Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Adware.Iefeats

Adware.Iefeats

Updated:
February 13, 2007
Risk Impact:
High
File Names:
Msiesh.dll iefeatsl.dll image.dll Mshp.dll f2install.exe
Systems Affected:
Windows

Behavior


Adware.Iefeats is an adware component that redirects Internet Explorer Start Page and modifies search functionality without permission. It displays pop-up ads and downloads files without the user's knowledge, which in turn can spread other security risks and may cause further damage.

Symptoms


Your Symantec program detects Adware.Iefeats.

Behavior


This adware component may be manually installed, or it may be installed as a component of another program.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version March 23, 2017 revision 037
  • Initial Daily Certified version March 05, 2004
  • Latest Daily Certified version March 23, 2017 revision 041
  • Initial Weekly Certified release date March 10, 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When Adware.Iefeats installer is executed, it performs the following actions:
  1. Creates the following file:


    %SystemDrive%\f2install.log

    Note:
    %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.

  2. Adds the value:

    "[NAME OF THE INSTALLER FILE]" = "[LOCATION AND NAME OF THE INSTALLER FILE]"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the installer runs every time Windows starts.

  3. Creates and populates the following registry subkey:

    HKEY_CLASSES_ROOT\CLSID\[INSTALLER CLSID]

    where [installer clsid] is a semi-random CLSID determined by location and file name of the installer.

  4. Downloads encrypted service and Browser Helper Object from one or more of following domains:

    • u47.cc
    • u45.cx
    • u48.cc
    • u46.cx

      Decrypts the files, merges them with up to 1024 random bytes and saves as %Windir%\[random executable name] or %System%\[RANDOM EXECUTABLE NAME], where [RANDOM EXECUTABLE NAME] is file name generated by the installer, combining one of the following strings:

    • sdk
    • java
    • cr
    • d3
    • ms
    • ie
    • sys
    • win
    • add
    • app
    • atl
    • mfc
    • api
    • net
    • ip
    • nt

      with two random letters often followed by the string "32" and having one of the following extensions:

    • .dll
    • .exe

      Additionally the installer downloads encrypted resources file from one of the above listed domains. Decrypts it and saves as %Windir%\[RANDOM 5 LETTERS].dll or %System%\[RANDOM 5 LETTERS].dll

      Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  5. Adds the value:

    "[NAME OF THE SERVICE FILE]" = "[LOCATION AND NAME OF THE SERVICE FILE]"

    for downloaded service to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

    so that the service could be run on next Windows start.

  6. For downloaded service and Browser Helper Object creates and populates the following registry subkey:

    HKEY_CLASSES_ROOT\CLSID\[SERVICE CLSID]
    HKEY_CLASSES_ROOT\CLSID\[BHO CLSID]

    Note: [SERVICE CLSID] and [BHO CLSID] are semi-random CLSIDs determined by location and file name of the components.

  7. Executes the service and initializes the Browser Helper Object.

  8. May periodically display message boxes or alert balloons resembling legitimate behaviour of operating system to trick user into visiting possibly malicious web sites.

  9. Attempts to avoid removal by:

    • making backup copies of associated service and Browser Helper Object components to [6 random characters].dat files or randomly named NTFS alternate data streams of existing files in %Windir% folder;
    • restoring missing components;
    • downloading and reinstalling missing components when necessary;
    • recreating the CLSID registry subkeys and updating them with information necessary to locate other components of Adware.Iefeats.

  10. May attempt to download additional security risks and threats.


When downloaded service is executed, it performs the following actions:
  1. Attempts to remove the following registry subkeys:

    HKEY_CLASSES_ROOT\PROTOCOLS\filter\text/html
    HKEY_CLASSES_ROOT\PROTOCOLS\filter\text/plain
    HKEY_CLASSES_ROOT\CLSID\[HTML FILTER CLSID]
    HKEY_CLASSES_ROOT\CLSID\[PLAIN FILTER CLSID]

    Note: [HTML FILTER CLSID] and[PLAIN FILTER CLSID] are values of CLSID entries of the subkeys:

    HKEY_CLASSES_ROOT\PROTOCOLS\filter\text/html
    HKEY_CLASSES_ROOT\PROTOCOLS\filter\text/plain

    Additionally attempts to delete the files referenced by default entries of the subkeys:

    HKEY_CLASSES_ROOT\CLSID\[HTML FILTER CLSID]\InProcServer32
    HKEY_CLASSES_ROOT\CLSID\[PLAIN FILTER CLSID]\InProcServer32

  2. Attempts to remove the value:

    "AppInit_DLLs"

    of the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    and delete file referenced by this value.

