CnsMin Persistent Spyware Hooks RunDll32

Kevin Davies
19th Apr 2005
I tried to provide a spyware report but it failed to submit.

CnsMin is a known Internet Explorer search bar modification
from China. Microsoft AntiSpyware detects it and tries to
remove it but fails as it re-appears. It seems that the
startup registry protection is bypassed using the following
Startup registry entry to load the DLL into the system.

Name CnsMin
String "Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32"

The software then monitors its startup registry settings
and files for any modifications and fixes them instantly.
This is apparent when you rename the registry entry and it
immediately creates it again and also tries to add other
registry entries which are denied by MS AntiSpyware.

The files are stored in %windir%\Downloaded Program Files
but you cannot see them using Windows Explorer. No idea
why. The only way you can see the files is using dir on the
command prompt. If you rename them they are restored.

It appears the way to remove this is to kill the monitoring
process but you can't find it because it is hidden from the
process list. I tried using process explorer from
Sysinternals.com and could not find any of the Cns*
processes although they do exist. When closing down the
system once it asked me if I wanted to "End Now"... CnsMain
so it shows it's running even though I cannot see it.
Looking at the properties of rundll32 in process explorer
I can see the CnsMin hooks into the rundll32 process.

So IMHO we need to monitor attempts to add registry entries
to the registry *when they are removed* by MS AntiSpyware
and permanently block those entries from being added in the
future. If after the reboot and software removal, they
continue to attempt to be added we need to track the
processes that are doing this and report this information
back to spynet.

Looking forward to an update that fixes this.

Regards

Kevin Davies


Monitor
19th Apr 2005
Try again to send the report.
>-----Original Message-----
>I tried to provide a spyware report but it failed to submit.
>
>CnsMin is a known Internet Explorer search bar modification
>from China. Microsoft AntiSpyware detects it and tries to
>remove it but fails as it re-appears. It seems that the
>startup registry protection is bypassed using the following
>Startup registry entry to load the DLL into the system.
>
>Name CnsMin
>String "Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32"
>
>The software then monitors its startup registry settings
>and files for any modifications and fixes them instantly.
>This is apparent when you rename the registry entry and it
>immediately creates it again and also tries to add other
>registry entries which are denied by MS AntiSpyware.
>
>The files are stored in %windir%\Downloaded Program Files
>but you cannot see them using Windows Explorer. No idea
>why. The only way you can see the files is using dir on the
>command prompt. If you rename them they are restored.
>
>It appears the way to remove this is to kill the monitoring
>process but you can't find it because it is hidden from the
>process list. I tried using process explorer from
>Sysinternals.com and could not find any of the Cns*
>processes although they do exist. When closing down the
>system once it asked me if I wanted to "End Now"... CnsMain
>so it shows it's running even though I cannot see it.
>Looking at the properties of rundll32 in process explorer
>I can see the CnsMin hooks into the rundll32 process.
>
>So IMHO we need to monitor attempts to add registry entries
>to the registry *when they are removed* by MS AntiSpyware
>and permanently block those entries from being added in the
>future. If after the reboot and software removal, they
>continue to attempt to be added we need to track the
>processes that are doing this and report this information
>back to spynet.
>
>Looking forward to an update that fixes this.
>
>Regards
>
>Kevin Davies

Andre Da Costa
19th Apr 2005
Try doing a full system scan in safe mode: on the scan page, choose Scan
Options > Full System Scan (check the boxes below) and click "Run Scan Now".

Restart in safe mode instructions:
http://www.microsoft.com/resources/d..._failsafe.mspx
--

Andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

"Kevin Davies" <(E-Mail Removed)> wrote in message
news:02af01c5449a$2049ffa0$(E-Mail Removed)...
>I tried to provide a spyware report but it failed to submit.
>
> CnsMin is a known Internet Explorer search bar modification
> from China. Microsoft AntiSpyware detects it and tries to
> remove it but fails as it re-appears. It seems that the
> startup registry protection is bypassed using the following
> Startup registry entry to load the DLL into the system.
>
> Name CnsMin
> String "Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32"
>
> The software then monitors its startup registry settings
> and files for any modifications and fixes them instantly.
> This is apparent when you rename the registry entry and it
> immediately creates it again and also tries to add other
> registry entries which are denied by MS AntiSpyware.
>
> The files are stored in %windir%\Downloaded Program Files
> but you cannot see them using Windows Explorer. No idea
> why. The only way you can see the files is using dir on the
> command prompt. If you rename them they are restored.
>
> It appears the way to remove this is to kill the monitoring
> process but you can't find it because it is hidden from the
> process list. I tried using process explorer from
> Sysinternals.com and could not find any of the Cns*
> processes although they do exist. When closing down the
> system once it asked me if I wanted to "End Now"... CnsMain
> so it shows it's running even though I cannot see it.
> Looking at the properties of rundll32 in process explorer
> I can see the CnsMin hooks into the rundll32 process.
>
> So IMHO we need to monitor attempts to add registry entries
> to the registry *when they are removed* by MS AntiSpyware
> and permanently block those entries from being added in the
> future. If after the reboot and software removal, they
> continue to attempt to be added we need to track the
> processes that are doing this and report this information
> back to spynet.
>
> Looking forward to an update that fixes this.
>
> Regards
>
> Kevin Davies
>
>

Guest
22nd Apr 2005
Wow,

This bloody thing also installs a device driver
cnsminkp.sys. It's a driver that protects the spyware.
cnsminkp stands for cnsmin kill protect device driver.

You can tell windows how to stop loading device drivers
unless you are in recovery mode.

Ouch
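A defender-side check for the two persistence mechanisms this thread describes (the Run value that hands CnsMin.dll to rundll32, and the cnsminkp.sys kernel driver), written as an added example that is not part of the original thread. It parses constructed `reg query` style output; the ctfmon and Beep entries are assumed benign controls, and the driver's ImagePath is assumed for illustration.

```python
import re
# Constructed sample of `reg query` style output from an infected host; the
# CnsMin Run value and the cnsminkp driver follow the thread, the rest is assumed.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    CnsMin    REG_SZ    Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cnsminkp
    Type    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \??\C:\WINDOWS\downlo~1\cnsminkp.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep
    Type    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    system32\drivers\beep.sys
"""
# "rundll32[.exe] <dll>,<export>": capture the DLL path rundll32 will load.
RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(.+?),\s*\w+\s*$', re.I)
# Folders a startup DLL or driver should never live in (downlo~1 is the 8.3 short
# name of "Downloaded Program Files", the folder the thread found the files in).
UNTRUSTED_DIRS = ("downloaded program files", "downlo~1", "\\temp\\")

def parse_reg_query(text):
    """Return {key: {value_name: (type, data)}} from reg query output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # unindented line = key path
            current = line.strip()
            keys[current] = {}
        elif current is not None:      # indented line = name  type  data
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0]] = (parts[1], parts[2])
    return keys

def audit(keys):
    """Flag Run values feeding rundll32 an untrusted DLL, and kernel or file
    system drivers (Type 1/2) whose image sits outside the system32 drivers dir."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        if low.endswith("\\currentversion\\run"):
            for name, (_, data) in values.items():
                m = RUNDLL.match(data)
                if m and any(d in m.group(1).lower() for d in UNTRUSTED_DIRS):
                    findings.append(("rundll32_untrusted_dll", name, m.group(1)))
        elif "\\services\\" in low:
            drv_type = int(values.get("Type", ("", "0x0"))[1], 16)
            image = values.get("ImagePath", ("", ""))[1]
            if drv_type in (1, 2) and "system32\\drivers\\" not in image.lower():
                findings.append(("driver_outside_drivers_dir", key.rsplit("\\", 1)[1], image))
    return findings
```

Feed it output captured from the recovery console or an offline hive export rather than the live system, since, as the thread shows, the running spyware hides its files and process from the normal tools.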

Steve Dodson [MSFT]
22nd Apr 2005
Sounds a lot like rootkit behavior.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
<(E-Mail Removed)> wrote in message
news:0e2901c546d5$e37744f0$(E-Mail Removed)...
> Wow,
>
> This bloody thing also installs a device driver
> cnsminkp.sys. It's a driver that protects the spyware.
> cnsminkp stands for cnsmin kill protect device driver.
>
> You can tell windows how to stop loading device drivers
> unless you are in recovery mode.
>
> Ouch
>

Bill Sanderson
24th Apr 2005
Have you tried Sysinternals RootKitRevealer, or F-Secure's Blacklight beta
product?

(I just got around to reading this thread, and agree with Steve Dodson.)

Microsoft Antispyware can remove some threats which behave in "rootkit"
ways. They are definitely in the target group--so don't lose hope.

You might also try the antivirus vendors for some help. TrendMicro's online
scanner: http://housecall.trendmicro.com was able to ID one of the triad of
executables that Aurora uses for me, which I could not see with Microsoft
Antispyware or other process explorers I used.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

"Kevin Davies" <(E-Mail Removed)> wrote in message
news:02af01c5449a$2049ffa0$(E-Mail Removed)...
>I tried to provide a spyware report but it failed to submit.
>
> CnsMin is a known Internet Explorer search bar modification
> from China. Microsoft AntiSpyware detects it and tries to
> remove it but fails as it re-appears. It seems that the
> startup registry protection is bypassed using the following
> Startup registry entry to load the DLL into the system.
>
> Name CnsMin
> String "Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32"
>
> The software then monitors its startup registry settings
> and files for any modifications and fixes them instantly.
> This is apparent when you rename the registry entry and it
> immediately creates it again and also tries to add other
> registry entries which are denied by MS AntiSpyware.
>
> The files are stored in %windir%\Downloaded Program Files
> but you cannot see them using Windows Explorer. No idea
> why. The only way you can see the files is using dir on the
> command prompt. If you rename them they are restored.
>
> It appears the way to remove this is to kill the monitoring
> process but you can't find it because it is hidden from the
> process list. I tried using process explorer from
> Sysinternals.com and could not find any of the Cns*
> processes although they do exist. When closing down the
> system once it asked me if I wanted to "End Now"... CnsMain
> so it shows it's running even though I cannot see it.
> Looking at the properties of rundll32 in process explorer
> I can see the CnsMin hooks into the rundll32 process.
>
> So IMHO we need to monitor attempts to add registry entries
> to the registry *when they are removed* by MS AntiSpyware
> and permanently block those entries from being added in the
> future. If after the reboot and software removal, they
> continue to attempt to be added we need to track the
> processes that are doing this and report this information
> back to spynet.
>
> Looking forward to an update that fixes this.
>
> Regards
>
> Kevin Davies
>
>

Bill Sanderson
24th Apr 2005
The recovery console is an excellent way to deal with this mechanism.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

<(E-Mail Removed)> wrote in message
news:0e2901c546d5$e37744f0$(E-Mail Removed)...
> Wow,
>
> This bloody thing also installs a device driver
> cnsminkp.sys. It's a driver that protects the spyware.
> cnsminkp stands for cnsmin kill protect device driver.
>
> You can tell windows how to stop loading device drivers
> unless you are in recovery mode.
>
> Ouch
>
