0

Hi guys, my computer started giving me the about:blank page starting yesterday some time. I browsed around today and learned a lot about malware. I've tried Ad-Aware and Spybot, not mentioning a host of others, but they aren't helping. Here is my HJT log, please have a look and help me out. TIA.

Logfile of HijackThis v1.99.1
Scan saved at 3:43:28 PM, on 8/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Viper\Files\Programs\Webshots\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\REGSVR32.EXE
C:\Viper\hijackthis\HijackThis.exe

R3 - URLSearchHook: é?í??úê? - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\PepiMK\SPYBOT~1\SDHelper.dll
O2 - BHO: é?í??úê? - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O2 - BHO: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [CnsHook.dll] regsvr32 /s C:\WINDOWS\downlo~1\CnsHook.dll
O4 - HKLM\..\RunOnce: [cnshint.dll] regsvr32 /s C:\WINDOWS\downlo~1\cnshint.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\PepiMK\Spybot Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Viper\Files\Programs\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\Viper\Files\Programs\DAP7\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Viper\Files\Programs\DAP7\dapextie2.htm
O8 - Extra context menu item: Quick Search (Yisou.com) - res://C:\WINDOWS\downlo~1\CnsMinEx.dll/1003
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [!CNS] Chinese keywords
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {59131903-4A33-40D5-80C2-5242DD365AB3} - http://www.swissquake.ch/chumbalum-soft/files/MS3DViewerOCX.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Viper\Programs\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

0

Hi,
Download Ewido and install it. Then run, you will receive a warning message saying "Database not found", click "OK" for this. Next in the main screen, click "Update" and click "Start Update". After the update process, exit from Ewido.

Download CCleaner and install it.


Make Windows show all files:-
Go to Start > My Computer.
Go to Tools menu, click Folder Options (Folder Option will be in View Menu in Win98).
Uncheck Hide protected operating system files.
Then, click to select the option Show hidden files and folders.
Click Apply and then click OK to exit.


Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that will be displayed, choose Safe Mode and press Enter.


Run HijackThis and click Do only a System scan.
Then put a check mark in front of the entries listed below:-

R3 - URLSearchHook: é?í??úê? - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O2 - BHO: é?í??úê? - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\Program Files\3721\Assist\asbar.dll
O2 - BHO: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\RunOnce: [CnsHook.dll] regsvr32 /s C:\WINDOWS\downlo~1\CnsHook.dll
O4 - HKLM\..\RunOnce: [cnshint.dll] regsvr32 /s C:\WINDOWS\downlo~1\cnshint.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Quick Search (Yisou.com) - res://C:\WINDOWS\downlo~1\CnsMinEx.dll/1003
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O11 - Options group: [!CNS] Chinese keywords
O16 - DPF: {59131903-4A33-40D5-80C2-5242DD365AB3} - http://www.swissquake.ch/chumbalum-soft/files/MS3DViewerOCX.cab

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Delete this folder (and also files inside it):-
C:\Program Files\3721

Delete these files:-
C:\WINDOWS\downlo~1\CnsHook.dll
C:\WINDOWS\downlo~1\CnsMin.dll
C:\WINDOWS\downlo~1\cnshint.dll
C:\WINDOWS\downlo~1\CnsMinEx.dll

Here, downlo~1 can be either Downloaded Program Files or Downloaded Installations. So please take a look in both folders and delete the above listed files.


Run CCleaner:

  • Click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours".
  • Click OK to exit from the Options.
  • Finally click "Run Cleaner" and click "OK" to continue cleaning.

Run Ewido:

  • Click on the "Scanner" button in the left menu, then click on the "Start" button.
  • If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file.

Reboot to Normal Mode. Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Ewido log.

0

I am having the same problem with the about:blank page. Can someone help? Can you tell me how to provide the HJT log? Thanks a ton!

0

Hi,

I am having the same problem with the about:blank page. Can someone help? Can you tell me how to provide the HJT log? Thanks a ton!

Download HijackThis and unzip it to a dedicated folder (like C:\HijackThisFolder\hijackthis.exe).
Then run it and click the button Do a System scan and save log file. HijackThis will perform a scan and save the log file as hijackthis.log in the same folder where it is installed, and it also opens the file automatically.

Start a new topic by clicking "New Topic" button, and post the entire contents of the HijackThis logfile.

0

Hi swatkat, thanks for your help. But I am sorry to report that the problem persists, i.e. I still cannot reset my home page.

Here is the HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 7:30:36 PM, on 8/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PepiMK\Spybot Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Viper\Files\Programs\Webshots\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Viper\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\PepiMK\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BB936323-19FA-4521-BA29-ECA6A121BC78} - (no file)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\PepiMK\Spybot Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Viper\Files\Programs\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\Viper\Files\Programs\DAP7\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Viper\Files\Programs\DAP7\dapextie2.htm
O8 - Extra context menu item: Quick Search (Yisou.com) - res://C:\WINDOWS\downlo~1\CnsMinEx.dll/1003
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: 3721 Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS]  Chinese keywords
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {59131903-4A33-40D5-80C2-5242DD365AB3} - 
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Viper\Programs\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

... and here is the Ewido log file:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          7:24:22 PM, 8/7/2005
 + Report-Checksum:     AFF44AB8

 + Scan result:

    HKLM\SOFTWARE\3721 -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\3721\Assist -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\3721\Assist\Modules -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\3721\AutoLive -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\3721\AutoLive\scrblock -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\3721\CnsMin -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\3721\CnsMin\CnsMinEx -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\3721\CnsMin\Variant -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\3721\CnsMinCg -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\AutoLive.Live -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\AutoLive.Live\CLSID -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\AutoLive.Live\CurVer -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\CesMain.Main -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\CesMain.Main\CLSID -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\CesMain.Main\CurVer -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{141A5E19-BDCB-4E27-A3D7-9E16503BC05B} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{4EDBBAEA-F509-49F6-94D1-ECEC4BE5B686} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{9EB2B422-C9EE-46C4-A471-1E79C7517B1D} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{ABEC6103-F6AC-43A3-834F-FB03FBA339A2} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4} -> Spyware.CnsMin : Error during cleaning
    HKLM\SOFTWARE\Classes\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4} -> Spyware.CnsMin : Error during cleaning
    HKLM\SOFTWARE\Classes\CnsHelper.CH -> Spyware.CnsMin : Error during cleaning
    HKLM\SOFTWARE\Classes\CnsHelper.CH\CLSID -> Spyware.CnsMin : Error during cleaning
    HKLM\SOFTWARE\Classes\CnsHelper.CH\CurVer -> Spyware.CnsMin : Error during cleaning
    HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook\CLSID -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook\CurVer -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\CoolBar.CoolBarObj -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{0BD10A76-90DB-498E-9BCB-B262A125CE13} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{25DE7220-A4D0-484B-A68A-3D4A6EBAF504} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{02A81BF7-D105-4B24-82DB-54305282017D} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{3177EAAE-96B9-49C8-9831-2D7844A08538} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{3EE88A1F-B8CC-45B9-B2AF-6CFB9D19218E} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{52CACFDF-9170-46A9-AE2E-E594D324C72A} -> Spyware.CashBack : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{7354662F-CAA3-448B-BC01-04F55A2DCA35} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{F97E75A4-0103-4F27-A752-327B600B1130} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Classes\WEBInstaller.CExecute -> Spyware.CashBack : Cleaned with backup
    HKLM\SOFTWARE\Classes\WEBInstaller.CExecute\CLSID -> Spyware.CashBack : Cleaned with backup
    HKLM\SOFTWARE\Classes\WEBInstaller.CExecute\CurVer -> Spyware.CashBack : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\AutoUpdate -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Enable -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Hint -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Menu -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\ResetCatch -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1B0E7716-898E-48cc-9690-4E338E8DE1D3} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{6D8F256B-6AB8-4398-8F86-1E56207DB77A} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D157330A-9EF3-49F8-9A67-4141AC41ADD4} -> Spyware.CnsMin : Error during cleaning
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CnsMin -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4EDBBAEA-F509-49F6-94D1-ECEC4BE5B686} -> Spyware.CnsMin : Cleaned with backup
    HKLM\SOFTWARE\tmp\{669695BC-A811-4A9D-8CDF-BA8C795F261C} -> Spyware.PowerStrip : Cleaned with backup
    HKLM\SOFTWARE\tmp\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
    HKU\S-1-5-21-2111342016-4217759621-2681017343-1005\Software\3721 -> Spyware.CnsMin : Cleaned with backup
    HKU\S-1-5-21-2111342016-4217759621-2681017343-1005\Software\3721\CnsMin -> Spyware.CnsMin : Cleaned with backup
    HKU\S-1-5-21-2111342016-4217759621-2681017343-1005\Software\3721\CnsMin\Variant -> Spyware.CnsMin : Cleaned with backup
    HKU\S-1-5-21-2111342016-4217759621-2681017343-1005\Software\3721\CnsUrl -> Spyware.CnsMin : Cleaned with backup
    HKU\S-1-5-21-2111342016-4217759621-2681017343-1005\Software\3721\InputCns -> Spyware.CnsMin : Cleaned with backup
    HKU\S-1-5-21-2111342016-4217759621-2681017343-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1B0E7716-898E-48CC-9690-4E338E8DE1D3} -> Spyware.CnsMin : Cleaned with backup
    HKU\S-1-5-21-2111342016-4217759621-2681017343-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C} -> Spyware.PowerStrip : Cleaned with backup
    HKU\S-1-5-21-2111342016-4217759621-2681017343-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} -> Spyware.CnsMin : Cleaned with backup
    HKU\S-1-5-21-2111342016-4217759621-2681017343-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BB936323-19FA-4521-BA29-ECA6A121BC78} -> Spyware.CnsMin : Cleaned with backup
    HKU\S-1-5-21-2111342016-4217759621-2681017343-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D157330A-9EF3-49F8-9A67-4141AC41ADD4} -> Spyware.CnsMin : Cleaned with backup
    C:\Documents and Settings\Administrator\Local Settings\Temp\disPh8.exe -> TrojanDownloader.IstBar.kp : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\041D9FF1-9155-44E4-9C09-688E49\37F02AF3-D3D4-4EA7-9DB2-4945F3 -> Spyware.WinAD : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\0AB09B31-E86E-4E4F-B379-B2997D\1E37678D-F56F-4B7B-BE36-8C9DA4 -> Spyware.IBIS : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\2083068A-E518-4A68-B77A-8014C9\11F4AD4C-8452-47CD-9296-AAA625 -> Spyware.MyWay : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\23726009-2328-462A-977B-070FE4\444AB20A-6B7F-489C-94FB-FE47FC -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\23726009-2328-462A-977B-070FE4\49F996C4-A4B1-433B-B458-A5A99B -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\23726009-2328-462A-977B-070FE4\99BF9762-4F5E-439E-B61D-46A270 -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\23726009-2328-462A-977B-070FE4\AFF2D5D3-66F2-4896-96D9-2E914F -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\23726009-2328-462A-977B-070FE4\E45A8F2F-C882-484D-A19D-FA7237 -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\23B729A6-2D46-4B33-A25C-FA0E83\2622C847-FDD4-4E88-A2F8-241C25 -> Spyware.CnsMin : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\630F961A-457F-4914-9CE1-B18CEE\0FFE4E34-AC65-4CD0-96E7-3D11C8 -> Spyware.Assist : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\630F961A-457F-4914-9CE1-B18CEE\169B413E-5C1C-4156-BD40-164E2E -> Spyware.CnsMin : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\630F961A-457F-4914-9CE1-B18CEE\1BBE8DD2-A442-497B-A0B0-6D819B -> Spyware.CnsMin : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\6510087E-A04A-47AC-9AD5-F258EA\076E6653-9B77-496E-A3A1-206250 -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\6510087E-A04A-47AC-9AD5-F258EA\881D5661-B0BB-4213-8302-1E4A2D -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\6510087E-A04A-47AC-9AD5-F258EA\918F6FFE-9E3A-4448-A024-B3993B -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\6510087E-A04A-47AC-9AD5-F258EA\C779BD35-4E75-48E3-815E-708995 -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\6510087E-A04A-47AC-9AD5-F258EA\C973C61C-7EB0-41A5-8DB2-600167 -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\6B868082-251F-4B50-B440-299C2A\64AF84F8-8237-45BF-981B-2F25C0 -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\6B868082-251F-4B50-B440-299C2A\CC13ABB2-C9B5-4FDC-8B63-04D38C -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\8EFC784C-DC13-4A15-8520-B7C3C3\2C59F981-9E83-4A9B-A024-BE8FA2 -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\8EFC784C-DC13-4A15-8520-B7C3C3\966DE1C7-4F04-4CEC-B6FE-BA36BB -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\C5530C64-C120-4770-AF2F-FE3830\79A32F8A-48B6-4869-AD5D-E08690 -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\C5530C64-C120-4770-AF2F-FE3830\9829284B-3C43-4A4A-8531-6A7419 -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\C5530C64-C120-4770-AF2F-FE3830\A2FDCD36-25AE-4799-870A-C89E2F -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\C5530C64-C120-4770-AF2F-FE3830\BF477CA1-36B2-4589-9EB7-B1A1FE -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\C5530C64-C120-4770-AF2F-FE3830\D3DD55F0-F6D0-4D2B-8C83-AD45BB -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\D4EEA2DC-E9AD-4012-9A1E-57ADF1\0E034457-90A3-4221-81FE-CC474A -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\D4EEA2DC-E9AD-4012-9A1E-57ADF1\3D4F1E09-D153-43E6-9050-0E79E9 -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\D4EEA2DC-E9AD-4012-9A1E-57ADF1\563A1E7D-84DD-40AF-BCEA-C50EAE -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\D4EEA2DC-E9AD-4012-9A1E-57ADF1\7FCDE1DC-77F6-4204-A996-096DB2 -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\D4EEA2DC-E9AD-4012-9A1E-57ADF1\9523D2D9-4700-497A-82D1-A4B5A2 -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\E26C41B2-A4C8-4F85-882E-535A0A\7BB3E248-CC76-4F0B-ABCC-E27A3E -> Spyware.BargainBuddy.l : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\F70F3783-23BA-441B-87D4-69A780\21FCB68A-5021-48D9-BDFF-CD368B -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\F70F3783-23BA-441B-87D4-69A780\7B438B84-DBAB-4DBD-8A97-DA29A0 -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\F70F3783-23BA-441B-87D4-69A780\C1381FEF-C66C-4397-9B51-3D524F -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\F70F3783-23BA-441B-87D4-69A780\CE711B0B-5152-4238-B509-4B820D -> Spyware.AproposMedia : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\F70F3783-23BA-441B-87D4-69A780\E105FFD9-D349-4160-8E61-81C3D2 -> Spyware.AproposMedia : Cleaned with backup
    C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP7\A0000952.exe -> Spyware.Trymedia : Cleaned with backup
    C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP8\A0001145.exe -> Spyware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP9\A0001364.dll -> Spyware.CnsMin : Cleaned with backup


::Report End

Thanks again for your help.

Edited by diafol: fixed formatting

0

Hi,
Sorry for replying late. But there are still some entries to be removed, especially the Chinese Keywords spyware.
Open NotePad, and copy the contents of the below "Quote" box:-

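rem /d also switches drive, so the deletes run in the right folder wherever Test.bat is saved
cd /d "%WinDir%\Downloaded Program Files"
rem Clear the system, read-only and hidden attributes first, then delete each file
attrib -s -r -h CnsHook.dll
del CnsHook.dll
attrib -s -r -h CnsMin.dll
del CnsMin.dll
attrib -s -r -h CnsMinEx.dll
del CnsMinEx.dll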

Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.


Boot in safe mode.


Run HijackThis and click Do only a System scan.
Then put a check mark in front of the entries listed below:-

O2 - BHO: (no name) - {BB936323-19FA-4521-BA29-ECA6A121BC78} - (no file)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O8 - Extra context menu item: Quick Search (Yisou.com) - res://C:\WINDOWS\downlo~1\CnsMinEx.dll/1003
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: 3721 Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS] Chinese keywords

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Double-Click on the file Test.bat, a small DOS type window should open and close immediately.


Reboot to Normal Mode. Run HijackThis again, click Do a System scan and save log, and post the fresh log.
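
An added example, not part of the original thread or written by any of its posters: a small Python script that compares a HijackThis log taken before a fix with the one taken after it, so the entries that survived "Fix Checked" stand out. The two log excerpts are taken from the logs posted above; the marker strings ("cns", "3721") are an assumption chosen from the file and site names in this thread.

```python
import re

# A HijackThis result line is "<section code> - <details>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Forum software sometimes wraps pasted logs in BBCode such as [url]...[/url]
BBCODE_RE = re.compile(r"\[/?(?:url|b)\]", re.IGNORECASE)

# Excerpt of the first log in the thread (before the fix).
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\RunOnce: [CnsHook.dll] regsvr32 /s C:\WINDOWS\downlo~1\CnsHook.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O11 - Options group: [!CNS] Chinese keywords
"""

# Excerpt of the second log in the thread (after the fix), BBCode residue included.
AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - [url]http://sms.3721.com/ie/index.htm[/url] (file missing)
O9 - Extra button: 3721 Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - [url]http://assistant.3721.com/index.htm?fb=Cns[/url] (file missing)
O11 - Options group: [!CNS]  Chinese keywords
"""


def entry_key(code, body):
    """Build a key that stays stable when only the display name or spacing changes."""
    clsid = CLSID_RE.search(body)
    if clsid:
        # "BHO", "Extra button", "Extra 'Tools' menuitem" can share one CLSID,
        # so the kind before the first colon is part of the key.
        kind = body.split(":", 1)[0].strip().lower()
        return (code, kind, clsid.group(0).upper())
    return (code, " ".join(body.split()).lower())


def parse_entries(log_text):
    """Map key -> cleaned line for every result entry; headers and processes are skipped."""
    entries = {}
    for raw in log_text.splitlines():
        line = BBCODE_RE.sub("", raw).strip()
        match = ENTRY_RE.match(line)
        if match:
            entries[entry_key(match.group(1), match.group(2))] = line
    return entries


def compare(before_text, after_text):
    """Classify entries as removed, persisting or new between two scans."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {
        "removed": [before[k] for k in before if k not in after],
        "persisting": [after[k] for k in after if k in before],
        "new": [after[k] for k in after if k not in before],
    }


def remaining_matches(report, markers):
    """Entries still in the second log that mention any marker string."""
    lowered = [m.lower() for m in markers]
    return [line for line in report["persisting"] + report["new"]
            if any(m in line.lower() for m in lowered)]


if __name__ == "__main__":
    report = compare(BEFORE, AFTER)
    for label in ("removed", "persisting", "new"):
        print(f"--- {label} ---")
        print("\n".join(report[label]))
    print("--- still to fix ---")
    print("\n".join(remaining_matches(report, ["cns", "3721"])))
```

Keying on section code plus CLSID is what lets the renamed BHO ("CnsHook Class" in the first log, "IE" in the second) be recognised as the same entry that survived the fix.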
