Guest
I often marvel at those people who have time to blog on solutions, etc., but
thought that this might be important enough to post.

Scenario is...
Extremely Infected PC running XP Home.
Full Battery of Scans and Cleans removes over 100 viruses, 4000 Adware
entries, 800+ Spyware installs, resulting from Party Poker and Limewire on a
Teenager's PC.

Finally felt the machine was clean enough to put online, and performed all
updates through SP2. AV Scans using Norton, Trend, and Avast. Removed all
additional traces of spyware, etc. in registry, and defragged the registry...
thinking the machine was a go for the customer. Realized that I had not
installed Anti-Spyware Beta. I try to give all customers as many free and
easy tools as possible.

I installed the software like always... and ran a scan not really thinking
it was necessary. It found some file issues that had not been detected in
Webroot, Hijackthis.exe, Spybot S&D, Ewido, or Virus Scans; that's why I like
this software. When it got to the registry scans it found some entries, but
hung at HKLM-Soft-Micro-Current-Uninstall on a WinTools folder. The page
file usage increased steadily to over 2 GB... with multiple warnings of page
file size exceeded.

I eventually had to shut down the machine... I tried in safe mode, and got
the same results. The registry entries for WinTools appeared to be empty.
But I always got the same results, and could not delete or rename the
registry folders, even in Safe Mode signed in as Admin. I fumbled upon a
program I had not used called Counterspy, but found that it looks a lot like
Anti-Spyware Beta in appearance and layout/design/fonts... hmmmn.

I ran this new software and I ended up with the same results. However, once
it reached the hang point, Counterspy would only state that it was busy
working, please wait. I watched the page file size slowly (slower than in
Anti-Spyware Beta) climb... I got frustrated and finally ended the process
after 15 minutes and an increase in PF from ~80MB to over 450MB.

That's when I went back into the registry in safe mode, and looked at the
WinTools Folders again. I took a hunch and looked at the Folder Permissions.
There were NO USERS allowed for any permission.
Admin had no rights, nor did any other user, admins or not... Wondering how
this could happen, I thought I surely wouldn't be able to change this, but I
was able to give the Admin FULL rights, and then saw ALL of the hidden
registry keys listed under this and other folders in proximity with similar
WinTools names.

I was then able to successfully DELETE the Folders Manually, and
subsequently ran a full registry scan with Counterspy with 100% success. I
assume that Anti-Spyware Beta will have the same results when I run it
tomorrow.

WinTools is evil. I hope this might help someone, before they fall prey to
the Wipe and Reload Cop-Out. BTW - in 3 Years over 2500 machines fixed...
less than 10 were so far gone that I needed to WIPE and RELOAD... I just
like the idea of knowing what the problem is so I am not working on the same
machine for the same customer in 3 months.
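The symptom the post pins down (registry keys whose permissions list no users at all, so every scanner stalls or fails when it reaches them, and an admin cannot delete them until rights are restored) is something a technician can check for in bulk instead of stumbling onto it one key at a time. The script below is an added example and is not code from the post or from any of the tools it names. It assumes an elevated Windows PowerShell session, a parent path under HKLM that I chose to match the post's HKLM\...\CurrentVersion\Uninstall location (the `$ParentPath` parameter is mine), and that the Administrators group still owns the stripped keys, which is what lets the owner's implicit READ_CONTROL and WRITE_DAC work even with an empty DACL (consistent with the poster being able to re-grant rights without taking ownership first). Keys whose owner was changed as well would need ownership taken back in regedit before this script can repair them. By default it only reports; `-Repair` adds a Full Control entry for Administrators on keys whose DACL is empty, so the keys can then be inspected and removed with ordinary tools.

```powershell
# Added example (not from the post): find registry subkeys under a parent key whose
# DACL has been emptied (no ACEs at all), report them, and optionally restore
# Administrators' Full Control so they can be reviewed and deleted normally.
# Assumptions: elevated session; Administrators remain the owner of the stripped keys.
[CmdletBinding()]
param(
    # Parent key, relative to HKLM. Default matches the post's Uninstall location.
    [string]$ParentPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # Only re-grant Administrators Full Control when this switch is present.
    [switch]$Repair
)

$rights = [System.Security.AccessControl.RegistryRights]
$check  = [Microsoft.Win32.RegistryKeyPermissionCheck]
$nt     = [System.Security.Principal.NTAccount]

$parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ParentPath)
if ($null -eq $parent) { throw "Cannot open HKLM\$ParentPath" }

foreach ($name in $parent.GetSubKeyNames()) {
    # Step 1: a normal read open. Healthy keys succeed; a key with an emptied DACL
    # throws SecurityException here, which is the hang/failure point scanners hit.
    $readable = $true
    try {
        $k = $parent.OpenSubKey($name)
        if ($null -eq $k) { $readable = $false } else { $k.Close() }
    } catch [System.Security.SecurityException] {
        $readable = $false
    }
    if ($readable) { continue }

    # Step 2: open asking only for the permission-related rights an owner always has
    # (READ_CONTROL / WRITE_DAC), so the DACL can be inspected without KEY_READ.
    $owner = '<unknown>'; $aceCount = -1; $action = 'access denied even to ACL (take ownership in regedit first)'
    try {
        $k  = $parent.OpenSubKey($name, $check::ReadWriteSubTree,
                                 ($rights::ReadPermissions -bor $rights::ChangePermissions))
        $sd = $k.GetAccessControl()
        $owner    = $sd.GetOwner($nt).Value
        $aceCount = $sd.GetAccessRules($true, $true, $nt).Count
        $action   = 'report only'

        if ($Repair -and $aceCount -eq 0) {
            # Restore what the poster did by hand: give Administrators Full Control,
            # inheriting to the hidden subkeys beneath it.
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                'BUILTIN\Administrators', 'FullControl',
                'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $sd.AddAccessRule($rule)
            $k.SetAccessControl($sd)   # persists the DACL change; needs WRITE_DAC
            $action = 'Administrators Full Control restored'
        }
        $k.Close()
    } catch {
        $action = "error: $($_.Exception.Message)"
    }

    [PSCustomObject]@{
        Key      = "HKLM\$ParentPath\$name"
        Owner    = $owner
        AceCount = $aceCount          # 0 means nobody is granted anything, as in the post
        Action   = $action
    }
}
```

Run it once without `-Repair` and review the `AceCount` column: a value of 0 on a key you did not lock down yourself is the pattern described above, and the `Owner` column tells you whether the one-step repair will work or whether ownership has to be taken first. Only then run it again with `-Repair`, and follow up with the scanner of your choice on the now-visible subkeys.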