Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Cnsmin, 3721


  • This topic is locked This topic is locked
24 replies to this topic

#1 Wikibob

Wikibob

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:20 PM

Posted 01 May 2006 - 02:46 PM

quietman7 suggested I post a HijackThis og here (at end), because the CnsMin uninstaller is nasty.

The symptoms that led me to scan my PC were OE crashes/does not start, IE crashes
especially on antispyware sites, and windows.updates site crashes IE.

First here are details copied from my post in Am I infected? What do I do?


I am partway through cleaning my PC from various hijacks
but because IE crashes I cannot get windows update and
cannot run any online scans. Trend Micro does support
Firefox, but that also does nothing, ie Firefox only
shows "transferring data" and never gets to the
Launching House call button.

IE crashes on all these scan sites:
bitdefender.com
housecall65.trendmicro.com
pandasoftware.com

IE does not crash on other sites, such as news.bbc.co.uk or
tiscali.co.uk .

I have followed these steps (after searching Help Topics for CnsMin and 3721)
in Preparation Guide for use before posting a HijackThis Log:
1 and 2 done
3 Clean out your temporary internet files and temp files.
4 ran latest Spybot with latest definitions, both normal mode and Safe Mode
with Ad-Aware normal mode
5 Online scans all tried and failed as IE crashed on each site
Ran AVG (Grisoft)
6 McAfee Stinger ran - nothing found
7 Microsoft firewall was already enabled
8 Windows updates crashes in IE
9 HijackThis ran

My brother, who is helping me via email, has sent me instructions
http://www.spyany.com/program/article_spy_rm_CnsMin.html
on removing CnsMin, but the registry editor instructions
look behind my abilities.

This site explains the CnsMin in detail but does not offer
any removal instructions:
http://www3.ca.com/securityadvisor/pest/pe...px?id=453072511

Should I post a HijackThis log anyway (in the right forum of course),
or should I try something else?

I know I've had CnsMin since last year, when I was able to use
IE with online scans which reported it but I never got around to
trying to fix it - I was and still am a PC newbie.
I had switched from IE to Firefox some months ago, and used
IE only for windows updates.
But I wasn't getting IE crashes until some weeks ago.


After that post I tried the following:

I started Command Prompt and typed:
cd "%WinDir%\Downloaded Program Files"
ren CnsMin.dll CnsDel.dll

I then retried Ad-Aware full system scan, ignoring negligible risk entries
Again Ad-Aware failed to fix the CnsMin entries.

I then booted into Safe Mode
started Command Prompt
cd "%WinDir%\Downloaded Program Files"
dir cns*.*
showed only 3 files, including CnsDel.dll
del cns*.*
successful!

regedit
to try to delete the cns registry entries
such as HKEY_CLASSES_ROOT\CnsHelper.CH
and HKEY_CLASSES_ROOT\CnsHelper.CH.1
reported "cannot delete ..."

Then, while still in Safe Mode, I retried Ad-Aware and it again found CnsMin
plus some tracking cookies, but was unable to delete CnsMin.
I exited Ad-Aware and My Documents appeared for no apparant reason. This has happened before with Ad-Aware. I closed My Documents.

I rebooted into normal mode and got the following HijackThis log.
Note: PC is Packard Bell, ISP is tiscali.co.uk, connection is ADSL dialup, I disabled System restore just before using McAfee AVERT Stinger

