CWS.Googlems
  • Résumé : CoolWebSearch - Variante CWS.Googlems - Ensemble de hijackers d'un gang maffieux renvoyant vers le site coolwebsearch ou vers ses affiliés.
 
  • Mots-clés : CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, suppression, effacer, effacement, supprimer, virer, détruire, désinstaller, désinstallation


CWS.Googlems
 


CoolWebSearch - Variante CWS.Googlems


De quoi s'agit-il ?
Ce parasite est une variante d'une famille de Hijackers furieux appelée CoolWebSearch et pilotée par un gang maffieux s'introduisant dans tous les ordinateurs.

Discussion générale et éradication des différentes variantes du hijacker CoolWebSearch:


Voir la fiche générale CoolWebSearch


Travaux originaux de Merijn (acquis pas Intermute le 19 Octobre 2004)
Révisions (18.10.2003 - Rév 1; 27.10.2003 - Rév 2; 12.11.2003 - Rév 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)




CWS.Googlems

Variant 17: CWS.Googlems - We have a payload!

Approx date first sighted: November 1, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=16643
Symptoms: IE pages changed to http://www.idgsearch.com/, hijack reinstalled on reboot and when running Windows Media Player.
Cleverness: 7/10
Manual removal difficulty: Involves some Registry editing, and reinstalling Windows Media Player
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.idgsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.idgsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.idgsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.idgsearch.com/
O2 - BHO: GoogleMS Search Helper - {79369D5C-2903-4b7a-ADE2-D5E0DEE14D24} - C:\Documents and Settings\[username]\Application Data\GoogleMS.dll

This variant is first of its kind, since an important development was observed here: the Windows Media Player executable was deleted and replaced by the trojan. This file reinstalled the hijack when ran. No other variants modify or delete system files, but this one seems to.
It also installs a BHO that reinstalls hijack on a reboot. Deleting GoogleMS.dll and reinstalling Windows Media Player fixes the hijack.

CWS.Googlems.2: A mutation of this variant exists that hijacks IE to idgsearch.com and 2020search.com, installs a BHO named 'Microsoft SearchWord' using the filename SearchWord.dll in the same location as the first version. It also adds *.xxxtoolbar.com to the Trusted Zone.

CWS.Googlems.3: A mutation of this variant exists that hijacks IE to idgsearch.com, installs a BHO named 'Microsoft SearchWord' using the filename Word10.dll in the location C:\Documents And Settings\[username]\Application Data\Microsoft\Office.
This version can also be loaded by a fake Notepad.exe file in the Windows system folder. The fake file has an icon different from the default notepad one.

CWS.Googlems.4: A mutation of this variant exists that hijacks IE to idgsearch.com, 2020search.com and possibly coundnotfind.com. It installs a hosts file hijack to 69.56.223.196 (idgsearch.com), redirecting from several CWS affiliate domains (!), one Lop.com domain, one misspelled Spywareinfo domains (hehe) and several porn domains. It installs a BHO named 'Microsoft Excel' using the filename Excel10.dll, located at the same place as the third mutation. It also adds *.xxxtoolbar.com and *.teensguru.com to the Trusted Zone.

Rédigé en écoutant Ecoute