Yahoo!

Yahoo! Assistant

Yahoo! Assistant, formerly named 3721 Internet Assistant, is a Browser Helper Object for Internet Explorer developed by Beijing 3721 Technology Co. Ltd, and was renamed to Yahoo! Assistant after Beijing 3721 Technology was acquired by Yahoo!.

3721 Internet Assistant, together with 3721 Chinese Keywords, are known as Spyware by Microsoft AntiSpyware, and malware or browser hijacker by some others, such as Panda Antivirus

Distrubution

3721 Internet Assistant was originally released as a normal client-server application. However, it turned to use ActiveX technology to install itself on a client system later and was also shipped with many sharewares as default install options. 3721 Internet Assistant was also blamed for its use of a flaw in Microsoft Internet Explorer to install itself automatically when a user is browsing an array of 3721 sponsored personal and commercial websites with Microsoft Internet Explorer. Yahoo! Assistant is also included in 3721 Chinese Keywords and Yahoo! Mail Express, but sometimes the whole package of Internet Assistant, Chinese Keywords and Mail Express is named "Yahoo! Assistant" in some sharewares.

Features

3721 claims 3721 Internet Assistant includes a lot of useful features, such as IE setting repair, security shield, removal of internet history information and blocking ads. However, it installs various windows hooks that will slow down the system, and tries to install the hooks repeatedly. Some users also reported that Internet Assistant buttons reappeared immediately after their manual removal using Internet Explorer customization features, and Blue Screen of Death appeared when using Internet Assistant.

Blocking popup ads

A test using http://www.kephyr.com/popupkillertest shows 3721 Internet Assistant can block roughly half of popup methods itself when the built-in popup blocker in Windows XP SP2 is not present or is turned off.

Internet Explorer Extension Management

3721 Internet Assistant can enable/disable individual Internet Explorer extensions, except the advertisement links and extensions installed by Yahoo products.

Concealing

3721 Internet Assistant processes are running as "Rundll32.exe" in Windows Task manager. If one is killed, it will be revived by others immediately.

A driver named CnsMinKP.sys is installed with 3721 Internet Assistant, along with several hidden Windows services.

After uninstallation, several files are left on the system, but they are not visible in Windows Explorer. They can be found by using tools such as Total Commander or in the DOS box.

Uninstall

3721 Internet Assistant, together with 3721 Chinese Keywords, according to Interfax, are regarded by Chinese internet users as "Hooligan" or "Zombie" applications. The uninstall program of the pair provided by 3721 simply redirects users to the 3721 website (in Simplified Chinese thus not recognizable except by Chinese speakers), and the default option of the web page is to keep 3721 Internet Assistant after the uninstallation. After following the web uninstallation wizard and a reboot, many 3721 files will still remain on the client system. The pair were ranked #1 by Beijing Association of Online Media in its list of Chinese Malware at 2005.

Because the pair used several kernel technologies to protect themselves, it is very difficult for many anti-spyware applications or IT professionals to remove them completely. For example, a driver named CnsMinKP.sys/vxd is installed with them and loaded even in Windows safe mode, and many kinds of attempts that try to remove 3721 files or registrys will be circumvented by this driver. For another, an incomplete uninstallation will trigger the "self-repair" feature that downloads missing files from internet. As a result, Microsoft AntiSpyware will enter an infinite loop when it is trying to remove the 3721 applications.

Step to block 3721 websites

Execution of following command lines may prevent a Windows NT/XP/2000 system from the automatic installation of 3721 applications when visiting many websites:

echo 127.0.0.1 cnsmin.3721.com >>%systemroot%\system32\drivers\etc\hosts 
echo 127.0.0.1 www.3721.net >>%systemroot%\system32\drivers\etc\hosts 
echo 127.0.0.1 www.3721.com >>%systemroot%\system32\drivers\etc\hosts 
echo 127.0.0.1 cn.zs.yahoo.com >>%systemroot%\system32\drivers\etc\hosts 
echo 127.0.0.1 cn.download.zs.yahoo.com >>%systemroot%\system32\drivers\etc\hosts 

This will translate some 3721 websites to a local IP, thus block these websites.

External links

• Official website
• an introduction on ca.com
• Remove CnsMin on spywaredb.com
• Remove CnsMin on doxdesk.com
• script to install CnsMin on Yahoo.com.

Home
Up
AlltheWeb
AltaVista
Broadcast
Del.icio.us
eGroups
Flickr
GeoCities
Inktomi
Kelkoo
LAUNCHcast
Oddpost
Rocketmail
Upcoming
Yahoo! Assistant
Yahoo! Search Marketing