Logfile of HijackThis v1.99.1
Scan saved at 20:15:29, on 01/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
C:\Program Files\Tiscali\NetPhone\Tiscali NetPhone.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\system32\rundll32.exe
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com.cn
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [cFosInst_Check] "C:\WINDOWS\cFosOEM\cfosinst.exe" -install -inplace -checkisdn
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.stripsaver.com!StatsStripSaver
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\RunOnce: [CnsHook.dll] regsvr32 /s C:\WINDOWS\DOWNLO~1\CnsHook.dll
O4 - HKCU\..\Run: [tkonnect] C:\Program Files\Tiscali\tkonnect\tkonnect.exe updatemode
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [Boots Insert Detect] C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
O4 - HKCU\..\Run: [Tiscali NetPhone] C:\Program Files\Tiscali\NetPhone\Tiscali NetPhone.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...s&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/...nger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O11 - Options group: [!CNS] Chinese keywords
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: symsupportutil - http://www.symantec.com/techsupp/activedat...supportutil.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133721354155
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - [url="http://www.symantec.com/techsupp/activedata/ActiveData.cab"]http://www.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28E10D60-1FCB-4022-BFBE-F22D02D83CF7}: NameServer = 212.74.114.129 212.74.112.67
O17 - HKLM\System\CS1\Services\Tcpip\..\{28E10D60-1FCB-4022-BFBE-F22D02D83CF7}: NameServer = 212.74.114.129 212.74.112.67
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
PC newbie: Packard Bell PC Windows XP (Build: 2600) Service Pack 2
Windows firewall; Grisoft AVG up to date on 26.04.2006; Spybot S&D 1.4 definitions 26.04.2006; appears that Buckeye Sam helped clear me of CnsMin chinese keywords hijack

BC AdBot (Login to Remove)

 


m

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:20 PM

Posted 03 May 2006 - 10:36 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
Chinese malware is horrible. Let's see what Ewido can do for us.

Please download Ewido Security Suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net/en/download/updates/

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.


Reboot your computer and post a new hijackthis log and the log from Ewido.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Wikibob

Wikibob
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:20 PM

Posted 03 May 2006 - 04:05 PM

Thank you for replying Buckeye_Sam, I appreciate the help :thumbsup: and I see this is a busy forum. I have added a HJT log to this post, but had problems with ewido. I ran ewido but was confused when it never prompted me clean files, so I could not run this step:

While the scan is in progress you will be prompted to clean files, click OK


ewido did detect some 25 items, including CnsMin and I selected Remove for all of them,
there was no option to clean. I answered Yes when it asked to delete the whole archive
when ewido could not fix certain files. The name scrblkup(1).cab inside a temporary
folder appeared often. These .cab filenames also appeared:
cnsminal.cab
keepmainm.cab
Somehow I managed to mess up saving the report file and all I got was a file
with these 3 strange characters:
ˇĢ-
. :flowers: I am still at the newbie stage concerning saving files!
I will repeat the whole ewido scan, boot, hijackthis log
tomorrow (I'm in the UK) and will repost both if the ewido report is complete.

Meanwhile here is the hijackthis log in case it helps, although I see I ran it while
WinZip was open - I may have done that wrong too.

Tomorrow, after my retry of ewido and hijackthis, I will try ewido in Safe Mode,
unless you tell me otherwise. By the way I had run ewido after a sequence of
Ad-Aware and Spybot scans and fixes - the number of other malware remaining
have been slowly decreasing.

Logfile of HijackThis v1.99.1
Scan saved at 19:58:36, on 03/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
C:\Program Files\Tiscali\NetPhone\Tiscali NetPhone.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\PAUL\LOCALS~1\Temp\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com.cn
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [cFosInst_Check] "C:\WINDOWS\cFosOEM\cfosinst.exe" -install -inplace -checkisdn
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [tkonnect] C:\Program Files\Tiscali\tkonnect\tkonnect.exe updatemode
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [Boots Insert Detect] C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
O4 - HKCU\..\Run: [Tiscali NetPhone] C:\Program Files\Tiscali\NetPhone\Tiscali NetPhone.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...s&btn=yahoomail (file missing)
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/...nger.yahoo.com/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [!CNS] Chinese keywords
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: symsupportutil - http://www.symantec.com/techsupp/activedat...supportutil.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133721354155
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
PC newbie: Packard Bell PC Windows XP (Build: 2600) Service Pack 2
Windows firewall; Grisoft AVG up to date on 26.04.2006; Spybot S&D 1.4 definitions 26.04.2006; appears that Buckeye Sam helped clear me of CnsMin chinese keywords hijack

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:20 PM

Posted 03 May 2006 - 05:33 PM

You did everything fine. It seems that Ewido has recently updated their software and changed things up a bit.

