CWS.Systeminit
  • Summary: CoolWebSearch - CWS.Systeminit variant - a set of hijackers run by a criminal gang, redirecting the browser to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, delete, deletion, erase, erasure, destroy, uninstallation


CoolWebSearch - CWS.Systeminit variant


What is it?
This parasite is a variant of an aggressive family of hijackers called CoolWebSearch, run by a criminal gang and pushed onto as many computers as it can reach.

General discussion and removal of the various variants of the CoolWebSearch hijacker:


See the general CoolWebSearch page


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 07.04.2004 - Rev 7; 20.05.2004 - Rev 8)


Variant 35: CWS.Systeminit

Approx date first sighted: March 21, 2004
Log reference: http://www.spywareinfo.com/forums/index.php?showtopic=35845
Symptoms: IE pages changed to your-search.info, redirections to search-dot.com, hijack returning on system reboot, URL shortcuts appearing on desktop and in favorites
Cleverness: 2/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.your-search.info/start.html
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - Global Startup: sytem32.exe
O19 - User stylesheet: C:\WINDOWS\sstyle_old.css
O19 - User stylesheet: C:\WINDOWS\sstyle_old.css (HKLM)

A small variant, using two files to reinstall the hijack. The stylesheet links to search-dot.com; the two autostarting files set the IE home page and search pages to your-search.info. A backup of the systeminit.exe file is kept at C:\Documents And Settings\sys.exe (this location is hardcoded into the trojan file), which is why the hijack comes back after a reboot if only the autostart entries are removed. Deleting the three trojan files, the stylesheet and the bookmarks, then restoring the IE pages, fixes this hijack.
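The identifying lines and the removal steps above can be turned into a check that runs over a saved HijackThis log. The script below is an added example, not part of Merijn's write-up and not HijackThis code: it flags the R0/R1/O4/O19 lines matching this variant's indicators and derives the manual clean-up described in the text. It assumes the standard expansions of HijackThis's abbreviated locations (`HKLM\..\Run` is `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`; O19 entries come from the `Internet Explorer\Styles` key's `User Stylesheet` value), and the log it scans is a constructed sample, not a real capture.

```python
"""Detect the CWS.Systeminit hijack in a HijackThis log and derive the clean-up.

Added example (not Merijn's text, not HijackThis code). Indicator values are the
ones quoted on this page; registry key expansions are assumptions noted inline.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators from the page (paths are compared case-insensitively).
HIJACK_HOSTS = {"your-search.info", "search-dot.com"}
TROJAN_RUN_PATH = r"c:\windows\system\systeminit.exe"
TROJAN_STARTUP_NAME = "sytem32.exe"                    # spelling exactly as in the log
TROJAN_STYLESHEET = r"c:\windows\sstyle_old.css"
TROJAN_BACKUP = r"C:\Documents And Settings\sys.exe"   # hard-coded copy, per the text

IE_MAIN = r"HKCU\Software\Microsoft\Internet Explorer\Main"
# Assumed expansions of the abbreviated HijackThis locations:
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"   # shown as HKLM\..\Run
STYLES_KEY = r"Software\Microsoft\Internet Explorer\Styles"        # key behind O19 lines

# Constructed sample log (not a real capture): the lines quoted on this page plus
# three benign XP-era entries that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.your-search.info/start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - Global Startup: sytem32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O19 - User stylesheet: C:\WINDOWS\sstyle_old.css
O19 - User stylesheet: C:\WINDOWS\sstyle_old.css (HKLM)
"""


@dataclass
class Finding:
    section: str   # HijackThis section code: R0, R1, O4, O19
    line: str      # the offending log line
    reason: str    # why it matched


def _host(url: str) -> str:
    """Registrable host of a URL, with a leading 'www.' dropped ('' if none)."""
    host = urlparse(url.strip()).hostname or ""
    return host[4:] if host.startswith("www.") else host


def scan(log_text: str) -> list[Finding]:
    """Return the log lines that match the CWS.Systeminit signature, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(R0|R1|O4|O19) - (.*)$", line)
        if not m:
            continue
        sect, body = m.groups()
        low = body.lower()
        if sect in ("R0", "R1"):
            # "HKCU\...\Main,Start Page = http://..." -> judge the URL by its host only
            _, _, url = body.partition(" = ")
            if url and _host(url) in HIJACK_HOSTS:
                findings.append(Finding(sect, line, f"IE page points at {_host(url)}"))
        elif sect == "O4":
            if low.endswith(TROJAN_RUN_PATH):
                findings.append(Finding(sect, line, "Run entry launches systeminit.exe"))
            elif low.startswith("global startup:") and low.endswith(TROJAN_STARTUP_NAME):
                findings.append(Finding(sect, line, "Global Startup entry for sytem32.exe"))
        elif sect == "O19" and TROJAN_STYLESHEET in low:
            findings.append(Finding(sect, line, "user stylesheet sstyle_old.css"))
    return findings


def remediation_plan(findings: list[Finding]) -> dict[str, list[str]]:
    """Turn findings into the manual clean-up the text describes (registry + files)."""
    registry: list[str] = []
    files: list[str] = []
    for f in findings:
        if f.section in ("R0", "R1"):
            value_name = f.line.split(",", 1)[1].split(" = ", 1)[0]
            registry.append(f"reset {IE_MAIN}\\{value_name}")
        elif f.section == "O4" and "systeminit.exe" in f.line.lower():
            registry.append(f"delete {RUN_KEY}\\system32.dll")
            files.append(r"C:\WINDOWS\system\systeminit.exe")
        elif f.section == "O4":
            files.append(f"<Global Startup folder>\\{TROJAN_STARTUP_NAME}")  # folder path varies per install
        elif f.section == "O19":
            hive = "HKLM" if "(HKLM)" in f.line else "HKCU"
            registry.append(f"delete {hive}\\{STYLES_KEY}\\User Stylesheet")
            files.append(r"C:\WINDOWS\sstyle_old.css")
    if files:
        files.append(TROJAN_BACKUP)   # the reinstall source; leaving it means the hijack returns
    # de-duplicate while keeping order (the stylesheet is reported twice)
    return {"registry": list(dict.fromkeys(registry)), "files": list(dict.fromkeys(files))}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.reason}: {f.line}")
    for kind, items in remediation_plan(found).items():
        print(kind + ":", *items, sep="\n  ")
```

The host check deliberately ignores the URL path, so any page under your-search.info or search-dot.com is flagged, and the backup at sys.exe is always added to the file list once the hijack is confirmed, since deleting only the autostart files leaves the copy that restores them.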
