CnsMin

[Thomas]

Hi,

I have detected a new strain of CnsMin on my computer
that is resistent to deletion - I have tried multiple
different spyware version and has not been sucessful
including yours. I have tried your advanced feature to
try to block or delete its processes but also not
sucessful.

I have tried to use your suspected spyware reporting tool
to supply you information but it came back as and error
message: "An error occurred submitting the scan results.
Please check your internet proxy settings and try again."
Despite me being able to use the net - I cannot submit
the report to you because of the above error.

Such an interesting and challenging spyware - can you
help?

 

[Engel]

Hello Thomas

Please submit a suspected spyware report to spynet. (tools-

submit suspected spyware report).

Feel free to say what you've got in place and have tried,
and that it didn't work.

Once that has completed, please reboot into safe mode
logged in as administrator and run a full antivirus and
spyware scan with the latest signatures to see if that
helps.


http://www.doxdesk.com/parasite/CnsMin.html

http://inetexplorer.mvps.org/data/cnsmin.htm

http://www3.ca.com/securityadvisor/pest/pest.aspx?
id=453075460

http://www.spywareguide.com/product_show.php?id=469

http://www.pestpatrol.com/PestInfo/C/CnsMin.asp

Good luck

Engel

 

[AndyManchesta]

I thought id make the cmd part abit clearer,Goto start
then run and type cmd

copy and paste this in :


cd "%WinDir%\Downloaded Program Files"
ren CnsMin.dll CnsDel.dll




Reboot and load the Command prompt again then copy and
paste this in :




cd "%WinDir%\Downloaded Program Files"
del cns*.*



Then close the command prompt




Andy

 

[Thomas]

Thank you Andy and Engel.

This CnsMin is not only untouchable - it is the Lord
Supreme of spyware. I have been fighting it for months
and has not been sucessful. It is so clever that it can
even change with our attack. Let me give you a run down
on what I have tried - this will take a well.

I have tried all the manual steps listed in Doxdesk.com
and other antispyware website previously and it did not
work. Infact I tried to be ingenuous and tried even more
than what doxdesk has asked for as in removing other
things by dos command prompt too - and to date - I have
failed.

First antispyware I have is spybot - that failed
everytime - did not even come close.
Next - Yahoo Antispy - that delete some but always come
back.
Next Computer associates Pest Patrol - that did delete
and advised restart initially but subsequent scans - it
may just become disbabled and become non-responsive. I
have tried to run the Pest patrol both in normal mode and
in safe mode too (adminstrator) --- one important point
to note - ever since I have CnsMin on board - I have been
denied access to my administrator mode under the normal
boot up and can only access my adminstrator mode under
the safe mode boot up.

Next I have been trying to solve this problem with tech
support at CA pest patrol -- we have tried multiple
approach and to date CA pest patrol has temporarily
conceded defeat -- telling me that the case is currently
under research and will stay open as of date. The
following are the things we have tried:

1) Thank you for contacting my-eTrust Technical Support
Please delete the following files and registry entries
from the machine to get rid of that pest.
Boot the machine into SAFEMODE and delete the folder
RECYCLER from File "C:\".
Delete the folder 'Yahoo' from "C:\Program Files" and the
folder 3721.
The folder "downloaded program files" from C:\Windows and
File "C:\WINDOWS\system32\drivers\cnsminkp.sys"
The folder 'downlo~1' from File "C:\WINDOWS\"
Go to Start->Run->Regedit and delete the entries, delete
folder !cns from key "hkey_local_machine
\software\microsoft\internet explorer\advancedoptions\"
key "hkey_local_machine \software\3721 folder should be
deleted.
Folder extensions from key "hkey_local_machine
\software\microsoft\internet explorer
Incase of any further assistance in this regard, please
revert back to this email
Thank you and have a great day<

---> Tried the above -- My reply:
Hi, I tried to go along with your instructions but could
not complete the very first step - unable to delete the
file RECYCLER from C:\ --- the error message is "Access
denied. Please ensure that file is not in use or write
protected etc." Is there anything I need to do before I
can delete that file? I.e. any processes I need to kill
before I can delete that file? I think I saw the file
cnsminkp.sys loading even with my safemode startup.
Please further advise.

