ADW_IEHLPR
Windows 98, ME, NT, 2000, XP, Server 2003
Threat Type:
Destructiveness: No
Encrypted:
In the wild: Yes
TECHNICAL DETAILS
Installation
This Adware drops the following files:
- %System%\update.reg
- %System%\APPHELP32.DLL
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Other System Modifications
This Adware adds the following registry keys:
SOLUTION
Step 1
Terminate the malware/grayware/spyware process:
Step 2
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask for assistance from your system administrator. Otherwise, check this Microsoft article first before modifying your computer's registry. Before you can do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page. If the preceding step requires you to restart in Safe Mode, you may proceed to edit the system registry.
- HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
Step 3
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask for assistance from your system administrator. Otherwise, check this Microsoft article first before modifying your computer's registry.
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\HideDesktopIcons\ClassicStartMenu
  - {871C5380-42A0-1069-A2EA-08002B30309D}=1
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\HideDesktopIcons\NewStartPanel
  - {871C5380-42A0-1069-A2EA-08002B30309D}=1
- HKEY_CLASSES_ROOT\CLSID\{86AEFBE8-763F-0647-899C-A93278894599}
  - (Default)=Internet Explorer
- HKEY_CLASSES_ROOT\CLSID\{86AEFBE8-763F-0647-899C-A93278894599}\DefaultIcon
  - (Default)=%Program Files%\Internet Explorer\iexplore.exe
- HKEY_CLASSES_ROOT\CLSID\{86AEFBE8-763F-0647-899C-A93278894599}\shell
  - (Default)=
- HKEY_CLASSES_ROOT\CLSID\{86AEFBE8-763F-0647-899C-A93278894599}\shell\D
  - (Default)=??(&D)
- HKEY_CLASSES_ROOT\CLSID\{86AEFBE8-763F-0647-899C-A93278894599}\shell\D\command
  - (Default)=Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl
- HKEY_CLASSES_ROOT\CLSID\{86AEFBE8-763F-0647-899C-A93278894599}\shell\open
  - (Default)=????
- HKEY_CLASSES_ROOT\CLSID\{86AEFBE8-763F-0647-899C-A93278894599}\shell\open\command
  - (Default)=%Program Files%\Internet Explorer\iexplore.exe http://www.shangla.com/?100050
- HKEY_CLASSES_ROOT\CLSID\{86AEFBE8-763F-0647-899C-A93278894599}\shell\??
  - (Default)=??
- HKEY_CLASSES_ROOT\CLSID\{86AEFBE8-763F-0647-899C-A93278894599}\shell\??\command
  - (Default)=Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl
- HKEY_CLASSES_ROOT\CLSID\{86AEFBE8-763F-0647-899C-A93278894599}\ShellFolder
  - (Default)=
  - Attributes=a
- HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\Desktop\NameSpace\{86AEFBE8-763F-0647-899C-A93278894599}
  - (Default)=Ineter Iexplorer.exe
- HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1
  - (Default)=IEHlprObj Class
- HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1\CLSID
  - (Default)={CE7C3CF0-4B15-11D1-ABED-709549C10000}
- HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj\CurVer
  - (Default)=IEHlprObj.IEHlprObj.1
- HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
  - (Default)=IEHlprObj Class
- HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\ProgID
  - (Default)=IEHlprObj.IEHlprObj.1
- HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID
  - (Default)=IEHlprObj.IEHlprObj
- HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InProcServer32
  - (Default)=%System%\apphelp32.dll
  - ThreadingModel=Apartment
- HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0
  - (Default)=IEHelper 1.0 Type Library
- HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\FLAGS
  - (Default)=0
- HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\win32
  - (Default)=%System%\apphelp32.dll
- HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\HELPDIR
  - (Default)=%System%\
- HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}
  - (Default)=IIEHlprObj
- HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid
  - (Default)={00020424-0000-0000-C000-000000000046}
- HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32
  - (Default)={00020424-0000-0000-C000-000000000046}
- HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib
  - (Default)={CE7C3CE2-4B15-11D1-ABED-709549C10000}
  - Version=1.0
Step 4
Search and delete these files
- %System%\update.reg
- %System%\APPHELP32.DLL
Note: To search for these files, right-click Start, then click Search... or Find..., depending on the version of Windows you are running. For each file to be deleted, type its file name in the Named input box. In the Look In drop-down list, select My Computer, then press Enter.
Step 5
Scan your computer with your Trend Micro product to delete files detected as ADW_IEHLPR.
Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
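Added example, not part of this description: a read-only PowerShell check that reports whether the artifacts listed in the steps above are still present, so a cleanup can be verified. It assumes a host that has PowerShell (so not Windows 98/ME); every path, value name and CLSID is taken from this description, while the function name is mine.

```powershell
# Added example: read-only check for the ADW_IEHLPR artifacts listed in this
# description. Nothing is modified; the function returns a list of findings.
$BhoClsid    = '{CE7C3CF0-4B15-11D1-ABED-709549C10000}'   # the BHO (IEHlprObj)
$FakeIeClsid = '{86AEFBE8-763F-0647-899C-A93278894599}'   # fake "Internet Explorer" desktop entry
$HiddenIcon  = '{871C5380-42A0-1069-A2EA-08002B30309D}'   # real IE desktop icon being hidden

function Test-AdwIehlprArtifacts {
    $sys = [Environment]::SystemDirectory          # resolves %System%
    $findings = @()

    # Dropped files
    foreach ($f in @("$sys\update.reg", "$sys\APPHELP32.DLL")) {
        if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
    }

    # BHO registration that makes Internet Explorer load the DLL
    $bho = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$BhoClsid"
    if (Test-Path -LiteralPath $bho) { $findings += "BHO registered: $bho" }

    # COM server registration pointing the BHO CLSID at the dropped DLL
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$BhoClsid\InProcServer32"
    if (Test-Path -LiteralPath $inproc) {
        $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        if ($dll -match 'apphelp32\.dll$') { $findings += "InProcServer32 -> $dll" }
    }

    # Desktop namespace entry posing as Internet Explorer, and the URL its Open verb launches
    $ns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\$FakeIeClsid"
    if (Test-Path -LiteralPath $ns) { $findings += "fake IE desktop entry: $ns" }
    $cmd = "Registry::HKEY_CLASSES_ROOT\CLSID\$FakeIeClsid\shell\open\command"
    if (Test-Path -LiteralPath $cmd) {
        $findings += "fake IE open command: " + (Get-ItemProperty -LiteralPath $cmd).'(default)'
    }

    # Real IE desktop icon hidden under both Start menu styles (value name is the CLSID)
    foreach ($style in 'ClassicStartMenu', 'NewStartPanel') {
        $k = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\$style"
        $v = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).$HiddenIcon
        if ($v -eq 1) { $findings += "IE desktop icon hidden: $k" }
    }
    return $findings
}

$result = Test-AdwIehlprArtifacts
if ($result.Count -eq 0) { 'No ADW_IEHLPR artifacts found.' } else { $result }
```

An empty result after Steps 2 to 5 confirms the listed keys, values and files are gone; any line returned names the artifact that still needs attention.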