CWS.Aff.Tooncomics
  • Summary: CoolWebSearch - Variant CWS.Aff.Tooncomics - A set of hijackers run by a criminal gang that redirect the browser to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, deletion, erase, erasure, delete, throw out, destroy, uninstall, uninstallation


CoolWebSearch - Variant CWS.Aff.Tooncomics


What is it?
This parasite is a variant of an aggressive family of browser hijackers called CoolWebSearch, operated by a criminal gang that forces its way onto users' computers.

General discussion and removal of the various CoolWebSearch hijacker variants:


See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on October 19, 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)




CWS.Aff.Tooncomics

Affiliate variant: Tooncomics - Changing the Internet

Approx date first sighted: September 18, 2003
Log reference: http://boards.cexx.org/viewtopic.php?p=11617#11617
Symptoms: IE hijacked to tooncomics.com, targets of hyperlinks on websites changed to porn sites
Cleverness: 9/10
Manual removal difficulty: Involves really lots of Registry editing, and some hosts file editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://tooncomics.com/main/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tooncomics.com/main/hp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://66.250.130.194/main/hp.php
O1 - Hosts: 66.40.16.131 livesexlist.com
O1 - Hosts: 66.40.16.131 lanasbigboobs.com
O1 - Hosts: 66.40.16.131 thumbnailpost.com
O1 - Hosts: 66.40.16.131 adult-series.com
O2 - BHO: DNSErr object - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\DNSErr.dll

This variant seems to be in the league of CWS.Vrape, hijacking to porn sites, redirecting other porn sites to itself, and even using a BHO to change the target of hyperlinks to porn sites like eZula Toptext does. Some users even reported being unable to download CWShredder because the links at the bottom of this article were altered to point to porn sites. Manual removal is pretty hard, because the DNSErr.dll file responsible for the latter part of the hijack has no uninstall built-in like most dlls. However, flat-out deleting the file has no side effects.

CWS.Aff.Tooncomics.2: There is a second version of this hijack that uses the filename dnse.dll as the BHO, and a second file ld.exe that is always running, reloading the hijack. In this version, the IE homepage and search pages are changed to fastwebfinder.com. A process killer is needed to get rid of ld.exe.
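The entry above and the .2 note give a compact set of indicators for this hijack: the IE Start Page / Search Page / HomeOldSP values pointing at tooncomics.com, 66.250.130.194 or fastwebfinder.com, hosts-file entries mapping porn sites to 66.40.16.131, the DNSErr BHO CLSID {1E1B2879-88FF-11D2-8D96-D7ACAC95951F}, and the files DNSErr.dll, dnse.dll and ld.exe. The following scanner is an added example written for this page; it is not part of Merijn's text or of any CWS tool. It parses HijackThis-style R0/R1, O1 and O2 lines and falls back to a file-name match for anything else (for instance an O4 startup entry for ld.exe). The line-format regexes are assumptions based on the log lines shown on this page, and the sample log is constructed, mixing the page's own lines with benign entries so that the clean cases are exercised too.

```python
"""Scan a HijackThis log for CWS.Aff.Tooncomics (.1 and .2) indicators."""
import re
from urllib.parse import urlparse

# Indicators from the entry above (variant 1) and the .2 note (dnse.dll,
# ld.exe, fastwebfinder.com). All matching is case-insensitive.
HIJACK_HOSTS = {"tooncomics.com", "fastwebfinder.com"}
HIJACK_IPS = {"66.250.130.194", "66.40.16.131"}
HIJACK_BHO_CLSIDS = {"{1E1B2879-88FF-11D2-8D96-D7ACAC95951F}"}
HIJACK_FILES = {"dnserr.dll", "dnse.dll", "ld.exe"}

# Assumed line formats, derived from the HijackThis lines quoted on this page.
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.+)$")
O1_LINE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def _host_of(url):
    """Lower-cased host part of a URL ('' if it does not parse as one)."""
    return (urlparse(url.strip()).hostname or "").lower()


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(line):
    """Return a reason string if the line matches a Tooncomics indicator, else None."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        host = _host_of(m.group("value"))
        if host in HIJACK_HOSTS or host in HIJACK_IPS:
            return f"IE {m.group('name').strip()} points at hijack host {host}"
        return None
    m = O1_LINE.match(line)
    if m:
        if m.group("ip") in HIJACK_IPS:
            return f"hosts file maps {m.group('host')} to hijack server {m.group('ip')}"
        return None
    m = O2_LINE.match(line)
    if m:
        clsid = m.group("clsid").upper()
        fname = _basename(m.group("path"))
        if clsid in HIJACK_BHO_CLSIDS or fname in HIJACK_FILES:
            return f"BHO {clsid} loads hijack DLL {fname}"
        return None
    # Any other line (e.g. O4 startup entries): match on the known file names,
    # requiring a path separator or start-of-token before the name so that
    # unrelated files such as build.exe are not reported.
    for fname in HIJACK_FILES:
        if re.search(r"(?<![\w.])" + re.escape(fname) + r"\b", line, re.IGNORECASE):
            return f"references hijack file {fname}"
    return None


def scan(log_text):
    """Return [(line, reason)] for every indicator hit in a HijackThis log."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


# Constructed sample log: the page's own hijack lines plus benign entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://tooncomics.com/main/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tooncomics.com/main/hp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://66.250.130.194/main/hp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O1 - Hosts: 66.40.16.131 livesexlist.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: DNSErr object - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\DNSErr.dll
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ld] C:\WINDOWS\ld.exe
"""

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run it against a saved HijackThis log (`scan(open("hijackthis.log").read())`) to get the list of lines to fix; the R lines map to the IE registry values to reset, the O1 lines to hosts-file entries to delete, and the O2 line to the BHO registration and DLL to remove. The file-name fallback is deliberately narrow: it only knows the three names from this entry, so other CWS variants need their own indicator lists.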
