Spyware:Win32/CnsMin


CnsMin installs a browser helper object (BHO) that redirects Internet Explorer searches to a Chinese search portal. CnsMin may be installed without adequate user consent, and it may resist removal by preventing its files from being deleted or by restoring files that have already been removed.


What to do now

Use Microsoft Windows Defender, Microsoft Security Essentials, the Microsoft Safety Scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

CnsMin installs a browser helper object (BHO) that redirects Internet Explorer searches to a Chinese search portal. CnsMin may be installed without adequate user consent, and it may resist removal by preventing its files from being deleted or by restoring files that have already been removed. When installed, CnsMin may do any or all of the following:
  • Create a folder containing a shortcut in the All Users program folder:
C:\Documents and Settings\All Users\Start Menu\Programs\chinese keyword
  • Create a folder named '3721' in the Program Files folder and install the following files:
%ProgramFiles%\3721\notifier.dll
%ProgramFiles%\3721\patch03.dll
%ProgramFiles%\3721\scrblock.dll
%ProgramFiles%\3721\3721\alrex.dll
%ProgramFiles%\3721\3721\cns1.exe
%ProgramFiles%\3721\3721\repair.dll
  • Add the following registry subkey so that it runs as a service:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CnsMinKP
  • Modify the following registry subkeys so that it runs automatically each time Windows starts:
Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value: CnsMinKP
Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: CnsMin
Value: assistse
Value: helper.dll  
  • Add the subkey {D157330A-9EF3-49F8-9A67-4141AC41ADD4} to each of the following:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks   
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks 
  • Add the following subkeys:
{00000000-0000-0001-0001-596BAEDD1289} 
{507F9113-CD77-4866-BA92-0E86DA3D0B97} 
{59BC54A2-56B3-44a0-93E5-432D58746E26} 
{5D73EE86-05F1-49ed-B850-E423120EC338} 
{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} 
{FD00D911-7529-4084-9946-A29F1BDF4FE5} 
{BB936323-19FA-4521-BA29-ECA6A121BC78}
to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping 
  • Create or modify the following registry entries:
HKEY_CLASSES_ROOT\ADKiller.ADKillerObj.1    
HKEY_CLASSES_ROOT\clsid\{118CE65F-5D86-4AEA-A9BD-94F92B89119F}    
HKEY_CLASSES_ROOT\clsid\{178DA2CB-5660-42F4-B2E1-2815401C5910}    
HKEY_CLASSES_ROOT\clsid\{1b0e7716-898e-48cc-9690-4e338e8de1d3}    
HKEY_CLASSES_ROOT\clsid\{47387079-DA8D-48AB-98C7-0017812D51EA}    
HKEY_CLASSES_ROOT\clsid\{6231d512-e4a4-4df2-be62-5b8f0ee348ef}    
HKEY_CLASSES_ROOT\clsid\{6d8f256b-6ab8-4398-8f86-1e56207db77a}    
HKEY_CLASSES_ROOT\clsid\{ca92b524-bc8a-4610-bd2c-6bd3e28155d0}    
HKEY_CLASSES_ROOT\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}    
HKEY_CLASSES_ROOT\clsid\{DDDE2452-AF9E-4577-AE6C-465DBCB54D49}    
HKEY_CLASSES_ROOT\clsid\{e5e4e352-6947-44ee-a420-db84efd3fe93}    
HKEY_CLASSES_ROOT\FFlash.FlashObjectInterface    
HKEY_CLASSES_ROOT\FFlash.FlashObjectInterface.1    
HKEY_CLASSES_ROOT\InsIII.brins    
HKEY_CLASSES_ROOT\InsIII.brins.1    
HKEY_CLASSES_ROOT\Installer.brins    
HKEY_CLASSES_ROOT\interface\{df692509-d9ef-48a0-9cd0-3aa5b81f6f68}    
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\currentversion\explorer\browser helper objects\{6231d512-e4a4-4df2-be62-5b8f0ee348ef}    
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\currentversion\explorer\browser helper objects\{ca92b524-bc8a-4610-bd2c-6bd3e28155d0}    
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}    
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\currentversion\explorer\browser helper objects\{e5e4e352-6947-44ee-a420-db84efd3fe93}    
HKEY_CLASSES_ROOT\typelib\{a5adeae7-a8b4-4f94-9128-bf8d8db5e927}    
HKEY_CLASSES_ROOT\ZsMod.AxObj    
HKEY_CLASSES_ROOT\ZsMod.AxObj.1    
HKEY_CURRENT_USER\Software\3721    
HKEY_CURRENT_USER\Software\3721\CnsMin    
HKEY_LOCAL_MACHINE\SOFTWARE\3721    
HKEY_LOCAL_MACHINE\SOFTWARE\3721\CnsMin    
HKEY_LOCAL_MACHINE\SOFTWARE\3721\CnsMin\CnsMinEx    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADKiller.ADKillerObj    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADKiller.ADKillerObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Assist.EasyAssist    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoLive.Live    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoLive.Live.1    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoObj.AxObj    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{115F6E46-FCBC-41ed-B3B5-3BDDD4AAB5E5}    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{141A5E19-BDCB-4E27-A3D7-9E16503BC05B}    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{1b0e7716-898e-48cc-9690-4e338e8de1d3}    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{6231d512-e4a4-4df2-be62-5b8f0ee348ef}    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{9EB2B422-C9EE-46C4-A471-1E79C7517B1D}    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{ABEC6103-F6AC-43A3-834F-FB03FBA339A2}    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{b835c273-3522-4cc6-92ec-75cc86678da4}    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{B83FC273-3522-4CC6-92EC-75CC86678DA4}    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{BB936323-19FA-4521-BA29-ECA6A121BC78}    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{DB4F72F5-FA97-4424-A8CD-758FEAE6861F}    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{EF1D17A9-089F-40cc-8D64-7324CDEBA0DB}    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsHelper.CH    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsHelper.CH.1    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsMinHK.CnsHook    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsMinHK.CnsHook.1    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FFlash.FlashObjectInterface    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FFlash.FlashObjectInterface.1    
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{aab6bce3-1df6-4930-9b14-9ca79dc8c267}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}  
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{00000000-0000-0001-0001-596BAEDD1289}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{507F9113-CD77-4866-BA92-0E86DA3D0B97}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{59BC54A2-56B3-44a0-93E5-432D58746E26}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5d73ee86-05f1-49ed-b850-e423120ec338}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{ecf2e268-f28c-48d2-9ab7-8f69c11ccb71}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{fd00d911-7529-4084-9946-a29f1bdf4fe5}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\app management\arpcache\{1b0e7716-898e-48cc-9690-4e338e8de1d3}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\app management\arpcache\cnsmin 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b0e7716-898e-48cc-9690-4e338e8de1d3}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6231d512-e4a4-4df2-be62-5b8f0ee348ef}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DDDE2452-AF9E-4577-AE6C-465DBCB54D49}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF1D17A9-089F-40cc-8D64-7324CDEBA0DB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks\{b83fc273-3522-4cc6-92ec-75cc86678da4}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{115F6E46-FCBC-41ed-B3B5-3BDDD4AAB5E5}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1b0e7716-898e-48cc-9690-4e338e8de1d3}    
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cnsmin    

Symptoms

An installation of CnsMin may be indicated by the presence of a folder named 3721 under %ProgramFiles%, and by the presence of any of the following files:
%ProgramFiles%\3721\patch03.dll
%ProgramFiles%\3721\notifier.dll
%ProgramFiles%\3721\scrblock.dll
%ProgramFiles%\3721\3721\alrex.dll
%ProgramFiles%\3721\3721\cns1.exe
%ProgramFiles%\3721\3721\repair.dll
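The file, service, autorun and COM-hook indicators listed under Threat behavior and Symptoms can be checked in a single pass before running a scanner. The PowerShell script below is an added example, not a Microsoft tool and not part of this entry; it only reports which indicators are present and removes nothing, because CnsMin can block deletion of its files and restore removed ones, so removal is best left to the scanners recommended above. It assumes an elevated prompt, a 32-bit Windows layout with no Wow6432Node paths (the indicators date from the Windows XP era), and treats as CnsMin's the CLSIDs that appear in the BHO and ShellExecuteHooks entries above.

```powershell
# Added example: read-only triage of the CnsMin indicators listed on this page.
# Assumptions: elevated PowerShell prompt; 32-bit registry layout (no Wow6432Node).
# Nothing is deleted; findings are printed for a human to confirm.

$findings = New-Object System.Collections.Generic.List[string]

# --- Files listed under "Symptoms" ---
$files = @(
    "$env:ProgramFiles\3721\patch03.dll",
    "$env:ProgramFiles\3721\notifier.dll",
    "$env:ProgramFiles\3721\scrblock.dll",
    "$env:ProgramFiles\3721\3721\alrex.dll",
    "$env:ProgramFiles\3721\3721\cns1.exe",
    "$env:ProgramFiles\3721\3721\repair.dll"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("file: $f") }
}

# --- Service registration (CnsMinKP) with its type, start mode and image path ---
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CnsMinKP'
if (Test-Path -Path $svcKey) {
    $s = Get-ItemProperty -Path $svcKey
    $findings.Add("service: CnsMinKP Type=$($s.Type) Start=$($s.Start) ImagePath=$($s.ImagePath)")
}

# --- Run / RunOnce values named on this page ---
$runChecks = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'     = @('CnsMin', 'assistse', 'helper.dll')
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' = @('CnsMinKP')
}
foreach ($key in $runChecks.Keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $runChecks[$key]) {
        if ($props -and $props.PSObject.Properties[$name]) {
            $findings.Add("autorun: $key\$name = $($props.$name)")
        }
    }
}

# --- CLSIDs this page lists under Browser Helper Objects and ShellExecuteHooks ---
$cnsClsids = @(
    '{1B0E7716-898E-48CC-9690-4E338E8DE1D3}', '{6231D512-E4A4-4DF2-BE62-5B8F0EE348EF}',
    '{BB936323-19FA-4521-BA29-ECA6A121BC78}', '{D157330A-9EF3-49F8-9A67-4141AC41ADD4}',
    '{DDDE2452-AF9E-4577-AE6C-465DBCB54D49}', '{EF1D17A9-089F-40CC-8D64-7324CDEBA0DB}',
    '{B83FC273-3522-4CC6-92EC-75CC86678DA4}', '{CA92B524-BC8A-4610-BD2C-6BD3E28155D0}',
    '{E5E4E352-6947-44EE-A420-DB84EFD3FE93}'
)

# Resolve a CLSID to the DLL that explorer.exe / iexplore.exe would load for it.
function Get-ClsidServer([string]$clsid) {
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $srv = Get-ItemProperty -Path "$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv) { return $srv.'(default)' }
    }
    return $null
}

$hookKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)
foreach ($key in $hookKeys) {
    # CLSIDs may be registered as subkeys (BHOs) or as value names (ShellExecuteHooks); collect both.
    $names = @(Get-ChildItem -Path $key -ErrorAction SilentlyContinue | Select-Object -ExpandProperty PSChildName)
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p) {
        $names += @($p.PSObject.Properties | Where-Object { $_.Name -like '{*}' } | Select-Object -ExpandProperty Name)
    }
    foreach ($n in $names) {
        $dll   = Get-ClsidServer $n
        $known = $cnsClsids -contains $n    # PowerShell string comparison is case-insensitive
        # Flag CnsMin's known CLSIDs, and any other hook whose server DLL lives under the 3721 folder.
        if ($known -or ($dll -and $dll -like '*\3721\*')) {
            $findings.Add("hook: $key -> $n ($dll)")
        }
    }
}

if ($findings.Count -eq 0) { 'No CnsMin indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Resolving each hook CLSID to its InprocServer32 DLL is the useful part: a BHO or ShellExecuteHook whose server DLL sits under %ProgramFiles%\3721 is worth reporting even if its CLSID is not one of those listed here, since the entry notes that CnsMin may re-create its files after removal.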

Prevention


Alert level: High
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jul 16, 2006
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases