Last updated 14/05/2005
Copyright 1999 - 2004, Sandra Hardmeier, All Rights Reserved Worldwide

Spyware Home Page

One of a new brand of 'intelligent' malware, able to reinstall itself if not removed properly.

At time of writing, a few of the files known to be related to wtoolsa were wtoolsa.exe, wtoolsb.dll, wsup.exe and tb_setup.exe. There are sure to be more.  The directory used is c:\program files\common files\wintools\ though it probably drops files elsewhere.

First, go to Control Panel, add/remove programs. Check for malware entries and use the uninstall programs, then reboot.

Second, get AdAware. [..Warning: AdAware is now version 6.181. All previous versions are NO LONGER SUPPORTED and will not be updated...]

AdAware is available at www.lavasoft.de. Make sure you check for updates every time you use it.

To be most effective, you must run AdAware while Windows is in safe mode, and you must shut down as many suspect processes as possible.

This can be tricky. Modern malware uses more than one process, and these processes are 'co-dependent'. In other words, when one processes detects that the other has been shut down, it automatically restarts its sibling, often using a different name.  Using Task Manager (ctrl, alt, del) doesn't work because you can only shut down one process at a time.

Disable suspect processes using MSCONFIG (startup tab) before booting into safe mode.  Use the information at the URL below as a guide:
http://www2.whidbey.com/djdenham/Uncheck.htm

After you are in safe mode, check to make sure the suspect processes did not start up using Task Manager (ctrl, alt, del).  Then start AdAware.  Make sure 'activate in depth scan' is enabled.  Select 'use custom scanning options' and then click on the 'customize' button. Turn on the following scan options - scan within archives, active processes, registry (including deep scan), IE favorites and hosts file. You must also turn on the following option via the 'tweak' button:

Cleaning engine: 'automatically try to unregister objects prior to deletion'

IMPORTANT: Before letting AdAware delete malware, write down on a piece of paper exactly where the malware is stored.  You will probably need to delete those directories after AdAware has done its work, but ONLY IF IT IS NOT A STANDARD WINDOWS DIRECTORY.

After running AdAware, run it again, this time using the option 'select drives/folders to scan'.  Click on 'select'. Scan your entire hard drive. Also do the following:

Empty your IE cache and your other temporary file folders, eg: c:\windows\temp (if using Windows 98) or C:\Documents and Settings\<name>\Local Settings\Temp (the path to your temp folder will change depending on your name) - sometimes programmes can be hidden in there - watch out for mysterious *.exe files or *.dll files in those folders.

Go to IE Tools, Internet Options, Temporary Internet Files {Settings Button}, View Objects, Downloaded Programme Files. Check for unusual objects there.

Go to IE Tools, Internet Options, Accessibility. Make sure there is no style sheet chosen (under User Style Sheet - format documents using my style sheet). If the option is turned on, turn it OFF.

Once your computer is clean, and if it applies to your operating system, create a new restore point.  Your old ones may, of course, be infected with the malware and therefore cannot be used.  Run disk cleanup to remove old restore points (if your operating system has this option you will find it on the 'more options' tab of the disk cleanup utility.

If you are still having problems:

You can go to the link below to check your system for parasites and hopefully identify your problem (supplied by Doxdesk.com):
 http://inetexplorer.mvps.org/parasite.htm
 
 Download and run the latest version of "Cool Web Shredder"
http://www.intermute.com/spysubtract/cwshredder_download.html
 
 The more experienced user can try Spybot. Again, it is a free programme which can be downloaded from: http://spybot.eon.net.au/. Warning: it is NOT a good programme for the inexperienced. If you want to use this programme, please get the advice of those more experienced before 'fixing' anything that it finds.
 
 Another excellent programme that allows you to examine your system and *create a results log for experts to examine* is HijackThis, available from:
 http://www.tomcoyote.org/hjt/
 
 An experienced computer technician can use programme such as AutoStart Viewer for in-depth diagnosis:
 http://www.diamondcs.com.au/index.php?page=asviewer