CWS.Dnsrelay
  • Summary: CoolWebSearch - CWS.Dnsrelay variant - A set of hijackers run by a mafia-like gang that redirect to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, deletion, erase, erasure, delete, throw out, destroy, uninstall, uninstallation


CoolWebSearch - CWS.Dnsrelay variant


What is it?
This parasite is a variant of a family of rabid hijackers called CoolWebSearch, run by a mafia-like gang that forces its way onto every computer it can reach.

General discussion and eradication of the different variants of the CoolWebSearch hijacker:


See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)

Variant 8: CWS.DNSRelay - Hey, that wasn't here before!

Approx date first sighted: August 7, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=9074
Symptoms: Redirections to allhyperlinks.com when omitting 'www' from a URL typed in IE
Cleverness: 8/10
Manual removal difficulty: Involves lots of Registry editing
Identifying lines in HijackThis log:
R3 - URLSearchHook: MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - C:\WINDOWS\System32\dnsrelay.dll

A very clever hijack that uses a method never used before by any other hijacker, this variant monitored all URLs entered into the IE Address bar, and redirected any URLs starting without 'www' to allhyperlinks.com. The hijack isn't very widespread, and is also pretty hard to spot. Luckily, fixing it requires only deleting one Registry value and one file.

CWS.Dnsrelay.2: A mutation of this variant exists which uses the filename ASTCTL32.OCX instead.

CWS.Dnsrelay.3: A mutation of this variant exists which uses the filename mswsc10.dll instead, which is located in C:\Program Files\Common Files\Web Folders. It hijacks IE to payfortraffic.net. It also adds a custom stylesheet (like CWS.Bootconf) located at C:\Program Files\Internet Explorer\Readme.txt. (This file is not present on uninfected systems.) It uses a Registry value named nvstart to re-register the main mswsc10.dll file on startup.

CWS.Dnsrelay.4: A mutation of this variant exists that is like CWS.Dnsrelay.3, but uses the filename mswsc20.dll instead, located at the same place. It hijacks IE to gofreegalleries.com, adds the same custom stylesheet, and uses the hosts file to hijack numerous sites to allhyperlinks.com.
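As an added example (not part of the original page, and not Merijn's or HijackThis's own code), the following Python script scans a HijackThis log for the R3 URLSearchHook line shown above, matching on the four filenames named for CWS.Dnsrelay and its mutations, and groups non-loopback hosts-file entries by address to surface the mass redirection described for CWS.Dnsrelay.4. The log and hosts lines are constructed samples, and the "clean" CLSID in them is a placeholder.

```python
import re
from collections import defaultdict

# Filenames named in the text for CWS.Dnsrelay and its mutations (compared case-insensitively).
DNSRELAY_FILES = {"dnsrelay.dll", "astctl32.ocx", "mswsc10.dll", "mswsc20.dll"}
# HijackThis R3 line layout: "R3 - URLSearchHook: <name> - {CLSID} - <path>".
HOOK_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def find_dnsrelay_hooks(hjt_log: str) -> list[dict]:
    """Return the R3 URLSearchHook entries whose DLL/OCX basename is a known Dnsrelay file."""
    hits = []
    for raw in hjt_log.splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue
        basename = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()
        if basename in DNSRELAY_FILES:
            hits.append({"clsid": m.group("clsid"), "path": m.group("path").strip(), "file": basename})
    return hits


def find_hosts_redirects(hosts_text: str, min_names: int = 3) -> dict[str, list[str]]:
    """Group non-loopback hosts entries by address (heuristic: one address swallowing many names)."""
    by_ip = defaultdict(list)
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in ("127.0.0.1", "::1"):
            continue
        by_ip[ip].extend(n.lower() for n in names)
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_names}


# Constructed sample log: one harmless hook with a placeholder CLSID, one Dnsrelay hook.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\WINDOWS\\System32\\clean.dll
R3 - URLSearchHook: MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - C:\\WINDOWS\\System32\\dnsrelay.dll
"""

# Constructed sample hosts file: four unrelated names all pointed at one remote address.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
203.0.113.7 www.search-a.example www.search-b.example search-c.example  # constructed
203.0.113.7 portal.example
"""

if __name__ == "__main__":
    print(find_dnsrelay_hooks(SAMPLE_LOG))
    print(find_hosts_redirects(SAMPLE_HOSTS))
```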
