WantToKillAppTim



Umwhat
07-10-2005, 03:09 AM
I just wrote this down while looking through the registry to remove whse
search toolbar and it's extras and I can't find anything about it but it
looks a bit nasty , " WantToKillAppTim..." , has anyone seen this before or
can someone give a clue where to look for it . I haven't found anything on
Google or MSN SeaSearch . I already loooked in Symantecs website but nothing .
It maybe part of windows , but I don't think so .
--
signature

Juan
07-10-2005, 03:09 AM
WantToKillAppTim... has anyone seen this before, I haven't found anything
on.....
I already loooked in Symantecs website but nothing .....
It maybe part of windows , but I don't think so ......

You are right it is not a part of Windows... by the name you can tell it's a
hijacker toolbar.
Do this to remove it:

Start\Run\msconfig\Start\ uncheck all except antivirus components, Office
shortcuts toolbar, and messenger.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete any values other than the default alphanumeric value, antivirus
components, Office shortcuts toolbar and messenger.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (delete
any other than as described in HKLM)

It may also show up in one of the next registry keys.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
Default Subkey:
{4D5C8C25-D075-11d0-B416-00C04FB90376}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
Default Subkeys:
[Explorer]
[ShellBrowser]
[ITBarLayout]
[WebBrowser]

Still any parasite could show up as an alphanumeric value and you may have
trouble identifying it, an anti-spyware program will ID and remove it.
Recommended anti-spyware programs are: Ad-aware SE Personal, Spybot Search
& Destroy, CWShredder, HijackThis.
Download them from:
http://www.majorgeeks.com/downloads31.html

Regards.

--------------------------------
"Umwhat" <me.somewhere@somewhere else.com> escribió en el mensaje
news:F1DC1B25-FF24-405F-A51D-6B47F00F5DA2@microsoft.com...
> I just wrote this down while looking through the registry to remove whse
> search toolbar and it's extras and I can't find anything about it but it
> looks a bit nasty , " WantToKillAppTim..." , has anyone seen this before
or
> can someone give a clue where to look for it . I haven't found anything on
> Google or MSN SeaSearch . I already loooked in Symantecs website but
nothing .
> It maybe part of windows , but I don't think so .
> --
> signature

Umwhat
07-10-2005, 03:09 AM
Hello Juan ,
thankyou ,
I looked where you indicated and I found ITBarLayout in the
WebBrowser entry with 2 other Binary ?? with a string of numbers and if I
double clicked on ITBarLayout to make a window , I found the same numbers in
the window down the left side as I scrolled down the page and alot of dashes
amongst some , maybe 20 , irregularly listed figures , question marks and
other random figures . Amongst those figures was 132.dll listed as a
Favorite which I'm sure I did not have as a Favorite .
The 132.dll seemed to remind me of a Trojan I had seen somewhere before .
I did see 2 entries when I found the WantToKillAppTim... beginning
WantToKillAppTim... the second had something other than the Tim... after
the App .
Can you suggest where I should look to find the 2 entries I have saw to
check they have gone ? I did try searching for them but a search would not
even find the WantToKillAppTim... .

Thankyou again , and my computer seems more responsive than
before already .
Nick

"Juan" wrote:

> WantToKillAppTim... has anyone seen this before, I haven't found anything
> on.....
> I already loooked in Symantecs website but nothing .....
> It maybe part of windows , but I don't think so ......
>
> You are right it is not a part of Windows... by the name you can tell it's a
> hijacker toolbar.
> Do this to remove it:
>
> Start\Run\msconfig\Start\ uncheck all except antivirus components, Office
> shortcuts toolbar, and messenger.
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> Delete any values other than the default alphanumeric value, antivirus
> components, Office shortcuts toolbar and messenger.
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (delete
> any other than as described in HKLM)
>
> It may also show up in one of the next registry keys.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
> Default Subkey:
> {4D5C8C25-D075-11d0-B416-00C04FB90376}
>
> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
> Default Subkeys:
> [Explorer]
> [ShellBrowser]
> [ITBarLayout]
> [WebBrowser]
>
> Still any parasite could show up as an alphanumeric value and you may have
> trouble identifying it, an anti-spyware program will ID and remove it.
> Recommended anti-spyware programs are: Ad-aware SE Personal, Spybot Search
> & Destroy, CWShredder, HijackThis.
> Download them from:
> http://www.majorgeeks.com/downloads31.html
>
> Regards.
>
> --------------------------------
> "Umwhat" <me.somewhere@somewhere else.com> escribió en el mensaje
> news:F1DC1B25-FF24-405F-A51D-6B47F00F5DA2@microsoft.com...
> > I just wrote this down while looking through the registry to remove whse
> > search toolbar and it's extras and I can't find anything about it but it
> > looks a bit nasty , " WantToKillAppTim..." , has anyone seen this before
> or
> > can someone give a clue where to look for it . I haven't found anything on
> > Google or MSN SeaSearch . I already loooked in Symantecs website but
> nothing .
> > It maybe part of windows , but I don't think so .
> > --
> > signature
>
>
>

