Binoculars in system tray? Is it a virus/keylogger and how do I remove it?

Hi to the community

 

I am new here and not very technical but I still hope that someone can help me.

 

When I start my computer I suddenly see an icon in the system tray (I think that is the name for the bottom right part of my screen -correct?) that looks like a pair of binoculars. But when I move the mouse over the icon it disappears at once and I cannot do anything to get it visible or to find out what it is???

 

I have Norton 360 and I have run a complete system scan and according to the scan there are no issues with my computer. But I tried googling it and it seems that there are people out there thinking it is a virus or keylogger with a name like wtwatch.exe or something similar?

 

Please help. As mentioned I am not very technical so I would appreciate it very much if you can answer in "details for dummies"

 

All the best

Christian from Denmark

Hi there delphinium

 

Thank you for taking the time to help :manvery-happy:

 

My operating system is Windows Vista

 

When I searched the net it was not gtwatch.exe that I found in connection with people thinking the binoculars may be a keylogger it was wtwatch.exe - but I do not know if this makes a difference?

 

When I move my cursor on top of the icon it immediately disappears and that is what makes me suspicious. I cannot left click on the icon and I cannot right click on the icon???

 

I hope the extra info helps?

 

Best,

Christian

Hi ChristianDK,

 

I have located the following information on this file that may be of assistance to you:

 

http://www.virus-com.com/viruscom/viruscom_100917.html

 

http://www.thinkdigit.com/forum/software-q/138198-some-kind-icon-my-task-bar.html

 

As suggested in the first link, restarting into Safe Mode and running a full system scan with Norton 360 v5 should eliminate the infection; if not, the instructions in the first link should assist you in removing it.

 

For your information, here are more detailed articles on how to access Windows Safe Mode:

 

How to Start in Safe Mode:

 

--------------------------------------

 

Windows XP:

 

http://support.microsoft.com/kb/315222/en-us

 

Windows Vista:

 

http://windows.microsoft.com/en-US/windows-vista/Start-your-computer-in-safe-mode

 

Windows 7:

 

http://windows.microsoft.com/en-US/windows7/Start-your-computer-in-safe-mode

 

--------------------------------------

 

--------------------------------------

 

Please also find below more detailed articles on how to temporarily turn system restore on and off (i.e. disable it):

 

--------------------------------------

 

Windows XP:

 

http://support.microsoft.com/kb/310405/en-us

 

Windows Vista:

http://windows.microsoft.com/en-US/windows-vista/Turn-System-Restore-on-or-off

 

Windows 7:

http://windows.microsoft.com/en-US/windows-vista/Turn-System-Restore-on-or-off

 

--------------------------------------

 

I hope the above information is of assistance to you. If you have any further questions, please reply and I will be happy to assist in any way I can.

 

Thank you:smileyhappy:.

 

JimboC

If wtwatch is actually the problem, you should be able to locate the file or files listed in the link given on your machine.  If you are removing things in your computer based on a Google search, it could be unhealthy. 

Hi There

 

Thank you very much for the pointers I will try these things.

 

All the best

Christian

Hi there

 

I have now tried restarting my computer in safe mode and then running a full system scan with my Norton 360 and it detects 10 problems and removes them. All 10 are only low risk tracking cookies.

 

BUT the f.... binocular icon still remains in my system tray and they appear when I start the computer. But as soon as I hover on it with my cursor it disappears. I cannot left click on it or right click on it :smileysad:

 

Then I tried downloading, installing and running Norton Extreme Eraser. And this also says that there are no problems. But the binoculars remain:smileysad:

 

I really do not know what to do. I have used Norton for quite a few years now so my computer has not been unprotected. Every time I got the message from Norton I renewed my license. So I am really sad that it seems that something still has infected me. If I could I would but I do not have 99$ that I can use to have Norton look at my system.

 

 

Sign in to one of these free malware removal forums.  They will look at your system and either remove the problem or identify it.  They are very good at what they do.  Bleeping will be a longer wait time.

 

www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/


Christian,

 

You might try looking in the Startup TAB of msconfig and seeing if anything shows up there that might be the source of the binoculars icon.

 

If it works in VISTA as in Windows 7 just click on your START button and type msconfig  in the search box and you should get a list probably with msconfig.exe or msconfig at the top. Click on that and you will see the utility and the STARTUP tab.

 

If you see something with a check mark in the box and something that makes you think of ... wtwatch ... (Weightwatchers? <g>) uncheck it and OK your way out then restart your computer. If the icon is gone then you know that is what it was and you are rid of the icon and can take time to find out more about what it was and why it's there.

 

If something stops working that you want then you know that that checkmark needs to be there and you can look for something else ......

Hi ChristianDK,

 

I am sorry to learn that the suggestions provided by delphinium and I were not effective.

 

My advice is to continue to renew your subscription of Norton. Why do I say this? I work in the security industry and trust me, Norton is far better than the competition (in terms of malware removal and prevention). I use it on all of my PCs.

 

The reason that Norton is not detecting the threat is one of the following:

 

1. The program does not perform malicious actions.

 

2. The particular variant of this program on your computer is not yet known to Symantec (Norton).

 

For any security company, not just Norton, it is difficult to say what programs should be removed and what should not be. The definition of unwanted programs varies from person to person and is a gray area when it comes to classification.

 

In order to remove this threat (a name that I am calling this program, it may not even be malicious but it is STILL UNWANTED), I would suggest downloading and running Sysinternals Process Explorer:

 

http://technet.microsoft.com/en-us/sysinternals/bb896653

 

You can use Windows Task Manager for this, but Process Explorer shows the corresponding path to the file with fewer clicks and is more visual and easier to understand.



You will need to first unzip (decompress) it, then run the following file that will be present after decompressing the zip file, as follows:



Right click and choose "Run as Administrator" for the following .exe file (click "Yes" if prompted by Windows):

procexp.exe



Agree to the license agreement (it is a totally free and non-expiring program) and then examine the list of running processes.



Process Explorer should open and look similar to the following screenshot:

ProcessExplorer1.PNG

 



For any program that you do not recognise, examine the path of that program (this will give the location of the program, most likely C:\Users\-YourName-\AppData\Local\Temp).



ProcessExplorer2.PNG



To do this, right click a blank area of the Process Toolbar and choose "Select Columns" and check the box marked "Image Path" and click "OK" (see the following screenshot):

 

ProcessExplorer3.PNG



Move your mouse over the right hand side of the "Path" column; when the mouse cursor changes to a black line with arrows pointing out from both sides of it, drag the cursor to the right to expand the column to make it easier to read (please see the screenshot below for the result intended).



Now carefully look in the Process column to the far left of the window, you are looking for any program you do not recognize.



For any program you do not recognise, move along the line that it is on and examine the company name: is it a company you recognize? If not, this is most likely the program that is appearing in your Windows taskbar at the bottom of the screen. Examine the path to the file and make a note of it.



For any other programs that you do not recognise, write down the path to the program and make a note of the company name if you wish.



You can use the following screenshot taken using Process Explorer 15.01 under Windows 7 Professional 64 bit SP1 (a separate copy of Windows that I have bought specifically for malware testing) as a good guide (since it is showing the minimum programs running at start up).



ProcessExplorer4.PNG



This is a fresh install of Windows 7 running in a virtual machine (VMware Workstation) (you can ignore any running programs that have the Company Name, VMware, Inc. from the above screenshot, since they will not be present on a native (i.e. normal) installation of Windows).



Next download and run Sysinternals Autoruns:



http://technet.microsoft.com/en-us/sysinternals/bb963902



Once again, unzip the file you download, right click and choose "Run as Administrator" for the following .exe file (click "Yes" if prompted by Windows):



autoruns.exe



Agree to the license agreement (it is a totally free and non-expiring program) and then click on the "Logon" tab near the top of the windows. This tab will show a list of programs that run at Windows start up:



From the following screenshot you can see the list of programs that run when my native Windows 7 Ultimate 64 bit SP1 starts up:



Autoruns1.PNG

If any program in this list matches the program(s) that you did not recognize in Process Explorer, uncheck the box (located on the far left side of the window) beside the program’s entry in the list.



Uncheck any program that you do not recognize (make a note of the path location of any program you uncheck e.g. c:\windows).



ONLY UNCHECK WHAT YOU STRONGLY SUSPECT IS THE PROGRAM THAT YOU WISH TO STOP FROM RUNNING.



Close Autoruns and restart your computer for the changes to take effect.



If the program with the binoculars icon no longer appears, you have located the file(s) responsible and have removed them from starting when Windows starts.



If the program is still there, follow these steps:



1. Open Autoruns again, right click and choose "Run as Administrator" for the following .exe file (click "Yes" if prompted by Windows):



autoruns.exe



that you downloaded and used earlier.



2. Click the "Everything" tab near the top of the window. Examine the list for any entry that you do not recognize and uncheck the box for that entry.



3. You can see from the screenshots below that there are a lot of different company names present even on a fresh install of Windows 7.



Autoruns2.PNG



Autoruns3.PNG



4. ONLY UNCHECK WHAT YOU STRONGLY SUSPECT IS THE PROGRAM THAT YOU WISH TO STOP FROM RUNNING.



5. Anything with the word "driver" and a small cog icon is very unlikely to be the program you wish to stop from running, as shown in the following small list of drivers:



Autoruns4.PNG



6. If you uncheck any program, close Autoruns and restart your computer for the changes to take effect.

7. Repeat by unchecking programs until the binoculars icon is gone.



8. For any program that you recognise but unchecked and no change was observed, re-check the box for the program’s entry in Autoruns and it will then run as normal upon the next computer restart.



Once the icon has been removed, you can now simply delete the files in question or use Norton to quarantine and submit them for analysis.



After restarting your computer, the icon should no longer be present. Open Computer and navigate to the location of the file, right click the file and choose Delete.



If you encounter any problem deleting the file, try deleting the file in Windows Safe Mode. If you still encounter difficulties, please reply to this post and I will supply further instructions with screenshots.



If you wish to use Norton to quarantine the file(s) and submit them for analysis, follow these steps:



Open your Norton product.



Click the Quarantine option.



QuarantineHighlighted.PNG



To add an item to the Quarantine



1. Click Add to Quarantine.



Quarantine2Highlighted.PNG



2. In the Manual Quarantine dialog box, in the Description text box, type a short name for the item that you want to add.



This text appears in the Quarantine, so you should use a recognizable description.



3. Click Browse.



4. In the Select File to Quarantine dialog box, browse to the item that you want to add, select it, and then click Open.



5. Click Add.



6. Click Close.



After adding the item to Quarantine, click the yellow "More Details" button.



Quarantine3Highlighted.PNG



Click the "Options" button at the bottom of the window.



Quarantine4Highlighted.PNG



Click "Submit To Symantec".



Quarantine5Highlighted.PNG



Your computer should now be free of this troublesome program.



If you have any further questions, please reply and I will be happy to assist further (you can also send me a private message to perhaps set up a Skype call between us?)



Thank you.



JimboC
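
The same check as the Process Explorer and Autoruns steps in the post above, done read-only from Windows PowerShell. This is an added example, not part of JimboC's post; the function names and the "review" heuristic (no company name, or a file under the user's Temp/AppData folders) are assumptions for illustration.

```powershell
# Added example, not from the thread. Read-only: nothing is disabled or deleted.

function Get-FileCompany {
    param([string]$Path)
    # CompanyName from the file's version resource; '' if missing or unreadable.
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        try { return [string](Get-Item -LiteralPath $Path).VersionInfo.CompanyName }
        catch { return '' }
    }
    return ''
}

function Get-ExePathFromCommand {
    param([string]$Command)
    # Startup entries store a launch string; pull out just the executable path.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"')    { return $Matches[1] }   # "C:\path with spaces\x.exe" /args
    if ($c -match '^(.+?\.exe)\b') { return $Matches[1] }   # C:\path\x.exe /args
    return ($c -split '\s+')[0]
}

function Test-NeedsReview {
    param([string]$Path, [string]$Company)
    # Assumed heuristic: no company name, or image lives in a user-writable folder.
    if ([string]::IsNullOrEmpty($Company) -or $Company.Trim() -eq '') { return $true }
    foreach ($dir in @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)) {
        if ($dir -and $Path -and
            $Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function New-Row {
    param($Source, $Name, $Path)
    $company = Get-FileCompany $Path
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Company = $company; Path = $Path
        Review = (Test-NeedsReview $Path $company)
    }
}

# Process Explorer view: every running process with its image path and company.
$rows  = @(Get-Process | Where-Object { $_.Path } |
           ForEach-Object { New-Row 'Process' $_.Name $_.Path })
# Logon startup entries (Run keys, Startup folders), a subset of what Autoruns
# lists. On PowerShell 7 use Get-CimInstance instead of Get-WmiObject.
$rows += @(Get-WmiObject Win32_StartupCommand |
           ForEach-Object { New-Row 'Startup' $_.Name (Get-ExePathFromCommand $_.Command) })

$rows | Sort-Object Review -Descending |
    Format-Table Review, Source, Name, Company, Path -AutoSize
```

Rows with Review = True are only candidates to look up by company name and path; a tray utility from a legitimate vendor will usually show a company name and a path under Program Files.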

Jimbo --

 

Your message is impressive but I can't read your images which you inserted. Did you change the default size?

 

Even if I use the Zoom feature in my browser to bring them up to readable dimensions the text is blurred so it rather defeats your purpose :smileysad:

 

I normally use the Full Size default but use the Preview TAB to check how it will look in case it is so large that it stretches the screen.

 

 

Hi Hugh,

 

Thanks for the compliment.:smileyhappy: I fight malware in my day to day job and have been professionally trained.

 

I will edit the images in my previous post by changing them to full size (they were scaled to medium). At very least I will provide an external link to them if they are still illegible. I apologize for not checking this. 

 

Sorry for going off topic.

 

Thanks.

 

JimboC

Hi everyone,

 

I have been unable to edit my previous post (editing time has expired).

 

Please find below the links to the screenshots that I previously posted. They remain in the same order.

 

I have provided the links rather than the images since they are automatically scaled to fit the width of the post (this happens if I insert inline from an external link to upload them to the forum directly), and are still illegible. I apologize for any inconvenience caused.

 

http://i742.photobucket.com/albums/xx69/Jimboc/Norton/ProcessExplorer1.png

 

http://i742.photobucket.com/albums/xx69/Jimboc/Norton/ProcessExplorer2.png

 

http://i742.photobucket.com/albums/xx69/Jimboc/Norton/ProcessExplorer3.png

 

http://i742.photobucket.com/albums/xx69/Jimboc/Norton/ProcessExplorer4.png

 

http://i742.photobucket.com/albums/xx69/Jimboc/Norton/Autoruns1.png

 

http://i742.photobucket.com/albums/xx69/Jimboc/Norton/Autoruns2.png

 

http://i742.photobucket.com/albums/xx69/Jimboc/Norton/Autoruns3.png

 

http://i742.photobucket.com/albums/xx69/Jimboc/Norton/Autoruns4.png

 

http://i742.photobucket.com/albums/xx69/Jimboc/Norton/QuarantineHighlighted.png

 

http://i742.photobucket.com/albums/xx69/Jimboc/Norton/Quarantine2Highlighted.png

 

http://i742.photobucket.com/albums/xx69/Jimboc/Norton/Quarantine3Highlighted.png

 

http://i742.photobucket.com/albums/xx69/Jimboc/Norton/Quarantine4Highlighted.png

 

http://i742.photobucket.com/albums/xx69/Jimboc/Norton/Quarantine5Highlighted.png

 

Once again, if any further advice is required, I will be happy to assist.

 

Thank you.

 

Jimboc

We only have one hour after posting during which we can edit our own posts -- it can get out of hand otherwise in threads where we could answer a post and then wonder why the reply referred to something not there!

 

I'm reminded of the true story told me by a friend who trained in the US Air Force as a meteorological officer. On arriving at his first post he was welcomed by the Commanding Officer who ended his brief chat with "A word of advice, Mr Jones, before you issue your forecast, look out of the window ...."

 

That's why I use the Preview TAB <s>

 

I don't know if a moderator can change the image sizes or not. I'll ask.

If we click on JimboC's name, we can view the full-size images in his gallery.

Thanks Delphinium -- nice and clear too.

 

But better in context if possible ......

Dear all

 

THANK YOU SO VERY MUCH FOR YOUR PATIENCE IN HELPING A NON EXPERIENCED GUY LIKE ME.

 

It is really awesome to come in here and meet such nice people!!!! And to see that you have taken so much of your time to help me by giving me such detailed instructions. Truly awesome

 

I will try what you suggest and then get back to you

 

ALL THE BEST

Christian

Hi again

 

JimboC

 

I have now done everything that you explained so excellently to me. And I think I have figured it out. The binoculars was caused by a program from Ashampoo software. A program called Ashampoo uninstaller. So now I have uninstalled it.

 

I am sorry to you all if you think you have wasted your time helping me since this seems to be a no-virus issue and more of a - I am not technical enough - issue. But I am really grateful and I have really learned something. So now I know how I can maybe find errors in the future.

 

Thank you again.

 

All the best

Christian

Christian,

 

No problem -- I'm delighted you tracked it down and it is certainly not something you need, especially at $50 .......

 

It may not be  a virus, but unless you knowingly invited it in it's malware so far as I'm concerned ....

 

You know where to find us ....