Content

Adware-FFinder

Type
Program
SubType
Adware
Discovery Date
07/15/2005
Minimum DAT
4536 (07/15/2005)
Updated DAT
4698 (02/16/2006)
Minimum Engine
5.1.00
Description Added
07/15/2005
Description Modified
09/22/2005 1:27 PM (PT)

Tab Navigation

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a direct-marketing adware application that adds a toolbar into Internet Explorer (Fig. 1 below) and hijack search keywords to modify the search page after inserting its own marketing related hyperlinks (Fig 2)

The application installs a "Related Websites:" toolbar in IE, it keeps track of the URLs visited and displays various other related URLs on the toolbar. For example if the user types in www.times.com in the address bar of IE, the toolbar will display various news sites like cnn.com, bbc.com, yahoo news etc.

It also listens to any keyword searched in IE, and displays a modified webpage to display its own links that redirects the traffic to qlinkserver.com. This is also related to Adware-LinkMaker .

It is observed to contact the following URLs

  • srch-results.com
  • qlinkserver.com
  • thecommunicator.net

This application does not display a license agreement when installed.

Privacy

A privacy policy is not displayed during installation.

The software transmitts search keyword and URL data to 3rd party servers during browsing.

System Changes

Files Added

  • %SystemDir%\stb.exe (40 KB)
  • %SystemDir%\qlink32.dll (196 KB)
  • %SystemDir%\qldf.bin (729 KB)
  • %SystemDir%\preuninstallql.exe (24 KB)
  • %SystemDir%\preuninstallcom.exe (48 KB)
  • %SystemDir%\communicator.dll (1234 KB)
  • c:\program files\related sites toolbar\uninst.log (1 KB)
  • c:\program files\related sites toolbar\uninst.exe (11 KB)
  • c:\program files\quick links\uninst.log (1 KB)
  • c:\program files\quick links\uninst.exe (11 KB)
  • c:\program files\communicator toolbar\
  • c:\program files\communicator toolbar\cache\
  • c:\program files\communicator toolbar\cache\t16925.tmp (1 KB)
  • c:\program files\communicator toolbar\cache\newcfg\
  • c:\program files\communicator toolbar\cache\favicons\[many icon files here]
  • c:\program files\communicator toolbar\cache\errorlog.txt (1 KB)
  • c:\program files\communicator toolbar\cache\domain.txt (623 KB)
  • c:\program files\communicator toolbar\cache\default.ico (1 KB)
  • c:\program files\communicator toolbar\cache\communicatortb0300.cfg (1 KB)

Registry

The following registry keys are created:

