CWS.Control
  • Summary: CoolWebSearch - CWS.Control variant - A set of hijackers run by a mafia-like gang that redirect to the coolwebsearch site or to its affiliates.
 
  • Keywords: CoolWebSearch, coolwwwsearch, cws, hijack, hijacker, hijacking, keymgr3.inf, drvupd.inf, svchost32.exe, astctl32.ocx, mswsc10.dll, msinfo.exe, ctfmon.exe, dnsrelay.dll, AddClass, AFF.IEDLL, AFF.MadFinder, AFF.WinShow, AlFaSearch, Bootconf, Ctfmon32, DataNotary, DNSRelay, Dnsrelay.2, Dnsrelay.3, DReplace, GoogleMS, IEFeats, LoadBAT, MSConfd, MSInfo, MSOffice, Msspi, MUpdate, OEMSysPNP, Oemsyspnp.2, Oemsyspnp.3, OSLogo, QTTasks, Svchost32, Svcinit, TapiCFG, TheRealSearch, Vrape, XPlugin, Aff.iedll, Aff.Winshow, Aff.Madfinder, Aff.Tooncomics

CoolWebSearch - CWS.Control variant


What is it?
This parasite is a variant of a family of aggressive hijackers called CoolWebSearch, run by a mafia-like gang that gets into every computer.

General discussion and eradication of the different variants of the CoolWebSearch hijacker:


See the general CoolWebSearch page


Original work by Merijn (acquired by Intermute on October 19, 2004)
Revisions (18.10.2003 - Rev 1; 27.10.2003 - Rev 2; 12.11.2003 - Rev 3; 19.12.2003 - Rev 4; 17.01.2004 - Rev 5; 11.02.2004 - Rev 6; 7.4.2004 - Rev 7; 20.05.2004 - Rev 8)




CWS.Control

Variant 24: CWS.Control - Dude, where's my Control Panel?

Approx date first sighted: December 7, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=23210
Symptoms: IE pages changed to windoww.cc, super-spider.com and search2004.net
Cleverness: 3/10
Manual removal difficulty: Involves some Registry editing, and restoring a file from the Windows Setup CD for Windows 9x/ME
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.windowws.cc/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://super-spider.com
O4 - HKCU\..\Run: [Windows Control] C:\WINDOWS\CONTROL.EXE
O4 - HKCU\..\RunServices: [Windows Control] C:\WINDOWS\CONTROL.EXE

This variant would be fairly simple if it didn't drop a file in the Windows folder that overwrites a system file in Windows 9x/ME. It is possible your Control Panel will not be functioning normally after being infected with this CWS variant, and you need to use the System File Checker (SFC.EXE) to restore control.exe from your Windows Setup CD. Windows NT/2000/XP does not have this problem with this variant.

CWS.Control.2: A mutation of this variant exists that is identical in every way, but where control.exe always stays in memory.

CWS.Control.3: A mutation of this variant exists that uses random filenames and random startups.
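
The identifying lines above can be checked for mechanically. The following Python is an added example, not part of Merijn's write-up or of HijackThis: it scans a HijackThis log for the R0/R1 and O4 entries listed on this page. The function name and the sample log are constructed for illustration; the domains and the "Windows Control" autostart entry are taken from the page.

```python
import re

# Domains this page names for CWS.Control (symptoms and log lines).
CWS_DOMAINS = ("windoww.cc", "windowws.cc", "super-spider.com", "search2004.net")

# HijackThis R0/R1 line: "R1 - <key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (.+?),([^,=]+?) = (.*)$")
# HijackThis O4 line: "O4 - <hive>\..\<Run key>: [<name>] <command>"
O4_LINE = re.compile(r"^O4 - (\S+?)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")


def find_cws_control(log_text):
    """Return (line_no, reason, line) for each line matching the page's indicators."""
    hits = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            # Compare the host only, so a path or query string cannot hide a match.
            host = re.sub(r"^[a-z]+://", "", m.group(4).lower()).split("/")[0]
            host = host.split(":")[0]
            if any(host == d or host.endswith("." + d) for d in CWS_DOMAINS):
                hits.append((no, "IE %s points to %s" % (m.group(3), host), line))
            continue
        m = O4_LINE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            exe = cmd.strip('"').lower()
            # The page's entry: HKCU Run/RunServices, name "Windows Control",
            # launching CONTROL.EXE from the Windows folder itself.
            if name == "Windows Control" or re.search(r"\\windows\\control\.exe$", exe):
                hits.append((no, "autostart %s\\%s [%s]" % (hive, key, name), line))
    return hits


# Constructed sample log: four lines from the page plus two benign lines.
SAMPLE = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://super-spider.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.org/
O4 - HKCU\..\Run: [Windows Control] C:\WINDOWS\CONTROL.EXE
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

if __name__ == "__main__":
    for no, reason, line in find_cws_control(SAMPLE):
        print("line %d: %s\n    %s" % (no, reason, line))
```

Because CWS.Control.3 is described as using random filenames and random startups, the O4 check is not expected to match it; only the R0/R1 domain check would still apply there.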

