BrowserModifier:Win32/Helpth is a DLL file that may be installed on the system as a Browser Helper Object (BHO). It may collect information about the system and send it to a remote server.
Installation
BrowserModifier:Win32/Helpth arrives as a DLL file that may be installed as a BHO with the following properties.
It may modify the system registry to register itself as a BHO, setting the following values:
Set value: "ThunderAdvise"
With data: "{97421d0d-e07f-40df-8f07-99597b9585ad}"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value: "(default)"
With data: "thunderhlpobj class"
To subkey: HKLM\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj.1
Set value: "(default)"
With data: "{97421d0d-e07f-40df-8f07-99597b9585ad}"
To subkey: HKLM\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj.1\CLSID
Set value: "(default)"
With data: "thunderadvise.thunderhlpobj.1"
To subkey: HKLM\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj\CurVer
Set value: "(default)"
With data: "thunderhlpobj class"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}
Set value: "(default)"
With data: "thunderadvise.thunderhlpobj.1"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\ProgID
Set value: "(default)"
With data: "thunderadvise.thunderhlpobj.1"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\VersionIndependentProgID
Set value: "(default)"
With data: "<DLL file name>"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\InprocServer32
Set value: "(default)"
With data: "{6d4c7e08-e021-414c-a42d-ab15a2302196}"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\TypeLib
Set value: "(default)"
With data: "thunderadvise"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}
Set value: "(default)"
With data: "thunderadvise 1.0 type library"
To subkey: HKLM\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0
Set value: "(default)"
With data: "0"
To subkey: HKLM\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\FLAGS
Set value: "(default)"
With data: "<DLL file name>"
To subkey: HKLM\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\0\win32
Set value: "(default)"
With data: "<current folder>"
To subkey: HKLM\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\HELPDIR
Set value: "(default)"
With data: "ithunderhlpobj"
To subkey: HKLM\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}
Set value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"
To subkey: HKLM\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\ProxyStubClsid
Set value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"
To subkey: HKLM\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\ProxyStubClsid32
Set value: "(default)"
With data: "{6d4c7e08-e021-414c-a42d-ab15a2302196}"
To subkey: HKLM\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\TypeLib
If the process hosting the BHO is explorer.exe, it may create the mutex Advise#PNP#v1 to prevent a second instance of itself from running in memory.
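As an added example (not part of the Microsoft write-up), the script below parses an exported .reg file and flags the registrations listed above: the three Helpth GUIDs, the ShellServiceObjectDelayLoad entry that loads the DLL into explorer.exe at logon, and the InprocServer32 path that points at the DLL on disk. The sample export, the benign entry in it and the DLL path are constructed placeholders.

```python
# Added example, not the Microsoft write-up's own tooling. GUIDs are taken from
# the description above; the sample export below is constructed.
HELPTH_GUIDS = {
    "{97421D0D-E07F-40DF-8F07-99597B9585AD}": "Helpth CLSID",
    "{6D4C7E08-E021-414C-A42D-AB15A2302196}": "Helpth TypeLib",
    "{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}": "Helpth Interface",
}
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD"


def parse_reg_export(text):
    """Parse REG_SZ entries of a .reg export into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
    return keys


def find_helpth_indicators(keys):
    """Return (key_path, reason) findings for the Helpth GUIDs, the
    ShellServiceObjectDelayLoad autostart entry and the DLL path in InprocServer32."""
    findings = []
    for path, values in keys.items():
        upper = path.upper()
        hits = [label for guid, label in HELPTH_GUIDS.items() if guid in upper]
        for label in hits:
            findings.append((path, label + " in key path"))
        if hits and upper.endswith("\\INPROCSERVER32") and "(default)" in values:
            findings.append((path, "BHO DLL at " + values["(default)"]))  # file to collect
        if upper == SSODL_KEY:  # loaded by explorer.exe at logon
            for name, data in values.items():
                if data.upper() in HELPTH_GUIDS or name == "ThunderAdvise":
                    findings.append((path, f"SSODL autostart value {name!r} -> {data}"))
    return findings


# Constructed sample export: one benign placeholder entry plus the Helpth registration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BenignExample"="{00000000-0000-0000-0000-000000000001}"
"ThunderAdvise"="{97421d0d-e07f-40df-8f07-99597b9585ad}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\InprocServer32]
@="C:\\PLACEHOLDER\\helpth_sample.dll"
"""
```

Run `find_helpth_indicators(parse_reg_export(SAMPLE_REG))` against a real `reg export HKLM` dump to list every key that needs removal along with the DLL path to collect.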
Additional Information
BrowserModifier:Win32/Helpth may collect system information and send it to a remote server at post.ad9178.com.
It may also receive information from the same server, which it stores in the following file:
This TMP file contains commands for the BHO. Once the commands are run by the BHO, the TMP file is deleted.
Information passed to the BHO may include where to get pop-up advertisements, scripts, and updates.
Analysis by Oleg Petrovsky