CWS.Aff.Iedll
  • Summary: CoolWebSearch - CWS.Aff.Iedll variant - One of a set of hijackers, operated by a criminal gang, that redirect the browser to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

    get rid of, uninstall, remove, removal, delete, deletion, erase, wipe, destroy, uninstallation


CoolWebSearch - CWS.Aff.Iedll variant


What is it?
This parasite is a variant of an aggressive family of hijackers called CoolWebSearch, operated by a criminal gang, which works its way onto computers everywhere.

General discussion and removal of the various CoolWebSearch hijacker variants:


See the general CoolWebSearch page


Original work by Merijn (acquired by Intermute on 19 October 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 07.04.2004 - Rev 7; 20.05.2004 - Rev 8)




CWS.Aff.Iedll

Affiliate variant: iedll - Bad coder

Approx date first sighted: August 18, 2003
Log reference: http://boards.cexx.org/viewtopic.php?t=1499
Symptoms: Errors in a file 'iedll.exe' or 'loader.exe' on Windows startup. Sighted a lot together with other CWS variants.
Cleverness: 3/10
Manual removal difficulty: Involves a process killer and a bit of Registry editing.
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\IEDLL.EXE
C:\WINDOWS\LOADER.EXE

O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\loader.exe

This affiliate variant, of unknown origin, consists of two files. The first one, loader.exe, downloads the second one, iedll.exe, and runs it. Both files are set to autostart when Windows starts. The 'hijack' becomes obvious when iedll.exe crashes - and it does this frequently. Apparently, this program is written so badly that it won't even carry out its payload and does not hijack IE. It is only listed here because it has been sighted together with other CWS variants on very numerous occasions.

CWS.Aff.iedll.2: A mutation of this variant exists that has the same files, iedll.exe and loader.exe, located in C:\Program Files\Windows Media Player.
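The log lines above and the .2 mutation give exactly four indicators: two file names and two install directories, autostarted from HKCU Run values. The script below is an added example, not Merijn's code nor part of HijackThis; it scans a HijackThis-style log for those indicators (case-insensitively, since NTFS paths are) and turns the hits into the manual removal order the text implies: kill loader.exe before iedll.exe because loader.exe is what re-downloads it, then delete the Run values, then the files. The sample log is constructed for the example; the expansion of HijackThis's `HKCU\..\Run` shorthand to the full Run key is the only thing assumed beyond what the page states.

```python
"""Flag CWS.Aff.Iedll / .2 indicators in a HijackThis log and derive a removal plan.

Added example, not part of the original page or of HijackThis itself.
"""
import re
from pathlib import PureWindowsPath

# Install directory -> variant label, both taken from the page (lower-cased for matching).
IEDLL_DIRS = {
    r"c:\windows": "CWS.Aff.Iedll",
    r"c:\program files\windows media player": "CWS.Aff.Iedll.2",
}
IEDLL_FILES = {"iedll.exe", "loader.exe"}

# HijackThis prints the autostart key as "HKCU\..\Run"; this is the key it abbreviates.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# O4 - HKCU\..\Run: [valuename] C:\path\file.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")


def classify(path_str):
    """Return the variant label if path_str is iedll.exe or loader.exe in one of the
    two known directories, otherwise None. Case-insensitive, like NTFS."""
    p = PureWindowsPath(path_str.strip())
    if p.name.lower() not in IEDLL_FILES:
        return None
    return IEDLL_DIRS.get(str(p.parent).lower())


def scan_hijackthis_log(text):
    """Walk a HijackThis log; return (kind, hive, value_name, path, variant) tuples."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # "Running processes:" and similar headers
            section = line[:-1]
            continue
        m = O4_RE.match(line)
        if m:
            variant = classify(m.group("path"))
            if variant:
                findings.append(("O4", m.group("hive"), m.group("name"), m.group("path"), variant))
            continue
        if section == "Running processes":
            variant = classify(line)
            if variant:
                findings.append(("process", None, None, line, variant))
    return findings


def removal_plan(findings):
    """Order the manual steps: kill processes (loader.exe first, since it re-downloads
    iedll.exe), then delete the Run values, then delete the files on disk."""
    procs = [f[3] for f in findings if f[0] == "process"]
    procs.sort(key=lambda p: PureWindowsPath(p).name.lower() != "loader.exe")  # stable
    steps = [f"kill process {p}" for p in procs]
    for kind, hive, name, _path, _variant in findings:
        if kind == "O4":
            steps.append(f"delete registry value '{name}' under {hive}\\{RUN_KEY}")
    files = {}                            # de-duplicate paths case-insensitively
    for f in findings:
        files.setdefault(f[3].lower(), f[3])
    steps.extend(f"delete file {p}" for p in sorted(files.values(), key=str.lower))
    return steps


# Constructed log excerpt in HijackThis format; the iedll lines mirror the ones the
# page quotes, plus a legitimate Windows Media Player process to show it is not flagged.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\IEDLL.EXE
C:\WINDOWS\LOADER.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Media Player\iedll.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\loader.exe
"""

if __name__ == "__main__":
    hits = scan_hijackthis_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print()
    for step in removal_plan(hits):
        print(step)
```

Only the file name plus directory pair is matched, so wmplayer.exe in the Windows Media Player folder and an iedll.exe anywhere else are left alone; that keeps the check specific to the two locations the page documents rather than to the file names, which other CWS variants also reuse.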
