helper.dll

Rational Thought Solutions

This is part of an adware program designed to inject advertising (banners, text links) into the web browser, modify the browser's normal behavior, and modify the system settings that control which applications run at startup. It is part of the Injekt brand of unwanted programs. The module helper.dll by Rational Thought Solutions has been detected as adware by 16 anti-malware scanners. It is typically executed from the user's temporary directory.
Publisher:
Rational Thought Solutions (signed and verified)

MD5:
110570663beec7b8843eb1f512b2084e

SHA-1:
4789584396ea75dbb953e12cb87bc3d8baf0bf24

SHA-256:
741bea374653d1bce5480f4b718d054ab2677115da7de3356bf8690189097928

Scanner detections:
16 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads into the web browser, and alters the browser's settings (home page, search, DNS, and security protocols).

Analysis date:
4/24/2024 12:18:10 AM UTC

Scan engine          Detection                                    Engine version
Agnitum Outpost      PUA.PullUpdate                               7.1.1
AhnLab V3 Security   PUP/Win32.PullUpdate                         2015.08.04
Avira AntiVirus      ADWARE/Adware.Gen7                           8.3.1.6
AVG                  Generic_r                                    2016.0.3028
Baidu Antivirus      Adware.MSIL.PullUpdate                       4.0.3.1584
Bkav FE              W32.HfsAdware                                1.3.0.6979
Dr.Web               Adware.Yontoo.68                             9.0.1.0216
ESET NOD32           MSIL/Adware.PullUpdate (variant)             9.12039
IKARUS anti.virus    AdWare.Agent                                 t3scan.1.9.5.0
Malwarebytes         PUP.Optional.PullUpdate.A                    v2015.08.04.10
McAfee               Artemis!110570663BEE                         5600.6684
NANO AntiVirus       Riskware.Win32.Yontoo.dqxulg                 0.30.24.2668
Panda Antivirus      PUP/PullUpdate                               15.08.04.10
Reason Heuristics    PUP.Injekt.RationalThoughtSolutions (M)      15.8.4.10
Rising Antivirus     PE:Adware.PullUpdate!6.258A                  23.00.65.15802
SUPERAntiSpyware     Adware.PullUpdate/Variant                    9712

File size:
1.3 MB (1,359,856 bytes)

File type:
Dynamic link library (Win32 DLL)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\helper.dll

Digital Signature
Authority:
Symantec Corporation

Valid from:
1/24/2015 1:00:00 AM

Valid to:
4/25/2016 1:59:59 AM

Subject:
CN=Rational Thought Solutions, O=Rational Thought Solutions, L=St. James, S=St. James, C=BB

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
00B81C1C4DB6AD87B9B581116F115E4C

File PE Metadata
Compilation timestamp:
7/31/2015 3:39:05 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:P2Vf0QHyV8D8LFFBZDKNwHlC5kI/CarPP76x5BLY0aUTVWB5ORrbxLelLij:P5QHyV8DyFFBZDKNwHla/JH7mBcYRvRv

Entry address:
0xDC9D4

Entry point:
55, 8B, EC, 83, 7D, 0C, 01, 75, 05, E8, 10, DF, 00, 00, FF, 75, 10, FF, 75, 0C, FF, 75, 08, E8, 07, 00, 00, 00, 83, C4, 0C, 5D, C2, 0C, 00, 6A, 0C, 68, D8, 78, 12, 10, E8, 6D, 6A, 00, 00, 33, C0, 40, 8B, 75, 0C, 85, F6, 75, 0C, 39, 35, 98, 90, 13, 10, 0F, 84, E4, 00, 00, 00, 83, 65, FC, 00, 83, FE, 01, 74, 05, 83, FE, 02, 75, 35, 8B, 0D, 44, C4, 10, 10, 85, C9, 74, 0C, FF, 75, 10, 56, FF, 75, 08, FF, D1, 89, 45, E4, 85, C0, 0F, 84, B1, 00, 00, 00, FF, 75, 10, 56, FF, 75, 08, E8, 11, FE, FF, FF, 89, 45, E4...
Developed / compiled with:
Microsoft Visual C++

Code size:
1 MB (1,085,440 bytes)