CWS.Oslogo
  • Summary: CoolWebSearch - CWS.Oslogo variant - A set of hijackers run by a criminal gang that redirects browsers to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics



CoolWebSearch - CWS.Oslogo variant


What is it?
This parasite is a variant of an aggressive family of hijackers called CoolWebSearch, operated by a criminal gang and pushed onto every computer it can reach.

General discussion and removal of the different variants of the CoolWebSearch hijacker:

See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)





Variant 3: CWS.OSLogo.bmp - Send in the affiliates

Approx date first sighted: July 10, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=8210
Symptoms: Massive IE slowdowns
Cleverness: 2/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://stopxxxpics.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 (obfuscated)
O1 - Hosts: 1123694712 auto.search.msn.com
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O15 - Trusted Zone: *.coolwwwsearch.com
O15 - Trusted Zone: *.msn.com
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp

After HijackThis was updated for a few tricks CWS used, a new variant surfaced that showed CWS was just getting started. The filename of the user stylesheet changed into one that didn't even look like a stylesheet on the outside, but got accepted by IE anyway. Two domains were added to the Trusted Zone to ensure CWS could do its dirty work and install any updates if they ever became available.

But most of all, IE start and search pages started getting changed to several dozen different sites that were all affiliated to CWS. There didn't seem to be an end to the flow of different domains users were hijacked to. When I write this, over 80 domains are known CWS affiliates - and all appeared in users' logs.

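Detection logic for the indicators in the log above, as an added example that is not from the original page, from Merijn or from HijackThis. It triages HijackThis-style lines and flags the CWS.OSLogo.bmp markers: IE start/search settings pointing at coolwwwsearch.com or at the two affiliate domains visible in that log, a hosts entry whose address is a bare decimal integer, the bootconf.exe Run entry, Trusted Zone additions, and a user stylesheet that is not a .css file. The sample log is constructed from the quoted entries plus one benign Run line; the affiliate list, the binary list and the severity labels are my own choices for this example, not HijackThis output.

```python
"""Triage HijackThis-style log lines for the CWS.OSLogo.bmp indicators.

Added example; not part of the original page, of HijackThis or of Merijn's work.
Domain, binary and severity choices below are assumptions made for this example.
"""
import re
from urllib.parse import urlparse

CWS_DOMAINS = {"coolwwwsearch.com"}
AFFILIATE_DOMAINS = {"allhyperlinks.com", "stopxxxpics.com"}  # the two seen in the log above
KNOWN_CWS_BINARIES = {"bootconf.exe"}                         # the O4 entry in the log above

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Constructed sample: entries quoted above plus one benign Run entry (mobsync.exe).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://stopxxxpics.com
O1 - Hosts: 1123694712 auto.search.msn.com
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O15 - Trusted Zone: *.coolwwwsearch.com
O15 - Trusted Zone: *.msn.com
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
"""


def decode_decimal_ip(token: str):
    """A bare integer is read by inet_addr-style parsers as a 32-bit IPv4
    address. Return the dotted form, or None if the token is not such an integer."""
    if not token.isdigit() or int(token) > 0xFFFFFFFF:
        return None
    n = int(token)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def host_of(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def in_domain(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_line(line: str):
    """Return (severity, reason) for one HijackThis line, or None if it is not suspicious."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code in ("R0", "R1"):                      # IE start/search page settings
        if "=" not in body:
            return None
        url = body.split("=", 1)[1].split()[0]    # drop HijackThis's "(obfuscated)" tag
        host = host_of(url)
        if in_domain(host, CWS_DOMAINS):
            return ("high", f"IE setting points at CWS domain {host}")
        if in_domain(host, AFFILIATE_DOMAINS):
            return ("medium", f"IE setting points at CWS affiliate {host}")
        return None

    if code == "O1":                              # hosts file overrides
        fields = body.split(":", 1)[1].split()
        if len(fields) < 2:
            return None
        addr, name = fields[0], fields[1]
        decoded = decode_decimal_ip(addr)
        if decoded:
            return ("high", f"hosts entry maps {name} to decimal-encoded address {addr} = {decoded}")
        if addr not in ("127.0.0.1", "0.0.0.0"):
            return ("medium", f"hosts entry redirects {name} to {addr}")
        return None

    if code == "O4":                              # autostart (Run keys)
        exe = body.rsplit("]", 1)[-1].strip().split()[0]
        name = exe.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_CWS_BINARIES:
            return ("high", f"autostart of known CWS loader {name}")
        return None

    if code == "O15":                             # Trusted Zone additions
        zone = body.split(":", 1)[1].strip().lstrip("*.").lower()
        if in_domain(zone, CWS_DOMAINS):
            return ("high", f"CWS domain {zone} added to Trusted Zone")
        return ("low", f"Trusted Zone entry for {zone}; confirm it was added deliberately")

    if code == "O19":                             # IE user stylesheet
        path = body.split(":", 1)[1].strip()
        if not path.lower().endswith(".css"):
            return ("high", f"user stylesheet {path} does not have a .css extension")
        return ("medium", f"user stylesheet {path} is set; legitimate use is rare")

    return None


def triage(log_text: str):
    """Return [(code, severity, reason), ...] for every suspicious line in the log."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((line.split(" - ", 1)[0], *hit))
    return findings


if __name__ == "__main__":
    for code, severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {code}: {reason}")
```

The O1 line is the detail worth a second look: `1123694712` is not a typo but a whole 32-bit address written as one integer, which `decode_decimal_ip` turns into `66.250.56.120`. A resolver that accepts the bare-integer form treats it exactly like the dotted version, so `auto.search.msn.com` is quietly redirected while the entry looks too strange to be an IP to a human reader.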