
Adware.DealHelper

Updated:
February 13, 2007 11:38:12 AM
Type:
Adware
Publisher:
DealHelper
Risk Impact:
Medium
File Names:
DealHelper.exe, download.exe, TimeSync.exe, TimeSynchronize, DHUpdt.exe, DHP2.dll, DHP.dll, de
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.DealHelper is executed, it performs the following actions:
  1. Creates the following files:

    • %System%\dun.exe
    • %System%\HookPopup.dll
    • %System%\[RANDOM CHARACTERS].xml
    • %System%\[RANDOM CHARACTERS].xml
    • %System%\[RANDOM CHARACTERS].xml
    • %System%\[RANDOM CHARACTERS].xml
    • %System%\[RANDOM CHARACTERS].xml
    • %System%\[RANDOM CHARACTERS].xml
    • %System%\[RANDOM CHARACTERS].xml
    • %System%\[RANDOM CHARACTERS].xml
    • %System%\[RANDOM CHARACTERS].xml
    • %System%\Newmsrdk2.zip
    • %Windir%\AppsInstalled.htm
    • %Windir%\dhdom.bin
    • %Windir%\dhdom1.bin
    • %WINDOWS%\dhdomp.bin
    • %Windir%\dhdomp1.bin
    • %Windir%\dhkw.bin
    • %Windir%\dhkw1.bin
    • %Windir%\dsearch.bin
    • %Windir%\dsearch1.bin
    • %UserProfile%\Local Settings\temp\DealHelper.log
    • %UserProfile%\Local Settings\temp\TimeSync.log
    • %UserProfile%\Local Settings\temp\_Tix.log
    • %UserProfile%\Local Settings\temp\down.cab
    • %Windir%\Dhbrowser.exe
    • %Windir%\DHP.dll
    • %Windir%\Dhsvr.exe
    • %Windir%\DHUpdt.exe
    • %Windir%\Dealhlpr.dll

    Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %ProgramFiles% is a variable that refers to the Program Files folder. By default, this is C:\Program Files.

  2. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\AppID\{A1F53F1D-FB2D-4FE0-8EE8-7BBE69999D9F}
    HKEY_CLASSES_ROOT\AppID\{A57AFB0F-C63E-4AE2-8A7B-BCA01BA32CC5}
    HKEY_CLASSES_ROOT\CLSID\{54A41AE7-B358-4D41-98BD-BBBFFDF5186B}
    HKEY_CLASSES_ROOT\CLSID\{5E3E1DC0-239A-4067-A4A0-88902C108E58}
    HKEY_CLASSES_ROOT\CLSID\{6DD8B352-21A7-4C24-AC49-E9B4730C1823}
    HKEY_CLASSES_ROOT\CLSID\{8B477303-698C-4EED-B9F6-C715842FBE33}
    HKEY_CLASSES_ROOT\CLSID\{8EE1AAF5-ED6B-4601-B333-CD30FFB8B39D}
    HKEY_CLASSES_ROOT\CLSID\{B8E910B5-7452-4A29-B121-08E8CF09EC07}
    HKEY_CLASSES_ROOT\CLSID\{D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13}
    HKEY_CLASSES_ROOT\CLSID\{F00586DE-A432-4B9F-877D-E29CD87EFDD6}
    HKEY_CLASSES_ROOT\CLSID\{1A2883F2-FDC7-4AF2-B136-203ADB475DD7}
    HKEY_CLASSES_ROOT\CLSID\{BFEF1779-0E92-45A1-BF5E-55991007F912}
    HKEY_CLASSES_ROOT\CLSID\{FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6}
    HKEY_CLASSES_ROOT\CLSID\{7BC3EC59-A4A0-4638-A3BF-C20B0665947F}
    HKEY_CLASSES_ROOT\CLSID\{93AD89ED-F29F-4974-8688-2552B5955D4E}
    HKEY_CLASSES_ROOT\Interface\{06E53101-654C-45EB-BFF6-E37E13B5972A}
    HKEY_CLASSES_ROOT\Interface\{0B16B278-B2E3-4CBF-85B5-E058878F728F}
    HKEY_CLASSES_ROOT\Interface\{1DA40091-14B4-4C21-8170-A2CEEDE90B10}
    HKEY_CLASSES_ROOT\Interface\{3AFAE37A-56A3-4850-B599-4DA9A9104B82}
    HKEY_CLASSES_ROOT\Interface\{3D89A731-9F4A-418F-A997-2D633C7C404C}
    HKEY_CLASSES_ROOT\Interface\{81739076-56B7-42EC-A0AA-692794FDED1A}
    HKEY_CLASSES_ROOT\Interface\{A2CDAFB4-EB9C-4EFC-BCFC-A7AA6745FF7E}
    HKEY_CLASSES_ROOT\Interface\{BF9EE3A0-1A02-4265-A65F-AC4D4447F6BF}
    HKEY_CLASSES_ROOT\Interface\{DEBA1742-2BEC-4B78-A987-5837971193F7}
    HKEY_CLASSES_ROOT\Interface\{F3816084-9608-485A-B63B-CAD8F931577E}
    HKEY_CLASSES_ROOT\Interface\{C2E6831B-822B-4A1F-9EF1-1D3EB7D3E985}
    HKEY_CLASSES_ROOT\Interface\{C9679631-7060-443F-BD37-88F9410ED8C3}
    HKEY_CLASSES_ROOT\Interface\{E9468A08-F790-48CE-AD30-EADEEAB9B40C}
    HKEY_CLASSES_ROOT\Interface\{B5146C72-3328-4240-97ED-3A23DCB656CF}
    HKEY_CLASSES_ROOT\Interface\{F0207D66-1A2A-4B86-B821-50C12E4ABE43}
    HKEY_CLASSES_ROOT\TypeLib\{25AB1639-3F81-45A8-8318-2DAFBA8B8F3D}
    HKEY_CLASSES_ROOT\TypeLib\{5E19A321-635E-4BA5-8828-A5B6427CC61D}
    HKEY_CLASSES_ROOT\TypeLib\{771262E0-8FEB-4E78-B292-B01C4071B9D1}
    HKEY_CLASSES_ROOT\TypeLib\{B82B9ECF-40AE-46F2-B98E-B87CF17F70D0}
    HKEY_CLASSES_ROOT\TypeLib\{4B76F69E-247A-4617-ABA9-95774658AFC5}
    HKEY_CLASSES_ROOT\TypeLib\{C2E2F4D7-2C20-492F-B179-D15FF876AB83}
    HKEY_CLASSES_ROOT\TypeLib\{449DC6DA-DBFC-458B-8B62-3DB7C366BD6D}
    HKEY_CLASSES_ROOT\AppID\dhbrwsr.EXE
    HKEY_CLASSES_ROOT\AppID\dhsvr.EXE
    HKEY_CLASSES_ROOT\Dealhlpr.Band.1
    HKEY_CLASSES_ROOT\Dealhlpr.Band
    HKEY_CLASSES_ROOT\Dealhelper.DealHelperCtrl
    HKEY_CLASSES_ROOT\Dealhelper.DealHelperCtrl.1
    HKEY_CLASSES_ROOT\DHSIGNED.DhsignedCtrl.1
    HKEY_CLASSES_ROOT\DealPop.CDealHelperPopup
    HKEY_CLASSES_ROOT\DealPop.CDealHelperPopup.1
    HKEY_CLASSES_ROOT\DealPop.DealPopEvents
    HKEY_CLASSES_ROOT\DealPop.DealPopEvents.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\D-Helper Web Driver
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TimeSync
    HKEY_CURRENT_USER\Software\TimeSynchonization
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Dhsigned.ocx
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Dhsigned.ocx

    HKEY_CLASSES_ROOT\Dhbrwsr.BrowserWindows.1
    HKEY_CLASSES_ROOT\Dhbrwsr.BrowserWindows
    HKEY_CLASSES_ROOT\DHP.DHEvents.1
    HKEY_CLASSES_ROOT\DHP.DHEvents
    HKEY_CLASSES_ROOT\DHP.Popup.1
    HKEY_CLASSES_ROOT\DHP.Popup
    HKEY_CLASSES_ROOT\Dhsvr.CFileDatabase.1
    HKEY_CLASSES_ROOT\Dhsvr.CFileDatabase
    HKEY_CLASSES_ROOT\Dhsvr.DBHelper.1
    HKEY_CLASSES_ROOT\Dhsvr.DBHelper
    HKEY_CLASSES_ROOT\Dhsvr.Even.1
    HKEY_CLASSES_ROOT\Dhsvr.Even
    HKEY_CLASSES_ROOT\Dhsvr.WebDealEvents.1
    HKEY_CLASSES_ROOT\Dhsvr.WebDealEvents
    HKEY_CURRENT_USER\Software\DealHelper
    HKEY_LOCAL_MACHINE\SOFTWARE\dealhelper
    HKEY_LOCAL_MACHINE\SOFTWARE\dealhelper\KeyWord
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\dealhlpr.dll
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\dhbrwsr.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\DHP.dll
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\dhsvr.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\DHUpdt.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DealHelper\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH
    HKEY_LOCAL_MACHINE\SOFTWARE\Ddate


  3. Adds the value:

    "DealHelperUpdate" = "C:\WINDOWS\DHUpdt.exe"
    "DealHelperBrwsr" = "C:\WINDOWS\dhbrwsr.exe"
    "secure" = "C:\WINNT\system32\[RANDOM CHARACTERS].exe"
    "version" = "C:\WINNT\system32\[RANDOM CHARACTERS].exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. Adds the value:

    {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} = ""

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar


  5. Adds the value:

    "UninstallString" = "C:\WINNT\system32\dun.exe"
    "DisplayIcon" = "C:\WINNT\system32\[RANDOM CHARACTERS].exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH

  6. Displays pop-up advertisements.
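The following read-only audit script is an added example, not Symantec's removal tool or part of this writeup; it checks a Windows host for the fixed-name files, registry subkeys and Run values listed in steps 1 to 5 above and reports what it finds without deleting anything. It assumes %Windir% is $env:SystemRoot and %System% is its System32 subfolder, and it cannot match the [RANDOM CHARACTERS] file names.

```powershell
# Added example: read-only audit for the Adware.DealHelper indicators in this writeup.
# Nothing is removed; findings are printed so an analyst can triage them.
$findings = @()

# Step 3: Run values that restart the adware at logon. "secure" and "version" are
# generic names, so the data is printed too; the writeup says it points at a
# random-name .exe under System32.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in 'DealHelperUpdate', 'DealHelperBrwsr', 'secure', 'version') {
    if ($run -and $run.PSObject.Properties[$name]) {
        $findings += "Run value '$name' = $($run.$name)"
    }
}

# Steps 2, 4 and 5: subkeys the installer creates (Uninstall entries, IE toolbar CLSID)
$keys = @(
    'HKLM:\SOFTWARE\dealhelper',
    'HKCU:\Software\DealHelper',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TimeSync',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\D-Helper Web Driver',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13}'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# Step 1: dropped files with fixed names (%Windir% = $env:SystemRoot assumed)
$files = @(
    'System32\dun.exe', 'System32\HookPopup.dll', 'System32\Newmsrdk2.zip',
    'DHUpdt.exe', 'dhbrwsr.exe', 'Dhbrowser.exe', 'Dhsvr.exe',
    'Dealhlpr.dll', 'DHP.dll', 'dhdom.bin', 'dhkw.bin', 'dsearch.bin', 'AppsInstalled.htm'
) | ForEach-Object { Join-Path $env:SystemRoot $_ }
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

if ($findings.Count -eq 0) { 'No Adware.DealHelper indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated PowerShell session so the HKLM keys and %Windir% files are readable; a hit on the generic "secure" or "version" Run value should be confirmed against its path before acting on it.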