I noticed in your last log that Hijackthis is running from a temp folder. It's very important that you only run Hijackthis from a permanent folder such as you did in your first post - C:\hijack\HijackThis.exe
Failure to do this will result in backups being lost.

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O11 - Options group: [!CNS] Chinese keywords



===========


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\DOWNLO~1\CnsHook.dll
    C:\WINDOWS\DOWNLO~1\CnsMin.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.




Once you've rebooted, please post a new hijackthis log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Wikibob

Wikibob
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:20 PM

Posted 03 May 2006 - 09:46 PM

(My brother is writing this now on my behalf. Thanks for quick reply. :thumbsup: )
1. I found Killbox Vers. 2.0.0.588 dated 07 May 2004 size 71,680 bytes at
http://www.geekstogo.com/modules.php?modid...ction=show&id=4

2. and another version here at
http://www.bleepingcomputer.com/files/killbox.php
dated 08/02/06 (2006 February 8) which is a zip with a 73728 byte killbox.exe inside
also dated 2006 February 8

3. At first the link you gave returned this message on the page:

You do not have permission to do this action. If you think you should do, please contact the webmaster.

but then I registered at geekstogo and your link then gave me a killbox.exe
file version 2.00.0588 size 71,680 bytes

Version 1 is the same as version 3 (same octets)

Do you mean we should take the newest version from www.bleepingcomputer.com/files/killbox.php ?
PC newbie: Packard Bell PC Windows XP (Build: 2600) Service Pack 2
Windows firewall; Grisoft AVG up to date on 26.04.2006; Spybot S&D 1.4 definitions 26.04.2006; appears that Buckeye Sam helped clear me of CnsMin chinese keywords hijack

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:20 PM

Posted 04 May 2006 - 08:42 AM

I was unaware of the problems with that link. Thanks for bringing it to my attention.

Use this link to download the most current version of Killbox.
http://www.downloads.subratam.org/KillBox.exe
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Wikibob

Wikibob
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:20 PM

Posted 04 May 2006 - 10:06 AM

Ok, I downloaded killbox from the subratam site, after pasting the 2 filenames I did see the two filenames in the dropdown box under Full path of File to Delete, so I clicked the button labeled Delete File with the white cross inside the red circle, and then clicked the Delete on Reboot.

I did not receive any PendingFileRenameOperations messages you mention here:

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).


I did see a brief dialog that said something like "seconds to abort" flash up and disappear.

The PC did restart automatically, and I then produced a new HijackThis log, and I notice the CnsMin is still there:

Logfile of HijackThis v1.99.1
Scan saved at 15:52:49, on 04/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
C:\Program Files\Tiscali\NetPhone\Tiscali NetPhone.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
c:\hijack\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com.cn
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [cFosInst_Check] "C:\WINDOWS\cFosOEM\cfosinst.exe" -install -inplace -checkisdn
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKCU\..\Run: [tkonnect] C:\Program Files\Tiscali\tkonnect\tkonnect.exe updatemode
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [Boots Insert Detect] C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
O4 - HKCU\..\Run: [Tiscali NetPhone] C:\Program Files\Tiscali\NetPhone\Tiscali NetPhone.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...s&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/...nger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O11 - Options group: [!CNS] Chinese keywords
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: symsupportutil - http://www.symantec.com/techsupp/activedat...supportutil.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133721354155
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
PC newbie: Packard Bell PC Windows XP (Build: 2600) Service Pack 2
Windows firewall; Grisoft AVG up to date on 26.04.2006; Spybot S&D 1.4 definitions 26.04.2006; appears that Buckeye Sam helped clear me of CnsMin chinese keywords hijack

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:20 PM

Posted 04 May 2006 - 07:04 PM

Ok, we need to find out a little more about what's on your computer.

