InstallHelper.dll

ToolbarInnoSetupHelper

First Offer LTD

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed without consent. The module InstallHelper.dll by First Offer has been detected as adware by 4 anti-malware scanners. The program is a setup application that uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software, including toolbars and browser extensions, through a pay-per-install monetization scheme.
Publisher:
First Offer LTD  (signed and verified)

Product:
ToolbarInnoSetupHelper

Version:
1.0.0.0

MD5:
dea44952068c0f582b4e98010cb55e20

SHA-1:
0e9c218af8b0d482d4a169430f0be74e08f7378a

SHA-256:
ed1727a79990031499c7feae34f927c364da7f976443b4de2439cb317e0beab0

Scanner detections:
4 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/25/2024 10:31:48 PM UTC  (today)

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| avast! | Win32:InstalleRex-BF [PUP] | 2014.9-141101 |
| AVG | Generic | 2015.0.3304 |
| Dr.Web | Adware.Plugin.364 | 9.0.1.0305 |
| Reason Heuristics | PUP.Installer.FirstOffer.N | 14.11.1.8 |

File size:
133.1 KB (136,264 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2012

Original file name:
InstallHelper.dll

File type:
Dynamic link library (Win32 DLL)

Bundler/Installer:
WebPick InstalleRex

Language:
Swedish (Sweden)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\installhelper.dll

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
10/8/2013 2:00:00 AM

Valid to:
10/9/2014 1:59:59 AM

Subject:
CN=First Offer LTD, O=First Offer LTD, STREET=Habarzel 21 Tel Aviv, L=Tel aviv, S=Israel, PostalCode=69710, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
49900242461D96CB7B045BE0A258338E

File PE Metadata
Compilation timestamp:
10/1/2014 10:15:03 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:7OeuqJ5A/QgZQG9/Tih9rd89RkhHsUVN0ijim:nuqBh9a92/Om

Entry address:
0x20DCE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 02, 01, 00, 06, 04, 01, 00, 06, 09, 01, 00, 06, 0B, 01, 00, 06, 0D, 01, 00, 06, 28, 00, 00, 06, 29, 00, 00, 06, 2A, 00, 00, 06, 2B, 00, 00, 06, 2E, 00, 00, 06, 30, 00, 00, 06, 31, 00, 00, 06, 33, 00, 00, 06, 34, 00, 00, 06, 35, 00, 00, 06, 36, 00, 00, 06, 37, 00, 00, 06, 38, 00, 00, 06, 39, 00, 00, 06, 3A, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
123.5 KB (126,464 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

 
http://c1.stylezip.info/?step_id=1&installer_id=12820644&publisher_id=282&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=38461932&external_id=0&session_id=76923864&hardware_id=89744508&installer_file_name=installhelper.dll
