CWS.Datanotary
  • Summary: CoolWebSearch - CWS.Datanotary variant - A set of hijackers run by a mafia-style gang, redirecting to the coolwebsearch site or to its affiliates.
 


 


CoolWebSearch - CWS.Datanotary variant


What is it?
This parasite is a variant of a family of aggressive hijackers called CoolWebSearch, run by a mafia-style gang that gets into every computer.

General discussion and eradication of the different variants of the CoolWebSearch hijacker:


See the general CoolWebSearch page


Original work by Merijn (acquired by Intermute on October 19, 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)





Variant 1: CWS.Datanotary - Introduction to Destruction

Approx date first sighted: May 27, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=8661
Symptoms: Massive IE slowdown, especially when typing text into forms
Cleverness: 9/10
Manual removal difficulty: Very easy, if you know where to look
Identifying lines in HijackThis log:
O19 - User stylesheet: c:\windows\my.css

The first variant of CoolWebSearch wasn't even identified as such. There were only several threads from users experiencing enormous slowdowns in IE when typing messages into text boxes. Delays of over a minute before the typed text appeared were reported, along with some redirections to www.datanotary.com.

The solution to this problem took a while to surface, but after a few weeks (which is pretty long) someone reported that the problem went away after going into IE Options, Accessibility and disabling the 'Use My Stylesheet' option. After that, the fake stylesheet file could be deleted.

The hijack installed a stylesheet that exploited a flaw in Internet Explorer which allowed a .css stylesheet file to execute JavaScript code. The code in the file was encrypted, and spawned an off-screen popup that did the redirecting. However, this file was loaded on almost every action taken in IE, slowing it down; this was most obvious when typing text.
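For triage, the identifying O19 line above can be pulled out of a HijackThis log automatically. The following is an added example, not part of the original write-up or of HijackThis itself; the function names and the sample log are constructed for illustration, and only the `c:\windows\my.css` indicator comes from this page.

```python
import re
from typing import NamedTuple

# O19 entry format as shown on this page: "O19 - User stylesheet: <path>"
O19_RE = re.compile(r"^\s*O19\s*-\s*User stylesheet:\s*(?P<path>.+?)\s*$", re.IGNORECASE)

# Indicator taken from the page's identifying HijackThis line.
KNOWN_CWS_STYLESHEET = r"c:\windows\my.css"


class Finding(NamedTuple):
    line_no: int           # 1-based line number inside the log
    path: str              # normalized stylesheet path
    known_indicator: bool  # True when the path equals the page's indicator


def normalize(path: str) -> str:
    """Strip quotes, unify slashes and lower-case so comparisons are stable."""
    return path.strip().strip('"').replace("/", "\\").lower()


def find_user_stylesheets(log_text: str) -> list[Finding]:
    """Return every O19 user-stylesheet entry found in a HijackThis log."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = O19_RE.match(line)
        if not m:
            continue
        path = normalize(m.group("path"))
        findings.append(Finding(line_no, path, path == KNOWN_CWS_STYLESHEET))
    return findings


# Constructed sample log (hypothetical entries, not from a real machine).
SAMPLE_LOG = """\
Logfile of HijackThis
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\tray.exe
O19 - User stylesheet: C:\\WINDOWS\\my.css
O19 - User stylesheet: "D:/Profiles/alice/readable.css"
"""

if __name__ == "__main__":
    for f in find_user_stylesheets(SAMPLE_LOG):
        verdict = "matches CWS.Datanotary indicator" if f.known_indicator else "review manually"
        print(f"line {f.line_no}: {f.path} -> {verdict}")
```

Any O19 entry the user did not set deliberately deserves a look, since legitimate user stylesheets are uncommon; the exact-path match only separates the known indicator from the rest.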

