chromehelper.exe

Creative Island Media, LLC

This adware background process is started and controlled by the Updater.exe executable (if the process is stopped, the updater restarts it). It is designed to install the extension in the Chrome browser and to inject and pop up various ad formats, including pop-ups, inline text links and banners. ChromeHelper is packaged with one of many branded adware applications from Injekt. The application chromehelper.exe by Creative Island Media has been detected as adware by 10 anti-malware scanners. While running, it connects to the Internet address update.betterxperience.com on port 80 using the HTTP protocol. The file is Authenticode-signed by the publisher (see Digital Signature below), so the presence of a signature is not by itself evidence that the file is benign.
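Because Updater.exe relaunches chromehelper.exe whenever it is stopped, killing the helper on its own only produces a respawn. The PowerShell triage script below is an added example, not part of the original page and not code from the adware or its publisher: it finds running chromehelper.exe instances, walks up to the parent, stops the parent before the child, checks that nothing respawned, and then verifies the file at the documented common path against the SHA-256 and signer listed on this page before moving it aside. The parent-process name Updater.exe is taken from the description above; the quarantine folder C:\Quarantine is an assumption used for illustration.

```powershell
# Added triage example (not from the original page). Run from an elevated shell.
# Assumptions: the controlling process is named Updater.exe (per the page text),
# the file lives at the documented common path, and C:\Quarantine is writable.

$KnownSha256 = 'df6237bcde0ae2afdd7e20cf73c040cc8c0be6e90c3c671f3453db4e1e5e5590'
$KnownSigner = 'Creative Island Media, LLC'
$CommonPath  = 'C:\ProgramData\application data\rhelpers\chromehelper\chromehelper.exe'
$Quarantine  = 'C:\Quarantine'   # assumption

# 1. Locate the helper and its parent. CIM gives us ParentProcessId and the
#    executable path, which Get-Process alone does not expose reliably.
$helpers = Get-CimInstance Win32_Process -Filter "Name = 'chromehelper.exe'"
foreach ($h in $helpers) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($h.ParentProcessId)"
    if ($parent -and $parent.Name -ieq 'Updater.exe') {
        Write-Host "Stopping controller $($parent.Name) (PID $($parent.ProcessId)) at $($parent.ExecutablePath)"
        Stop-Process -Id $parent.ProcessId -Force -ErrorAction SilentlyContinue
    }
    Write-Host "Stopping $($h.Name) (PID $($h.ProcessId)) at $($h.ExecutablePath)"
    Stop-Process -Id $h.ProcessId -Force -ErrorAction SilentlyContinue
}

# 2. Give the updater a moment; if the helper comes back, something other than
#    Updater.exe is restarting it and must be identified before cleanup.
Start-Sleep -Seconds 3
if (Get-Process -Name chromehelper -ErrorAction SilentlyContinue) {
    Write-Warning 'chromehelper.exe respawned; a different parent process is restarting it.'
}

# 3. Verify the file on disk before touching it. The certificate on this sample
#    expired in 2014, so Status will not be Valid; compare the signer subject
#    and the hash instead of relying on Status alone.
if (Test-Path -LiteralPath $CommonPath) {
    $hash   = (Get-FileHash -LiteralPath $CommonPath -Algorithm SHA256).Hash.ToLowerInvariant()
    $sig    = Get-AuthenticodeSignature -LiteralPath $CommonPath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    Write-Host "SHA-256  : $hash"
    Write-Host "Signer   : $signer"
    Write-Host "SigStatus: $($sig.Status)"

    if ($hash -eq $KnownSha256 -or $signer -like "*$KnownSigner*") {
        New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
        $dest = Join-Path $Quarantine "chromehelper_$hash.bin"
        Move-Item -LiteralPath $CommonPath -Destination $dest -Force
        Write-Host "Quarantined to $dest"
    } else {
        Write-Warning 'File at the common path does not match the documented sample; review manually.'
    }
}
```

The signer match is deliberately kept alongside the hash match: a rebuilt or repacked helper will not hash to the value on this page, but it will usually still carry the same publisher subject, which is the more durable indicator.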
Publisher:
WatchDog (signed by Creative Island Media, LLC)

Product:
WatchDog

Version:
3, 0, 0, 1

MD5:
f8460c5bfd0375db98325ed16aa53cb2

SHA-1:
30b302379d0456f1b008d5424443118d3023efe1

SHA-256:
df6237bcde0ae2afdd7e20cf73c040cc8c0be6e90c3c671f3453db4e1e5e5590

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads into the web browser, and alters the browser's settings (home page, search, DNS, and security protocols).

Analysis date:
4/16/2024 8:21:30 PM UTC

Scan engine           Detection                        Engine version
AVG                   Generic                          2016.0.3160
Dr.Web                Adware.Plugin.128                9.0.1.083
ESET NOD32            Win32/ExFriendAlert (variant)    9.10682
herdProtect (fuzzy)   -                                2015.6.29.14
IKARUS anti.virus     PUA.ExFriendAlert                t3scan.1.8.3.0
Malwarebytes          PUP.Optional.SearchDonkey.A      v2015.03.24.03
NANO AntiVirus        Riskware.Win32.Plugin.dbxktm     0.28.2.61721
Reason Heuristics     PUP.Injekt                       15.3.24.15
Sophos                Search Donkey                    4.98
VIPRE Antivirus       SearchDonkey                     23830

File size:
245.9 KB (251,768 bytes)

Product version:
3, 0, 0, 1

Original file name:
dog.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\ProgramData\application data\rhelpers\chromehelper\chromehelper.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
5/20/2013 5:00:00 PM

Valid to:
5/21/2014 4:59:59 PM

Subject:
CN="Creative Island Media, LLC", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Creative Island Media, LLC", L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
68F23F4D2767F6491DEA9186F2E5CB89

File PE Metadata
Compilation timestamp:
10/2/2013 1:57:36 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:Y1hDqIZLwlmnWN/68zIyrjSHoWT0Cp2kL93YabMtfxMKZ4b+Wry9n5XtQwnPM2bu:Y11JZc3sZ1sD46/PQAEjj5DTF6Cvp

Entry address:
0x160EB

Entry point:
E8, 68, 96, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, F8, D4, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, 20, 29, 43, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, CC, 90, 42, 00...

Entropy:
6.3372

Code size:
159.5 KB (163,328 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to update.betterxperience.com  (54.218.62.24:80)

TCP (HTTP):
Connects to d.pullupdate.com  (54.230.15.37:80)

TCP (HTTP):
Connects to d.betterxperience.com  (54.230.13.123:80)

URL:
http://d.betterxperience.com/updater/dedu.txt
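To check other hosts for the same update and ad infrastructure, the domains and addresses listed above can be swept against the local DNS cache and live TCP connections. The script below is an added example, not part of the original page: it reports cache entries and established port-80 connections that match the indicators, resolves each connection to its owning process, and optionally sinkholes the three domains in the hosts file so the helper cannot fetch its update manifest while cleanup proceeds. The assumption that the listed IP addresses are cloud-hosted and may later be reassigned to unrelated services is mine, which is why an IP hit is treated as a lead to confirm rather than a verdict.

```powershell
# Added network-IOC sweep (not from the original page). Read-only apart from
# the optional hosts-file step at the end, which needs an elevated shell.
$Domains = @('update.betterxperience.com', 'd.pullupdate.com', 'd.betterxperience.com')
$Ips     = @('54.218.62.24', '54.230.15.37', '54.230.13.123')

# 1. Cached resolutions of the update/ad domains. The DNS client cache only
#    holds entries until their TTL expires, so an empty result is not a clean
#    bill of health; it only means nothing resolved recently.
$dnsHits = Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $Domains -contains $_.Entry.ToLower() -or $Domains -contains $_.Name.ToLower() }

# 2. Established HTTP connections to the listed addresses, with the owning
#    process attached. Assumption: these are cloud-hosted addresses that can be
#    reassigned, so confirm the process before acting on an IP match alone.
$tcpHits = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $Ips -contains $_.RemoteAddress -and $_.RemotePort -eq 80 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            PID     = $_.OwningProcess
            Process = $proc.ProcessName
            Path    = $proc.Path
        }
    }

Write-Host "DNS cache hits:"
$dnsHits | Format-Table Entry, Data, TimeToLive -AutoSize
Write-Host "Established connections to listed addresses:"
$tcpHits | Format-Table -AutoSize

# 3. Optional: sinkhole the domains so the helper cannot reach its updater
#    endpoints (including /updater/dedu.txt) during cleanup. Idempotent: a
#    domain already pointed at 0.0.0.0 is not added twice.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$existing  = Get-Content -LiteralPath $hostsFile -ErrorAction SilentlyContinue
foreach ($d in $Domains) {
    $pattern = '^\s*0\.0\.0\.0\s+' + [regex]::Escape($d) + '\s*$'
    if (-not ($existing | Where-Object { $_ -match $pattern })) {
        Add-Content -LiteralPath $hostsFile -Value "0.0.0.0 $d"
        Write-Host "Sinkholed $d"
    }
}
```

The hosts-file entries are a stopgap for the duration of the cleanup, not a replacement for removing the helper and its updater; once both are gone the entries can be deleted, or left in place as a cheap tripwire if the domains show up again in the DNS cache.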
