Spy Sweeper found 'ie helper' adware

Discussion in 'malware problems & news' started by dcdc, Aug 21, 2006.

Thread Status:
Not open for further replies.
  1. dcdc

    dcdc Registered Member

    Joined:
    Nov 22, 2004
    Posts:
    195
    Location:
    Boston area
    I rarely find any malware on my computer, so I was surprised when a Spy Sweeper scan allegedly found the adware program 'ie helper' today.

    The registry key is as follows: HKLM\software\microsoft\internet explorer\active x compatibility\{a2b7a0f0-...}.

    The SS description is: 'IE Helper is an adware program that may display advertisements on your system.'

    I used regedit to find the key in question, and it said 'compatibility flags', type: REG_DWORD, data: 0x00000400 (1024).

    I am reluctant to quarantine this item without further information because it involves messing with the registry. I am inclined to think it's a false positive because scans with Windows Defender Beta and Spybot among others found nothing. I run quite a few other AS applications as well.

    I could set a System Restore point, but once again that MS application is not working properly. I try to go back to a restore point, and I wind up with a message that the system could not be restored. Thank you so much, Microsoft.

    Does anyone have a suggestion as to how best to proceed? Thanks.
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    The 400 signifies an ActiveX kill bit has been set against that partial CLSID # you are showing, which would stop that particular ActiveX control from running in Internet Explorer. That is usually accomplished by programs such as Spybot's Immunization or SpywareBlaster's IE ActiveX protection. However... a search of their respective databases for that partial CLSID comes up empty, so perhaps you are using another program that installs IE ActiveX control blocking?

    In any case....if SS is reporting that entry and suggesting one remove that entry I would suspect a False positive even without knowing the whole CLSID #.

    Bubba

    Edit
    Would the below happen to match the CLSID # found, and are you by chance using Spyware Doctor?

     
    Last edited: Aug 21, 2006
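
The check described in the reply above (a 'Compatibility Flags' value of 0x400 is the kill bit, so the key blocks a control rather than installing one), written as an added example that is not part of any post in this thread. It triages a regedit export; the export text and both CLSIDs are constructed placeholders, and the function name `triage` is hypothetical.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE from loading the control

# Constructed regedit export; both CLSIDs are placeholders, not the one from the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00000000

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000000B}\InprocServer32]
@="C:\\constructed\\example.dll"
'''

SECTION = re.compile(r'^\[(.+)\]\s*$')
CLSID = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})\s*$', re.I)

def triage(export_text):
    """Return {CLSID: verdict} for every ActiveX Compatibility entry in a .reg export."""
    flags, registered, key, clsid = {}, set(), "", None
    for line in export_text.splitlines():
        m = SECTION.match(line)
        if m:
            key = m.group(1).lower()
            c = CLSID.search(key)
            clsid = c.group(0).upper() if c else None
            # A CLSID\{...}\InprocServer32 key means a control DLL is actually registered.
            if clsid and "\\clsid\\" in key and key.endswith("\\inprocserver32"):
                registered.add(clsid)
            continue
        f = FLAGS.match(line)
        if f and clsid and "\\activex compatibility\\" in key:
            flags[clsid] = int(f.group(1), 16)
    verdicts = {}
    for entry, value in flags.items():
        if value & KILL_BIT and entry not in registered:
            verdicts[entry] = "kill bit set, no control registered: blocklist entry only"
        elif value & KILL_BIT:
            verdicts[entry] = "kill bit set, control registered but blocked in IE"
        else:
            verdicts[entry] = "no kill bit set: this entry does not block the control"
    return verdicts

if __name__ == "__main__":
    for entry, verdict in triage(SAMPLE_EXPORT).items():
        print(entry, "->", verdict)
```

A real regedit export is normally saved as UTF-16, so decode the file with that encoding before passing its text to the function.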
  3. dcdc

    dcdc Registered Member

    Joined:
    Nov 22, 2004
    Posts:
    195
    Location:
    Boston area
    Hi Bubba,

    Kudos to you, I must say.

    Yes, I do run the free version of Spyware Doctor, which offers live protection but not the ability to remove any malware its scans reveal.

    You are also correct about the CLSID found on my computer; it's the same you note in your post.

    For those who don't know SD, it has an Immunizer function that blocks malicious Active X, well over 2000 at the moment, with usually one or more added in the daily updates.

    This situation does raise the question of why SS should now find this particular FP. I have run both SD and SS for a couple of years now without a problem. I have had the current SS build for a few weeks now, and it has not picked up on any of the other SD blocked Active X. Perhaps the latest SS malware definitions are to blame.

    At any rate, I will consider the detected item a false positive and leave it alone. I run so much AS that whenever a scan picks up anything, I usually suspect a FP anyway. I hate like hell to spend time trying to figure it out though. That's one reason I stay away from Pest Patrol, one of the few apps that the Spyware Warrior site recommends that I do not use. They have had a reputation for FPs for a long time.

    Thanks for your help, Bubba.
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    You are very welcome, and glad you got it all sorted out :thumb:
     
  5. Consoleman

    Consoleman Registered Member

    Joined:
    Aug 11, 2006
    Posts:
    15
    IE_Helper is a false positive, guys; this should be fixed by SS :D
     
  6. dcdc

    dcdc Registered Member

    Joined:
    Nov 22, 2004
    Posts:
    195
    Location:
    Boston area
    Apparently the fix has been made, as I have done a couple of SS sweeps after updates in the last few days, and IEHelper was not detected.

    All of which goes to show - don't automatically quarantine or delete something just because your AS says it's malware.
     