CnsMin d

Ewido did not detect the CnsMin data miner that AdAware detected. Did Ewido fail where it should not? Neither the resident protection nor the chosen scan detected the CnsMin.

 

AdAware is an anti-spyware anti-adware scanner while ewido started out primarily as an anti-trojan. Although ewido covers anti-malware in general it concentrates its efforts on the more dangerous nasties, any lesser grade stuff it finds is just a bonus.

CnsMin is not a virus or trojan, it is adware:-

http://vil.nai.com/vil/content/v_103736.htm

http://www.spywareguide.com/product_show.php?id=469

This is why it is a good idea to use more than one scanner, no single scanner finds everything, but clearly AdAware is more geared towards adware type problems - though even AdAware does not find all adware.

What exactly did AdAware find? Did you have the whole caboodle installed on your machine, or did it just find a Reg trace, a lone file, or what?

 

On http://www.ewido.net/en/, it says:

We offer you realtime protection against these threats:

Hijackers and Spyware
Secure surfing in the Internet without fear of annoying changes of the start page of your browser, tracking cookies and advertising bars.

Since it says Ewido covers spyware and advertising bars, does it mean that it will also cover adware? Or strictly Spyware only and not adware?

 

You didn't noticed a thing about CnsMin before scanning with AdAware?

Gerard

 

CnsMin did not appear to adversely affect me before it was detected. Seven items of CnsMin were removed in all. Surely data miners are a type of spyware, which Ewido proudly states that it covers?

 

Yes, it's spyware:-

http://www.f-secure.com/sw-desc/cnsmin.shtml

What items were found - files, processes, Reg keys or what?

Have you ruled out the possibility of a FP?

AdAware added definitions for CnsMin in its 10th April update. There have already been reports of false positives in this definition file and it has had to be replaced. How do you know that yours were not FP's as well?:-

http://castlecops.com/p541182-Ad_Aware®_SE_Definition_File_Updates.html

Were these the seven items you found?:-

http://www.spywaredata.com/spyware/search/details/clsid.php?id=82918

 

I attach a screenprint of the CnsMin detected by Adaware, from the saved report. Do they look like they should be deleted? I don't know, I tend to trust the program scan results, since I know no better. I did notice that Adaware's next update in beta includes a reference to CnsMin, so who knows, it might be a correction to false positives.

 

It's found one Reg Key and the values on that key. Unfortunately I can't make out the full CLSID number so I can't Google it to see what it belongs to. But it is not one of the CLSIDS mentioned in this link:-

http://www.spyany.com/program/article_spy_rm_CnsMin.html

If you really did have CnsMin installed on your system you would have a lot more than one Reg key and its values. Unless it was a Registry trace from some earlier infection.

For this reason I would consider this a false positive unless proven otherwise. So the first thing to do is try and discover exactly what AdAware deleted. Google the CLSID to find out what the Reg key relates to. You may need to consider taking it out of quarantine and putting it back if necessary. By looking in Regedit you would then be able to see from the Key what it relates to. The Key normally carries extentions for things lke Sun Java and Windows Messenger; and although it is true CnsMin does use the Key I don't know what your CLSID is connected with..

 

Thanks, Topper, for your comments but I'm afraid I didn't understand half of what you said there. However I have attached a better screenprint that doesn't cut off any numbers.

 

Yes, it is a false positive, the Reg Key that AdAware has deleted relates to your Yahoo Messenger:-

http://castlecops.com/o9list-28.html

No wonder ewido couldn't find CnsMin, you didn't have it at all!

Luckily you've kept the deleted items in quarantine so you can easily return them to the Registry.

Incidently, if you really had CnsMin you'd have had a running process:-

http://www.tasklist.org/task_Rundll32_exeCNSMIN_DLL_Rundll32_569.html

together with a whole load of other files and Reg changes, none of which you had:-

http://www.scanspyware.net/info/CnsMin.htm

 

Thanks for your help, Topper. So, no wonder Ewido didn't alert me to 'CnsMin' in real time monitoring (my original dig), it was not spyware in my system! I have now restored the false positives. I assume that the next Adaware update is going to correct their signatures database. I hadn't used Yahoo for a little while, having switched to Trillian. Luckily I don't seem to get many detections (or 'detections') when I scan with any one of half a dozen programs. It looks like I should always try to research detections and not just try to rely wholly on the notice pop-ups. I have heard now that A-Squared and Adaware often spew up false positives and I will be particularly wary of their apparent detections in future (when not simple tracking cookies).