Targetsaver and CWS_NS3

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by evilevets, Jun 18, 2005.

  1. evilevets

    evilevets Sergeant Major

    XP Home, SP 1

    Followed all steps in "Read Me First", except online scans, as the PC in question currently does not have web access.

    Spybot continues to find Targetsaver. Spybot appears to remove it, but it comes up again during a subsequent scan. I even deleted the TSA registry key manually, but apparently it gets recreated.

    Webroot continually finds CWS_NS3 (I ran CWShredder)

    Adaware finds nothing. No virus detected with McAfee.

    Computer had a lot of junk that was removed during preliminary scans. These appear to be the only two that remain, however, the PC is extremely slow.


    Thanks in advance,

    -Steve
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. evilevets

    evilevets Sergeant Major

    Here is the HT log.

    Thanks bj.


    -Steve
     

    Attached Files:

  4. evilevets

    evilevets Sergeant Major

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    P2P Networking


    After you remove the above program, proceed with the below online scans:

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan
    Panda Online Scan

    After you complete ALL of the above, reboot and post a fresh HJT log and explain what problems you are having.
     
  6. evilevets

    evilevets Sergeant Major

    Thanks bj.

    I uninstalled P2P Networking from Add/Remove Programs.

    As for the online scans that you had mentioned... unfortunately, this particular PC does not have web access at the moment. Is there anything else that you could suggest that doesn't require web access?

    Thanks again,

    -Steve
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you have another computer with internet access to download 2 files and transfer them?
     
  8. evilevets

    evilevets Sergeant Major

    Sure do! Can you post the links?


    Thanks,

    -Steve
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, double click the file sysclean.com

    When the system cleaner loads, click SCAN to start the scanner.

    After you have completed the above scan reboot and attach a fresh HJT log.
     
  10. evilevets

    evilevets Sergeant Major

    OK. Ran the Trend scanner, but it didn't seem to find anything.

    Here is a new HT log...


    Thanks,

    -Steve
     

    Attached Files:

  11. evilevets

    evilevets Sergeant Major

  12. evilevets

    evilevets Sergeant Major

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Not trying to be rude but you need to be patient. This forum is strictly volunteer, we come in when we have time. We all have full time jobs during the day.

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lkkxr.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;

    O9 - Extra button: Microsoft AntiSpyware helper - {7B17CC46-C7B2-478E-B706-09C35D9FB2BC} - (no file)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7B17CC46-C7B2-478E-B706-09C35D9FB2BC} - (no file)
    O9 - Extra button: Microsoft AntiSpyware helper - {7B17CC46-C7B2-478E-B706-09C35D9FB2BC} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7B17CC46-C7B2-478E-B706-09C35D9FB2BC} - (no file) (HKCU)

    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} - http://63.241.168.238/ecwplugins/ncs.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\lkkxr.dll

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
    Last edited: Jun 21, 2005
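A triage sketch for the HijackThis entries listed in the post above, added here as an example and not part of the original thread or of HijackThis itself. The three heuristics and the function names are assumptions chosen for illustration; the final O2 line in the sample is constructed as a benign control, and start-page or proxy entries still need a human reading.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Sample log: entries copied from the fix list in the post above, plus one
# constructed benign O2 line (not from the thread) as a control.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lkkxr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O9 - Extra button: Microsoft AntiSpyware helper - {7B17CC46-C7B2-478E-B706-09C35D9FB2BC} - (no file)
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} - http://63.241.168.238/ecwplugins/ncs.cab
O2 - BHO: Example helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")               # "R0 - ...", "O16 - ..."
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)   # page embedded in a DLL
URL = re.compile(r"https?://\S+")

def host_is_ip(url):
    """True when the URL's host is a literal IP address rather than a name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(log_text):
    """Return (section, reason, detail) for each entry matching a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        res = RES_DLL.search(body)
        if section in ("R0", "R1") and res:      # assumption: res:// DLL page is suspect
            findings.append((section, "IE page loaded from DLL resource", res.group(1)))
        if "(no file)" in body:                   # registry entry outlived its file
            findings.append((section, "entry points at a missing file", body.split(" - ")[0]))
        url = URL.search(body)
        if section == "O16" and url and host_is_ip(url.group()):
            findings.append((section, "ActiveX package fetched from bare IP", url.group()))
    return findings

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {detail}")
```

The DLL path reported for the R0 finding is the file to look for on disk before and after the fix, which is the check the thread goes on to make for lkkxr.dll.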
  14. evilevets

    evilevets Sergeant Major

    I totally understand, and I apologize. I normally would not act like that, but the PC in question belongs to my inlaws, so my wife is really on my ass to get it done. You know how it is...

    Anyway, did what you said. Couldn't find that lkkxr.dll

    Here's a fresh HT log.

    As always, thanks bj.


    -Steve
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lkkxr.dll/sp.html#28129

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\lkkxr.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your computer. If you get any error from Killbox just reboot normally. After you have rebooted and windows has loaded attach a fresh HJT log.
     
