CWS.Searchx
  • Résumé : CoolWebSearch - Variante CWS.Searchx - Ensemble de hijackers d'un gang maffieux renvoyant vers le site coolwebsearch ou vers ses affiliés.
 
  • Mots-clés : CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, suppression, effacer, effacement, supprimer, virer, détruire, désinstaller, désinstallation


CWS.Searchx
 


CoolWebSearch - Variante CWS.Searchx


De quoi s'agit-il ?
Ce parasite est une variante d'une famille de Hijackers furieux appelée CoolWebSearch et pilotée par un gang maffieux s'introduisant dans tous les ordinateurs.

Discussion générale et éradication des différentes variantes du hijacker CoolWebSearch:


Voir la fiche générale CoolWebSearch


Travaux originaux de Merijn (acquis pas Intermute le 19 Octobre 2004)
Révisions (18.10.2003 - Rév 1; 27.10.2003 - Rév 2; 12.11.2003 - Rév 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)




CWS.Searchx

Variant 38: CWS.Searchx - About:blank seems popular lately

Approx date first sighted: April 6, 2004
Log reference: http://forums.techguy.org/t217853.html
Symptoms: IE pages changed to about:blank (which is changed to a search portal linking to searchx.cc) and a search page inside a DLL on the system, hijack returning on system reboot
Cleverness: 8/10
Manual removal difficulty: Involves lots of Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res:// C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {48918FB4-1FD5-4DF3-87F0- 12C36350039D} - C:\WINDOWS\System32\gfmnaaa.dll

This variant is not very hard to spot, but slightly harder to troubleshoot since its symptoms look a lot like those of CWS.Xmlmimefilter. It drops a randomly named DLL in the system folder and sets the IE homepage/search pages to it. A BHO is also added pointing to the same DLL. The about:blank page is modified by creating two new protocol filters for text/html and text/plain which allows the DLL to control most of the content flowing through the IE browser as web pages. The trojan keeps a record of all actions in a log file at c:\filter.log. Removing the two filters in the Registry, deleting the BHO, the DLL and the logfile and restoring the IE pages fixes this hijack.

Note: The CWS.Realyellowpage has been sighted together with this variant sometimes, causing CWShredder to not be able to remove this one. Refer to the manual removal method for that variant to delete the offending dll, then run CWShredder again to remove CWS.Searchx.

Rédigé en écoutant Ecoute