CWS.Xmlmimefilter
  • Résumé : CoolWebSearch - Variante CWS.Xmlmimefilter - Ensemble de hijackers d'un gang maffieux renvoyant vers le site coolwebsearch ou vers ses affiliés.
  
  • Mots-clés : CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, suppression, effacer, effacement, supprimer, virer, détruire, désinstaller, désinstallation


CWS.Xmlmimefilter
 


CoolWebSearch - Variante CWS.Xmlmimefilter


De quoi s'agit-il ?
Ce parasite est une variante d'une famille de Hijackers furieux appelée CoolWebSearch et pilotée par un gang maffieux s'introduisant dans tous les ordinateurs.

Discussion générale et éradication des différentes variantes du hijacker CoolWebSearch:


Voir la fiche générale CoolWebSearch


Travaux originaux de Merijn (acquis pas Intermute le 19 Octobre 2004)
Révisions (18.10.2003 - Rév 1; 27.10.2003 - Rév 2; 12.11.2003 - Rév 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)




CWS.Xmlmimefilter

Variant 34: CWS.Xmlmimefilter - About:blank hacked v2.0

Approx date first sighted: February 29, 2004
Log reference: http://computercops.biz/postt21263.html
Symptoms: IE homepage changed to about:blank, which is changed to a search engine named 'Microsoft Search the Web', mistyped URLs being redirected to this same search engine
Cleverness: 10/10
Manual removal difficulty: Involves quite some Registry editing
Identifying lines in HijackThis log:
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O18 - Protocol: about - {53B95211-7D77-11D2-9F80-00104B107C96} - C:\WINDOWS\System32\msxmlpp.dll

Though the hijacking of the about:blank page was also done by the CWS.Winres variant, this new variant accomplishes it in a much more elegant way. The DLL itself used for handling the 'about:' protocol is changed to a malicious msxmlpp.dll one, displaying a search engine instead of a blank page filled with links to 66.117.38.91.
Changing the CLSID of the about protocol back to the default {3050F406-98B5-11CF-BB82-00AA00BDCE0B}, deleting the file and removing the hosts file hijack fixes this.

Rédigé en écoutant Ecoute