Author Archives: Administrator

Removing Winfixer, Wintools, WtoolsA, WtoolsB, Wsup

There are a lot of variants of the Winfixer spyware. Some of them are easy to remove by booting into safe mode and running Spybot or Adaware.

I encountered a very persistent version recently. The symptoms are:

1) wsup.exe and wtoolsa.exe are always running in the task manager. When you end either process it just restores itself.
2) Wintools always loading when checked with msconfig.
3) Unable to delete the BHOs by using Hijackthis. They keep coming back.
4) Unable to rename or delete the c:\program files\common files\wintools folder. It says that access is denied or that another process is running.

The only procedure that worked for me was to install the 14-day demo version of the great Ewido program at http://www.ewido.net. After installation ewido was able to catch and deactivate the Wtools spyware programs long enough for me to delete the wintools folder.

After that it was an easy matter of cleaning up msconfig and deleting all instances of “wintools” in the registry.

Vundo Spyware Removal

1) Download the fix from here http://www.atribune.org/downloads/VundoFix.exe

2) Double click the file which will create a folder on your desktop.

3) Reboot into Safe Mode.

4) Run the KillVundo.bat file from the folder.

5) It will prompt you for two items. The first time you enter the full path to the offending file, such as c:\windows\system32\srvdisk.dll. This file may be different.

6) The second time you enter in the path, with the filename reverse. In the above example, you would enter in this: c:\windows\system32\ksidvrs.* .

7) Reboot the computer and then run Cleanup from this location. http://www.stevengould.org/downloads/cleanup/CleanUp40.exe

The CleanUp options to select are:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

8) Run HijackThis and remove the Vundo related files you entered in 5) and 6) above.

Celebrate the Vundo removal!

It’s *ahem* Vundo-bar!

Removing guard.tmp and kldsw.dll

More spyware junk removal.

This time I needed to use l2mfix which you can find at either of these locations.

http://www.downloads.subratam.org/l2mfix.exe
http://www.atribune.org/downloads/l2mfix.exe

Download the zip file and unzip it to your desktop. This will create an l2mfix folder.

From within the folder run the l2mfix.bat file.

Select option #1 for Run Find Log.

Select option #2 for Run Fix. It will reboot your computer and then run the fix on reboot. On some systems the scanning passes may take a while so be patient.

After it is done it will open up notepad with a trace log.

Removing Nail and Aurora Spyware

Got another case of Nail.exe and Aurora popups.

This time I used a combination of 3 tools to remove it.

1) Run Nailfix.

You can find this program all over the net. Here’s one place to find it: nailfix for XP at
http://users/pandora.be/bluepatchy/nailfix.zip and nailfix for Win2K at
http://users/pandora.be/bluepatchy/nailfix2k.zip

2) Unregister aurorahandler.dll and DrPMon.dll. You can do this with the following command: regsvr32 /u dllname

More information here: http://www.spyware-removal-guideline.com/aurora-removal

3) After the unregister I was able to rename the nail.exe file and later delete it.

4) Run ewido. http://www.ewido.net

Ewido was able to catch all the other random-named files that would reinstall Nail.exe.

Removing SurfsideKick3

Ran into a very stubborn case of SurfSideKick3 lately.

This posting eventually did the trick. http://www.cybertechhelp.com/forums/showthread.php?t=87193

I think the most critical part of the procedure was using Reglite to change the registry entry for Windows NT. This allowed the deletion of the repairs.dll which was responsible for reloading SurfSideKick. After repairs.dll was deleted I could then remove the entire SurfSideKick directory and all the related entries from Hijackthis.

Here are the main excerpts from the posting.

1) Download Ewido Security Suite from here: http://www.ewido.net/

Launch Ewido, there should be an icon on your desktop, doubleclick it. The program will now go to the main screen. You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update and then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates: http://www.ewido.net/en/download/updates/

When installing, under “Additional Options” uncheck : “Install background guard” and “Install scan via context menu”.