Copy the text below and paste it into notepad. Save it to your desktop as find.bat and make sure type is set to All Files.

cd\
cd %WinDir%/Downloaded Program Files
DIR  /s /o:d > dpf.txt
start dpf.txt
cls
exit


Double click find.bat It will open up with notepad very quickly. Please copy that text and post it here in your next reply.


Now I need you to check for the presence of some other files and folders. Some of these may be hidden so we need to enable you to view hidden files/folders.
  • Click Start -> My Computer
  • Select Tools -> Folder options
  • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
  • Also make sure that 'Display the contents of system folders' is checked.
  • Make sure "Hide extensions for known file types" is unchecked
  • Make sure "Hide protected operating system files (recommended)" is unchecked
  • For more info on how to show hidden files click here.
Now look for these files and let me know if you find them on your computer.

C:\WINDOWS\System32\drivers\cnsminkp.sys
C:\Windows\system\assist.dll
C:\Windows\system\bdhelper.dll
C:\Windows\system\cesweb.dll
C:\Windows\system\cnshook.dll
C:\Windows\system32\assist.dll
C:\Windows\system32\bdhelper.dll
C:\Windows\system32\cesweb.dll
C:\Windows\system32\cnshook.dll
C:\Windows\system32\ehelper.dll
C:\Program Files\3721 <-- this folder
C:\Program Files\Common Files\chinese keywords <-- this folder




Once we know what's there, then we can kill it all at once.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Wikibob

Wikibob
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:20 PM

Posted 05 May 2006 - 01:25 PM

Volume in drive C is HDD
 Volume Serial Number is D476-0094

 Directory of C:\WINDOWS\Downloaded Program Files

20/01/2000  15:25			 1,162 Microsoft XML Parser for Java.osd
13/07/2000  17:21			86,488 bvinetio.dll
13/07/2000  17:21			57,816 ratechk.dll
28/03/2002  17:05			 1,268 erma.inf
12/06/2002  14:16		   112,312 ActiveData.dll
15/11/2002  13:23			   901 iuctl.inf
27/11/2002  11:36			 3,540 swflash.inf
13/12/2002  11:54		   208,896 SymProductData.dll
13/12/2002  11:55			   593 OSD34.OSD
19/12/2002  17:22			   109 SETUP.INF
19/12/2002  17:22		   132,590 StripSaver_108.EXE
19/08/2004  13:02			49,152 cnsplus.dll
07/12/2004  17:07				32 bdcore.dll
07/12/2004  17:07				32 libfn.dll
18/02/2005  17:22			   126 live.ini
01/03/2005  12:15			 1,246 oscan8.inf
01/03/2005  15:08		   118,784 bdupd.dll
01/03/2005  15:08			53,248 ipsupd.dll
09/03/2005  16:40		   475,136 oscan8.ocx
09/03/2005  16:42			 6,742 lang.ini
09/03/2005  16:43			 6,828 scanoptions.tsi
14/03/2005  13:39			   227 MsnMessengerSetupDownloader.inf
17/03/2005  14:48		   113,152 MsnMessengerSetupDownloader.ocx
26/05/2005  05:19			   291 wuweb.inf
26/10/2005  13:10			73,728 CnsHook.dll
03/11/2005  21:24			   495 LegitCheckControl.inf
17/11/2005  15:00			   241 CabSA.inf
17/11/2005  15:03		   161,480 rufsi.dll
11/12/2005  14:52		   126,976 cnshint.dll
17/01/2006  15:43			24,576 CnsMinDT.dll
22/04/2006  00:08			36,864 keepmain.dll
27/04/2006  14:26		   258,048 CnsMin.dll
28/04/2006  11:50			40,960 CnsMinIO.dll
28/04/2006  11:50			45,056 cnsio.dll
29/04/2006  17:10			94,208 CnsMinEx.dll
03/05/2006  20:11			 6,166 CnsMinCg.ini
03/05/2006  20:11			   110 CnsUp.ini
03/05/2006  20:11			   133 CnsMin.ini
03/05/2006  20:11			34,580 CnsMinEx.cab
03/05/2006  20:11			   874 CnsMinEx.ini
03/05/2006  20:11			24,956 CnsMinIO.cab
03/05/2006  20:11			28,490 CnsMinHK.cab
03/05/2006  20:11			10,415 CnsMinDT.cab
03/05/2006  20:11	<DIR>		  3721
03/05/2006  20:11			99,057 keepmainM.cab
03/05/2006  20:11			75,500 CnsMinAL.cab
03/05/2006  20:11			15,444 CnsPlus.cab
03/05/2006  20:11			54,600 CnsHint.cab
05/05/2006  18:00			 5,734 assis.ico
05/05/2006  18:00			 6,526 sms.ico
05/05/2006  18:00			 5,734 taobao.ico
05/05/2006  18:00			 5,734 yahoomsg.ico
05/05/2006  18:00			 5,734 ymail.ico
05/05/2006  18:22				 0 dpf.txt
			  53 File(s)	  2,673,090 bytes

