Adware.FFToolBar

Updated: February 13, 2007 11:45:42 AM
Type: Adware
Publisher: www.verticaltheories.com
Risk Impact: Low
File Names: FFToolBar.exe, FFToolBar.dll, CJET.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.FFToolBar is installed, it performs the following actions:
  1. Creates the following files:

    • %ProgramFiles%\FastFinder\fftoolbar.dll
    • %ProgramFiles%\FastFinder\unisnt.exe
    • %ProgramFiles%\FastFinder\uninst.log
    • %ProgramFiles%\FFTOOLBAR ToolBar\Cache\*.*
    • %System%\PreUninstallFF.exe
    • %System%\ShowFF.exe
    • %Windir%\CJet.exe
    • %Windir%\nne.bin
    • %Windir%\nnmgr.dat
    • %Windir%\nnmgr.exe (A copy of Spyware.SeekSeek.)
    • %Windir%\nnmgr.ocx
    • %Windir%\nnv.bin
    • %Windir%\omi.dll (A copy of Adware.SeekSeek.)

      Note:
    • %ProgramFiles% is a variable that refers to the Program Files folder. By default, this is C:\Program Files.
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  2. Adds the following values:

    "ShowFF" = "C:\Windows\System32\ShowFF.exe"
    "nnmgr" = "C:\Windows\nnmgr.exe"
    "CJET" = "C:\Windows\CJet.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware is executed every time Windows starts.

  3. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{34EF5B1C-52CB-400b-8B7C-F787018B3826}
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-86FF-FD60BB9AAE3B}
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-86FF-FD60BB9AAE3C}
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-86FF-FD60BB9AAE3D}
    HKEY_CLASSES_ROOT\Interface\{E9D8697E-BEA9-4170-84F3-509AD2A11951}
    HKEY_CLASSES_ROOT\TypeLib\{3CD9D85E-1FF2-4BF7-A113-6669B8D1E676}
    HKEY_CLASSES_ROOT\fftoolbar.FFTOOLBAR
    HKEY_CLASSES_ROOT\fftoolbar.FFTOOLBARMenu Button
    HKEY_CLASSES_ROOT\fftoolbar.FFTOOLBARToggle Button
    HKEY_CLASSES_ROOT\URLLauncher.URLLauncherControl
    HKEY_CLASSES_ROOT\URLLauncher.URLLauncherControl.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-86FF-FD60BB9AAE3B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastFinder
    HKEY_LOCAL_MACHINE\SOFTWARE\CJET
    HKEY_LOCAL_MACHINE\SOFTWARE\Nnmgr
    HKEY_ALL_USERS\Software\FastFinder
    HKEY_ALL_USERS\Software\FastFinder\Button
    HKEY_ALL_USERS\Software\FastFinder\Button\Search
    HKEY_ALL_USERS\Software\FastFinder\Menu
    HKEY_ALL_USERS\Software\FastFinder\Menu\Main
    HKEY_ALL_USERS\Software\FastFinder\Option
    HKEY_ALL_USERS\Software\FastFinder\Option\NewsFeed
    HKEY_ALL_USERS\Software\FFTOOLBAR TOOLBAR
    HKEY_ALL_USERS\Software\FFTOOLBAR TOOLBAR\Config
    HKEY_ALL_USERS\Software\FFTOOLBAR TOOLBAR\Config\fftoolbartb0300
    HKEY_ALL_USERS\Software\FFTOOLBAR TOOLBAR\Options

