Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Adware.Fastwebfinder

Adware.Fastwebfinder

Updated:
February 13, 2007
Risk Impact:
High
File Names:
Ld.exe,Dnse.dll
Systems Affected:
Windows

Behavior


Adware.Fastwebfinder hijacks the Internet Explorer Home Page, Search Bar, and Search Assistant, and adds links to your Favorites.

Symptoms


The Internet Explorer Home Page changes to an undesired Web page each time you start Internet Explorer.
  • Your firewall program alerts on the file ld.exe when it tries to access the Web page www.fastwebfinder.com.


Behavior


Adware.Fastwebfinder is installed by going to www.fastwebfinder.com or to another Web site, or when you install certain programs.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version October 02, 2014 revision 022
  • Initial Daily Certified version November 18, 2003
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date November 19, 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When Adware.Fastwebfinder is executed, it does one of the following:


Adware.Fastwebfinder is not yet inst alled in %Windir% folder
If Adware.Fastwebfinder does not find the file %Windir%\Ld.exe, it will do the following:
  1. Copies itself as %Windir%\Ld.exe.


    Note: %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  2. Adds the value:

    "Ld"="%windir%\ld.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs each time you start Windows.

Adware.Fastwebfinder is already installed in the %Windir% folder
If Adware.Fastwebfinder finds the file %Windir%\Ld.exe, it will do the following:
  1. Connects to www.fastwebfinder.com.
  2. Downloads information, including the file Dnse.dll, which it copies to the %Windir% folder.

Then, this information is used to hijack the following (of Internet Explorer):
  • Home Page
  • Search Bar
  • Search Assistant
  • Favorites




Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation.


The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Restart the computer in Safe mode or end the adware process.
  3. Close Internet Explorer if it is open.
  4. Delete the value that was added to the registry.
  5. Run a full system scan and delete all the files detected as Adware.Fastwebfinder.
  6. Reset the Internet Explorer home page and Search pages.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Restarting the computer in Safe mode or ending the malicious process
    Windows 95/98/Me
    Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."

    Windows NT/2000/XP
    To end the malicious process:
    1. Press Ctrl+Alt+Delete once.
    2. Click Task Manager.
    3. Click the Processes tab.
    4. Double-click the Image Name column header to alphabetically sort the processes.
    5. Scroll through the list and look for Ld.exe.
    6. If you find the file, click it, and then click End Process.
    7. Exit the Task Manager.

3. Closing Internet Explorer
Make sure that the Internet Explorer windows are not closed. Do not open Internet Explorer until the removal is finished, or you may activate the adware.

4. Deleting the value that was added to the registry.

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)
  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, delete the value:

    "Ld"="%windir%\ld.exe""value"="path/file name"
  5. Exit the Registry Editor.

5. Scanning for and deleting the files
  1. Start your Symantec antivirus program and run a full system scan.
  2. If any files are detected as Adware.Fastwebfinder, click Delete.

6. Resetting the Internet Explorer home page and Search pages
  1. Start Microsoft Internet Explorer.
  2. Connect to the Internet and go to the page that you want to set as your home page.
  3. Click Tools, and then click Internet Options.
  4. In the Home page section of the General tab, click Use Current, and then click OK.
  5. Click the Search icon on the toolbar.
  6. In the Search pane, click Customize.
  7. Click Reset.
  8. Click Autosearch Settings.
  9. Choose a search site from the drop-down list, and then click OK.
  10. Click OK.