
Adware.ClearSearch

Updated:
February 13, 2007 11:34:10 AM
Type:
Adware
Publisher:
www.clrsch.com
Risk Impact:
High
File Names:
Loader.exe, Delete me.exe, CSP001.exe, csLDRupdater.DLL, csAOLinst.DLL, CSIE.dll, CSIEINST.dll, CS
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.ClearSearch is executed, it performs the following actions:
  1. Creates the following folders:

    • %Temp%\ClrSch
    • %ProgramFiles%\ClearSearch
    • %ProgramFiles%\[RANDOM NAME]
    • %UserProfile%\Local Settings\Temp\clrsch

      Notes:
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

  2. Adds the values:

    "ClrSchLoader" = "[PATH TO THE ORIGINAL EXECUTABLE]"
    "CSV10P1" = "%ProgramFiles%\CSBB\CSP001.exe"
    "CSV10P070" = "%ProgramFiles%\CSBB\CSv10P070.exe"
    "[RANDOM NAME]" = "%ProgramFiles%\[RANDOM NAME]\[RANDOM NAME].exe"
    "5whgue21" = "%ProgramFiles%\5whgue21\5whgue21.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  3. Adds the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\ClrSch
    HKEY_LOCAL_MACHINE\SOFTWARE\CSBB
    HKEY_LOCAL_MACHINE\SOFTWARE\[ORIGINAL EXECUTABLE FOLDER NAME]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000221}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0F2A4ADC-DABF-4980-8DB4-19F67D7B1F95}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60494593-5408-447D-BD5E-A16640D6AF99}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CSIE.CSIECore
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CSIE.CSIECore.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000221}
    HKEY_CLASSES_ROOT\CLSID\[RANDOM VALUE]
    HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM VALUE]


  4. Periodically updates itself by downloading control data from a Web site on the clrsch.com domain.

  5. Contacts a Web site on the clrsch.com domain to track advertisements.
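
The folders, Run values and registry subkeys listed above can be checked on a host with a read-only script. The following is an added example, not part of the original write-up; the WOW6432Node and "Program Files (x86)" locations are assumptions for 64-bit Windows, which the page does not cover, and the [RANDOM NAME] and [RANDOM VALUE] entries cannot be matched by name.

```powershell
# Added example: read-only triage for the ClearSearch artifacts listed in this write-up.
# Fixed names are copied from the page. WOW6432Node and "Program Files (x86)" are
# assumptions added for 64-bit Windows; the page itself only covers 32-bit systems.

$runNames = 'ClrSchLoader', 'CSV10P1', 'CSV10P070', '5whgue21'
$subkeys = @(
    'ClrSch', 'CSBB',
    'Classes\CLSID\{00000000-0000-0000-0000-000000000221}',
    'Classes\Interface\{0F2A4ADC-DABF-4980-8DB4-19F67D7B1F95}',
    'Classes\TypeLib\{60494593-5408-447D-BD5E-A16640D6AF99}',
    'Classes\CSIE.CSIECore', 'Classes\CSIE.CSIECore.1',
    'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000221}'
)
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

# Folders from step 1, plus CSBB, which appears in the Run value paths of step 2.
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$folders = @(
    (Join-Path $env:TEMP 'ClrSch'),
    (Join-Path $env:windir 'Temp\ClrSch'),
    (Join-Path $env:USERPROFILE 'Local Settings\Temp\clrsch')
) + ($programDirs | ForEach-Object { Join-Path $_ 'ClearSearch'; Join-Path $_ 'CSBB' })

$findings = @()

foreach ($root in $roots) {
    # Subkeys from step 3 that have fixed names.
    foreach ($sub in $subkeys) {
        $path = "$root\$sub"
        if (Test-Path -LiteralPath $path) { $findings += "Registry key: $path" }
    }
    # Run values from step 2: match fixed names, or data pointing into a listed folder.
    $runPath = "$root\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -LiteralPath $runPath)) { continue }
    $runKey = Get-Item -LiteralPath $runPath
    foreach ($name in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($name)
        if ($runNames -contains $name -or $data -match '\\(CSBB|ClearSearch|ClrSch)\\') {
            $findings += "Run value: $runPath -> $name = $data"
        }
    }
}

foreach ($folder in $folders) {
    if (Test-Path -LiteralPath $folder) { $findings += "Folder: $folder" }
}

if ($findings.Count) { $findings } else { 'No listed ClearSearch artifacts found.' }
```

A clean result does not rule out the randomly named Run value and folder from steps 1 and 2; review the remaining Run entries manually.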