  3. Installs obscurely named service with image path:

    "[LOCATION AND NAME OF THE SERVICE FILE] /s"

    and one of the following display names:

    • Network Security Service
    • Network Security Service (NSS)
    • Remote Procedure Call (RPC) Helper
    • Workstation NetLogon Service

Note: The service duplicates the following functionality of the installer in attempt to avoid removal:
    • recreating the value in the RunOnce registry subkey;
    • making copies and restoring missing components from backups;
    • recreating the CLSID registry subkeys and updating them with information necessary to locate other components of Adware.Iefeats.


When downloaded Browser Helper Object is initialized, it performs the following actions:
  1. Creates and populates the following registry subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\HSA
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SE
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SW

    to create links to Web pages providing non-functional uninstallers for the following programs:

    • Home Search Assistent
    • Search Extender
    • Shopping Wizard

  2. Creates and populates the following registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[BHO CLSID]

    to register itself as a Browser Helper Object.

  3. Replaces Internet Explorer search functionality by removing the following registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks

    and adds the value:

    "[BHO CLSID]" = "0x00 [38 MEANINGLESS BYTES]"

    to the recreated subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks

  4. May create various links in the following folders:
    • %UserProfile%\Favourites
    • %UserProfile%\Favourites\Sites

      Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

Once this occurs, when Internet Explorer is opened, the Browser Helper Object does the following:
  1. Downloads encrypted configuration and data files from one or more of following domains:

    • u47.cc
    • u45.cx
    • u48.cc
    • u46.cx

      Decrypts the files and saves as %Windir%\[RANDOM FILE NAME] or %System%\[RANDOM FILE NAME].

  2. Adds the value:

    "Set"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft

  3. Adds the value:

    "ImageDescriptor"

    to the registry subkey:

    HKEY_CLASSES_ROOT\icofile

  4. Modifies the values:

    "Default_Page_URL" = "about:blank"
    "Default_Search_URL" = "res://[LOCATION AND NAME OF RESOURCES FILE]/sp.html#37049
    "Use Search Asst" = "no"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

  5. Modifies the values:

    "Search Bar" = "res://[LOCATION AND NAME OF RESOURCES FILE]/sp.html#37049
    "Search Page" = "res://[LOCATION AND NAME OF RESOURCES FILE]/sp.html#37049
    "Start Page" = "about:blank"

    in the registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

  6. Modifies the values:

    "SearchAssistant" = "res://[LOCATION AND NAME OF RESOURCES FILE]/sp.html#37049

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search

  7. Attempts to disable and damage various Security Risks by terminating processes, deleting files and removing registry subkeys. Because the algorithm used by this adware lacks the capability for proper detection of Security Risks, it may also damage legitimate processes and files. Additionally it deletes the following legitimate file:

    %System%\drivers\etc\hosts

    and the folder:

    %Windir%\LastGood

  8. Creates the following registry subkey:

    HKEY_CLASSES_ROOT\CLSID\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

  9. Displays pop-up ads and contacts various web sites without user permission.

Note: The Browser Helper Object duplicates the following functionality of the installer to complicate adware removal:
    • making copies and restoring missing components from backups;
    • downloading and reinstalling missing components when necessary;
    • recreating the CLSID registry subkeys and updating them with information necessary to locate other components of Adware.Iefeats.


Older versions of this adware may:
  1. Adds the value:

    "Image"= "rundll32 [LOCATION OF image.dll]\image.dll,UpdateDll fs"

    to the registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

  2. Adds the value:

    "Updater"= "rundll32 [LOCATION OF iefeatsl.dll]iefeatsl.dll\1.new,UpdateDll fs"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

  3. Creates and populate the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\iefeatsl

  4. Registers Browser Helper Objects by creating and populating the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}
    HKEY_CLASSES_ROOT\CLSID\{587DBF2D-9145-4C9E-92C2-1F953DA73773}
    HKEY_CLASSES_ROOT\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource.1
    HKEY_CLASSES_ROOT\Image.Image
    HKEY_CLASSES_ROOT\Image.Image.1
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject.1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{587DBF2D-9145-4C9E-92C2-1F953DA73773}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4C9E-92C2-1F953DA73773}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{FD9BC004-8331-4457-B830-4759FF704C22}

  5. Sets the Internet Explorer Start Page to a URL on the domain mshp.dll, and then display a search engine page when the browser is opened.

