CWS.Msconfd
  • Summary: CoolWebSearch - CWS.Msconfd variant - A set of hijackers run by a mafia-like gang that redirect to the coolwebsearch site or to its affiliates.

  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, deletion, erase, erasure, delete, throw out, destroy, uninstallation



CoolWebSearch - CWS.Msconfd variant


What is it?
This parasite is a variant of a rabid family of hijackers called CoolWebSearch, run by a mafia-like gang that worms its way into every computer it can reach.

General discussion and eradication of the various variants of the CoolWebSearch hijacker:


See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)

Variant 22: CWS.Msconfd - Finally using rundll32

Approx date first sighted: November 26, 2003
Log reference: Reconstruction, local test
Symptoms: IE pages being changed to webcoolsearch.com, bogus error message about msconfd.dll at startup, porn bookmarks added to Favorites (some possibly childporn)
Cleverness: 7/10
Manual removal difficulty: Involves quite some Registry editing and deleting porn bookmarks, plus struggling to unload the dll which is always in memory
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://webcoolsearch.com/
O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel
Additional line from StartupList log:
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=msconfd.dll

This is the first variant to use a dll file together with the Windows rundll32 file. This makes it a little harder to find the culprit msconfd.dll, responsible for hijacking IE to webcoolsearch.com and adding 11 adult bookmarks to IE, of which 4 are possibly child porn sites.

Deleting the autorun entry, resetting IE and deleting the porn bookmarks fixes most of the hijack. Removing msconfd.dll involves renaming the file, restarting the system and deleting the renamed file.

CWS.Msconfd.2: A mutation of this variant exists that uses the filename avpcc.dll or ctrlpan.dll and hooks into Windows in the same way as the first version. This version also deletes all the bookmarks in the IE Favorites folder before replacing them with porn bookmarks.

CWS.Msconfd.3: A mutation of this variant exists that uses the filename cpan.dll.
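As an added example (my own code, not part of Merijn's write-up or of this page), a small Python checker that applies the identifying lines above to HijackThis/StartupList log text: R1 search values pointing at webcoolsearch.com, an O4 entry that launches one of the variant's DLLs through rundll32, and an AppInit_DLLs injection. The sample log is constructed; the avpcc line for the .2 mutation is hypothetical, built from the statement that it hooks into Windows the same way.

```python
import re

# Indicators taken from the write-up above: every IE search value points at
# webcoolsearch.com, a RunServices entry launches the DLL through rundll32, and
# the same DLL is injected into every process via AppInit_DLLs. The DLL name
# list also covers the .2 (avpcc/ctrlpan) and .3 (cpan) mutations.
HIJACK_DOMAIN = "webcoolsearch.com"
CWS_DLL = re.compile(r"\b(msconfd|avpcc|ctrlpan|cpan)(?:\.dll)?\b", re.IGNORECASE)

R1_LINE = re.compile(r"^R1 - (?:HKCU|HKLM)\\(?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT = re.compile(r"AppInit_DLLs=(?P<dlls>.*)$", re.IGNORECASE)


def classify(line):
    """Return (indicator, detail) if the log line matches CWS.Msconfd, else None."""
    line = line.strip()
    m = R1_LINE.match(line)
    if m and HIJACK_DOMAIN in m.group("data").lower():
        return ("ie_search_hijack", m.group("value").strip())
    m = O4_LINE.match(line)
    if m and "rundll32" in m.group("cmd").lower() and CWS_DLL.search(m.group("cmd")):
        return ("rundll32_autostart", m.group("cmd"))
    m = APPINIT.search(line)
    if m:
        hits = CWS_DLL.findall(m.group("dlls"))
        if hits:
            return ("appinit_dll_injection", ",".join(h.lower() for h in hits))
    return None


def scan(lines):
    """Run classify() over a whole log and keep the hits in log order."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample log: the page's own identifying lines plus two benign
# entries and one hypothetical line for the .2 mutation (avpcc.dll).
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://webcoolsearch.com/",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://webcoolsearch.com/",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/",
    r"O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel",
    r"O4 - HKLM\..\RunServices: [Desktop] rundll32.exe avpcc,Restore ControlPanel",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=msconfd.dll",
]

if __name__ == "__main__":
    for indicator, detail in scan(SAMPLE_LOG):
        print(f"{indicator:24} {detail}")
```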