CWS.Mupdate
  • Summary: CoolWebSearch - CWS.Mupdate variant - A set of hijackers run by a mafia-style gang that redirect to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, suppression, erase, erasure, delete, throw out, destroy, uninstall, uninstallation


CoolWebSearch - CWS.Mupdate variant


What is it?
This parasite is a variant of a ferocious family of hijackers called CoolWebSearch, run by a mafia-style gang that worms its way into computers everywhere.

General discussion and removal of the various variants of the CoolWebSearch hijacker:


See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)

Variant 15: Mupdate - Turning up everywhere

Approx date first sighted: October 13, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=13613
Symptoms: Homepage changing to searchv.com, redirections to runsearch when mistyping URLs, *.masspass.com in the Trusted Zone, hijack returning on a reboot.
Cleverness: 9/10
Manual removal difficulty: Involves some Registry editing and lots of ini file editing.
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchv.com/search.html
F0 - system.ini: Shell=explorer.exe mupdate.exe
F1 - win.ini: run=mupdate.exe
F2 - REG:system.ini: Shell=explorer.exe mupdate.exe
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O15 - Trusted Zone: *.masspass.com

This variant isn't very common, but it makes up for this by being very persistent in its existence. It's run from 3 places at boot, as well as merging a .reg file that reinstalls the hijack, and adding an adult site to the Trusted Zone. It also redirects any mistyped domains to runsearch.com.
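As an added illustration of how the indicators listed above can be checked mechanically (example code written for this page, not Merijn's work and not part of HijackThis), the following Python scans HijackThis-style log lines for the hijack and persistence indicators this variant uses: the searchv.com start/search pages, the extra executable appended to Shell= in system.ini, the win.ini run= entry, the Hosts override of sitefinder.verisign.com, the Run entry that silently merges a .reg file, and the Trusted Zone addition. The sample log is constructed from the lines quoted above plus one made-up benign Run entry, so the output shows that only the suspicious entries are flagged; the domain lists and the wording of each reason are assumptions drawn from the symptom description.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the HijackThis lines quoted for this variant, plus one
# benign Run entry (made up for this example) that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchv.com/search.html
F0 - system.ini: Shell=explorer.exe mupdate.exe
F1 - win.ini: run=mupdate.exe
F2 - REG:system.ini: Shell=explorer.exe mupdate.exe
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O15 - Trusted Zone: *.masspass.com
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

# HijackThis log line: section code, " - ", then the entry body.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")

# Indicator domains taken from the symptom list for this variant (assumption:
# a real scanner would carry the full CWS domain list).
HIJACK_DOMAINS = ("searchv.com",)
TRUSTED_ZONE_DOMAINS = ("masspass.com",)


def check_line(section: str, body: str) -> Optional[str]:
    """Return a reason string if the line matches a CWS.Mupdate indicator, else None."""
    lowered = body.lower()
    if section in ("R0", "R1") and any(d in lowered for d in HIJACK_DOMAINS):
        return "IE start/search page points to a CWS search domain"
    if section in ("F0", "F2"):
        # Shell= should be exactly explorer.exe; any extra token is launched at boot.
        m = re.search(r"Shell=explorer\.exe\s+(\S+)", body, re.IGNORECASE)
        if m:
            return f"extra program launched from system.ini Shell=: {m.group(1)}"
    if section == "F1":
        m = re.search(r"\brun=(\S+)", body, re.IGNORECASE)
        if m:
            return f"program launched from win.ini run=: {m.group(1)}"
    if section == "O1" and "sitefinder.verisign.com" in lowered:
        return "Hosts file overrides sitefinder.verisign.com (mistyped-URL redirection)"
    if section == "O4" and re.search(r"\bregedit(\.exe)?\s+-s\b", body, re.IGNORECASE):
        return "Run entry silently merges a .reg file (reinstalls the hijack at boot)"
    if section == "O15" and any(d in lowered for d in TRUSTED_ZONE_DOMAINS):
        return "untrusted site added to the IE Trusted Zone"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse HijackThis-style lines and return the entries matching an indicator."""
    findings: List[Dict[str, str]] = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a HijackThis entry line
        reason = check_line(m["section"], m["body"])
        if reason:
            findings.append({"section": m["section"], "line": raw.strip(), "reason": reason})
    return findings


def boot_launch_points(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct boot-time launch sections seen; several of these is why the hijack survives reboots."""
    return sorted({f["section"] for f in findings if f["section"] in ("F0", "F1", "F2", "O4")})


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
    print("boot-time launch points:", boot_launch_points(results))
```

Run against the sample, the benign ExampleUpdater entry is skipped while the nine indicator lines are reported, and the boot-time summary lists F0, F1, F2 and O4, which is the multi-location persistence the text describes.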

Written while listening to Ecoute