Juan
07-10-2005, 03:09 AM
Umwhat: The only place you can find anything, if it's findable, is in
C:\WINDOWS\System32 ... Most of these kind of parasite are only registry
keys and values, and are not readily found as regular applications, some can
be found as .exe or .dll files in system32 or not at all, so don't be
discouraged if you cand find counterparts from the ones in the registry...
but anyway search like this:

type a search as; .dll do another search for; .exe... another search for
WwnToKillAppTim as WTKAT or wtkat or wtkattb and search for those other
values you found in the registry this way... (you may want to avoid part of
this cause .dll files are literaly thousands, but do look for .exe files) if
you nothing shows up in the search, you may want to install spyware programs
to disinfect your system and make sure you've rid of those nasty bugs. The
programs I use and recommend are SE Personal, Spybot Search & Destroy,
CWShredder and SpywareBlaster. Update them before scanning and update/use
them on a regular basis.
http://www.majorgeeks.com/downloads31.html (there are a few others I can
recommend if you are not fully satisfyed with the outcome).

A few other values you mention are suspicious to me.. compare them to the
following keys and values found on the Internet Explorer\Toolbar key.....
and delete those keys and values not found here.. these keys I took from my
registry which is totally normal. Or rather, to avoid the guesswork,
install the programs I mentioned, run them in safe mode and look again after
a reboot, I bet most of them will not be present anymore. To logon in Safe
Mode, press F8 three or four times at a second intervals on the first logo
screen and select Safe Mode from the logon options.... it takes longer so be
patient.

After scanning with all the programs I mentioned, look again in the Toolbar
key and see if it resembles these keys which I took from my computer and are
free of any infection, and delete any key and values which may be leftover.

These are NORMAL keys and values:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ (main key)
(default value) [alphanumeric]
{710EB7A1-45ED-11D0-924A-0020AFC7AC4D}
LinksFolderName
Locked
ShowDiscussionButton

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Explorer\
(sub key)
(Default value)
ITBarLayout

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
(sub key)
(Default value)
{01E04581-4EEE-11D0-BFE9-00AA005B4383}
{0E5CBF21-D15F-11D0-8301-00AA005B4383}
ITBarLayout

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
(sub key)
(Default value)
{01E04581-4EEE-11D0-BFE9-00AA005B4383}
{0E5CBF21-D15F-11D0-8301-00AA005B4383}
ITBarLayout

after you delete the crapp from the registry, you may experience lost
Internet connectivity which is normal in some cases and can be restored by a
reboot (turn off and give it a minute before you press on again) I believe
this will be enough.. but report back the results.

I see you have been bussy, (with no favorable result)
[url]http://forums.wugnet.com/Security-Admin-trojan-whse-ftopict374765.html[/url]

These are being posted as I write, and before I send [nice!]..
[url]http://forum.iamnotageek.com/t-1819074245.html[/url]
[url]http://forum.iamnotageek.com/history/topic.php/1819074245-1.html[/url]

