CWS.Oemsyspnp
  • Résumé : CoolWebSearch - Variante CWS.Oemsyspnp - Ensemble de hijackers d'un gang maffieux renvoyant vers le site coolwebsearch ou vers ses affiliés.
 
  • Mots-clés : CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, suppression, effacer, effacement, supprimer, virer, détruire, désinstaller, désinstallation


CWS.Oemsyspnp
 


CoolWebSearch - Variante CWS.Oemsyspnp


De quoi s'agit-il ?
Ce parasite est une variante d'une famille de Hijackers furieux appelée CoolWebSearch et pilotée par un gang maffieux s'introduisant dans tous les ordinateurs.

Discussion générale et éradication des différentes variantes du hijacker CoolWebSearch:


Voir la fiche générale CoolWebSearch


Travaux originaux de Merijn (acquis pas Intermute le 19 Octobre 2004)
Révisions (18.10.2003 - Rév 1; 27.10.2003 - Rév 2; 12.11.2003 - Rév 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)




CWS.Oemsyspnp

Variant 6: CWS.Oemsyspnp - Pure genius

Approx date first sighted: July 29, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=8643
Symptoms: Start page/search pages changed to allhyperlinks.com, activexupdate.com in the IE Trusted Zone, reloading of the hijack on some reboots.
Cleverness: 10/10
Manual removal difficulty: Involves a bit of Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adulthyperlinks.com/favorites/8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
O4 - HKLM\..\Run: [SysPnP] rundll32 setupapi,InstallHinfSection OemVideoPnP 128 oemsyspnp.inf

This variant was spotted nearly by sheer luck, since it used the same Registry value as the second variant (Bootconf) 'SysPnp'. This was a very clever hijack that disguised itself as a driver update. When the computer was started, there was a 1 in 5 chance the hijack was re-installed and changed the IE start page and search pages to allhyperlinks.com.

However, once the hijack was identified, it was easy to stop: only the autostarting oemsyspnp.inf file had to be disabled using MSConfig, and then it could be safely deleted.

CWS.Oemsyspnp.2: A mutation of this variant exists that uses the filename keymgr3.inf, and the Registry value keymgrldr instead.

CWS.Oemsyspnp.3: A mutation of this variant exists that uses the filename drvupd.inf, and the Regustry value drvupd instead. It hijacks to searchforge.com.

Rédigé en écoutant Ecoute