CWS.Svcinit
  • Summary: CoolWebSearch - CWS.Svcinit variant - A set of hijackers run by a mafia-style gang, redirecting to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, deletion, erase, erasure, delete, throw out, destroy, uninstallation


 


CoolWebSearch - CWS.Svcinit variant


What is it?
This parasite is a variant of an aggressive family of hijackers called CoolWebSearch, run by a mafia-style gang that breaks into every computer it can reach.

General discussion and removal of the various variants of the CoolWebSearch hijacker:


See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)





Variant 12: CWS.Svcinit - Sneaky little fellow

Approx date first sighted: September 10, 2003
Log reference: Reconstruction
Symptoms: Homepage changed to xwebsearch.biz and 'http:///', hijack returning on reboot or even sooner.
Cleverness: 9/10
Manual removal difficulty: Involves lots of Registry editing, ini file editing and a process killer.
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\System32\SVCINIT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:////
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://xwebsearch.biz
F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O4 - HKLM\..\RunServices: [SVC Service] C:\WINDOWS\SYSTEM\svcinit.exe
O4 - HKLM\..\Run: [mssys] C:\WINDOWS\mssys.exe
Additional identifying line in StartupList log:
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon]
UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcinit.exe

This variant was somewhat surprising, because fixing all the items in HijackThis didn't remove it completely - it came back after a reboot (on Windows 2000 and XP). Only after a user had posted a StartupList log did it become clear that this hijacker used an additional method of running at boot, besides the two visible in the HijackThis log. Terminating the running process and deleting the three autorun values fixed it. Also, mssys.exe is possibly involved in this hijack.

CWS.Svcinit.2: A mutation of this variant exists, which uses the filename svcpack.exe instead. It hijacks to http:/// (sic) and uses the same autostarting methods as the first version. Possibly it also drops the file SVCHOST.OLD for unknown purposes.

CWS.Svcinit.3: Possibly, a mutation of this variant exists, which hijacks to xwebsearch.biz and http:/// (sic), as well as installing a hosts file redirection of several dialer sites to searchmeup.com.

CWS.Svcinit.4: A mutation of this variant exists, which hijacks IE to sex.free4porno.net and adds porn bookmarks to the IE Favorites and on the desktop. It reinstalls from a file c:\windows\svchost.exe (not the valid Windows system file of that name, which lives in the system32 folder), running at startup under the name Online Service. It also uses the trojan file msin32.dll for unknown reasons.
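As an added example (not part of this entry or of Merijn's original work), the following Python check scans HijackThis and StartupList log lines for the indicators listed above: the empty 'http:///' and xwebsearch.biz start/search pages, win.ini and Run/RunServices autostarts of svcinit.exe, svcpack.exe or mssys.exe, and any extra entry in the Winlogon UserInit value. The indicator sets are assumed from this entry, and the sample log is constructed from the identifying lines above plus two benign lines.

```python
import re

# Indicators from the CWS.Svcinit entry above: hijack targets and dropper filenames (assumed from the text).
HIJACK_URLS = {"http:///", "http:////", "http://xwebsearch.biz"}
DROPPER_FILES = {"svcinit.exe", "svcpack.exe", "mssys.exe"}
HJT_LINE = re.compile(r"^(?P<kind>R[01]|F1|O4) - (?P<body>.+)$")
EXE_NAME = re.compile(r"[\w-]+\.exe")

def check_hijackthis(log_text):
    """Return (line, reason) pairs for log lines matching CWS.Svcinit indicators."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = HJT_LINE.match(line)
        if m:
            kind, body = m.group("kind"), m.group("body").lower()
            if kind in ("R0", "R1"):
                # R0/R1: IE start or search page; CWS.Svcinit sets the empty 'http:///' URL
                url = body.split("=", 1)[-1].strip()
                if url in HIJACK_URLS:
                    findings.append((line, "IE page hijacked to " + url))
            else:
                # F1 (win.ini run=) and O4 (Run/RunServices): autostart of a dropper file
                hits = set(EXE_NAME.findall(body)) & DROPPER_FILES
                if hits:
                    findings.append((line, kind + " autostart of " + ", ".join(sorted(hits))))
        elif line.lower().startswith("userinit="):
            # StartupList shows the Winlogon UserInit value; only userinit.exe belongs there.
            entries = [e.strip().lower() for e in line[len("userinit="):].split(",") if e.strip()]
            extras = [e for e in entries if not e.endswith("\\userinit.exe")]
            if extras:
                findings.append((line, "extra UserInit entry: " + ", ".join(extras)))
    return findings

# Constructed sample mirroring the identifying lines in the entry, plus two benign lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:////
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://xwebsearch.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O4 - HKLM\..\RunServices: [SVC Service] C:\WINDOWS\SYSTEM\svcinit.exe
O4 - HKLM\..\Run: [mssys] C:\WINDOWS\mssys.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon]
UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcinit.exe
"""
```

Running check_hijackthis(SAMPLE_LOG) flags eight lines (the four hijacked pages, the win.ini run, both O4 autostarts and the extra UserInit entry) and leaves the about:blank and ctfmon.exe lines alone.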
