Can't get rid of CNSMin

I'm at my wits' end (not that that's very far). I have a client machine with CNSMin.dll and its various other files. After tons of research and following numerous directions, I am unable to get rid of this pernicious bugger.

I've tried deleting the various files and registry entries, only to have them come back. It's all related to a running process (rundll32.exe) that I can't kill. One of the startup entries in the Run key in the registry calls "Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32" to start the process.

I can't delete the registry entry without the process recreating it immediately. I can't kill the process itself because it immediately restarts. I've tried using various process killers, tried killing it by PID, everything. It doesn't even have time to blink off the screen before it's back and running again.

I've tried booting into safe mode and doing all of the above from there. Somehow the process runs in safe mode also, and I still can't kill it.

I've tried deleting the files in c:\Windows\downloaded program files\cns*, but I can only see them in the DOS window (Explorer won't show them. Yes, I have it set to show all files, including hidden and system). As soon as I delete CNSMin.dll and CNSIO.dll, they are immediately recreated. Same with renaming them. Then the various other CNS*.* files are recreated.

I can't figure out how the process is started in safe mode. I thought safe mode was supposed to bypass all the startup items. Apparently not.

I've checked all the services and killed any non-necessary ones (set them to disabled). I figured a necessary system file was appended with the code for this and ran SFC /Scannow to try to fix it. No change.

If I try to delete or rename rundll32.exe, a new file is immediately created under c:\windows\system32. Obviously, the running process is recreating it.

I've tried various antispyware software that claims to get rid of this (AdAware, XoftSpy 4.13, etc), but all they do is automate all the steps that I've tried manually. Since the process is running and being monitored somehow, all the stuff it deletes is immediately recreated.

So my question is basically, how do I kill a running process and prevent it from restarting? There has to be another process monitoring it, but I've killed all the non critical ones.

I've removed hundreds of spyware and virus components over the years, but never run into anything like this before.

Any suggestions before I delete the partition and start fresh?


Blackwood
DingusAsked:
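The question describes the persistence mechanism exactly: a Run key value that launches Rundll32.exe against a DLL under Downloaded Program Files (written with the 8.3 short name DOWNLO~1). The script below is an added example, not something posted in this thread, that audits the Run and RunOnce keys for that pattern and lists the Downloaded Program Files directory with hidden and system files included. It is read-only and assumes a modern PowerShell (3 or later) session; the rule "a rundll32 DLL outside the system directory is worth reviewing" is a heuristic I am assuming, so treat hits as leads rather than verdicts.

```powershell
# Added example, not from the thread: audit Run/RunOnce keys for rundll32
# entries of the form "Rundll32.exe <path>\Something.dll,<entry>" and flag
# DLLs loaded from outside the system directory. Read-only; changes nothing.
# Assumes PowerShell 3+. The "outside system32 is suspicious" rule is a
# heuristic (assumption); legitimate entries can trip it, so review the output.
function Get-RunDllAutostarts {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $systemDir = [Environment]::GetFolderPath('System')   # e.g. C:\WINDOWS\system32
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }   # skip provider bookkeeping
            $cmd = [string]$p.Value
            # "rundll32[.exe] <dll>,<entry>", any case, with or without quotes
            if ($cmd -notmatch '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)') { continue }
            $dll   = $Matches[2]
            $entry = $Matches[3]
            # Expand 8.3 short names such as DOWNLO~1 so the path can be compared.
            # -Force also resolves hidden/system files that Explorer would not list.
            try   { $full = (Get-Item -LiteralPath $dll -Force -ErrorAction Stop).FullName }
            catch { $full = $dll }
            $outside = -not $full.StartsWith($systemDir, [StringComparison]::OrdinalIgnoreCase)
            $flag = if ($outside) { 'DLL outside system dir - review' } else { 'ok' }
            [PSCustomObject]@{
                Key        = $key
                ValueName  = $p.Name
                Dll        = $full
                EntryPoint = $entry
                Exists     = (Test-Path -LiteralPath $full)
                Flag       = $flag
            }
        }
    }
}

# The question reports that Explorer does not show the CNS* files even with
# hidden/system files enabled; -Force lists them if the filesystem reports them.
function Get-DownloadedProgramFiles {
    $dir = Join-Path $env:windir 'Downloaded Program Files'
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Force |
            Select-Object Name, Length, Attributes, LastWriteTime
    }
}

Get-RunDllAutostarts    | Format-Table -AutoSize
Get-DownloadedProgramFiles | Format-Table -AutoSize
```

If the Run key entry shows a DLL that `Get-ChildItem -Force` does not list, the discrepancy itself is the useful finding: a file reachable by full path but absent from a directory listing points at something filtering the listing, which is what r-k's later RootkitRevealer suggestion is about.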

sirbountyCommented:
See if this would help: http://labs.paretologic.com/spyware.aspx?remove=CnsMin

And/or - try downloading hijackthis from http://hijackthis.de
Save it to your desktop and run it - posting your log to the same site.
At the bottom of your log is a link to your log - post the link, not the log, here.
Rundll32 is a valid Windows file...WFP (Windows File Protection) prevents you from deleting that file - not the malware...
DingusAuthor Commented:
I've followed those directions. Everything that I delete is recreated within a few minutes.

I've run Hijackthis several times. The BHO and registry entry it deletes are recreated before I can reboot or run it again.

I've posted the log here: http://www.blackwoodtech.com/linked/hijackthis.log

I know that Rundll32.exe is a valid file. It's still a killable process though. With CNSMin, it can't be killed though.

Blackwood

Aland CoonsSystems EngineerCommented:
These folks don't seem to think they can get rid of it either.
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453072511

Have you tried running the commercial spy-ware program Spy Sweeper?  www.webroot.com
I'm curious to know if it will remove it.  They have a fully functional 14-day or 30-day demo.

Also, can you change the attribute to deny SYSTEM the ability to read or access the .DLL or .EXE and other support files?
I have found that effective to kill apps. I usually set the security flag and immediately reboot.

Have you figured out if there is a twin process that is monitoring this one to keep it running and active?



sirbountyCommented:
You have several instances of the file throughout that log - have you attempted clearing these via Hijackthis in safe mode?

Also try Start->Run->MSconfig
From the services tab check the hide all non-MS services and deselect the remaining.
Deselect all items from the startup tab and reboot and determine if it is still running.
If it is, try Start->Run->SFC /Scannow

Post back with the results...
r-kCommented:
This was alluded to by alandc above, but this is what I would suggest:

You can change permissions on the file so that it cannot be used by anyone, then reboot.

(0) If running XP Home, reboot in safe mode (not needed for XP Pro)

(1) Right click on the file in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Close all windows.

(6) Reboot.

This will render the file harmless and prevent it from running.

Since you have more than one offending file, you may need to repeat steps (1) to (4) above for as many files as you can identify before doing step (5).

Also after the reboot, you may need to see what is left and repeat the whole process.

Good luck.
DingusAuthor Commented:
SirBounty, I've tried clearing the entries with Hijackthis and MSconfig in standard and safe mode. They come back almost instantly because the process is running.

AlanDC and R-K, I can't set file permissions on the files because they don't show up in Windows Explorer at all. The only way I can see them is to navigate to them in a DOS box.

AlanDC, you did give me an idea though. I'm going to boot into SafeMode - Command prompt only and try to delete them there. If that doesn't work, I'll boot into the Recovery Console and see if I can get rid of them there. Once I get rid of the files under window\downloaded program files it should solve the overall problem.

I won't be able to try this until tonight, so I'll post my results later this evening.

Thank you.


Blackwood
sirbountyCommented:
Have you considered/tried system restore?

Booting into safemode with command prompt is certainly an option.
Additionally, it might be a better idea rather than simply deleting the dll, as you don't know what's generating it, to delete the file CNSMin.dll and then create a FOLDER with the same name.  Whatever is recreating the file will be stopped cold and you may get an error from the calling app, allowing you to identify it...

Good luck!
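Three remediation ideas in this thread fit one script: r-k's steps (1) to (4) (stop inheriting permissions and remove every access entry, then reboot), Aland Coons' earlier suggestion of an explicit Deny for SYSTEM, and sirbounty's trick of deleting the DLL and creating a folder with the same name. The script below is an added example, not code from anyone in the thread. It works by full path rather than through Explorer, so Dingus's objection that the files are not visible in Explorer does not apply. It assumes an elevated PowerShell 3+ session and uses the file paths the thread names; the script filename Lock-CnsFiles.ps1 is my own choice.

```powershell
# Added example, not from the thread: script the lockdown r-k describes in
# steps (1)-(4) (stop inheriting, remove every ACE), with Aland Coons' variant
# of an explicit Deny for SYSTEM, and optionally sirbounty's "replace the file
# with a folder of the same name" trick. Works by full path, so files Explorer
# hides are still reachable. Assumes an elevated PowerShell 3+ session; the
# target paths are the ones the thread names. Reboot afterwards, as step (6)
# says: a DLL already mapped into a running process keeps running until the
# file is next opened, and that open is what the new ACL blocks.
param(
    [string[]]$Targets = @(
        (Join-Path $env:windir 'Downloaded Program Files\CnsMin.dll'),
        (Join-Path $env:windir 'Downloaded Program Files\CnsIO.dll')
    ),
    [switch]$ReplaceWithFolder
)

foreach ($path in $Targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found (or hidden from this session): $path"
        continue
    }

    if ($ReplaceWithFolder) {
        # sirbounty's trick: whatever recreates the file now fails, and the
        # error from the calling program may identify it.
        Remove-Item -LiteralPath $path -Force
        New-Item -ItemType Directory -Path $path | Out-Null
        Write-Host "Replaced with an empty folder: $path"
        continue
    }

    # Steps (1)-(4): stop inheriting from the parent and drop the inherited
    # ACEs, then any explicit ones that remain, so no principal has rights.
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)   # isProtected=true, preserveInheritance=false
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    # Aland Coons' variant: a Deny ACE for SYSTEM, so a service account cannot
    # map the DLL either. Deny entries are evaluated before Allow entries.
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM',
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $path -AclObject $acl
    Write-Host "Access removed and SYSTEM denied: $path (reboot to take effect)"
}
```

Run it as `.\Lock-CnsFiles.ps1` for the permission lockdown, or `.\Lock-CnsFiles.ps1 -ReplaceWithFolder` for the folder trick. Note that when a process holds the DLL open, `Remove-Item` fails just as the manual deletion did; the ACL route does not need the delete to succeed, which is why it is the default here and why the reboot matters.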

r-kCommented:
If you can't find the files at all, (and you have made sure that Windows Explorer options are set to show all files and not hide system files), then I would also suggest running RootkitRevealer from:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html

A rootkit in a general sense is just a program that hides itself.
Phil_AgcaoiliCommented:
This may be a dumb question, but...

Have you run Windows Update on the infected system?
Try the new Microsoft Update (it updates the OS, SQL Server, Exchange, MS Office, and other MS apps...it's in beta):
http://update.microsoft.com/

Then run the safe mode checks in the instructions above.

Bad news if these instructions don't work...
Copy important files over to another location and reinstall.
DingusAuthor Commented:
I managed to kill the little b*stard. It took booting from the CD, using the recovery console, and deleting the files from there. SirBounty put me on the trail for that with the safe mode command prompt idea (that wouldn't load NTOSKRNL.exe for some reason).

Once I had the files under c:\windows\downloaded program files\cns*.* deleted, the registry entries and startup entries were a snap to delete.

Thank god something worked.

Phil, I had all the current windows updates on the machine.

There had to be another process that was monitoring it, but I couldn't find it. I killed everything that wasn't absolutely critical, but it was still being monitored somehow. Oh well.

I'll split the points on this.

Thanks for the help guys.
sirbountyCommented:
As a follow-up - you said you've got all the updates, but you're still at SP1...might want to consider SP2 at some point...glad you got it off there... :)
r-kCommented:
Thanks for the feedback on what finally worked.