Microsoft Security Intelligence
Published Mar 06, 2008 | Updated Sep 15, 2017

VirTool:WinNT/Protmin.gen!A

Detected by Microsoft Defender Antivirus

Aliases: CnsMin (McAfee), Dialer_PlayGames (Trend Micro), Virus.Win32.Cnsmin.B (other), 3721 Internet Assistant (other)

Summary

VirTool:WinNT/Protmin.gen!A is a kernel-mode driver installed by Spyware:Win32/CnsMin that may protect particular files and registry data from modification or removal.
Because of the protection methods used by this threat, manual removal may be required. It is recommended to boot into the Recovery Console in order to delete the files manually. Further removal steps involve editing the system registry, and users are strongly advised to use caution if attempting to modify the registry.
 
Warning - Serious problems might occur if you modify the registry incorrectly. Modify the registry at your own risk.
 
To manually remove this Trojan from Windows XP computers, follow these steps:
  1. Print the following Microsoft Knowledge Base article. Use the article as a guide to this procedure.
    307654 How to install and use the Recovery Console in Windows XP 
  2. Insert the Windows XP installation CD, and then restart the computer from the CD. 
  3. At the Welcome to Setup screen, press R (repair) to start the Windows Recovery Console.
  4. Select the number that corresponds to the Windows installation that you want to repair. This number is typically 1. 
  5. If prompted, type the administrator password. If an administrator password does not exist, press ENTER.
  6. At the command prompt, type cd "%windir%\Downloaded Program Files" and press ENTER.
    (or type cd "%windir%\downlo~1" and press ENTER).
  7. Type del cns*.* and press ENTER.
  8. Type cd "%windir%\System32" and press ENTER.
  9. Type del cns*.* and press ENTER.
  10. Type cd "%windir%\System32\Drivers" and press ENTER.
  11. Type del cns*.* and press ENTER.
  12. Remove the Windows XP installation CD, and then type Exit to restart the computer. 
Delete the Trojan registry entries
To delete the Trojan registry entries
  1. On the Start menu, click Run, type regedit, and then click OK.
  2. In the left pane, navigate to the key: HKEY_CLASSES_ROOT\CLSID
  3. In the right pane, right-click the following value, if it exists: {B83FC273-3522-4CC6-92EC-75CC86678DA4}
  4. Click Delete and click Yes to delete the value.
  5. In the right pane, right-click the following value, if it exists: {D157330A-9EF3-49F8-9A67-4141AC41ADD4}
  6. Click Delete and click Yes to delete the value.
  7. In the left pane, navigate to the key: HKEY_CLASSES_ROOT
  8. In the right pane, right-click the following value, if it exists: CnsHelper.CH
  9. Click Delete and click Yes to delete the value.
  10. In the right pane, right-click the following value, if it exists: CnsMinHK.CnsHook
  11. Click Delete and click Yes to delete the value.
  12. In the left pane, navigate to the key: HKEY_CURRENT_USER\Software
  13. In the right pane, right-click the following value, if it exists: 3721
  14. Click Delete and click Yes to delete the value.
  15. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software
  16. In the right pane, right-click the following value, if it exists: 3721
  17. Click Delete and click Yes to delete the value.
  18. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions
  19. In the right pane, right-click the following value, if it exists: !CNS
  20. Click Delete and click Yes to delete the value.
  21. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions
  22. In the right pane, right-click the following value, if it exists: {5D73EE86-05F1-49ed-B850-E423120EC338}
  23. Click Delete and click Yes to delete the value.
  24. In the right pane, right-click the following value, if it exists: {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}
  25. Click Delete and click Yes to delete the value.
  26. In the right pane, right-click the following value, if it exists: {FD00D911-7529-4084-9946-A29F1BDF4FE5}
  27. Click Delete and click Yes to delete the value.
  28. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  29. In the right pane, right-click the following value, if it exists: CnsMin
  30. Click Delete and click Yes to delete the value.
  31. Quit Registry Editor. 
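After working through the file and registry steps above, a responder usually wants to confirm that none of the listed items is still present once the computer has been restarted. The following PowerShell script is an added example, not part of the Microsoft encyclopedia entry: it performs a read-only audit of every file pattern and registry item named in the steps above and reports what it finds, without deleting anything. It also lists currently loaded kernel drivers whose name or image path matches the same cns* pattern, which extends the page's steps to the driver the entry describes. It assumes PowerShell 3.0 or later run from an elevated prompt; the function name Test-CnsMinArtifacts is chosen here and is not from the page.

```powershell
# Added example (not from the Microsoft encyclopedia entry): read-only audit of the
# CnsMin/Protmin indicators listed in the manual removal steps. Nothing is deleted.
# Assumes PowerShell 3.0+ running with administrator rights.
function Test-CnsMinArtifacts {
    [CmdletBinding()]
    param()

    $findings = @()

    # File indicators: cns*.* in the three directories named in the Recovery Console steps.
    $dirs = @(
        (Join-Path $env:windir 'Downloaded Program Files'),
        (Join-Path $env:windir 'System32'),
        (Join-Path $env:windir 'System32\Drivers')
    )
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $files = Get-ChildItem -LiteralPath $dir -Filter 'cns*.*' -Force -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer }
        foreach ($f in $files) {
            $findings += [pscustomobject]@{
                Type     = 'File'
                Location = $f.FullName
                Detail   = "$($f.Length) bytes, modified $($f.LastWriteTime)"
            }
        }
    }

    # Registry indicators: parent key -> names listed on the page. Each name is checked
    # both as a subkey and as a value, because the page calls them all "values" while the
    # CLSID, ProgID, Software and Extensions entries are subkeys in practice; only the
    # Run entry (CnsMin) is a value.
    $regTargets = @{
        'HKEY_CLASSES_ROOT\CLSID' = @('{B83FC273-3522-4CC6-92EC-75CC86678DA4}',
                                      '{D157330A-9EF3-49F8-9A67-4141AC41ADD4}')
        'HKEY_CLASSES_ROOT' = @('CnsHelper.CH', 'CnsMinHK.CnsHook')
        'HKEY_CURRENT_USER\Software' = @('3721')
        'HKEY_LOCAL_MACHINE\Software' = @('3721')
        'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions' = @('!CNS')
        'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions' = @(
            '{5D73EE86-05F1-49ed-B850-E423120EC338}',
            '{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}',
            '{FD00D911-7529-4084-9946-A29F1BDF4FE5}')
        'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' = @('CnsMin')
    }
    foreach ($parent in $regTargets.Keys) {
        $parentPath = "Registry::$parent"   # Registry:: prefix reaches HKCR without a drive
        foreach ($name in $regTargets[$parent]) {
            if (Test-Path -LiteralPath "$parentPath\$name") {
                $findings += [pscustomobject]@{
                    Type = 'RegKey'; Location = "$parent\$name"; Detail = 'subkey present'
                }
            }
            $item = Get-ItemProperty -LiteralPath $parentPath -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $findings += [pscustomobject]@{
                    Type = 'RegValue'; Location = "$parent\$name"; Detail = "value data: $($item.$name)"
                }
            }
        }
    }

    # Loaded kernel drivers matching the same cns* naming used for the files above.
    # A still-loaded driver is the likely reason a deletion from the running system failed.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -like 'cns*' -or $_.PathName -like '*\cns*' }
    foreach ($d in $drivers) {
        $findings += [pscustomobject]@{
            Type = 'Driver'; Location = $d.PathName; Detail = "service $($d.Name), state $($d.State)"
        }
    }

    return $findings
}

$results = @(Test-CnsMinArtifacts)
if ($results.Count -eq 0) {
    Write-Output 'No CnsMin/Protmin file, registry or driver indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it once before the Recovery Console steps to record what is present, and again after the restart in the next section; an empty result on the second run is the confirmation that the listed files, registry items and driver are gone. Any file that is reported but cannot be removed from the running system points back to the Recovery Console procedure above.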
Restart the computer
To restart your computer
  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.
Take steps to prevent re-infection
You should not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.