Parasite: SearchSprint

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

SearchSprint is a toolbar, search results hijacker, e-mail address monitor and error page hijacker (targeted at errorplace.com), controlled by roings.com.

SearchSprint consists of two DLL files, stored in the Windows folder. One provides the plain search toolbar, the other is a Browser Helper Object (BHO) implementing the hijacker behaviour.

Variants

SearchSprint/Wat: in this first variant, the hijacker BHO has the fixed name wat.dll. Toolbar may not be present.

SearchSprint/Rnd uses randomly-generated nonsense for both filenames.

Distribution

Installed by the Roimoi downloader/adware trojan, to which it is closely related.

What it does

Advertising

Yes. When it detects search engine usage it contacts it adds advertising links from search.hi-results.com to the results page, masquerading as results from the search engine itself but marked as “sponsored by hi-results.com”.

Privacy violation

Yes. Any string that looks like an e-mail address, entered into a form on a web page, will be copied and sent to the server ems.emailrounders.com. The terms of use found at roings.com explain that such e-mail addresses will then be sent spam.

Security issues

Unknown.

Stability problems

There are some reports that the toolbar class may sometimes cause 100% CPU usage when an Internet Explorer window is opened.

Removal

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and find the key CLSID inside HKEY_CLASSES_ROOT. Open the subkey {AEE46806-2C5A-4A4E-A5DD-B4531F64A187} and select the ‘InprocServer32’ subkey inside it. The ‘(Default)’ value on the right should tell you the name of the toolbar DLL.

Next, open the Windows folder and look for another randomly-named file that, when you right-click and open the ‘Properties’ window, has an ’Internal Name’ of ‘wat.dll’.

Open a command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u ..\toolbar.dll
regsvr32 /u ..\bho.dll

(Replace ‘toolbar’ and ‘bho’ in these commands with the actual random-nonsense filenames you found in the previous steps.)

Restart the computer and you should be able to delete these two files from the Windows folder. You can also delete the registry key HKEY_LOCAL_MACHINE\Software\ssprint to clean up if you wish.