Kevin Davies
I tried to provide a spyware report but it failed to submit.
CnsMin is a known Internet Explorer search bar modification
from China. Microsoft AntiSpyware detects it and tries to
remove it but fails as it re-appears. It seems that the
startup registry protection is bypassed using the following
Startup registry entry to load the DLL into the system.
Name CnsMin
String "Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32"
The software then monitors its startup registry settings
and files for any modifications and fixes them instantly.
This is apparent when you rename the registry entry and it
immediately creates it again and also tries to add other
registry entries which are denied by MS AntiSpyware.
The files are stored in %windir%\Downloaded Program Files
but you cannot see them using windows explorer. No idea
why. The only way you can see the files is using dir on the
command prompt. If you rename them they are restored.
It appears the way to remove this is to kill the monitoring
process but you can't find it because it is hidden from the
process list. I tried using process explorer from
Sysinternals.com and could not find any of the Cns*
processes although they do exist. When closing down the
system once it asked me if I wanted to "End Now"... CnsMain
so it shows it's running even though I cannot see it.
Looking at the properties of rundll32 in process explorer
I can see the CnsMin hooks into the rundll32 process.
So IMHO we need to monitor attempts to add registry entries
to the registry *when they are removed* by MS AntiSpyware
and permanently block those entries from being added in the
future. If after the reboot and software removal, they
continue to attempt to be added we need to track the
processes that are doing this and report this information
back to spynet.
Looking forward to an update that fixes this.
Regards
Kevin Davies
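As an added example (not part of Kevin's post, and not Microsoft AntiSpyware code), here is a Python script that triages Run-key entries for exactly the pattern he describes: rundll32.exe hosting a DLL out of Downloaded Program Files, referenced through an 8.3 short name. The trusted/suspicious directory lists and the three sample entries are my own assumptions, constructed for this example; the live registry read only runs on Windows, and the script falls back to the sample data elsewhere.

```python
"""Triage Run-key autostart entries for the rundll32-hosted DLL pattern
described in the post. Added example, not code from the post or from
Microsoft AntiSpyware. Sample entries are constructed."""
import os
import re
import stat
import sys

# Assumption for this example: a rundll32-hosted autostart DLL normally
# lives in one of these directories; anything else deserves a look.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Downloaded Program Files is meant for ActiveX controls, not Run-key DLLs.
# The 8.3 short form is listed too because the post's entry uses it.
SUSPICIOUS_DLL_DIRS = (r"c:\windows\downloaded program files",
                       r"c:\windows\downlo~1")

# rundll32 syntax: rundll32.exe <dll>,<entrypoint> [arguments]
RUNDLL_RE = re.compile(r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(.+)$', re.IGNORECASE)


def parse_rundll32(command):
    """Return (dll_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(command.strip())
    if not m:
        return None
    # The "<dll>,<entry>" token ends at the first whitespace; drop any quotes.
    token = m.group(1).split(None, 1)[0].strip('"')
    dll, _, entry = token.partition(",")
    return dll, entry


def dll_hidden_on_disk(path):
    """True if the file exists with the hidden or system attribute (Windows only)."""
    if sys.platform != "win32" or not os.path.exists(path):
        return False
    attrs = os.stat(path).st_file_attributes
    return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))


def assess_run_entry(name, command):
    """Classify one Run value as 'ok', 'review' or 'suspicious', with reasons."""
    parsed = parse_rundll32(command)
    if parsed is None:
        return "ok", []
    dll, _entry = parsed
    low = dll.lower()
    reasons = ["DLL is hosted by rundll32.exe, so it has no process of its own"]
    if any(low.startswith(d) for d in SUSPICIOUS_DLL_DIRS):
        reasons.append("DLL loaded from Downloaded Program Files")
    elif "\\" in dll and not any(low.startswith(d) for d in TRUSTED_DLL_DIRS):
        reasons.append("DLL outside the system directories")
    if "~" in dll:
        reasons.append("8.3 short name (downlo~1 style) used instead of the full path")
    if dll_hidden_on_disk(dll):
        reasons.append("file carries the hidden or system attribute")
    verdict = "suspicious" if len(reasons) > 1 else "review"
    return verdict, reasons


def enumerate_run_entries():
    """Yield (hive, name, command) from the HKLM and HKCU Run keys (Windows only)."""
    if sys.platform != "win32":
        return
    import winreg
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            key = winreg.OpenKey(hive, subkey)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    value_name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values under this key
                    break
                yield hive_name, value_name, str(data)
                index += 1


# Constructed sample: the entry quoted in the post plus two ordinary ones.
SAMPLE_ENTRIES = [
    ("HKLM", "CnsMin", r"Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32"),
    ("HKLM", "NvCplDaemon", r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"),
    ("HKCU", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]


def triage(entries):
    """Return {name: (verdict, reasons)} for every entry that is not plainly ok."""
    report = {}
    for _hive, name, command in entries:
        verdict, reasons = assess_run_entry(name, command)
        if verdict != "ok":
            report[name] = (verdict, reasons)
    return report


if __name__ == "__main__":
    live = list(enumerate_run_entries())
    for name, (verdict, reasons) in triage(live or SAMPLE_ENTRIES).items():
        print(f"{verdict:10} {name}")
        for reason in reasons:
            print(f"           - {reason}")
```

Two things worth knowing when chasing this kind of entry: Process Explorer will never show a "CnsMin" process, because the DLL runs inside rundll32.exe, so look at the DLL (lower pane) view of each rundll32.exe instance instead. And Downloaded Program Files is a shell namespace folder, so Explorer displays the registered ActiveX controls rather than the raw files; `dir /a` at a command prompt lists what is really there, hidden attributes included.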