WToolsA running. When I tried to "End Process", it came right back up. Same with WToolsS.

Anyone know of any effective tools for removing it?

Farz I know, it's ad/spyware but even the latest of Ad-Aware and SpyBot didn't even notice / remove the problem.

Allan Smith, NCAA, NDAA

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
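The "anything new" checks in steps 2 to 4 of Dave's reply can be done by diffing against a saved baseline. This is an added example, not part of the original thread; it assumes Windows PowerShell 3.0 or later and an elevated prompt, the baseline path and function names are hypothetical, and the RunOnce and HKCU keys go beyond the one key the post names.

```powershell
# Added example (not from the thread). Requires Windows PowerShell 3.0+; run elevated.
$BaselinePath = Join-Path $env:ProgramData 'autostart-baseline.csv'  # hypothetical path

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',      # named in the post
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',  # added here
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',      # added here
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'   # added here
)

function Get-AutostartSnapshot {
    # Step 3: values under the Run/RunOnce registry keys
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
    # Step 2: per-user and all-users Startup folders in the Start menu
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if ($path -and (Test-Path $path)) {
            Get-ChildItem -Path $path -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
                [pscustomobject]@{ Source = $path; Name = $_.Name; Command = $_.FullName }
            }
        }
    }
    # Step 4: services configured to start automatically
    Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = [string]$_.PathName }
    }
}

# One comparable string per entry, so a changed command line also counts as new
function Get-EntryKey($e) { '{0}|{1}|{2}' -f $e.Source, $e.Name, $e.Command }

$current = @(Get-AutostartSnapshot)
if (-not (Test-Path $BaselinePath)) {
    # First run: record the known state
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Baseline saved: $($current.Count) entries in $BaselinePath"
} else {
    # Later runs: print only entries absent from the baseline
    $known = @{}
    foreach ($b in Import-Csv -Path $BaselinePath) { $known[(Get-EntryKey $b)] = $true }
    $current | Where-Object { -not $known.ContainsKey((Get-EntryKey $_)) } |
        Format-Table Source, Name, Command -AutoSize -Wrap
}
```

Running it again after deleting an entry shows whether that entry has been rewritten, which is the behaviour Allan describes for the WinTools Run entry.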