 Directory of C:\WINDOWS\Downloaded Program Files\3721

23/02/2006  14:23			32,768 cns1.dll
27/03/2006  16:41			49,249 cnsminkp.vxd
27/03/2006  16:41			28,672 cns1.exe
21/04/2006  23:46			46,592 cnsminkpxp.sys
21/04/2006  23:46			44,032 cnsminkp2k.sys
03/05/2006  20:14	<DIR>		  ..
03/05/2006  20:14	<DIR>		  .
			   5 File(s)		201,313 bytes

	 Total Files Listed:
			  58 File(s)	  2,874,403 bytes
			   3 Dir(s)  31,765,708,800 bytes free

YES C:\WINDOWS\System32\drivers\cnsminkp.sys
no  C:\Windows\system\assist.dll
no  C:\Windows\system\bdhelper.dll
no  C:\Windows\system\cesweb.dll
no  C:\Windows\system\cnshook.dll
no  C:\Windows\system32\assist.dll
no  C:\Windows\system32\bdhelper.dll
no  C:\Windows\system32\cesweb.dll
no  C:\Windows\system32\cnshook.dll
no  C:\Windows\system32\ehelper.dll
YES C:\Program Files\3721 <-- this folder
YES C:\Program Files\Common Files\chinese keywords <-- this folder

Not on your list but I did find these similar files:

These two in C:\Windows\system32\ :
cns.dll
cns.exe
Both had these same properties:
File Version: 1.0.0.2
Copyright: ? 2004
Company: Microsoft
Language: chinese
Product Name: Microsoft cns
and this file: cns.dat

I also have this one Chinese word flash cards folder
that I downloaded last year and used to help learn some Chinese:

C:\Program Files\chinesetools with 4 files
flashapp.jar
uninsooo.exe
unins000.dat
zi.ico

I do not believe this is related to the CnsMin problem,
and I have an icon that I used to show me the flash cards.
PC newbie: Packard Bell PC Windows XP (Build: 2600) Service Pack 2
Windows firewall; Grisoft AVG up to date on 26.04.2006; Spybot S&D 1.4 definitions 26.04.2006; appears that Buckeye Sam helped clear me of CnsMin chinese keywords hijack

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:20 PM

Posted 05 May 2006 - 01:44 PM

These two in C:\Windows\system32\ :

cns.dll

cns.exe

Both had these same properties:

File Version: 1.0.0.2

Copyright: ? 2004

Company: Microsoft

Language: chinese

Product Name: Microsoft cns

and this file: cns.dat
I'm putting together the fix for you now. Can you tell me the size of these files and the date created?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:20 PM

Posted 05 May 2006 - 02:04 PM

Please copy the following text in the code box to Notepad. Make sure there is no empty line above REGEDIT4. In Notepad go to File > Save As. Name it Fixit.reg, in the drop down box at the bottom choose "All Files", and save it on your C:\ drive.

