VirTool:WinNT/Protmin.gen!A

Encyclopedia entry
Updated: May 15, 2008  |  Published: Mar 07, 2008

Aliases
  • CnsMin (McAfee)
  • Dialer_PlayGames (Trend Micro)
  • Virus.Win32.Cnsmin.B (other)
  • 3721 Internet Assistant (other)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.109.1459.0
Released: Aug 10, 2011
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008

Summary

VirTool:WinNT/Protmin.gen!A is a kernel-mode driver installed by Spyware:Win32/CnsMin that may protect particular files and registry data from modification or removal.

Symptoms

System Changes
The following system changes may indicate the presence of VirTool:WinNT/Protmin.gen!A:
  • Presence of the following files:
    <system folder>\cns.dll
    <system folder>\cns.exe
    <system folder>\cns.dat
    <system folder>\drivers\CnsMinKP.sys
  • Presence of a registry value "CnsMin" in the following registry subkey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Technical Information (Analysis)

VirTool:WinNT/Protmin.gen!A is a kernel-mode driver installed by Spyware:Win32/CnsMin that may protect particular files and registry data from modification or removal.
Installation
WinNT/Protmin.gen!A is commonly installed to the following location:
<system folder>\drivers\CnsMinKP.sys

The registry is modified so that the kernel-mode driver runs at Windows start. Numerous other registry entries related to this threat and to Spyware:Win32/CnsMin are also modified, including the following:

HKEY_CLASSES_ROOT\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}
HKEY_CLASSES_ROOT\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}
HKEY_CLASSES_ROOT\CnsHelper.CH
HKEY_CLASSES_ROOT\CnsMinHK.CnsHook
HKEY_CURRENT_USER\Software\3721
HKEY_LOCAL_MACHINE\Software\3721
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions\!CNS
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ed-B850-E423120EC338}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CnsMin

When running, WinNT/Protmin.gen!A may create or delete related files such as '%windir%\cnsinfo.dat'. This kernel-mode driver may hide application or process windows, and may terminate processes.
Payload
Provides Advanced Stealth
This driver may protect certain files associated with Spyware:Win32/CnsMin from being renamed, modified or deleted, such as the following example file names:
<system folder>\cns.dll
<system folder>\cns.exe
<system folder>\cns.dat

Additionally, WinNT/Protmin.gen!A may create registry values associated with Spyware:Win32/CnsMin, or protect them from being modified or deleted, such as the following example registry values:

..\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2bc8d755-5faf-44af-9d5a-bf8395bc221d}
HKEY_CLASSES_ROOT\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}
HKEY_CLASSES_ROOT\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}
Additional Information
File attributes for this kernel-mode driver may include the string "Copyright © 3721 Corporation".
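As an added detection check (not part of this Microsoft entry), the following PowerShell script, run from an elevated prompt, looks for the file and registry indicators listed under Symptoms and in this Analysis section, and reads the file version information for the "3721 Corporation" copyright string. The driver service name pattern (CnsMin*) and the cnsinfo.dat location are assumptions based on the file names the entry gives.

```powershell
# Added read-only detection script for the Protmin/CnsMin indicators on this page.
# Nothing is deleted; run from an elevated PowerShell prompt.

$sys32 = Join-Path $env:SystemRoot 'System32'
$files = @(
    (Join-Path $sys32 'cns.dll'),
    (Join-Path $sys32 'cns.exe'),
    (Join-Path $sys32 'cns.dat'),
    (Join-Path $sys32 'drivers\CnsMinKP.sys'),
    (Join-Path $env:SystemRoot 'cnsinfo.dat')   # assumed from '%windir%\cnsinfo.dat'
)
# Registry keys from the entry; HKCR has no PS drive by default, so use Registry::
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}',
    'Registry::HKEY_CLASSES_ROOT\CnsHelper.CH',
    'Registry::HKEY_CLASSES_ROOT\CnsMinHK.CnsHook',
    'HKCU:\Software\3721',
    'HKLM:\Software\3721'
)
$findings = New-Object System.Collections.Generic.List[string]

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings.Add("file present: $f")
        # The entry notes the driver's file attributes may carry a 3721 copyright string
        $copyright = (Get-Item -LiteralPath $f).VersionInfo.LegalCopyright
        if ($copyright -and $copyright -match '3721') {
            $findings.Add("  copyright string: $copyright")
        }
    }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry key present: $k") }
}
# Autostart value named "CnsMin" under the Run key
$run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' `
       -Name CnsMin -ErrorAction SilentlyContinue
if ($run) { $findings.Add("Run value CnsMin = $($run.CnsMin)") }
# A loaded kernel driver appears as a system driver; service name pattern is assumed
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name LIKE 'CnsMin%'" -ErrorAction SilentlyContinue
if ($drv) { $findings.Add("driver service: $($drv.Name) state=$($drv.State)") }

if ($findings.Count -eq 0) { 'No Protmin/CnsMin indicators found.' }
else { 'Indicators found:'; $findings }
```

Because the driver hides and protects its files while loaded, a clean result on a live system is not conclusive; that is why the recovery steps below boot into the Recovery Console before deleting anything.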

Analysis by Patrik Vicol

Prevention

Recovery

Due to the protection methods used by this threat, manual removal may be required. It is recommended to boot into the Recovery Console in order to delete the files manually. Further removal steps involve editing the system registry, and users are strongly advised to use caution if attempting to modify the registry.

Warning - Serious problems might occur if you modify the registry incorrectly. Modify the registry at your own risk.

To manually remove this Trojan from Windows XP computers, follow these steps:
  1. Print the following Microsoft Knowledge Base article. Use the article as a guide to this procedure.
    307654 How to install and use the Recovery Console in Windows XP 
  2. Insert the Windows XP installation CD, and then restart the computer from the CD.
  3. At the Welcome to Setup screen, press R (repair) to start the Windows Recovery Console.
  4. Select the number that corresponds to the Windows installation that you want to repair. This number is typically 1.
  5. If prompted, type the administrator password. If an administrator password does not exist, press ENTER.
  6. At the command prompt, type cd "%windir%\Downloaded Program Files" and press ENTER.
    (or type cd "%windir%\downlo~1" and press ENTER).
  7. Type del cns*.* and press ENTER.
  8. Type cd "%windir%\System32" and press ENTER.
  9. Type del cns*.* and press ENTER.
  10. Type cd "%windir%\System32\Drivers" and press ENTER.
  11. Type del cns*.* and press ENTER.
  12. Remove the Windows XP installation CD, and then type Exit to restart the computer.
Delete the Trojan registry entries
To delete the Trojan registry entries
  1. On the Start menu, click Run, type regedit, and then click OK.
  2. In the left pane, navigate to the key: HKEY_CLASSES_ROOT\CLSID
  3. In the right pane, right-click the following value, if it exists: {B83FC273-3522-4CC6-92EC-75CC86678DA4}
  4. Click Delete and click Yes to delete the value.
  5. In the right pane, right-click the following value, if it exists: {D157330A-9EF3-49F8-9A67-4141AC41ADD4}
  6. Click Delete and click Yes to delete the value.
  7. In the left pane, navigate to the key: HKEY_CLASSES_ROOT
  8. In the right pane, right-click the following value, if it exists: CnsHelper.CH
  9. Click Delete and click Yes to delete the value.
  10. In the right pane, right-click the following value, if it exists: CnsMinHK.CnsHook
  11. Click Delete and click Yes to delete the value.
  12. In the left pane, navigate to the key: HKEY_CURRENT_USER\Software
  13. In the right pane, right-click the following value, if it exists: 3721
  14. Click Delete and click Yes to delete the value.
  15. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software
  16. In the right pane, right-click the following value, if it exists: 3721
  17. Click Delete and click Yes to delete the value.
  18. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions
  19. In the right pane, right-click the following value, if it exists: !CNS
  20. Click Delete and click Yes to delete the value.
  21. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions
  22. In the right pane, right-click the following value, if it exists: {5D73EE86-05F1-49ed-B850-E423120EC338}
  23. Click Delete and click Yes to delete the value.
  24. In the right pane, right-click the following value, if it exists: {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}
  25. Click Delete and click Yes to delete the value.
  26. In the right pane, right-click the following value, if it exists: {FD00D911-7529-4084-9946-A29F1BDF4FE5}
  27. Click Delete and click Yes to delete the value.
  28. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  29. In the right pane, right-click the following value, if it exists: CnsMin
  30. Click Delete and click Yes to delete the value.
  31. Quit Registry Editor.
Restart the computer
To restart your computer
  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.
Take steps to prevent re-infection
You should not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.