VirTool:WinNT/Protmin.gen!A
Detected by Microsoft Defender Antivirus
Aliases: CnsMin (McAfee), Dialer_PlayGames (Trend Micro), Virus.Win32.Cnsmin.B (other), 3721 Internet Assistant (other)
Summary
VirTool:WinNT/Protmin.gen!A is a kernel-mode driver installed by Spyware:Win32/CnsMin. It may protect particular files and registry data belonging to the spyware from modification or removal.
Because of the protection methods used by this threat, manual removal may be required. It is recommended to boot into the Recovery Console in order to delete the files manually. Further removal steps involve editing the system registry, and users are strongly advised to use caution when modifying the registry.
Warning - Serious problems might occur if you modify the registry incorrectly. Modify the registry at your own risk.
To manually remove this Trojan from Windows XP computers, follow these steps:
- Print the following Microsoft Knowledge Base article and use it as a guide to this procedure: 307654 How to install and use the Recovery Console in Windows XP
- Insert the Windows XP installation CD, and then restart the computer from the CD.
- At the Welcome to Setup screen, press R (repair) to start the Windows Recovery Console.
- Select the number that corresponds to the Windows installation that you want to repair. This number is typically 1.
- If prompted, type the administrator password. If an administrator password does not exist, press ENTER.
- At the command prompt, type cd "%windir%\Downloaded Program Files" and press ENTER (or type cd "%windir%\downlo~1" and press ENTER).
- Type del cns*.* and press ENTER.
- Type cd "%windir%\System32" and press ENTER.
- Type del cns*.* and press ENTER.
- Type cd "%windir%\System32\Drivers" and press ENTER.
- Type del cns*.* and press ENTER.
- Remove the Windows XP installation CD, and then type Exit to restart the computer.
Delete the Trojan registry entries
To delete the Trojan registry entries
- On the Start menu, click Run, type regedit, and then click OK.
- In the left pane, navigate to the key: HKEY_CLASSES_ROOT\CLSID
- In the right pane, right-click the following value, if it exists: {B83FC273-3522-4CC6-92EC-75CC86678DA4}
- Click Delete and click Yes to delete the value.
- In the right pane, right-click the following value, if it exists: {D157330A-9EF3-49F8-9A67-4141AC41ADD4}
- Click Delete and click Yes to delete the value.
- In the left pane, navigate to the key: HKEY_CLASSES_ROOT
- In the right pane, right-click the following value, if it exists: CnsHelper.CH
- Click Delete and click Yes to delete the value.
- In the right pane, right-click the following value, if it exists: CnsMinHK.CnsHook
- Click Delete and click Yes to delete the value.
- In the left pane, navigate to the key: HKEY_CURRENT_USER\Software
- In the right pane, right-click the following value, if it exists: 3721
- Click Delete and click Yes to delete the value.
- In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software
- In the right pane, right-click the following value, if it exists: 3721
- Click Delete and click Yes to delete the value.
- In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions
- In the right pane, right-click the following value, if it exists: !CNS
- Click Delete and click Yes to delete the value.
- In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions
- In the right pane, right-click the following value, if it exists: {5D73EE86-05F1-49ed-B850-E423120EC338}
- Click Delete and click Yes to delete the value.
- In the right pane, right-click the following value, if it exists: {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}
- Click Delete and click Yes to delete the value.
- In the right pane, right-click the following value, if it exists: {FD00D911-7529-4084-9946-A29F1BDF4FE5}
- Click Delete and click Yes to delete the value.
- In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, right-click the following value, if it exists: CnsMin
- Click Delete and click Yes to delete the value.
- Quit Registry Editor.
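The following audit script is added here and is not part of the Microsoft encyclopedia entry. It checks, without deleting anything, whether the files and registry artifacts named in the steps above are still present, so it can be run before the manual removal to confirm the infection and afterwards to confirm the cleanup; it assumes an elevated PowerShell prompt on a system where the %windir% locations above apply.

```powershell
# Added read-only audit for the CnsMin/Protmin artifacts listed in the removal steps.
# Nothing is modified; every hit is reported for the operator to act on manually.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    # HKEY_CLASSES_ROOT has no default PowerShell drive, so map one for the checks below.
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
# Directories and wildcard from the Recovery Console steps.
$fileDirs = @(
    (Join-Path $env:windir 'Downloaded Program Files'),
    (Join-Path $env:windir 'System32'),
    (Join-Path $env:windir 'System32\Drivers')
)
# Registry keys from the Registry Editor steps; each is a subkey, so Test-Path is sufficient.
$regKeys = @(
    'HKCR:\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}',
    'HKCR:\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}',
    'HKCR:\CnsHelper.CH',
    'HKCR:\CnsMinHK.CnsHook',
    'HKCU:\Software\3721',
    'HKLM:\Software\3721',
    'HKLM:\Software\Microsoft\Internet Explorer\AdvancedOptions\!CNS',
    'HKLM:\Software\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ed-B850-E423120EC338}',
    'HKLM:\Software\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}',
    'HKLM:\Software\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}'
)
$findings = @()
foreach ($dir in $fileDirs) {
    if (Test-Path -LiteralPath $dir) {
        # -Force includes hidden/system files, which a protected driver may well be.
        Get-ChildItem -LiteralPath $dir -Filter 'cns*.*' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "File: $($_.FullName)" }
    }
}
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) { $findings += "Registry key: $key" }
}
# The CnsMin autostart entry is a value under the Run key, not a subkey, so read it by name.
$run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' `
                        -Name 'CnsMin' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value: CnsMin = $($run.CnsMin)" }
if ($findings.Count -eq 0) {
    Write-Output 'No CnsMin/Protmin artifacts from the removal steps were found.'
} else {
    Write-Warning "$($findings.Count) artifact(s) still present:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

If the script still reports files after the registry cleanup, the driver is likely still protecting them and the Recovery Console deletion step needs to be repeated.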
Restart the computer
To restart your computer
- On the Start menu, click Shut Down.
- Select Restart from the drop-down list and click OK.
Take steps to prevent re-infection
You should not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.