AlphaOne Technology Support Forums
Brad
Adware.ESDIexplorr Browser Helper Object
« on: June 22, 2005, 11:34:52 PM »

Behavior
Adware.ESDIexplorr is a Browser Helper Object that displays advertisements and may download additional files. It displays an unusually high number of pop-up advertisements.

Symptoms
Your Symantec program detects Adware.ESDIexplorr.
Unexpected advertisements appear in Internet Explorer browser windows.

Transmission
This security risk can be installed as part of another program.

Technical details
File names:
%Windir%\iexplorr11.dll
%Windir%\iexplorr22.dll
%Windir%\iexplorr23.dll
%Windir%\iexplorr24.dll
%Windir%\WindowsIE.dll
%UserProfile%\Local Settings\Temp\Install.exe

When Adware.ESDIexplorr is executed, it performs the following actions:

   1. Creates the following files:

          * %Windir%\iexplorr11.dll
          * %Windir%\iexplorr22.dll
          * %Windir%\iexplorr23.dll
          * %Windir%\iexplorr24.dll
          * %Windir%\WindowsIE.dll
          * %UserProfile%\Local Settings\Temp\Install.exe

            Note:
          * %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
          * %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).

   2. Creates the following subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39AF31DD-EAFC-45EA-A56C-385B52E25CC0}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E12B523-3D4C-4FAC-9B04-0376A8F5E879}

      so that the risk runs every time Internet Explorer starts.

   3. Creates the following registry subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{236826B1-8FDB-4D3C-8F70-E154F874703D}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E12B523-3D4C-4FAC-9B04-0376A8F5E879}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39AF31DD-EAFC-45EA-A56C-385B52E25CC0}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{43E2DBE5-8C8A-4519-9684-8CD7F39A5147}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A76066C9-941B-4209-9D96-0AC80501100D}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DA3609D1-3E96-4726-A17F-30F46AE89726}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EB6D8BAA-704A-415B-BC0A-3468BFAE924E}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4B191B11-A44C-4D42-B4AC-6FCD5F61587C}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{943F44C0-44DA-40D5-98D7-9AAC4C15C603}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0B60CEF5-2431-4F92-82CF-03FEE5BDC762}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{22EB8F60-F99B-4E29-8376-E8BC417148FD}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{338F1D89-A419-4C40-96E3-C29C978A7DF6}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7FB04DE1-4340-4002-9D9E-3B6913AE6953}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B4450075-9717-43B1-BA10-4B9FD7325FD5}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CBD7E8BE-0E1E-441D-B133-E26F5636CCCF}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E41774F1-63E7-44ED-A03A-FF8422F9AFF0}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC385F81-0109-4FA8-AAD0-53B4A9A5DD2B}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D6862A20-1DD6-11D3-BB7C-444553540000}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1620D17D-F2B5-43BE-8ED4-6B22E321D2A3}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{22CBCB4C-E9DF-4D25-86BC-FFDA4DF8FC06}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B224AFF4-0561-4B35-A91A-6F339152A482}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D6862A20-1DD6-11D3-BB7C-444553540000}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsIE
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsIE.clsIS
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr11.clsDW
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr11.clsIS
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr22.clsDW
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr22.clsIS
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr23.clsDW
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr23.clsIS
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr24.clsDW
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr24.clsIS
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowsIE

   4. One or more .dll files are injected into Explorer.exe. Explorer.exe then listens on a random port.

   5. Displays advertisements in Internet Explorer at random intervals.

To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit

      Then click OK.

      Note: If the registry editor fails to open, the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.html, and then continue with the removal.

   3. Navigate to and delete the following subkeys, if present:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39AF31DD-EAFC-45EA-A56C-385B52E25CC0}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E12B523-3D4C-4FAC-9B04-0376A8F5E879}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{236826B1-8FDB-4D3C-8F70-E154F874703D}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E12B523-3D4C-4FAC-9B04-0376A8F5E879}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39AF31DD-EAFC-45EA-A56C-385B52E25CC0}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{43E2DBE5-8C8A-4519-9684-8CD7F39A5147}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A76066C9-941B-4209-9D96-0AC80501100D}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DA3609D1-3E96-4726-A17F-30F46AE89726}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EB6D8BAA-704A-415B-BC0A-3468BFAE924E}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4B191B11-A44C-4D42-B4AC-6FCD5F61587C}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{943F44C0-44DA-40D5-98D7-9AAC4C15C603}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0B60CEF5-2431-4F92-82CF-03FEE5BDC762}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{22EB8F60-F99B-4E29-8376-E8BC417148FD}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{338F1D89-A419-4C40-96E3-C29C978A7DF6}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7FB04DE1-4340-4002-9D9E-3B6913AE6953}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B4450075-9717-43B1-BA10-4B9FD7325FD5}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CBD7E8BE-0E1E-441D-B133-E26F5636CCCF}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E41774F1-63E7-44ED-A03A-FF8422F9AFF0}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC385F81-0109-4FA8-AAD0-53B4A9A5DD2B}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D6862A20-1DD6-11D3-BB7C-444553540000}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1620D17D-F2B5-43BE-8ED4-6B22E321D2A3}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{22CBCB4C-E9DF-4D25-86BC-FFDA4DF8FC06}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B224AFF4-0561-4B35-A91A-6F339152A482}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D6862A20-1DD6-11D3-BB7C-444553540000}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsIE
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsIE.clsIS
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr11.clsDW
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr11.clsIS
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr22.clsDW
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr22.clsIS
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr23.clsDW
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr23.clsIS
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr24.clsDW
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr24.clsIS
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowsIE

   4. Exit the Registry Editor.
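Added example, not part of Brad's post or the Symantec write-up: a PowerShell script that audits the BHO registrations described under Technical details (every registered BHO is resolved to the DLL it loads and flagged if it matches the listed CLSIDs or DLL names) and then removes the listed BHO/CLSID keys and files from the manual procedure above. It assumes an elevated prompt on a current PowerShell; run with -WhatIf to report only. The Interface, TypeLib, ProgID and Uninstall keys from step 3 are not touched and still need the manual steps.

```powershell
# Added example (not from the original post): audit and optionally remove the
# Adware.ESDIexplorr BHO registrations and files listed in the write-up.
# Run elevated; -WhatIf reports without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# CLSIDs and file names exactly as given in the write-up above.
$Clsids = @(
    '{39AF31DD-EAFC-45EA-A56C-385B52E25CC0}', '{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6}',
    '{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256}', '{BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A}',
    '{2E12B523-3D4C-4FAC-9B04-0376A8F5E879}'
)
$Files = @(
    "$env:windir\iexplorr11.dll", "$env:windir\iexplorr22.dll", "$env:windir\iexplorr23.dll",
    "$env:windir\iexplorr24.dll", "$env:windir\WindowsIE.dll", "$env:TEMP\Install.exe"
)
$BhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# 1. Audit: list every registered BHO, resolve its CLSID to the in-process DLL,
#    and flag entries matching the known CLSIDs or the iexplorrNN/WindowsIE names
#    (so a re-registered copy under a fresh CLSID is still reported).
Get-ChildItem -Path $BhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $server = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32" `
                -ErrorAction SilentlyContinue).'(default)'
    $hit = ($Clsids -contains $clsid) -or
           ($server -and ($server -match '\\iexplorr\d\d\.dll$|\\WindowsIE\.dll$'))
    [pscustomobject]@{ CLSID = $clsid; Server = $server; Suspect = $hit }
} | Format-Table -AutoSize

# 2. Removal: delete the listed BHO and CLSID keys, then the dropped files.
#    Each action goes through ShouldProcess, so -WhatIf only prints what would happen.
foreach ($c in $Clsids) {
    foreach ($k in "$BhoRoot\$c", "HKLM:\SOFTWARE\Classes\CLSID\$c") {
        if ((Test-Path -Path $k) -and $PSCmdlet.ShouldProcess($k, 'Remove registry key')) {
            Remove-Item -Path $k -Recurse -Force
        }
    }
}
foreach ($f in $Files) {
    if ((Test-Path -Path $f) -and $PSCmdlet.ShouldProcess($f, 'Delete file')) {
        Remove-Item -Path $f -Force
    }
}
```

Close Internet Explorer before the removal pass, since a BHO DLL loaded into a running browser cannot be deleted until it is unloaded.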