Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
WToolsS.exe
nsvsvc.exe
sdoefilt.exe
Next, click Start/Run and type services.msc and click OK. Look for the service:
WToolsS.exe
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.
Next, try to UNinstall anything to do with:
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.2.98:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [3FFg39P] sdoefilt.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\n22u0cf9ef2.dll
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
...................................................................................................
Now click on the Fix Checked button in HJT.
When done, from between the dotted lines, delete the bold files.
When a directory-name is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Boot normal. When all OK, switch System Restore back on.
