CnsMin

Overview

Summary

Hijacks the search feature in IE, replacing your typed search strings with Chinese characters and taking you to a Chinese search site. These functions are likely of value to many Chinese users, but are not appreciated by others. On June 7, 2004, PestPatrol researched CnsMin. At that time removal was nearly impossible: the included uninstaller removed most components, but left the machine with no network or Internet connection. In 6 out of 6 boots after installing CnsMin, our machine crashed within 5 minutes. CnsMin was intended to be a search support tool for users, but its operation on our test machines suggests that the current version, when run on an English-language computer, should be classified as a Nuker. CPR researched CnsMin again on July 9, 2004, and the results were nearly the same as above, except that no uninstaller was provided. In addition, numerous popup ads were displayed which were difficult to close.

Vendor Description

From the website: 'Beijing 3721 Technology Co. Ltd (aka 3721) is the pioneer and market leader for providing Chinese Keyword services in China. Founded in late 1998, the Company officially launched Chinese Keyword service in June 1999 and has since then experienced tremendous growth. The company is headquartered in Beijing, China, and currently has over 150 employees. 3721 maintains a technology alliance with Hong Kong 3721 Network Software Co. Ltd., which provides technology support to 3721.

Keyword service enables Internet users to navigate the web and search for relevant on-line information using real world names and familiar identities in their native language, rather than having to remember cumbersome domain names/URLs. There is a strong demand for keyword service in non-Roman alphabet language countries such as China. Chinese Keyword (CKW) service also enables businesses to extend their real world brand identities directly on-line by making it easy for their customers to find them on the Web using familiar names.

CKW is an application service developed on top of the existing DNS infrastructure; it provides a human friendly Internet navigation interface as well as on-line directory search-like services. The service is widely available on client-software enabled browser as well as from most of the leading portal sites, search engines, and ISP portals throughout China. 3721's highly scalable keyword technology is based on proprietary, high performance data indexing and retrieving algorithm, and is fully compatible with the evolving technology standards such as XML and UNICODE. Focusing on core technology development, our software won Killer Application of the Year award at Internet World Asia in 2000.

After over four years of market and technology development, 3721 has established itself as one of the most popular Internet brand in China. The CKW service is one of the most widely used service on the Internet in China, serving over 30 million keyword resolutions everyday and reaching over 90% of Chinese Internet users. 3721 has formed broad strategic partnerships with leading portals, search engines and close to 300 local ISPs throughout China. As a result, in addition to enjoying direct navigation and keyword search in the browser address line, Internet users in China can access the Chinese Keyword service from China's leading portals and ISPs.

At the international level, 3721 works closely with leading international companies, notably our collaboration with MSN enhances the users' search and navigation experience on the IE browser in China; our strategic partnership with VeriSign also aims to provide better user experience for internationalized domain names. 3721 works closely with major Keyword service vendors around the world and actively contributes to technology standard bodies such as the Internet Engineering Task Force (IETF) regarding the technology standardization and interoperability discussions of the natural language based "keyword navigation technology".

3721 is dedicated to the vision of promoting truly human-friendly Internet navigation and search service, and to helping millions of Chinese businesses and their prospective customers to interface more easily with each other on the Web. Going forwards, 3721 will continue its focus on keyword and related service development and strive to provide better and more human-friendly Internet navigation and search services for Internet users and businesses in China.' -- http://www.3721.com/english/about.htm

The company offers other services, too. This one sounds interesting: 'Our short massage center provides state-of-the art services that fulfill your requirements for short massage and help you dig out more pleasure with your cell phone.' -- http://www.3721.com/english/how03.htm

Alias

3721, Spyware/CnsMin [Panda]

Category

Hijacker: Any software that resets your browser's settings to point to other sites. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.

Browser Helper Object (BHO): A component that Internet Explorer loads whenever it starts. It shares IE's memory context and can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, and monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.

Downloader: A program designed to retrieve and install additional files when run. Most will be configured to retrieve from a designated web or FTP site.

Search Hijacker: Any software that resets your browser's settings to point to other sites when you perform a search. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Search results when such a hijacker is running will sometimes differ from non-hijacked results.

Toolbar: A group of buttons which perform common tasks. A toolbar for Internet Explorer is normally located below the menu bar at the top of the form. Toolbars may be created by Browser Helper Objects.

Reasons For Retention

 
  • Silently connects to an unintended site, redirecting the address request during a browser session, to transmit usage or other information to that site without user permission.
  • Displays popup ads that do not appear to be connected with the product. Furthermore, trying to close the popups opened new ones that required 4 or 5 tries to close.
  • Clicking on many 3721 links silently downloaded pests without user permission.
  • Cannot be uninstalled by Windows Add/Remove and has no uninstaller provided with the application.
  • Meets our definition of a Downloader.

    Origins

     

    Group

     Inter China Network Software Co. Ltd

    Others By This Group

     CnsMin variant

    Mailing Address

     6/F, He Qiao North Tower, 8A Guanghua Road, Beijing, 100026, P.R.China

    Phone:

     8610-65812445 Fax: 8610-65812440

    Email

     info@3721.com

    URL

     http://www.3721.com/ and http://assistant.3721.com/index.htm/
     Do not visit these sites, or any other 3721 sites, with IE security settings set to "low"!

    Language

     Chinese

    Date of Origin

     April, 2002
     

    Detection and Removal

    Manual Removal

     As noted above, a recent version (June 7, 2004) included an uninstaller which removed most components, but left the machine with no network or Internet connection.

    After running manual removal (which we do not recommend on non-Chinese machines), you will need to manually remove the following:
    HKEY_CURRENT_USER\software\3721
    HKEY_LOCAL_MACHINE\software\classes\interface\{be08f6bc-c3e6-4149-beb1-cb449e1b372e}
    HKEY_LOCAL_MACHINE\software\classes\typelib\{4158db95-de71-41ff-bea1-2c3d1c679df1}
    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cnsminkp\0000|classguid
    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cnsminkp\0000|configflags
    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cnsminkp\0000|devicedesc
    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cnsminkp\0000|legacy
    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cnsminkp\0000|service
    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cnsminkp|nextinstance
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\dnsregisteredadapters\{47d5bfd0-e6a1-47b3-973d-1e8074de2beb}|dnsserveraddresscount
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\dnsregisteredadapters\{47d5bfd0-e6a1-47b3-973d-1e8074de2beb}|dnsserveraddresses
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\dnsregisteredadapters\{47d5bfd0-e6a1-47b3-973d-1e8074de2beb}|domainname
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\dnsregisteredadapters\{47d5bfd0-e6a1-47b3-973d-1e8074de2beb}|hostname
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\dnsregisteredadapters\{47d5bfd0-e6a1-47b3-973d-1e8074de2beb}|primarydomainname
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\dnsregisteredadapters\{47d5bfd0-e6a1-47b3-973d-1e8074de2beb}|registeredaddresscount
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\dnsregisteredadapters\{47d5bfd0-e6a1-47b3-973d-1e8074de2beb}|registeredaddresses
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\dnsregisteredadapters\{47d5bfd0-e6a1-47b3-973d-1e8074de2beb}|registeredflags
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\dnsregisteredadapters\{47d5bfd0-e6a1-47b3-973d-1e8074de2beb}|registeredsinceboot
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\dnsregisteredadapters\{47d5bfd0-e6a1-47b3-973d-1e8074de2beb}|registeredttl
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\dnsregisteredadapters\{47d5bfd0-e6a1-47b3-973d-1e8074de2beb}|sentpriupdatetoip
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\dnsregisteredadapters\{47d5bfd0-e6a1-47b3-973d-1e8074de2beb}|sentupdatetoip
    profilepath+\favorites\3721 chinese keywords.url
    c:\winnt\system32\c_is2022.dll
    C:\Program Files\3721
    C:\Program Files\3721\3721


    Removing older versions: According to http://www.3721.com/english/how02.htm, CnsMin can be removed by using Control Panel | Chinese keywords | Remove. This did not work for us, however.

    While running, CnsMin constantly rewrites its registry entries, so removing these entries while it is running is not possible. Some CnsMin files cannot be deleted while running either, and one, if renamed, renames itself back to its original name. Finally, CnsMin runs when Windows loads, and once installed is always running. So removal requires rebooting in such a way that CnsMin does not launch.

    • In Windows 95/98, restart without loading it by restarting in MS-DOS mode: Start | Shutdown | Restart in MS-DOS mode.
    • In other platforms, restart in Safe Mode.
    • In Safe Mode or MS-DOS mode, follow the instructions below.

     Stop Running Processes:

    Kill these running processes with Task Manager:



    Remove Autorun Reference:

    Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\cesmain.dll, delete it and reboot the machine immediately.

    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\cnsmin, delete it and reboot the machine immediately.

    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\helper.dll, delete it and reboot the machine immediately.

    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\3721c:\progra~1\3721\autolive.dll253343, delete it and reboot the machine immediately.



    Unregister DLLs:

    Unregister these DLLs with Regsvr32, then reboot:



    Clean Registry:

    Remove these registry items (if present) with RegEdit:



    Remove Files:

    Remove these files (if present) with Windows Explorer:



    Remove Directories:

    Remove these directories (if present) with Windows Explorer:



    Restore Settings:

    After following the instructions above, you will still need to restore your original settings and prevent this from happening again.
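
A read-only check for the autorun values and the 3721-specific registry keys and paths listed above, useful before cleanup and again after the Safe Mode reboot. This is an added example, not part of the original entry or any vendor tool; the function name is hypothetical and mapping the page's "profilepath" to %USERPROFILE% is an assumption.

```powershell
# Added example: read-only audit for CnsMin artifacts named on this page.
# It deletes nothing. Assumption: "profilepath" on the page maps to %USERPROFILE%.

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = 'cesmain.dll', 'cnsmin', 'helper.dll'

$registryKeys = @(
    'HKCU:\Software\3721'
    'HKLM:\Software\Classes\Interface\{be08f6bc-c3e6-4149-beb1-cb449e1b372e}'
    'HKLM:\Software\Classes\TypeLib\{4158db95-de71-41ff-bea1-2c3d1c679df1}'
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CNSMINKP'
)

$fileSystemPaths = @(
    (Join-Path $env:USERPROFILE 'Favorites\3721 chinese keywords.url')
    'C:\Program Files\3721'
)

function Get-CnsMinArtifact {
    # Autorun values: report the data too, since it names the file that gets launched.
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($name in $runValues) {
            $prop = $run.PSObject.Properties[$name]
            if ($prop) {
                [pscustomobject]@{ Kind = 'Run value'; Item = "$runKey\$name"; Data = $prop.Value }
            }
        }
    }
    # Registry keys and file-system paths: presence only.
    foreach ($key in $registryKeys) {
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Kind = 'Registry key'; Item = $key; Data = $null }
        }
    }
    foreach ($path in $fileSystemPaths) {
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{ Kind = 'File or folder'; Item = $path; Data = $null }
        }
    }
}

$found = @(Get-CnsMinArtifact)
if ($found.Count -eq 0) {
    'No CnsMin artifacts from the list were found.'
} else {
    $found | Format-Table -AutoSize -Wrap
}
```

Because the entry notes that CnsMin rewrites its registry entries while running, a clean result only means something when the check is repeated after a normal reboot.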
     
    2006 Copyright DatabaseofSpyware.com. All rights reserved.