  6. Downloads the following files:

    • [ADWARE FOLDER]\iefeatsl.dll
    • [ADWARE FOLDER]\image.dll
    • [ADWARE FOLDER]\msiesh.dll
    • [ADWARE FOLDER]\mssearch.dll (not available at the time of this writeup)
    • %Windir%\mshp.dll
    • [ADWARE FOLDER]\dict.dat (a configuration file)
    • [ADWARE FOLDER]\keywords.dat (a configuration file)
    • [ADWARE FOLDER]\update.txt (a configuration file)

      where [ADWARE FOLDER] is adware installation folder, usually %UserProfile%\Application Data\iefeatsl

      Note:
      %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).



Removal Tool
Symantec Security Response has developed a removal tool for Adware.Iefeats. Use this removal tool first, as it is the easiest way to remove this adware.

The tool can be found here:

http://securityresponse.symantec.com/avcenter/FixIefts.exe

The current version of the tool is version 1.0.1 and it will have a digital signature timestamp of Thursday December 2, 3.03 AM (PST).

Note: The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.


The following instructions pertain to all Symantec antivirus products that support security risk detection.
  1. Update the definitions
  2. Prepare paper copy of this removal instruction
  3. Restart the computer in Safe mode or VGA mode
  4. Run the scan, note the full path and file name and delete the files
  5. Restart the computer in Normal mode.
  6. Find and disable the service (Windows NT/2000/XP)
  7. Reverse the changes made to the registry
  8. Delete the Web sites added to the Internet Explorer Favorites menu.
  9. Reinstall your Symantec antivirus program
  10. Reset the Internet Explorer home page
  11. Reset the Internet Explorer Search page

For specific details on each of these steps, read the following instructions.


1. Update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.


2. Prepare paper copy of this removal instruction
Because Adware.Iefeats functions as a Microsoft Internet Explorer plugin, it is necessary to close all open Internet Explorer windows to remove it. If you are reading this writeup in Internet Explorer, print this writeup using our printer-friendly option at the top of the page, or write down the following instructions, and then close all Internet Explorer windows.


3. Restart the computer in Safe mode or VGA mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.
  • In Windows 95, 98, Me, 2000, or XP, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
  • In Windows NT 4, restart the computer in VGA mode.


4. Run the scan, note the full path and file name and delete the files
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Adware.Iefeats or Adware.CoolWebSearch and depending on which software version you are using, you may see one or more of the following options:

    Note: This applies only to versions of Norton AntiVirus that support security risk detection. If you are running a version of Symantec AntiVirus Corporate Edition that supports security risk detection, and security risk detection has been enabled, you will only see a message box that gives the results of the scan. If you have questions in this situation, contact your network administrator.

    • Exclude (Not recommended): If you click this button, it will set the risk so that it is no longer detectable. That is, the antivirus program will keep the security risk on your computer and will no longer detect it to remove from your computer.

    • Ignore or Skip: This option tells the scanner to ignore the risk for this scan only. It will be detected again the next time that you run a scan.

    • Cancel: This option is new to Norton Antivirus 2005. It is used when Norton Antivirus 2005 has determined that it cannot delete a security risk. This Cancel option tells the scanner to ignore the risk for this scan only, and thus, the risk will be detected again the next time that you run a scan.

      To actually delete the security risk:
      • Click its file name (under the Filename column).
      • In the Item Information box that displays, write down the full path and file name.
      • Then use Windows Explorer to locate and delete the file.

    • Delete: This option will attempt to delete the detected files. In some cases, the scanner will not be able to do this.
      • If you see a message, "Delete Failed" (or similar message), manually delete the file.
      • Click the file name of the risk that is under the Filename column.
      • In the Item Information box that displays, write down the full path and file name.
      • Then use Windows Explorer to locate and delete the file.


5. Restart the computer in Normal mode


6. Find and disable the service (Windows NT/2000/XP)
  1. Click Start > Run.
  2. Type services.msc, and then click OK.
  3. Locate and select the service that was detected as Adware.Iefeats or Adware.CoolWebSearch.

    Note: To locale the service you may need to check the following entries in Services window:
    • Network Security Service
    • Network Security Service (NSS)
    • Remote Procedure Call (RPC) Helper
    • Workstation NetLogon Service

  4. Click Action > Properties.
  5. Make sure that the field Path to executable references one of detected files, then click Stop and change Startup Type to Manual.
  6. Click OK and close the Services window.


7. Reverse the changes made to the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry , for instructions.

  1. Click Start > Run.

  2. Type regedit

    Then click OK.

