CWS.Aff.Winshow
  • Summary: CoolWebSearch - Variant CWS.Aff.Winshow - A set of hijackers operated by a mafia-style gang, redirecting to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics



CoolWebSearch - Variant CWS.Aff.Winshow


What is it?
This parasite is a variant of a family of rabid hijackers called CoolWebSearch, run by a mafia-style gang that breaks into computers everywhere.

General discussion and eradication of the various variants of the CoolWebSearch hijacker:


See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)




CWS.Aff.Winshow

Affiliate variant: Winshow - Comes in two flavours

Approx date first sighted: July 13, 2003
Log reference: Reconstruction
Symptoms: Changed IE pages to youfindall.com, BHO added to IE named 'winshow.dll'. Second variant hijacks to searchv.com and also redirects mistyped URLs to a porn site, and reloads the hijack on a reboot, or even sooner.
Cleverness: 5/10, second variant 8/10
Manual removal difficulty: Involves lots and lots of Registry editing, a bit of hosts file editing and deleting one file.
Identifying lines in HijackThis log:
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL
Second variant CWS.Aff.Winshow.2:
O1 - Hosts file: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents And Settings\username\Application Data\winshow\Winshow.dll
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - Global Startup: MSUpdater.exe

This affiliate variant originally was quite innocent, consisting only of one Browser Helper Object (BHO) named 'Winshow', with unknown goal. It was frequently sighted together with other CWS variants.

CWS.Aff.Winshow.2: The second variant of this one also used the BHO and filename, but added a hosts file hijack that redirected mistyped domains/URLs to a porn site, and reloaded an IE hijack to searchv.com on reboot using a Registry command file. One file named MSUpdater.exe was sitting in the 'All Users' startup folder in the Start Menu, and also reloaded the hijack. Deleting both files fixed the hijack. It is still unknown what the BHO actually does.

CWS.Aff.Winshow.3: A third version of this variant exists, that uses the filename winlink.dll for the BHO. It hijacks to both searchv.com and thesten.com. It does not have the additional files the second version has.

CWS.Aff.Winshow.4: A third version of this variant exists, that adds an uninstall entry in Add/Remove Software labelled Winshow, and auto-updates from a Registry value named WinShowUpdate.

CWS.Aff.Winshow.5: A third version of this variant exists, that uses the filename iefeatsl.dll, hijacks to search-click.com and auto-updates from a Registry value named iefeatslUpdate. It also downloads and installs a BHO named SubmitHook.

CWS.Aff.Winshow.6: A third version of this variant exists, that uses a random string for its filename and folder, with the same CLSID as the previous two variants, {587DBF2D-9145-4c9e-92C2-1F953DA73773}. It also downloads and installs a BHO named SubmitHook and autoupdates from a Registry value named Updater.
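A detection-side illustration, added here and not part of this page or of Merijn's chronicle: a small Python scanner that walks HijackThis-style O1/O2/O4 lines and flags the indicators described for the Winshow variants above (the two BHO CLSIDs, the winshow.dll / winlink.dll / iefeatsl.dll filenames, the sitefinder.verisign.com hosts entry, the silent `regedit /s` Run entry and the MSUpdater.exe startup item). The sample log is constructed, and the assumption that the WinShowUpdate / iefeatslUpdate / Updater auto-update values would appear as Run-key value names is mine.

```python
import re

# Indicators taken from the CWS.Aff.Winshow variant descriptions on this page.
CLSIDS = {"{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}",   # 'WinShow module' BHO (.1/.2/.3)
          "{587DBF2D-9145-4C9E-92C2-1F953DA73773}"}   # .4/.5/.6 BHO (page quotes it mixed-case)
FILES = {"winshow.dll", "winlink.dll", "iefeatsl.dll"}
UPDATE_VALUES = {"winshowupdate", "iefeatslupdate", "updater"}  # assumed to appear as Run value names
HIJACKED_HOST = "sitefinder.verisign.com"

O1 = re.compile(r"^O1 - Hosts file: (\S+) (\S+)$")
O2 = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
O4_RUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run\w*: \[([^\]]+)\] (.+)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (.+)$")

def classify(line):
    """Return why a HijackThis line matches a CWS.Aff.Winshow indicator, or None."""
    if m := O2.match(line):
        clsid, path = m.group(1).upper(), m.group(2)
        if clsid in CLSIDS:
            return f"BHO with known CWS.Aff.Winshow CLSID {clsid}"
        if path.rsplit("\\", 1)[-1].lower() in FILES:
            return f"BHO loaded from known CWS.Aff.Winshow file {path}"
    elif (m := O1.match(line)) and m.group(2).lower() == HIJACKED_HOST:
        return f"hosts file points {HIJACKED_HOST} at {m.group(1)} (mistyped-URL redirect)"
    elif m := O4_RUN.match(line):
        name, cmd = m.group(1), m.group(2).strip()
        if re.match(r"(?i)regedit(?:\.exe)?\s+/s\b", cmd):
            return f"Run value [{name}] silently re-imports a .reg file at logon: {cmd}"
        if name.lower() in UPDATE_VALUES:
            return f"Run value [{name}] matches a CWS.Aff.Winshow auto-update value"
    elif (m := O4_STARTUP.match(line)) and m.group(1).strip().lower() == "msupdater.exe":
        return f"startup item {m.group(1).strip()} re-installs the hijack on reboot"
    return None

def scan_log(text):
    """Return [(line, reason), ...] for every indicator line in a HijackThis log."""
    return [(l.strip(), r) for l in text.splitlines() if (r := classify(l.strip()))]

# Constructed sample log: indicator lines as quoted on this page plus made-up clean lines
# (the {1111...}/{2222...} CLSIDs, helper.dll and EXAMPLE_TRAY.EXE are placeholders).
SAMPLE_LOG = r"""
O1 - Hosts file: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL
O2 - BHO: (no name) - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\qxkz\qxkz.dll
O2 - BHO: (no name) - {22222222-2222-2222-2222-222222222222} - C:\WINDOWS\winlink.dll
O2 - BHO: Example Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKLM\..\Run: [ExampleTray] EXAMPLE_TRAY.EXE
O4 - Global Startup: MSUpdater.exe
"""
```

Running `scan_log(SAMPLE_LOG)` flags six of the eight lines; the two placeholder entries pass clean, which is the point of keying on the page's CLSIDs and filenames rather than on "any BHO".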

