I keep getting 'wtoolsa has caused an errorin KERNEL
32.DLL.' can anyone help me? What is this, what causes it
and what can I do to fix it? Thanks!

Did you read any of the many replies that have been posted to those with this
problem?

wtoolsa.exe is malware and appears to be a new member of the IBIS Toolbar
family
(http://www.pestpatrol.com/PestInfo/i/ibis_toolbar.asp) or even a variant of
the CoolWebSearch parasite. It certainly doesn't form a part of the Win Me
operating system. One install mechanism it uses is if you choose to install
the toolbar from xxx.websearch.com

Boot to Safe Mode, open MSConfig (Start, Run, enter MSConfig in the box and
click OK), open the Startup tab and uncheck the entry being used to launch
wstoolsa.exe, possibly labelled something like WinTools as well as any entries
referring to wtoolsb.dll, wsup.exe and tb_setup.exe.

Browse to and delete the contents of your C:\Windows\Temp folder and also
clear you Temporary Internet Files (Internet Options | General | Delete Files
and ensure that you check the box "Delete all offline content", then click OK
and Apply.

Now check Add/Remove Programs and uninstall any entry for WinTools.

You should also delete the entire Wintools folder which is probably
located as a sub-folder in C:\Program Files\Common Files or alternatively in
C:\Windows\System. Check for and delete all copies of wtoolsa.exe,
wtoolsb.dll, wsup.exe and tb_setup.exe.

Now reboot back into Normal Mode and check your system for commercial
parasites.

This might be a good time to download yourself a copy
of the free Ad-Aware 6.0 from Lavasoft
(http://www.lavasoftusa.com/software/adaware/) and also SpyBot
(http://www.safer-networking.org/) and scan your system for and remove all
unwanted parasites, adware and spyware that might be hiding on your PC.

I would suggest you download and run merijn's CWShredder which targets the
CoolWebSearch parasite. CWShredder can be downloaded from
(http://www.zerosrealm.com/downloads/CWShredder.zip or
http://www.spywareinfo.com/~merijn/files/cwshredder.zip). Details of the many
forms of the CoolWebSearch hijacker can be found at
http://www.spywareinfo.com/~merijn/cwschronicles.html and also
http://www.pestpatrol.com/pestinfo/c/cws.asp.

If you continue to have problems download a copy of HijackThis from
http://www.spywareinfo.com/~merijn/downloads.html). Create a folder called
hijackthis on C: and copy the file you downloaded to that folder. Close as
many applications as you can including all instances of Internet Explorer and
then run hijackthis.exe and post back the log, provided that it isn't too
long, to this thread, otherwise to the HijackThis Forum at
http://www.spywareinfo.com/forums/ and hopefully this will enable someone to
identify the cause of your problem.

Possible entries in the HiJackThis log to remove include:
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer
Start) - http://imgfarm.com/images/nocache/funwe....0.0.5.cab
--?
Mike Maltby MS-MVP



Kathleen > wrote:

> I keep getting 'wtoolsa has caused an errorin KERNEL
> 32.DLL.' can anyone help me? What is this, what causes it
> and what can I do to fix it? Thanks!

I see your 'copy and paste' buttons are still working, Mike. You are, no
doubt, a patient and kind man.......my hat is off to you.
Heirloom, old and gets tired for you