Regards

----------------------------------------------------------
"Umwhat" <me.somewhere@somewhere else.com> escribió en el mensaje
news:40A10C39-EAD1-4233-8EEB-B0129882C5BC@microsoft.com...[color=blue]
> Hello Juan ,
> thankyou ,
> I looked where you indicated and I found ITBarLayout in the
> WebBrowser entry with 2 other Binary ?? with a string of numbers and if[/color]
I[color=blue]
> double clicked on ITBarLayout to make a window , I found the same numbers[/color]
in[color=blue]
> the window down the left side as I scrolled down the page and alot of[/color]
dashes[color=blue]
> amongst some , maybe 20 , irregularly listed figures , question marks and
> other random figures . Amongst those figures was 132.dll listed as a
> Favorite which I'm sure I did not have as a Favorite .
> The 132.dll seemed to remind me of a Trojan I had seen somewhere[/color]
before .[color=blue]
> I did see 2 entries when I found the WantToKillAppTim... beginning
> WantToKillAppTim... the second had something other than the Tim...[/color]
after[color=blue]
> the App .
> Can you suggest where I should look to find the 2 entries I have saw to
> check they have gone ? I did try searching for them but a search would[/color]
not[color=blue]
> even find the WantToKillAppTim... .
>
> Thankyou again , and my computer seems more responsive than
> before already .
> Nick
>
> "Juan" wrote:
>[color=green]
> > WantToKillAppTim... has anyone seen this before, I haven't found[/color][/color]
anything[color=blue][color=green]
> > on.....
> > I already loooked in Symantecs website but nothing .....
> > It maybe part of windows , but I don't think so ......
> >
> > You are right it is not a part of Windows... by the name you can tell[/color][/color]
it's a[color=blue][color=green]
> > hijacker toolbar.
> > Do this to remove it:
> >
> > Start\Run\msconfig\Start\ uncheck all except antivirus components,[/color][/color]
Office[color=blue][color=green]
> > shortcuts toolbar, and messenger.
> >
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> > Delete any values other than the default alphanumeric value, antivirus
> > components, Office shortcuts toolbar and messenger.
> >
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run[/color][/color]
(delete[color=blue][color=green]
> > any other than as described in HKLM)
> >
> > It may also show up in one of the next registry keys.
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
> > Default Subkey:
> > {4D5C8C25-D075-11d0-B416-00C04FB90376}
> >
> > HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
> > Default Subkeys:
> > [Explorer]
> > [ShellBrowser]
> > [ITBarLayout]
> > [WebBrowser]
> >
> > Still any parasite could show up as an alphanumeric value and you may[/color][/color]
have[color=blue][color=green]
> > trouble identifying it, an anti-spyware program will ID and remove it.
> > Recommended anti-spyware programs are: Ad-aware SE Personal, Spybot[/color][/color]
Search[color=blue][color=green]
> > & Destroy, CWShredder, HijackThis.
> > Download them from:
> > http://www.majorgeeks.com/downloads31.html
> >
> > Regards.
> >
> > --------------------------------
> > "Umwhat" <me.somewhere@somewhere else.com> escribió en el mensaje
> > news:F1DC1B25-FF24-405F-A51D-6B47F00F5DA2@microsoft.com...[color=darkred]
> > > I just wrote this down while looking through the registry to remove[/color][/color][/color]
whse[color=blue][color=green][color=darkred]
> > > search toolbar and it's extras and I can't find anything about it but[/color][/color][/color]
it[color=blue][color=green][color=darkred]
> > > looks a bit nasty , " WantToKillAppTim..." , has anyone seen this[/color][/color][/color]
before[color=blue][color=green]
> > or[color=darkred]
> > > can someone give a clue where to look for it . I haven't found[/color][/color][/color]
anything on[color=blue][color=green][color=darkred]
> > > Google or MSN SeaSearch . I already loooked in Symantecs website but[/color]
> > nothing .[color=darkred]
> > > It maybe part of windows , but I don't think so .
> > > --
> > > signature[/color]
> >
> >
> >[/color][/color]

Umwhat
07-10-2005, 03:10 AM
my apologies for wasting your time Juan
I actually found WaitToKillAppTim...
which I learn is a Windows program for the Timeout loading
process .

"Juan" wrote:

