Adware.IEDriver

Updated: February 13, 2007
Publisher: Verticity Pakistan (Pvt) Ltd., URLBlaze (urlblaze.com)
Risk Impact: High
File Names: iedriver.exe, ieupdate.exe, Td.exe
Systems Affected: Windows

Behavior


Adware.IEDriver is an adware component that downloads and displays advertisements that are targeted and based on Internet browsing habits.

Note: Detections prior to April 4, 2005 may detect this threat as Adware.TurboDownload.

Symptoms


The files are detected as Adware.IEDriver.

Behavior


Adware.IEDriver is usually installed with other software, or when certain Web sites are visited. This adware can also be downloaded and installed from the software publisher's Web site at www.urlblaze.com.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version June 28, 2017 revision 021
  • Initial Daily Certified version January 24, 2004
  • Latest Daily Certified version June 29, 2017 revision 004
  • Initial Weekly Certified release date January 26, 2004

When Adware.IEDriver is installed, it does the following:
  1. Creates the folder %System%\iedriver and sets its attributes to hidden.


    Note: %System% is a variable. The adware locates the System folder and creates the iedriver directory at that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following files:

    • %System%\Sb.htm
    • %System%\Sx.htm
    • %System%\iedriver\iedriver.bin
    • %System%\iedrive\iedriver.exe
    • %System%\iedrive\ieupdate.exe
    • %System%\iedrive\Td.exe
    • %System%\iedrive\Sx.htm
    • %System%\iedrive\Vi.tty
    • %System%\iedrive\Vii.tty
    • %System%\iedrive\3.exe
    • %System%\iedrive\5.exe

  3. Adds one of the values:

    "IEDriver" = "%System%\IEDRIVER.EXE"
    "IEDriver"="%System%\IEdriver\Iedriver.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs when Windows starts.

  4. Creates the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\{BC3BBF86-E4EC-4412-9676-8355468B3B05}

  5. Adds the values:

    "Display Name" = "IE Driver"
    "UninstallString" = "%System%\IEdriver\3.exe /c IEDriver"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\{BC3BBF86-E4EC-4412-9676-8355468B3B05}

  6. Adds the values:

    "DisplayName" = "PopKiller"
    "UninstallString" = "%SYSTEM%\IEDriver\3.exe /c PopKiller"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\{F20239CB-33DC-4ec6-959E-73EDEA0FE4D7}

  7. Adds the values:

    "DisplayName" = "TurboDownload"
    "UninstallString" = "%SYSTEM%\TD.exe /c"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\{1A00C40B-DA85-4aa3-A67F-582D9347EECD}

  8. Adds the values:

    "DisplayName" = "TextHighlight"
    "UninstallString" = "%SYSTEM%\IEDriver\3.exe /c TextHighLight"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\{14D108C8-DD97-4b78-8B50-C981500ABB8F}

  9. Adds the value:

    "ConnectionType" = "0x1"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\TurboDownload

  10. Modifies the value:

    "Search Bar" = "file://%System%\sb.htm"

    in the registry subkey:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

  11. Contacts the Web site www.adsrve.com.

  12. Generates frequent pop-up advertisements.

  13. May download an executable from the Web. This file may be an update of itself.



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Run a full system scan and delete all the files detected as Adware.IEDriver.
  3. Delete the values that were added to the registry.
  4. Reset the Internet Explorer Search page.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Scanning for and deleting the files
  1. Start your Symantec antivirus program and run a full system scan.
  2. If any files are detected as Adware.IEDriver, click Delete.


    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.

3. Deleting the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "IEDriver" = "%System%\IEdriver\Iedriver.exe"

  5. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall

  6. Delete the subkeys:

    {BC3BBF86-E4EC-4412-9676-8355468B3B05}
    {14D108C8-DD97-4b78-8B50-C981500ABB8F}
    {1A00C40B-DA85-4aa3-A67F-582D9347EECD}
    {F20239CB-33DC-4ec6-959E-73EDEA0FE4D7}

  7. Navigate to the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\TurboDownload

  8. In the right pane, delete the value:

    "ConnectionType" = "0x1"

  9. Exit the Registry Editor.

4. To reset the Internet Explorer Search page
Follow the instructions for your version of Windows.

Windows 98/Me/2000
  1. Start Microsoft Internet Explorer.
  2. Click the Search button on the toolbar.
  3. In the Search pane, click Customize.
  4. Click Reset.
  5. Click Autosearch Settings.
  6. Select a search site from the drop-down list, and then click OK.
  7. Click OK.

Windows XP
Because Windows XP is set by default to use animated characters in the search, how you do this can vary. Read all the instructions before you start.
  1. Start Microsoft Internet Explorer.
  2. Click the Search button on the toolbar.
  3. Do one of the following:
    • If the pane that opens looks similar to the following picture, click the word Customize and proceed to step 8:
    • If the pane that opens has the words "Search Companion" at the top, and the center looks similar to the following picture, click the Change preferences link and proceed with step 4.

  4. Click the Change Internet search behavior link.
  5. Under "Internet Search Behavior," click With Classic Internet Search.
  6. Click OK. Then close Internet Explorer. (Close the program for the change to take effect.)
  7. Start Internet Explorer. When the search pane opens, it should look similar to the following picture:

    Click the word Customize, and then proceed with the next step.

  8. In the Search pane, click Customize.
  9. Click Reset.
  10. Click Autosearch Settings.
  11. Select a search site from the drop-down list, and then click OK.
  12. Click OK.
  13. Do one of the following:
    • If you were using (or want to continue using) the "Classic Internet Search" panel, stop here (or proceed with the next section).
    • If you want to go back to the "Search Companion" search (it usually has an animated character at the bottom), proceed with step 14.

  14. Click the word Customize again.
  15. In the "Customize Search Settings" window, click Use Search Companion > OK.
  16. Close Internet Explorer. The next time you open it, it will again use the Search Companion.
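
To confirm that the removal steps took effect, the following read-only PowerShell script checks whether the files and registry entries listed in this write-up are still present. It is an added example, not part of the original write-up or of any Symantec product. The function name Get-IEDriverArtifact is hypothetical, and the SysWOW64 and WOW6432Node locations are an assumption about where 64-bit Windows redirects 32-bit programs; the write-up itself lists only the native paths.

```powershell
# Added example: read-only audit for the Adware.IEDriver artifacts in this write-up.
# Paths, value names and GUIDs are copied from the write-up; nothing is modified.
function Get-IEDriverArtifact {                      # hypothetical helper name
    $found = @()

    # %System% as the write-up defines it, plus SysWOW64 (assumption: where 64-bit
    # Windows redirects 32-bit programs; not listed in the write-up).
    $sysDirs = [Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64')
    # Folder and files from steps 1-2, folder spellings kept as the write-up lists them.
    $rel = 'iedriver', 'Sb.htm', 'Sx.htm', 'iedriver\iedriver.bin',
           'iedrive\iedriver.exe', 'iedrive\ieupdate.exe', 'iedrive\Td.exe',
           'iedrive\Sx.htm', 'iedrive\Vi.tty', 'iedrive\Vii.tty',
           'iedrive\3.exe', 'iedrive\5.exe'
    foreach ($dir in $sysDirs) {
        foreach ($r in $rel) {
            $p = Join-Path $dir $r
            if (Test-Path -LiteralPath $p) { $found += "File or folder: $p" }
        }
    }

    # Uninstall subkeys for IE Driver, PopKiller, TurboDownload and TextHighlight.
    $guids = '{BC3BBF86-E4EC-4412-9676-8355468B3B05}',
             '{F20239CB-33DC-4ec6-959E-73EDEA0FE4D7}',
             '{1A00C40B-DA85-4aa3-A67F-582D9347EECD}',
             '{14D108C8-DD97-4b78-8B50-C981500ABB8F}'
    # Native registry view plus WOW6432Node (same 32-bit redirection assumption).
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        $run = Get-ItemProperty -Path "$root\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($run.IEDriver) { $found += "Run value under ${root}: IEDriver = $($run.IEDriver)" }
        foreach ($g in $guids) {
            $key = "$root\Microsoft\Windows\CurrentVersion\Uninstall\$g"
            if (Test-Path -LiteralPath $key) { $found += "Uninstall subkey: $key" }
        }
        $td = Get-ItemProperty -Path "$root\TurboDownload" -ErrorAction SilentlyContinue
        if ($null -ne $td.ConnectionType) { $found += "Value: $root\TurboDownload\ConnectionType" }
    }

    # Per-user Internet Explorer search bar pointed at the dropped sb.htm (step 10).
    $main = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    $bar = $main.'Search Bar'
    if ($bar -match 'sb\.htm') { $found += "IE Search Bar = $bar" }

    $found
}

$hits = @(Get-IEDriverArtifact)
if ($hits.Count -gt 0) { $hits } else { 'None of the listed Adware.IEDriver artifacts were found.' }
```

The HKEY_CURRENT_USER check covers only the account running the script, so run it once for each user profile on the machine.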