"Mike M" > wrote in message
...
> Did you read any of the many replies that have been posted to those with
this
> problem?
>
> wtoolsa.exe is malware and appears to be a new member of the IBIS Toolbar
> family
> (http://www.pestpatrol.com/PestInfo/i/ibis_toolbar.asp) or even a variant
of
> the CoolWebSearch parasite. It certainly doesn't form a part of the Win
Me
> operating system. One install mechanism it uses is if you choose to
install
> the toolbar from xxx.websearch.com
>
> Boot to Safe Mode, open MSConfig (Start, Run, enter MSConfig in the box
and
> click OK), open the Startup tab and uncheck the entry being used to launch
> wstoolsa.exe, possibly labelled something like WinTools as well as any
entries
> referring to wtoolsb.dll, wsup.exe and tb_setup.exe.
>
> Browse to and delete the contents of your C:\Windows\Temp folder and also
> clear you Temporary Internet Files (Internet Options | General | Delete
Files
> and ensure that you check the box "Delete all offline content", then click
OK
> and Apply.
>
> Now check Add/Remove Programs and uninstall any entry for WinTools.
>
> You should also delete the entire Wintools folder which is probably
> located as a sub-folder in C:\Program Files\Common Files or alternatively
in
> C:\Windows\System. Check for and delete all copies of wtoolsa.exe,
> wtoolsb.dll, wsup.exe and tb_setup.exe.
>
> Now reboot back into Normal Mode and check your system for commercial
> parasites.
>
> This might be a good time to download yourself a copy
> of the free Ad-Aware 6.0 from Lavasoft
> (http://www.lavasoftusa.com/software/adaware/) and also SpyBot
> (http://www.safer-networking.org/) and scan your system for and remove all
> unwanted parasites, adware and spyware that might be hiding on your PC.
>
> I would suggest you download and run merijn's CWShredder which targets
the
> CoolWebSearch parasite. CWShredder can be downloaded from
> (http://www.zerosrealm.com/downloads/CWShredder.zip or
> http://www.spywareinfo.com/~merijn/files/cwshredder.zip). Details of the
many
> forms of the CoolWebSearch hijacker can be found at
> http://www.spywareinfo.com/~merijn/cwschronicles.html and also
> http://www.pestpatrol.com/pestinfo/c/cws.asp.
>
> If you continue to have problems download a copy of HijackThis from
> http://www.spywareinfo.com/~merijn/downloads.html). Create a folder
called
> hijackthis on C: and copy the file you downloaded to that folder. Close
as
> many applications as you can including all instances of Internet Explorer
and
> then run hijackthis.exe and post back the log, provided that it isn't too
> long, to this thread, otherwise to the HijackThis Forum at
> http://www.spywareinfo.com/forums/ and hopefully this will enable someone
to
> identify the cause of your problem.
>
> Possible entries in the HiJackThis log to remove include:
> O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
> files\WinTools\WToolsA.exe
> O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common
> files\WinTools\WToolsA.exe
>
> O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products
Installer
> Start) - http://imgfarm.com/images/nocache/funwe....0.0.5.cab
> --?
> Mike Maltby MS-MVP
>
>
>
> Kathleen > wrote:
>
> > I keep getting 'wtoolsa has caused an errorin KERNEL
> > 32.DLL.' can anyone help me? What is this, what causes it
> > and what can I do to fix it? Thanks!
>
>

The trouble heirloom is that my instructions are changing slightly over time
as more is discovered about this new pest. The latest version now being as
follows and includes information on how to inoculate the system against being
attacked by this pest.

:wtoolsa.exe is malware and appears to be a new member of the IBIS Toolbar
family (http://www.pestpatrol.com/PestInfo/i/ibis_toolbar.asp). It certainly
doesn't form a part of the Win Me operating system. One install mechanism it
uses is if you choose to install the toolbar from xxx.websearch.com.

Boot to Safe Mode, open MSConfig (Start, Run, enter MSConfig in the box and
click OK), open the Startup tab and uncheck the entry being used to launch
wstoolsa.exe, possibly labelled something like WinTools as well as any entries
referring to wtoolsb.dll, wsup.exe and tb_setup.exe.

Browse to and delete the contents of your C:\Windows\Temp folder and also
clear you Temporary Internet Files (Internet Options | General | Delete Files
and ensure that you check the box "Delete all offline content", then click OK
and Apply.

Now check Add/Remove Programs and uninstall any entry for WinTools.

You should also delete the entire Wintools folder which is probably
located as a sub-folder in C:\Program Files\Common Files or alternatively in
C:\Windows\System. Check for and delete all copies of wtoolsa.exe,
wtoolsb.dll, wsup.exe and tb_setup.exe.

Now reboot back into Normal Mode and check your system for commercial
parasites.

