CWS.Addclass
  • Summary: CoolWebSearch - CWS.Addclass variant - A set of hijackers run by a mafia-like gang, redirecting to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics


CoolWebSearch - CWS.Addclass variant


What is it?
This parasite is a variant of an aggressive family of hijackers called CoolWebSearch, run by a mafia-like gang that worms its way into computers everywhere.

General discussion and removal of the various variants of the CoolWebSearch hijacker:


See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)



Variant 16: CWS.Addclass - Halloween edition

Approx date first sighted: October 30, 2003
Log reference: http://forums.techguy.org/showthread.php?threadid=175680
Symptoms: Redirections through ehttp.cc before reaching pages, IE homepage/searchpage changing to rightfinder.net, hijack returning on reboot.
Cleverness: 4/10
Manual removal difficulty: Involves lots of Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\TEMP\ADDCLASS.EXE
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?

This one just surfaced when a sample (and thus a CWShredder update) was found for it. The hijack involves AddClass.exe installing the hijack and reinstalling it on reboot. It also changes the DefaultPrefix, WWW Prefix and a non-functional 'www.' prefix, which makes each URL you type without 'http://' in front of it redirect through ehttp.cc before reaching the correct destination. IOW, they log everywhere you go. Luckily they are even kind enough to provide an uninstall for this 'Enhanced HTTP protocol' at their site here. This will only partially remove CWS.Addclass though.
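As an added example (not part of this page, of Merijn's write-up or of CWShredder), here is a small Python checker that reads HijackThis-style lines and flags the CWS.Addclass indicators listed above: the R0/R1 entries pointing at rightfinder.net, the [AddClass] Run entry and the ehttp.cc prefixes. The sample lines and the rule table are constructed from the log excerpt; requiring both the persistence entry and a hijack indicator before naming the variant is an assumption of the example.

```python
import re

# Constructed sample HijackThis lines reproducing the CWS.Addclass indicators
# quoted on this page, plus two benign entries to show what is left alone.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/",
    r"O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\TEMP\ADDCLASS.EXE",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O13 - DefaultPrefix: http://ehttp.cc/?",
    r"O13 - WWW Prefix: http://ehttp.cc/?",
]

# (line type, regex over the rest of the line, category, description); the
# indicators are the ones in the HijackThis log excerpt on this page.
RULES = [
    ("R0", r"rightfinder\.net", "hijack", "IE start page pointed at rightfinder.net"),
    ("R1", r"rightfinder\.net", "hijack", "IE search page/bar pointed at rightfinder.net"),
    ("O13", r"ehttp\.cc", "hijack", "URL prefix routes typed addresses through ehttp.cc"),
    ("O4", r"\[AddClass\]\s.*\\ADDCLASS\.EXE", "persistence",
     "AddClass.exe Run entry that reinstalls the hijack on reboot"),
]

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")

def scan_log(lines):
    """Return (line, category, description) for every line that hits a rule."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank line or other non-entry text
        for kind, pattern, category, desc in RULES:
            if m.group("kind") == kind and re.search(pattern, m.group("body"), re.IGNORECASE):
                hits.append((line, category, desc))
                break
    return hits

def assess(lines):
    """Name the variant only when the autorun persistence and a hijack indicator coexist (assumed threshold)."""
    hits = scan_log(lines)
    categories = {category for _, category, _ in hits}
    verdict = ("CWS.Addclass" if {"persistence", "hijack"} <= categories
               else "suspicious" if hits else "clean")
    return {"verdict": verdict, "hits": hits}
```

Run assess() over the lines of a saved HijackThis log; the benign Google start page and the legitimate ctfmon.exe entry in the sample are not reported, while the five CWS.Addclass lines are.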
