ClearSearch.net

[jholland1964]

Robin,
Why would you think this file is showing in your log here;
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

As Gizmokid points out this IS a legitimate entry, nothing unusual about it. It is seen daily in many, if not most HJT logs.
Can you do another Spybot scan and post the log for us? or at least give us the exact wording of each item found?
You never mentioned Clearsearch, and now you say it finds it everytime too...

while it is scanning CoolWWWSeach files...

where does it find it? There should not be ANY CoolWWWSearch Files on the computer. Nothing like that is showing in your HJT log. Any of your logs.
None of these items are showing in your logs.

[jholland1964]

Download WPFind
Usage Instructions: Download WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard as a reply back here.

Note: It is important to note that not all files found with this program are necessarily bad. Please use extreme caution when deleting these files as it may cause problems with applications running on your machine.

[rada44]

Guys,

Sorry if I'm being confusing. I am referring to the entry above Global Startup....As I mentioned in my initial post it is HKE_USER\s-1-5-21....1006\Software\Microsoft\Windows\Current Version\Run\
Microsoft Update Detection and it is definitely associated with ClearSearch. I guess the thread is getting a little long but I also mentioned ClearSearch as the start of the problem in my first post and that's ClearSearch.net not .com. To recap ClearSearch.net is the result of a SpyBot scan. It branches down to the above mentioned reg key which also appears as an 04 item (above Global Startup) in the HJT scan.

jholland, I haven't had time yet to do WPFind scan that you recommend but will do and send.

Thanks again for the time and patience,
Robin

[jholland1964]

No, that is not associated with that;
The entry you are citing;
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
Checks for updates to MS Works. This program noted above IS in the proper location C:\PROGRAM FILES\MICROSOFT WORKS.
It has NOTHING to do with Clearsearch.
This entry also is seen in numerous logs daily. It is there because the Microsoft Works Suite, by default, sets up automatic updates. This CAN be disabled. This has nothing to do with spyware. It is a legitimate, though unnecessary auto start file.

I also apologize. You definitely DID say Clearsearch.net...just threw me when you mentioned that Spybot was scanning CoolWebSearch files...I thought, why would it be scanning Coolwebsearch files? I know now you meant scanning FOR Coolwebsearch files.

[rada44]

Attached is the WPFind log. I had to delete a bit to get it within the allowed limits. I hope I didn't cut anything essential.

The Microsoft reg key in question is most definitely involved. It may well be a legitimate key and ClearSearch is hitching a ride. The reason I am so sure is that the SpyBot scan turns up ClearSearch in red (as in bad) and when you click on it for more info it branches down to the key in question. When you tell SpyBot to fix is removes that key until you reboot. It undoubtedley recreates itself through Microsoft's endless powers and it takes ClearSearch right along with it.

Robin

[CharlesP]

Dear Sir,
I followed your procedure and loaded the log into Hijack Analyser but afraid the results are 'all Greek to me':-

http://hjt.iamnotageek.com/parse.php?log=256185

Spybot Shows the following:-
ClearSearch.Net: Autorun settings (CursorXP) (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1220945662-1606980848-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \CursorXP

ClearSearch.Net: Autorun settings (ATIPTA) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\ATIPTA


--- Spybot - Search && Destroy version: 1.3 ---
2006-08-25 Includes\Cookies.sbi
2006-08-25 Includes\Dialer.sbi
2006-08-25 Includes\Hijackers.sbi
2006-08-25 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2006-08-25 Includes\Malware.sbi
2006-08-25 Includes\PUPS.sbi
2006-08-25 Includes\Revision.sbi
2006-08-25 Includes\Security.sbi
2006-08-25 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-08-25 Includes\Trojans.sbi
I've tried deleting the registry values but netsearch.net keeps on returning.
I'd be most obliged for your help!
Chas.

[jholland1964]

Attached is the WPFind log. I had to delete a bit to get it within the allowed limits. I hope I didn't cut anything essential.

The Microsoft reg key in question is most definitely involved. It may well be a legitimate key and ClearSearch is hitching a ride. The reason I am so sure is that the SpyBot scan turns up ClearSearch in red (as in bad) and when you click on it for more info it branches down to the key in question. When you tell SpyBot to fix is removes that key until you reboot. It undoubtedley recreates itself through Microsoft's endless powers and it takes ClearSearch right along with it.

Robin

Robin, I don't even see the reg key HKEY_USER\S-1-5-21.....etc. even IN your WPFind log. You must have cut it out when you "deleted a bit". I don't see ClearSearch anywhere in the portion of the log that you posted.
Have looked again at your HJT log, and I still don't see anything...however, your browser was running, your Messenger was running and SpyBot TeaTimer was running during the HJT scan. Close down ALL UNNECESSARY programs and run the HJT scan again. These all can interfere with getting an accurate scan.

[bryanpweaver]

In my case I ran spybot and came up with the clearsearch.net errors after reportedly fixing them. I could instantly run spybot again and get the same error time after time.

I expanded the spybot error report so I could see the registry value then I double clicked the registry value and it pointed to my hklm....run. I opened the IMONTRAY entry in my registry and it was pointing to a directory C:\Program Files\Intel\Intel(R) Active Monitor\IMONTRAY.EXE.

I dont have that directory anymore since I uninstalled the Intel Active Monitor so I think spybot is errantly reporting clearsearch.net spybot for a ghost entry in my registry to a file that doesn't exist.

To get around spybot showing the error I reinstalled the Intel Active Monitor and all is well with the world.

http://www.intel.com/design/motherbd/active.htm

Hope that helps your problem too.

Bryan

[jholland1964]

Hi bryan,
Thanks for your input. I must say I have been a bit remiss in not checking back into this thread since Sept. 1st and the original poster, rada44, has not been back since Aug. 16. The second poster, CharlesP, has not come back since Aug. 31. One thing I finally found, which I believe actually would have solved the problem for CharlesP at least, is this; the version of SpyBot Search & Destroy that he, was using was out of date. Note here from his above post;

--- Spybot - Search && Destroy version: 1.3 ---

This false postive became a known issue with version 1.3 and WAS corrected with the newest version which is 1.4.

I do not know what version the original poster rada44 was using and since she never returned I have no way of knowing. I can assume, since no evidence was found in any of her logs that this may also be the case, also since her original HJT log was also an out of date version of that program.

This is why one of the things we always stress here is be sure each program used is the very latest version. There are always changes and adjustments being done, this is why new versions and updates are always ocurring.

Thanks again for your input bryan.
Judy

[rada44]

Judy and everyone else who's chimed in,

Actually, I did come back after August 16th, several times, but since I didn't get any response to my last post I just assumed the novelty had worn off. In the meantime I went to Microsoft's virus, etc. number which is free and now fairly straight forward, unlike the pre-SP2 days. I got somebody that was fairly knowledgeable right off the bat and he gave me two pieces of useful information. He said that Clearsearch.net was a variant of CoolWebSearch and that my problem seemed to be a false positve and I should just instruct Spybot to ignore. I'm running CWShredder 2.19 which I think is the latest version and it does not scan for Clearsearch.net.

I thought I had downloaded the latest version of Spybot as per your instructions, but, in fact, I am running 1.3 (will update). I was originally uncomfortable with the "ignore" solution but since both Microsoft and you agree about the false postive I feel better about it.

Thanks again for the help.

Robin