    HKEY_LOCAL_MACHINE\SOFTWARE\QL
    "si"="92"
  • HKEY_LOCAL_MACHINE\SOFTWARE\QL
    "st"="1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    \CurrentVersion\Uninstall\Related Sites Toolbar
    "DisplayName"="Related Sites Toolbar "
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    \CurrentVersion\Uninstall\Related Sites Toolbar
    "UninstallString"="(hex data)"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Uninstall\Quick Links
    "DisplayName"="Quick Links "
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Uninstall\Quick Links
    "UninstallString"="(hex data)"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run stb"="C:\WINDOWS\System32\stb.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\Browser Helper Objects\{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB428}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    "{4E7BD74F-2B8D-469E-8DBC-A42EB79CB428}"="02"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    "{8E718888-423F-11D2-876E-00A0C9082467}"="00"
  • HKEY_CURRENT_USER\Software\COMMUNICATOR TOOLBAR\Options
  • HKEY_CURRENT_USER\Software\COMMUNICATOR TOOLBAR\Config\communicatortb0300
    "MaxAge"="5"
  • HKEY_CURRENT_USER\Software\COMMUNICATOR TOOLBAR\Config\communicatortb0300
    "LastDown"="27-2E-B3-38-3D-DB-E2-40"
  • HKEY_CURRENT_USER\Software\COMMUNICATOR TOOLBAR\Config\communicatortb0300
  • HKEY_CURRENT_USER\Software\COMMUNICATOR TOOLBAR\Config
  • HKEY_CURRENT_USER\Software\COMMUNICATOR TOOLBAR
    "LastLeft"="0"
  • HKEY_CURRENT_USER\Software\COMMUNICATOR TOOLBAR
    "BarID"="200509222154581921681143"
  • HKEY_CURRENT_USER\Software\COMMUNICATOR TOOLBAR
    "SetupInit"="1"
  • HKEY_CLASSES_ROOT\TypeLib\{EA420048-2898-4110-88C3-1F660B0C7FF3}\1.0\0\win32
    "default"="C:\WINDOWS\System32\qlink32.dll"
  • HKEY_CLASSES_ROOT\TypeLib\{EA420048-2898-4110-88C3-1F660B0C7FF3}\1.0
    "default"="QuickLinks 1.0 Type Library"
  • HKEY_CLASSES_ROOT\QuickLinks.QuickLinksFilter.1\CLSID
    "default"="{DFAA31C8-A356-4313-9D95-5EDAB46C5070}"
  • HKEY_CLASSES_ROOT\QuickLinks.QuickLinksFilter.1\CLSID
  • HKEY_CLASSES_ROOT\QuickLinks.QuickLinksFilter.1
    "default"="QuickLinksFilter Class"
  • HKEY_CLASSES_ROOT\QuickLinks.QuickLinksFilter.1
  • HKEY_CLASSES_ROOT\QuickLinks.QuickLinksFilter\CLSID
    "default"="{DFAA31C8-A356-4313-9D95-5EDAB46C5070}"
  • HKEY_CLASSES_ROOT\QuickLinks.QuickLinksFilter
    "default"="QuickLinksFilter Class"
  • HKEY_CLASSES_ROOT\QuickLinks.LinkTracker.1\CLSID
    "default"="{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22}"
  • HKEY_CLASSES_ROOT\QuickLinks.LinkTracker.1
    "default"="LinkTracker Class"
  • HKEY_CLASSES_ROOT\QuickLinks.LinkTracker\CLSID
    "default"="{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22}"
  • HKEY_CLASSES_ROOT\QuickLinks.LinkTracker\CLSID
  • HKEY_CLASSES_ROOT\QuickLinks.LinkTracker
    "default"="LinkTracker Class"
  • HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
    "CLSID"="{DFAA31C8-A356-4313-9D95-5EDAB46C5070}"
  • HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
    "(default)"="QuickLinks MIME Filter"
  • HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
  • HKEY_CLASSES_ROOT\Interface\{4162D910-6167-42E7-91AE-6A522C4121D2}\TypeLib
    "Version"="1.0"
  • HKEY_CLASSES_ROOT\Interface\{4162D910-6167-42E7-91AE-6A522C4121D2}\TypeLib
    "(default)"="{EA420048-2898-4110-88C3-1F660B0C7FF3}"
  • HKEY_CLASSES_ROOT\Interface\{4162D910-6167-42E7-91AE-6A522C4121D2}
    \ProxyStubClsid32
    "default"="{00020424-0000-0000-C000-000000000046}"
  • HKEY_CLASSES_ROOT\Interface\{4162D910-6167-42E7-91AE-6A522C4121D2}
    \ProxyStubClsid
  • HKEY_CLASSES_ROOT\Interface\{4162D910-6167-42E7-91AE-6A522C4121D2}
    "default"="ILinkTracker"
  • HKEY_CLASSES_ROOT\communicator.COMMUNICATORToggle Button\Clsid
