CWS.Loadbat
  • Summary: CoolWebSearch - CWS.Loadbat variant - A set of hijackers from a mafia-style gang that redirect to the coolwebsearch site or to its affiliates.
 


 


CoolWebSearch - CWS.Loadbat variant


What is it?
This parasite is a variant of an aggressive family of hijackers called CoolWebSearch, run by a mafia-style gang that forces its way into every computer.

General discussion and eradication of the different variants of the CoolWebSearch hijacker:


See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on October 19, 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)





Variant 20: CWS.Loadbat - Dastardly

Approx date first sighted: November 1, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=16132
Symptoms: DOS window flashing by at system startup, IE pages being hijacked to ie-search.com, redirection to 'FLS' or Umaxsearch when mistyping URLs or visiting porn sites
Cleverness: 9/10
Manual removal difficulty: Involves some Registry editing and deleting a few files
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-search.com/home.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\hp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
O1 - Hosts: 206.161.200.105 auto.search.msn.com
O1 - Hosts: 206.161.200.105 sitefinder.verisign.com
O1 - Hosts: 206.161.200.105 sitefinder-idn.verisign.com
O1 - Hosts: 206.161.200.103 www.smutserver.com
O1 - Hosts: 206.161.200.103 www1.smutserver.com
O1 - Hosts: 206.161.200.103 www2.smutserver.com
[...]
O1 - Hosts: 206.161.200.103 www29.smutserver.com
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKLM\..\Run: [Win64 Compatibility Check] load win64.drv /c /set -- by windows setup --

Overlooked at first, this CWS variant used a clever way of reloading the hijack by making it look like some other file (shell.dll or win64.drv) was doing it, when in fact it was just a LOAD.BAT file merging a .reg file.

The second variant added a hosts file hijack of auto.search.msn.com and the Verisign Sitefinder to something called 'FLS' that linked to Umaxsearch, as well as hijacking smutserver.com domains to another porn site.

To remove this manually, killing the autostarts and removing hp.htm, load.bat and srch.reg from the Windows folder along with resetting the IE homepage/search page is enough.
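
The identifying lines listed above can be checked for mechanically in a saved HijackThis log. The script below is an added example, not part of Merijn's original write-up; the function name `scan_hijackthis`, the constructed sample log, the `winnt` folder name and the rule that loopback hosts entries are ignored are assumptions.

```python
import re

# Indicators copied from this page's HijackThis lines; "winnt" is an added assumption.
ENTRY = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")
FAKE_LOADER = re.compile(r"\bload\s+(shell\.dll|win64\.drv)\b", re.I)
HIJACKED_HOST = re.compile(
    r"^(auto\.search\.msn\.com|sitefinder(-idn)?\.verisign\.com|www\d*\.smutserver\.com)$", re.I)
LOCAL_START = re.compile(r"Start Page\s*=\s*[a-z]:\\(windows|winnt)\\hp\.htm", re.I)
LOOPBACK = {"127.0.0.1", "0.0.0.0"}  # blocklist-style hosts entries, not a redirect

def scan_hijackthis(log_text):
    """Return (section, reason, line) for each log entry matching CWS.Loadbat."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, blank line or process list: not a numbered entry
        section, body = m.groups()
        reason = None
        if section in ("R0", "R1"):
            if "ie-search.com" in body.lower():
                reason = "IE search setting points at ie-search.com"
            elif LOCAL_START.search(body):
                reason = "IE start page is the dropped hp.htm"
        elif section == "O1" and body.startswith("Hosts:"):
            parts = body[len("Hosts:"):].split()  # [ip, hostname]
            if len(parts) >= 2 and parts[0] not in LOOPBACK and HIJACKED_HOST.match(parts[1]):
                reason = "hosts file redirects " + parts[1] + " to " + parts[0]
        elif section == "O4" and FAKE_LOADER.search(body):
            reason = "Run entry disguises LOAD.BAT as a shell.dll/win64.drv loader"
        if reason:
            findings.append((section, reason, m.group(0)))
    return findings

# Constructed sample log: indicator lines from the page plus two benign entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\hp.htm
O1 - Hosts: 206.161.200.105 auto.search.msn.com
O1 - Hosts: 206.161.200.103 www29.smutserver.com
O1 - Hosts: 127.0.0.1 www.smutserver.com
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKLM\..\Run: [Win64 Compatibility Check] load win64.drv /c /set -- by windows setup --
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

if __name__ == "__main__":
    for finding in scan_hijackthis(SAMPLE_LOG):
        print(" | ".join(finding))
```

A match on the O4 lines is the cue to look for load.bat and srch.reg in the Windows folder, since the Run entry only names shell.dll or win64.drv as a decoy.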