2) Their reply:
Thank you for contacting my-eTrust Technical Support
In order to delete that file, you may have to set
permissions.
Just right click on that particular registry entry and
set permissions as full access to the user.
Then delete the file.
Incase of any further assistance in this regard, please
revert back to this email

My reply:
Hi, after trying your advice, I finally did manage to
delete the RECYCLER folder after going through the
permission lists of all subfolders and deleting them
individually. However, I am not able to delete the
Downloaded program file list - I did manage to disable my
Yahoo Messenger though. Two files in the Downloaded
program files folder is especially resistant to deletion -
the CnsHook.dll and the CnsMin.dll files. This are the
only 2 files left and they will reappear a few seconds
after I delete them. And without deleting this 2 files,
windows would not allow me to delete the folder
downloaded program files completely. Also, everytime I
attempt to delete these 2 files, I will notice the the
RECYCLER folder may reappear too.
Also, there is still a problem with this 2 files that
will also reappear every single time I try to remove them
manually - see this message that I sent previously: Hi
Sam, after trying your advice, I finally did manage to
delete the RECYCLER folder after going through the
permission lists of all subfolders and deleting them
individually. However, I am not able to delete the
Downloaded program file list - I did manage to disable my
Yahoo Messenger though. Two files in the Downloaded
program files folder is especially resistant to deletion -
the CnsHook.dll and the CnsMin.dll files. This are the
only 2 files left and they will reappear a few seconds
after I delete them. And without deleting this 2 files,
windows would not allow me to delete the folder
downloaded program files completely. Also, everytime I
attempt to delete these 2 files, I will notice the the
RECYCLER folder may reappear too. How do I remove the 2
files above?

3)Their reply:
Hi ,
Thank you for contacting my-eTrust Technical Support
Please try to remove the files in the SAFEMODE for
permanent deletion.
Incase of any further assistance in this regard, please
revert back to this email

My reply:
I did try to remove them in Safe mode. I tried all the
permission step you previously suggested too. I even
tried to used the MSDOS command prompt to try to delete
it. I tried even to rename it first then delete. Also
tried rename first, then reboot then delete - all in
MSDOS command mode - doesn't work. Tried all the ways I
can think of so far - to remove them in SAFE mode using
both the windows delete function as well as the MSDOS
delete function - doesn't work. This is the most
resistant pest I have met thus far.

