
Adware.CWSMSConfd

Updated: February 13, 2007 11:41:14 AM
Type: Adware
Publisher: CoolWebSearch
Risk Impact: High
File Names: msconfd.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.CWSMSConfd is executed, it performs the following actions:
  1. Creates the following files:
    • msconfd.dll (the library - detected as Adware.CWSMSConfd)
    • %Windir%\Favorites\*.url (adult-oriented links)
    • %UserProfile%\Favorites\*.url (adult-oriented links)

      Notes:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  2. On computers running Windows 95/98/Me, it adds the value:

    "Desktop" = "rundll32.exe msconfd, Restore ControlPanel"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    so that the Adware runs every time Windows starts.

  3. On computers running Windows NT/2000/XP, it adds the value:

    "AppInit_DLL" = "msconfd.dll"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    so that the Adware runs every time Windows starts.

  4. Sets the values:

    "Start Page" = "[URL on the domain webcoolsearch.com]"
    "Search Page" = "[URL on the domain webcoolsearch.com]"
    "Search Bar" = "[URL on the domain webcoolsearch.com]"

    in the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

    so that the Internet Explorer start page and search pages are redirected to the domain webcoolsearch.com.

  5. Modifies the value:

    "SearchURL" = "[URL on the domain webcoolsearch.com]"

    in the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer

    so that any URLs typed into the Internet Explorer address field are redirected to the domain webcoolsearch.com.
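
The registry changes in steps 2 through 5 can be checked offline against a registry export. The following is an added example, not part of the original write-up or of any vendor tool: it parses regedit-style export text and reports the string values that match the indicators listed above. It assumes the export has already been decoded to a Python string; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the write-up: registry key -> {value name: substring of the data}.
# The write-up prints "AppInit_DLL"; the standard Windows value name is
# "AppInit_DLLs", so both spellings are checked.
IE = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer"
INDICATORS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices":
        {"Desktop": "msconfd"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows":
        {"AppInit_DLL": "msconfd.dll", "AppInit_DLLs": "msconfd.dll"},
    IE + r"\Main": {n: "webcoolsearch.com" for n in ("Start Page", "Search Page", "Search Bar")},
    IE: {"SearchURL": "webcoolsearch.com"},
}
# Registry key and value names are case-insensitive, so compare lower-cased.
LOOKUP = {k.lower(): {n.lower(): s for n, s in v.items()} for k, v in INDICATORS.items()}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_indicators(reg_text):
    """Return (key, value name, data) for each string value matching an indicator."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # section header: the current registry key
            continue
        m = VALUE_RE.match(line)
        if not (key and m):
            continue                  # skip the file header, blanks, non-string values
        name, data = unescape(m.group(1)), unescape(m.group(2))
        needle = LOOKUP.get(key.lower(), {}).get(name.lower())
        if needle and needle in data.lower():
            hits.append((key, name, data))
    return hits

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Tools\\hook.dll msconfd.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://webcoolsearch.com/"
"Search Page"="http://www.example.com/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchURL"="http://webcoolsearch.com/"
'''
```

Calling find_indicators(SAMPLE) returns the three matching values and skips the unrelated "Search Page" entry.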

