CWS.Msinfo
  • Summary: CoolWebSearch - CWS.Msinfo variant - A set of hijackers run by a mafia-like gang, redirecting to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, suppression, erase, erasure, delete, throw out, destroy, uninstall, uninstallation


 


CoolWebSearch - CWS.Msinfo variant


What is it?
This parasite is a variant of a family of rabid hijackers called CoolWebSearch, run by a mafia-like gang that forces its way into every computer it can reach.

General discussion and eradication of the various variants of the CoolWebSearch hijacker:


See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on October 19, 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)


Variant 9: CWS.Msinfo - running out of ideas

Approx date first sighted: August 22, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=9933
Symptoms: Redirection to Global-Finder.com, hijack reappearing when rebooting, possible errors about a missing file 'msinfo.exe'.
Cleverness: 6/10
Manual removal difficulty: Involves lots of Registry editing and some .ini file editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://out.true-counter.com/c/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?101 (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe
F1 - win.ini: run=msinfo.exe
O4 - HKLM\..\Run: [Internat Conf] \bootconf.exe

This variant, using a file called 'msinfo.exe' to reinstall the hijack on a reboot, appears to have several versions. The first one seemed to malfunction often, as seen in the 'first sighted' link where the file wasn't actually installed, but the reference to it was. The second version probably fixed this a few days later, since people started surfacing that had been hijacked by this thing. Lastly, the third version appeared together with a slightly mutated variant #2 (bootconf.exe).

The MSINFO.EXE is installed in a Windows folder where the legitimate MSINFO32.EXE file also resides. It is run from win.ini, a method rarely used by programs nowadays. It sets nearly all Start and Search pages of IE to URLs at out.true-counter.com, and reinstates these whenever the system is restarted. Fixing this variant involves resetting all the Registry values changed for IE, editing the autorun values in win.ini and the Registry, and deleting the two files.
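As an added illustration (not part of Merijn's text or of HijackThis itself), the following Python triage script applies the three indicators this entry lists to HijackThis-style log lines: R0/R1 entries pointing IE at out.true-counter.com, win.ini `run=` entries that launch msinfo.exe, and an O4 Run key loading bootconf.exe. The sample log is constructed from the lines quoted above plus two benign entries that must be left alone.

```python
import re
from typing import List, Optional, Tuple

# HijackThis lines look like "<code> - <body>", e.g. "R1 - HKCU\...,Search Page = http://..."
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Indicators taken from the CWS.Msinfo entry above.
HIJACK_HOST = "out.true-counter.com"   # IE start/search pages are pointed here
WININI_RUN_FILE = "msinfo.exe"         # relaunched from win.ini run= at boot
RUN_KEY_FILE = "bootconf.exe"          # the mutated variant's HKLM\..\Run entry


def classify(line: str) -> Optional[str]:
    """Return a verdict if the line matches a CWS.Msinfo indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    low = body.lower()
    if code in ("R0", "R1") and HIJACK_HOST in low:
        return "IE start/search page hijacked to " + HIJACK_HOST
    if code == "F1" and low.startswith("win.ini: run="):
        # Compare only the file name; the path on disk may be written with ~ short names.
        target = low.split("run=", 1)[1].strip()
        if target.split("\\")[-1] == WININI_RUN_FILE:
            return "win.ini run= relaunches " + WININI_RUN_FILE + " at boot"
    if code == "O4" and low.endswith(RUN_KEY_FILE):
        return "Run key loads " + RUN_KEY_FILE
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, verdict) pairs for every line that matches an indicator."""
    return [(ln, v) for ln in log_text.splitlines() if (v := classify(ln))]


# Constructed sample: the entry's own lines plus two benign ones (SysTray, a plain Start Page).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?101 (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe
F1 - win.ini: run=msinfo.exe
O4 - HKLM\..\Run: [Internat Conf] \bootconf.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
"""

if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_LOG):
        print(verdict, "<-", line)
```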