4) Their reply:
Hi,
Thank you for contacting eTrust PestPatrol HelpDesk.
There are a couple of things I would like you to do in an
attempt to resolve this issue.
Please note: It is very important that you follow this
email in order. The first thing we need to ensure is that
you have the most recent updates. This can be done by
selecting the Updates menu under the Advanced Settings
section of your software.
Next, please look in your Add/Remove Programs Control
Panel for any toolbars, search bars, search assistants
and any other odd programs that may be present there and
uninstall them.
When you are done in the Control Panel, please run a
thorough scan. To do that, you will need to select custom
scan from the scan menu. Here you will see your different
drive letters, please select the ones you would like to
scan. I would encourage you to select all of the drive
letters associated with the hard drive(s) on your PC.
When the scan is complete please select the items you
would like to keep and click the Exclude Checked Pests
button.
Next, check the remaining pests and click on Quarantine.
Reboot your PC and run another scan to see if you are
still experiencing the same issues. If you are, please
try the following: 1. shut down your computer 2. turn it
back on and tap the F8 key repeatedly until you get a
boot menu 3. select Safe Mode with Networking ***if you
have Safe Mode as the only option please select it***
Once you are in Safe Mode please delete any items located
within the temp directory. It is possible for some pest
(s) to hide within this directory and to reinstall
components that have been removed by Pest Patrol. To
clear the temp directory: 1. click on start, then run and
enter %temp% 2. click ok and a new window will open - you
will be in a temp folder 3. please hold down "Ctrl" on
the keyboard and press the "A" key - this will select ALL
items in the folder 4. press the "Delete" key on the
keyboard Reboot your PC into Normal Mode and rescan again
with PestPatrol. See if the problem still pertains. If it
does, this means that there is one or more files residing
on your system called a "trickler". These files load on
bootup and cause the pest(s) to reappear.
To track down which file(s) may be responsible: 1. click
on start, then run and enter msconfig 2. click on ok and
you will be taken into the system configuration utility
3. click on the startup tab at the top right-hand corner
4. please make a list of what is checked in these boxes
5. uncheck all components and click on ok !!!PLEASE MAKE
SURE THAT THE ONLY TAB YOU ALTER IN MSCONFIG IS THE
STARTUP TAB!!! 6. you will be asked to reboot the
computer, please click yes or ok 7. after the reboot you
will see a pop-up telling you that you have made changes
in configuration utility, place a check in the box and
click ok Check to see if any pests have returned. If not,
then you know it was one of the startup programs that was
causing the issue. At this point you can go back into
msconfig startup tab and recheck one item at a time.
Please note: you will need to reboot after each item is
checked and run a scan to see if the pest(s) returned.
Completing the steps above should resolve your issue. If
for some reason it does not, please send me a copy of the
logs by following the steps below:
1. Launch PestPatrol and click on "Advanced Settings"
2. Click on Log
3. Click on Save Log
4. Save it to the location you can easily find it from 5.
From your e-mail program you can then attach the log by
using the "Attach" function and browsing to the saved log.
You can also include the Quarantine Log:
1. Click on Advanced Settings
2. Click on Quarantined Pests
3. Click on Save Report
4. Save it to the location you can easily find it from
5. From your e-mail program you can then attach the log
by using the "Attach" function and browsing to the saved
log.
Thank you and have a great day
CA Consumer Support

My reply:
I am now convinced that this is one of the most powerful
and clever pest ever. I have tried all the steps you
described. First of all, when I tried to remove all the
suspicious stuffs from my Add/Remove programs - there are
2 programs that are not removable: 1) A program
named "Yahoo Address Autocomplete" and 2) Yahoo Messenger
explorer bar. I think that these are 2 programs
masquerading as Yahoo programs - I have uninstalled my
Yahoo components without problems but cannot uninstall
those 2 programs even in safe mode. Then, I am not able
to load my safemode with networking - the computer will
show an error blue screen everytime I try to do that.
Also, everytime I tried to use you program to quarantine
the Cnsmin pests - your program will become unresponsive.
This goes the same from the freeware program spybot.
Next, I tried to use the msconfig to stop all my startup
programs as you have suggested. I rebooted and guess
what? Lo and Behold, there are 2 programs that I cannot
even use my msconfig to disable (see how smart these
people are). These 2 programs are as follows: 1) Name:
Cnsmin; Command: Rund1132.exe C:\WINDOWS\DOWNLO~1
\Cnsmin.dll,Rundll32; location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; the
other program that continues to appear is Name: Ctfmon,
Command: C:\WINDOWS\system32\ctfmon.exe, location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Even
in safemode after trying to disable all the startup
programs, I cannot remove the program that is not
removable with the add/remove command and I cannot use
your program to quarantine Cnsmin - your program just
become unresponsive. And I cannot boot into safemode with
networking. I can however boot into safemode. Even after
trying to disable all the startup programs and also
booting into safemode, I noticed that the program file
Cnsminkp.sys continues to load with boot up. I will
attach the log for you. As your program continues
to "Hang" (ie. becomes unresponsive) everytime I try to
quarantine Cnsmin, I have no quarantine files to attach.
Please advise with this extremely clever and ingenius
pest. (Just a few days ago, my privacy firewall detected
it trying to send my bank account number over the net to
someplace with 3721 in it net address - it may function
more than a hijacker). Thanks for your help.