REGEDIT4

[-HKEY_CLASSES_ROOT\clsid\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]

[-HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]

[-HKEY_CLASSES_ROOT\cnshelper.ch]

[-HKEY_CLASSES_ROOT\cnshelper.ch.1]

[-HKEY_CLASSES_ROOT\cnsminhk.cnshook]

[-HKEY_CLASSES_ROOT\cnsminhk.cnshook.1]

[-HKEY_CURRENT_USER\software\3721]

[-HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\advancedoptions\!cns]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CnsMin"=-


1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:

C:\WINDOWS\System32\drivers\cnsminkp.sys
C:\WINDOWS\Downloaded Program Files\CnsMin.dll
C:\WINDOWS\Downloaded Program Files\CnsMinIO.dll
C:\WINDOWS\Downloaded Program Files\cnsio.dll
C:\WINDOWS\Downloaded Program Files\CnsMinEx.dll
C:\WINDOWS\Downloaded Program Files\CnsMinCg.ini
C:\WINDOWS\Downloaded Program Files\CnsUp.ini
C:\WINDOWS\Downloaded Program Files\CnsMin.ini
C:\WINDOWS\Downloaded Program Files\CnsMinEx.cab
C:\WINDOWS\Downloaded Program Files\CnsMinEx.ini
C:\WINDOWS\Downloaded Program Files\CnsMinIO.cab
C:\WINDOWS\Downloaded Program Files\CnsMinHK.cab
C:\WINDOWS\Downloaded Program Files\CnsMinDT.cab
C:\WINDOWS\Downloaded Program Files\CnsMinAL.cab
C:\WINDOWS\Downloaded Program Files\CnsPlus.cab
C:\WINDOWS\Downloaded Program Files\CnsHint.cab
C:\WINDOWS\Downloaded Program Files\keepmainM.cab

Folders to delete:

C:\WINDOWS\Downloaded Program Files\3721
C:\Program Files\3721
C:\Program Files\Common Files\chinese keywords

Programs to launch on reboot:

C:\Fixit.reg



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply



Additional files to delete
I'm uncertain of the exact location of these files, but you should search out and delete these if found on your computer.

1.reg
12.reg
14.reg
15.reg
3.reg
4.reg
asdf.txt
bbb.txt
cns01.dat
cnsinfo.dat
cnsmin.txt
cnsmin-install.htm

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 Wikibob

Wikibob
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:20 PM

Posted 07 May 2006 - 11:30 AM

I made a mistake the first time I ran avenger - I had saved the fixit.reg text in file fixit.reg and
not Fixit.reg. In case that affected the log here is what happened.

* Microsoft Antispyware asked me to allow running of caqtmvxh.bat - I allowed it;
* PC rebooted and a black window appeared briefly with the words
"couldn't find the file specified c..." something I couldn't catch
* notepad opened with a dialog "cannot find the avenger.txt file"
* I looked in C: and found no avenger.txt but there was C:\avenger\backup.zip of 1KB size.
* At that point I rechecked the instructions and saw I had typed fixit.reg with a small f!

