This is proving to be very troublesome.
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.
Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to them (if there).
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll (file missing)
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [runeip] C:\Program Files\Rising\AntiSpyware\runiep.exe
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - F:\QQ\AddEmotion.htm
O9 - Extra button: Yahoo 3.5G¦Ì?¨®¨º - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra button: ???¡¤???? - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http://www.taobao.com/vertical/mall/pro.php?allyesPara=816 (file missing)
O9 - Extra button: ???¡é?¨²¨º? - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - Extra button: ???¡éWIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
O9 - Extra button: ?¨¦?¡ã¨¢?¨¬¨¬ - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: DT?¡ä?¡¥¨¤¨¤?¡Â - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: ??¨¤¨ª¨¦?¨ª????? - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O11 - Options group: [!CNS] ?D??¨¦?¨ª?
O16 - DPF: {9ADACAA6-533E-4383-AFA7-F0A66650B6D8} (VqqSpeedDlProxy Class) - http://dl_dir.qq.com/qqfile/p2p/vqqsdl.cab
O24 - Desktop Component 0: (no name) - http://ic1.deviantart.com/fs7/f/2005/248/8/3/collage_00120.jpg
O24 - Desktop Component 1: (no name) - http://ic1.deviantart.com/fs7/i/2005/245/4/2/Lex_Speaks___Wallpaper_by_MiniCow.jpg
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or directories (if there).
C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
C:\WINDOWS\DOWNLO~1\CnsHook.dll
Reboot into normal mode and rehide your protected OS files.
Download and install DrWebCureit:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
http://spywareinfo.dk/download/drweb-cureit.exe to your desktop.
Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it finds, and when it says "done"
Click on the green screwdriver-
Actions Tab- Adware-Dialers-Riskware-Hacktools, use dropdown menu and select -Delete
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.
After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
Attach the DrWeb.csv log as well as a fresh HJT log.
Regards Howard
This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
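As an added example (not part of the post above and not HijackThis's own code), here is a small triage script for a pasted HJT log. It tolerates entries that a forum has wrapped onto a second line. The two flag rules and the watched directory are assumptions chosen for illustration, and the sample uses entries from the log above plus one invented entry.

```python
import re

# Constructed sample: entries taken from the log above plus one invented, healthy entry.
SAMPLE_LOG = r"""
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll (file missing)
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} -
http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\Example\app.exe" /tray
"""

ENTRY_RE = re.compile(r"^(?P<code>[ORFN]\d{1,2}) - (?P<body>.*)$")  # R0..R3, F0.., N1.., O1..O24
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_hjt(text):
    """Split a HijackThis log into entries, re-joining lines wrapped by a forum paste."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"code": m["code"], "body": m["body"]})
        elif line and entries:
            entries[-1]["body"] += " " + line  # continuation of the previous entry
    for e in entries:
        clsid = CLSID_RE.search(e["body"])
        e["clsid"] = clsid.group(0).upper() if clsid else None
        e["file_missing"] = e["body"].endswith("(file missing)")
    return entries

def triage(entries, watch_dirs=("\\downlo~1\\",)):
    """Return (entry, reasons) for entries worth a manual look. Rules are assumptions."""
    flagged = []
    for e in entries:
        reasons = []
        if e["file_missing"]:
            reasons.append("target file missing (orphaned registration)")
        if any(d in e["body"].lower() for d in watch_dirs):
            reasons.append("loads from watched directory")
        if reasons:
            flagged.append((e, reasons))
    return flagged

if __name__ == "__main__":
    for e, reasons in triage(parse_hjt(SAMPLE_LOG)):
        print(e["code"], e["clsid"] or "-", "; ".join(reasons))
```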