CWS.Tapicfg
  • Summary: CoolWebSearch - CWS.Tapicfg variant - A set of hijackers run by a criminal gang that redirect the browser to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, suppression, erase, erasure, delete, throw out, destroy, uninstall, uninstallation


CoolWebSearch - CWS.Tapicfg variant


What is it?
This parasite is a variant of a family of aggressive hijackers called CoolWebSearch, run by a criminal gang that breaks into every computer it can reach.

General discussion and removal of the different variants of the CoolWebSearch hijacker:


See the general CoolWebSearch entry


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)




CWS.Tapicfg

Variant 11: CWS.Tapicfg - Msinfo part 2

Approx date first sighted: September 21, 2003
Log reference: http://boards.cexx.org/viewtopic.php?t=2075
Symptoms: Slow scrolling in IE, redirections to luckysearch.net, hijack returning on reboot, info32.exe errors.
Cleverness: 8/10
Manual removal difficulty: Involves quite some Registry editing, win.ini editing and hosts file editing. The style sheet files are marked read-only, system and hidden.
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/--- /?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/-- /?oaoca (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
O1 - Hosts: 3510794918 auto.search.msn.com
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\SYSTEM\tapicfg.exe
O19 - User stylesheet: C:\WINDOWS\Web\win.def
O19 - User stylesheet: C:\WINDOWS\default.css

This hijack consists of only one file, that duplicates itself in two places (info32.exe and tapicfg.exe) and acts differently depending on its filename. It drops two style sheets on the system, hijacks to acc.count-all.com which redirects to luckysearch.net, and reinstalls the hijack on each reboot. The hosts file redirection also hijacks any mistyped domains to luckysearch.net.
Though a file determining its actions depending on the filename is very bad programming, it surprised me somewhat because it works so well.

CWS.Tapicfg.2: A mutation of this variant exists that uses the filename soundmx.exe, and hijacks IE to globe-finder through a redirection page at in.webcounter.cc. Possibly the same file is loaded as fntldr.exe from WIN.INI. A hosts file redirection of auto.search.msn.com to globe-finder is installed. Two custom stylesheets named tips.ini and hh.htt are installed.
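The identifying HijackThis lines above can be checked mechanically. The following script is an added example, not part of the original page or of Merijn's work: it walks a HijackThis-style log, flags the R1/F1/O1/O4/O19 entries that match the indicators listed for CWS.Tapicfg and CWS.Tapicfg.2 (redirector domains, dropped filenames, stylesheet names, the auto.search.msn.com hosts entry), and decodes the decimal-form IP used in the O1 line into dotted-quad notation. The sample log is constructed from the lines quoted above plus one benign O4 line as a control; the indicator lists and function names are this example's own.

```python
import ipaddress
import re

# Indicators taken from the CWS.Tapicfg / CWS.Tapicfg.2 write-up above.
HIJACK_HOSTS = ("acc.count-all.com", "luckysearch.net", "in.webcounter.cc", "globe-finder")
DROPPED_FILES = ("info32.exe", "tapicfg.exe", "soundmx.exe", "fntldr.exe")
STYLESHEETS = ("win.def", "default.css", "tips.ini", "hh.htt")
HOSTS_TARGET = "auto.search.msn.com"

# Constructed sample log: the lines quoted on this page plus one benign
# autostart entry (ScanRegistry) that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/--- /?oaoca (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
O1 - Hosts: 3510794918 auto.search.msn.com
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\SYSTEM\tapicfg.exe
O19 - User stylesheet: C:\WINDOWS\Web\win.def
O19 - User stylesheet: C:\WINDOWS\default.css
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

# A HijackThis line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


def decode_decimal_ip(token: str):
    """Convert a bare 32-bit integer (the form used in the O1 hosts line) to
    dotted-quad notation. Returns None if the token is not such an integer."""
    if not token.isdigit() or int(token) > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(int(token)))


def classify(line: str) -> list[str]:
    """Return the reasons a single HijackThis line matches this variant
    (an empty list means the line looks clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    lower = body.lower()
    reasons = []
    if section == "R1" and any(h in lower for h in HIJACK_HOSTS):
        reasons.append("IE search setting points at a CWS redirector")
    if section in ("F1", "O4") and any(f in lower for f in DROPPED_FILES):
        reasons.append("autostart of a file dropped by CWS.Tapicfg")
    if section == "O1":
        # body is "Hosts: <address> <hostname>"; the address may be decimal.
        parts = body.split(":", 1)[1].split()
        if len(parts) >= 2 and parts[1].lower() == HOSTS_TARGET:
            addr = decode_decimal_ip(parts[0]) or parts[0]
            reasons.append(f"hosts file redirects {HOSTS_TARGET} to {addr}")
    if section == "O19" and any(lower.endswith(s) for s in STYLESHEETS):
        reasons.append("user stylesheet dropped by CWS.Tapicfg")
    return reasons


def scan(log_text: str) -> dict[str, list[str]]:
    """Map every flagged log line to its reasons; clean lines are omitted."""
    hits = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits[line.strip()] = reasons
    return hits


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

The hosts entry is the detail worth checking by hand: 3510794918 is the address 209.66.122.166 written as a single integer, which is why it does not look like an IP at first glance. The script decodes it so the redirection target can be compared with the redirector domains named in the write-up.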

Written while listening to Ecoute