Hi Dave, I think you are going to have to become penpals with someone in China.
Seriously though, this cnsmin is a bit crazy. I just downloaded it to try out some fixes and this isn't nice. It's not even Chinese on mine, it's just random text (probably because I don't have a Chinese language pack). It took me about an hour to figure it out, but the uninstall on the add/remove screen helped a lot.
Well, here's what I found out, hope it helps you. The files look obvious enough.
I downloaded cnsmin to the desktop, which created a file called setup.exe. I had to turn off Spysweeper and Spyware Guard to get this to install as it kept being blocked.
Spyware Guard detected the BHO installing, which I allowed, and then Spysweeper detected the startup entry.
After installing I got loads of Chinese-type pop-ups and had problems restarting the PC: it rebooted and then reset after getting on the desktop, then rebooted again.
Running HijackThis, the entries are showing up as:
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O11 - Options group: [!CNS] Chinese keywords
Here are the scanner results without fixing anything:
Spysweeper - found 171 traces of the trojan horse cnsmin, mostly registry entries and some files under c:\windows\downloaded program files\cnshook.dll & cnsmin.dll
There was an entry in add/remove programs called 'Chinese Keywords' which I removed. It said it had been uninstalled but there were parts in use and they will be deleted when I reboot.
2nd scan with Spysweeper after using uninstall (Chinese Keywords):
This made a huge difference after using the uninstall on the add/remove screen. Only 14 traces were detected this time (.dlls and reg entries under HKEY_CLASSES_ROOT\CnsminHK, 10 entries, then the .dlls).
Spybot - only found 4 files (it's showing 2 files in windows\downloaded program files and then 2 registry keys under HKEY_CLASSES_ROOT\CnsminHK.Cnshook & Cnshook1)
Adaware - found the same 4 files as Spybot
I rebooted to see if the uninstaller would delete the other files like it said.
Spysweeper is still showing 14 traces of this, even though most of these are in the HKEY_CLASSES folder.

Removal

It looks like you cannot delete CnsMin whilst it is running; if you try to deregister it, it restores all its registry entries immediately.
But it is possible to move the files so that they cannot be reloaded ;o)
(For NT/XP/2000)
Open the Command prompt (Start -> Programs -> Accessories) and type (or copy & paste):
cd "%WinDir%\Downloaded Program Files"
ren CnsMin.dll CnsDel.dll
Reboot and load the Command prompt again. Type:
cd "%WinDir%\Downloaded Program Files"
del cns*.*
Download and run CCleaner
http://download.ccleaner.com/download119bin.asp
To clean up the remaining traces of the software, open the registry (Start -> Run -> regedit) and delete the following keys if found.
These were present before using the Chinese Keywords uninstaller from the add/remove screen; CnsHook entries might be all that's left.
HKEY_CLASSES_ROOT\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}
HKEY_CLASSES_ROOT\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}
HKEY_CLASSES_ROOT\CnsHelper.CH
HKEY_CLASSES_ROOT\CnsHelper.CH.1
HKEY_CLASSES_ROOT\CnsMinHK.CnsHook
HKEY_CLASSES_ROOT\CnsMinHK.CnsHook.1
HKEY_CURRENT_USER\Software\3721
HKEY_LOCAL_MACHINE\Software\3721
HKEY_LOCAL_MACHINE\Software\InterChina
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions\!CNS
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ed-B850-E423120EC338}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CnsMin
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CnsMin
Then reboot again.
That should be fixed.
Here are my logs now:
Spysweeper - Clear
HijackThis - Clear
Adaware - 1 cookie (unrelated)
Spybot - Clear
Good luck.
If you have any problems let me know and I'd try to help where I can.
Regards, Andy
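
An added example, not part of Andy's post: a small Python checker that reads HijackThis log lines in the O2/O4/O11 shapes quoted above and flags those matching the CnsMin CLSIDs, file names and entry names given in the post, which is useful for confirming a log is clean after the removal steps. The sample log, including the two benign "Example" entries, is constructed for illustration.

```python
import re

# Indicators copied from the post (HijackThis entries and the CLSID key list).
CNS_CLSIDS = {"{D157330A-9EF3-49F8-9A67-4141AC41ADD4}",
              "{B83FC273-3522-4CC6-92EC-75CC86678DA4}"}
CNS_FILES = {"cnsmin.dll", "cnshook.dll"}
CNS_NAMES = {"cnsmin", "!cns"}

# Line shapes as shown in the post: O2 = BHO, O4 = startup entry, O11 = IE options group.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<cmd>.+)$"),
    "O4": re.compile(r"^O4 - \S+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"),
    "O11": re.compile(r"^O11 - Options group: \[(?P<name>[^\]]+)\]"),
}

def _basenames(cmd):
    """Lower-cased file names in a command line, dropping rundll32 ',EntryPoint' suffixes."""
    return {tok.strip('"').split(",")[0].rsplit("\\", 1)[-1].lower() for tok in cmd.split()}

def classify(line):
    """Return (section, reasons) for a HijackThis line; reasons is empty if nothing matched."""
    for section, pattern in PATTERNS.items():
        m = pattern.match(line.strip())
        if not m:
            continue
        fields, reasons = m.groupdict(), []
        if fields.get("clsid", "").upper() in CNS_CLSIDS:
            reasons.append("clsid")
        if fields["name"].lower() in CNS_NAMES:
            reasons.append("name")
        if _basenames(fields.get("cmd", "")) & CNS_FILES:
            reasons.append("file")
        return section, reasons
    return None, []

def scan(log_text):
    """List (line_number, section, reasons) for every line that matches an indicator."""
    results = ((n, *classify(l)) for n, l in enumerate(log_text.splitlines(), 1))
    return [r for r in results if r[2]]

# Constructed sample log: the three entries from the post plus two benign placeholder entries.
SAMPLE_LOG = r"""O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O2 - BHO: Example - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O11 - Options group: [!CNS] Chinese keywords"""
```

Calling `scan(SAMPLE_LOG)` returns one tuple per flagged line; an empty list corresponds to the "HijackThis - Clear" result reported at the end of the post.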