StyleZ.BLOG @ Republic Polytechnic

October 15, 2006

A guide to removing chinese popups [www.3721.com]

Filed under: Daily stuff,Every Little Thing — Jasper Mah @ 12:35 am

Hi all, this is my second guide, this time for the Chinese popups problem that the RP student community has been facing. Why did I put http://www.3721.com in the title?

No, it’s not the website to go to in order to fix your problem; it’s the source website that is causing the problem.

Now, one may say, “Hey, I didn’t go to this website”, or, as a joke for the guys, “Were you watching those kinds of stuff again?” and laugh in a wicked manner.

From my understanding of the recent spate of viruses, don’t worry, it’s not one of those problems. I suspect it was the job of RavMonE.exe, which sat dormant on your computer while you forgot to remove it. RavMonE.exe, as covered in the earlier guide, is actually a Trojan.Downloader: it downloads files to your computer whenever it likes, so more than one piece of malware/spyware/adware may appear on your computer, causing more problems and slowing your computer down far more dramatically.

Then again, why would this guide surface?

Normal mainstream anti-spyware programs can detect it, yet they cannot remove it.

Does that mean non-mainstream ones will work?

Not really. Currently I have not found any working against it yet.

Then again..why this guide?

Currently there are only 3 alternatives, namely:

– manual removal

– system restore

– reformat

So this guide is to illustrate manual removal, for when System Restore does not work, or restoration is only possible to a very early date, or you do not want to go to the IT helpdesk to reformat your computer again.

Now, let’s pin down the source of all these Chinese popups, mainly a process called CnsMin.dll.

So what would be the symptoms of CnsMin.dll?

– Chinese words in your Internet Explorer browser, as displayed in the screenshot below: Chinese characters appear at the end of your address bar.

[screenshot: chinese words]

– constant popups from this website:

[screenshot: 3721.com]

3721.com originally distributed Chinese input software, so RP students who read Chinese will see that the website is still promoting Chinese software.

– For users who have run scans with anti-spyware tools, it will be detected as Yahoo! Assistant from a Yahoo! China website, because 3721 Beijing Technology has indeed been acquired by Yahoo! China.

– At the same time, open up your Task Manager and see if the process “CnsMin.dll” is running.

– So how do I remove it?

Today’s guide involves using the Command Prompt, and at the same time it also involves our good ol’ Registry Editor.

HUH?!

What is the Command Prompt?

If you have seen computers from before Windows 95, you should have heard of something called the DOS prompt. The Command Prompt is a cut-down version of DOS that lets you issue commands by typing in a certain word.

How should I run it?

Like the usual method, press the Start button and go to Run…

– but this time, to start the Command Prompt, type in cmd and press Enter.

[screenshot: running cmd]

– The Command Prompt looks like a small version of DOS.

[screenshot: cmd revealed]

– At this point you have indeed come a long way. The real technical stuff is about to begin, so prepare!

Type in this: cd "%WinDir%\Downloaded Program Files"

(Use plain straight quotes when you type it; curly “smart” quotes will not work in the Command Prompt.)

– You should be seeing this in your Command Prompt:

[screenshot: going to dir]

– At this point you can see that the start of your prompt has changed to the new folder’s path.

[Interesting, isn’t it? It allows you to issue commands directly to the files in the folder you are in.]

– What to do now?

We are going to rename the file CnsMin.dll to another name, since the file cannot simply be deleted: it restores itself in an infinite loop, and you will never be able to remove it that way.

– So type in ren CnsMin.dll CnsDel.dll and press Enter.

Now that was complicated, am I done yet?

Umm… not really, it continues on.

So what shall I do now?

– Now, we restart the computer.

– After restarting, go to your Command Prompt again.

– This time, type in the same command again: cd "%WinDir%\Downloaded Program Files"

– Once you are in the same folder again, type in this: del cns*.*

That sure looks weird, but it is indeed typing in del cns*.* – I know that *.* thing looks like an emoticon, but you really do need to type it in. (The * is a wildcard, so this deletes every file in that folder whose name starts with cns, including the renamed CnsDel.dll.)

– Wah, am I done yet….

Sorry, no again. Now we edit the registry with the Registry Editor, commonly known as the regedit we launch from “Run…”.

What am I supposed to delete this time?

– There are quite a few registry keys to delete, in 3 locations, namely:

– hkey_classes_root

– hkey_current_user

– hkey_local_machine

Let’s begin with our HKEY_CLASSES_ROOT section.

The first key is at HKEY_CLASSES_ROOT\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}

How do I access it? (for first-time users)

1st: click the “+” button beside HKEY_CLASSES_ROOT. (After expanding it, you will surely be amazed by the amount of stuff in this program.) Press Ctrl + F and put in CLSID. You should be in this folder after finding it (as shown in the image below):

[screenshot: CLSID]

OMG! How am I supposed to find this key {B83FC273-3522-4CC6-92EC-75CC86678DA4}?

Tip: Press Ctrl + F. It activates the “Search” function, so copy and paste part of the registry key to get to that section easily.

– As usual, once you have found the registry key, delete it by selecting its folder and pressing the Delete key on your keyboard.

– If asked for confirmation to delete, choose Yes.

To continue, under HKEY_CLASSES_ROOT there are a few more keys to delete, which are:


HKEY_CLASSES_ROOT\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}
HKEY_CLASSES_ROOT\CnsHelper.CH
HKEY_CLASSES_ROOT\CnsHelper.CH.1
HKEY_CLASSES_ROOT\CnsMinHK.CnsHook
HKEY_CLASSES_ROOT\CnsMinHK.CnsHook.1

For the HKEY_CURRENT_USER section, the registry key to look out for would be

– HKEY_CURRENT_USER\Software\3721

For the HKEY_LOCAL_MACHINE section, the registry keys to look out for would be

– HKEY_LOCAL_MACHINE\Software\3721
– HKEY_LOCAL_MACHINE\Software\InterChina
– HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions\!CNS
– HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ed-B850-E423120EC338}
– HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}
– HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CnsMin
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CnsMin

Finally, restart your computer again and check for all the CnsMin.dll symptoms I mentioned earlier. If none of them remain, your job of removal is complete. It may be difficult to remove, for Chinese malware such as this is on the loose and is known to be a big problem.
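As an added example (my own script, not part of the original post and not anything from 3721), here is a batch file that puts the whole procedure above in one place: run it with no arguments to report whether the CnsMin.dll file or any of the listed registry keys are present, and with /remove to perform the rename, then (after the reboot) the delete, and to delete the keys. It assumes reg.exe (shipped with Windows XP and later) and an administrator account; the /remove switch is this script’s own convention.

```batch
@echo off
rem Added example (not from the original post): report the CnsMin.dll file and
rem the 3721 registry keys listed in this guide; with /remove, carry out the
rem guide's rename / reboot / delete steps and delete the keys. Assumes reg.exe
rem (shipped with Windows XP and later) and an administrator account. The /remove
rem switch is this script's own convention.
setlocal
set "DPF=%WinDir%\Downloaded Program Files"
set FOUND=0

if exist "%DPF%\CnsMin.dll" (echo [!] File present: "%DPF%\CnsMin.dll" & set FOUND=1)
if exist "%DPF%\CnsDel.dll" (echo [!] Renamed copy present: "%DPF%\CnsDel.dll" & set FOUND=1)

rem Every key the guide lists, in reg.exe's short hive names (HKCR, HKCU, HKLM).
for %%K in (
  "HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}"
  "HKCR\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}"
  "HKCR\CnsHelper.CH" "HKCR\CnsHelper.CH.1"
  "HKCR\CnsMinHK.CnsHook" "HKCR\CnsMinHK.CnsHook.1"
  "HKCU\Software\3721" "HKLM\Software\3721" "HKLM\Software\InterChina"
  "HKLM\Software\Microsoft\Internet Explorer\AdvancedOptions\!CNS"
  "HKLM\Software\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ed-B850-E423120EC338}"
  "HKLM\Software\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}"
  "HKLM\Software\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}"
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CnsMin"
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\CnsMin"
) do (
  reg query %%K >nul 2>&1 && (
    echo [!] Registry key present: %%~K
    set FOUND=1
    if /i "%~1"=="/remove" reg delete %%K /f >nul && echo     ... deleted
  )
)

if "%FOUND%"=="0" (echo No CnsMin / 3721 artifacts found. & goto :eof)
if /i not "%~1"=="/remove" (echo Re-run as "%~nx0 /remove" to clean up. & goto :eof)

rem The DLL cannot simply be deleted while it is loaded, so follow the guide:
rem rename it first, reboot, then delete the renamed copy and any other cns* files.
if exist "%DPF%\CnsMin.dll" (
  ren "%DPF%\CnsMin.dll" CnsDel.dll && echo Renamed CnsMin.dll. Reboot, then run "%~nx0 /remove" again.
) else (
  del /q "%DPF%\cns*.*" 2>nul
  echo Deleted cns* files from "%DPF%".
)
```

Running it once more without /remove after the second reboot is the same check as the last step of the guide: a clean machine prints only the “no artifacts found” line.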

Note: This method currently only applies to those affected by popups from http://www.3721.com and by cnsmin.dll. I will be looking into other Chinese malware, but this is currently my alternative for the one circulating on the Internet, targeting RP users affected by RavMonE.exe.

The Internet Tips & Tricks of Surfing Guide shall be released tomorrow, with an introduction to the Firefox browser (The NeXt mainstream browser).

Thank you for reading this guide.

– StyleZ
“Play with Originality, Play with StyleZ”


1 Comment »

  1. Bush and the Republicans were not protecting us on 9-11, and we aren’t a lot safer now. We may be more afraid due to george bush, but are we safer? Being fearful does not necessarily make one safer. Fear can cause people to hide and cower. What do you think? Why has bush turned our country from a country of hope and prosperity to a country of belligerence and fear.
    Our country is in debt until forever, we don’t have jobs, and we live in fear. We have invaded a country and been responsible for thousands of deaths.
    We have lost friends and influenced no one. No wonder most of the world thinks we suck. Thanks to what george bush has done to our country during the past three years, we do!

    Comment by Antibush — February 15, 2007 @ 3:15 pm | Reply