Do not run a scan yet.

Now, go to Start> Control Panel> Add or Remove Programs and remove if present:

SurfSideKick 3

Then run HijackThis Do a system scan only and place a check mark next the following entries:

R3 – URLSearchHook: (no name) – CFBFAE00-17A6-11D0-99CB-00C04FD64497 – (no file)
R3 – URLSearchHook: (no name) – {02EE5B04-F144-47BB-83FB-A60BD91B74A9} – E:\Program Files\SurfSideKick 3\SskBho.dll

O2 – BHO: COMMUNICATOR – {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} – E:\WINDOWS\system32\communicator.dll

O3 – Toolbar: COMMUNICATOR – {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} – E:\WINDOWS\system32\communicator.dll

O4 – HKLM\..\Run: [stb] E:\WINDOWS\system32\stb.exe

O4 – HKLM\..\Run: [SurfSideKick 3] E:\Program Files\SurfSideKick 3\Ssk.exe
O4 – HKCU\..\Run: [SurfSideKick 3] E:\Program Files\SurfSideKick 3\Ssk.exe

O9 – Extra button: (no name) – {85d1f590-48f4-11d9-9669-0800200c9a66} – %windir%\bdoscandel.exe (file missing)
O9 – Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 – {85d1f590-48f4-11d9-9669-0800200c9a66} – %windir%\bdoscandel.exe (file missing)

O15 – Trusted Zone: *.akamai.net
O15 – Trusted Zone: http://Download.Windowsupdate.com

O18 – Filter: text/html – {DFAA31C8-A356-4313-9D95-5EDAB46C5070} – (no file)
O20 – AppInit_DLLs: repairs.dll

Close all the windows (browsers, programs) and click Fix checked.

Boot into Safe mode by tapping F8 as your computer restarts. Make sure that you can view hidden files and folders and uncheck “Hide Extensions for Known File Types” and delete the following files or folders highlighted in bold if they are still present:

E:\Program Files\SurfSideKick 3
E:\WINDOWS\system32\stb.exe
repairs.dll< -- Search for it, probably located in System32 Run Ewido. Click on scanner and click Complete System Scan and the scan will begin. During the scan it will prompt you to clean files, click OK. When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK. When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop and close Ewido. 2) Download the following reg file to your desktop. When it is finished downloading double-click on it and say Yes when it asks if you would like to merge the data. fixssk.reg

3) Search for this file:

repairs.dll

Then download Pocket Killbox from here:

http://www.cybertechhelp.com/download/file/pocket-killbox

But don’t run it yet.

Boot into safe mode. Open Pocket Killbox and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying “File with be deleted on next reboot, Process and Reboot now?” Click “Yes” and post a new log when you have rebooted.

4) Download RegLite :

http://www.resplendence.com/downloads

Reboot into Safe Mode

Open Reglite and Copy&Paste the bold text below into the Address Bar and hit Enter

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

In the smaller left hand pane-> Right Click the Windows folder(Highlighted in Blue)

Select Rename-> Rename it to Windoz-> Hit Enter

Now look in the larger right hand pane-> locate and double click AppInit_DLLs

Under Value-> Remove(Delete)-> repairs.dll

Open the Search Assistant(Click Start>>Click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by every box under Advanced options

Now under All Files and Folders, enter this into the text box:

repairs.dll

Delete any exact matches

Reboot and Open Reglite again-> go back to the folder you renamed to Windoz and Rename it again, back to Windows.

Have HijackThis fix this entry if its still there

O20 – AppInit_DLLs: repairs.dll

After the protection is remove you should then be able to delete the file…

C:\Windows\System32\repairs.dll <--delete that.

Detect Autostart Programs

Here’s another cool free utility for checking what programs are automatically starting. It’s called Autoruns from the good people at SysInternals.

It shows a lot more than the traditional msconfig. Great for poking around to look for spyware and old programs that might be eating up CPU cycles during boot up.

It’s a pretty advanced tool so use it at your own risk.