    "default"="{4E7BD74F-2B8D-469E-8DBC-A42EB79CB429}"
  • HKEY_CLASSES_ROOT\communicator.COMMUNICATORToggle Button\Clsid
  • HKEY_CLASSES_ROOT\communicator.COMMUNICATORToggle Button
    "default"="COMMUNICATORToggle Button"
  • HKEY_CLASSES_ROOT\communicator.COMMUNICATORMenu Button\Clsid
    "default"="{4E7BD74F-2B8D-469E-8DBC-A42EB79CB42A}"
  • HKEY_CLASSES_ROOT\communicator.COMMUNICATORMenu Button
    "default"="COMMUNICATORMenu Button"
  • HKEY_CLASSES_ROOT\communicator.COMMUNICATOR\Clsid
    "default"="{4E7BD74F-2B8D-469E-8DBC-A42EB79CB428}"
  • HKEY_CLASSES_ROOT\communicator.COMMUNICATOR
    "default"="COMMUNICATOR"
  • HKEY_CLASSES_ROOT\CLSID\{DFAA31C8-A356-4313-9D95-5EDAB46C5070}
    \VersionIndependentProgID
    "default"="QuickLinks.QuickLinksFilter"
  • HKEY_CLASSES_ROOT\CLSID\{DFAA31C8-A356-4313-9D95-5EDAB46C5070}
    \VersionIndependentProgID
  • HKEY_CLASSES_ROOT\CLSID\{DFAA31C8-A356-4313-9D95-5EDAB46C5070}\ProgID
    "default"="QuickLinks.QuickLinksFilter.1"
  • HKEY_CLASSES_ROOT\CLSID\{DFAA31C8-A356-4313-9D95-5EDAB46C5070}\ProgID
  • HKEY_CLASSES_ROOT\CLSID\{DFAA31C8-A356-4313-9D95-5EDAB46C5070}
    \KeyPhrasesFileName
    "default"="qldf.bin"
  • HKEY_CLASSES_ROOT\CLSID\{DFAA31C8-A356-4313-9D95-5EDAB46C5070}\InprocServer32
    "(default)"="C:\WINDOWS\System32\qlink32.dll"
  • HKEY_CLASSES_ROOT\CLSID\{DFAA31C8-A356-4313-9D95-5EDAB46C5070}
    "default"="QuickLinksFilter Class"
  • HKEY_CLASSES_ROOT\CLSID\{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22}
    \VersionIndependentProgID
    "default"="QuickLinks.LinkTracker"
  • HKEY_CLASSES_ROOT\CLSID\{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22}\ProgID
    "default"="QuickLinks.LinkTracker.1"
  • HKEY_CLASSES_ROOT\CLSID\{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22}\InprocServer32
    "ThreadingModel"="Apartment"
  • HKEY_CLASSES_ROOT\CLSID\{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22}\InprocServer32
    "(default)"="C:\WINDOWS\System32\qlink32.dll"
  • HKEY_CLASSES_ROOT\CLSID\{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22}
    "default"="LinkTracker Class"
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB42A}\ProgID
    "default"="communicator.COMMUNICATORMenu Button"
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB42A}\InprocServer32
    "ThreadingModel"="Apartment"
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB42A}\InprocServer32
    "(default)"="C:\WINDOWS\system32\communicator.dll"
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB42A}
    "default"="COMMUNICATORMenu Button"
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB429}\ProgID
    "default"="communicator.COMMUNICATORToggle Button"
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB429}\InprocServer32
    "ThreadingModel"="Apartment"
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB429}\InprocServer32
    "(default)"="C:\WINDOWS\system32\communicator.dll"
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB429}
    "default"="COMMUNICATORToggle Button"
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB428}\ProgID
    "default"="communicator.COMMUNICATOR"
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB428}\InprocServer32
    "ThreadingModel"="Apartment"
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB428}\InprocServer32
    "(default)"="C:\WINDOWS\system32\communicator.dll"
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB428}
    "default"="COMMUNICATOR"

Network Impact

Additional overhead in bandwidth due to transmission of browsing data to remote servers.

Images

 

Fig 1. Shows the related websites to the entered website "google.com"

Fig 2. Shows search keyword hijack and insertion of links in the original result page.

Removal

Aliases

Aliases

    N/A