Win-Tools

Overview

Win-Tools's official name is "Win-Tools Easy Installer", and is published by IBIS LLC. Win-Tools's official description: "Win-Tools assists users finding information with the delivery of contextually-based information relating to subjects and topics of personal interest." Win-Tools installs a Browser Helper Object, a URLSearchHook and its files, WToolsA.exe, WSup.exe, WToolsS.exe and WToolsB.dll, are stored in "%ProgramsDir%\Common files\WinTools\". WSup.exe is hidden.

Note: %ProgramsDir% is a variable (?). By default, this is C:\Program Files.

Note: The analysis on this page is based on WSup.exe version 1.1.0.4, WToolsS.exe version 1.0.3.6, WToolsA.exe version 1.1.04 and WToolsB.dll version 1.1.0.4, if not otherwise stated.

These files' properties does not contain any information about the vendor. Some use "Internet Explorer" as their description and the Internet Explorer icon. ZoneAlarm, a widely used firewall, uses this information to inform which programs that have accessed the internet. This screenshot of the ZoneAlarm dialog shows five programs that all seem to be the Internet Explorer browser. However, the first Internet Explorer entry is the real Internet Explorer browser, the other four are files part of the Win-Tools software. ZoneAlarm's online service that offers more information about programs connecting to the internet uses the file's description as these screenshots shows when WToolsA.exe connects to the internet [1] [2].

An average user will probably have difficulties to determine what Win-Tools does, where to find more information about it, who the vendors is and how to uninstall it. Some will probably think it is the Internet Explorer browser. If you look inside the files with a hex editor you will see the following URLs and domain names:

websearch.com

adwave.com

http://as.adwave.com/as.asmx/SrchKeys? af_id=%af_id%&kw=%keywords%&dom=%new_dom%&TUID=%tuid% &c_hist=%c_hist%&cookies=%cookies%&r_ip=

http://download.websearch.com/as2 config.asmx/GetXML?TbId=%tb_id% &TUID=%tuid%&v_lst=%cfg_v_lst% &AIs=%enable_autoinst% &ASs=%enable_ads%&tsks_s=%cfg_tsks_s%&tsk_h=%cfg_tsk_h% &max_id=%cfg_max_id%&srv_v=%cfg_srv_v%&stats=%cfg_stats% &q_res=%cfg_q_res%

http://download.websearch.com/TbStatInstLog.asmx/SetStatus? TbId=%tb_id% &Modul=ASV2_EXE_IN&TUID=%tuid% &Info=SearchInstall&sdate=%idate% &stime=%itime%

http://www.win-tools.com/

http://download.websearch.com/dnl/T_50024/WinTA.cab

http://sr.websearch.com/as.aspx?q=#autosearch#&t=%tb_id%

The following message is also located inside the files: "Do you want to install and run free plugin to optimize Internet Explorer including Web Search Tools; once you agree to the Licence Terms and Privacy Policy (http://www.websearch.com/legal/Terms.aspx) - click YES to CONTINUE"

Classification

Adware

Distribution

Win-Tools is included in 13% of the Websearch Toolbar distributions, according to a statement made the 7th of April 2005 by an IBIS representative.

Files

WToolsA.exe, WSup.exe, WToolsS.exe, WToolsB.dll, WTuninst.exe

If you have any of the files related to Win-Tools on your system, please send them for additional analysis. Generally, I have only analysed a few versions for each software component listed at this web site. With your help I will be able to look at both old and more recent versions of the Win-Tools software. Thank you very much for your time!

Log references

Log 283 Log 286

Vendor

IBIS LLC, websearch.com, win-tools.com, contact@ibisit.com

End User License Agreement

http://www.websearch.com/legal/Terms.aspx ?

Privacy policy

http://www.websearch.com/legal/privacy.aspx ?

Naming history

Win-Tools has previously been called Bubba.wintools. This change has been made upon IBIS LLC's request.

Alias

WinTools Trojan [Microsoft Antispyware], IBIS Toolbar [AdAdware], HuntBar [Spybot Search & Destroy], Win32:Adan-025 [Avast], Adware.Searchbar-24 [ClamAV], W32/Winloot-tr [Fortinet], AdWare.Wintol.aa, AdWare.Wintol.y, Trojan-Downloader.Win32.Wintool.f [Kaspersky Anti-Virus], .Websearch.P [mks_vir], AdWare.Wintol.aa, Adware.Wintol, Trojan-Downloader.Win32.Wintool.f [VBA32], ADW_WINSTOOL.A, ADW_WSEARCH.109 [Trendmicro], Adware.Huntbar, Adware.Websearch [Norton AntiVirus], IBIS Toolbar [eTrust]

Detection

Bazooka Adware and Spyware Scanner detects Win-Tools. Bazooka is freeware and detects spyware, adware, foistware, trojan horses, viruses, worms and other potentially unwanted applications. Read more »

Uninstall procedure

Uninstall Win-Tools from "Add/Remove Programs" in the Windows® Control Panel. Look for entries called 'Win-Tools Easy Installer' or 'WinTools Easy Installer (by WebSearch)'. If you run into problems uninstalling Win-Tools, please contact the vendor at contact@ibisit.com for advise.

Uninstall Win-Tools with FreeFixer

I'm working on a general purpose tool for removing unwanted software. The tool is called FreeFixer and can help you remove unwanted Browser Helper Objects, Internet Explorer toolbars and software that starts automatically when you reboot your computer, so it can offer some assistance while uninstalling Win-Tools. The manual removal instructions listed below will help you to identify what to delete with FreeFixer.

Read more about FreeFixer.

Manual removal

Please follow the instructions below if you would like to remove Win-Tools manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If Win-Tools remains on your system after stepping through the removal instructions, please double-check by stepping through them again.

1. Start your computer in safe mode.
2. Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
3. Browse to the key:
   'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
4. In the right pane, delete the value called 'WinTools', if it exists.
5. Browse to the key:
   'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ RunOnce'
6. In the right pane, delete the value called 'WinTools', if it exists.
7. Browse to the key:
   'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ RunServices'
8. In the right pane, delete the value called 'WinTools', if it exists.
9. Browse to the key:
   'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ RunServicesOnce'
10. In the right pane, delete the value called 'WinTools', if it exists.
11. Delete 'HKEY_LOCAL_MACHINE\SOFTWARE \ Classes \ CLSID \ {87766247-311C-43B4-8499-3D5FEC94A183}', if it exists.
12. Delete 'HKEY_LOCAL_MACHINE\SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer\Browser Helper Objects \ {87766247-311C-43B4-8499-3D5FEC94A183}', if it exists.
13. Delete 'HKEY_LOCAL_MACHINE\SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Uninstall \ WinTools', if it exists.
14. Exit the registry editor.
15. Start Windows Explorer and delete:
    %ProgramsDir%\Common files\WinTools\WToolsA.exe
    %ProgramsDir%\Common files\WinTools\WSup.exe
    %ProgramsDir%\Common files\WinTools\WToolsS.exe
    %ProgramsDir%\Common files\WinTools\WToolsB.dll
    Note: %ProgramsDir% is a variable (?). By default, this is C:\Program Files.

Problems uninstalling? Click here.

I'm looking for your help!

Thank you for using my site, I hope you find it useful. I'm looking for help from all users, please read more.

Contact information for Win-Tools's vendor

In order to provide correct, accurate and updated information about Win-Tools I encourage the vendor to contact me if any part of this write-up needs a revision.