Re: WToolsA / WToolsS

["Michael Painter" <tvhawaii () shaka com>]

Aloha Dave/all

> > I know there are more places in the registry that can call scripts/executables, but don't seem to
have an end-all-be-all list of startup stuff locations.<<

My favorite is Codestuff Starter (also shows running processes) because of the "Right Click" capabilities, which are 
fabulous.

http://codestuff.mirrorz.com/

Starter 5.6.1.38

--Michael



----- Original Message ----- 
From: "Dave Dyer" <ddyer () ciber com>
To: <larsmith () tds net>; <security-basics () securityfocus com>
Sent: Tuesday, July 06, 2004 5:05 AM
Subject: RE: WToolsA / WToolsS


> Hi Allan,
> It sounds like a service is running that kicks off the wtools nonsense when
> the process is ended.  If you're on a win2k/xp machine, right click on my
> computer, choose "manage", check services running, organize them by whether
> they are stopped or started and stop any service that you are POSITIVE you
> don't need.  A good list of services can be found at www.blackviper.com, but
> make sure you read and understand everything before stopping extraneous
> services.
>
> If you're still unable to get these processes stopped, I usually do the
> following when I get some particularly nasty spyware/adware/malware:
>
> 1.  Boot into Safe Mode
> 2.  Check startup in start menu for anything "new" and delete it.
> 3.  Check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> in the registry for anything "new" and delete it (after backing up
> registry).
> 4.  Check services for anything "new" and delete it.
> 5.  Check to see which objects are running in IE (There are usually some
> activeX scripting components that I don't remember downloading with strange
> names, so I usually delete them).
>
> Incidentally, if anyone has a comprehensive list of where to find stuff that
> starts up in win2k/xp, I sure would be all ears.  I know there are more
> places in the registry that can call scripts/executables, but don't seem to
> have an end-all-be-all list of startup stuff locations.
>
> Thanks,
> Dave
>
> -----Original Message-----
> From: Allan [mailto:larsmith () tds net] 
> Sent: Friday, July 02, 2004 8:15 AM
> To: security-basics () securityfocus com
> Subject: WToolsA / WToolsS
>
> Anyone here have any experience with WToolsA and/or WToolsS ?
>
> I noticed, in the RUN folder on a WXP PC, an entry involving WinTools.
> Deleted the entry. Closed the RUN folder, opened it again and the entry was
> right back there.
>
> Didn't surprise me when I deleted the WinTools folder on the PC and got an
> "access denied" error, stating that the program / folder contents were in
> use.
>
> Nor did it surprise me when I did Ctrl-Alt-Del and went to the Processes
> tab, that I saw WToolsA running.  When I tried to "End Process", it came
> right back up.  Same with WToolsS.
>
> Anyone know of any effective tools for removing it ?
>
> Farz I know, it's ad/spyware but even the latest of Ad-Aware and SpyBot
> didn't even notice / remove the problem.
>
> Allan Smith, NCAA, NDAA


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------