ADW_IEHELPER.A
Overview



In the wild: No

Reported detections: Low

Description:

Alias: Adware.IEPageHelper (Symantec)

This adware is usually dropped and installed by a Trojan as BHO.DLL. Trend Micro detects the said Trojan as TROJ_LINST.A.

Once installed, it waits for the user to browse the Internet, specifically using Internet Explorer. This adware then scans the Web pages accessed by the user and highlights certain words, usually commercial items. When the mouse runs over one of these highlighted words, it displays a link to an advertising Web page that sells the said highlighted item.

This adware runs on Windows 95, 98, ME, NT, 2000, and XP.

Solution: 

Minimum scan engine version needed: 7.100


NOTE: Refer to the clean solution of TROJ_LINST.A to fully remove this adware.

Identifying the Adware Path

Download the latest spyware pattern file and scan your system. Note all files detected as ADW_IEHELPER.A.

Unregister the Adware

To unregister the adware as an Internet Explorer object:

  1. Click Start > Run.
  2. Type: regsvr32 /u %Path%\bho.dll
     Note: %Path% is the directory where BHO.DLL is installed.
  3. Press the Enter key or click OK.

Running Trend Micro Antivirus

Download the latest spyware pattern file and scan your system. Then, delete all files detected as ADW_IEHELPER.A.

Details: 

This adware is usually dropped and installed by a Trojan as BHO.DLL. Trend Micro detects the said Trojan as TROJ_LINST.A.

This adware then adds the following registry entries so that the dropped file is registered as a Browser Helper Object (BHO):

HKEY_CLASSES_ROOT\bho.IEPageHelper.1

HKEY_CLASSES_ROOT\bho.IEPageHelper

HKEY_CLASSES_ROOT\CLSID\{A6F42CAD-2559-48DF-AF30-89E480AF5DFA}

HKEY_CLASSES_ROOT\TypeLib\{0B1DF4A9-C114-48A2-BE0A-6DC5973EB157}

HKEY_CLASSES_ROOT\AppID\{0B1DF4A9-C114-48A2-BE0A-6DC5973EB157}

HKEY_CLASSES_ROOT\AppID\bho.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\bho.IEPageHelper.1

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\bho.IEPageHelper

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{A6F42CAD-2559-48DF-AF30-89E480AF5DFA}

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TypeLib\{0B1DF4A9-C114-48A2-BE0A-6DC5973EB157}

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\AppID\{0B1DF4A9-C114-48A2-BE0A-6DC5973EB157}

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\AppID\bho.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A6F42CAD-2559-48DF-AF30-89E480AF5DFA}
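
A read-only way to check a host for the registry entries listed above and to recover the %Path% needed for the regsvr32 /u step, as an added example that is not part of the original Trend Micro write-up. The WOW6432Node view, the InprocServer32 lookup, and the function name Get-IEHelperFindings are assumptions not taken from the page.

```powershell
# Added example: read-only check for the ADW_IEHELPER.A registry entries listed on this page.
# The HKEY_CLASSES_ROOT entries are a merged view of SOFTWARE\Classes, so HKLM covers them.
$clsid   = '{A6F42CAD-2559-48DF-AF30-89E480AF5DFA}'   # BHO class ID from the page
$typeLib = '{0B1DF4A9-C114-48A2-BE0A-6DC5973EB157}'   # TypeLib/AppID GUID from the page

# Assumption: on 64-bit Windows a 32-bit BHO registers under WOW6432Node, so check both views.
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

function Get-IEHelperFindings {
    foreach ($root in $roots) {
        $classes = "$root\Classes"
        $keys = @(
            "$classes\bho.IEPageHelper.1",
            "$classes\bho.IEPageHelper",
            "$classes\CLSID\$clsid",
            "$classes\TypeLib\$typeLib",
            "$classes\AppID\$typeLib",
            "$classes\AppID\bho.DLL",
            "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
        )
        foreach ($key in $keys) {
            if (Test-Path -LiteralPath $key) {
                [pscustomobject]@{ Key = $key; DllPath = $null }
            }
        }
        # Standard COM registration stores the DLL location in the default value of
        # InprocServer32 (not listed on the page); its directory is the %Path% for regsvr32 /u.
        $inproc = "$classes\CLSID\$clsid\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-Item -LiteralPath $inproc).GetValue('')
            [pscustomobject]@{ Key = $inproc; DllPath = $dll }
        }
    }
}

$findings = @(Get-IEHelperFindings)
if ($findings.Count -eq 0) {
    'No ADW_IEHELPER.A registry entries found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Running it again after the unregister step shows which of the listed entries, if any, remain.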

Analysis by: Michael Lactaotao


Description created: Apr 23, 2004