Umwhat: The only place you can find anything, if it's findable, is in
C:\WINDOWS\System32 ... Most of these kinds of parasites are only registry
keys and values, and are not readily found as regular applications; some can
be found as .exe or .dll files in system32 or not at all, so don't be
discouraged if you can't find counterparts from the ones in the registry...
but anyway search like this:
type a search as; .dll do another search for; .exe... another search for
WantToKillAppTim as WTKAT or wtkat or wtkattb and search for those other
values you found in the registry this way... (you may want to avoid part of
this cause .dll files are literally thousands, but do look for .exe files) if
nothing shows up in the search, you may want to install spyware programs
to disinfect your system and make sure you're rid of those nasty bugs. The
programs I use and recommend are SE Personal, Spybot Search & Destroy,
CWShredder and SpywareBlaster. Update them before scanning and update/use
them on a regular basis.
http://www.majorgeeks.com/downloads31.html (there are a few others I can
recommend if you are not fully satisfied with the outcome).
A few other values you mention are suspicious to me.. compare them to the
following keys and values found on the Internet Explorer\Toolbar key.....
and delete those keys and values not found here.. these keys I took from my
registry which is totally normal. Or rather, to avoid the guesswork,
install the programs I mentioned, run them in safe mode and look again after
a reboot, I bet most of them will not be present anymore. To log on in Safe
Mode, press F8 three or four times at one-second intervals on the first logo
screen and select Safe Mode from the logon options.... it takes longer so be
patient.
After scanning with all the programs I mentioned, look again in the Toolbar
key and see if it resembles these keys which I took from my computer and are
free of any infection, and delete any key and values which may be leftover.
These are NORMAL keys and values:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ (main key)
(default value) [alphanumeric]
{710EB7A1-45ED-11D0-924A-0020AFC7AC4D}
LinksFolderName
Locked
ShowDiscussionButton
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Explorer\
(sub key)
(Default value)
ITBarLayout
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
(sub key)
(Default value)
{01E04581-4EEE-11D0-BFE9-00AA005B4383}
{0E5CBF21-D15F-11D0-8301-00AA005B4383}
ITBarLayout
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
(sub key)
(Default value)
{01E04581-4EEE-11D0-BFE9-00AA005B4383}
{0E5CBF21-D15F-11D0-8301-00AA005B4383}
ITBarLayout
After you delete the crap from the registry, you may experience lost
Internet connectivity, which is normal in some cases and can be restored by a
reboot (turn off and give it a minute before you press on again). I believe
this will be enough.. but report back the results.
I see you have been busy (with no favorable result):
http://forums.wugnet.com/Security-Admin-trojan-whse-ftopict374765.html
These are being posted as I write, and before I send [nice!]..
http://forum.iamnotageek.com/t-1819074245.html
http://forum.iamnotageek.com/history/topic.php/1819074245-1.html
Regards
----------------------------------------------------------
Umwhat said:
Hello Juan,
thank you,
I looked where you indicated and I found ITBarLayout in the
WebBrowser entry with 2 other Binary ?? with a string of numbers and if I
double clicked on ITBarLayout to make a window, I found the same numbers in
the window down the left side as I scrolled down the page and a lot of dashes
amongst some, maybe 20, irregularly listed figures, question marks and
other random figures. Amongst those figures was 132.dll listed as a
Favorite which I'm sure I did not have as a Favorite.
The 132.dll seemed to remind me of a Trojan I had seen somewhere before.
I did see 2 entries when I found the WantToKillAppTim... beginning
WantToKillAppTim... the second had something other than the Tim... after
the App.
Can you suggest where I should look to find the 2 entries I have seen to
check they have gone? I did try searching for them but a search would not
even find the WantToKillAppTim... .
Thank you again, and my computer seems more responsive than
before already.
Nick
Juan said:
WantToKillAppTim... has anyone seen this before, I haven't found anything
on.....
I already looked in Symantec's website but nothing .....
It may be part of Windows, but I don't think so ......
You are right it is not a part of Windows... by the name you can tell it's a
hijacker toolbar.
Do this to remove it:
Start\Run\msconfig\Start\ uncheck all except antivirus components, Office
shortcuts toolbar, and messenger.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete any values other than the default alphanumeric value, antivirus
components, Office shortcuts toolbar and messenger.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (delete
any other than as described in HKLM)
It may also show up in one of the next registry keys.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
Default Subkey:
{4D5C8C25-D075-11d0-B416-00C04FB90376}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
Default Subkeys:
[Explorer]
[ShellBrowser]
[ITBarLayout]
[WebBrowser]
Still any parasite could show up as an alphanumeric value and you may have
trouble identifying it, an anti-spyware program will ID and remove it.
Recommended anti-spyware programs are: Ad-aware SE Personal, Spybot Search
& Destroy, CWShredder, HijackThis.
Download them from:
http://www.majorgeeks.com/downloads31.html
Regards.
--------------------------------
"Umwhat" <me.somewhere@somewhere else.com> wrote in message
I just wrote this down while looking through the registry to remove whse
search toolbar and its extras and I can't find anything about it but it
looks a bit nasty, "WantToKillAppTim...", has anyone seen this before
or
can someone give a clue where to look for it. I haven't found anything on
Google or MSN SeaSearch. I already looked in Symantec's website but
nothing.
It may be part of Windows, but I don't think so.
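
The comparison against the "NORMAL keys and values" list in the first reply of this thread, written as a read-only PowerShell audit. This is an added example and not part of any poster's message; the function name `Get-UnexpectedToolbarEntry` is hypothetical, and the baseline is one poster's machine, so an entry it reports is something to investigate, not proof of infection.

```powershell
# Added example: report-only audit of the IE Toolbar key. Nothing is deleted.
$root = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar'

# Baseline value names per key, copied from the list quoted in the thread.
# '.' stands for the Toolbar key itself (an assumption of this example).
$baseline = @{
    '.'            = @('(default)', '{710EB7A1-45ED-11D0-924A-0020AFC7AC4D}',
                       'LinksFolderName', 'Locked', 'ShowDiscussionButton')
    'Explorer'     = @('(default)', 'ITBarLayout')
    'ShellBrowser' = @('(default)', '{01E04581-4EEE-11D0-BFE9-00AA005B4383}',
                       '{0E5CBF21-D15F-11D0-8301-00AA005B4383}', 'ITBarLayout')
    'WebBrowser'   = @('(default)', '{01E04581-4EEE-11D0-BFE9-00AA005B4383}',
                       '{0E5CBF21-D15F-11D0-8301-00AA005B4383}', 'ITBarLayout')
}

function Get-UnexpectedToolbarEntry {
    foreach ($sub in $baseline.Keys) {
        $path = if ($sub -eq '.') { $root } else { Join-Path $root $sub }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            # The unnamed default value is returned as an empty string.
            $shown = if ($name -eq '') { '(default)' } else { $name }
            # -notcontains is case-insensitive, like registry value names.
            if ($baseline[$sub] -notcontains $shown) {
                [pscustomobject]@{ Kind = 'Value'; Key = $key.Name; Name = $shown }
            }
        }
    }

    # Subkeys under Toolbar that the baseline does not list at all.
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
        Where-Object { $baseline.Keys -notcontains $_.PSChildName } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Subkey'; Key = $_.Name; Name = $_.PSChildName }
        }
}

Get-UnexpectedToolbarEntry | Format-Table -AutoSize
```

Export the Toolbar key with `reg export` before removing anything the report flags, so a wrong deletion can be undone.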