CWS.Therealsearch
  • Summary: CoolWebSearch - CWS.Therealsearch variant - A set of hijackers run by a mafia gang, redirecting to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, deletion, erase, erasure, delete, throw out, destroy, uninstall, uninstallation


CoolWebSearch - CWS.Therealsearch variant


What is it?
This parasite is a variant of a family of ferocious hijackers called CoolWebSearch, run by a mafia gang that breaks into every computer it can reach.

General discussion and eradication of the various variants of the CoolWebSearch hijacker:

See the general CoolWebSearch page


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)





Variant 23: CWS.Therealsearch - Misery travels in pairs

Approx date first sighted: November 29, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=19137
Symptoms: IE pages changed to therealsearch.com, porn bookmarks added to IE Favorites, porn sites appearing in IE autocomplete
Cleverness: 4/10
Manual removal difficulty: Involves lots of Registry editing, a process killer, and deleting bookmarks
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\quicken.exe
C:\WINDOWS\editpad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.therealsearch.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.therealsearch.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.therealsearch.com/sp.php
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe
O4 - HKCU\..\Run: [editpad] C:\WINDOWS\editpad.exe

This variant of CWS appeared to be worse than it actually was at first. Since it had two running processes, it looked like the Peper virus, which was very hard to remove. Luckily these two processes didn't behave like that. The smaller one, quicken.exe, downloaded and ran the second one, editpad.exe (like CWS.Aff.Iedll does), and hijacked IE to therealsearch.com, as well as setting themselves to run at startup.

To remove this variant, a process killer is needed to kill editpad.exe and quicken.exe before deleting the files, as well as resetting the IE homepage/search pages and possibly removing CWS.Aff.Tooncomics.2, which can be downloaded by this variant.

CWS.Therealsearch.2: There is a mutation of this variant that hijacks to my.search (sic), which also uses the filenames c:\windows\winrar.exe and c:\windows\waol.exe.
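The identifying lines above (R0/R1 entries pointing at therealsearch.com, O4 Run entries and running processes for quicken.exe/editpad.exe, plus the winrar.exe/waol.exe file names of the .2 mutation) can be matched automatically in a HijackThis log. The following Python scanner is an added example written for this page; it is not code from Merijn, HijackThis or the site author. The log fragment it embeds is the one quoted above, with one constructed clean O4 line added; the .2 mutation sample is constructed from the two file names only, since the page does not give that mutation's hijack URL. The scanner only flags the file names when the file sits directly in C:\WINDOWS, because the same names belong to legitimate programs installed under Program Files.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the HijackThis lines quoted above. The dropper file
# names are only meaningful when the file sits directly in C:\WINDOWS, where
# this variant drops them; genuine Quicken, EditPad, WinRAR or AOL binaries
# live under Program Files and must not be flagged.
HIJACK_HOSTS = {"therealsearch.com", "www.therealsearch.com"}
DROPPER_FILES = {
    "quicken.exe": "CWS.Therealsearch",
    "editpad.exe": "CWS.Therealsearch",
    "winrar.exe": "CWS.Therealsearch.2",  # .2 mutation: file names only, its URL is not given above
    "waol.exe": "CWS.Therealsearch.2",
}
WINDOWS_DIR = "c:\\windows"

# R0/R1 lines:  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://...
_R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<url>\S+)")
# O4 lines:     O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe
_O4_LINE = re.compile(r"^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<subkey>\w+): \[(?P<entry>[^\]]*)\]\s*(?P<path>.+)$")


def _split_path(path):
    """Return (is_in_windows_dir, lowercase file name) for a Windows path."""
    p = path.strip().strip('"').lower()
    head, _, tail = p.rpartition("\\")
    return head == WINDOWS_DIR, tail


def scan_hijackthis(log_text):
    """Scan HijackThis log text and return the lines matching this variant."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            in_win, fname = _split_path(line)
            if in_win and fname in DROPPER_FILES:
                findings.append({"kind": "process", "file": fname,
                                 "variant": DROPPER_FILES[fname], "line": line})
            continue
        m = _R_LINE.match(line)
        if m:
            host = (urlparse(m.group("url")).hostname or "").lower()
            if host in HIJACK_HOSTS:
                findings.append({"kind": "ie_setting", "file": None,
                                 "variant": "CWS.Therealsearch", "line": line})
            continue
        m = _O4_LINE.match(line)
        if m:
            in_win, fname = _split_path(m.group("path"))
            if in_win and fname in DROPPER_FILES:
                findings.append({"kind": "autostart", "file": fname,
                                 "variant": DROPPER_FILES[fname], "line": line})
    return findings


def classify(findings):
    """Names of the variants whose indicators were seen."""
    return {f["variant"] for f in findings}


# The log fragment quoted on this page, plus one constructed clean O4 entry
# for a WinRAR installed in its normal location (must not be flagged).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\quicken.exe
C:\WINDOWS\editpad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.therealsearch.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.therealsearch.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.therealsearch.com/sp.php
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe
O4 - HKCU\..\Run: [editpad] C:\WINDOWS\editpad.exe
O4 - HKLM\..\Run: [WinRAR] C:\Program Files\WinRAR\winrar.exe
"""

# Constructed sample for the .2 mutation, built only from the two file names
# named above (the hijack URL of that mutation is not on the page).
SAMPLE_LOG_V2 = r"""O4 - HKCU\..\Run: [winrar] c:\windows\winrar.exe
O4 - HKCU\..\Run: [waol] c:\windows\waol.exe
"""

if __name__ == "__main__":
    for name, log in (("page sample", SAMPLE_LOG), (".2 sample", SAMPLE_LOG_V2)):
        hits = scan_hijackthis(log)
        print(f"{name}: {len(hits)} indicator(s), variants {sorted(classify(hits))}")
        for h in hits:
            print(f"  [{h['kind']}] {h['line']}")
```

A hit of kind `ie_setting` alone only proves the IE search/start pages were redirected; the `autostart` and `process` hits for the C:\WINDOWS copies are what tie the log to this variant rather than to another CWS member using the same domain, which is why the scanner reports the kind of each match instead of a single verdict.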


Written while listening to Ecoute