CnsMin d

Discussion in 'ewido anti-spyware forum' started by greenhatch, Apr 13, 2006.

Thread Status:
Not open for further replies.
  1. greenhatch

    greenhatch Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    58
    Ewido did not detect the CnsMin data miner that AdAware detected. Did Ewido fail where it should not? Neither the resident protection nor the chosen scan detected the CnsMin.
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    AdAware is an anti-spyware anti-adware scanner while ewido started out primarily as an anti-trojan. Although ewido covers anti-malware in general it concentrates its efforts on the more dangerous nasties, any lesser grade stuff it finds is just a bonus.

    CnsMin is not a virus or trojan, it is adware:-

    http://vil.nai.com/vil/content/v_103736.htm

    http://www.spywareguide.com/product_show.php?id=469

    This is why it is a good idea to use more than one scanner, no single scanner finds everything, but clearly AdAware is more geared towards adware type problems - though even AdAware does not find all adware.

    What exactly did AdAware find? Did you have the whole caboodle installed on your machine, or did it just find a Reg trace, a lone file, or what?
     
  3. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    On http://www.ewido.net/en/, it says:

    We offer you realtime protection against these threats:

    Hijackers and Spyware
    Secure surfing in the Internet without fear of annoying changes of the start page of your browser, tracking cookies and advertising bars.

    Since it says Ewido covers spyware and advertising bars, does it mean that it will also cover adware? Or strictly Spyware only and not adware?
     
  4. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    You didn't notice a thing about CnsMin before scanning with AdAware?

    Gerard
     
  5. greenhatch

    greenhatch Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    58
    CnsMin did not appear to adversely affect me before it was detected. Seven items of CnsMin were removed in all. Surely data miners are a type of spyware, which Ewido proudly states that it covers?
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Yes, it's spyware:-

    http://www.f-secure.com/sw-desc/cnsmin.shtml

    What items were found - files, processes, Reg keys or what?

    Have you ruled out the possibility of a FP?

    AdAware added definitions for CnsMin in its 10th April update. There have already been reports of false positives in this definition file and it has had to be replaced. How do you know that yours were not FP's as well?:-

    http://castlecops.com/p541182-Ad_Aware®_SE_Definition_File_Updates.html

    Were these the seven items you found?:-

    http://www.spywaredata.com/spyware/search/details/clsid.php?id=82918
     
    Last edited: Apr 14, 2006
  7. greenhatch

    greenhatch Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    58
    I attach a screenprint of the CnsMin detected by Adaware, from the saved report. Do they look like they should be deleted? I don't know, I tend to trust the program scan results, since I know no better. I did notice that Adaware's next update in beta includes a reference to CnsMin, so who knows, it might be a correction to false positives.


     

    Last edited by a moderator: Apr 15, 2006
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    It's found one Reg Key and the values on that key. Unfortunately I can't make out the full CLSID number so I can't Google it to see what it belongs to. But it is not one of the CLSIDs mentioned in this link:-

    http://www.spyany.com/program/article_spy_rm_CnsMin.html

    If you really did have CnsMin installed on your system you would have a lot more than one Reg key and its values. Unless it was a Registry trace from some earlier infection.

    For this reason I would consider this a false positive unless proven otherwise. So the first thing to do is try and discover exactly what AdAware deleted. Google the CLSID to find out what the Reg key relates to. You may need to consider taking it out of quarantine and putting it back if necessary. By looking in Regedit you would then be able to see from the Key what it relates to. The Key normally carries extensions for things like Sun Java and Windows Messenger; and although it is true CnsMin does use the Key I don't know what your CLSID is connected with.
     
  9. greenhatch

    greenhatch Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    58
    Thanks, Topper, for your comments but I'm afraid I didn't understand half of what you said there. However I have attached a better screenprint that doesn't cut off any numbers.


     

    Last edited by a moderator: Apr 15, 2006
  10. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Yes, it is a false positive, the Reg Key that AdAware has deleted relates to your Yahoo Messenger:-

    http://castlecops.com/o9list-28.html

    No wonder ewido couldn't find CnsMin, you didn't have it at all!

    Luckily you've kept the deleted items in quarantine so you can easily return them to the Registry.

    Incidentally, if you really had CnsMin you'd have had a running process:-

    http://www.tasklist.org/task_Rundll32_exeCNSMIN_DLL_Rundll32_569.html

    together with a whole load of other files and Reg changes, none of which you had:-

    http://www.scanspyware.net/info/CnsMin.htm
     
  11. greenhatch

    greenhatch Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    58
    Thanks for your help, Topper. So, no wonder Ewido didn't alert me to 'CnsMin' in real time monitoring (my original dig), it was not spyware in my system! I have now restored the false positives. I assume that the next Adaware update is going to correct their signatures database. I hadn't used Yahoo for a little while, having switched to Trillian. Luckily I don't seem to get many detections (or 'detections') when I scan with any one of half a dozen programs. It looks like I should always try to research detections and not just try to rely wholly on the notice pop-ups. I have heard now that A-Squared and Adaware often spew up false positives and I will be particularly wary of their apparent detections in future (when not simple tracking cookies).
     
    Last edited: Apr 16, 2006