
Thread: SubSearch BHO


  1. #1
    HTML (Administrator)

    SubSearch BHO

    admin note: This thread is a spinoff from another. I felt it deserved its own thread, so I have moved this part of the conversation here. BUT... I messed up and deleted the posts I was moving here. Lucky I have it open in another browser window pre-delete; I will quote the posts which led to this thread.

    by benzden:

    Google is getting so good all we're going to have to do is place its search box on our site and tell people to just type in what they're looking for - no more need for 'links' to other related or interesting sites.

    ... hmmmmm, maybe I could start marketing sites for people that contain just their picture and a google search box in whatever kind of template they desire ...



    On Google ...

    Anyone know how to get rid of that annoying left side frame that began popping up with Google results about a week or so ago? (It shows the top 5 picks - oftentimes just ads for unrelated web sites.)
    by Mikailus:
    That thing on the left seems to come and go according to people I know who have seen it. I use Google all the time and have never seen it. May be a browser setting or experimental thing by Goo?

    I wondered if it only shows to people whose privacy settings block the adwords?
    by Dave:
    I have never heard of that before, could be associated with the new plan for the adwords.

    Speaking of Google, did you see the new Google based search box on the front page of the forums? I just added it yesterday, give it a shot, type in tables or something.
    by Mikailus:
    Apparently the cause of your problem is called BHO demon. It affects all search engines. It is discreetly packaged with Hotbar (hotbar.com) according to what I read about it today. Might be part of other free programs.

    Search for SbSrch_V2.dll and delete it.

    In the registry navigate to HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ and delete the KEY called "IeMsnSbSrch_1"

    If it won't delete click start/run and type in "cmd" without the quotes - at the dos prompt type "regsvr32 /u SbSrch_V2.dll" without the quotes - reboot. You should be able to delete it.

    There is a method to uninstall part of the program and get rid of it but I won't post it here as a matter of principle. You would be left with part of the program which is 100% scumware IMO.

    I can't verify this info as I haven't had to deal with it.

    Voila! No more side bar.

    More scumware to "enhance" our surfing experience by making itself look like a legitimate part of the web page we are searching on.
    by Mikailus:
    I installed hotbar and found nada. No file, couldn't reproduce the alleged effect.

    Maybe it comes with another proggy. Maybe Goo did something about it. Maybe the moon is made of cheese. Who knows?

    Anyone having problems with it may be able to verify the above info (or not).
    by benzden:
    Okay, knock on Bill Gates, I got rid of the left frame in the Google search results window. Here's how from a Windows 98 (presumably SE) OS:




    registry - HKEY_CURRENT_USER\Software\VB and VBA Program Settings\

    renamed IeMsnSbSrch_1 to IeMsnSbSrch_1out03306 and added a new String value named source03306 with the URL of this thread as the contents.



    start/run:

    regsvr32 /u C:\windows\system\sbsrch_V2.dll


    post reboot:

    renamed C:\WINDOWS\SYSTEM\SbSrch_V2.dll to
    SbSrch_V2out03306.dll




    Mine was dated 2/13/03, so that's when it probably appeared and began screwing up my search results display. I recommend the above method for any and all changes to the Windows OS files, because it leaves an audit trail of what one has done where it is done so that subsequent reappearances can be spotted more easily.

    Is this something that Ad-Aware should be aware of?
    by Mikailus:
    Did anyone with that left frame right click on the page it displayed and look at Properties to find out which site it was?

  2. #2
    HTML (Administrator)
    Ok, that post brings us up to now. I took a look at what you are getting and it is the SubSearch BHO (browser helper object), possibly related to adscholar ad network. I have not verified the adscholar link but am working on it.

    Adaware may already know about this; I know it is in the Spybot S&D database. However, I think you have the newer version, which was recently updated to try and avoid detection by the cleaners.

    What SubSearch does is it determines when you are doing a search and opens their own "enhanced results" on the side. These enhanced results are named so because they are paid links which enhance the owner's pocket while interfering with your internet experience.

    The first SubSearch BHO from December of 2002 was running on the backend www.hightrafficads.com, the newer version running www.popunder.info and www.cpcads.com

    The BHO does come complete with an auto-update function which does its work in the background. Is this to not bother you while you are doing other things or because they feel the less you know the better? Make up your own mind.

    A serious issue reported from doxdesk is the ability to "be directed by any web page to download any file and write it anywhere to the filesystem, including over other program files which may then get run".

    new ones "popping-up" all the time now

    Dave

  3. #3
    benzden (Senior Member)
    All of which confirms that the Windows OS, itself, is the biggest VIRUS or, at minimum, VIRUS enabling Gateway one has on their computer.




    Oh yes, before forgetting entirely:

    Thanks to Mikailus for that method of disabling that damn new advertising 'frame-up'.
    Last edited by benzden; 03-06-2003 at 05:20 PM.

  4. #4
    HTML (Administrator)
    Originally posted by benzden: "All of which confirms that the Windows OS, itself, is the biggest VIRUS or, at minimum, VIRUS enabling Gateway one has on their computer."

    Trust me, more than anybody I wish MS would close the holes. Sure MS could do a better job I am not doubting that, but I could guarantee if Netscape was the predominant browser the bums would program their BHOs and viruses to work in NS and forget about MS.

    SE spammers are not out there building their websites to spam Looksmart, nobody cares about that little place. Thousands of folks are sitting in front of their puters as we speak, trying to come up with some new method of spamming Google.

    It is about distribution more than it is vulnerabilities. What is the use of a virus that will not spread because the "highways" have no traffic to be the carriers. A BHO placed in a browser which is not used will have no yield.


    ...IMO

    Dave

  5. #5
    benzden (Senior Member)
    And, after reflecting on that "it's all Windows fault" post, I began thinking about Active-X, which can be toggled on or off via the IE Internet Options/Security process. I had it off for a long time and had to reactivate it before entering the Windows Update site and decided this last time to just leave it enabled.

    It seems that that's possibly how the sbsrc_v2.dll file got into my computer. I don't understand what advantages having Active-X enabled while browsing give me. Anyone who knows more about it care to expound on the pros and cons of Active-X?

  6. #6
    HTML (Administrator)
    I can confirm that it is an active-x exploit.

    Dave

  7. #7
    QuietDean (Administrator)
    Best bet is to set ActiveX install to 'prompt' instead of off or on. That way, you can decide for yourself.

    Any kosher object, it should be plainly obvious why you need it. If you are surprised, just say no.

    And NEVER set download unsigned activeX objects to enable.

  8. #8
    benzden (Senior Member)
    Setting it to prompt is as bad as visiting sites with multiple pop-ups. It has to be either on or off - I just turned it all off. The other thing it does is fill up my ZoneAlarm audiTrail access file every day - a file I transfer into a .cum(ulative) file whenever it exceeds 3k bytes, which is how I notice when it fills up faster than usual.

  9. #9
    Philippe (New User)
    Thanks to Mikailus, I did a search on my computer and found:

    SbSrch_V2.dll
    SbSrch_V21.dll
    SbSrch_V22.dll

    The first was dated 2 weeks into March 2003, then the following about 2 weeks later, and the last another 2-3 weeks later.

    And navigating to HKEY_CURRENT_USER\Software\VB and VBA Program Settings\, I found IeMsnSbSrch_1; and IeMsnSbSrch_2.

    When I checked in the properties for the annoying side bar, it appeared to be coming from www.popunder.info/... etc.

    I don't know how it got onto my computer, but I am glad I found this site!
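
An added example, not part of the original thread: a check over a registry export in regedit text format for the indicators posters name here (the `IeMsnSbSrch_N` settings keys and `SbSrch_VN.dll` files), which also resolves each registered Browser Helper Object to the DLL behind it. The sample export, its CLSIDs and `toolbar.dll` are constructed, and that SubSearch registers under the standard Internet Explorer BHO key is an assumption.

```python
import re
# Indicators named in this thread; the BHO key is the standard IE location.
DLL_RE = re.compile(r"sbsrch_v\d+\.dll$", re.IGNORECASE)
SETTINGS_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\(IeMsnSbSrch_\d+)$", re.I)
CLSID_RE = re.compile(
    r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[^}]+\})\\InprocServer32$", re.I)
BHO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
              "\\Explorer\\Browser Helper Objects\\").lower()

def parse_reg(text):
    """Parse export text into {key_path: {value_name: data}}, undoubling backslashes."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            current[name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_subsearch(reg_text):
    """Return (kind, detail) findings: leftover settings keys and registered BHO DLLs."""
    keys = parse_reg(reg_text)
    # CLSID -> DLL path, taken from each InprocServer32 default value ("@").
    servers = {m.group(1).lower(): vals["@"] for path, vals in keys.items()
               if (m := CLSID_RE.match(path)) and "@" in vals}
    findings = []
    for path in keys:
        if (m := SETTINGS_RE.match(path)):
            findings.append(("settings-key", m.group(1)))
        elif path.lower().startswith(BHO_PREFIX):
            dll = servers.get(path[len(BHO_PREFIX):].lower(), "")
            if DLL_RE.search(dll):
                findings.append(("bho", dll))
    return findings

# Constructed sample export; the CLSIDs and toolbar.dll are placeholders.
SAMPLE = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IeMsnSbSrch_1]
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IeMsnSbSrch_2]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-00000000AAAA}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-00000000BBBB}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\SbSrch_V21.dll"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000BBBB}\InprocServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
"""
print(find_subsearch(SAMPLE))
```

A file renamed the way post #1 describes (`SbSrch_V2out03306.dll`) no longer matches the DLL pattern, so only copies that still carry the original name are reported.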

  10. #10
    benzden (Senior Member)
    Just double checked and discovered no new sbSrch_V2's in the SYSTEM folder - still just the one I commented out on Mar 6th.

    And, no new entries in the registry, either; and, knock on Bill Gates, hopefully there won't be for quite a while.


