CWS.Aff.Madfinder
  • Summary: CoolWebSearch - CWS.Aff.Madfinder variant - A set of hijackers run by a mafia gang, redirecting to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, deletion, erase, erasure, delete, throw out, destroy, uninstall, uninstallation


CoolWebSearch - CWS.Aff.Madfinder variant


What is it?
This parasite is a variant of a family of raging hijackers called CoolWebSearch, run by a mafia gang that breaks into every computer.

General discussion and removal of the various variants of the CoolWebSearch hijacker:


See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)




CWS.Aff.Madfinder

Affiliate variant: Madfinder - Kinda like ClientMan

Approx date first sighted: October 15, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=14977
Symptoms: IE homepage changed to madfinder.com, BHO with filename 'BrowserHelper.dll', hijack returning on reboot, or even sooner.
Cleverness: 5/10
Manual removal difficulty: Involves a process killer and lots of Registry editing.
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\System32\svc.exe

O1 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\BrowserHelper.dll
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe

This variant seems to consist of two files that support each other. svc.exe runs invisible, downloads the second file, BrowserHelper.dll, and installs it as a BHO. However, this BHO file also contains the first file and probably puts it back when it is deleted. The variant is always accompanied by a hijack to madfinder.com.
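As an added example (not part of Merijn's write-up, nor a HijackThis feature), this Python scans a HijackThis-style log for the three identifying lines quoted above and reports when the two mutually restoring components are both present, the case in which deleting one file alone does not hold. The sample log is constructed; the explorer.exe and SoundMan entries are invented benign filler.

```python
import re
# Indicators quoted in the write-up above: the dropper's filename, the BHO's CLSID
# and DLL name, and the HKCU Run value name that relaunches the dropper.
DROPPER_EXE = "svc.exe"
BHO_CLSID = "{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}"
BHO_DLL = "browserhelper.dll"
RUN_VALUE = "svc"
BHO_RE = re.compile(r"^O\d+ - BHO: (.*) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")

def scan_hjt_log(text: str) -> list[tuple[str, str]]:
    """Return (kind, line) pairs, kind in {"process", "bho", "run"}, for lines matching this variant."""
    findings, in_processes = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:                # one full path per line; a blank line ends the list
            if not line:
                in_processes = False
            elif line.lower().endswith("\\" + DROPPER_EXE):
                findings.append(("process", line))
            continue
        m = BHO_RE.match(line)
        if m and (m.group(2).upper() == BHO_CLSID or m.group(3).lower().endswith("\\" + BHO_DLL)):
            findings.append(("bho", line))
            continue
        m = RUN_RE.match(line)
        if m and (m.group(2).lower() == RUN_VALUE or m.group(3).lower().endswith("\\" + DROPPER_EXE)):
            findings.append(("run", line))
    return findings

def needs_paired_removal(findings) -> bool:
    """svc.exe installs the BHO and the BHO re-drops svc.exe, so when the BHO appears
    alongside the process or its Run key, deleting only one of them will not hold."""
    kinds = {kind for kind, _ in findings}
    return "bho" in kinds and bool(kinds & {"process", "run"})

# Constructed sample log: the three lines from the write-up plus invented benign entries.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svc.exe

O1 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\BrowserHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
"""
```

Running `scan_hjt_log(SAMPLE_LOG)` yields the process, BHO and Run findings in that order, and `needs_paired_removal` on them returns True.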

Written while listening to Ecoute