Adware.DealHelper

Printer Friendly Page

Updated: February 13, 2007 11:38:12 AM

Type: Adware

Publisher: DealHelper

Risk Impact: Medium

File Names: DealHelper.exe, download.exe, TimeSync.exe, TimeSynchronize, DHUpdt.exe, DHP2.dll,DHP.dll, de

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.DealHelper is executed, it performs the following actions:

Creates the following files:
- %System%\dun.exe
- %System%\HookPopup.dll
- %System%\[RANDOM CHARACTERS].xml
- %System%\[RANDOM CHARACTERS].xml
- %System%\[RANDOM CHARACTERS].xml
- %System%\[RANDOM CHARACTERS].xml
- %System%\[RANDOM CHARACTERS].xml
- %System%\[RANDOM CHARACTERS].xml
- %System%\[RANDOM CHARACTERS].xml
- %System%\[RANDOM CHARACTERS].xml
- %System%\[RANDOM CHARACTERS].xml
- %System%\Newmsrdk2.zip
- %Windir%\AppsInstalled.htm
- %Windir%\dhdom.bin
- %Windir%\dhdom1.bin%WINDOWS%\dhdomp.bin
- %Windir%\dhdomp1.bin
- %Windir%\dhkw.bin
- %Windir%\dhkw1.bin
- %Windir%\dsearch.bin
- %Windir%\dsearch1.bin
- %UserProfile%\Local Settings\temp\DealHelper.log
- %UserProfile%\Local Settings\temp\TimeSync.log
- %UserProfile%\Local Settings\temp\_Tix.log
- %UserProfile%\Local Settings\temp\down.cab
- %Windir% \Dhbrowser.exe
- %Windir% \DHP.dll
- %Windir% \Dhsvr.exe
- %Windir% \DHUpdt.exe
- %Windir% \Dealhlpr.dll
  Note:
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- %System% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
Creates the following registry subkeys:

