CnsMin - post 3


Thomas

This is in reply to a previous post I posted - CnsMin is
indeed untouchable - I want to see what Engel has to say
about this.


This CnsMin is not only untouchable - it is the Lord
Supreme of spyware. I have been fighting it for months
and have not been successful. It is so clever that it can
even change with our attack. Let me give you a run down
on what I have tried - this will take a while.

I have tried all the manual steps listed in Doxdesk.com
and other antispyware websites previously and it did not
work. In fact I tried to be ingenious and tried even more
than what doxdesk has asked for, as in removing other
things by DOS command prompt too - and to date - I have
failed.

First antispyware I have is Spybot - that failed
every time - did not even come close.
Next - Yahoo Antispy - that deleted some but they always come
back.
Next Computer Associates Pest Patrol - that did delete
and advised restart initially but on subsequent scans it
may just become disabled and non-responsive. I
have tried to run Pest Patrol both in normal mode and
in safe mode too (administrator) --- one important point
to note - ever since I have had CnsMin on board - I have been
denied access to my administrator account under the normal
boot up and can only access my administrator account under
the safe mode boot up.

Next I have been trying to solve this problem with tech
support at CA Pest Patrol -- we have tried multiple
approaches and to date CA Pest Patrol has temporarily
conceded defeat -- telling me that the case is currently
under research and will stay open as of today. The
following are the things we have tried:

1) Thank you for contacting my-eTrust Technical Support
Please delete the following files and registry entries
from the machine to get rid of that pest.
Boot the machine into SAFEMODE and delete the folder
RECYCLER from "C:\".
Delete the folder 'Yahoo' from "C:\Program Files" and the
folder 3721.
The folder "downloaded program files" from C:\Windows and
the file "C:\WINDOWS\system32\drivers\cnsminkp.sys"
The folder 'downlo~1' from "C:\WINDOWS\"
Go to Start->Run->Regedit and delete the entries: delete
folder !cns from key "hkey_local_machine
\software\microsoft\internet explorer\advancedoptions\"
Key "hkey_local_machine\software\3721" folder should be
deleted.
Folder extensions from key "hkey_local_machine
\software\microsoft\internet explorer"
In case of any further assistance in this regard, please
revert back to this email
Thank you and have a great day

---> Tried the above -- My reply:
Hi, I tried to go along with your instructions but could
not complete the very first step - unable to delete the
file RECYCLER from C:\ --- the error message is "Access
denied. Please ensure that file is not in use or write
protected etc." Is there anything I need to do before I
can delete that file? I.e. any processes I need to kill
before I can delete that file? I think I saw the file
cnsminkp.sys loading even with my safemode startup.
Please further advise.

2) Their reply:
Thank you for contacting my-eTrust Technical Support
In order to delete that file, you may have to set
permissions.
Just right click on that particular registry entry and
set permissions as full access to the user.
Then delete the file.
In case of any further assistance in this regard, please
revert back to this email

My reply:
Hi, after trying your advice, I finally did manage to
delete the RECYCLER folder after going through the
permission lists of all subfolders and deleting them
individually. However, I am not able to delete the
Downloaded Program Files list - I did manage to disable my
Yahoo Messenger though. Two files in the Downloaded
Program Files folder are especially resistant to deletion -
the CnsHook.dll and the CnsMin.dll files. These are the
only 2 files left and they will reappear a few seconds
after I delete them. And without deleting these 2 files,
Windows would not allow me to delete the folder
Downloaded Program Files completely. Also, every time I
attempt to delete these 2 files, I will notice the
RECYCLER folder may reappear too.
Also, there is still a problem with these 2 files that
will also reappear every single time I try to remove them
manually - see this message that I sent previously: Hi
Sam, after trying your advice, I finally did manage to
delete the RECYCLER folder after going through the
permission lists of all subfolders and deleting them
individually. However, I am not able to delete the
Downloaded Program Files list - I did manage to disable my
Yahoo Messenger though. Two files in the Downloaded
Program Files folder are especially resistant to deletion -
the CnsHook.dll and the CnsMin.dll files. These are the
only 2 files left and they will reappear a few seconds
after I delete them. And without deleting these 2 files,
Windows would not allow me to delete the folder
Downloaded Program Files completely. Also, every time I
attempt to delete these 2 files, I will notice the
RECYCLER folder may reappear too. How do I remove the 2
files above?

3) Their reply:
Hi,
Thank you for contacting my-eTrust Technical Support
Please try to remove the files in SAFEMODE for
permanent deletion.
In case of any further assistance in this regard, please
revert back to this email

My reply:
I did try to remove them in Safe mode. I tried all the
permission steps you previously suggested too. I even
tried to use the MSDOS command prompt to try to delete
it. I tried even to rename it first then delete. Also
tried rename first, then reboot, then delete - all in
MSDOS command mode - doesn't work. Tried all the ways I
can think of so far - to remove them in SAFE mode using
both the Windows delete function as well as the MSDOS
delete function - doesn't work. This is the most
resistant pest I have met thus far.

4) Their reply:
Hi,
Thank you for contacting eTrust PestPatrol HelpDesk.
There are a couple of things I would like you to do in an
attempt to resolve this issue.
Please note: It is very important that you follow this
email in order. The first thing we need to ensure is that
you have the most recent updates. This can be done by
selecting the Updates menu under the Advanced Settings
section of your software.
Next, please look in your Add/Remove Programs Control
Panel for any toolbars, search bars, search assistants
and any other odd programs that may be present there and
uninstall them.
When you are done in the Control Panel, please run a
thorough scan. To do that, you will need to select custom
scan from the scan menu. Here you will see your different
drive letters, please select the ones you would like to
scan. I would encourage you to select all of the drive
letters associated with the hard drive(s) on your PC.
When the scan is complete please select the items you
would like to keep and click the Exclude Checked Pests
button.
Next, check the remaining pests and click on Quarantine.
Reboot your PC and run another scan to see if you are
still experiencing the same issues. If you are, please
try the following:
1. shut down your computer
2. turn it back on and tap the F8 key repeatedly until you get a boot menu
3. select Safe Mode with Networking ***if you have Safe Mode as the only option please select it***
Once you are in Safe Mode please delete any items located
within the temp directory. It is possible for some pest(s)
to hide within this directory and to reinstall
components that have been removed by Pest Patrol. To
clear the temp directory:
1. click on start, then run and enter %temp%
2. click ok and a new window will open - you will be in a temp folder
3. please hold down "Ctrl" on the keyboard and press the "A" key - this will select ALL items in the folder
4. press the "Delete" key on the keyboard
Reboot your PC into Normal Mode and rescan again
with PestPatrol. See if the problem still pertains. If it
does, this means that there is one or more files residing
on your system called a "trickler". These files load on
bootup and cause the pest(s) to reappear.
To track down which file(s) may be responsible:
1. click on start, then run and enter msconfig
2. click on ok and you will be taken into the system configuration utility
3. click on the startup tab at the top right-hand corner
4. please make a list of what is checked in these boxes
5. uncheck all components and click on ok !!!PLEASE MAKE SURE THAT THE ONLY TAB YOU ALTER IN MSCONFIG IS THE STARTUP TAB!!!
6. you will be asked to reboot the computer, please click yes or ok
7. after the reboot you will see a pop-up telling you that you have made changes in configuration utility, place a check in the box and click ok
Check to see if any pests have returned. If not,
then you know it was one of the startup programs that was
causing the issue. At this point you can go back into
msconfig startup tab and recheck one item at a time.
Please note: you will need to reboot after each item is
checked and run a scan to see if the pest(s) returned.
Completing the steps above should resolve your issue. If
for some reason it does not, please send me a copy of the
logs by following the steps below:
1. Launch PestPatrol and click on "Advanced Settings"
2. Click on Log
3. Click on Save Log
4. Save it to the location you can easily find it from
5. From your e-mail program you can then attach the log by
using the "Attach" function and browsing to the saved log.
You can also include the Quarantine Log:
1. Click on Advanced Settings
2. Click on Quarantined Pests
3. Click on Save Report
4. Save it to the location you can easily find it from
5. From your e-mail program you can then attach the log
by using the "Attach" function and browsing to the saved
log.
Thank you and have a great day
CA Consumer Support

My reply:
I am now convinced that this is one of the most powerful
and clever pests ever. I have tried all the steps you
described. First of all, when I tried to remove all the
suspicious stuff from my Add/Remove programs - there are
2 programs that are not removable: 1) A program
named "Yahoo Address Autocomplete" and 2) Yahoo Messenger
explorer bar. I think that these are 2 programs
masquerading as Yahoo programs - I have uninstalled my
Yahoo components without problems but cannot uninstall
those 2 programs even in safe mode. Then, I am not able
to load my safemode with networking - the computer will
show an error blue screen every time I try to do that.
Also, every time I tried to use your program to quarantine
the Cnsmin pests - your program will become unresponsive.
This goes the same for the freeware program Spybot.
Next, I tried to use msconfig to stop all my startup
programs as you have suggested. I rebooted and guess
what? Lo and behold, there are 2 programs that I cannot
even use my msconfig to disable (see how smart these
people are). These 2 programs are as follows: 1) Name:
Cnsmin; Command: Rundll32.exe C:\WINDOWS\DOWNLO~1
\Cnsmin.dll,Rundll32; location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; the
other program that continues to appear is Name: Ctfmon,
Command: C:\WINDOWS\system32\ctfmon.exe, location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Even
in safemode after trying to disable all the startup
programs, I cannot remove the program that is not
removable with the add/remove command and I cannot use
your program to quarantine Cnsmin - your program just
becomes unresponsive. And I cannot boot into safemode with
networking. I can however boot into safemode. Even after
trying to disable all the startup programs and also
booting into safemode, I noticed that the program file
Cnsminkp.sys continues to load with boot up. I will
attach the log for you. As your program continues
to "hang" (i.e. becomes unresponsive) every time I try to
quarantine Cnsmin, I have no quarantine files to attach.
Please advise with this extremely clever and ingenious
pest. (Just a few days ago, my privacy firewall detected
it trying to send my bank account number over the net to
someplace with 3721 in its net address - it may function
as more than a hijacker). Thanks for your help.

5) Their reply:
Hi,
Thank you for contacting my-eTrust Technical Support
Please follow the steps and provide us the required
information to get this issue resolved.
1. Please go to C:\Documents and Settings\All
Users\Application Data\CA\eTrustPestPatrol and delete
PPv5log.txt.
2. Open eTrust PestPatrol and run a complete custom scan
on the machine, quarantine the pests found.
3. Run a custom scan again and quarantine the pests if
they are redetected.
Then, reboot the system in safe mode session and have the
scan again with a custom scan with ePP and then
quarantine all the pests found. Send the PPv5Log.txt
For assistance in going to Safe Mode, please go through
the following URL LINK
Click Start > Run > "MSInfo32.exe" - then "Save" as
an .NFO file and email this to us for further analysis.
Please zip it before attaching or attach all these files
in a single zip file
Next one is download this file and create a report
Digital detective
Download this and run it and send us a report which is
generated
It displays all the files which are there in the PC so us
to check.

My reply:
Thanks for looking deeper into the case. I have followed
your instructions and will be attaching the files you
requested. On the first scan with EPP, I quarantined the
files; it said I should restart but I did not and scanned
again as you instructed and quarantined again. The
first scan yielded about 200 plus files, the second scan
yielded about 66 files that are only related to Cnsmin. I
then restarted and rebooted into safe mode. This time the
scan turned up only 61 files related to Cnsmin but while
trying to quarantine the pests, your program became
unresponsive (as per the previous time - probably disabled by
this strong pest). I will attach the files you requested. If
you need me to also attach the files that cannot be
deleted whatever method I try - i.e. the Cnsmin.dll and
Cnshook.dll in the C:\Windows\Downloaded Program Files
folder - please let me know and I will attach them for
you. Recently, I found that there are files in the
folder C:\Program Files\3721 that cannot be deleted too.
Thanks for your help - hope you find fighting this super
pest an enjoyable challenge

6) Subsequently - they sent me a .bat file to run on my
computer to help fight this. I tried it and the following
is my reply:
Hi, thanks for working on this problem. I have done the
steps mentioned in your email. The steps I did were:
1. Extracted the correctreg.bat file you sent me.
2. Logged into safemode.
3. Ran the correctreg.bat file and then tried to delete cnsmin.dll and cnshook.dll
4. At the same time, I deleted many other files in the same Downloaded Program Files folder, deleted the folder Recycler under C:\, tried to delete the folder C:\Program Files\3721
The following are the problems encountered:
1. I managed to delete the folder C:\Recycler, it allowed me to delete the cnsmin.dll and cnshook.dll but once you go out of the folder C:\windows\Downloaded Program Files -- those 2 files will reappear. Also, this time, there are also 2 files in that same folder that cannot be deleted -- the Cnsio.dll and CnsminIO.dll files - both cannot be deleted and would not allow me to even change permissions or take hold of them.
2. The file CNSMIN.dat in C:\Program Files\3721 is now resistant to deletion too
3. I think they have taken control of my recycle bin too. Now, whatever file I delete will no longer go into the recycle bin but will just disappear.
4. After I rebooted back to normal mode and rescanned, there are still 165 files reviewed. I tried to quarantine; although EPP became unresponsive while doing that, I still managed to get a quarantine report to send off to you.
I will be attaching a ZIP file containing the PPv5log.txt from the folder that
you told me about during your last email (I did the
delete thing then rescanned again), as well as the
quarantine pest report and also the Digital Detective
report that I generated again this time. Thanks and
please keep me updated.

Their most current reply:
Hi,
Thank you for contacting my-eTrust Technical Support
Thank you for the information provided to us regarding
the issue. The issue is still under research and we shall
get back to you once we get the update from our research
team. Until then, the issue will be under open status


The following are what I have done with your Microsoft
antispy program:

1) I have scanned and tried removal both in normal boot
up and safe mode boot up -- and both removal processes have
failed.

2) After a few removal attempts and scans - now it seems
like the CnsMin has evolved and now the MS antispy is
detecting something as "Possible browser hijacker" -- I
removed that too - but it seems like it can come back too.

3) I used your advanced settings and tried to remove the
things that I think are related to CnsMin - i.e. the 3721
helper - it failed. Next I tried to block it - it seems
like it is failing now. I initially tried to block it
from changing URLs etc. - and MS antispy did work for a
few days --- then for the past 2 days - for no good
reason - I would get messages from MS antispy that it
has allowed a URL change - without asking me for
permission and without my permission.

Hence, I am now convinced that CnsMin is the ultimate
lord supreme of spyware and whatever antispyware can
fight it and remove it may justly be considered the
best antispyware in the current market.

I was actually on my way out to get Spysweeper so that I
can try it on my computer too - until I saw Engel and
Andy's helpful replies - do you guys have any more good
ideas?

The report spyware function on the MS antispy does not
work with this master of spyware --- as mentioned in my
initial post - I get an error message.

Thanks and await your reply guys.


One more thing - there are 2 programs that show up under
my add/remove programs category - the Yahoo! Messenger
explorer bar and the Yahoo! Address autocomplete --- I
think these 2 are CnsMin masquerading as Yahoo - I have
been able to remove all other components of my Yahoo
toolbars or messenger except these 2 and at one stage I
found something that is masquerading as Yahoo
components - the YPager with a symbol we all so often
associate with Yahoo. Nowadays - even when I click to
check my Yahoo mail - there are attempts to send some
private information of mine over the web - which was
blocked by my Norton Internet Security.

Alright guys - if you enjoy a challenge - try this SUPREME
LORD OF SPYWARE. Let me know if you find anything helpful.
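The two Run-key entries msconfig could not disable (quoted in the post above) show a pattern worth checking for in any autorun triage: a Windows host process such as rundll32.exe launching a DLL from Internet Explorer's ActiveX cache (DOWNLO~1, i.e. Downloaded Program Files) rather than from an install directory. The Python below is an added example, not code from this thread or from any of the tools it mentions. The sample entries are constructed from the two values Thomas quoted plus one made-up benign entry; the lists of suspect directories, host processes, and CnsMin module names are this example's own assumptions drawn from the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample Run-key entries: (hive, key, value name, command line).
# The first two mirror what the post reports from msconfig; the third is a
# made-up benign vendor updater with a quoted path, to exercise the parser.
SAMPLE_RUN_ENTRIES = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "CnsMin",
     r"Rundll32.exe C:\WINDOWS\DOWNLO~1\Cnsmin.dll,Rundll32"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),          # normal Windows text-services loader
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Program Files\Example Vendor\updater.exe" /background'),
]

# Assumptions for this example: signed Windows binaries commonly used to host a
# DLL, directories that should not normally hold persistent code, and the DLL
# names the thread attributes to the 3721/CnsMin hijacker.
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe"}
SUSPECT_DIRS = {"downlo~1", "downloaded program files", "temp", "tmp", "recycler"}
KNOWN_CNSMIN_MODULES = {"cnsmin.dll", "cnshook.dll", "cnsio.dll", "cnsminio.dll"}


@dataclass
class AutorunFinding:
    hive: str
    key: str
    name: str
    command: str
    executable: str = ""
    module: str = ""
    reasons: list = field(default_factory=list)


def _basename(path):
    return re.split(r"[\\/]", path)[-1]


def _segments(path):
    return [s.lower() for s in re.split(r"[\\/]", path) if s]


def split_command(cmd):
    """Split a Run-value command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def resolve_module(cmd):
    """Return (executable, module actually loaded).

    For rundll32/regsvr32 the module is the DLL argument; rundll32 uses the
    syntax <dll>,<entrypoint>, so the entry point is split off.
    """
    tokens = split_command(cmd)
    if not tokens:
        return "", ""
    exe = tokens[0]
    if _basename(exe).lower() in HOST_PROCESSES and len(tokens) > 1:
        dll = next((t for t in tokens[1:] if not t.startswith("/")), "")
        return exe, dll.split(",", 1)[0]
    return exe, exe


def assess(entry):
    """Attach a reason for every suspicious trait found on one Run entry."""
    hive, key, name, cmd = entry
    exe, module = resolve_module(cmd)
    finding = AutorunFinding(hive, key, name, cmd, exe, module)
    if _basename(exe).lower() in HOST_PROCESSES:
        finding.reasons.append(
            f"uses {_basename(exe)} as a host process; the real payload is {module}")
    if set(_segments(module)) & SUSPECT_DIRS:
        finding.reasons.append(
            "payload lives in a cache/temporary directory rather than an install location")
    if _basename(module).lower() in KNOWN_CNSMIN_MODULES:
        finding.reasons.append(
            "module name matches the CnsMin/3721 components named in this thread")
    return finding


def triage(entries):
    """Return only the entries that collected at least one reason."""
    return [f for f in map(assess, entries) if f.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_RUN_ENTRIES):
        print(f"{f.hive}\\{f.key}\\{f.name}: {f.command}")
        for r in f.reasons:
            print("   -", r)
```

Run as a script it reports only the CnsMin entry, with three reasons, and stays silent on ctfmon.exe in system32 and on the quoted vendor path. On a live machine the entries would come from the two Run keys the post names; the logic is the same.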
 

AndyManc

Hi again Zin (Thomas)

Sounds like you have been very busy :) It's good to hear
it's now been removed. With you fixing all the cns entries
using HijackThis then deleting all the bad files at the
same time using KillBox, although they came straight back
I think it may have had to reinstall, which might have reset
cnsmin, making the "chinese keywords" entry in the
add/remove screen work again.

The c:\recycler entry on your PC isn't malicious and you
are not meant to be able to delete it as it's the Windows
recycle bin. I did post a way you can reset it on the
Microsoft forum but you will need to use the cmd screen
for this, plus it will not remove it; it will for a
second or two but Windows will put it straight back as
it's the recycle bin. Here's how to reset it again if you
need to; usually you only need to reset the bin if you
are deleting things which are not appearing in the
recycle bin or if some malware has corrupted the recycle
bin.

To reset the recycle bin if it's corrupted follow this.

Open a command prompt: go to Start, then Run & type

cmd

Press Enter to open the prompt screen


Copy and paste this line in :


attrib c:\recycler -h -s


Press Enter. Then type


del c:\recycler


Press enter again


Say yes when asked. Close the command prompt.

The recycle bin is recreated automatically by Windows (if
not immediately, then on the next reboot), and anything
inside deleted.



Thanks for the info on the setup file; I assumed it would
mostly be usage instructions but there were also some
installation instructions in the file which were hard to
follow but indicated it makes changes to other areas of
the registry.

I'm just checking them again now. I did install cns last
night but again didn't have any problems getting rid of it:
the chinese keywords uninstaller removed most of the crap
and using cmd to rename then delete it worked fine. I
don't think you can remove cns without using the chinese
keywords unless you can fully understand the changes it
makes, as it's not just the files. That's why I asked if you
can confirm you went through all the steps with HijackThis
and KillBox and pasted every file to be deleted. If
you did, it means there is some sort of lock on them; they
may delete for a second or two like the recycle bin but
then they come straight back. It's hard to work out what's
causing this but there must be an entry in the registry
that has been modified to reinstall cns if it gets
deleted, and all the rest to reinstall if you rename it
and reinstall if you unregister it.

Looking at the setup file even though 90 percent of it
makes no sense to me at all i can see these parts in the
text.


setup SeShutdownPrivilege TXT
SYSTEM\CurrentControlSet\Control\Session Manager
PendingFileRenameOperations 3721home_dl PrePartner
3721home_dl-1 Partner Software\3721\CnsMin wb %
s\downlo~1\ CLSID\{B83FC273-3522-4CC6-92EC-
75CC86678DA4}\InprocServer32 CnsHook.dll CnsMin.dll
CnsMin.cab DOWNLO~1\CNS

Software\Microsoft\Internet Explorer\Main ucount
CnsMin SOFTWARE\Microsoft\Internet Explorer\Main
CNSAutoUpdate Message \ w NUL= r !\??\
wininit.ini DllUnregisterServer
DllRegisterServer



The above really doesn't give much info but does show it's
hiding information. If you opened the registry and checked
both HKEY_CURRENT_USER & HKEY_LOCAL_MACHINE then click
the + beside Software then the + next to Microsoft then
Internet Explorer and finally left click Main, it will
open a lot of preset Internet values on the right pane
such as start page, search page etc.

It looks like CNS has an autoupdater which works on a
timer and is hidden in this area.

Your start and main pages are disabled in a way, as yours
is preset to Sony's page. I can't remember which log I
noticed it on, but if you opened an Internet window and
then went to Tools on the top bar, then to Internet
Options, then the Programs tab and pressed "Reset Web
Settings", on yours it will reset it to Sony's page rather
than Microsoft's default.


This part of the above message


Message \ w NUL= r !\??\ wininit.ini
DllUnregisterServer DllRegisterServer


is very suspicious. Here is a similar entry that's added by
a trojan downloader:


C:\WINDOWS\wininit.ini
[Rename]
NUL=C:\DOCUME~1\LOCALS~1\Temp\ginstall.dll


This means it's probably hijacked a few main functions.
Windows itself uses several special INI files. Most
notably, the WIN.INI stores information about the
installed programs and the OS itself. Most INI files are
stored in the Windows or Windows\System directory, but
they are also often located in the same folder as the
associated application. The wininit.ini is a file used
by programs that need to overwrite Windows files that
are currently in use by Windows while the install
runs. The program then cannot finish the installation and
writes those install commands that it still needs to do
into the wininit.ini, so the install finishes
automatically with the Windows boot.

Usually the wininit.ini file is empty. The use of
the .ini file is temporary, by programs which install and
might not finish the install due to DLLs being in use by
Windows. When you are not installing anything, you can do
nothing wrong when you delete this file. Any program that
might need it will create it.

For the trojan downloader entry above you would

Go into C:\WINDOWS\ and right click wininit.ini file and
choose to open with notepad . Then select and delete
these lines in it.

[Rename]
NUL=C:\DOCUME~1\JAMIES~1\LOCALS~1\Temp\ginstall.dll
NUL=

Save the file and close it.



I'm sure you don't need it now though if all your scanners
are showing clear, but thought I'd post it. The current
control set again goes to the heart of the OS, so these
are areas that need looking at more if anyone is going
to try to remove cnsmin manually.

Glad you don't have that problem now though; if I can help
with anything anytime just let me know. Nice to hear we
got there and removed it.

Regards

Andy Manc
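Andy's post points at two boot-time file-operation mechanisms that malware of this era leaned on: the [Rename] section of wininit.ini (where a line is destination=source and NUL=path deletes the file at the next boot) and the PendingFileRenameOperations value under Session Manager, whose strings from the setup file (\??\ prefix, the ! marker) appear in his dump. Both run before any antispyware service starts, which is why entries there deserve a look in a manual triage. The Python below is an added example, not code from this thread: it parses both formats and flags operations that delete a file staged in a temporary or download directory (the installer self-cleanup pattern of the trojan entry Andy quotes) or that write into a Windows system directory at boot. The sample inputs are constructed (the wininit.ini lines are modelled on his quoted entry; the PendingFileRenameOperations list is made up), and the directory lists are this example's own assumptions. Note that PendingFileRenameOperations is a REG_MULTI_SZ read as source/target pairs, with an empty target meaning delete and a leading ! on the target meaning replace-existing.

```python
import re
from dataclasses import dataclass, field

# Constructed sample wininit.ini, modelled on the [Rename] entry quoted above.
# Lines are destination=source; NUL as destination deletes the source at boot.
SAMPLE_WININIT = r"""[Rename]
NUL=C:\DOCUME~1\LOCALS~1\Temp\ginstall.dll
C:\WINDOWS\system32\example.dll=C:\WINDOWS\TEMP\example.new
"""

# Constructed PendingFileRenameOperations REG_MULTI_SZ, as the list of strings
# the registry returns: source, target, source, target, ...  An empty target
# means delete; a target beginning with "!" means replace an existing file.
SAMPLE_PENDING = [
    r"\??\C:\WINDOWS\DOWNLO~1\CnsMin.dll", "",
    r"\??\C:\WINDOWS\TEMP\helper.tmp", r"!\??\C:\WINDOWS\system32\helper.dll",
    r"\??\C:\Program Files\Example Vendor\old.log", "",
]

# Assumptions for this example: path segments that mark staging locations, and
# substrings that identify Windows system directories.
STAGING_DIRS = {"temp", "tmp", "downlo~1", "downloaded program files", "recycler"}
SYSTEM_DIRS = ("windows\\system32", "windows\\system", "winnt\\system32")


@dataclass
class FileOp:
    origin: str          # "wininit.ini" or "PendingFileRenameOperations"
    kind: str            # "delete", "rename" or "replace"
    source: str
    target: str = ""
    reasons: list = field(default_factory=list)


def _strip_nt_prefix(path):
    """Drop the \\??\\ NT object-manager prefix used in PendingFileRenameOperations."""
    return path[4:] if path.startswith("\\??\\") else path


def _segments(path):
    return [s.lower() for s in re.split(r"[\\/]", path) if s]


def parse_wininit(text):
    """Parse the [Rename] section of a wininit.ini into FileOp records."""
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        if dest.upper() == "NUL":
            ops.append(FileOp("wininit.ini", "delete", src))
        else:
            ops.append(FileOp("wininit.ini", "rename", src, dest))
    return ops


def parse_pending(values):
    """Parse a PendingFileRenameOperations string list into FileOp records."""
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):   # an odd trailing entry is ignored
        src = _strip_nt_prefix(src)
        if dst == "":
            ops.append(FileOp("PendingFileRenameOperations", "delete", src))
        elif dst.startswith("!"):
            ops.append(FileOp("PendingFileRenameOperations", "replace", src,
                              _strip_nt_prefix(dst[1:])))
        else:
            ops.append(FileOp("PendingFileRenameOperations", "rename", src,
                              _strip_nt_prefix(dst)))
    return ops


def assess(op):
    """Attach a reason for each suspicious trait of one boot-time file operation."""
    if set(_segments(op.source)) & STAGING_DIRS:
        if op.kind == "delete":
            op.reasons.append("deletes a file staged in a temporary/download directory "
                              "at boot (installer self-cleanup pattern)")
        else:
            op.reasons.append("moves a file out of a temporary/download directory at boot")
    if op.target and any(d in op.target.lower() for d in SYSTEM_DIRS):
        op.reasons.append("writes into a Windows system directory during boot, "
                          "before security tools are loaded")
    return op


def triage(wininit_text, pending_values):
    """Return every operation from both sources that collected a reason."""
    ops = parse_wininit(wininit_text) + parse_pending(pending_values)
    return [op for op in map(assess, ops) if op.reasons]


if __name__ == "__main__":
    for op in triage(SAMPLE_WININIT, SAMPLE_PENDING):
        print(f"[{op.origin}] {op.kind}: {op.source} -> {op.target or '(deleted)'}")
        for r in op.reasons:
            print("   -", r)
```

On the constructed input four of the five operations are flagged; the deletion of a log under a vendor's Program Files directory is not. The two parsers are deliberately kept apart because the formats differ: wininit.ini puts the destination on the left of the =, while the registry value lists the source first.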
 
