CWS.Msspi
  • Summary: CoolWebSearch - CWS.Msspi variant - One of a set of hijackers run by a criminal gang that redirect the browser to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics



 


CoolWebSearch - CWS.Msspi variant


What is it?
This parasite is a variant of a family of aggressive hijackers called CoolWebSearch, operated by a criminal gang that breaks into computers everywhere.

General discussion and removal of the different variants of the CoolWebSearch hijacker:


See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 07.04.2004 - Rev 7; 20.05.2004 - Rev 8)





Variant 4: CWS.Msspi - Let's get dangerous

Approx date first sighted: July 28, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=9170
Symptoms: Popups with 'enhanced results' when doing searches on Google, Yahoo and Altavista
Cleverness: 9/10
Manual removal difficulty: Impossible, I kid you not
Identifying lines in HijackThis log:
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll

At about this time, the variant appeared that was the hardest to remove. Users started reporting that when they went to Google, Yahoo or Altavista to search for something, popups appeared that (most of the time) advertised bogus 'enhanced results'. This was the one and only symptom.

After looking over the log, it was quickly concluded the msspi.dll file was to blame. One expert took the file apart and found several key URLs that were monitored, and when he changed them to bogus URLs the popups were gone.

However, the file hooked into the Winsock LSP chain, which lies deep in the bowels of Windows and is one of the hardest parts of Windows to manipulate. Only a very small selection of spyware used this method of infection, and incorrect removal left a computer with a broken Internet connection that could not be fixed even by reinstalling Windows.

Luckily there were one or two tools that could fix a broken Internet connection due to this problem. LSPFix was the one used most since it allowed direct editing of the LSP chain.
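The Winsock LSP chain that msspi.dll hooked into is, concretely, the set of registry keys under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, each holding a PackedCatalogItem blob that names a provider DLL and the protocol chain it belongs to. The script below is an added example, not part of the original page, of Merijn's work, of HijackThis or of LSPFix; it reproduces the two checks those tools perform: it lists every provider DLL and flags the ones that are not stock Windows providers (the O10 line above), and it detects a protocol chain that still references a catalog entry which was deleted, which is exactly the "no Internet" state a careless removal leaves behind. The blob layout used here (a 260-byte ANSI path followed by a WSAPROTOCOL_INFOA structure), the allow-list of Microsoft provider DLLs, the sample catalog and its catalog ids are the author's assumptions and constructed data, not values taken from an infected machine. On Windows the script reads the live catalog; elsewhere it runs against the constructed sample.

```python
"""Audit the Winsock2 Protocol_Catalog9 (the LSP chain) the way HijackThis's O10
check and LSPFix do: list provider DLLs, flag non-stock ones, and detect chains
pointing at a deleted catalog entry. Added example; layout/allow-list assumed."""
import os
import struct
import sys

MAX_PATH = 260                 # PackedCatalogItem starts with a 260-byte ANSI path
PROTO_INFO_LEN = 372           # ...followed by a WSAPROTOCOL_INFOA (assumed layout)
OFF_CATALOG_ENTRY_ID = 36      # dwCatalogEntryId
OFF_CHAIN = 40                 # WSAPROTOCOLCHAIN: int ChainLen + DWORD ChainEntries[7]
OFF_SZPROTOCOL = 116           # char szProtocol[256]
MAX_CHAIN = 7
CATALOG_KEY = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries"
# Assumption: allow-list of stock Microsoft provider DLLs; extend it for your builds.
KNOWN_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "nlaapi.dll",
                       "napinsp.dll", "pnrpnsp.dll", "wshbth.dll"}


def build_packed_item(dll_path, entry_id, chain, name):
    """Construct a PackedCatalogItem blob (only used to build the sample data)."""
    path = dll_path.encode("ascii").ljust(MAX_PATH, b"\0")
    info = bytearray(PROTO_INFO_LEN)
    struct.pack_into("<I", info, OFF_CATALOG_ENTRY_ID, entry_id)
    struct.pack_into("<i", info, OFF_CHAIN, len(chain))  # 0 = LSP, 1 = base, >1 = chain
    for i, cid in enumerate(chain[:MAX_CHAIN]):
        struct.pack_into("<I", info, OFF_CHAIN + 4 + 4 * i, cid)
    nm = name.encode("ascii")[:255]
    info[OFF_SZPROTOCOL:OFF_SZPROTOCOL + len(nm)] = nm
    return path + bytes(info)


def parse_packed_item(blob):
    """Extract DLL path, catalog id, protocol chain and display name from a blob."""
    if len(blob) < MAX_PATH + PROTO_INFO_LEN:
        raise ValueError("PackedCatalogItem too short")
    path = blob[:MAX_PATH].split(b"\0", 1)[0].decode("latin-1")
    info = blob[MAX_PATH:]
    entry_id = struct.unpack_from("<I", info, OFF_CATALOG_ENTRY_ID)[0]
    chain_len = struct.unpack_from("<i", info, OFF_CHAIN)[0]
    chain = [struct.unpack_from("<I", info, OFF_CHAIN + 4 + 4 * i)[0]
             for i in range(max(0, min(chain_len, MAX_CHAIN)))]
    name = info[OFF_SZPROTOCOL:OFF_SZPROTOCOL + 256].split(b"\0", 1)[0]
    return {"path": path, "entry_id": entry_id, "chain_len": chain_len,
            "chain": chain, "name": name.decode("latin-1")}


def audit(entries):
    """Return HijackThis-style findings for a list of parsed catalog entries."""
    known_ids = {e["entry_id"] for e in entries}
    findings = []
    for e in entries:
        dll = os.path.basename(e["path"].replace("\\", "/")).lower()
        if dll not in KNOWN_PROVIDER_DLLS:
            kind = {0: "layered provider (LSP)", 1: "base provider"}.get(
                e["chain_len"], "protocol chain")
            findings.append(f"O10 - Unknown {kind}: {e['path']} "
                            f"(catalog id {e['entry_id']}, '{e['name']}')")
        # A chain link naming a deleted catalog id is the broken-LSP case.
        missing = [cid for cid in e["chain"] if cid not in known_ids]
        if missing:
            findings.append(f"BROKEN CHAIN - entry {e['entry_id']} '{e['name']}' "
                            f"references missing catalog id(s) {missing}")
    return findings


def read_catalog_from_registry():
    """Live read on Windows; returns [] elsewhere so the module stays runnable."""
    if not sys.platform.startswith("win"):
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            with winreg.OpenKey(root, winreg.EnumKey(root, i)) as k:
                blob, _ = winreg.QueryValueEx(k, "PackedCatalogItem")
                entries.append(parse_packed_item(blob))
    return entries


# Constructed sample catalog: two stock providers, an LSP entry for the msspi.dll
# hijacker and a chain routing TCP through it. Catalog ids are made up.
SAMPLE = [
    build_packed_item(r"%SystemRoot%\system32\mswsock.dll", 1001, [1001], "MSAFD Tcpip [TCP/IP]"),
    build_packed_item(r"%SystemRoot%\system32\mswsock.dll", 1002, [1002], "MSAFD Tcpip [UDP/IP]"),
    build_packed_item(r"c:\windows\system32\msspi.dll", 1003, [], "msspi"),
    build_packed_item(r"c:\windows\system32\msspi.dll", 1004, [1003, 1001], "msspi over [TCP/IP]"),
]


def sample_findings():
    return audit([parse_packed_item(b) for b in SAMPLE])


def broken_sample_findings():
    """The same catalog after the LSP entry (1003) was deleted but its chain was not."""
    kept = [b for b in SAMPLE if parse_packed_item(b)["entry_id"] != 1003]
    return audit([parse_packed_item(b) for b in kept])


if __name__ == "__main__":
    live = read_catalog_from_registry()
    for line in audit(live) if live else sample_findings():
        print(line)
```

On the constructed sample the audit reports the msspi.dll LSP entry and the chain built on it; after deleting only the LSP entry, as a naive removal would, it additionally reports the chain whose link now points at a missing catalog id, which is the state that LSPFix was written to repair. On Windows XP SP2 and later there is also a supported way to rebuild a damaged catalog: `netsh winsock reset` followed by a reboot restores Protocol_Catalog9 to the stock providers, and `netsh winsock show catalog` lists the current chain without changing it. On the Windows 2000 and pre-SP2 XP machines this variant was seen on, LSPFix remained the tool of choice.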
