ADW_WINAD.H

Type: Adware

In the wild: No

Destructive: No

Language: English

Systems affected: Windows 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Low

Reported detections:

Low

System impact:

Low

Information exposure:

Low

Description:

This adware may arrive on a system as a file downloaded from the Internet by an unknowing user while visiting Web sites. It is freeware that displays ActiveX popup advertisements.

Upon execution, it drops several files.

It creates a registry entry to ensure its automatic execution at every system startup. It also creates certain registry entries as part of its installation routine.

Description created: Feb 17, 2005



TECHNICAL DETAILS



Initial samples received on: Feb 17, 2005

Installer name: AdTools Service

File type: PE

Memory resident: No

Download URL: http://www.windupdates.com

File size: 134,775 Bytes

Details:

This adware may arrive on a system as a file downloaded from the Internet by an unknowing user while visiting Web sites. It is freeware that displays ActiveX popup advertisements.

Upon execution, this adware drops the following files:

  • %Program Files%\AdTools Service\AdTools.exe
  • %Program Files%\AdTools Service\AdToolsComm.dll
  • %Program Files%\AdTools Service\AdToolsKeep.exe
  • %Program Files%\AdTools Service\Info.txt
  • %System%\ide21201.vxd

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)

It creates the following registry entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
AdTools Service = "%Program Files%\AdTools Service\AdTools.exe"

It also creates the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\Software\AdTools Service
Param = "96e66a3e0b7ec801c58a1c614211eddadbd55fbc4a7195:3863346261646666626136316263363438656663346364373531383936333063"
Track = "1"
LastUpdate = "4214ff1e"
Updating = "1"
Reqcount = "1"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Uninstall\AdTools Service
UninstallString = "%Program Files%\AdToolsService\AdTools.exe /Remove"
DisplayName = "AdTools Service"

This adware runs on Windows 98, ME, NT, 2000, and XP.




SOLUTION


Minimum scan engine version needed: 8.000

Spyware pattern version needed: 0.619.00

Pattern release date: Mar 18, 2008


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Grayware Files

Download the latest spyware pattern file and scan your computer. Note the path and file name of all files detected as ADW_WINAD.H.

Terminating the Grayware Process

This procedure terminates the running grayware process.

  1. Open Windows Task Manager.
    On Windows 98 and ME, press
    CTRL+ALT+DELETE.
    On Windows NT, 2000, XP, and Server 2003, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the grayware file(s) detected earlier.
  3. Select the grayware process, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
  4. To check if the grayware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third-party process viewer such as Process Explorer to terminate the grayware process.

If the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Removing Autostart Entry from the Registry

This solution deletes the registry entry added by this grayware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    AdTools Service = "%Program Files%\AdTools Service\AdTools.exe"
    (Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

NOTE: If you were not able to terminate the grayware process as described in the previous procedure, restart your system.

Removing Other Grayware Entries from the Registry

This solution deletes the registry entries added by this grayware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>AdTools Service
  2. In the right panel, locate and delete the following entries:
    Param = "96e66a3e0b7ec801c58a1c614211eddadbd55fbc4a7195:3863346261646666626136316263363438656663346364373531383936333063"
    Track = "1"
    LastUpdate = "4214ff1e"
    Updating = "1"
    Reqcount = "1"
  3. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Uninstall>AdTools Service
  4. In the right panel, locate and delete the following entries:
    UninstallString = "%Program Files%\AdToolsService\AdTools.exe /Remove"
    DisplayName = "AdTools Service"
  5. Close Registry Editor.
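The following triage script is an added example, not part of the Trend Micro advisory. It automates the checks in the procedures above on a live Windows host: it looks for the running process, the dropped files and the registry values listed under Technical Details, reports whatever it finds, and only with the -Remove switch performs the same terminations and deletions the manual steps describe. It assumes Windows PowerShell in an elevated (administrator) session; %Program Files% and %System% are resolved from the environment rather than hard-coded.

```powershell
# Added triage script, not part of the Trend Micro advisory. Reports the
# ADW_WINAD.H indicators listed on this page; with -Remove it also performs
# the deletions the manual procedure describes. Assumes an elevated session.
param([switch]$Remove)

$programFiles = $env:ProgramFiles               # %Program Files%, usually C:\Program Files
$systemDir    = [Environment]::SystemDirectory  # %System%, e.g. C:\Windows\System32

# Files the advisory says the adware drops
$files = @(
    "$programFiles\AdTools Service\AdTools.exe",
    "$programFiles\AdTools Service\AdToolsComm.dll",
    "$programFiles\AdTools Service\AdToolsKeep.exe",
    "$programFiles\AdTools Service\Info.txt",
    "$systemDir\ide21201.vxd"
)

# Registry values the advisory says the adware creates (key -> value names)
$regValues = @{
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' = @('AdTools Service')
    'HKLM:\Software\AdTools Service' = @('Param', 'Track', 'LastUpdate', 'Updating', 'Reqcount')
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\AdTools Service' = @('UninstallString', 'DisplayName')
}

$found = @()

# Processes started from the dropped executables; terminated first, as in the manual steps
foreach ($p in (Get-Process -Name 'AdTools', 'AdToolsKeep' -ErrorAction SilentlyContinue)) {
    $found += "PROC $($p.ProcessName) (PID $($p.Id))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $found += "FILE $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

foreach ($key in $regValues.Keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $regValues[$key]) {
        if ($props.PSObject.Properties[$name]) {
            $found += "REG  $key\$name = $($props.$name)"
            if ($Remove) { Remove-ItemProperty -LiteralPath $key -Name $name }
        }
    }
}

if ($found) { $found } else { 'No ADW_WINAD.H indicators found.' }
```

Run it once without -Remove to confirm the report matches the files noted during the pattern-file scan, then again with -Remove; a scan with the current pattern file afterwards verifies that nothing is still detected.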

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as ADW_WINAD.H. To do this, Trend Micro customers must download the latest virus pattern file and scan their computers. Other Internet users can use HouseCall, the Trend Micro online threat scanner.