ie6 browser homepage hijacked by hklm software

Status
Not open for further replies.
I have moved this thread to the Security and the Web forum.

Take a look at the threads at the top of this forum. They will most certainly fix you up.

BTW
Welcome to TechSpot
 
hklm removal

What is WinTools?

WinTools appears to be a variant of Huntbar. It is very persistent and extremely difficult to remove. It creates its own folder under Program Files/Common Files called WinTools. All of its files appear to be contained within this folder.

How do I Remove WinTools?

Although there are many different methods across the web to remove this parasite, here is the most reliable way of doing this.

1) While online, download the popular HiJackThis program from Spywareinfo.com. You may want to read through the HiJackThis tutorial as well.

2) Reboot your computer into Safe Mode. You may also want to turn off System Restore in Windows XP/ME to remove any backups of the files you are about to delete.

3) Remove the Startup Entries in the Registry

* Click on Start, Run, type REGEDIT and click OK
* Click the pluses (+) next to the following items
  o HKEY_LOCAL_MACHINE
  o Software
  o Microsoft
  o Windows
  o CurrentVersion
  o Run
* Right-click on the file WinTools and click DELETE
* Click the pluses (+) next to the following items
  o HKEY_LOCAL_MACHINE
  o Software
  o Microsoft
  o Windows
  o CurrentVersion
  o RunServices
* Right-click on the file WinTools and click DELETE
* Close REGEDIT

3) Run HiJackThis (while in Safe Mode) and Delete any entries relating to WinTools including

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183}- C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WINTOOLS\BTIEIN.DLL

Although the following entries should have been deleted in Step 2, delete these entries if they still exist.

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe

3) Delete the WinTools folder and all associated files

* Open My Computer, Drive C, Program Files, Common Files
* Right-click on the WinTools folder (if it exists) and Delete it

4) You should also delete or clean up your hosts file

Windows 95/98/Me c:\windows\hosts
Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts
Windows XP Home c:\windows\system32\drivers\etc\hosts


5) Reboot the computer in Normal Mode and run HiJackThis again to test (Wintools should be gone)
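
The HiJackThis check described in the post above, as an added example that is not part of the original post: a small parser that flags O2 and O4 log entries whose file sits under the WinTools folder, whether the path is written in long form or with 8.3 short names. The sample log is constructed from lines quoted in the post plus two made-up benign entries, and the short-name mapping (`PROGRA~1`, `COMMON~1`) is an assumption based on those lines.

```python
import re

# HijackThis line shapes quoted in the post:
#   O2 - BHO: (no name) - {CLSID} - C:\path\file.dll
#   O4 - HKLM\..\Run: [Name] C:\path\file.exe
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<path>.+)$")
O4_RE = re.compile(
    r"^O4 - (?P<key>HKLM\\\.\.\\Run(?:Services)?): \[(?P<name>[^\]]*)\] (?P<path>.+)$")

# Assumption: the 8.3 short names in the post's log lines map to these long names.
SHORT_NAMES = {"progra~1": "program files", "common~1": "common files"}
TARGET_DIR = r"c:\program files\common files\wintools"

# Constructed sample: three lines from the post, two benign lines made up here.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183}- C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\example.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
"""


def normalize(path):
    """Lower-case the path and expand the 8.3 components listed above."""
    parts = path.strip().lower().split("\\")
    return "\\".join(SHORT_NAMES.get(p, p) for p in parts)


def find_wintools(log_text):
    """Return (section, CLSID or registry key, path) for entries under the WinTools folder."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        for section, rx, field in (("O2", O2_RE, "clsid"), ("O4", O4_RE, "key")):
            m = rx.match(line)
            # Trailing backslash keeps a sibling folder such as "WinToolsX" from matching.
            if m and normalize(m.group("path")).startswith(TARGET_DIR + "\\"):
                hits.append((section, m.group(field), m.group("path")))
    return hits


if __name__ == "__main__":
    for section, ident, path in find_wintools(SAMPLE_LOG):
        print(f"{section}  {ident}  {path}")
```

Run it against a saved HiJackThis log after step 5 to confirm that no O2 or O4 entry still points into the WinTools folder.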
 
Thanks Poertner_1274

Re: my question about HKLM Software. I think I have fixed the problem now. I searched for Wintools and haven't found anything. I used Task Manager to stop a process called shdocha.exe from running, then deleted it. I then restarted in Safe Mode and used Registry Repair Pro to find Autostart Programs and deleted shdocha.exe again. Now I can reset my homepage normally. The only problem I've noticed now is a Runtime Error when I boot up. Thanks again for your help and to Tedster for the advice.

lou
 