This might be a good time to download yourself a copy
of the free Ad-Aware 6.0 from Lavasoft
(http://www.lavasoftusa.com/software/adaware/) and also SpyBot
(http://www.safer-networking.org/) and scan your system for and remove all
unwanted parasites, adware and spyware that might be hiding on your PC.

I would suggest you download and run merijn's CWShredder which targets the
CoolWebSearch parasite. CWShredder can be downloaded from
(http://www.zerosrealm.com/downloads/CWShredder.zip or
http://www.spywareinfo.com/~merijn/files/cwshredder.zip). Details of the many
forms of the CoolWebSearch hijacker can be found at
http://www.spywareinfo.com/~merijn/cwschronicles.html and also
http://www.pestpatrol.com/pestinfo/c/cws.asp.

If you continue to have problems download a copy of HijackThis from
http://www.spywareinfo.com/~merijn/downloads.html). Create a folder called
hijackthis on C: and copy the file you downloaded to that folder. Close as
many applications as you can including all instances of Internet Explorer and
then run hijackthis.exe and post back the log, provided that it isn't too
long, to this thread, otherwise to the HijackThis Forum at
http://www.spywareinfo.com/forums/ and hopefully this will enable someone to
identify the cause of your problem.

Entries in the HiJackThis log to remove include:

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} -
C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} -
C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe

Finally to prevent reinfection download and use SpywareBlaster
(http://www.wilderssecurity.net/spywareblaster.html) which can inocualte your
PC against infection by many parasites and using Tools | Custom Blocking add
the following:
Item Name - WinTools
CLSID - {87766247-311C-43B4-8499-3D5FEC94A183}
--?
Mike Maltby MS-MVP



heirloom > wrote:

> I see your 'copy and paste' buttons are still working, Mike. You are, no
> doubt, a patient and kind man.......my hat is off to you.
> Heirloom, old and gets tired for you

Yes, I have noticed the changes, but, unlike some (most), I read pertinent
responses and have attached your latest to a couple. You still have the
patience of Job and my highest respect.
Heirloom, old and help when I can

"Mike M" > wrote in message
...
> The trouble heirloom is that my instructions are changing slightly over
time
> as more is discovered about this new pest. The latest version now being
as
> follows and includes information on how to inoculate the system against
being
> attacked by this pest.
>
> :wtoolsa.exe is malware and appears to be a new member of the IBIS Toolbar
> family (http://www.pestpatrol.com/PestInfo/i/ibis_toolbar.asp). It
certainly
> doesn't form a part of the Win Me operating system. One install mechanism
it
> uses is if you choose to install the toolbar from xxx.websearch.com.
>
> Boot to Safe Mode, open MSConfig (Start, Run, enter MSConfig in the box
and
> click OK), open the Startup tab and uncheck the entry being used to launch
> wstoolsa.exe, possibly labelled something like WinTools as well as any
entries
> referring to wtoolsb.dll, wsup.exe and tb_setup.exe.
>
> Browse to and delete the contents of your C:\Windows\Temp folder and also
> clear you Temporary Internet Files (Internet Options | General | Delete
Files
> and ensure that you check the box "Delete all offline content", then click
OK
> and Apply.
>
> Now check Add/Remove Programs and uninstall any entry for WinTools.
>
> You should also delete the entire Wintools folder which is probably
> located as a sub-folder in C:\Program Files\Common Files or alternatively
in
> C:\Windows\System. Check for and delete all copies of wtoolsa.exe,
> wtoolsb.dll, wsup.exe and tb_setup.exe.
>
> Now reboot back into Normal Mode and check your system for commercial
> parasites.
>
> This might be a good time to download yourself a copy
> of the free Ad-Aware 6.0 from Lavasoft
> (http://www.lavasoftusa.com/software/adaware/) and also SpyBot
> (http://www.safer-networking.org/) and scan your system for and remove all
> unwanted parasites, adware and spyware that might be hiding on your PC.
>
> I would suggest you download and run merijn's CWShredder which targets
the
> CoolWebSearch parasite. CWShredder can be downloaded from
> (http://www.zerosrealm.com/downloads/CWShredder.zip or
> http://www.spywareinfo.com/~merijn/files/cwshredder.zip). Details of the
many
> forms of the CoolWebSearch hijacker can be found at
> http://www.spywareinfo.com/~merijn/cwschronicles.html and also
> http://www.pestpatrol.com/pestinfo/c/cws.asp.
>
> If you continue to have problems download a copy of HijackThis from
> http://www.spywareinfo.com/~merijn/downloads.html). Create a folder
called
> hijackthis on C: and copy the file you downloaded to that folder. Close
as
> many applications as you can including all instances of Internet Explorer
and
> then run hijackthis.exe and post back the log, provided that it isn't too
> long, to this thread, otherwise to the HijackThis Forum at
> http://www.spywareinfo.com/forums/ and hopefully this will enable someone
to
> identify the cause of your problem.
>
> Entries in the HiJackThis log to remove include:
>
> R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} -
> C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
> O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} -
> C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
> O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
> files\WinTools\WToolsA.exe
> O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common
> files\WinTools\WToolsA.exe
>
> Finally to prevent reinfection download and use SpywareBlaster
> (http://www.wilderssecurity.net/spywareblaster.html) which can inocualte
your
> PC against infection by many parasites and using Tools | Custom Blocking
add
> the following:
> Item Name - WinTools
> CLSID - {87766247-311C-43B4-8499-3D5FEC94A183}
> --?
> Mike Maltby MS-MVP
>
>
>
> heirloom > wrote:
>
> > I see your 'copy and paste' buttons are still working, Mike. You are,
no
> > doubt, a patient and kind man.......my hat is off to you.
> > Heirloom, old and gets tired for you
>
>

