CWS.Dreplace
  • Summary: CoolWebSearch - CWS.Dreplace variant - A set of hijackers run by a criminal gang that redirect the browser to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, delete, deletion, erase, wipe, destroy, uninstallation


CoolWebSearch - CWS.Dreplace variant


What is it?
This parasite is a variant of a family of aggressive browser hijackers called CoolWebSearch, operated by a criminal gang that tries to get it onto every computer it can reach.

General discussion and removal of the various variants of the CoolWebSearch hijacker:


See the general CoolWebSearch page


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 07.04.2004 - Rev 7; 20.05.2004 - Rev 8)




Variant 14: Dreplace - Just a BHO... OR IS IT?

Approx date first sighted: October 12, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=13497
Symptoms: Redirections to xwebsearch.biz and 213.159.117.233, hijack returning on reboot
Cleverness: 3/10 (10/10 for the second version)
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://xwebsearch.biz/
O1 - Hosts: 213.159.117.233 sitefinder.verisign.com
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll

This variant installs a BHO with unknown purpose, though it's probable the BHO is there to ensure xwebsearch.biz is set as your homepage on reboot. It redirects the Verisign Sitefinder, so all mistyped domains are redirected to 213.159.117.233.

CWS.Dreplace.2: There is a second version of this variant that used the most dastardly trick I have ever seen in a piece of malware. It changed dreplace.dll so that fixing it with either HijackThis or CWShredder will cause your entire system to fail on Windows 98, 98SE and ME! The hijack is the same as the first version in almost all other aspects, and both HijackThis and CWShredder have been updated to circumvent the problem.
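The identifying lines quoted above are the whole signature of this variant: R1 entries whose value has been blanked to `http:///` or points at xwebsearch.biz, a hosts-file entry sending sitefinder.verisign.com to 213.159.117.233, and a BHO named "HTML Source Editor" with CLSID {086AE192-23A6-48D6-96EC-715F53797E85} backed by DReplace.dll. The following is an added example, not code from this page, from Merijn or from HijackThis: a small Python scanner that parses those three HijackThis line types (R0/R1, O1, O2) from a saved log and reports which ones match this variant. The sample log, the rule names and the "at least the BHO, or both a search hijack and the hosts redirect" verdict heuristic are assumptions made here for illustration. It deliberately only reports; given the trap described for CWS.Dreplace.2, nothing here touches the registry, the hosts file or the DLL.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the HijackThis lines quoted on this page; nothing else.
CWS_DREPLACE_CLSID = "{086AE192-23A6-48D6-96EC-715F53797E85}"
CWS_DREPLACE_DLL = "dreplace.dll"
CWS_REDIRECT_IP = "213.159.117.233"
CWS_DOMAIN = "xwebsearch.biz"
SITEFINDER_HOST = "sitefinder.verisign.com"
EMPTY_URL = "http:///"

# HijackThis line shapes (R0/R1 registry values, O1 hosts entries, O2 BHOs).
R1_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value_name>[^=]+?) = (?P<value>.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")


@dataclass
class Finding:
    line_no: int
    rule: str
    line: str


def classify(line: str) -> Optional[str]:
    """Return the rule name a single HijackThis log line matches, or None."""
    line = line.rstrip()
    m = R1_RE.match(line)
    if m:
        value = m.group("value").strip().lower()
        # The hijack blanks the search values and parks the old one on xwebsearch.biz.
        if value == EMPTY_URL or CWS_DOMAIN in value:
            return "ie-search-hijack"
        return None
    m = O1_RE.match(line)
    if m:
        ip, host = m.group("ip"), m.group("host").lower()
        # Verisign Sitefinder is overridden so that mistyped domains land on the CWS IP.
        if ip == CWS_REDIRECT_IP or host == SITEFINDER_HOST:
            return "hosts-redirect"
        return None
    m = O2_RE.match(line)
    if m:
        clsid = m.group("clsid").upper()
        basename = m.group("path").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if clsid == CWS_DREPLACE_CLSID or basename == CWS_DREPLACE_DLL:
            return "bho-dreplace"
    return None


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every line of a HijackThis log and collect matches."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        rule = classify(line)
        if rule:
            findings.append(Finding(line_no, rule, line.rstrip()))
    return findings


def is_cws_dreplace(findings: List[Finding]) -> bool:
    """Heuristic verdict (an assumption of this example, not a vendor rule):
    the BHO alone is conclusive; otherwise require both the search hijack
    and the Sitefinder hosts redirect."""
    rules = {f.rule for f in findings}
    return "bho-dreplace" in rules or {"ie-search-hijack", "hosts-redirect"} <= rules


# Constructed sample log: the lines quoted on this page plus benign entries
# that must not be flagged (the all-zero CLSID is a placeholder, not a real BHO).
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://xwebsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O1 - Hosts: 213.159.117.233 sitefinder.verisign.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\placeholder.dll
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no:2d} [{f.rule}] {f.line}")
    print("CWS.Dreplace indicators present:", is_cws_dreplace(hits))
```

To use it on a real machine, read a saved HijackThis log into `scan()` instead of `SAMPLE_LOG`. The CLSID comparison is case-insensitive and the DLL check is on the file name only, so the BHO rule still fires if the second version is registered under a different path; the verdict is only a hint for a human to act on with the updated HijackThis or CWShredder builds mentioned above.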