> Umwhat: The only place you can find anything, if it's findable, is in
> C:\WINDOWS\System32 ... Most of these kind of parasite are only registry
> keys and values, and are not readily found as regular applications, some can
> be found as .exe or .dll files in system32 or not at all, so don't be
> discouraged if you cand find counterparts from the ones in the registry...
> but anyway search like this:
>
> type a search as; .dll do another search for; .exe... another search for
> WwnToKillAppTim as WTKAT or wtkat or wtkattb and search for those other
> values you found in the registry this way... (you may want to avoid part of
> this cause .dll files are literaly thousands, but do look for .exe files) if
> you nothing shows up in the search, you may want to install spyware programs
> to disinfect your system and make sure you've rid of those nasty bugs. The
> programs I use and recommend are SE Personal, Spybot Search & Destroy,
> CWShredder and SpywareBlaster. Update them before scanning and update/use
> them on a regular basis.
> http://www.majorgeeks.com/downloads31.html (there are a few others I can
> recommend if you are not fully satisfyed with the outcome).
>
> A few other values you mention are suspicious to me.. compare them to the
> following keys and values found on the Internet Explorer\Toolbar key.....
> and delete those keys and values not found here.. these keys I took from my
> registry which is totally normal. Or rather, to avoid the guesswork,
> install the programs I mentioned, run them in safe mode and look again after
> a reboot, I bet most of them will not be present anymore. To logon in Safe
> Mode, press F8 three or four times at a second intervals on the first logo
> screen and select Safe Mode from the logon options.... it takes longer so be
> patient.
>
> After scanning with all the programs I mentioned, look again in the Toolbar
> key and see if it resembles these keys which I took from my computer and are
> free of any infection, and delete any key and values which may be leftover.
>
> These are NORMAL keys and values:
> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ (main key)
> (default value) [alphanumeric]
> {710EB7A1-45ED-11D0-924A-0020AFC7AC4D}
> LinksFolderName
> Locked
> ShowDiscussionButton
>
> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Explorer\
> (sub key)
> (Default value)
> ITBarLayout
>
> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
> (sub key)
> (Default value)
> {01E04581-4EEE-11D0-BFE9-00AA005B4383}
> {0E5CBF21-D15F-11D0-8301-00AA005B4383}
> ITBarLayout
>
> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
> (sub key)
> (Default value)
> {01E04581-4EEE-11D0-BFE9-00AA005B4383}
> {0E5CBF21-D15F-11D0-8301-00AA005B4383}
> ITBarLayout
>
> after you delete the crapp from the registry, you may experience lost
> Internet connectivity which is normal in some cases and can be restored by a
> reboot (turn off and give it a minute before you press on again) I believe
> this will be enough.. but report back the results.
>
> I see you have been bussy, (with no favorable result)
> [url]http://forums.wugnet.com/Security-Admin-trojan-whse-ftopict374765.html[/url]
>
> These are being posted as I write, and before I send [nice!]..
> [url]http://forum.iamnotageek.com/t-1819074245.html[/url]
> [url]http://forum.iamnotageek.com/history/topic.php/1819074245-1.html[/url]
>
> Regards
>
> ----------------------------------------------------------
> "Umwhat" <me.somewhere@somewhere else.com> escribió en el mensaje
> news:40A10C39-EAD1-4233-8EEB-B0129882C5BC@microsoft.com...[color=green]
> > Hello Juan ,
> > thankyou ,
> > I looked where you indicated and I found ITBarLayout in the
> > WebBrowser entry with 2 other Binary ?? with a string of numbers and if
> I
> > double clicked on ITBarLayout to make a window , I found the same numbers
> in
> > the window down the left side as I scrolled down the page and alot of
> dashes
> > amongst some , maybe 20 , irregularly listed figures , question marks and
> > other random figures . Amongst those figures was 132.dll listed as a
> > Favorite which I'm sure I did not have as a Favorite .
> > The 132.dll seemed to remind me of a Trojan I had seen somewhere
> before .
> > I did see 2 entries when I found the WantToKillAppTim... beginning
> > WantToKillAppTim... the second had something other than the Tim...
> after
> > the App .
> > Can you suggest where I should look to find the 2 entries I have saw to
> > check they have gone ? I did try searching for them but a search would
> not
> > even find the WantToKillAppTim... .
> >
> > Thankyou again , and my computer seems more responsive than
> > before already .
> > Nick
> >
> > "Juan" wrote:
> >[color=darkred]
> > > WantToKillAppTim... has anyone seen this before, I haven't found[/color]
> anything[color=darkred]
> > > on.....
> > > I already loooked in Symantecs website but nothing .....
> > > It maybe part of windows , but I don't think so ......
> > >
> > > You are right it is not a part of Windows... by the name you can tell[/color]
> it's a[color=darkred]
> > > hijacker toolbar.
> > > Do this to remove it:
> > >
> > > Start\Run\msconfig\Start\ uncheck all except antivirus components,[/color]
> Office[color=darkred]
> > > shortcuts toolbar, and messenger.
> > >
> > > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> > > Delete any values other than the default alphanumeric value, antivirus
> > > components, Office shortcuts toolbar and messenger.
> > >
> > > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run[/color]
> (delete[color=darkred]
> > > any other than as described in HKLM)
> > >
> > > It may also show up in one of the next registry keys.
> > > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
> > > Default Subkey:
> > > {4D5C8C25-D075-11d0-B416-00C04FB90376}
> > >
> > > HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
> > > Default Subkeys:
> > > [Explorer]
> > > [ShellBrowser]
> > > [ITBarLayout]
> > > [WebBrowser]
> > >
> > > Still any parasite could show up as an alphanumeric value and you may[/color]
> have[color=darkred]
> > > trouble identifying it, an anti-spyware program will ID and remove it.
> > > Recommended anti-spyware programs are: Ad-aware SE Personal, Spybot[/color]
> Search[color=darkred]
> > > & Destroy, CWShredder, HijackThis.
> > > Download them from:
> > > http://www.majorgeeks.com/downloads31.html
> > >
> > > Regards.
> > >
> > > --------------------------------
> > > "Umwhat" <me.somewhere@somewhere else.com> escribió en el mensaje
> > > news:F1DC1B25-FF24-405F-A51D-6B47F00F5DA2@microsoft.com...
> > > > I just wrote this down while looking through the registry to remove[/color]
> whse[color=darkred]
> > > > search toolbar and it's extras and I can't find anything about it but[/color]
> it[color=darkred]
> > > > looks a bit nasty , " WantToKillAppTim..." , has anyone seen this[/color]
> before[color=darkred]
> > > or
> > > > can someone give a clue where to look for it . I haven't found[/color]
> anything on[color=darkred]
> > > > Google or MSN SeaSearch . I already loooked in Symantecs website but
> > > nothing .
> > > > It maybe part of windows , but I don't think so .
> > > > --
> > > > signature
> > >
> > >
> > >[/color]
>
>
>[/color]


WantToKillAppTim