Registry hack removal failed

johnwhy

Hi,

Registry hack removal failed!

My spy scan found 'CnsMin (Browser Modifier)'.
I clicked 'remove'.
After removal, the same hack is found again!

Not logged in as Administrator, shouldn't matter! Necessary
to give MS Anti-Spyware special rights somehow?

thx
 
AndyManchesta

CnsMin can be difficult to remove. It reinstalls if you
delete, rename or move the entries from the Downloaded
Program Files folder. It also has a hidden timer which
checks for changes, then replaces anything that's missing.

It's not really a trojan or hack. I'm sure it's very useful
for Chinese users, but it isn't designed for Western computers,
so it can cause problems when installed. Your only option is
to uninstall it from the Add/Remove screen; then you can
rename and delete the remaining files without them being
replaced.

Go to the Add/Remove screen and uninstall "Chinese Keywords".

Then run the scanner again and see if it still picks up
CnsMin. If it does, then follow this.

(For NT/XP/2000)

Open the Command prompt (Start -> Programs ->
Accessories) and type (or copy & paste):

cd "%WinDir%\Downloaded Program Files"
ren CnsMin.dll CnsDel.dll

Then type exit

Reboot and load the Command prompt again. Type:

cd "%WinDir%\Downloaded Program Files"
del cns*.*

Then type exit again to leave the command prompt screen.

Let us know if you have any problems.

Andy
 
AndyManchesta

Hi again. I've just checked this with MSAS and it removes
CnsMin first time without any problems. It's not worth
looking for the Chinese Keywords entry, as MSAS also
removes that. It does leave a couple of traces in the
registry, but I assume these are harmless now the files
have been removed.

Go with Plun's suggestion and run a scan in safe mode. My
last post will not work if you have run MSAS, as the entry
in Add/Remove and the files in Downloaded Program Files
are all removed. Good work MS; last time I checked this, no
scanner was removing it.

I know this doesn't help you to remove the registry entry,
but if the scan in safe mode doesn't work for you then let
us know what's being found, and try running a scan from the
admin account if you can.

Here's a couple of traces I found after the scan:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"CNSHint"=dword:00000001
"CNSReset"=dword:2a3fcc74
"CNSEnable"=dword:00000001
"CNSList"=dword:2a3fcc74
"CNSMenu"=dword:2a3fcc74
"CNSAutoUpdate"=dword:00000001

[HKEY_CLASSES_ROOT\Interface\{1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1}]
@="ICnsHook"

[HKEY_CLASSES_ROOT\Interface\{1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1}\ProxyStubClsid]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1}\TypeLib]
@="{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}"
"Version"="1.0"

But it's removed the CnsMin files and all the other
registry entries without any problems. Maybe worth
running from the Admin account if needed, or safe mode, and
make sure all other IE windows are closed when fixing.

Good Luck

Andy
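
An added example (not written by any poster in this thread): a Python check that parses a regedit text export and lists any of the leftover traces from the post above. The function names, matching rules and sample export are constructed for illustration.

```python
import re

# Traces listed in the post above; the matching rules are this example's own.
IE_MAIN = r"hkey_current_user\software\microsoft\internet explorer\main"
IFACE_GUID = "{1bb0abbe-2d95-4847-b9d8-6f90de3714c1}"

# Constructed sample export (REGEDIT4 text), not taken from a real machine.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"CNSEnable"=dword:00000001
"CNSAutoUpdate"=dword:00000001

[HKEY_CLASSES_ROOT\Interface\{1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1}]
@="ICnsHook"

[HKEY_CLASSES_ROOT\Interface\{1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1}\TypeLib]
@="{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}"
"Version"="1.0"
'''

def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # section header: start collecting values for this key
            current = keys.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if m and current is not None:  # "name"=data, or @=data for the default
            name = m.group(1) if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = m.group(2)
    return keys

def find_cns_traces(text):
    """Return sorted (key, value_name) pairs matching the CnsMin leftovers."""
    hits = []
    for key, values in parse_reg(text).items():
        if key.lower() == IE_MAIN:  # only the CNS* values, not all of IE\Main
            hits += [(key, n) for n in values if n.upper().startswith("CNS")]
        elif IFACE_GUID in key.lower():  # the ICnsHook key and its subkeys
            hits += [(key, n) for n in values]
    return sorted(hits)

if __name__ == "__main__":
    for key, name in find_cns_traces(SAMPLE):
        print(f"{key} -> {name}")
```

HKEY_CURRENT_USER is a per-user hive, so the export has to be taken while logged in as the affected account.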
 
Robin Walker [MVP]

Registry hack removal failed!

My spy scan found 'CnsMin (Browser Modifier)'.
I clicked 'remove'.
After removal, the same hack is found again!

Not logged in as Administrator, shouldn't matter!

It matters a lot. MSAS is only capable of removing malware from system
areas if the user is logged in as an Administrator.
 
jon why

MSAS must be run from an Admin account??

That makes no sense. It's supposed to be a set-and-forget
convenience. Should not require me to go around to all the
user desktops in the company and manually login as admin.

How to give it admin rights even if logged in as restricted
user?
 
Robin Walker [MVP]

jon why said:
MSAS must be run from an Admin account??
That makes no sense. It's supposed to be a set-and-forget
convenience. Should not require me to go around to all the
user desktops in the company and manually login as admin.

How to give it admin rights even if logged in as restricted
user?

You can't. This is an early beta trial. Those are the restrictions
revealed so far by beta-testing.

The advice has always been that this beta-test trial should not be installed
in any production environment, and certainly not on a corporate network. So
far, the Beta 1 builds are suitable only for single-user PCs logged in with
local administrator rights.
 
