CWS.Ctfmon32
  • Summary: CoolWebSearch - CWS.Ctfmon32 variant - A set of hijackers run by a mafia-like gang that redirect to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, delete, deletion, erase, destroy, uninstallation




CoolWebSearch - CWS.Ctfmon32 variant


What is it?
This parasite is a variant of a family of aggressive hijackers called CoolWebSearch, run by a mafia-like gang that gets into every computer.

General discussion and eradication of the different variants of the CoolWebSearch hijacker:


See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on October 19, 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)





Variant 10: CWS.Ctfmon32 - SlawSearch part II

Approx date first sighted: September 22, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=11886
Symptoms: Start page and Search pages changed to www.slawsearch.com, 'Customize Search Assistant' closing after opening it, hijack coming back after a reboot.
Cleverness: 3/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.slawsearch.com/autosearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.slawsearch.com/autosearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slawsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.slawsearch.com/autosearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = javascript:window.close()
O4 - HKLM\..\Run: [CTFMON32.EXE] "C:\WINDOWS\System32\ctfmon32.exe"

This variant surfaced after a quiet time. CWShredder could fix it, but it would return after rebooting the computer. Apart from the new filename 'CTFMON32.EXE' (note that 'CTFMON.EXE' is the real Windows system file) it worked pretty much the same way as CWS.Bootconf: the file loads at startup, resetting homepages and search pages, and then closes. Deleting the file and changing everything back to normal fixes it.
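
The identifying lines above can be checked for mechanically when triaging a saved HijackThis log. The following is an added example, not Merijn's code and not part of HijackThis or CWShredder: it parses R0-R3 and O4 lines and flags the slawsearch.com redirects, the CustomizeSearch javascript: value, and a Run entry whose program is ctfmon32.exe rather than the genuine ctfmon.exe. The function names, finding labels and the last two sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the HijackThis lines on this page.
HIJACK_DOMAIN = "slawsearch.com"
FAKE_BINARY = "ctfmon32.exe"  # the genuine Windows file is ctfmon.exe

R_LINE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def host_in_domain(url, domain):
    """True if the URL's host is the domain or one of its subdomains."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL in the log: not a match, keep scanning
        return False
    return host == domain or host.endswith("." + domain)

def exe_name(cmd):
    """Lower-cased file name of the program in a Run-key command line."""
    cmd = cmd.strip()
    path = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    return re.split(r"[\\/]", path)[-1].lower()

def scan(log_text):
    """Return (kind, name, data) tuples for lines matching this variant."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        r, o4 = R_LINE.match(line), O4_LINE.match(line)
        if r:
            value, data = r["value"].strip(), r["data"].strip()
            if host_in_domain(data, HIJACK_DOMAIN):
                findings.append(("ie-redirect", value, data))
            elif value == "CustomizeSearch" and data.lower().startswith("javascript:"):
                findings.append(("customize-search-disabled", value, data))
        elif o4 and exe_name(o4["cmd"]) == FAKE_BINARY:
            findings.append(("run-key-lookalike", o4["name"], o4["cmd"].strip()))
    return findings

# Six lines from the page, then two benign lines constructed for contrast.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.slawsearch.com/autosearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.slawsearch.com/autosearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slawsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.slawsearch.com/autosearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = javascript:window.close()
O4 - HKLM\..\Run: [CTFMON32.EXE] "C:\WINDOWS\System32\ctfmon32.exe"
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.org/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
```

Calling `scan(SAMPLE_LOG)` returns six findings; the legitimate ctfmon.exe Run entry and the unrelated start page are not flagged, because the comparison is on the exact file name and on the URL's host rather than on a substring.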
