Yahoo! Assistant

From Wikipedia, the free encyclopedia

Yahoo! Assistant, formerly named 3721 Internet Assistant, is a Browser Helper Object for Internet Explorer developed by Beijing 3721 Technology Co. Ltd, and was renamed to Yahoo! Assistant after Beijing 3721 Technology was acquired by Yahoo!.

3721 Internet Assistant, together with 3721 Chinese Keywords, are known as Spyware by Microsoft AntiSpyware, and malware or browser hijacker by some others, such as Panda Antivirus. However, Yahoo! China filed a lawsuit against Beijing Sanjiwuxian Internet Technology Co. Ltd, the developer of the 360Safe antispyware for identifyng Yahoo! Assistant as malware in 360Safe[1].

Contents 1 Distribution 2 Features 2.1 Blocking popup ads 2.2 Internet Explorer Extension Management 2.3 Concealing 2.4 Removing antispyware program 3 Uninstall 4 Manual removal 5 Steps to block 3721 websites 6 External links

[edit] Distribution

3721 Internet Assistant was originally released as a normal client-server application. However, it turned to use ActiveX technology to install itself on a client system later and was also shipped with many sharewares as default install options. 3721 Internet Assistant was also blamed for its use of a flaw in Microsoft Internet Explorer to install itself automatically when a user is browsing an array of 3721 sponsored personal and commercial websites with Microsoft Internet Explorer. Yahoo! Assistant is also included in 3721 Chinese Keywords and Yahoo! Mail Express, but sometimes the whole package of Internet Assistant, Chinese Keywords and Mail Express is named "Yahoo! Assistant" in some sharewares. The company says the automatic installation ended in September 2005 and now asks user's permission before installing[2], however, CA Inc. reported that during Yahoo! Assistant installation, extra components are installed without obtaining user's consent[3].

This software is also bundled with the Chinese client of the CGA Gaming platform.

[edit] Features

3721 claims 3721 Internet Assistant includes a lot of useful features, such as IE setting repair, security shield, removal of internet history information and blocking ads. However, it installs various windows hooks that will slow down the system, and tries to install the hooks repeatedly. Some users also reported that Internet Assistant buttons reappeared immediately after their manual removal using Internet Explorer customization features, and Blue Screen of Death appeared when using Internet Assistant.

[edit] Blocking popup ads

A test using http://www.kephyr.com/popupkillertest shows 3721 Internet Assistant can block roughly half of popup methods itself when the built-in popup blocker in Windows XP SP2 is not present or is turned off.

[edit] Internet Explorer Extension Management

3721 Internet Assistant can enable/disable individual Internet Explorer extensions, except the advertisement links and extensions installed by Yahoo! products.

[edit] Concealing

3721 Internet Assistant processes are running as "Rundll32.exe" [4] in Windows Task manager. If one is killed, it will be revived by others immediately.

A driver named CnsMinKP.sys is installed with 3721 Internet Assistant, along with several hidden Windows services.

After uninstallation, several files are left on the system, but they are not visible in Windows Explorer. They can be found by using tools such as Total Commander or in the DOS box.

[edit] Removing antispyware program

According to CnBeta, Yahoo! Assistant also removes 360Safe, an antispyware program from the hard disk. [5]

[edit] Uninstall

3721 Internet Assistant, together with 3721 Chinese Keywords, according to Interfax, are regarded by Chinese internet users as "Hooligan" or "Zombie" applications. The uninstall program of the pair provided by 3721 simply redirects users to the 3721 website (in Simplified Chinese thus not recognizable except by Chinese speakers), and the default option of the web page is to keep 3721 Internet Assistant after the uninstallation. After following the web uninstallation wizard and a reboot, many 3721 files will still remain on the client system. The pair were ranked #1 by Beijing Association of Online Media in its list of Chinese Malware at 2005.

Ironically, the Anti-Spy program included with Yahoo! Toolbar detects and attempts to remove Yahoo! Assistant, although its effectiveness varies.

Because the pair used several kernel technologies to protect themselves, it is very difficult for many anti-spyware applications or IT professionals to remove them completely. For example, a driver named CnsMinKP.sys/vxd is installed with them and loaded even in Windows safe mode, and many kinds of attempts that try to remove 3721 files or registrys will be circumvented by this driver. For another, an incomplete uninstallation will trigger the "self-repair" feature that downloads missing files from internet. As a result, Microsoft AntiSpyware will enter an infinite loop when it is trying to remove the 3721 applications.

A confirmed way of removing cnsmin is as follows:

• Boot in safe mode.
• Run Spybot - Search & Destroy with very latest definitions from a jump drive or on the HD
• Spybot removes most of Cnsmin.
• Go to "add/remove programs" in the control panel.
• Remove "Chinese Keywords" applet
• Reboot into safe mode.
• Run Spybot again.
• It should detect "Cnsmin" one more time.
• Remove it.
• Reboot into safe mode once more and run spybot once more.
• If it's clear of problems you can reboot.

[edit] Manual removal

Booting from the Windows XP installation disk and running the Recovery Console allows you to manually delete files from the hard drive.

1. Delete any files beginning with "cns" from the downloaded program files directory. C:\Windows\downlo~1\
   
2. Delete CNSminkp.sys/vxd from C:\Windows\system32\drivers\
   
3. Delete any files beginning with "cns" from C:\Windows\system32\
   

These have to be done manually as delete in the recovery console does not support wildcards, ie. "cns*.*". Note: In order to enable wildcards support in Recovery Console, use SET command to change ALLOWWILDCARDS = TRUE.
The easy way to get a list of files is to type "dir cns*.*" in the relevant directory.
Type "exit" to restart the computer.
Start in safe mode and run your antispyware program of choice, Ad-Aware does a good job from this point.

[edit] Steps to block 3721 websites

Execution of following command lines may prevent a Windows NT/XP/2000 system from the automatic installation of 3721 applications when visiting many websites:

echo 127.0.0.1 cnsmin.3721.com >>%systemroot%\system32\drivers\etc\hosts 
echo 127.0.0.1 www.3721.net >>%systemroot%\system32\drivers\etc\hosts 
echo 127.0.0.1 www.3721.com >>%systemroot%\system32\drivers\etc\hosts 
echo 127.0.0.1 cn.zs.yahoo.com >>%systemroot%\system32\drivers\etc\hosts 
echo 127.0.0.1 cn.download.zs.yahoo.com >>%systemroot%\system32\drivers\etc\hosts 

This will translate some 3721 websites to a local IP, thus block these websites. However, newer versions of the Yahoo Assistant will modifiy the hosts file themselves, replacing some dots in the URLS with commas, invalidating the entries and thereby making this approach useless.

[edit] External links

• Official website (Visit with IE security settings set to "low" may install the software without interaction)
• China Malware War Gets Personal
• an introduction on ca.com
• Remove CnsMin on spywaredb.com
• Remove CnsMin on doxdesk.com
• script to install CnsMin on Yahoo.com (executing it may install the software without interaction)