Parasite: CnsMin

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

CnsMin is another keyword-lookup provider that takes over the search feature of IE’s address bar. It is aimed at providing keywords using Chinese characters.

Other than replacing the IE search feature with a Chinese site likely to be incomprehensible to non-Chinese users, CnsMin is not overtly harmful, but it uses extremely anti-social methods to make it difficult to uninstall.

Distribution

Is installed by ActiveX drive-by-download at its company’s site, 3721.com. Has also apparently been included in junk e-mail, which could be how some Western users have ended up with it.

What it does

Advertising

No.

Privacy violation

No.

Security issues

No.

Stability problems

Is suspected to cause software such as The Sims not to run.

Removal

There is an Add/Remove Programs entry for "Chinese keywords" which corresponds to CnsMin. However, choosing it sends you to a set of removal pages in Chinese on the manufacturer’s web site, which do not work for me.

Ad-Aware reffile 042-24-09-2002 and later, and Spybot S&D update 2002-09-22 and later can remove CnsMin.

Manual removal

You cannot delete CnsMin whilst it is running; if you try to deregister it, it restores all its registry entries immediately. In Windows 95 and 98 you can boot without loaded it must be done by using Start -> Shutdown -> Restart in MS-DOS mode and typing the following commands:

cd DOWNLO~1
del cns*.*
del 3721\*.*
rmdir 3721
exit

Then reboot.

In Windows NT/2000/XP it is possible to move the files so that they cannot be reloaded. Open the Command prompt (Start -> Programs -> Accessories) and type:

cd "%WinDir%\Downloaded Program Files"
ren CnsMin.dll CnsDel.dll

Reboot and load the Command prompt again. Type:

cd "%WinDir%\Downloaded Program Files"
del cns*.*

(As far as I know, users of Windows Me are screwed - there is no MS-DOS mode and files cannot be renamed. Try to get hold of a DOS boot disc?)

The first time you reboot after deleting or moving CnsMin you’ll get an error about not being able to find it. Ignore this. To clean up the remaining traces of the software that cause this, open the registry (Start -> Run -> regedit) and delete the following keys:

HKEY_CLASSES_ROOT\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}
HKEY_CLASSES_ROOT\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}
HKEY_CLASSES_ROOT\CnsHelper.CH
HKEY_CLASSES_ROOT\CnsHelper.CH.1
HKEY_CLASSES_ROOT\CnsMinHK.CnsHook
HKEY_CLASSES_ROOT\CnsMinHK.CnsHook.1
HKEY_CURRENT_USER\Software\3721
HKEY_LOCAL_MACHINE\Software\3721
HKEY_LOCAL_MACHINE\Software\InterChina
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions\!CNS
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ed-B850-E423120EC338}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CnsMin
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CnsMin