CWS.Winproc32
  • Summary: CoolWebSearch - CWS.Winproc32 variant - A set of hijackers run by a mafia-style gang that redirect to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, suppression, effacer, effacement, supprimer, virer, détruire, désinstaller, désinstallation


 


CoolWebSearch - CWS.Winproc32 variant


What is it?
This parasite is a variant of an aggressive family of hijackers called CoolWebSearch, run by a mafia-style gang that forces its way into every computer it can reach.

General discussion and removal of the various variants of the CoolWebSearch hijacker:


See the general CoolWebSearch page


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)




CWS.Winproc32

Variant 30: CWS.Winproc32 - I can't think of anything snappy to say here

Approx date first sighted: January 23, 2004
Log reference: http://forums.net-integration.net/index.php?showtopic=10128
Symptoms: IE being hijacked to icanfindit.net or 4-counter.com, hijack returning on system restart or possibly sooner
Cleverness: 2/10
Manual removal difficulty: Involves using a process killer and some Registry editing
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\SYSTEM32\WINPROC32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2
O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE

A very simple variant. Winproc32.exe loads at startup, and hijacks IE. The file stays in memory so a process killer is needed to remove it. It drops 4 porn bookmarks in the IE Favorites folder. It also tries to hijack the default user (HKEY_USERS\.DEFAULT) but fails to do so.
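The identifying lines above are what a responder actually has to recognise in a HijackThis log. As an added example (not part of Merijn's original write-up or of HijackThis itself), the following Python script parses the R0/R1/O4 lines and the "Running processes" paths from such a log and flags the entries that match the indicators this page names: the winproc32.exe file and the 4-counter.com / icanfindit.net hijack domains. The sample log embedded at the bottom is constructed from the excerpt above plus two benign control lines (a normal start page and the legitimate ctfmon.exe autostart) so that the matcher's selectivity can be checked offline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the page: the dropped executable and the two
# domains IE is redirected to.
INDICATOR_FILES = {"winproc32.exe"}
INDICATOR_DOMAINS = {"4-counter.com", "icanfindit.net"}

# A HijackThis entry: section code (R0, R1, O4, ...) followed by " - " and the rest.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+)\s+-\s+(?P<rest>.*)$")
# Host part of the first URL in a line (stops at '/', '?' or whitespace).
URL_HOST_RE = re.compile(r"https?://([^/\s?]+)", re.IGNORECASE)


@dataclass
class Finding:
    code: str    # HijackThis section code, or "PROC" for a running-process path
    reason: str  # why the line was flagged
    line: str    # the original log line


def host_of(text: str) -> Optional[str]:
    """Lower-cased host of the first URL in text, or None if there is none."""
    m = URL_HOST_RE.search(text)
    return m.group(1).lower() if m else None


def classify(line: str) -> Optional[Finding]:
    """Return a Finding when the log line matches a CWS.Winproc32 indicator."""
    stripped = line.strip()
    if not stripped:
        return None
    m = LINE_RE.match(stripped)
    if m is None:
        # Lines in the "Running processes:" section are bare file paths.
        if stripped.lower().endswith(tuple(INDICATOR_FILES)):
            return Finding("PROC", "running process is winproc32.exe", stripped)
        return None
    code, rest = m.group("code"), m.group("rest")
    if code in ("R0", "R1"):
        # R0/R1 are IE start/search settings; flag those pointing at a hijack domain.
        host = host_of(rest)
        if host in INDICATOR_DOMAINS:
            return Finding(code, f"IE setting points at {host}", stripped)
    elif code == "O4":
        # O4 entries are autostarts (Run keys, Startup folder).
        if any(name in rest.lower() for name in INDICATOR_FILES):
            return Finding(code, "autostart entry launches winproc32.exe", stripped)
    return None


def scan(log: str) -> List[Finding]:
    """Scan a whole HijackThis log and return every flagged line."""
    return [f for f in map(classify, log.splitlines()) if f is not None]


# Constructed sample: the page's excerpt plus two benign control lines.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM32\WINPROC32.EXE
C:\WINDOWS\system32\ctfmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding.code}] {finding.reason}: {finding.line}")
```

On the sample log this reports seven findings (one process path, five R0/R1 settings, one O4 autostart) and leaves the example.com start page and the ctfmon.exe autostart alone. Matching on the host rather than on the raw string means the `?a=2` affiliate parameter, which varies between CWS variants, does not affect detection.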

Written while listening to Ecoute