
Adware.FindNavi

Updated: January 25, 2008 2:08:56 PM
Type: Adware
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

When the program is executed, it creates the following files:
  • %ProgramFiles%\findnavi\fndnv.dll
  • %ProgramFiles%\findnavi\fndsub.dll
  • %ProgramFiles%\findnavi\version.txt
  • %Windir%\findnavi.exe
  • %Windir%\Install.exe
  • %Windir%\unfnd.exe
  • %Windir%\unfnnsub.exe


Next, it creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15829F9F-C9B7-41F5-B20F-360ACC60324F}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{23267422-A6C8-4AF4-B2C3-9369041CF552}
  • HKEY_CLASSES_ROOT\CLSID\{15829F9F-C9B7-41f5-B20F-360ACC60324F}
  • HKEY_CLASSES_ROOT\CLSID\{23267422-A6C8-4af4-B2C3-9369041CF552}
  • HKEY_CLASSES_ROOT\Interface\{1EB8B796-B55C-437F-BB13-D8311E2B2429}
  • HKEY_CLASSES_ROOT\Interface\{850C7C97-F5BE-454B-8528-11FE5877C4AB}
  • HKEY_CLASSES_ROOT\NCTbar.CBNTbar.1
  • HKEY_CLASSES_ROOT\NCTbar.CBNTbar
  • HKEY_CLASSES_ROOT\San.sae.1
  • HKEY_CLASSES_ROOT\San.sae
  • HKEY_CLASSES_ROOT\TypeLib\{93325A53-3806-4FBF-8A6D-9AB58BB0BB63}
  • HKEY_CLASSES_ROOT\TypeLib\{C8EBE6EC-2D9A-4E6F-AFB2-1AC8A1AB2BC8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar: {23267422-A6C8-4af4-B2C3-9369041CF552}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15829F9F-C9B7-41f5-B20F-360ACC60324F}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\findnavi


It also creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"searchtemp" = "%Windir%/findnavi.exe"

The program installs itself in the system as a Browser Helper Object.

It downloads the following files onto the computer:
  • hxxp://update1.findnavi.co.kr/Toolbar/App/version.txt
  • hxxp://update1.findnavi.co.kr/Toolbar/App/fndnv.dll
  • hxxp://update1.findnavi.co.kr/Toolbar/App/fndsub.dll
  • hxxp://update1.findnavi.co.kr/Toolbar/App/findnavi.exe
  • hxxp://update1.findnavi.co.kr/Toolbar/App/unfnd.exe
  • hxxp://update1.findnavi.co.kr/Toolbar/App/unfnnsub.exe


The program replaces the Internet Explorer Address Bar with a Toolbar installed by the program.

It displays pop-up advertisements and may download other adware.
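
The file and registry artifacts listed above can be checked on a live host with a read-only PowerShell script. This is an added example, not part of the original write-up; it assumes the "Toolbar: {GUID}" entry is a value named after the GUID under the Toolbar key, and it covers a subset of the listed keys (registry paths are matched case-insensitively, so the mixed-case GUIDs above compare equal).

```powershell
# Read-only presence check for Adware.FindNavi artifacts named on this page.
# Nothing is modified or deleted; the script only reports what it finds.
$bho  = '{15829F9F-C9B7-41F5-B20F-360ACC60324F}'   # Browser Helper Object CLSID
$bar  = '{23267422-A6C8-4AF4-B2C3-9369041CF552}'   # toolbar CLSID
$hklm = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft'
$hkcr = 'Registry::HKEY_CLASSES_ROOT'

# Files and registry subkeys: existence alone is the signal.
# %Windir%\Install.exe is a generic name, so treat a hit on it alone as weak.
$paths = @(
    "$env:ProgramFiles\findnavi\fndnv.dll"
    "$env:ProgramFiles\findnavi\fndsub.dll"
    "$env:ProgramFiles\findnavi\version.txt"
    "$env:windir\findnavi.exe"
    "$env:windir\Install.exe"
    "$env:windir\unfnd.exe"
    "$env:windir\unfnnsub.exe"
    "$hklm\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho"
    "$hklm\Windows\CurrentVersion\Uninstall\findnavi"
    "$hkcr\CLSID\$bho"
    "$hkcr\CLSID\$bar"
    "$hkcr\NCTbar.CBNTbar"
    "$hkcr\San.sae"
)

# Registry values: the Run entry, and (assumption) the toolbar registration.
$values = @(
    @{ Key = "$hklm\Windows\CurrentVersion\Run"; Name = 'searchtemp' }
    @{ Key = "$hklm\Internet Explorer\Toolbar";  Name = $bar }
)

$hits = @()
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $hits += [pscustomobject]@{ Kind = 'path'; Item = $p; Data = $null }
    }
}
foreach ($v in $values) {
    $props = Get-ItemProperty -LiteralPath $v.Key -ErrorAction SilentlyContinue
    $prop  = if ($props) { $props.PSObject.Properties[$v.Name] }
    if ($prop) {
        $hits += [pscustomobject]@{ Kind = 'value'; Item = "$($v.Key)\$($v.Name)"; Data = $prop.Value }
    }
}

if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { 'No listed artifacts found.' }
```

On 64-bit Windows, 32-bit software is redirected to %ProgramFiles(x86)% and the Wow6432Node registry view, which this check does not cover.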