Antivirus Gold-related problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by alexndrite, Jul 6, 2005.

  1. alexndrite

    alexndrite Private E-2

    I've been having problems with Antivirus Gold for a while now... Whenever Internet Explorer is opened Antivirus Gold is installed (even if I had uninstalled it), my home page is changed, something keeps popping up in the notification area, and some webpage is added to my desktop. Also there's this AZE Search toolbar in Internet Explorer that I can never get rid of. None of this happens with MyIE2 though.

    I noticed an ApptoPort.dll file is often left in the Antivirus Gold folder after uninstalling. I couldn't delete it manually since it says it's in use, so this time I logged in as Guest, moved the file to another location, then deleted it. But immediately after that my internet connection died, and I've given up trying to solve it myself...

    I followed the instructions on the READ ME FIRST sticky as much as I could... I couldn't do the online scans (but I did run Stinger, nothing found), I ran all the programs but couldn't get the updates.

    So... help?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the below steps exactly:

    - Make sure you have enabled viewing of hidden and system files per the READ ME.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word, etc. And any other unnecessary running programs.

    - Run HijackThis and select Do a System Scan only.

    - In the list of items that comes up, look for the below items and select them:
    O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
    O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
    O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe

    - Reboot into safe mode and run Windows Explorer. Locate the below files and delete them:
    C:\Program Files\AntivirusGold <--- the whole folder
    C:\Windows\windows.html
    C:\Windows\screen.html
    C:\Windows\desktop.html
    C:\WINDOWS\System32\hookdump.exe
    C:\WINDOWS\System32\winnook.exe

    - Fixing Locked Desktop
    Also you should right click on your Desktop and select Properties. Then click the Desktop tab and then the Customize Desktop button. Now in the next window that comes up click the Web tab. Make sure at the bottom that Lock desktop items is unchecked. Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too (you may see a Security Info item in the list. Make sure it gets unchecked.) Then click OK. Apply. OK.

    - Now reboot into normal mode and continue

    - Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixAG.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixAG.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    - Tell me how the steps went and if you are still having any problems.
     
  3. alexndrite

    alexndrite Private E-2

    Well, I did what you said, and Internet Explorer seems to be working fine now. But some other things I thought you might want to know:

    1) Before this I managed to resurrect my internet connection by putting the ApptoPort.dll file back where it originally was... C:\Program Files\AdwareRemoverGold.com\Adware Remover Gold. It's still there right now, should I remove it? I'm afraid it might kill my connection again.

    2) Whenever I start up, a program called "Smart Wizard" runs for a brief moment, seems to do nothing, then disappears. It shows up on the HJT log.

    3) While running Spybot there were a few CnsMin items that couldn't be removed. It's on the HJT log too.

    Regarding the HJT log, in case you ask, the www.wizards.com/blahblahblah URL is the home page I want. The search pages don't look familiar though.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    AdwareRemoverGold is a rogue tool and should be uninstalled using Add/Remove programs.

    However the apptoport.dll file is supposed to be for WyvernWorks Firewall - http://www.wyvernworks.com/firewall.html

    Did you or do you have this installed? If not, then it was just part of AdwareRemoverGold and you probably broke your LSP chain last time you moved it. That would show in your HJT log something like:

    O10 - Unknown file in Winsock LSP: C:\Program Files\AdwareRemoverGold.com\Adware Remover Gold\apptoport.dll

    You would have to fix this using a tool like LSP-Fix.

    The process would be like the below:

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the apptoport.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move apptoport.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Add/Remove programs for CNSMin and uninstall if found.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.3721.com/srchcust.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 213.219.251.80 go.com
    O1 - Hosts: 213.219.251.80 www.go.com
    O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll
    O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
    O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
    O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
    O4 - HKCU\..\Run: [Tats] C:\Documents and Settings\Eric\Application Data\cnsw.exe
    O8 - Extra context menu item: Quick Search (Yisou.com) - res://C:\WINDOWS\downlo~1\CnsMinEx.dll/1003
    O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
    O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
    O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
    O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
    O11 - Options group: [!CNS] Chinese keywords
    O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:

    C:\windows\azentretien.dll or C:\windows\system32\azentretien.dll
    C:\Documents and Settings\Eric\Application Data\cnsw.exe
    C:\Program Files\3721 <--- the whole folder


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    The below files are in c:\windows\downloaded program files and require special steps to delete because Windows Explorer will not show them.

    Additional steps to delete cnshook.dll, CnsMin.dll, and CnsMinEx.dll:

    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines, each followed by the Enter key:
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s cnshook.dll
    del cnshook.dll

    Now repeat the above for CnsMin.dll and CnsMinEx.dll
    Then type exit to close the window.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
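    As an added example (not part of this thread or of any tool it mentions), a small Python triage script that parses HijackThis-style log lines like the ones above into section, CLSID, path and URL fields and flags the kinds of entries this thread ended up fixing: hosts redirects, entries pointing at a missing file, and paths or URLs carrying the CnsMin/3721, AZE Search and Antivirus Gold names. The watchlist tokens and the sample lines are taken from this thread; the benign ctfmon.exe entry is constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Watchlist tokens taken from the entries chaslang told the poster to fix in
# this thread (CnsMin/3721, AZE Search, Antivirus Gold and its helper files).
WATCHLIST = ("3721", "cns", "azebar", "azentretien", "hsremove",
             "antivirusgold", "hookdump", "winnook", "adware remover gold")

LINE_RE = re.compile(r"^\s*([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive letter or %VAR% root, then a backslash path ending in a binary/page.
PATH_RE = re.compile(r"(?:[A-Za-z]:|%[^%\\]+%)\\.+?\.(?:exe|dll|sys|cab|html?)",
                     re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


@dataclass
class HjtEntry:
    section: str            # R0, O2, O4, O9, O16, ...
    body: str               # everything after "Oxx - "
    clsids: list[str] = field(default_factory=list)
    paths: list[str] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)
    flags: list[str] = field(default_factory=list)


def parse_entry(line: str) -> HjtEntry | None:
    """Parse one HijackThis log line; return None for non-entry lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group(1), m.group(2).strip()
    entry = HjtEntry(section, body,
                     clsids=CLSID_RE.findall(body),
                     paths=PATH_RE.findall(body),
                     urls=URL_RE.findall(body))
    low = body.lower()
    if section == "O1":
        entry.flags.append("hosts-entry")          # hosts file redirect
    if "(file missing)" in low or "(no file)" in low:
        entry.flags.append("dangling")             # registry points at nothing
    hits = [w for w in WATCHLIST if w in low]
    if hits:
        entry.flags.append("watchlist:" + ",".join(hits))
    return entry


def scan_log(text: str) -> list[HjtEntry]:
    """Return only the entries that raised at least one flag."""
    entries = (parse_entry(ln) for ln in text.splitlines())
    return [e for e in entries if e is not None and e.flags]


# Constructed sample: lines copied from the thread plus one benign O4 entry.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O1 - Hosts: 213.219.251.80 go.com
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll
O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKCU\..\Run: [Tats] C:\Documents and Settings\Eric\Application Data\cnsw.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O10 - Unknown file in Winsock LSP: C:\Program Files\AdwareRemoverGold.com\Adware Remover Gold\apptoport.dll
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
"""

if __name__ == "__main__":
    for e in scan_log(SAMPLE_LOG):
        print(f"{e.section:<4} {', '.join(e.flags):<28} {e.paths or e.urls}")
```

    A watchlist hit is only a prompt to look at the file or key it names, not proof on its own; extend the list from removal lists like the ones in this thread rather than guessing.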
     
  6. alexndrite

    alexndrite Private E-2

    Regarding the ApptoPort.dll file, I never installed the firewall, so I ran LSPFix and deleted it. My connection's working fine.

    I tried to delete the folder 3721, but there was a problem. There was a file 'CNSMIN.DAT' inside which I tried to manually delete. There were no "this file is in use' messages and it disappeared, but after I refreshed the folder it was there again.

    Same problem with the other 3 cns files in the 'downloaded program files' folder. I only managed to get rid of CnsMinEx.dll (for some reason it was renamed CnsMinEx.dll_tobedeleted when I went into normal mode, ran HJT again, then returned to safe mode).

    Also, I entered 'dir' in the Downloaded Program Files folder and found quite a few cns-related files there. There was also a folder "3721". Should I do anything with them?

    One more point, there is another account on this computer (my brother's). Should I run HJT there too? The log is different there than from what I get in this account.

    Attached is the HJT log from my account. I fixed the stuff you asked me to, but it seems like some reappeared (probably because the cns files are still there).

    Thanks for all your help so far!
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to clean all user accounts but let's stick to one at a time with logs because it gets too confusing otherwise.

    First make sure you have your Internet Security settings at Medium. From IE, click Tools, Internet Options, Security tab, Custom Level, and then down where it says "Reset custom settings" make sure you have it set to Medium.

    Now do the below. Some of these steps may result in an error message; just let me know when you come back what happened, but no matter what happens just continue to the next steps.

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u cnshook.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Now repeat the above for CnsMin.dll and CnsMinEx.dll

    Now open a command prompt Window again and do the below. Let me know the results
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s cns*.dll
    ren CnsMin.dll CnsDel.dll

    exit


    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixCNS.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixCNS.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll
    O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
    O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
    O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
    O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
    O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
    O11 - Options group: [!CNS] Chinese keywords
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0300f0e30e6c44eb8306/netzip/RdxIE601.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\Documents and Settings\Eric\Application Data\cnsw.exe
    C:\Program Files\3721 <--- the whole folder

    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines, each followed by the Enter key:
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s cns*.dll
    del cns*.*
    cd 3721 <---- make absolutely sure that this CD (change directory) works and that your command prompt shows that you are in this 3721 folder. DO NOT do the below commands unless you are in the C:\WINDOWS\Downloaded Program Files\3721 folder

    attrib -r -h -s *.*
    del *.*
    cd ..
    rd 3721
    exit

    Now run CCleaner.

    Now reboot in normal mode and post a new HJT log. And tell me the results of the above steps and how things are working.
     
  8. alexndrite

    alexndrite Private E-2

    Well, while running your steps the following errors were encountered:

    1) While running regsvr32 /u cnshook.dll the following message appeared: "LoadLibrary ("cnshook.dll") failed - The specified module could not be found." Same thing for CnsMinEx.dll, but that one was already deleted in a previous post. It worked for CnsMin.dll, though.

    2) There were no errors with the "ren CnsMin.dll CnsDel.dll" part.

    3) When running HJT the four O9 items couldn't be found. However they don't appear in the attached log either, so I guess they were cleaned somehow.

    4) cnsw.exe was not found. C:\Program Files\3721 couldn't be deleted - same problem as before.

    5) When doing "del cns*.*" the message "Access is denied." was given for "cnsio.dll" and "CnsMinIO.dll". The following cns-related files remain in the folder: CnsHook.dll, CnsMin.dll, cnsio.dll and CnsMinIO.dll.

    On another note, while booting in safe mode before the login screen came on there was a long list of text - which I assume is normal - and there was this one line I spotted: "multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\system32\drivers\CnsMinKP.sys". I suspect it might have something to do with the problems.

    CnsMin is a tough cookie to crack, huh. Well, attached is the new HJT log - and thanks for your help!
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try a potentially easy way.

    Download, install, and update Spy Sweeper
    This is a trial version with a one time update.
    Then run a full scan with Spysweeper and let it fix everything it finds and save the log. Post it back here.

    If it finds anything that cannot be fixed, boot into safe mode and run it again.

    Post your results when you come back.

    CNSmin can add dozens of entries into the registry. I'm hoping SpySweeper will find and remove them so we can avoid manual procedures.
     
  10. alexndrite

    alexndrite Private E-2

    Well, attached is the Spy Sweeper log. I ran it quite a few times, but only the latest (topmost) one is relevant since the last few times were just repeating the same thing over again and again.

    Well, it seems like it didn't work =( I think at this point we might have to rip that monster out of the registry. I wonder if booting into DOS mode will help (if that's possible)?
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Win XP does not have a true DOS boot mode.

    Please try this:
    - physically unplug your cable to the internet
    - reboot into Safe Mode
    - run a full scan with SpySweeper in safe mode and fix what it finds
    - IMPORTANT: immediately reboot into normal mode (still no internet connection)
    - run SpySweeper again
    - IMPORTANT: immediately reboot into normal mode
    - reconnect to the internet and upload logs and tell me what happened.
     
  12. alexndrite

    alexndrite Private E-2

    If I ever meet the person who created CnsMin I'll exsanguinate him/her alive.

    That, incidentally, means that it didn't work. :( Still, attached is the log for your perusal.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try a more comprehensive registry patch. But do not use it while you are in normal boot mode. Just download the patch and then we will reboot into safe mode with no network support and merge in the patch. Then while in safe mode manually try deleting all the files and folders we have been trying to remove thus far.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixCNS.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixCNS.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    While in safe mode, delete the below files if found (add any others like the ones in downloaded program files )
    c:\Windows\system32\c_is2022.dll
    C:\Program Files\3721\3721 <--- the subfolder
    C:\Program Files\3721 <--- the folder
    Also look in your Favorites for 3721 chinese keywords.url and delete it too.

    Now while in safe mode run HJT and fix the CNS related lines.

    Now pull the power plug to your PC (yes that's what I said). We want to avoid a graceful shutdown.
    Now wait 2 minutes and then boot in normal mode. Get a new HJT log and post it. Tell me the results of the above.
     
    Last edited: Jul 13, 2005
  14. alexndrite

    alexndrite Private E-2

    The registry patch isn't working. I suspect it's because it's missing the "regedit4" line, but I'm not an expert on this, so I thought I'd check with you first.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. I just edited the previous post to fix it. Try it now.
     
  16. alexndrite

    alexndrite Private E-2

    Well, I did as you suggested. c_is2002.dll was deleted, C:\Program Files\3721\3721 didn't exist, I couldn't find the url in Favorites, and CnsMin.dll and CnsHook.dll are still there. Judging from the log, it seems like it didn't work.

    One interesting thing, though, is that I finally managed to delete C:\Program Files\3721 by moving the ENTIRE folder to my desktop, then deleting it. (Moving CNSMIN.DAT alone wouldn't work.) So far it hasn't respawned. I wonder if we could try something similar for CnsMin.dll and CnsHook.dll? The problem, of course, is that there are other files in the Downloaded Program Files folder...
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall SpySweeper and then reboot into safe mode and try the registry patches, the HJT fixes, and the file deletions (even if you have to move to the desktop first); yes, delete all the ones I previously listed in the Downloaded Program Files folder from the command prompt. I have a feeling SpySweeper may be getting in our way right now.

    Did you delete the 3721 folder before or after the last registry patch?
     
  18. alexndrite

    alexndrite Private E-2

    3721 was deleted after running the patch.

    But I guess it doesn't matter much now because, as far as I can tell, my log is clean! *victory dance* Guess moving the Downloaded Program Files folder helped.

    Well, I guess all that's left to do now is to clean up the other accounts.

    Also, I'm aware that there are a lot of other related files left all over my computer (like the CnsMinKP.sys one I noted earlier). How do I find and get rid of all of them to make sure the problem will absolutely not respawn again in the future?

    Attached is the latest HJT log, just for you to check that it's clean.
     


  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should configure Windows search as below and use it to look for files:

    How to use windows XP search mechanism to look for hidden files:
    If you use Search, you need to do the following:
    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter cns*.* to find any files that begin with cns.
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.
     
  20. alexndrite

    alexndrite Private E-2

    Well, I have 4 files left now, but 3 are in the WINDOWS\system32 folder and 1 in WINDOWS\system32\drivers. Like before they can't be removed by conventional means, which means I have to move the entire system32 folder to delete them. Question is, is it safe to move the folder while Windows is running? Will it cause a crash?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's not a good idea to move the system32 folder.

    Sometimes booting in safe mode and then renaming the file is accepted. And then after another reboot the file can then be deleted.

    Also moving a file (maybe first renaming) to the Desktop and then deleting works.

    Pocket Killbox can also be used to remove items at reboot. Just search the forum for Killbox and you will find many threads where we use this.
     
