The iSearch Toolbar
With iDownload threatening various anti-spyware authors and security sites, we at the AHBL are in the mood to talk about our experiences with the iSearch toolbar and what it did to a machine owned by one of our users.
Before we begin, let us point you to some great articles on just how malicious the iSearch toolbar is, from other people's experience (Links: ABCNews, Spyware Guide, DSLReports, Benjamin Edelman, Wilders Security Forums, ReveNews). These sites are a good read on the toolbar and on what other people have gone through just to make this bastard of a program go away.
Now, we fully expect iDownload to threaten us and send us a C&D for posting this article. The AHBL takes abuse on the Internet very seriously, and will not let companies bully us into taking down the truth. If iDownload wishes to dispute the fact that their product is spyware, they are welcome to dispute any of our findings here with solid evidence and not just threats of lawsuits.
We are not afraid, nor do we run and hide in the face of a challenge.
It all started about a week ago with a call from one of our users, who was reporting that she was seeing an unusual toolbar on her screen. Every attempt to remove it had failed, and none of her anti-spyware programs were functioning (except for Microsoft Antispyware) anymore. Every time she attempted removal, the program would forcefully reinstall itself on reboot.
Using our remote control toolkit (consisting of either VNC or TB2k from Netopia), we started doing remote cleaning (easier said than done). Scans with Ad-Aware showed no spyware installed, while Spybot S&D would crash one of the critical system processes and force a shutdown. Microsoft Antispyware would attempt to remove iSearch, only to have it wedge itself back in on reboot, undoing everything done previously.
Using HijackThis, we managed to get a good idea of the way iSearch was doing its dirty deeds. With help from this site, we tracked down the toolbar DLL files and the miscellaneous droppings it leaves behind on the system. We then used CWShredder, an excellent program that can wrestle a lot of the most notorious toolbars out of the system. All was looking good until reboot, when the toolbar tried to come back once again, but this time Microsoft Antispyware was able to block it from putting the toolbar back in.
Step one complete! But, now we had another problem - how to fully remove it from the system so that it would quit trying to run itself on startup. Checking the installed ActiveX controls showed nothing, as did checking the Startup registry keys (both user and system).
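A sketch of the kind of HijackThis log triage described above, as an added example that is not from the original article: it pulls the browser helper, toolbar, autostart and ActiveX sections out of a log and flags entries worth checking by hand. The log excerpt is constructed, and every name, CLSID and path in it is a placeholder, not an iSearch indicator.

```python
import re

# Constructed HijackThis-style excerpt; all names, CLSIDs and paths are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {11111111-1111-1111-1111-111111111111} - C:\WINDOWS\system32\example_bho.dll
O2 - BHO: Example Reader Helper - {22222222-2222-2222-2222-222222222222} - C:\Program Files\ExampleReader\helper.dll
O3 - Toolbar: Example Toolbar - {33333333-3333-3333-3333-333333333333} - C:\DOCUME~1\user\LOCALS~1\Temp\example_tb.dll
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\av.exe"
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\upd.exe
O16 - DPF: {44444444-4444-4444-4444-444444444444} (Example Installer) - http://downloads.example.invalid/setup.cab
"""

# Log sections relevant to a toolbar that reinstalls itself at startup.
SECTIONS = {"O2": "browser helper object", "O3": "Internet Explorer toolbar",
            "O4": "autostart entry", "O16": "downloaded ActiveX control"}
ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
TEMP_HINTS = ("\\temp\\", "\\temporary internet files\\")

def parse(log):
    """Return (section, source, detail) for each line in a section of interest."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m and m.group(1) in SECTIONS:
            entries.append(m.groups())
    return entries

def reasons(section, detail):
    """Heuristics only: a flag means 'look at this by hand', not 'malicious'."""
    low = detail.lower()
    why = []
    if any(hint in low for hint in TEMP_HINTS):
        why.append("binary lives in a temp directory")
    if section == "O2" and low.startswith("(no name)"):
        why.append("browser helper object with no name")
    if section == "O16":
        why.append("ActiveX control downloaded from the web")
    return why

def triage(log):
    """List the entries that carry at least one flag, with the reasons."""
    found = [(s, d, reasons(s, d)) for s, _src, d in parse(log)]
    return [(s, SECTIONS[s], d, why) for s, d, why in found if why]

if __name__ == "__main__":
    for section, kind, detail, why in triage(SAMPLE_LOG):
        print(f"{section} ({kind}): {detail}\n    -> {'; '.join(why)}")
```

Entries that pass these checks are not thereby clean: as the account above shows, the registry startup keys can look normal while the reinstaller still runs from elsewhere.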
On a whim, we tried the iSearch Toolbar's uninstaller (we refuse to put the link to it here, for reasons you'll understand in a moment). This was perhaps the worst mistake we made: the uninstaller seemed to 'remove' the toolbar, but instead it tried to force the toolbar onto the system yet again (thankfully, Microsoft Antispyware stopped it). Poof went the system, and it forcefully rebooted itself while we were busy documenting what had happened so far. On reboot, the toolbar was back.
Frustrated, we decided to reinstall all of our antispyware programs. Once we had Ad-Aware installed, we discovered that doing a smart scan was pointless - it wasn't removing the startup program that was reinstalling the toolbar. After the 45-minute full scan of the machine, Ad-Aware had located a group of files installed in various locations, including temp directories. Once Ad-Aware had safely removed iSearch, we rebooted.
For the first time that day, the machine started without the iSearch toolbar trying to install. Success! A full scan in all of our other free antispyware tools we had on hand showed no traces remaining.
Unfortunately, the damage that was done to the machine because of the iSearch toolbar was severe - Norton Antivirus refused to work anymore, and we were having problems with various programs that relied on digital signatures to verify their program binaries. This was mostly due to damage to the Windows certificate store (the machine is unable to verify legit signatures anymore, and occasionally has problems visiting SSL enabled websites).
A review of the day produced the following overview:
Time spent on cleaning the machine: 6 - 7 hours.
Results of using the uninstaller: Nil - program forcefully reinstalled itself AFTER running the uninstaller
Programs needed to extract the toolbar: Ad-Aware, Microsoft Antispyware, HijackThis, CWShredder
How this toolbar got installed: Unknown, though the most likely cause is either a drive-by-download ActiveX control/exploit or the newly discovered Windows Media Player DRM exploit.
Total damage done to machine: Severe, even after fully removed, certain parts of the system refuse to function correctly:
1. Norton Antivirus refuses to function anymore due to inability to verify digital signatures on the main Norton Antivirus exe files. Reinstall does _not_ help, as the problem appears to be with the Windows certificate store.
2. Ad-Aware was crippled completely, changed to hide the results of the scans to prevent proper removal. Reinstall fixes this.
3. Spybot S&D was crippled completely, and would cause critical system processes to crash, forcing the machine to reboot. Reinstall fixes this.
4. Machine performance was severely degraded, Internet Explorer randomly crashing. Problem went away once iSearch Toolbar was removed.
5. Windows certificate store damaged, system is no longer capable of verifying digital certificates on binaries. This directly affects Norton Antivirus. Reinstall of Windows XP SP2 did not help, and system now has problems viewing some SSL sites.
So yes, iSearch toolbar is one of the worst pieces of malware/spyware/adware we have ever seen. After reviewing the iSearch toolbar agreement, we see these lovely lines which explain why all of our removal tools were crippled:
2. Functionality - Software delivers advertising and various information and promotional messages to your computer screen while you view Internet web pages. iSearch is able to provide you with Software free of charge as a result of your agreement to download and use Software, and accept the advertising and promotional messages it delivers.
By installing the Software, you understand and agree that the Software may, without any further prior notice to you, automatically perform the following: display advertisements of advertisers who pay a fee to iSearch and/or it's partners, in the form of pop-up ads, pop-under ads, interstitials ads and various other ad formats, display links to and advertisements of related websites based on the information you view and the websites you visit; store non-personally identifiable statistics of the websites you have visited; redirect certain URLs including your browser default 404-error page to or through the Software; provide advertisements, links or information in response to search terms you use at third-party websites; provide search functionality or capabilities; automatically update the Software and install added features or functionality or additional software, including search clients and toolbars, conveniently without your input or interaction; install desktop icons and installation files; install software from iSearch affiliates; and install Third Party Software.
In addition, you further understand and agree, by installing the Software, that iSearch and/or the Software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer, which, in turn, may disable or render inoperative, other software resident on your computer, including software bundled with such adware, or have other adverse impacts on your computer.
Apparently, iDownload likes to give itself the right to make whatever changes it wants to your system to ensure that its program isn't disabled/removed.
We at the AHBL have therefore, based on the above information, formed the following opinions about iSearch Toolbar:
iSearch Toolbar is Spyware
iSearch Toolbar is Adware
iSearch Toolbar is Malware
iSearch Toolbar does everything in its power to prevent removal, including crippling and damaging the system and other programs to accomplish this goal.
As we said earlier in this article, if iDownload wishes to dispute our findings, they are welcome to. We would actually like them to clarify and point out to us exactly why we got the results we did while trying to remove the iSearch toolbar, which was installed without the knowledge of the person who owns the computer in question.
The AHBL prides itself on being accurate, and will make any necessary corrections to this article to ensure that.