Thread: ClearSearch.net

  1. #1
    Join Date
    Aug 2006
    Posts
    9
    Guys,

    Sorry if I'm being confusing. I am referring to the entry above Global Startup....As I mentioned in my initial post it is HKE_USER\s-1-5-21....1006\Software\Microsoft\Windows\Current Version\Run\
    Microsoft Update Detection and it is definitely associated with ClearSearch. I guess the thread is getting a little long but I also mentioned ClearSearch as the start of the problem in my first post and that's ClearSearch.net not .com. To recap ClearSearch.net is the result of a SpyBot scan. It branches down to the above mentioned reg key which also appears as an 04 item (above Global Startup) in the HJT scan.

    jholland, I haven't had time yet to do the WPFind scan that you recommend but will do and send.

    Thanks again for the time and patience,
    Robin

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    No, that is not associated with that;
    The entry you are citing;
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    Checks for updates to MS Works. This program noted above IS in the proper location C:\PROGRAM FILES\MICROSOFT WORKS.
    It has NOTHING to do with Clearsearch.
    This entry also is seen in numerous logs daily. It is there because the Microsoft Works Suite, by default, sets up automatic updates. This CAN be disabled. This has nothing to do with spyware. It is a legitimate, though unnecessary auto start file.

    I also apologize. You definitely DID say Clearsearch.net...just threw me when you mentioned that Spybot was scanning CoolWebSearch files...I thought, why would it be scanning Coolwebsearch files? I know now you meant scanning FOR Coolwebsearch files.
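
The check described in the post above (is the autostart target where its vendor installs it?) can be run across every Run-key value rather than one entry at a time. This PowerShell sketch is an added example, not part of the original thread; the `Get-CommandTarget` helper and the output column names are hypothetical, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: list Run-key autostart values for the current user and the
# machine, then report where each target file lives and who signed it.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the executable path out of a Run-key command line.
function Get-CommandTarget {
    param([string]$Command)
    # Expand %SystemRoot%-style variables first.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Quoted path: take what is inside the first pair of quotes.
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces: take everything up to ".exe".
    if ($expanded -match '^(.+?\.exe)\b') { return $Matches[1] }
    # Fallback: first whitespace-delimited token.
    return ($expanded -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $target  = Get-CommandTarget $command
        $exists  = Test-Path -LiteralPath $target -PathType Leaf
        $sig     = if ($exists) { Get-AuthenticodeSignature -LiteralPath $target } else { $null }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Command   = $command
            Target    = $target
            Exists    = $exists
            SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# One record per autostart entry; review Target and Signer together.
$results | Format-List
```

An entry whose target sits in its vendor's install folder and carries a valid signature from that vendor is consistent with a false positive; a missing signature alone is not proof of spyware, since many legitimate programs ship unsigned.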


  3. #3
    Join Date
    Aug 2006
    Posts
    9

    Oh yes!

    Attached is the WPFind log. I had to delete a bit to get it within the allowed limits. I hope I didn't cut anything essential.

    The Microsoft reg key in question is most definitely involved. It may well be a legitimate key and ClearSearch is hitching a ride. The reason I am so sure is that the SpyBot scan turns up ClearSearch in red (as in bad) and when you click on it for more info it branches down to the key in question. When you tell SpyBot to fix, it removes that key until you reboot. It undoubtedly recreates itself through Microsoft's endless powers and it takes ClearSearch right along with it.

    Robin

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Quote: Originally Posted by rada44
    Attached is the WPFind log. I had to delete a bit to get it within the allowed limits. I hope I didn't cut anything essential.

    The Microsoft reg key in question is most definitely involved. It may well be a legitimate key and ClearSearch is hitching a ride. The reason I am so sure is that the SpyBot scan turns up ClearSearch in red (as in bad) and when you click on it for more info it branches down to the key in question. When you tell SpyBot to fix, it removes that key until you reboot. It undoubtedly recreates itself through Microsoft's endless powers and it takes ClearSearch right along with it.

    Robin
    Robin, I don't even see the reg key HKEY_USER\S-1-5-21.....etc. even IN your WPFind log. You must have cut it out when you "deleted a bit". I don't see ClearSearch anywhere in the portion of the log that you posted.
    Have looked again at your HJT log, and I still don't see anything...however, your browser was running, your Messenger was running and SpyBot TeaTimer was running during the HJT scan. Close down ALL UNNECESSARY programs and run the HJT scan again. These all can interfere with getting an accurate scan.
    Last edited by jholland1964; 08-31-2006 at 11:46 PM.

  5. #5
    Join Date
    Aug 2006
    Posts
    5

    netsearch.net

    Dear Sir,
    I followed your procedure and loaded the log into Hijack Analyser but I'm afraid the results are 'all Greek to me':-

    http://hjt.iamnotageek.com/parse.php?log=256185

    Spybot Shows the following:-
    ClearSearch.Net: Autorun settings (CursorXP) (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-1220945662-1606980848-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CursorXP

    ClearSearch.Net: Autorun settings (ATIPTA) (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ATIPTA


    --- Spybot - Search && Destroy version: 1.3 ---
    2006-08-25 Includes\Cookies.sbi
    2006-08-25 Includes\Dialer.sbi
    2006-08-25 Includes\Hijackers.sbi
    2006-08-25 Includes\Keyloggers.sbi
    2004-11-29 Includes\LSP.sbi
    2006-08-25 Includes\Malware.sbi
    2006-08-25 Includes\PUPS.sbi
    2006-08-25 Includes\Revision.sbi
    2006-08-25 Includes\Security.sbi
    2006-08-25 Includes\Spybots.sbi
    2005-02-17 Includes\Tracks.uti
    2006-08-25 Includes\Trojans.sbi
    I've tried deleting the registry values but netsearch.net keeps on returning.
    I'd be most obliged for your help!
    Chas.

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Robin, I again apologize for not coming back after Aug. 16. It was a busy time here in my home, grandkids, etc. My online time was very limited. I truly am sorry. This is NOT how we hope this forum will work, I promise. I truly feel the problem WAS a false positive because of the older version of Spybot.
    I do hope this will not chase you away, I will be more vigilant. I promise.
    Judy

  7. #7
    Join Date
    Aug 2006
    Posts
    9

    Truly Thankful

    Judy,

    There is no need to apologize and I was not being sarcastic in my thanks. I've learned the hard way that in dealing with the "evil doers" of the computer world the course is never straightforward. Specifically, you made me aware of the need to keep things up-to-date and your confirmation of the false positive with explanation really did make me feel more comfortable. I have something less than full confidence in what I get from Microsoft. On the one hand Clearsearch.net seemed to do nothing but appear in the scan but on the other hand I didn't feel particularly good about having something lurking in the background tracking my every move.

    I also appreciate the time and patience that computer folks like you donate to help the computer-challenged like me in our time of need. If my comments were a little tart, it reflects my frustration more than anything else.

    Thanks again,
    Robin

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Sure didn't mean that your comments were anything other than what they were, comments. I WAS remiss in not checking back. You are right, one key thing in keeping your computer clean and running well is keeping an eye on your updates. Even though many can be set to automatic, there are many programs out there that just don't let you know if there is a newer version available. I always try to run the newest version of programs; this way you usually can be sure that little holes have been filled and things like these false positives have been corrected. Don't be a stranger.
    Judy
