
InterMute : Support : Spyware Research Center


Description

ClearSearch is an address-bar-search and search-sidebar hijacker from clear-search.com/clrsch.com, consisting of an Internet Explorer Browser Helper Object (BHO) and a process run at startup that updates and reinstalls the software.

Variants

ClearSearch/IECS: simple address bar search hijacker. At the time of writing, points searches to MSN.

ClearSearch/CSIE: includes a more complicated set of targeting instructions and functions, which at the time of writing do not appear to be working. Sends address bar searches to Lycos and sidebar searches to MSN. Has new class ID and filenames.

ClearSearch/Lycos: as CSIE, but lives in a different folder, Program Files\Lycos.

ClearSearch/CSBB: update to CSIE with different names/IDs, targeted at 81.201.104.136 (a Copernic/Inktomi cost-per-click search server).

Also known as

BKDR_RULEDOR.E, by Trend anti-virus.

IGetNet/ClearSearch. ClearSearch was previously classified here as a variant of IGetNet, because it was installed using an IGetNet-authored installer over IGetNet's update mechanism. However it is a separate codebase which has now been developed independently of the IGetNet software. IGetNet deny any further involvement with ClearSearch.

Distribution

ClearSearch/IECS was silently installed by IGetNet. This installer also removes any previously-loaded IGetNet variants, and disables the address-bar-search part of any known competitors it finds, including the Xupiter, HuntBar/MSLink, CommonName and NewDotNet parasites, as well as the iWon toolbar and Netword, which are not considered unsolicited commercial software.

ClearSearch/CSIE and ClearSearch/Lycos are silently installed by the Sidesearch parasite.

ClearSearch/IECS and ClearSearch/CSIE have been silently installed by the FavoriteMan parasite.

ClearSearch/CSBB is silently installed by the WildMedia parasite.

What it does

Advertising

Yes. The ClearSearch/CSIE, Lycos and CSBB variants have the ability to open pop-up (and pop-under) windows. However this has not, at the time of writing, been observed in operation. The terms of use for ClearSearch do mention the software opening pop-ups.

Privacy violation

Unknown.

Security issues

Yes. Can silently download and execute arbitrary code from its controlling server, as a self-updating feature.

Stability problems

No.

Removal

The IECS variant provides no uninstaller. The CSIE variant, as if to make up for this, supplies five uninstallers in the Control Panel's Add/Remove Programs feature: LookSmart Search, Lycos Search, RON Display, URL Display and Context Display. Sadly they don't seem to work.

The CSBB variant calls them Search Aid, Alt Win, RON Display, URL Display and Context Display. For me, these not only didn't work, but also crashed the Add/Remove Programs panel.

Manual removal

Open a command prompt window (from Start->Programs->Accessories) and enter the following commands. For the IECS variant:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ClearSearch\IE_ClrSch.DLL"

Or, for the CSIE variant:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ClearSearch\CSIE.DLL"

Or, for the CSBB variant:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ClearSearch\CSBB.DLL"

Or, for the Lycos variant:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Lycos\IEagent\CSIE.DLL"

Then open the registry (click Start, choose Run, enter regedit), find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the entry ClrSchLoader (IECS, CSBB variants) or ClrSrchLoader (CSIE, Lycos variants).

Reboot the machine and you should be able to delete the ClearSearch folder in Program Files, or Lycos\IEagent in the Lycos variant.

You can also delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\ClrSch to clean up if you like, and for the CSIE variant also the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\SOFTWARE (which seems to be a programming error).
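
The indicators from the removal steps above, collected into a read-only PowerShell check that reports which variant's files and registry entries are present. This is an added example, not part of the original page; it assumes the page's \Program Files paths are on the system drive, and it changes nothing on the machine.

```powershell
# Read-only audit for the ClearSearch indicators listed in the removal steps.
# Nothing is unregistered or deleted; removal remains the manual procedure.
# Assumption: the page's "\Program Files" paths are on the system drive.
$pf = Join-Path $env:SystemDrive 'Program Files'

# Variant -> BHO DLL (relative to Program Files) and Run value name, from the page.
$variants = @(
    @{ Name = 'IECS';  Dll = 'ClearSearch\IE_ClrSch.DLL'; Run = 'ClrSchLoader'  },
    @{ Name = 'CSIE';  Dll = 'ClearSearch\CSIE.DLL';      Run = 'ClrSrchLoader' },
    @{ Name = 'CSBB';  Dll = 'ClearSearch\CSBB.DLL';      Run = 'ClrSchLoader'  },
    @{ Name = 'Lycos'; Dll = 'Lycos\IEagent\CSIE.DLL';    Run = 'ClrSrchLoader' }
)

# Startup entries live under this key; read it once.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue

# The Run value names are shared between variants, so the DLL path is what
# tells the variants apart; the Run value shows whether the loader is active.
$report = foreach ($v in $variants) {
    $dll = Join-Path $pf $v.Dll
    $cmd = if ($run) { $run.($v.Run) } else { $null }
    [pscustomobject]@{
        Variant    = $v.Name
        DllPath    = $dll
        DllPresent = Test-Path -LiteralPath $dll
        RunValue   = $v.Run
        RunCommand = $cmd   # empty when the startup entry is absent
    }
}

# Optional clean-up keys named on the page (the second applies to CSIE).
$leftovers = @(
    'HKLM:\SOFTWARE\ClrSch',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\SOFTWARE'
) | ForEach-Object {
    [pscustomobject]@{ Key = $_; Present = Test-Path -LiteralPath $_ }
}

$report    | Format-Table -AutoSize
$leftovers | Format-Table -AutoSize
```

Run it again after the reboot step: every DllPresent and Present column should read False and RunCommand should be empty.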

Copyright © 2005 InterMute, Inc.