||||
Symantec.com > Security Response > Threats and Risks > Adware.FFToolBar
PRINT THIS PAGE

Adware.FFToolBar

Printer Friendly Page

Updated: February 13, 2007 11:45:42 AM
Type: Adware
Publisher: www.verticaltheories.com
Risk Impact: Low
File Names: FFToolBar.exe FFToolBar.dll CJET.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Adware.FFToolBar is installed, it performs the following actions:
  1. Creates the following files:

    • %ProgramFiles%\FastFinder\fftoolbar.dll
    • %ProgramFiles%\FastFinder\unisnt.exe
    • %ProgramFiles%\FastFinder\uninst.log
    • %ProgramFiles%\FFTOOLBAR ToolBar\Cache\*.*
    • %System%\PreUninstallFF.exe
    • %System%\ShowFF.exe
    • %Windir%\CJet.exe
    • %Windir%\nne.bin
    • %Windir%\nnmgr.dat
    • %Windir%\nnmgr.exe (A copy of Spyware.SeekSeek.)
    • %Windir%\nnmgr.ocx
    • %Windir%\nnv.bin
    • %Windir%\omi.dll(A copy of Adware.SeekSeek.)

      Note:
    • %ProgramFiles% is a variable that refers to the Program Files folder. By default, this is C:\Program Files.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  2. Adds the following values:

    "ShowFF" = "C:\Windows\System32\ShowFF.exe"
    "nnmgr" = "C:\Windows\nnmgr.exe"
    "CJET" = "C:\Windows\CJet.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware is executed every time Windows starts.

  3. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{34EF5B1C-52CB-400b-8B7C-F787018B3826}
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-86FF-FD60BB9AAE3B}
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-86FF-FD60BB9AAE3C}
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-86FF-FD60BB9AAE3D}
    HKEY_CLASSES_ROOT\Interface\{E9D8697E-BEA9-4170-84F3-509AD2A11951}
    HKEY_CLASSES_ROOT\TypeLib\{3CD9D85E-1FF2-4BF7-A113-6669B8D1E676}
    HKEY_CLASSES_ROOT\fftoolbar.FFTOOLBAR
    HKEY_CLASSES_ROOT\fftoolbar.FFTOOLBARMenu Button
    HKEY_CLASSES_ROOT\fftoolbar.FFTOOLBARToggle Button
    HKEY_CLASSES_ROOT\URLLauncher.URLLauncherControl
    HKEY_CLASSES_ROOT\URLLauncher.URLLauncherControl.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-86FF-FD60BB9AAE3B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastFinder
    HKEY_LOCAL_MACHINE\SOFTWARE\CJET
    HKEY_LOCAL_MACHINE\SOFTWARE\Nnmgr
    HKEY_ALL_USERS\Software\FastFinder
    HKEY_ALL_USERS\Software\FastFinder\Button
    HKEY_ALL_USERS\Software\FastFinder\Button\Search
    HKEY_ALL_USERS\Software\FastFinder\Menu
    HKEY_ALL_USERS\Software\FastFinder\Menu\Main
    HKEY_ALL_USERS\Software\FastFinder\Option
    HKEY_ALL_USERS\Software\FastFinder\Option\NewsFeed
    HKEY_ALL_USERS\Software\FFTOOLBAR TOOLBAR
    HKEY_ALL_USERS\Software\FFTOOLBAR TOOLBAR\Config
    HKEY_ALL_USERS\Software\FFTOOLBAR TOOLBAR\Config\fftoolbartb0300
    HKEY_ALL_USERS\Software\FFTOOLBAR TOOLBAR\Options


Search by name
Example: W32.Beagle.AG@mm
Limited Time Offers! Save up to 50%
Windows Vista Security
©1995 - 2009 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS