TechSpot

Spyware: Win32/CnsMin won't go away, please help

By adu123
Aug 16, 2007
  1. I use Windows Defender to run a full system scan once a week, and it detects the same spyware every single time. Even though I hit the "Remove All" button, it still remains there; it just won't go away! The description of the spyware is as follows:
    * Category: Spyware
    * Name: Spyware: Win32/CnsMin
    * Alert level: high
    * Description: This program has potentially unwanted behavior
    * Advice: remove this software immediately
    * Resource:
    file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0019)
    file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0018)
    file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0017)
    file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0016)
    file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0012)
    file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0020)
    containerfile:
    C:\Windows\Installer\85196.msi
    Does anyone know how to remove this nasty spyware? Any help would be appreciated!
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Try the manual removal steps HERE.

    Regards Howard :)
     
  3. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    They are not the same! One is adware; the one that infected my computer is spyware. Even though there is some similarity between them, that is, they can't be deleted. Any other ideas?
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    They are in fact one and the same. Don't be fooled by different websites calling the infection either adware or spyware.

    Did you follow the removal instructions I linked?

    Regards Howard :)
     
  5. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    Why are you so sure they are the same? Not only do they have different names, but they also have different descriptions of how they will behave. For instance, the one that infected my computer will modify the registry, and the other one will just deliver advertisements. That's just my personal opinion.
    Besides, my computer's OS is Windows Vista (the one that's being infected), and the article you provided doesn't list the removal instructions for Windows Vista. Any more ideas?
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    See HERE and make your own mind up.

    I have no experience of Vista, but I assume you can still use regedit.

    At least try and follow the removal instructions.

    If they don't work or won't work because you're running Vista, do the following.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly. Note: Not all tools and programmes may work in Vista. If that happens, just proceed to the next step in the instructions.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of adu123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    Should I download AVG Antispyware or AVG Anti-Rootkit? Do I have to uninstall Windows Defender before I download them?
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Just read and follow all the instructions. This includes disabling Windows Defender as per the instructions in step 1.

    Regards Howard :)
     
  9. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    I've downloaded AVG Antispyware and then ran a full system scan, but it didn't detect any spyware or adware. Instead, it detected a lot of tracking cookies. I don't think it helped me; should I uninstall it?
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I need to see all the requested logfiles.

    See below for instructions on how to post logfiles.

    Taken from HERE.

    Regards Howard :)

     
  11. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    I've scanned my computer with HijackThis and attached the log file here. I hope it can help.
     


  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Where are the rest of the logfiles and the results of the AVG Antirootkit scan?

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    launcher.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode

    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    %WINDIR%\SMINST\launcher.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log as well as AVG Antispyware and Combofix logs. Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

     
  13. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    Hey Howard, I want to tell you that I will not be able to post the Combofix logs because my OS is Windows Vista; it wouldn't scan my computer because of that. Also, I could not open AVG Anti-Rootkit for some reason. So the HJT log and AVG Antispyware log are the only two I will be able to post. I will post the AVG Antispyware log later.

    What does %WINDIR% mean?

    After I booted into safe mode, I performed all the steps you suggested. However, I noticed all of the desktop icons became smaller afterward. Why is that? How do I restore them? I've attached the fresh HJT log and the AVG Antispyware log.

    Howard, you should not have suggested that I fix these two items:
    O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode

    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    because they are nothing to worry about! Now all of my desktop icons became smaller because I've deleted them. And I don't know how to retrieve launcher because my recycle bin has been missing for quite a long time.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is from safe mode, when it should be from normal mode.

    Run HJT and click the config button, followed by the backups button.

    Tick the little box next to the following entries.

    O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode

    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

    Now click the restore button and click yes. This should restore those two entries. Reboot your computer.

    See HERE for a possible fix to your missing recycle bin.

    Your logfiles are clean, though the tracking cookies in AVG Antispyware say No action taken. That's because you didn't follow the instructions properly for using AVG Antispyware.

    Are you still having any problems?

    Regards Howard :)

     
  15. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    First of all, I really want to know why you suggested that I fix those two items. Because I did not save HijackThis in the correct directory like I was supposed to, I can't restore them now. I know this because after I ran HijackThis, those two items did not show up on the result list. Any other ideas?
    I have good news, though. After I performed a full system scan with Windows Defender, it no longer detected that nasty spyware. It seems to have gone away.
    Thank you for all your help!
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The fact you didn't install HJT to the correct directory is entirely your own fault. The instructions plainly tell you where to install HJT. This is so any changes can be undone, should the need arise.

    I told you to fix those entries as one of them is considered to be adware.

    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

    The other one I wasn't sure about, but fixing it shouldn't have caused too many problems and of course it should have been easy enough to rectify it.

    I'm glad to hear your CnsMin problem seems to be resolved.

    Regards Howard :)

     
  17. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    I think the other one is intended to control the size of all the desktop icons; because I've deleted it, all the desktop icons became smaller. I'm fine with that. Thank you again for your help!
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No problem mate.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  19. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    I already have Windows Defender (anti-spyware) installed on my computer. If I install another anti-virus program like AVG Anti-Virus, will they slow down my computer?

    I finally restored the recycle bin! The next thing I did was to locate launcher to see its properties. I noticed it was created Wednesday, March 07, 2007, 11:09:52 AM. I purchased this computer in July of this year, so I don't think it is adware of any kind. Am I right? Should I restore it?
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You should always have antivirus software running and yes, it will slow your PC to some extent, depending on which antivirus you choose. I recommend disabling Windows Defender from running in the background and run the programme manually when you feel the need.

    Here are some antivirus programmes I recommend. As far as I'm aware, they are both compatible with Vista.

    AVG free or Avast antivirus programmes.

    As for the Launcher.exe file. If you're sure it's safe, then by all means restore it.

    Regards Howard :)

     
  21. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    Out of the two anti-virus programs you recommended, which one do you think is better? By the way, how do I disable Windows Defender from running in the background? Thank you.
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Personally I recommend AVG antivirus.

    For instructions on how to disable Windows Defender see HERE.

    Regards Howard :)

     
  23. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    Hey Howard, my computer is infected again! I've downloaded the Threat Scanner from stopsign.com and then ran a full scan; it detected two Adwares.
    The following are the two files being infected:
    c:\users\jing\appdata\local\temp\nerodemo12541\toolbar.exe <Adware.MWS.68>
    d:\hp\apps\app12294\src\install\games\cakemania-setup.exe:data031:data002 <Adware.SpywareStorm>
    I don't know how to remove it, please help me.
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    cakemania-setup.exe
    toolbar.exe

    Close task manager.

    Locate and delete the following bold files and/or directories (if there).

    c:\users\jing\appdata\local\temp\nerodemo12541 <- Delete the entire folder.
    d:\hp\apps\app12294\src\install\games\cakemania-setup.exe

    Reboot into normal mode and rehide your protected OS files.


    Regards Howard :)

     
  25. adu123

    adu123 TS Maniac Topic Starter Posts: 278

    I am not able to locate either one of those files in the directories shown! I don't see any folder named "appdata" on my C drive, and when I tried to open my D drive, it says: "This area of hard drive contain files used for your PC recovery. Do not delete or alter these files, any change to this partition could prevent any recovery later." It doesn't give me any option to explore! Any advice?
     
Topic Status:
Not open for further replies.