5) Their reply:
Hi,
Thank you for contacting my-eTrust Technical Support
Please follow the steps and provide us the required
information to get this issue resolved.
1. Please go to C:\Documents and Settings\All
Users\Application Data\CA\eTrustPestPatrol and delete
PPv5log.txt.
2. Open eTrust PestPatrol and run a complete custom scan
on the machine, quarantine the pests found.
3. Run a custom scan again and quarantine the pests if
they are redetected.
Then, reboot the system in safe mode session and have the
scan again with a custom scan with ePP and then
quarantine all the pests found. Send the PPv5Log.txt
For assistance in going to Safe Mode, please go through
the following URL LINK
Click Start > Run > "MSInfo32.exe" - then "Save" as
an .NFO file and email this to us for further analysis.
Please zip it before attaching or attach all these files
in a single zip file
Next one is download this file and create a report
Digital detective
Download this and run it and send us a report which is
generated
It displays all the files which are there in the PC so us
to check.

My reply:
Thanks for looking deeper into the case. I have followed
your instruction and will be attaching the files you
requested. The first scan with EPP, I quarantined the
files, it says I should restart but I did not and scanned
again as you have instructed and quarantined again. The
first scan yield about 200 plus files, the second scan
yield about 66 files that is only related to Cnsmin. I
then restarted and rebooted into safe mode. This time the
scan turns up only 61 files related to Cnsmin but while
trying to quarantine the pests, your program became
unresponsive (as per previous time - probably diabled by
this strong pest). I will attach files you requested. If
you need me to also attach the files that cannot be
deleted whatever method I try - i.e. the Cnsmin.dll and
Cnshook.dll in the C:\Windows\Downloaded program files
folder - please let me know and I will attach them for
you. Recently, I had found that there are files in the
folder C:\program files\3721 that cannot be deleted too.
Thanks for you help - Hope you find fighting this super
pest an enjoyable challenge

6) Subsequently - they sent me a .bat file to run on my
computer to help fight this. I tried it and the following
is my reply:
Hi, Thanks for working on this problem. I have done the
steps mentioned in your email. The steps I did was: 1.
Extracted the correctreg.bat file you sent me. 2. Logged
into safemode. 3. Ran the correctreg.bat file and then
tried to delete cnsmin.dll and cnshook.dll 4. At the same
time, I deleted many other files in the same downloaded
Program files folder, deleted the folder Recycler under
C:\, tried to delete the folder C:\Program files\3721 The
following are the programs encountered: 1. I managed to
delete the folder C:\Recycler, it allowed me to delete
the cnsmin.dll and cnshook.dll but once you go out of the
folder C:\windows\downloaded Program files -- those 2
files will reappear. Also, this time, there are also 2
files in that same folder that cannot be deleted -- the
Cnsio.dll and CnsminIO.dll files - both cannot be deleted
and would not allow me to even change permissions or take
hold of them. 2. The file CNSMIN.dat in C:\program
files\3721 is now resistant to deletion too 3. I think
they have taken control of my recycle bin too. Now,
whatever file I delete will no longer go into the recycle
bin but will just disappear. 4. After I reboot back to
normal mode and rescanned, there are still 165 files
reviewed. I tried to quarantine, although EPP became
unresponsive while doing that, I still manage to get a
quarantine report to sent off to you. I will be attaching
ZIP file containing the PPv5log.txt from the folder that
you told me about during your last email (I did the
delete thing then rescan again), as well as the
quarantine pest report and also the digital detective
report that I generated again this time. Thanks and
please keep me updated.