Heirloom,

I still don't think I justify the use of such kind words. <g> Just put it
down to boredom whilst I'm trying to create a demo DVD from a load of video
captures for use in support of a proposal to get the BBC to run a feature
program on an event later this year in which my elder daughter is involved.
--
Mike Maltby MS-MVP



heirloom > wrote:

> Yes, I have noticed the changes, but, unlike some (most), I read pertinent
> responses and have attached your latest to a couple. You still have the
> patience of Job and my highest respect.

Mike,
Ahhh, you are much to modest. And a producer to boot! I was on the
telly Sunday evening.....got caught up in the camera during a news event. I
was a participant in the "Run for the Wall" www.rftw.org . Pretty cool
being amongst approx. 600 bikes on an escorted run....went about 350
miles.....all in honor of my father, who was shot down in WWII an held POW
in Stalag 3 (and others) for almost a year.
Best wishes on your efforts for your daughter.
Heirloom, old and will ride till I can't


"Mike M" > wrote in message
...
> Heirloom,
>
> I still don't think I justify the use of such kind words. <g> Just put
it
> down to boredom whilst I'm trying to create a demo DVD from a load of
video
> captures for use in support of a proposal to get the BBC to run a feature
> program on an event later this year in which my elder daughter is
involved.
> --
> Mike Maltby MS-MVP
>
>
>
> heirloom > wrote:
>
> > Yes, I have noticed the changes, but, unlike some (most), I read
pertinent
> > responses and have attached your latest to a couple. You still have the
> > patience of Job and my highest respect.
>
>

> I was a participant in the "Run for the Wall" www.rftw.org .

Very interesting.

> .....all in honor of my father, who was shot down in WWII an held POW
> in Stalag 3 (and others) for almost a year.

Clearly a brave man.
--
Mike Maltby MS-MVP




heirloom > wrote:

> Mike,
> Ahhh, you are much to modest. And a producer to boot! I was on the
> telly Sunday evening.....got caught up in the camera during a news event.
> I was a participant in the "Run for the Wall" www.rftw.org . Pretty
> cool being amongst approx. 600 bikes on an escorted run....went about 350
> miles.....all in honor of my father, who was shot down in WWII an held POW
> in Stalag 3 (and others) for almost a year.
> Best wishes on your efforts for your daughter.