A closer look at the 3721 network real name "virus" - Loophole Research

Source: Internet
Author: User
Recently, browsing certain portal sites will install an IE plug-in called "3721 network real name" without your knowledge. Although these portals and 3721 mean well, unilaterally installing a plug-in like this is inappropriate. The reason for calling it a virus is that it also starts automatically at boot and, although it brings some convenience, it makes the system extremely unstable and slows down Internet access. On the S8s8.net forum I saw many netizens say that an explorer.exe error message often appears at shutdown. I was also badly affected by it, and after studying it carefully I found that the problem lies in this "3721 network real name" plug-in. More exasperating still, perhaps because the program was written hastily, it has no uninstall function at all!
Its source code is attached here; from the code you can see that this is not a Trojan horse. But the program is poorly written ...
    #include <windows.h>
    #include <winbase.h>
    #include <string.h>

    // Uses char buffers, so build without UNICODE defined.
    int main()
    {
        // Get the Windows directory, e.g. c:\winnt
        char buf[MAX_PATH];
        ::ZeroMemory(buf, MAX_PATH);
        ::GetWindowsDirectory(buf, MAX_PATH);

        // For each plug-in DLL, build its full path and schedule the file for
        // deletion at the next reboot (NULL destination = delete).
        char filename[MAX_PATH];
        ::ZeroMemory(filename, MAX_PATH);
        strcpy(filename, buf);
        strcat(filename, "\\Downloaded Program Files\\cnsminio.dll");
        ::MoveFileEx(filename, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);

        ::ZeroMemory(filename, MAX_PATH);
        strcpy(filename, buf);
        strcat(filename, "\\Downloaded Program Files\\cnsmin.dll");
        ::MoveFileEx(filename, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);

        ::ZeroMemory(filename, MAX_PATH);
        strcpy(filename, buf);
        strcat(filename, "\\Downloaded Program Files\\cnsio.dll");
        ::MoveFileEx(filename, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
        return 0;
    }
The following is a detailed procedure for uninstalling this plug-in.
Because the 3721 network real name plug-in loads its dynamic-link library through Rundll32.exe, and the system cannot terminate that Rundll32.exe process, we have to restart the computer and press F8 to enter Safe Mode (press F8 only once, not repeatedly!). Then click Start -> Run, start Regedit.exe to open the registry, and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Delete value: CnsMin
Its data is: Rundll32.exe c:\winnt\downlo~1\cnsmin.dll,rundll32
(On Win98, c:\winnt\downlo~1\ here is c:\windows\downlo~1\.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\
Delete the entire key: !CNS
This key adds the 3721 network real name options to Internet Options -> Advanced.
HKEY_LOCAL_MACHINE\SOFTWARE\3721\ and HKEY_CURRENT_USER\Software\3721\
Delete the entire key: 3721
Note: if you have other 3721 software installed, such as "flying cats", you should delete only
the entire key: HKEY_LOCAL_MACHINE\SOFTWARE\3721\CnsMin
and HKEY_CURRENT_USER\Software\3721\CnsMin
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
Delete value: Cnsenable (its data is: a2c39d5f)
Delete value: Cnshint (its data is: a2c39d5f)
Delete value: Cnslist (its data is: a2c39d5f)
After deleting the registry entries, you also need to delete the 3721 network real name files stored on your hard disk.
Delete the following files:
In the c:\winnt\downlo~1 directory
(on Win98, c:\winnt\downlo~1\ here is c:\windows\downlo~1\):
2001-08-09 15:34 <DIR>   3721
2001-08-02 17:03  40,960 Cnsio.dll
2001-08-08 14:14 102,400 CnsMin.dll
2001-08-24 23:14         Cnsmin.ini
2001-08-09 10:18  13,848 Cnsminex.cab
2001-07-06 17:57  32,768 CnsMinEx.dll
2001-08-25 02:52         Cnsminex.ini
2001-08-25 02:51  17,945 Cnsminio.cab
2001-08-02 17:02  32,768 CnsMinIO.dll
2001-08-24 23:15  40,793 Cnsminup.cab
In the c:\winnt\downlo~1\3721 directory:
2001-08-02 17:03  40,960 Cnsio.dll
2001-08-24 15:53 102,400 CnsMin.dll
2001-07-06 17:59     213 Cnsmin.inf
2001-08-24 15:48  28,672 CnsMinIO.dll
Once all of the above files are deleted, the 3721 network real name "virus" is completely cleared from your computer.
Finally, restart your computer into normal mode. You are now completely free of the trouble caused by 3721 network real name!
..::: [end]:::..
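To confirm that the registry cleanup above is complete, the listed keys and values can be checked against a registry export. The following Python sketch is an added example, not part of the original article; the function names and the sample export are constructed for illustration, and the export text is assumed to be already decoded to a string.

```python
import re
# Leftovers named in the steps above. (key, name) is one value; (key, None) is a
# whole key with its subkeys. All comparisons are case-insensitive.
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "CnsMin"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS", None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\3721", None),
    (r"HKEY_CURRENT_USER\Software\3721", None),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Cnsenable"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Cnshint"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Cnslist"),
]

def parse_reg(text):
    """Parse regedit export text into {key path: {value name: raw data}}, lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            current[m.group(1).lower()] = m.group(2)
    return keys

def find_leftovers(text):
    """Return the entries of INDICATORS that are still present in the export."""
    keys, hits = parse_reg(text), []
    for path, value in INDICATORS:
        p = path.lower()
        if value is None:
            # A whole-key indicator matches the key itself or any subkey.
            if any(k == p or k.startswith(p + "\\") for k in keys):
                hits.append(path)
        elif value.lower() in keys.get(p, {}):
            hits.append(path + "\\" + value)
    return hits

# Constructed sample export (not from a real machine): a partly cleaned system.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CnsMin"="Rundll32.exe c:\\winnt\\downlo~1\\cnsmin.dll,rundll32"

[HKEY_CURRENT_USER\Software\3721\CnsMin]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Cnshint"="a2c39d5f"
'''

print(find_leftovers(SAMPLE))
```

An empty result means none of the listed entries remain; a hit on a 3721 key is expected if other 3721 software was deliberately kept, as the note in the procedure describes.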
The following is a method for blocking 3721:
After uninstalling 3721, open c:\windows\hosts (search for it; its description is "File") in Notepad and add the following lines (with a space between the IP address and the domain name):
0.0.0.0 www.3721.com
0.0.0.0 cnsmin.3721.com
0.0.0.0 download.3721.com
Save the file under the name hosts (be careful not to add any extension). On Windows 98/Me, save the file to the Windows directory; on Windows 2000/XP, save it to the Winnt\system32\drivers\etc directory. If you already have a hosts file, replace it directly. Then open the browser and observe the result. You no longer see the 3721 dialog, do you?
Similarly, the hosts file can also deal with ads on web pages. Many large websites now serve ads from dedicated hosts; by viewing the source of a page you can see which host the ad files are stored on, and then have the hosts file resolve that host's IP so that those ads are shut out.
You can also speed up browsing of a site: x.x.x.x (space) www.x.com (where x.x.x.x is the site's real IP)
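The step above replaces an existing hosts file outright, which also discards any mappings already in it. The following Python function is an added example, not part of the original article; merge_hosts and the sample file are constructed for illustration. It adds the article's block entries while keeping unrelated entries, and gives the same result when run repeatedly.

```python
# Domains taken from the hosts entries listed above.
BLOCKED = ["www.3721.com", "cnsmin.3721.com", "download.3721.com"]

def merge_hosts(existing, domains=BLOCKED, sink="0.0.0.0"):
    """Return hosts text that maps `domains` to `sink` and keeps all other entries."""
    wanted = {d.lower() for d in domains}
    out = []
    for line in existing.splitlines():
        body, _, comment = line.partition("#")
        fields = body.split()
        names = fields[1:]                      # host names after the IP address
        keep = [n for n in names if n.lower() not in wanted]
        if len(keep) == len(names):
            out.append(line)                    # comment, blank or unrelated mapping
        elif keep:                              # line mixes blocked and other names
            rest = " ".join([fields[0]] + keep)
            out.append(rest + (" #" + comment if comment else ""))
        # A line that only mapped blocked names is dropped and re-added below.
    out.extend(f"{sink} {d}" for d in domains)
    return "\n".join(out) + "\n"

# Constructed sample of an existing hosts file.
SAMPLE = (
    "127.0.0.1 localhost\n"
    "10.0.0.5 intranet.example # constructed entry\n"
    "127.0.0.1 WWW.3721.COM old.example\n"
)

if __name__ == "__main__":
    print(merge_hosts(SAMPLE), end="")
```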
..::: [Other]:::..
With a multi-page browser, you can also add
3721.com 218.244.44.10
3721.net 202.106.148.154
www.3721.com 218.244.44.10
www.3721.net 202.106.148.154
download.3721.com 218.244.44.34
download.3721.net 218.244.44.35
to the blacklist,
or block the whole class C ranges:
218.244.44.*
202.106.148.*
The hosts file is attached below:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.0.0.1 3721.com # 3721 network real name
127.0.0.1 3721.net # 3721 network real name
127.0.0.1 cnsmin.3721.com # 3721 network real name
127.0.0.1 download.3721.com # 3721 network real name
127.0.0.1 www.3721.com # 3721 network real name
127.0.0.1 www.3721.net # 3721 network real name
