Wednesday, June 15, 2005

HijackThis vs. SearchForFree.

SearchForFree is a relatively new piece of adware/malware. It is a start page hijacker downloaded by icasserv.exe (a.k.a. AdClicker-CM, TROJ_ICASERV.A, and Trojan-Clicker.Win32.Small.fd). The start page itself is hijacked by htmlsync.exe. The infection also adds bookmarks (Favorites) to the Internet Explorer browser.

Because Virtual Grub Street seeks to bring computer users together with freeware (or, occasionally, trialware) tools with which to remove malware infections, the "How to Remove SearchForFree" page suggests downloading and running Pocket KillBox on individual key files and cleaning up the bits and pieces that remain.

This does not mean that Pocket KillBox is the only - or even, necessarily, the best - available means of removal. For the present, it is the only freeware fix that seems to be available. The vast majority of computer infections can be removed manually, provided the user is sufficiently aware of the specifics of manual removal and the dangers involved. The manual method can, however, be quite time consuming compared to an effective freeware fix.

HijackThis is a very popular tool used to glean detailed information on spyware, adware and trojans that may have invaded a computer. As described on the Tom Coyote HijackThis page, when launched it creates a log of "certain key areas of the Registry and Hard Drive and lists their contents. These are areas which are used by both legitimate programmers and hijackers. It's up to you to decide what should be removed."

It would not be entirely unfair to describe HijackThis as a program designed to simplify manual removal. Rather than search for files individually - the names of which the user may or may not know - and follow the file path to delete them, HJT provides an orderly log and a "fix" function. It is important to realize that the "fix" function is nothing more than a "delete" function, however, and the dangers inherent in manual removal remain. For an autostart (O4) entry, "fix" removes the registry value or Startup-folder item that launches the program; it does not kill the running process, and the executable the entry points to stays on disk until it is deleted by hand, which is why the threads discussed below delete files directly. Care must be taken not to delete legitimate files or registry keys. HJT keeps a backup of each entry it fixes (Config, Backups), but it is always advisable to make a backup copy of the files in question before proceeding.

While HJT tutorials are available on the web, the log in question is a great confusion to the uninitiated. When their computers become infected, they flock to "expert" forums where they post their raw logs and beg for further instructions. For one thing, there are a great many different file names, some vital for proper system operation and others malicious. Even after considerable study it can be difficult to know which are which.

These forum threads are a source of considerable information. They can introduce the reader to a wide range of freeware packages and free online scans available on the web. They also provide key file names and paths that can be used to find and manually remove the components of an infection, should the user prefer that option to downloading HijackThis or other programs.

The cleanest HJT fix, as regards SearchForFree, would seem to be the one represented by this thread from DesignTechnica. The expert directs the suppliant to download his preferred anti-adware/malware freeware packages:

Download The Stand Alone Version of CW Shredder, [SpyBot S&D], [Ad-Aware],...


They are probably the three best known throughout the web. But the instructions do not yet call for using the packages. Instead, the following:

Reboot To Safe Mode (tap F8 on Startup)
Delete this file
C:\WINDOWS\System32\icasServ.exe


A quick check at VGS's "How to Remove SearchForFree" reminds us that 'The file "icasserv.exe" is the downloader for this infection and is also known as the "icasserv-a trojan" (a.k.a. AdClicker-CM, TROJ_ICASERV.A, and Trojan-Clicker.Win32.Small.fd).'

In fact, none of the freeware packages is able to remove SearchForFree. The expert's removal instructions amount to nothing more than manually removing the key files of the SearchForFree infection while in Safe Mode:

C:\WINDOWS\System32\icasServ.exe
C:\WINDOWS\System32\isystem.exe
C:\WINDOWS\System32\ldriver.exe
C:\WINDOWS\htmlsync.exe

After the removal is effected, the suppliant is instructed that he should "Still In Safe Mode Delete all Temporary Internet Files, Cookies, Run CW Shredder, Ad-Aware and SpyBot S&D, delete what they find, Empty recycle bin." It is unclear what, if anything, from the SearchForFree infection is removed in this fashion.

It is important to realize that the "O4 - Startup: winupdate12900161[1].exe" entry that the expert deletes, after all of this, as the last step of the fix, is meant to repair a second infection not related to SearchForFree. An HJT log frequently shows more than one infection at once, and the entries for each must be sorted out before anything is fixed.

Geek Girl's fix, at this thread from My Tech Support's forums, has one advantage and one disadvantage compared to the thread from DesignTechnica's expert. On the downside, she requires a greater number of downloads:

Download / Install / Update / and Run: [Ad-Aware] SE check for any updates before running it. Get the plug-in for fixing VX2 variants. You can download it at this SITE[.] To run this tool, install to the hard drive, then open [Ad-Aware]->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection.

Download and install SpyBot S&D . Run SpyBot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit SpyBot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. You will use this later.


Again, all of these are quality pieces of freeware, but none of them can remove the infection.

On the upside, her instructions on how to remove the icasServ.exe file clearly involve using the "process manager" function of HijackThis to kill the running process first, so that the file is no longer in use when it is deleted:

Go into [HijackThis]->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one (You must kill them one at a time).

C:\WINNT\System32\icasServ.exe



The DesignTechnica thread seems to direct the suppliant to manually delete the file rather than use the process manager, relying on Safe Mode to keep the process from starting.


While there might appear to be two different file paths to icasServ.exe in the two threads, there are not. The path "C:\WINDOWS\System32\icasServ.exe" is the system path for a Windows XP machine. The path "C:\WINNT\System32\icasServ.exe" is the system path for a Windows 2000/NT machine. The file "icasServ.exe" always loads in the "%System%" path, that is, the System32 folder under the Windows directory, wherever that directory happens to be on a given machine. Note that htmlsync.exe sits one level up, in the Windows directory itself.
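The sorting-out described above - which log lines belong to SearchForFree, which process to kill, which file to delete for this Windows version, and which O4 entry belongs to a different infection - is mechanical enough to script. The following is an added example, not code from the original post, from Virtual Grub Street or from HijackThis: it reads a HijackThis log, matches O4 and "Running processes" lines against the four file names given above, resolves %WinDir% for XP versus 2000/NT, and sets aside any O4 entry it does not recognise. The log excerpt in it is constructed for illustration; the registry locations, label names and start-page URL are placeholders, not observed indicators. Only the four file names and the %System%/%WinDir% convention come from the page.

```python
"""Triage a HijackThis log for the SearchForFree components named on this page.

Added example; not part of the original post or of HijackThis.  The sample log
below is CONSTRUCTED: its registry locations, labels and URL are placeholders.
"""
import ntpath
import re

# Components named on the page, keyed by file name as the page spells it.  The
# value is the directory each lives in, with %WinDir% standing for C:\WINDOWS
# (XP) or C:\WINNT (2000/NT) so one table serves both.
SEARCHFORFREE_FILES = {
    "icasServ.exe": r"%WinDir%\System32",   # downloader (Trojan-Clicker)
    "isystem.exe":  r"%WinDir%\System32",
    "ldriver.exe":  r"%WinDir%\System32",
    "htmlsync.exe": r"%WinDir%",            # the actual start-page hijacker
}

# Assumed default install locations for the two Windows families on the page.
WINDIR = {"xp": r"C:\WINDOWS", "2000": r"C:\WINNT"}

# HJT autostart lines: "O4 - <location>: [<label>] <command>" or "O4 - Startup: <file>".
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<label>[^\]]*)\] )?(?P<cmd>.+)$")
# HJT R0/R1 lines carry the Internet Explorer start/search page.
R_RE = re.compile(r"^R[01] - .*?(?:Start Page|Search Page|Default_Page_URL) = (?P<url>.+)$")


def expected_paths(os_flavor):
    """Map lower-cased file name -> full path for the given Windows flavour."""
    windir = WINDIR[os_flavor]
    return {name.lower(): ntpath.join(d.replace("%WinDir%", windir), name)
            for name, d in SEARCHFORFREE_FILES.items()}


def exe_basename(text):
    """Lower-cased basename of the first *.exe in a command line or path."""
    m = re.search(r'([^\\/"\s]+\.exe)', text, re.IGNORECASE)
    return m.group(1).lower() if m else None


def same_system_file(path_a, path_b):
    """True when two paths name the same file relative to the Windows directory,
    so C:\\WINDOWS\\System32\\x.exe (XP) equals C:\\WINNT\\System32\\x.exe (2000)."""
    def canon(p):
        p = p.strip().lower()
        for w in WINDIR.values():
            if p.startswith(w.lower() + "\\"):
                return "%windir%" + p[len(w):]
        return p
    return canon(path_a) == canon(path_b)


def triage(log_text, os_flavor="xp"):
    """Return what to kill, what to delete, the hijacked start page, and any O4
    entries that are NOT SearchForFree (to be judged separately, never blindly fixed)."""
    expected = expected_paths(os_flavor)
    result = {"kill": [], "delete": [], "start_page": [], "other_o4": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            name = exe_basename(m.group("cmd"))
            if name in expected:
                if expected[name] not in result["delete"]:
                    result["delete"].append(expected[name])
            else:
                result["other_o4"].append(line)
            continue
        m = R_RE.match(line)
        if m:
            result["start_page"].append(m.group("url").strip())
            continue
        # Bare full paths come from the "Running processes:" section of the log.
        if line.lower().endswith(".exe") and "\\" in line:
            name = exe_basename(line)
            if name in expected:
                result["kill"].append(line)          # kill first, then delete
                if expected[name] not in result["delete"]:
                    result["delete"].append(expected[name])
    return result


# Constructed sample log for illustration only (placeholder keys, labels and URL).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\icasServ.exe
C:\WINDOWS\htmlsync.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\System32\icasServ.exe
O4 - HKLM\..\Run: [ldriver] C:\WINDOWS\System32\ldriver.exe
O4 - HKLM\..\Run: [htmlsync] C:\WINDOWS\htmlsync.exe
O4 - Startup: winupdate12900161[1].exe
"""

if __name__ == "__main__":
    plan = triage(SAMPLE_LOG, "xp")
    for key, items in plan.items():
        print(key + ":")
        for item in items:
            print("   ", item)
```

Run it against a real log with the right flavour ("xp" or "2000") and it prints the processes to kill in HJT's process manager, the full paths to delete in Safe Mode, the hijacked start page to reset, and, separately, the O4 entries it did not recognise, such as the winupdate12900161[1].exe item from the DesignTechnica thread, which belongs to another infection and needs its own verdict.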
