allentech.net

Parasite: EasySearchBar

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

EasySearchBar is an Internet Explorer toolbar. EasySearchBar (easysearchbar.com) is written by Alcena LLC (alcena.com) and controlled by Hot Rocket Marketing (hotrocketinc.com/adreportz.com).

Variants

EasySearchBar/esb comprises the search toolbar esb.dll itself and an updater process ESBUpdate.exe run at startup. The search toolbar’s ActiveX class names mention MotleyFool (fool.com), but only because it is based on related example code from codeproject.org.

EasySearchBar/Testing and EasySearchBar/DLManage are ActiveX downloader controls used to install EasySearchBar/esb. They typically bundle other parasites when they install, including ClearSearch/CSBB, TVMedia/SSK and SpecialOffers. Some EasySearchBar/Inst installers only install other parasites, and do not bother with the toolbar.

Distribution

Installed by ActiveX drive-by download on pop-up ads, including those spawned by ‘poisoned’ DRM-protected Windows Media files spread on file-sharing networks by Overpeer.

What it does

Advertising

No.

Privacy violation

No.

Security issues

Yes. Can silently download and execute arbitrary unsigned code from its controlling server esb.alcena.com. The ActiveX downloader controls of the Inst variants can also be used by any web page in the future to silently reinstall this and other bundled software from esb.alcena.com.

Stability problems

None known.

Removal

There is an entry in the Control Panel’s Add/Remove Programs list for ‘EasySearchBar’. However, this merely removes a registry key, which stops the toolbar from working. All program files are left in place, and the updater process is left installed.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ESB\esb.dll"

Next, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right, right-click and delete the entry ‘EasySearchBar’ pointing at ESBUpdate.exe.

Restart the computer and you should be able to delete the ‘ESB’ folder from Program Files, and the ‘esb’ folder from the Windows folder.

To remove the ActiveX downloader controls, open the Downloaded Program Files folder (inside the Windows folder) and remove the entry ‘TestingCtl Control’ (Testing variant) or ‘ESB Control’ (DLManage variant).
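
To confirm that the steps above left nothing behind, the following read-only PowerShell check looks for each leftover named in this section. It is an added example, not the detection script credited below or code from the original page; the function name Get-EsbLeftover is hypothetical, and the default %ProgramFiles% and %WinDir% locations and the Explorer shell view of Downloaded Program Files are assumptions.

```powershell
# Read-only check for the EasySearchBar leftovers named in the removal steps.
# Assumes default install locations on a 32-bit-era system; nothing is deleted.
function Get-EsbLeftover {
    $found = @()

    # Run-key autostart entry 'EasySearchBar' pointing at ESBUpdate.exe
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'EasySearchBar' -ErrorAction SilentlyContinue
    if ($run) {
        $found += [pscustomobject]@{ Type = 'RunEntry'; Item = $run.EasySearchBar }
    }

    # Program folders that Add/Remove Programs leaves in place
    $dirs = @(
        (Join-Path $env:ProgramFiles 'ESB'),
        (Join-Path $env:WinDir 'esb')
    )
    foreach ($dir in $dirs) {
        if (Test-Path -LiteralPath $dir) {
            $found += [pscustomobject]@{ Type = 'Folder'; Item = $dir }
        }
    }

    # ActiveX downloader controls, matched by the display names Explorer shows
    # in Downloaded Program Files (Testing and DLManage variants)
    $names = 'TestingCtl Control', 'ESB Control'
    $dpf = Join-Path $env:WinDir 'Downloaded Program Files'
    if (Test-Path -LiteralPath $dpf) {
        $shell = New-Object -ComObject Shell.Application
        $folder = $shell.NameSpace($dpf)
        if ($folder) {
            foreach ($item in $folder.Items()) {
                if ($names -contains $item.Name) {
                    $found += [pscustomobject]@{ Type = 'ActiveX'; Item = $item.Name }
                }
            }
        }
    }
    $found
}

$result = Get-EsbLeftover
if ($result) { $result | Format-Table -AutoSize } else { 'No EasySearchBar leftovers found.' }
```

An empty result after the restart means the Run entry, both folders and both downloader controls are gone; any row that remains names the step to repeat.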

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
