Spyware: Win32/CnsMin won't go away, please help

Status
Not open for further replies.

adu123

I use Windows Defender to run a full system scan once a week, and it detects the same spyware every single time. Even though I hit the "Remove All" button, it still remains there; it just won't go away! The description of the spyware is as follows:
*Category: Spyware
*Name: Spyware: Win32/CnsMin
*Alert level: high
*Description: This program has potentially unwanted behavior
*Advice: remove this software immediately
*Resource:
file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0019)
file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0018)
file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0017)
file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0016)
file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0012)
file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0020)
containerfile:
C:\Windows\Installer\85196.msi
Does anyone know how to remove this nasty spyware? Any help would be appreciated!
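
An added example, not part of any post in this thread: a short Python parser for the Windows Defender resource lines quoted in the post above, which groups each flagged item by the outer file that contains it. The function names are hypothetical; the sample lines are copied from the post.

```python
from collections import defaultdict

# Resource lines as quoted in the post above (Windows Defender alert details).
SAMPLE = r"""
file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0019)
file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0018)
file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0017)
file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0016)
file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0012)
file: C:\Windows\Installer\85196.msi->(MSI Stream63)->(WiseSfx)->(wise0020)
containerfile:
C:\Windows\Installer\85196.msi
"""


def parse_resources(text):
    """Return (detections, containers); a detection is (outer_file, layers),
    with layers listed from the outermost nested member to the innermost."""
    detections, containers = [], []
    expect_container = False  # "containerfile:" may carry its path on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_container:
            containers.append(line)
            expect_container = False
            continue
        kind, _, rest = line.partition(":")
        kind, rest = kind.strip().lower(), rest.strip()
        if kind == "containerfile":
            if rest:
                containers.append(rest)
            else:
                expect_container = True
        elif kind == "file" and rest:
            outer, *inner = rest.split("->")
            detections.append((outer.strip(), [p.strip().strip("()") for p in inner]))
    return detections, containers


def group_by_container(detections):
    """Map each outer file to the sorted innermost members flagged inside it."""
    grouped = defaultdict(list)
    for outer, layers in detections:
        grouped[outer].append(layers[-1] if layers else outer)
    return {k: sorted(v) for k, v in grouped.items()}
```

Run on the quoted lines, all six flagged items resolve to the same outer file, so the alert describes nested members of one installer package rather than six separate files on disk.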
 
They are not the same! One is adware; the one that infects my computer is spyware. Even though there is some similarity between them, that is, they can't be deleted. Any other ideas?
 
They are in fact one and the same. Don't be fooled by different websites calling the infection either adware or spyware.

Did you follow the removal instructions I linked?

Regards Howard :)
 
Why are you so sure they are the same? Not only do they have different names, but they also have different descriptions of how they will behave. For instance, the one that infects my computer will modify the registry, and the other one will just deliver advertisements. That's just my personal opinion.
Besides, my computer's OS is Windows Vista (the one that's being infected), and the article you provided doesn't list the removal instructions for Windows Vista. Any more ideas?
 
See HERE and make your own mind up.

I have no experience of Vista, but I assume you can still use regedit.

At least try and follow the removal instructions.

If they don't work or won't work because you're running Vista, do the following.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly. Note: Not all tools and programmes may work in Vista. If that happens, just proceed to the next step in the instructions.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of adu123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Should I download AVG Antispyware or AVG Anti-Rootkit? Do I have to uninstall Windows Defender before I download them?
 
Just read and follow all the instructions. This includes disabling Windows Defender as per the instructions in step 1.

Regards Howard :)
 
I've downloaded AVG Antispyware and then ran a full system scan, but it didn't detect any spyware or adware. Instead, it detected a lot of tracking cookies. I don't think it helps me; should I uninstall it?
 
I need to see all the requested logfiles.

See below for instructions on how to post logfiles.

Taken from HERE.

Start your new posting at TechSpot by clicking on New Thread
(or use Post Reply in an existing thread).
Scroll down until you see a button Manage Attachments. Click on that and a popup window opens.
Click on the Browse button, find the HijackThis.log file on your PC and double-click on it.
Now click on the Upload button in the popup. When done, click on the Close this window button.
Finish your message text, then click on Submit Message.

Regards Howard :)

 
I've scanned my computer with HijackThis and attached the log file here; I hope it can help.
 

Attachments

  • hijackthis1.txt
    6.6 KB · Views: 8
Where are the rest of the logfiles and the results of the AVG Antirootkit scan?

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

launcher.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode

O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there):

%WINDIR%\SMINST\launcher.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log as well as AVG Antispyware and Combofix logs. Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :)

 
Hey Howard, I want to tell you that I will not be able to post the Combofix logs because my OS is Windows Vista; it wouldn't scan my computer because of that. Also, I could not open AVG Anti-Rootkit for some reason. So the HJT log and AVG Antispyware log are the only two I will be able to post. I will post the AVG Antispyware log later.

What does %WINDIR% mean?

After I booted into safe mode, I performed all the steps you suggested. However, I noticed all of the desktop icons became smaller afterward. Why is that? How do I restore them? I've attached the fresh HJT log and the AVG Antispyware log.

Howard, you should not have suggested that I fix these two items:
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode

O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
because they are nothing to worry about! Now all of my desktop icons have become smaller because I've deleted them. And I don't know how to retrieve launcher because my recycle bin has been missing for quite a long time.
 
Your HJT log is from safe mode, when it should be from normal mode.

Run HJT and click the config button, followed by the backups button.

Tick the little box next to the following entries.

O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode

O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

Now click the restore button and click yes. This should restore those two entries. Reboot your computer.

See HERE for a possible fix to your missing recycle bin.

Your logfiles are clean, though the tracking cookies in AVG Antispyware say No action taken. That's because you didn't follow the instructions properly for using AVG Antispyware.

Are you still having any problems?

Regards Howard :)

 
First of all, I really want to know why you suggested that I fix those two items. Because I did not save HijackThis in the correct directory like I was supposed to, I can't restore them now. I know this because after I ran HijackThis, those two items did not show up on the result list. Any other ideas?
I have good news, though. After I performed a full system scan with Windows Defender, it no longer detected that nasty spyware. It seems to have gone away.
Thank you for all your help!
 
The fact you didn't install HJT to the correct directory is entirely your own fault. The instructions plainly tell you where to install HJT. This is so any changes can be undone, should the need arise.

I told you to fix those entries as one of them is considered to be adware.

O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

The other one I wasn't sure about, but fixing it shouldn't have caused too many problems and of course it should have been easy enough to rectify it.

I'm glad to hear your CnsMin problem seems to be resolved.

Regards Howard :)

 
I think the other one is intended to control the size of all the desktop icons; because I've deleted it, all the desktop icons became smaller. I'm fine with that. Thank you again for your help!
 
No problem mate.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
I already have Windows Defender (anti-spyware) installed on my computer. If I install another antivirus program like AVG Anti-Virus, will they slow down my computer?

I finally restored the recycle bin! The next thing I did was to locate launcher to see its properties. I noticed it was created Wednesday, March 07, 2007, 11:09:52 AM. I purchased this computer in July of this year, so I don't think it is adware of any kind. Am I right? Should I restore it?
 
You should always have antivirus software running and yes, it will slow your PC to some extent, depending on which antivirus you choose. I recommend disabling Windows Defender from running in the background and running the programme manually when you feel the need.

Here are some antivirus programmes I recommend. As far as I'm aware, they are both compatible with Vista.

AVG free or Avast antivirus programmes.

As for the Launcher.exe file, if you're sure it's safe, then by all means restore it.

Regards Howard :)

 
Out of the two antivirus programs you recommended, which one do you think is better? By the way, how do I disable Windows Defender from running in the background? Thank you.
 
Personally I recommend AVG antivirus.

For instructions on how to disable Windows Defender see HERE.

Regards Howard :)

 
Hey Howard, my computer is infected again! I downloaded the Threat Scanner from stopsign.com and then ran a full scan; it detected two pieces of adware.
The following are the two files that are infected:
c:\users\jing\appdata\local\temp\nerodemo12541\toolbar.exe <Adware.MWS.68>
d:\hp\apps\app12294\src\install\games\cakemania-setup.exe:data031:data002 <Adware.SpywareStorm>
I don't know how to remove them, please help me.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

cakemania-setup.exe
toolbar.exe

Close task manager.

Locate and delete the following bold files and/or directories (if there):

c:\users\jing\appdata\local\temp\nerodemo12541 < Delete the entire folder.
d:\hp\apps\app12294\src\install\games\cakemania-setup.exe

Reboot into normal mode and rehide your protected OS files.


Regards Howard :)

 
I am not able to locate either one of those files in the directories shown! I don't see any folder named "appdata" on my C drive, and when I tried to open my D drive, it says: "This area of hard drive contain files used for your PC recovery. Do not delete or alter these files, any change to this partition could prevent any recovery later." It doesn't give me any option to explore! Any advice?
 