Their most current reply:
Hi,
Thank you for contacting my-eTrust Technical Support
Thank you for the information provided to us regarding
the issue. The issue is still under research and we shall
get back to you once we get the update from our research
team. Until then, the issue will be under open status

 

[Guest]

One more thing - there are 2 programs that show up under
my add/remove program category - the Yahoo! Messenger
explorer bar and the Yahoo! Address autocomplete --- I
think these 2 are CnsMin masquerading as Yahoo - I have
been able to remove all other components of my Yahoo
toolbars or messenger except these 2 and at one stage - I
have found something that is masquerade as Yahoo
components - the YPager with a symbol we all so often
associate with Yahoo. Nowadays- even when I click to
check my Yahoo mails - there are attempts to send some
private information of mine over the web - which was
blocked with my Norton internet security.

Alright guys -if you enjoy a challenge - try this SUPREME
LORD OF SPYWARE. Let me knwo if you find anything helpful.

 

[Guest]

Of note - my scans with MS antispy are in the customed -
thorough deep scan type and it still cannot remove it.

 

[AndyManchesta]

Hi Again Its sounds like you have tried alot of things ,
I downloaded Cnsmin and shifted it within 30 mins so was
thinking its not that bad really but from what you are
saying its really dug itself in to yours ,I must of been
lucky with the add/remove screen entry(Chinese Keywords)
as it removed most of the crap,Spysweeper went from
detecting 171 to 14 after using the unistaller.The other
user said the unistaller took them to a chinese website
which was impossible to work out but again i must of been
lucky there.I'll have another crack at removing this
though if you have the time

I take it you have tried the add/remove screen chinese
keywords entry(note you should unplug your internet
connection before running the unistaller or else it takes
you to their site to probably download more crap)




ctfmon.exe is a genuine file and unconnected :

http://support.microsoft.com/?kbid=282599



Download Ccleaner to help clean up if you get this removed

http://download.ccleaner.com/download119bin.asp


copy this to notepad so you can still view it in safemode


Its hard to know which is the right order for this if you
have cns in the drivers folder it needs stopping

Goto start > then c/drive > then Windows > Open the
system32 folder > then the drivers folder > find

cnsminkp.sys

right click and rename it cnsminkp.old and then press
enter remove the start up entry from msconfig then remove
the cnsminkp.old file when you reboot into safe mode


If you wish to delete the cns downloaded program files
folder go for it this way :

First check msconfig

goto start then run and type

msconfig

goto the start up tab and check here for

CnsMin Rundll32.exe C:\WINDOWS\DOWNLO~1
\CNSMIN.DLL.Rundll32


Uncheck that, and Apply, then OK. Then restart your PC.
As your PC restarts, keep tapping F8 when you get the
menu, select safe mode with command prompt to go into DOS.

Now you'll have a C:\ prompt
Type the following;

cd \Windows\Downlo~1\

Now you'll have a C:\Windows\Downlo~1\ prompt

Type "dir" and you'll see any files this thing has dumped
in there,consisting of a number of files starting with
the letters cns, things like cnsmin.dll, cnsio, etc

There's also another directory called 3721.

Now to try delete it if its not still running ;press
control,alt & delete (task manager) and check the
processes tab for cns recheck msconfig and start over if
its still running .



Type the following at the C:\Windows\Downlo~1\ prompt;

del C:\Windows\Downlo~1\ cns*.*

When you hit enter on that command, DOS will respond with
Are you sure (Y/N)?

Enter Yes and reboot & proceed to remove the 3721 folder
and reg entries.


If this is something you have already tried and you wish
to remove the whole contents of the downloaded program
files folder then follow the above (msconfig,unchecking
the start up and booting into safe mode with command
prompt) but copy & paste this instead :


del C:\Windows\Downlo~1\ *.*


*BE VERY CAREFUL TO GET THIS RIGHT OTHERWISE YOU MIGHT
BLOW AWAY THE C:\WINDOWS DIRECTORY AND THAT WOULD BE VERY
VERY BAD

When you hit enter on that command, DOS will respond with
All files in directory will be deleted!
Are you sure (Y/N)?
Enter Y if you are VERY SURE you entered the command
right and you really want to delete the whole contents of
the downloaded program files folder.