  3. Navigate to the subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    and in the right pane, delete the value:

    "[NAME OF DETECTED FILE]" = "[location and NAME OF DETECTED FILE]"

  4. Navigate to the subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

    and in the right pane, delete the following value, if it exists:

    "[NAME OF DETECTED FILE]" = "[LOCATION AND NAME OF DETECTED FILE]"

  5. Navigate to the subkey:

    HKEY_CLASSES_ROOT\

    then click Edit > Find. In the "Find what" box, type the name of .dll file that was detected as Adware.Iefeats in section 7. Search for entries of the form:

    "(Default)" = "[LOCATION AND NAME OF DETECTED .dll FILE]"

    in the registry subkey:

    HKEY_CLASSES_ROOT\CLSID\[SEMI-RANDOM CLSID]\InProcServer32

    then write down the [SEMI-RANDOM CLSID] value. You may need to repeat this step for other .dll files that were detected in section 7.

  6. Navigate to and in the left pane delete the following subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[SEMI-RANDOM CLSID]

    where [SEMI-RANDOM CLSID] matches the value found in the previous search.

  7. Navigate to the following subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks

    and in the right pane, delete the value:

    "[SEMI-RANDOM CLSID]"

    where [SEMI-RANDOM CLSID] matches the value found in the previous search.

  8. Navigate to and in the left pane delete the following subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\HSA
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SE
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SW

  9. Navigate to the key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

  10. In the left pane select the "Internet Explorer" key, right click and select New -> Key. Name the new key UrlSearchHooks.

  11. Navigate to this new key and create a new value by right clicking in the right panel and select New -> String Value. Name the value {CFBFAE00-17A6-11D0-99CB-00C04FD64497}.

  12. Exit the Registry Editor.


8. To delete the Web sites added to the Internet Explorer Favorites menu
  1. Start Microsoft Internet Explorer
  2. Click Favorites > Organize Favorites
  3. Delete any suspicious Favorites added by the risk

9. Reinstall your Symantec antivirus program
As this adware may attempt to remove the files and registry subkeys that your Symantec antivirus program uses, you may need to reinstall the program. If your Symantec antivirus program is not working properly, uninstall, and then reinstall it.


10. Reset the Internet Explorer home page
  1. Start Microsoft Internet Explorer.
  2. Connect to the Internet, and then go to the page that you want to set as your home page.
  3. Click Tools > Internet Options.
  4. In the Home page section of the General tab, click Use Current > OK.

For additional information, or if this procedure does not work, read the Microsoft® Knowledge Base article: Home Page Setting Changes Unexpectedly, or You Cannot Change Your Home Page Setting, Article ID 320159 .


11. Reset the Internet Explorer Search page
Follow the instructions for your version of Windows.

Windows 98/Me/2000
  1. Start Microsoft Internet Explorer.
  2. Click the Search button on the toolbar.
  3. In the Search pane, click Customize.
  4. Click Reset.
  5. Click Autosearch Settings.
  6. Select a search site from the drop-down list, and then click OK.
  7. Click OK.

Windows XP
Because Windows XP is set by default to use animated characters in the search, how you do this can vary. Read all the instructions before you start.
  1. Start Microsoft Internet Explorer.
  2. Click the Search button on the toolbar.
  3. Do one of the following:
    • If the pane that opens looks similar to the following picture, click the word Customize and proceed to step h:




    • If the pane that opens has the words "Search Companion" at the top, and the center looks similar to the following picture, click the Change preferences link and proceed with step d.




  4. Click the Change Internet search behavior link.
  5. Under "Internet Search Behavior," click With Classic Internet Search.
  6. Click OK. Then close Internet Explorer. (Close the program for the change to take effect.)
  7. Start Internet Explorer. When the search pane opens, it should look similar to the following picture:





    Click the word Customize, and then proceed with the next step.

  8. In the Search pane, click Customize.
  9. Click Reset.
  10. Click Autosearch Settings.
  11. Select a search site from the drop-down list, and then click OK.
  12. Click OK.
  13. Do one of the following:
    • If you were using (or want to continue using) the "Classic Internet Search" panel, stop here (or proceed with the next section).
    • If you want to go back to the "Search Companion" search (it usually has an animated character at the button), proceed with step n.

  14. Click the word Customize again.
  15. In the "Customize Search Settings" window, click Use Search Companion > OK.
  16. Close Internet Explorer. The next time you open it, it will again use the Search Companion.