When Adware.FlashEnhancer is running, it may display pop-up advertisements whose content is based on keywords found in the Web page that is being visited.
Adware.FlashEnhancer runs as a Browser Helper Object (BHO): a COM DLL that Internet Explorer loads into its own process at startup and hands a reference to the browser, so the adware component receives information regarding every action inside Internet Explorer, including each URL visited and the content of each page. Browser Helper Objects require Internet Explorer 4 or later to function.
When Adware.FlashEnhancer is installed, it does the following:
- Creates the following files:
- %CommonProgramFiles%\Java\flnclean.exe
- %CommonProgramFiles%\Java\flncpy.exe
- %CommonProgramFiles%\Java\ftkclean.exe
- %CommonProgramFiles%\Java\ftkcpy.cfg
- %CommonProgramFiles%\Java\ftkcpy.exe
- %Windir%\Temp\ft30s.exe
Note:
- %CommonProgramFiles% is a variable that refers to the Common Files folder. By default, this is C:\Program Files\Common Files.
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
- Installs itself to one of the following folders:
- %ProgramFiles%\Xml\*.*
- %ProgramFiles%\Fen\*.*
- %ProgramFiles%\Fla\*.*
- %ProgramFiles%\Flcp\*.*
- %ProgramFiles%\Flen\*.*
- %ProgramFiles%\Fln\*.*
- %ProgramFiles%\Flt\*.*
- %ProgramFiles%\Ftk\*.*
- %ProgramFiles%\Reg2\*.*
- %ProgramFiles%\Xmod\*.*
Note:
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- The filenames the risk uses in each folder vary depending on the name of the folder being used.
- Creates the following registry subkeys and adds a number of values under these subkeys:
HKEY_CLASSES_ROOT\CLSID\{5EDB03AF-0341-4e96-9E9B-3171522E4BAF}
HKEY_CLASSES_ROOT\CLSID\{63CF97E8-4133-438a-A831-CC9C6D47D673}
HKEY_CLASSES_ROOT\CLSID\{665ACD90-4541-4836-9FE4-062386BB8F05}
HKEY_CLASSES_ROOT\CLSID\{7371F073-AC0F-4b80-BB2F-96A488CEFB32}
HKEY_CLASSES_ROOT\CLSID\{7CD20E91-1F31-41da-8379-479EA31DF969}
HKEY_CLASSES_ROOT\CLSID\{A749B4BC-7621-4a80-9220-D0A283367DD5}
HKEY_CLASSES_ROOT\CLSID\{D7E588AB-A5D9-4422-B313-22A3470F9700}
HKEY_CLASSES_ROOT\Interface\{06542764-7BB2-412B-80D6-D103D1474C93}
HKEY_CLASSES_ROOT\Interface\{28168CCE-5310-4F12-AB58-9DA99A55AAEB}
HKEY_CLASSES_ROOT\Interface\{6E83AE1C-F69C-4AED-AF98-D23C24C6FA4B}
HKEY_CLASSES_ROOT\Interface\{890089B7-B385-442F-97B6-99060E8BD08F}
HKEY_CLASSES_ROOT\Interface\{BAEF4039-3C02-4C9E-A2F4-87B513AB0E87}
HKEY_CLASSES_ROOT\TypeLib\{1BD49631-AE36-42F4-A37B-CA7F53146821}
HKEY_CLASSES_ROOT\TypeLib\{48E832EC-B061-49E2-BBC1-AC818623B742}
HKEY_CLASSES_ROOT\TypeLib\{7955EA20-E0D6-4A77-88B6-120674D979EA}
HKEY_CLASSES_ROOT\TypeLib\{DB9F4C00-65E8-4FA1-917B-E4844DDF5909}
HKEY_CLASSES_ROOT\TypeLib\{E6C71E83-E02B-4BC4-958D-A9194916EC19}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0AD937E7-2F37-4873-A05E-548A67EF1D0E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5EDB03AF-0341-4e96-9E9B-3171522E4BAF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63CF97E8-4133-438a-A831-CC9C6D47D673}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{665ACD90-4541-4836-9FE4-062386BB8F05}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7371F073-AC0F-4b80-BB2F-96A488CEFB32}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7CD20E91-1F31-41da-8379-479EA31DF969}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A749B4BC-7621-4a80-9220-D0A283367DD5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7E588AB-A5D9-4422-B313-22A3470F9700}
HKEY_CLASSES_ROOT\BRedObj.BRedObj
HKEY_CLASSES_ROOT\BRedObj.BRedObj.1
HKEY_CLASSES_ROOT\UnawareObj.UnawareObj
HKEY_CLASSES_ROOT\UnawareObj.UnawareObj.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Reg2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fla
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xmod
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ftk
HKEY_LOCAL_MACHINE\Software\Netfilter
HKEY_LOCAL_MACHINE\Software\Xmod
HKEY_LOCAL_MACHINE\Software\XML
HKEY_LOCAL_MACHINE\Software\Persistent Bytes
HKEY_LOCAL_MACHINE\SOFTWARE\FEN
HKEY_LOCAL_MACHINE\SOFTWARE\Flen
HKEY_LOCAL_MACHINE\SOFTWARE\Flt
HKEY_LOCAL_MACHINE\SOFTWARE\Fln
HKEY_LOCAL_MACHINE\SOFTWARE\Ftk
HKEY_LOCAL_MACHINE\SOFTWARE\Fla
HKEY_LOCAL_MACHINE\SOFTWARE\Flcp
HKEY_USERS\S-1-5-21-1187800756-1387622775-1527857685-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{63CF97E8-4133-438A-A831-CC9C6D47D673}
HKEY_USERS\S-1-5-21-1187800756-1387622775-1527857685-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7371F073-AC0F-4B80-BB2F-96A488CEFB32}
Note:
- S-1-5-21-1187800756-1387622775-1527857685-500 is the SID of the built-in Administrator account on the machine used for analysis. On an infected machine these subkeys appear under the SID of whichever user ran the installer, which for that user is the same key as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{...}.
- Adds the values:
"FlnCPY" = "[PATH TO ORIGINAL FILE]"
"FlaCPY" = "[PATH TO ORIGINAL FILE]"
"Jreg" = "[PATH TO ORIGINAL FILE]"
"t" = "[PATH TO ORIGINAL FILE]"
"fecpy" = "[PATH TO ORIGINAL FILE]"
"flencpy" = "[PATH TO ORIGINAL FILE]"
"flnCPY" = "[PATH TO ORIGINAL FILE]"
"ftkCPY" = "[PATH TO ORIGINAL FILE]"
"Xcpy1" = "[PATH TO ORIGINAL FILE]"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
- Adds the values:
"fln" = "[PATH TO ORIGINAL FILE]"
"f" = "[PATH TO ORIGINAL FILE]"
"t" = "[PATH TO ORIGINAL FILE]"
"fla" = "[PATH TO ORIGINAL FILE]"
"fln" = "[PATH TO ORIGINAL FILE]"
"ftk" = "[PATH TO ORIGINAL FILE]"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
so that the risk runs the next time Windows starts. (Windows deletes a RunOnce value before running its command, so unlike the Run values above these entries launch the risk once, not at every startup.)
- May contact [http:/ /]ads.flashtrack.net/[REMOVED] and display pop-up advertisements with content based on keywords found on the Web page that is being visited.
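The following PowerShell triage script is an added example; it is not part of the original writeup and not the adware's own code. It walks the same three places the writeup describes (the BHO catalog and the CLSID registrations behind it, the Run/RunOnce keys, and the drop folders and files) and reports what is actually registered and present on a host. The CLSIDs, folder names and file paths are taken from the writeup; the function names, the WOW6432Node and per-user Classes lookups, and the way hits are scored are this script's own assumptions.

```powershell
# Added triage script; not part of the original writeup and not the adware's own code.
# Assumes an elevated PowerShell session on the Windows host under investigation.
# CLSIDs, folder names and file paths are those the writeup lists; the function names
# and the WOW6432Node / per-user Classes handling are this script's own additions.

# Where IE looks for BHOs (64-bit hosts keep the 32-bit IE catalog under WOW6432Node).
$BhoCatalogs = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# HKEY_CLASSES_ROOT is a merged view, so resolve CLSIDs in the machine and per-user hives.
$ClassRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)
$KnownBadClsids = @(
    '{0AD937E7-2F37-4873-A05E-548A67EF1D0E}', '{5EDB03AF-0341-4E96-9E9B-3171522E4BAF}',
    '{63CF97E8-4133-438A-A831-CC9C6D47D673}', '{665ACD90-4541-4836-9FE4-062386BB8F05}',
    '{7371F073-AC0F-4B80-BB2F-96A488CEFB32}', '{7CD20E91-1F31-41DA-8379-479EA31DF969}',
    '{A749B4BC-7621-4A80-9220-D0A283367DD5}', '{D7E588AB-A5D9-4422-B313-22A3470F9700}'
)
$DropFolders = 'Xml','Fen','Fla','Flcp','Flen','Fln','Flt','Ftk','Reg2','Xmod' |
    ForEach-Object { Join-Path $env:ProgramFiles $_ }
$DropFiles = @(
    'flnclean.exe','flncpy.exe','ftkclean.exe','ftkcpy.cfg','ftkcpy.exe' |
        ForEach-Object { Join-Path $env:CommonProgramFiles "Java\$_" }
) + (Join-Path $env:windir 'Temp\ft30s.exe')
# Properties Get-ItemProperty adds that are not registry values.
$ProviderProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

function Get-BhoRegistration {
    # One object per registered BHO, including the DLL Internet Explorer would load for it.
    foreach ($catalog in $BhoCatalogs) {
        if (-not (Test-Path -Path $catalog)) { continue }
        foreach ($key in Get-ChildItem -Path $catalog) {
            $clsid = $key.PSChildName
            $dll = $null
            foreach ($root in $ClassRoots) {
                $inproc = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path -Path $inproc) {
                    # The default value of InprocServer32 is the DLL path.
                    $dll = [Environment]::ExpandEnvironmentVariables(
                        ([string](Get-ItemProperty -Path $inproc).'(default)').Trim('"'))
                    break
                }
            }
            # A BHO whose server cannot be resolved is itself worth a look (stale or hidden registration).
            [pscustomobject]@{
                Clsid     = $clsid
                Catalog   = $catalog
                Dll       = $dll
                DllExists = [bool]($dll -and (Test-Path -LiteralPath $dll))
                KnownBad  = $KnownBadClsids -contains $clsid   # -contains is case-insensitive
            }
        }
    }
}

function Get-SuspiciousRunEntry {
    # Run/RunOnce values whose command line points into one of the drop folders.
    $runKeys = foreach ($hive in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
        "HKLM:\$hive\Microsoft\Windows\CurrentVersion\Run"
        "HKLM:\$hive\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($ProviderProps -contains $name) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$props.$name)
            foreach ($folder in $DropFolders) {
                if ($cmd.IndexOf($folder, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd }
                    break
                }
            }
        }
    }
}

function Get-DroppedArtifact {
    # The files the writeup names, plus anything left behind in the drop folders.
    foreach ($file in $DropFiles) {
        if (Test-Path -LiteralPath $file) { Get-Item -LiteralPath $file }
    }
    foreach ($folder in $DropFolders) {
        if (Test-Path -LiteralPath $folder) { Get-ChildItem -LiteralPath $folder -Recurse -File }
    }
}

Get-BhoRegistration    | Format-Table Clsid, KnownBad, DllExists, Dll -AutoSize
Get-SuspiciousRunEntry | Format-Table Key, Name, Command -AutoSize
Get-DroppedArtifact    | Format-Table FullName, Length, LastWriteTime -AutoSize
```

Read the first table for every BHO, not only the rows marked KnownBad: a later build of the same adware would simply use fresh CLSIDs, so the useful check is that each Dll resolves to a file from software you recognise. The script looks in HKCU\SOFTWARE\Classes as well as HKLM because HKEY_CLASSES_ROOT merges the two and the per-user entry wins for that user, so a CLSID registered only there still loads in the user's Internet Explorer. Removal is not attempted here; confirm the hits first, then delete the files, the Run/RunOnce values and the CLSID, Interface, TypeLib and Browser Helper Objects subkeys the writeup lists.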