CWS.Smartsearch
  • Résumé : CoolWebSearch - Variante CWS.Smartsearch - Ensemble de hijackers d'un gang maffieux renvoyant vers le site coolwebsearch ou vers ses affiliés.
 
  • Mots-clés : CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, suppression, effacer, effacement, supprimer, virer, détruire, désinstaller, désinstallation


CWS.Smartsearch
 


CoolWebSearch - Variante CWS.Smartsearch


De quoi s'agit-il ?
Ce parasite est une variante d'une famille de Hijackers furieux appelée CoolWebSearch et pilotée par un gang maffieux s'introduisant dans tous les ordinateurs.

Discussion générale et éradication des différentes variantes du hijacker CoolWebSearch:


Voir la fiche générale CoolWebSearch


Travaux originaux de Merijn (acquis pas Intermute le 19 Octobre 2004)
Révisions (18.10.2003 - Rév 1; 27.10.2003 - Rév 2; 12.11.2003 - Rév 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)




CWS.Smartsearch

Variant 26: CWS.Smartsearch - Counter-counter-actions

Approx date first sighted: January 7, 2004
Log reference: http://forums.spywareinfo.com/index.php?showtopic=26148
Symptoms: IE hijacked to smartsearch.ws, redirections to smartsearch.ws when entering incomplete URLs into the address bar, antispyware programs closing without reason only a few seconds after opening them
Cleverness: 5/10
Manual removal difficulty: Involves a process killer, lots of registry editing and deleting a few files.
Identifying lines in HijackThis log:
Running processes:
C:\Program Files\directx\directx.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
O4 - HKLM\..\Run: [SystemEmergency] C:\Program Files\directx\directx.exe
O4 - HKLM\..\RunServices: [SystemEmergency] C:\Program Files\directx\directx.exe
O4 - HKCU\..\Run: [SystemEmergency] C:\Program Files\directx\directx.exe
O4 - HKLM\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKLM\..\RunServices: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKCU\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O13 - DefaultPrefix: http://smartsearch.ws/?q=
O13 - WWW Prefix: http://smartsearch.ws/?q=

This variant is mostly hard to spot since it can use over a dozen different filenames, luckily all with the same registry value. The file is always running and reinstalls the hijack to smartsearch.ws every 10 seconds. Killing the trojan process, deleting/restoring all the Registry values it added or changed and deleting its files fixed the hijack.

CWS.Smartsearch.2: A mutation of this variant exists that attempts to close CWShredder, HijackThis, Ad-Aware, Spybot S&D and the SpywareInfo forums when they are opened. It uses the filename IEXPLORER.EXE (note the extra 'R') and a different Registry value. It drops a hosts file that blocks over two dozen anti-spyware sites. CWShredder has been updated to circumvent this.

CWS.Smartsearch.3: A mutation of this variant exists that uses the startup 'coolwebprogram', and attempts to close CWShredder, HijackThis, Ad-Aware, Spybot S&D and the SpywareInfo forums when they are opened. It also drops notepad32.exe and hijacks the .txt and .log filetypes to open with this file (before showing it in the real Notepad), reinstalling the hijack.

CWS.Smartsearch.4: A mutation of this variant exists that hijacks to magicsearch.ws instead of smartsearch.ws, uses the startup 'MicrosoftWindows' and also drops the notepad32.exe Notepad hijacker like CWS.Smartsearch.3. It also hijacks the DefaultPrefix and WWW Prefix to magicsearch.ws like CWS.Vrape and attempts to kill several firewalls, including (but not limited to) ZoneAlarm and Kerio Personal Firewall.

Known filenames used by this variant:
C:\Program Files\directx\directx.exe
C:\Program Files\Common Files\System\systeem.exe
C:\Windows\explore.exe (note the missing 'r')
C:\Windows\System\internet.exe
C:\Windows\Media\wmplayer.exe
C:\Windows\Help\helpcvs.exe
C:\Program Files\Accessories\accesss.exe
C:\Games\systemcritical.exe
C:\Documents Settings\sistem.exe
C:\Program Files\Common Files\Windows Media Player\wmplayer.exe
C:\Windows\Start Menu\Programs\Accessories\Game.exe
C:\Windows\sistem.exe
C:\Windows\System\RunDll16.exe
C:\Windows\iexplorer.exe (note the extra 'i' or the extra 'r')
C:\y.exe
C:\x.exe

c:\funny.exe
c:\funniest.exe
c:\Windows\notepad32.exe
C:\Windows\system\kazaa.exe
C:\Windows\system32\kazaa.exe
C:\Program Files\Common Files\Services\iexplorer.exe
C:\Program Files\Common Files\Services\explore.exe
C:\Program Files\Common Files\Services\exploreer.exe
C:\Program Files\Common Files\Services\sistem.exe
C:\Program Files\Common Files\Services\critical.exe
C:\Program Files\Common Files\Services\directx.exe
C:\Program Files\Common Files\Services\internet.exe
C:\Program Files\Common Files\Services\window.exe
C:\Program Files\Common Files\Services\winmgnt.exe
C:\Program Files\Common Files\Services\clrssn.exe
C:\Program Files\Common Files\Services\explorer32.exe
C:\Program Files\Common Files\Services\win32e.exe
C:\Program Files\Common Files\Services\directx32.exe
C:\Program Files\Common Files\Services\uninstall.exe
C:\Program Files\Common Files\Services\volume.exe
C:\Program Files\Common Files\Services\autorun.exe
C:\Program Files\Common Files\Services\users32.exe
C:\Program Files\Common Files\Services\notepad.exe
C:\Program Files\Common Files\Services\win64.exe
C:\Program Files\Common Files\Services\inetinf.exe
C:\Program Files\Common Files\Services\time.exe
C:\Program Files\Common Files\Services\systeem.exe

c:\Windows\system32\iexplorer.exe
c:\Windows\system32\explore.exe
c:\Windows\system32\exploreer.exe
c:\Windows\system32\sistem.exe
c:\Windows\system32\critical.exe
c:\Windows\system32\directx.exe
c:\Windows\system32\internet.exe
c:\Windows\system32\window.exe
c:\Windows\system32\winmgnt.exe
c:\Windows\system32\clrssn.exe
c:\Windows\system32\explorer32.exe
c:\Windows\system32\win32e.exe
c:\Windows\system32\directx32.exe
c:\Windows\system32\uninstall.exe
c:\Windows\system32\volume.exe
c:\Windows\system32\autorun.exe
c:\Windows\system32\users32.exe
c:\Windows\system32\win64.exe
c:\Windows\system32\inetinf.exe
c:\Windows\system32\time.exe
c:\Windows\system32\systeem.exe

Rédigé en écoutant Ecoute