CWS.Gonnasearch
  • Summary: CoolWebSearch - CWS.Gonnasearch variant - A set of hijackers run by a mafia-style gang that redirect to the coolwebsearch site or to its affiliates.
 


 


CoolWebSearch - CWS.Gonnasearch variant


What is it?
This parasite is a variant of a family of aggressive hijackers called CoolWebSearch, operated by a mafia-style gang that gets into every computer.

General discussion and eradication of the different variants of the CoolWebSearch hijacker:


See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on October 19, 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)





Variant 28: CWS.Gonnasearch - Three for the price of one

Approx date first sighted: January 18, 2004
Log reference: http://forums.spywareinfo.com/index.php?showtopic=28344
Symptoms: IE hijacked to gonnasearch.com
Cleverness: 2/10
Manual removal difficulty: Involves deleting some registry keys and values
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/ iesearch.php?ref=sb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/ iesearch.php?ref=sb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/ iesearch.php?ref=sb
O2 - BHO: SearchAddon - {799A370D-5993-4887-9DF7-0A4756A77D00} - C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
O2 - BHO: (no name) - {E7AFFF2A-1B57-49C7-BF6B-E5123394C970} - C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll

This variant differs from the others in that it installs not one, but three (!) BHOs. Their exact purpose is unknown. Killing the three BHOs and restoring the IE pages fixed this hijack.
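
The identifying lines above can be checked for mechanically. The following is an added example, not part of the original write-up or of HijackThis itself: it scans a saved HijackThis log for the gonnasearch.com search-page values and the three BHO CLSIDs listed on this page. The function name and the two benign sample lines are assumptions made for illustration.

```python
import re

# Indicators taken from the HijackThis lines listed on this page.
HIJACK_DOMAIN = "gonnasearch.com"
BHO_CLSIDS = {
    "{799A370D-5993-4887-9DF7-0A4756A77D00}",
    "{A55581DC-2CDB-4089-8878-71A080B22342}",
    "{E7AFFF2A-1B57-49C7-BF6B-E5123394C970}",
}

# R0/R1 entries: "R1 - <hive\key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - ([^,]+),(.+?) = (.*)$")
# O2 entries: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")


def scan_hijackthis_log(text):
    """Return findings for log lines that match this variant's indicators."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            _, key, value, data = m.groups()
            # Pasted logs are often wrapped, so drop whitespace inside the URL first.
            url = re.sub(r"\s+", "", data).lower()
            host = re.sub(r"^[a-z]+://", "", url).split("/")[0]
            if host == HIJACK_DOMAIN or host.endswith("." + HIJACK_DOMAIN):
                findings.append({"type": "ie_page", "key": key, "value": value, "data": url})
            continue
        m = O2_LINE.match(line)
        if m and m.group(2).upper() in BHO_CLSIDS:
            findings.append({"type": "bho", "name": m.group(1), "clsid": m.group(2).upper(), "path": m.group(3)})
    return findings


# Constructed sample: three lines from this page plus two benign lines made up for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/ iesearch.php?ref=sb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.org/
O2 - BHO: SearchAddon - {799A370D-5993-4887-9DF7-0A4756A77D00} - C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
O2 - BHO: (no name) - {E7AFFF2A-1B57-49C7-BF6B-E5123394C970} - C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll
O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

if __name__ == "__main__":
    for f in scan_hijackthis_log(SAMPLE_LOG):
        print(f)
```

Matching on the CLSID rather than the DLL path keeps the check working when the 8.3 short names (SEARCH~1.DLL, AUTOSE~1.DLL) expand differently on another machine.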