HKEY_CLASSES_ROOT\AppID\{A1F53F1D-FB2D-4FE0-8EE8-7BBE69999D9F} HKEY_CLASSES_ROOT\AppID\{A57AFB0F-C63E-4AE2-8A7B-BCA01BA32CC5}HKEY_CLASSES_ROOT\CLSID\{54A41AE7-B358-4D41-98BD-BBBFFDF5186B}HKEY_CLASSES_ROOT\CLSID\{5E3E1DC0-239A-4067-A4A0-88902C108E58} HKEY_CLASSES_ROOT\CLSID\{6DD8B352-21A7-4C24-AC49-E9B4730C1823} HKEY_CLASSES_ROOT\CLSID\{8B477303-698C-4EED-B9F6-C715842FBE33} HKEY_CLASSES_ROOT\CLSID\{8EE1AAF5-ED6B-4601-B333-CD30FFB8B39D} HKEY_CLASSES_ROOT\CLSID\{B8E910B5-7452-4A29-B121-08E8CF09EC07} HKEY_CLASSES_ROOT\CLSID\{D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} HKEY_CLASSES_ROOT\CLSID\{F00586DE-A432-4B9F-877D-E29CD87EFDD6} HKEY_CLASSES_ROOT\CLSID\{1A2883F2-FDC7-4AF2-B136-203ADB475DD7} HKEY_CLASSES_ROOT\CLSID\{BFEF1779-0E92-45A1-BF5E-55991007F912} HKEY_CLASSES_ROOT\CLSID\{FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} HKEY_CLASSES_ROOT\CLSID\{7BC3EC59-A4A0-4638-A3BF-C20B0665947F} HKEY_CLASSES_ROOT\CLSID\{93AD89ED-F29F-4974-8688-2552B5955D4E} HKEY_CLASSES_ROOT\Interface\{06E53101-654C-45EB-BFF6-E37E13B5972A} HKEY_CLASSES_ROOT\Interface\{0B16B278-B2E3-4CBF-85B5-E058878F728F} HKEY_CLASSES_ROOT\Interface\{1DA40091-14B4-4C21-8170-A2CEEDE90B10} HKEY_CLASSES_ROOT\Interface\{3AFAE37A-56A3-4850-B599-4DA9A9104B82} HKEY_CLASSES_ROOT\Interface\{3D89A731-9F4A-418F-A997-2D633C7C404C} HKEY_CLASSES_ROOT\Interface\{81739076-56B7-42EC-A0AA-692794FDED1A} HKEY_CLASSES_ROOT\Interface\{A2CDAFB4-EB9C-4EFC-BCFC-A7AA6745FF7E} HKEY_CLASSES_ROOT\Interface\{BF9EE3A0-1A02-4265-A65F-AC4D4447F6BF} HKEY_CLASSES_ROOT\Interface\{DEBA1742-2BEC-4B78-A987-5837971193F7} HKEY_CLASSES_ROOT\Interface\{F3816084-9608-485A-B63B-CAD8F931577E} HKEY_CLASSES_ROOT\Interface\{C2E6831B-822B-4A1F-9EF1-1D3EB7D3E985} HKEY_CLASSES_ROOT\Interface\{C9679631-7060-443F-BD37-88F9410ED8C3} HKEY_CLASSES_ROOT\Interface\{E9468A08-F790-48CE-AD30-EADEEAB9B40C} HKEY_CLASSES_ROOT\Interface\{B5146C72-3328-4240-97ED-3A23DCB656CF} HKEY_CLASSES_ROOT\Interface\{F0207D66-1A2A-4B86-B821-50C12E4ABE43} HKEY_CLASSES_ROOT\TypeLib\{25AB1639-3F81-45A8-8318-2DAFBA8B8F3D} HKEY_CLASSES_ROOT\TypeLib\{5E19A321-635E-4BA5-8828-A5B6427CC61D} HKEY_CLASSES_ROOT\TypeLib\{771262E0-8FEB-4E78-B292-B01C4071B9D1} HKEY_CLASSES_ROOT\TypeLib\{B82B9ECF-40AE-46F2-B98E-B87CF17F70D0} HKEY_CLASSES_ROOT\TypeLib\{4B76F69E-247A-4617-ABA9-95774658AFC5} HKEY_CLASSES_ROOT\TypeLib\{C2E2F4D7-2C20-492F-B179-D15FF876AB83} HKEY_CLASSES_ROOT\TypeLib\{449DC6DA-DBFC-458B-8B62-3DB7C366BD6D} HKEY_CLASSES_ROOT\AppID\dhbrwsr.EXE HKEY_CLASSES_ROOT\AppID\dhsvr.EXE HKEY_CLASSES_ROOT\Dealhlpr.Band.1 HKEY_CLASSES_ROOT\Dealhlpr.Band HKEY_CLASSES_ROOT\Dealhelper.DealHelperCtrl HKEY_CLASSES_ROOT\Dealhelper.DealHelperCtrl.1 HKEY_CLASSES_ROOT\DHSIGNED.DhsignedCtrl.1 HKEY_CLASSES_ROOT\DealPop.CDealHelperPopup HKEY_CLASSES_ROOT\DealPop.CDealHelperPopup.1 HKEY_CLASSES_ROOT\DealPop.DealPopEvents HKEY_CLASSES_ROOT\DealPop.DealPopEvents.1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \Uninstall\D-Helper Web Driver HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \Uninstall\TimeSync HKEY_CURRENT_USERS\Software\TimeSynchonization HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \ModuleUsage\C:/WINNT/Dhsigned.ocx HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurentVersion \ModuleUsage\C:/WINDOWS/Dhsigned.ocxHKEY_CLASSES_ROOT\Dhbrwsr.BrowserWindows.1 HKEY_CLASSES_ROOT\Dhbrwsr.BrowserWindows HKEY_CLASSES_ROOT\DHP.DHEvents.1 HKEY_CLASSES_ROOT\DHP.DHEvents HKEY_CLASSES_ROOT\DHP.Popup.1 HKEY_CLASSES_ROOT\DHP.Popup HKEY_CLASSES_ROOT\Dhsvr.CFileDatabase.1 HKEY_CLASSES_ROOT\Dhsvr.CFileDatabase HKEY_CLASSES_ROOT\Dhsvr.DBHelper.1 HKEY_CLASSES_ROOT\Dhsvr.DBHelper HKEY_CLASSES_ROOT\Dhsvr.Even.1 HKEY_CLASSES_ROOT\Dhsvr.Even HKEY_CLASSES_ROOT\Dhsvr.WebDealEvents.1 HKEY_CLASSES_ROOT\Dhsvr.WebDealEvents HKEY_CURRENT_USER\Software\DealHelper HKEY_LOCAL_MACHINE\SOFTWARE\dealhelper HKEY_LOCAL_MACHINE\SOFTWARE\dealhelper\KeyWord HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar \{D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \SharedDLLs\C:\WINDOWS\dealhlpr.dll HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \SharedDLLs\C:\WINDOWS\dhbrwsr.exe HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \SharedDLLs\C:\WINDOWS\DHP.dll HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \SharedDLLs\C:\WINDOWS\dhsvr.exe HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \SharedDLLs\C:\WINDOWS\DHUpdt.exe HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \Uninstall\DealHelper\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \Uninstall\WinDH HKEY_LOCAL_MACHINE\SOFTWARE\Ddate
Adds the value:

"DealHelperUpdate" = "C:\WINDOWS\DHUpdt.exe""DealHelperBrwsr" = "C:\WINDOWS\dhbrwsr.exe"
"secure" = "C:\WINNT\system32\[RANDOM CHARACTERS].exe"
"version" = "C:\WINNT\system32\[RANDOM CHARACTERS].exe"

to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds the value:

{D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} = ""

to the registry subkey:
HKEY_LOCAL_MACHINE%\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Adds the value:

"UninstallString" = "C:\WINNT\system32\dun.exe
"DisplayIcon" = "C:\WINNT\system32\[RANDOM CHARACTERS].exe"

to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH
Displays pop-up advertisements.

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}