CWS.Realyellowpage
  • Summary: CoolWebSearch - CWS.Realyellowpage variant - A set of hijackers run by a mafia-style gang, redirecting to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics



 


CoolWebSearch - CWS.Realyellowpage variant


What is it?
This parasite is a variant of a vicious family of hijackers called CoolWebSearch, run by a mafia-style gang that breaks into every computer it can reach.

General discussion and eradication of the various variants of the CoolWebSearch hijacker:


See the general CoolWebSearch page


Original work by Merijn (acquired by Intermute on October 19, 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)





Variant 39: CWS.Realyellowpage - Inducing homicidal tendencies

Approx date first sighted: March 16, 2004
Log reference: (not visible in HijackThis log)
Symptoms: IE pages changed to real-yellow-page.com, drxcount.biz, list2004.com or linklist.cc, hijack inexplicably returning on reboot with no file seemingly responsible
Cleverness: Where's my infinity character button?
Manual removal difficulty: Battle axe or chainsaw recommended
Identifying lines in HijackThis log:
(not visible in HijackThis)

This variant is a nightmare. If you come across an infected machine that keeps changing back to the aforementioned sites over and over again for no visible reason, you've probably seen this one. It's like whoever is responsible for this hired some blackhat coder and told him to make the most complex, invisible and devious hijacker he could think of. And he did.
The file is randomly named, and normally hooks into the IE process, loading itself as a module into it. And then it hides the host process from the process list. Yes, you read that right, the process hosting the dll disappears from the task list and most process viewers/managers we tried.
At first it was only visible with FAR Explorer, later we found PrcView also shows it, and has some nice command-line options which makes for nice scripting to aid in manual removal. For Windows 95/98/ME, booting the system into Safe Mode will prevent the file from loading, allowing for even easier manual removal:
* MANUAL REMOVAL INSTRUCTIONS *
  • Download PrcView here: http://www.spywareinfo.com/~merijn/files/pv.zip, unzip it to the desktop.
  • Be sure to have at least 1 Internet Explorer window open, then double click on the runme.bat.
  • Select option '2' from the menu.
  • Notepad will open with a log in it. Look for a line with this file, size and beginning to it.
  • The filename will always be different:
    winajbm.dll 61c00000 61440 c:\windows\system32\winajbm.dll

    This part indicates the bad file:
    61c00000 61440
    It will always start with that header.
  • Write down the filename behind it.
  • Now download KillBox:
    http://download.broadbandmedic.com/rx09ty/KillBox.zip
  • Unzip and run it.
  • Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot".
  • On the next screen, click on the File menu and choose "Add File". The file you copied earlier should now show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.
  • After rebooting, make sure the file is gone.
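The manual procedure above keys on one fixed fingerprint in the PrcView module listing (base address 61c00000, size 61440) because the dll's filename is random. The following Python script, an added example and not part of the original write-up or of PrcView, parses a constructed PrcView-style listing and reports the module carrying that fingerprint, so the filename can be handed to a delete-on-reboot tool instead of being picked out by eye. The log lines, the other module names and their sizes are made up for the demonstration; only the base/size pair comes from the text.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Fingerprint from the write-up: the hijacker dll always reports this base
# address and image size in PrcView, while its filename changes on every install.
CWS_BASE_ADDRESS = 0x61C00000
CWS_IMAGE_SIZE = 61440

# PrcView module line as shown in the write-up: <name> <base hex> <size> <full path>
_MODULE_RE = re.compile(r"^(\S+)\s+([0-9a-fA-F]{8})\s+(\d+)\s+(.+?)\s*$")

# Constructed sample listing (not real PrcView output): one process line plus
# three module lines, one of which carries the CWS fingerprint.
SAMPLE_PRCVIEW_LOG = r"""
iexplore.exe 1234 c:\program files\internet explorer\iexplore.exe
  kernel32.dll 77e60000 942080 c:\windows\system32\kernel32.dll
  winajbm.dll 61c00000 61440 c:\windows\system32\winajbm.dll
  shdocvw.dll 71700000 1499136 c:\windows\system32\shdocvw.dll
"""


@dataclass
class Module:
    name: str
    base: int
    size: int
    path: str


def parse_prcview(text: str) -> List[Module]:
    """Return the module lines of a PrcView listing; process/header lines are skipped."""
    modules = []
    for line in text.splitlines():
        match = _MODULE_RE.match(line.strip())
        if match:  # lines without an 8-digit hex base (process lines, headers) are ignored
            name, base_hex, size, path = match.groups()
            modules.append(Module(name, int(base_hex, 16), int(size), path))
    return modules


def find_cws_module(text: str) -> Optional[Module]:
    """Return the module matching the CWS base/size fingerprint, or None if absent."""
    for module in parse_prcview(text):
        if module.base == CWS_BASE_ADDRESS and module.size == CWS_IMAGE_SIZE:
            return module
    return None


if __name__ == "__main__":
    hit = find_cws_module(SAMPLE_PRCVIEW_LOG)
    print("CWS dll to delete on reboot:", hit.path if hit else "none found")
```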
Tech info: Win9x/ME: Known to use the HKLM RunServicesOnce key to load, which is deleted by Windows after loading the file and recreated by the dll when Windows shuts down. Visible in Safe Mode, dll file is not loaded then and can be deleted.
WinNT/2000/XP: Known to use the HKLM AppInit_DLLs value to load, possibly more Registry keys. The 'delete file on reboot' function can be used (KillBox does this), provided the filename is known.
File is heavily encrypted using an unknown packer, has a modified PE header and crashes most (if not all) memory dumpers when an attempt is made to dump the file from memory. Hides the dll as well as the host process (IEXPLORE.EXE, RUNDLL32.EXE, CONTROL.EXE, REGSVR32.EXE, whichever one is used) by an unknown method.

Right now [17/04/04], CWShredder does not remove this variant. As soon as I figure out how to do it, I will update CWShredder for it.

Written while listening to Ecoute