Dingus


Can't get rid of CNSMin

I'm at my wits' end (not that that's very far). I have a client machine with CNSMin.dll and its various other files. After tons of research and following numerous directions, I am unable to get rid of this pernicious bugger.

I've tried deleting the various files and registry entries, only to have them come back. It's all related to a running process (rundll32.exe) that I can't kill. One of the startup entries in the Run key in the registry calls "Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32" to start the process.

I can't delete the registry entry without the process recreating it immediately. I can't kill the process itself because it immediately restarts. I've tried using various process killers, tried killing it by PID, everything. It doesn't even have time to blink off the screen before it's back and running again.

I've tried booting into safe mode and doing all of the above from there. Somehow the process runs in safe mode also, and I still can't kill it.

I've tried deleting the files in c:\Windows\downloaded program files\cns*, but I can only see them in the DOS window (Explorer won't show them. Yes, I have it set to show all files, including hidden and system). As soon as I delete CNSMin.dll and CNSIO.dll, they are immediately recreated. Same with renaming them. Then the various other CNS*.* files are recreated.

I can't figure out how the process is started in safe mode. I thought safe mode was supposed to bypass all the startup items. Apparently not.

I've checked all the services and killed any non-necessary ones (set them to disabled). I figured a necessary system file was appended with the code for this and ran SFC /Scannow to try to fix it. No change.

If I try to delete or rename rundll32.exe, a new file is immediately created under c:\windows\system32. Obviously, the running process is recreating it.

I've tried various antispyware software that claims to get rid of this (AdAware, XoftSpy 4.13, etc.), but all they do is automate all the steps that I've tried manually. Since the process is running and being monitored somehow, all the stuff it deletes is immediately recreated.

So my question is basically, how do I kill a running process and prevent it from restarting? There has to be another process monitoring it, but I've killed all the non-critical ones.

I've removed hundreds of spyware and virus components over the years, but never run into anything like this before.

Any suggestions before I delete the partition and start fresh?


Blackwood
OS Security

Last Comment
r-k

8/22/2022 - Mon