So I repeated from the top and this time the black window opened and started
logging things about deleting files, and afterwards regedit opened with
"are you sure you want to add the info in the C:\Fixit.reg to the registry" - I clicked Ok or yes
and shortly after saw the message "info in c:... has been successfully...".
Finally this avenger.txt file appeared:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qgtqtnjy

*******************

Script file located at: \??\C:\vuhyxxvf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\drivers\cnsminkp.sys deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CnsMin.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CnsMinIO.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\cnsio.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CnsMinEx.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CnsMinCg.ini deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CnsUp.ini deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CnsMin.ini deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CnsMinEx.cab deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CnsMinEx.ini deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CnsMinIO.cab deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CnsMinHK.cab deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CnsMinDT.cab deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CnsMinAL.cab deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CnsPlus.cab deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CnsHint.cab deleted successfully.
File C:\WINDOWS\Downloaded Program Files\keepmainM.cab deleted successfully.
Folder C:\WINDOWS\Downloaded Program Files\3721 deleted successfully.
Folder C:\Program Files\3721 deleted successfully.


Folder C:\Program Files\Common Files\chinese keywords not found!
Deletion of folder C:\Program Files\Common Files\chinese keywords failed!

Could not process line:
C:\Program Files\Common Files\chinese keywords
Status: 0xc0000034

Program C:\Fixit.reg successfully set up to run once on reboot.

Completed script processing.

*******************

Finished!  Terminate.

( 17:40 UK time I edited the above because I saw I had problems with paste and had pasted several copies of the log )

I then made a fresh HijackThis log,

Logfile of HijackThis v1.99.1
Scan saved at 16:00:30, on 07/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
C:\Program Files\Tiscali\NetPhone\Tiscali NetPhone.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com.cn
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [cFosInst_Check] "C:\WINDOWS\cFosOEM\cfosinst.exe" -install -inplace -checkisdn
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKCU\..\Run: [tkonnect] C:\Program Files\Tiscali\tkonnect\tkonnect.exe updatemode
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [Boots Insert Detect] C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
O4 - HKCU\..\Run: [Tiscali NetPhone] C:\Program Files\Tiscali\NetPhone\Tiscali NetPhone.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: symsupportutil - http://www.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133721354155
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28E10D60-1FCB-4022-BFBE-F22D02D83CF7}: NameServer = 80.225.252.58 80.225.252.50
O17 - HKLM\System\CS1\Services\Tcpip\..\{28E10D60-1FCB-4022-BFBE-F22D02D83CF7}: NameServer = 80.225.252.58 80.225.252.50
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

During the restart a message appeared with words like
"error loading ...dll ... 3721...".
But I see the hijakthis log is now clear of 3721 and CnsMin

Of the files to be deleted I did find one:
cns01.dat dated 20 oct 2005 inside c:\avenger/3721-ren-381
but I could not delete it - I can try to delete this again later

None of the other files were found, but I saw many similar files
inside what looked like Spybot Search and Destroy archive folders
named cnsmin1.zip dated 27 April to cnsmin212.zip dated 3 May this year.

cnsmin.zip was found in an applications folder
cns1.dll was in another spybot folder
cnsmin.dat was in a temp folder
I then ran cleanmgr to empty my temporary files folder

Should I make a better search for more files?

Edited by Wikibob, 07 May 2006 - 11:42 AM.

PC newbie: Packard Bell PC Windows XP (Build: 2600) Service Pack 2
Windows firewall; Grisoft AVG up to date on 26.04.2006; Spybot S&D 1.4 definitions 26.04.2006; appears that Buckeye Sam helped clear me of CnsMin chinese keywords hijack

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:20 PM

Posted 07 May 2006 - 04:54 PM

It's looking good. :thumbsup:

Don't worry about the files found inside the Avenger folder, or in Spybot's quarantine, but you should delete this one that you referred to.

cnsmin.zip was found in an applications folder


Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...s&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/...nger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)



Reboot and post a new hijackthis log.
Also post a new log from find.bat
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#14 Wikibob

Wikibob
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:20 PM

Posted 08 May 2006 - 02:49 PM

Ok, I deleted the cnsmin.zip, the hijackthis.log is here:

