allentech.net


Parasite: ClearSearch

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

ClearSearch is an address-bar-search hijacker distributed and controlled by PBH [Perkins, Brinson, Ho] LLC under the names ClearSearch (clear-search.com, clrsch.com) and Contraco (cntrc.net).

ClearSearch comprises an Internet Explorer Browser Helper Object (BHO) and a process run at startup that updates the software and reinstalls it if it has been partially removed.

Variants

ClearSearch/IECS: simple address bar search hijacker. Controlling servers at clrsch.com. Searches that do not match targeted terms are redirected to MSN.

ClearSearch/CSIE: includes a more complicated set of targeting instructions and functions, which at the time of writing do not appear to be working. Has new class ID and filenames. Controlling servers at qckads.com, sends unmatched address bar searches to Lycos and sidebar searches to MSN.

ClearSearch/Lycos: as CSIE, but lives in a different folder, ‘Program Files\Lycos’.

ClearSearch/CSBB: update to CSIE with different names/IDs, controlling servers at clrsch.com, sending searches to 81.201.104.136.

ClearSearch/CTIE: update to CSIE with different filenames, controlling servers at cntrc.net, sending searches to 81.201.104.136.

Also known as

BKDR_RULEDOR.E, by Trend anti-virus.

IGetNet/ClearSearch. ClearSearch was previously classified here as a variant of IGetNet, because it was installed using an IGetNet-authored installer over IGetNet’s update mechanism. However it is a separate codebase which has now been developed independently of the IGetNet software. IGetNet deny any further involvement with ClearSearch.

Distribution

ClearSearch/IECS was silently installed by IGetNet. This installer also removes any previously-loaded IGetNet variants, and disables the address-bar-search part of any known competitors it finds, including the Xupiter, HuntBar/MSLink, CommonName and NewDotNet parasites, as well as the iWon toolbar and Netword, which are not considered unsolicited commercial software.

ClearSearch/CSIE and ClearSearch/Lycos are silently installed by the Sidesearch parasite.

ClearSearch/IECS and ClearSearch/CSIE have been silently installed by the FavoriteMan parasite.

ClearSearch/CSBB is bundled by the EasySearchBar and WildMedia parasites and PBH LLC’s own product RipperX.

ClearSearch/CTIE is bundled by other PBH products including MiniWeatherAgent and a Minigolf game advertised by a Flash-game pop-up.

What it does

Advertising

Yes. Can open pop-up/pop-under windows when targeted search terms are entered.

Privacy violation

Sends address bar search terms to its controlling servers together with a trackable unique user ID.

Security issues

Yes. Can silently download and execute arbitrary code from its controlling server, as a self-updating feature.

Stability problems

In testing the CTIE variant, any address bar search would pause and then fail without any search results. Using a nonexistent domain would consistently crash Internet Explorer.

Removal

The IECS variant provides no uninstaller. The CSIE variant, as if to make up for this, supplies five uninstallers in the Control Panel’s Add/Remove Programs feature: ‘LookSmart Search’, ‘Lycos Search’, ‘RON Display’, ‘URL Display’ and ‘Context Display’. Sadly they don’t seem to work.

The CSBB variant calls them ‘Search Aid’, ‘Alt Win’, ‘RON Display’, ‘URL Display’ and ‘Context Display’. For me, these not only didn’t work, but also crashed the Add/Remove Programs panel.

The CTIE variant is thankfully back to having no uninstaller at all.

Manual removal

Open a command prompt window (from Start->Programs->Accessories) and enter the following commands. For the IECS variant:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ClearSearch\IE_ClrSch.DLL"

Or, for the CSIE variant:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ClearSearch\CSIE.DLL"

Or, for the Lycos variant:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Lycos\IEagent\CSIE.DLL"

Or, for the CSBB variant:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ClearSearch\CSBB.DLL"

Or, for the CTIE variant:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Cntrc\CTIE.DLL"

Then open the registry editor (click ‘Start’, choose ‘Run’, enter ‘regedit’), find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the entry for your variant: ‘ClrSchLoader’ or ‘CSVnPnn’ (IECS, CSBB variants; n is a number that varies), ‘ClrSrchLoader’ (CSIE, Lycos variants) or ‘CntrcLoader’ pointing at CTP002.exe (CTIE variant).

Reboot the machine and you should be able to delete the ‘ClearSearch’ folder in Program Files, ‘Lycos\IEagent’ in the Lycos variant or ‘Cntrc’ in the CTIE variant.

You can also delete the registry key ‘cntrc’ (CTIE variant) or ‘ClrSch’ (other variants) to clean up if you like. In the CSIE and CTIE variants you can also delete the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\SOFTWARE (which seems to exist due to an error in the installer).
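
To confirm which variant's startup entry is present before deleting anything, the Run-key value names from the removal steps can be matched against saved `reg query` output. This is an added example, not part of the original record or of the doxdesk detection script; the function name, the sample output, the file paths in it and the reading of ‘CSVnPnn’ as "CSV, digits, P, digits" are assumptions.

```python
import re

# Run-key value names listed in the removal steps, mapped to the variants they indicate.
# Assumption: each "n" in 'CSVnPnn' stands for one or more decimal digits.
INDICATORS = [
    (re.compile(r"^ClrSchLoader$", re.I), "IECS/CSBB"),
    (re.compile(r"^CSV\d+P\d+$", re.I), "IECS/CSBB"),
    (re.compile(r"^ClrSrchLoader$", re.I), "CSIE/Lycos"),
    (re.compile(r"^CntrcLoader$", re.I), "CTIE"),
]

# One value line of `reg query` output: indented name, REG_* type, then data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s*(?P<data>.*)$")


def find_clearsearch_run_entries(reg_query_output):
    """Return (value_name, variant, data) for each Run entry matching an indicator."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name = m.group("name")
        for pattern, variant in INDICATORS:
            if pattern.match(name):  # registry value names are case-insensitive
                hits.append((name, variant, m.group("data").strip()))
                break
    return hits


# Constructed sample of `reg query` output for the Run key; the value data
# (paths and file names other than CTP002.exe) is made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundDriver    REG_SZ    C:\Windows\system32\example-audio.exe
    CSV2P01    REG_SZ    C:\Program Files\ClearSearch\example-loader.exe
    CntrcLoader    REG_SZ    C:\Program Files\Cntrc\CTP002.exe
"""

if __name__ == "__main__":
    for name, variant, data in find_clearsearch_run_entries(SAMPLE):
        print(f"{variant}: {name} -> {data}")
```
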

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