To reset the recycle bin if its corrupted follow this .


open a command prompt,goto start,then run & type

cmd

Press enter to open the prompt screen


Copy and paste this line in :


attrib c:\recycler -h -s


Press Enter.Then type


del c:\recycler


Press enter again


Say yes when asked.Close the command prompt.

the recycle bin is recreated automatically by Windows (if
not immediately, then on the next reboot), and any thing
inside deleted.


clear the prefetch folder .Goto start run and type

Prefetch

delete the contents on this folder


Run Ccleaner on all 3 settings (windows,apps & issues)


Now Reboot the pc.

see if it loads again and if not clear the reg entries.,


Check these area's for 3721,cns or Interchina


HKEY_CLASSES_ROOT\CLSID\

{B83FC273-3522-4CC6-92EC-75CC86678DA4}

HKEY_CLASSES_ROOT\CLSID\

{D157330A-9EF3-49F8-9A67-4141AC41ADD4}

HKEY_CLASSES_ROOT\CnsHelper.CH
HKEY_CLASSES_ROOT\CnsHelper.CH.1


HKEY_CLASSES_ROOT\CnsMinHK.CnsHook
HKEY_CLASSES_ROOT\CnsMinHK.CnsHook.1


HKEY_CURRENT_USER\Software\3721
HKEY_LOCAL_MACHINE\Software\3721
HKEY_LOCAL_MACHINE\Software\InterChina

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\AdvancedOptions\!CNS

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Extensions\

{5D73EE86-05F1-49ed-B850-E423120EC338}

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Extensions\

{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Extensions\

{FD00D911-7529-4084-9946-A29F1BDF4FE5}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi
on\Run\CnsMin

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi
on\Uninstall\CnsMin




Another tool that may help for searching is this reg
searcher


This script allows you to search the registry for any
names and displays the results in notepad



http://andymanchesta.com/Downloads/RegSearch.vbs


**Note : VBScript and VBS files

VBScript files are nothing more than plain text files
with a .vbs extension, and they can be edited using any
text editor, such as Notepad. They contain a set of
instructions that are run when a user executes the file.
For example, you can create a .vbs file that reads a list
of names for shared folders on your local network and
maps a network drive to each name. Almost any action that
you can perform while sitting at your computer can be
automated by one of these scripts.

For this reason Most antivirus software will halt this
script and ask you if you want to proceed its mainly
because this script searches the registry and displays
results so its guarding the pc incase the script is being
run without your consent.The script is just a reg search
tool and harmless to your system.



If you still cannot remove this which im sure will be the
case if its running in the drivers folder and
regenerating download Hijack this and post the log to
show whats running on your pc.

Always create a Folder for HiJackThis anywhere but your
Temp/Temporary Internet Folders or Desktop. A good place
to make a folder would be in My Documents, as this is
where it will save the backup files needed if there's a
problem.)

Download Hijack this and save it into the new folder

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

choose to run a scan and save the logfile,when its
finished it will open the results in notepad post that
back if your still having problems and i will try help
more


Regards Andy

 

[AndyManchesta]

I wanted to add a couple of things You should turn off
your system restore untill you get clean again if you
havn't already

Disable System Restore:

Goto start > right click my computer > choose properties

then goto system restore and check the box ' Turn off

system restore ' then press apply, you can set a new
restore point when you are clean by following the above
but unchecking turn off system restore .


For deleting Index.dat files use Index.dat Suite 2.8.6

Auto-generatese batch files to assist in deleting the
index.dat files.

Full details here

http://majorgeeks.com/download.php?det=4280




Adware:Wengs

This adware is also related to cnsmin so maybe worth
checking for the value "Windows Update" in this area of
the registry :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Run




http://securityresponse.symantec.com/avcenter/venc/data/ad
ware.wengs.html





try using Adaware & Spysweeper in safe mode to remove
other traces :



Ad-Aware SE 1.06

http://www.download.com/3000-2144-10045910.html


Spy Sweeper Free Trial

http://www.webroot.com/shoppingcart/tryme.php?
bjpc=64002&vcode=DT02




Regards


Andy Manc