Possible Hi-Wire, WebSearch Toolbar, and ISTbar infection, please help.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Gaming Insider, Sep 9, 2005.

  1. Gaming Insider

    Gaming Insider Private First Class

    Hello all, I am here in search of getting the problems listed in the title removed from my computer. I have run all of the steps that were required in the READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal thread but all of the scans came back clean. I had to take it further by downloading and running PestPatrol, which is where all those programs were found.

    I am running Windows ME with 128MB RAM on a P3 733 MHz processor with a 25.9GB hard drive. Any help will be greatly appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post the Pest Patrol log and also follow the steps below exactly:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Gaming Insider

    Gaming Insider Private First Class

    Hello Chaslang, here is my Pest Patrol log and my Hijack This log.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have Limewire installed? Or did you have it at one time?

    Most of what PestPatrol is detecting is Limewire. Supposedly the new version of Limewire no longer has malware but older versions did. Perhaps you should save your MP3s elsewhere and uninstall Limewire and delete its folder.

    Let's see if we can clean up some more hidden baddies.

    - First run CCleaner before doing the below.

    - Download this trial version of Ewido Security Suite
    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:

    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report

    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report. And tell me if you are still having any problems. This log could get quite large and you may need to compress it into a ZIP file to upload it.


    Post this Ewido log.

    Also do a PestPatrol scan now and post its log.

    Download and install the below. We may have to use it to delete some hidden files if the above does not get them all.

    ExplorerXP
     
    Last edited: Sep 10, 2005
  5. Gaming Insider

    Gaming Insider Private First Class

    Sorry for the inconvenience, but Ewido Security Suite 3.5 and ExplorerXP cannot be installed onto my computer as they require Windows 2000/XP to run, I am running Windows ME, if there are any alternates, that would be great, and thank you for the help that you are providing.

    I also uninstalled the latest version of LimeWire that I had as per your request.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that! I have too many threads going and just overlooked what your OS was.
    Let's see a new Pest Patrol log to see what we still may need to clean up.
     
  7. Gaming Insider

    Gaming Insider Private First Class

    Here is the new Pest Patrol Log, it still shows everything but LimeWire.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's see if we can make Pestscan happy.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file cleanit.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the cleanit.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.


    Now open a command prompt window by clicking Start, Run and enter command and click OK. Enter the below commands each followed by the enter key:

    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s popcaploader.dll
    del popcaploader.dll
    attrib -r -h -s hwreal.exe
    del hwreal.exe
    exit

    The exit command will close the command prompt window. Now boot into safe mode.
    In safe mode run Windows Explorer and locate the below folder and delete it:

    C:\Program Files\common files\totem shared

    Now reboot in normal mode and get another Pestscan log.
     
  9. Gaming Insider

    Gaming Insider Private First Class

    Ok, I would just like to say that the registry entry went smooth, the deletion of Totem Shared went smooth as well, but trying to enter those command lines is starting to get to me.

    The first line cd C:\WINDOWS\Downloaded Program Files\ gives me a too many parameters - program message and I don't know if that is supposed to happen.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's been awhile since I played much with older OS's. You may need to put quotes around the directory path like below:

    cd "C:\WINDOWS\Downloaded Program Files\"

    or maybe leave off the ending \ and use quotes like:

    cd "C:\WINDOWS\Downloaded Program Files"
     
  11. Gaming Insider

    Gaming Insider Private First Class

    Well, it seems that Pest Patrol still finds Hi-Wire and WebSearch Toolbar in the directory. However, running the command lines through the command prompt, it comes back file not found for hwreal.exe, a Pest Patrol log has been posted.
     

    Attached Files:

  12. Gaming Insider

    Gaming Insider Private First Class

    UPDATE: After making my daily spyware and registry cleaning scans, Crap Cleaner managed to remove the last remaining trace of Hi-Wire which was reported in my Pest Patrol 4 log. The only one that remains is WebSearch Toolbar which is also in that log, I just wish I could find out how to get rid of the damn thing.

    Also, in response to post #10, the cd "C:\WINDOWS\Downloaded Program Files\" was the right command. Again, I appreciate the help that you are providing and just want to say thank you.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!


    Now please do the below:
    1) Download Registrar Lite and install it!
    2) Run it, copy and paste this line to Reglite's address bar:
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\installer\userdata
    3) Click the "go" tab
    4) See if you can locate this tuid item from WebSearch Toolbar
    5) If you can, then right click on it and select Delete

    Let me know if that works!
     
  14. Gaming Insider

    Gaming Insider Private First Class

    Alrighty, even though I could see the tuid from Start > Run > regedit.exe, I went ahead and downloaded Registrar Lite and deleted the registry entry from there. Deleting it was easy as it was only one of two items in that registry folder. Also, from what I can tell even though these items were in my computer, they were of no real threat as I actually never had any hijacker or adware problems with any of the browsers and what not that I have used over the years.

    I also just ran another Pest Patrol scan and it is not finding anything at all now. My computer has been running a lot smoother since we cleaned this stuff along with everything else that I have cleaned up. Also, I was wondering if I could maybe go ahead and post another Hijack This log so as I can get that cleaned up as well, but only if it is okay with you?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Many things found by scanners are just dormant registry keys and they can quite often be annoying to totally clean up.

    What do you mean another log? Do you mean for another PC? If so, you need to make sure you follow all steps in the READ ME FIRST on that PC and then start a new thread indicating what you have done and what problems you have. Based on that, one of us will request (if necessary) a HJT log.

    Note: If your current PC is running fine now, you should refer to the below thread to help keep it that way:

    How to Protect yourself from malware!
     
  16. Gaming Insider

    Gaming Insider Private First Class

    I guess what I am trying to say is that I would like to clean up the Hijack This list for my computer, but to do so, I would like some help as I don't want to mess anything up that shouldn't be messed with. Also, I am and have been running 99% of the items listed in the How to Protect yourself from malware! since before I came upon MajorGeeks.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Post a current log but there was not too much in there last time.

    Did you want about:blank for your Start Page?
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    And why does the below Proxy Server entry exist?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*
     
  18. Gaming Insider

    Gaming Insider Private First Class

    I have since added some security to Internet Explorer via the Yahoo toolbar.

    As for
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    This is not my startup page, it should look a little something like this
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.9news.com/

    As for this
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*

    I have no idea why it even exists.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
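    The R0/R1/O6 entries chaslang singled out above can be triaged mechanically. As an added example (not part of this thread and not HijackThis' own code), this Python sketch parses lines in that log format and flags the same kinds of entries he questioned; the sample lines are constructed from those quoted in the thread, not taken from the attached logs.

```python
import re

# Constructed sample lines in HijackThis R0/R1/O6 format, modelled on the
# entries quoted in this thread (not a real log from the thread's attachments).
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.*.*.*
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.9news.com/
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")


def parse_line(line):
    """Split one HJT line into section, registry value name and value.
    Returns None for lines that are not in the 'Xn - body' shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    if " = " in body:                      # name = value
        name, _, value = body.partition(" = ")
    elif body.endswith(" ="):              # name =   (value is empty)
        name, value = body[:-2], ""
    else:                                  # e.g. O6 '... Restrictions present'
        name, value = body, None
    return {"section": m.group("sec"), "name": name, "value": value}


def review_log(text):
    """Return (line, reason) pairs for entries worth asking the user about,
    following the questions raised on this thread."""
    findings = []
    for raw in text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        name, value = e["name"], e["value"]
        if name.endswith("ProxyOverride") and value == "*.*.*.*":
            findings.append((raw, "ProxyOverride wildcard bypasses the proxy for every host"))
        elif name.endswith("Start Page") and value == "about:blank":
            findings.append((raw, "Start Page reset to about:blank rather than a user-chosen page"))
        elif e["section"] == "O6" and "Restrictions" in name:
            findings.append((raw, "IE Restrictions policy present; user settings may be locked"))
        elif value == "":
            findings.append((raw, "empty value left behind, typically by a cleaner or hijacker"))
    return findings
```

The 9news.com Start Page line passes through unflagged, matching the user's statement that it is the page they chose.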
  20. Gaming Insider

    Gaming Insider Private First Class

    Well, according to your post, you want me to post a new HJT log, after the fixes, so, here it is. Also, my computer is running much, much better now thanks to you guys/gals here at MajorGeeks. If it weren't for you, I would probably not have a computer right now seeing as how my computer did not come with an operating software cd.

    Now that I have the malware problems solved, I now have to make a run over to the software forum and get some help there, unless you people here would know how to delete some entries from the right-click context menu for the start button.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is now clean. Time to work through the following: How to Protect yourself from malware!

    Sorry but your other question is not a topic for this forum. We are just too busy here to also address non-malware related topics.
     
  22. Gaming Insider

    Gaming Insider Private First Class

    OK, it's good to hear that my log is now clean, also, I had a funny feeling that my other question would not be able to be worked on here, seeing as how you all have to fix people's malware problems and babysit people who do not know how to follow the posting guidelines along with the how to threads as well.

    Anyway, thanks for the help and I hope that the recent string of virtumundo, winfixer, and look2me threads die down so as not to put too much strain on you and D3 and the rest of the crew.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. There are no signs of the Virtumundo/Winfixer problems dying down. I would like to know where the heck everyone is getting this from.
     