CNav is an application which provides Chinese domain name services as well as Internet Keyword searches.
The default installation folder is <Program Files>\CNNIC.
When CNav is installed, the following files and folders are typically created:
<User>\Cookies\<user>@cnnic[?].txt
<Temp>\<variable>.exe
<Temp>\CdnCli.exe
<Temp>\C1
<Temp>\C1\cdn.dll
<Temp>\C1\cdnaux.dll
<Temp>\C1\cdnforie.dll
<Temp>\C1\cdnins.dll
<Temp>\C1\cdnprh.dll
<Temp>\C1\cdnprot.dat
<Temp>\C1\cdnprot.sys
<Temp>\C1\cdnsign.dll
<Temp>\C1\cdnunins.exe
<Temp>\C1\cdnup.exe
<Temp>\C1\cdnuplib.dll
<Temp>\C1\cdnvers.dat
<Temp>\C1\idnconvs.dll
<Temp>\C1\setup.exe
<Temp>\C1\src.dat
<Program Files>\CNNIC
<Program Files>\CNNIC\Cdn
<Program Files>\CNNIC\Cdn\cdnaux.dll
<Program Files>\CNNIC\Cdn\cdnforie.dll
<Program Files>\CNNIC\Cdn\cdnprh.dll
<Program Files>\CNNIC\Cdn\cdnsign.dll
<Program Files>\CNNIC\Cdn\cdnunins.exe
<Program Files>\CNNIC\Cdn\cdnup.exe
<Program Files>\CNNIC\Cdn\cdnuplib.dll
<Program Files>\CNNIC\Cdn\cdnvers.dat
<Program Files>\CNNIC\Cdn\idnconvs.dll
<Program Files>\CNNIC\Cdn\src.dat
<Program Files>\CNNIC\Cdn\Images
<Program Files>\CNNIC\Cdn\Update
<Program Files>\CNNIC\Cdn\Update\cdnvers.dat
<Program Files>\CNNIC\Cdn\Update\cdncmd.dll
<Program Files>\CNNIC\Cdn\Update\cdndet.dll
<Program Files>\CNNIC\Cdn\Update\cdndisp.dat
<Program Files>\CNNIC\Cdn\Update\cdnhint.dat
<Program Files>\CNNIC\Cdn\Update\cdnns.dll
<Program Files>\CNNIC\Cdn\Update\cdnprev.dat
<Program Files>\CNNIC\Cdn\Update\cdnprh.dll
<Program Files>\CNNIC\Cdn\Update\cdnprot.dat
<Program Files>\CNNIC\Cdn\Update\cdnprot.sys
<Program Files>\CNNIC\Cdn\Update\cdnrenew.exe
<Program Files>\CNNIC\Cdn\Update\cdntdns.dll
<Program Files>\CNNIC\Cdn\Update\cdntran.dat
<Program Files>\CNNIC\Cdn\Update\cdntran.sys
<Program Files>\CNNIC\Cdn\Update\client.dll
<Program Files>\CNNIC\Cdn\Update\enter.ico
<Program Files>\CNNIC\Cdn\Update\idnconv.dll
<Program Files>\CNNIC\Cdn\Update\iesrch.dll
<Program Files>\CNNIC\Cdn\Update\imaoe.dll
<Program Files>\CNNIC\Cdn\Update\news.ico
<Program Files>\CNNIC\Cdn\Update\popup.bmp
<Program Files>\CNNIC\Cdn\Update\soft.ico
<Program Files>\CNNIC\Cdn\Update\wmhlpr.dll
<Downloaded Program Files>\Cdndownload.inf
<System>\Cdndownload.dll
<System>\cdn.dll
<System>\cdnns.dll
<System>\cdnprot.dat
<System>\csetup.exe
<System>\Intenet.exe
<System>\drivers\cdnprot.sys
<System>\drivers\cdntran.sys
where ? is a digit 0-9 and <variable> is a randomly generated filename.
The following registry entries are created under the Run key so that cdnup.exe and the randomly named <variable> executable are started on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CdnCtr
<Program Files>\CNNIC\Cdn\cdnup.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Service
<variable>
The files cdnforie.dll and Cdndownload.dll are registered as COM objects, creating registry entries under:
HKCR\TypeLib\{9D208473-52B3-49D1-BBBE-4D4ED9E92EBF}
HKCR\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}
HKCR\Interface\{C04CBD66-AF27-4BCC-BACB-758247C24526}
HKCR\Interface\{6B36E550-F70E-47A0-935F-2F54DB38A267}
HKCR\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}
HKCR\CLSID\{E2D9AF38-368E-427B-B621-80DFBF89FFCA}
HKCR\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKCR\CdnForIE.IEHlprObj
HKCR\CdnForIE.IEHlprObj.1
HKCR\CdnDownload.Download
HKCR\CdnDownload.Download.1
The file cdnforie.dll is registered as a plugin and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
CNav may register the following system driver services and Winsock service providers:
- cdntran
- cdnprot
- Namespace Service Providers
- Transport Service Providers
CNav changes search settings for Microsoft Internet Explorer by setting the registry values:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search
CustomizeSearch
http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search
SearchAssistant
http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls
<System>\Cdndownload.dll
1
HKCU\Software\Microsoft\Internet Explorer\Main
Enable Browser Extensions
yes
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CdnClient
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/Cdndownload.dll
HKCU\Software\CNNIC
HKLM\SOFTWARE\CNNIC
HKCU\Software\Microsoft\Internet Explorer\MenuExt\Access Internet Keyword
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT
HKCU\Software\Microsoft\Office\Outlook\Addins\MailParserSvr.MailParser.1
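The registry changes described above can be checked offline against a registry export. The following is an added example, not code from the original page or from Sophos: it scans reg-export (.reg) text for the Run entries, BHO CLSID, Internet Explorer search URLs and CNNIC keys this page lists. The sample export is constructed for the demonstration, with concrete paths standing in for the page's <Program Files> placeholder.

```python
"""Flag CNav (CNNIC) registry artefacts in a Windows .reg export (added example; SAMPLE_REG is constructed)."""
import re

# Indicators from the page: Run value names, BHO/COM CLSID, search URL host, key names.
# "Service" is a weak name-only indicator; review such a hit by hand.
CNAV_RUN_VALUES = {"CdnCtr", "Service"}
CNAV_BHO_CLSID = "{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}"
CNAV_SEARCH_HOST = "client.jogo.cn"
CNAV_KEY_MARKERS = ("\\CNNIC", "\\Uninstall\\CdnClient", "\\AdvancedOptions\\CDNCLIENT")

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
SEARCH_KEY = re.compile(r"\\Microsoft\\Internet Explorer\\Search$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')  # "name"="string data"


def find_cnav_artifacts(reg_text: str) -> list[str]:
    """Return one finding per CNav-related key or value, in file order."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):  # [key path] header
            key = line[1:-1]
            lowered = key.lower()
            if CNAV_BHO_CLSID.lower() in lowered or any(
                    m.lower() in lowered for m in CNAV_KEY_MARKERS):
                findings.append(f"key: {key}")
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # unescape .reg backslashes
        if RUN_KEY.search(key) and (name in CNAV_RUN_VALUES or "\\CNNIC\\" in data):
            findings.append(f"run: {name} = {data}")
        elif SEARCH_KEY.search(key) and CNAV_SEARCH_HOST in data:
            findings.append(f"search: {name} = {data}")
    return findings


# Constructed sample export: one CNav Run entry, one benign entry, a hijacked search URL, the BHO key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CdnCtr"="C:\\Program Files\\CNNIC\\Cdn\\cdnup.exe"
"Backup"="C:\\Program Files\\ExampleCorp\\backup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"="http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}]
'''
```

On a live machine, feed it the output of reg export for the HKLM, HKCU and HKCR hives listed on this page; matches on the "Service" Run value need manual confirmation because the name alone is not specific to CNav.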
CNav provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "Chinese Navigation".
Note: some older versions of CNav use system-level processes which may prevent Sophos from successfully removing all the CNav components. In such cases, to complete disinfection, reboot into recovery mode and delete any remaining files (see the list of dropped files above).