Logfile of HijackThis v1.99.1
Scan saved at 16:59:46, on 08/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
C:\Program Files\Tiscali\NetPhone\Tiscali NetPhone.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com.cn
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [cFosInst_Check] "C:\WINDOWS\cFosOEM\cfosinst.exe" -install -inplace -checkisdn
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [tkonnect] C:\Program Files\Tiscali\tkonnect\tkonnect.exe updatemode
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [Boots Insert Detect] C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
O4 - HKCU\..\Run: [Tiscali NetPhone] C:\Program Files\Tiscali\NetPhone\Tiscali NetPhone.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: symsupportutil - http://www.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133721354155
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe


By the way, I could find only four of hijackthis items to check,
somehow the others were not listed anymore. These were the 4 I
checkmarked:
x  O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
x  O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
x  O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
x  O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/...nger.yahoo.com/ (file missing)

And here is the find.bat output:

Volume in drive C is HDD
 Volume Serial Number is D476-0094

 Directory of C:\WINDOWS\Downloaded Program Files

20/01/2000  15:25			 1,162 Microsoft XML Parser for Java.osd
13/07/2000  17:21			86,488 bvinetio.dll
13/07/2000  17:21			57,816 ratechk.dll
28/03/2002  17:05			 1,268 erma.inf
12/06/2002  14:16		   112,312 ActiveData.dll
15/11/2002  13:23			   901 iuctl.inf
27/11/2002  11:36			 3,540 swflash.inf
13/12/2002  11:54		   208,896 SymProductData.dll
13/12/2002  11:55			   593 OSD34.OSD
19/12/2002  17:22			   109 SETUP.INF
19/12/2002  17:22		   132,590 StripSaver_108.EXE
07/12/2004  17:07				32 bdcore.dll
07/12/2004  17:07				32 libfn.dll
18/02/2005  17:22			   126 live.ini
01/03/2005  12:15			 1,246 oscan8.inf
01/03/2005  15:08		   118,784 bdupd.dll
01/03/2005  15:08			53,248 ipsupd.dll
09/03/2005  16:40		   475,136 oscan8.ocx
09/03/2005  16:42			 6,742 lang.ini
09/03/2005  16:43			 6,828 scanoptions.tsi
14/03/2005  13:39			   227 MsnMessengerSetupDownloader.inf
17/03/2005  14:48		   113,152 MsnMessengerSetupDownloader.ocx
26/05/2005  05:19			   291 wuweb.inf
03/11/2005  21:24			   495 LegitCheckControl.inf
17/11/2005  15:00			   241 CabSA.inf
17/11/2005  15:03		   161,480 rufsi.dll
11/12/2005  14:52		   126,976 cnshint.dll
17/01/2006  15:43			24,576 CnsMinDT.dll
22/04/2006  00:08			36,864 keepmain.dll
07/05/2006  15:12			 6,526 sms.ico
07/05/2006  15:12			 5,734 assis.ico
07/05/2006  15:12			 5,734 taobao.ico
07/05/2006  15:12			 5,734 yahoomsg.ico
07/05/2006  15:12			 5,734 ymail.ico
08/05/2006  20:35				 0 dpf.txt
			  35 File(s)	  1,761,613 bytes

	 Total Files Listed:
			  35 File(s)	  1,761,613 bytes
			   0 Dir(s)  31,894,970,368 bytes free

PC newbie: Packard Bell PC Windows XP (Build: 2600) Service Pack 2
Windows firewall; Grisoft AVG up to date on 26.04.2006; Spybot S&D 1.4 definitions 26.04.2006; appears that Buckeye Sam helped clear me of CnsMin chinese keywords hijack

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:20 PM

Posted 08 May 2006 - 04:57 PM

Run Avenger just like you did before and use this code.

Files to delete:

C:\WINDOWS\Downloaded Program Files\cnshint.dll
C:\WINDOWS\Downloaded Program Files\CnsMinDT.dll
C:\WINDOWS\Downloaded Program Files\keepmain.dll



Otherwise your log looks pretty good to me.
How about on your end? Any signs of it?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users