CWS.Xplugin
  • Résumé : CoolWebSearch - Variante CWS.Xplugin - Ensemble de hijackers d'un gang maffieux renvoyant vers le site coolwebsearch ou vers ses affiliés.
 
  • Mots-clés : CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, suppression, effacer, effacement, supprimer, virer, détruire, désinstaller, désinstallation


CWS.Xplugin
 


CoolWebSearch - Variante CWS.Xplugin


De quoi s'agit-il ?
Ce parasite est une variante d'une famille de Hijackers furieux appelée CoolWebSearch et pilotée par un gang maffieux s'introduisant dans tous les ordinateurs.

Discussion générale et éradication des différentes variantes du hijacker CoolWebSearch:


Voir la fiche générale CoolWebSearch


Travaux originaux de Merijn (acquis pas Intermute le 19 Octobre 2004)
Révisions (18.10.2003 - Rév 1; 27.10.2003 - Rév 2; 12.11.2003 - Rév 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)




CWS.Xplugin

Variant 18: CWS.Xplugin - 'Helping' you search the web

Approx date first sighted: November 11, 2003
Log reference: Not visible in HijackThis log!
Symptoms: Some links in Google results redirecting to umaxsearch.com or coolwebsearch.com every now and then
Cleverness: 10/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
Not visible in HijackThis log!

This variant is the first one that is not visible in a HijackThis log. It works invisible, changing links from Google search results to other pages. It took a while to find out how this variant works, since it doesn't use any of the standard locations.
A file xplugin.dll is installed, which creates a new protocol filter for text/html. In normal english, this means it reads most of the web pages downloaded to your browser. It also randomly alters some links in Google search results to pages on umaxsearch.com and coolwebsearch.com. It claims to be made by something called TMKSoft.
It is unknown if deleting the file has no side-effects, but using CWShredder or running regsvr32 /u c:\windows\system32\xplugin.dll (may vary depending on Windows version) fixes the hijack completely.

Rédigé en écoutant Ecoute