CWS.Alfasearch
  • Summary: CoolWebSearch - CWS.Alfasearch variant - A set of hijackers run by a mafia-like gang, redirecting to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, suppression, erase, erasure, delete, get rid of, destroy, uninstall, uninstallation


CoolWebSearch - CWS.Alfasearch variant


What is it?
This parasite is a variant of a virulent family of hijackers called CoolWebSearch, run by a mafia-like gang that forces its way into every computer it can reach.

General discussion and removal of the different variants of the CoolWebSearch hijacker:


See the general CoolWebSearch page


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)


Variant 19: CWS.Alfasearch - Child's Play

Approx date first sighted: November 5, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=16730
Symptoms: IE pages changed to alfa-search.com, possibly porn sites being redirected to 216.200.3.32 (alfa-search.com), error message about a 'runtime error' at startup, 4 porn bookmarks added to favorites (one possible child porn).
Cleverness: 1/10
Manual removal difficulty: Involves a little Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alfa-search.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
O4 - Global Startup: MSupdate.exe

Possibly the simplest CWS variant since CWS.Datanotary, this hijack only does the basic stuff: changes your IE homepage and search pages, adds porn bookmarks, and pops up a bogus error message at startup.
Deleting MSupdate.exe from the All Users Startup group, deleting the porn bookmarks and resetting the IE homepage and search pages fixed the hijack.
The MSupdate.exe file is capable of installing a hosts file hijack as well, but doesn't seem to do this.

CWS.Alfasearch.2: A mutation of this variant exists that hijacks IE to www.find-itnow.com, drops 7 porn bookmarks in the IE Favorites, and causes error messages concerning 'Win Min' at system shutdown, as well as bogus runtime errors at system startup. It drops a fake Winlogon.exe file in the 'All Users' Startup group of the Start Menu, or in the Startup group of the current user. The file is always running, and hard to remove. If CWShredder repeatedly reports removing this variant, it cannot remove winlogon.exe. To remove this file manually, move it out of the Startup folder, restart, and then delete the file.

CWS.Alfasearch.3: A mutation of this variant exists that hijacks IE to www.alfa-search.com, and reinstalls by running an encrypted VBS script from three places in the Registry, named rundll32.vbe using the name Windows Security Assistant. It also installs a custom stylesheet named readme.txt in the Windows system folder, drops 9 porn bookmarks in the IE Favorites and 6 on the desktop, and installs a hosts file hijack of 8 major search engines and one porn site to 64.124.222.169 (alfa-search.com).
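The identifying HijackThis lines above (R0/R1 entries pointing at alfa-search.com or find-itnow.com, and an O4 Startup-folder entry such as MSupdate.exe or a winlogon.exe launched from the Startup group) can be triaged automatically. The following Python script is an added example, not part of Merijn's write-up or of any CWS tool; the indicator lists are taken from the text above and the sample log is constructed for the example.

```python
import re

# Indicators named in the CWS.Alfasearch write-up: hijack domains for variants
# 1 and 2, and file names that belong in the Startup group only when hijacked.
SUSPECT_DOMAINS = ("alfa-search.com", "find-itnow.com")
SUSPECT_STARTUP_FILES = ("msupdate.exe", "winlogon.exe", "rundll32.vbe")

# IE setting lines (R0/R1) and Startup-folder lines (O4) as HijackThis prints them.
IE_LINE = re.compile(r"^(R[01]) - (HK[A-Z]+\\[^,]+),([^=]+) = (.+)$")
O4_LINE = re.compile(r"^(O4) - (Global Startup|Startup): (.+)$")


def classify_line(line):
    """Return a finding dict for a log line that matches an indicator, else None."""
    line = line.strip()
    m = IE_LINE.match(line)
    if m:
        kind, key, value_name, value = m.groups()
        if any(d in value.lower() for d in SUSPECT_DOMAINS):
            return {"type": kind, "reason": "IE setting points to CWS.Alfasearch domain",
                    "key": f"{key}\\{value_name.strip()}", "value": value}
        return None
    m = O4_LINE.match(line)
    if m:
        kind, group, target = m.groups()
        # A system-looking binary started from the Startup folder (rather than
        # from the Windows system folder) is the tell for this variant.
        if target.strip().lower() in SUSPECT_STARTUP_FILES:
            return {"type": kind, "reason": f"suspicious file in {group} folder",
                    "key": group, "value": target.strip()}
    return None


def triage_log(text):
    """Scan a whole HijackThis log and return the findings in log order."""
    return [f for f in (classify_line(l) for l in text.splitlines()) if f]


# Constructed sample log: two hijacked IE values, one clean value, one Startup
# entry from the write-up, and one unrelated O4 Run entry that must not match.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.alfa-search.com/search.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.alfa-search.com/home.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.org/
O4 - Global Startup: MSupdate.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"{finding['type']}: {finding['reason']} ({finding['key']} -> {finding['value']})")
```

Each finding maps back to the fix the text describes: reset the IE value for R0/R1 hits, and remove the file from the Startup folder for O4 hits.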
