Spy-Bot.net Keeping You Aware of Intrusive Spyware


SubSearch

SubSearch is an Internet Explorer Browser Helper Object. It detects when you are using a search engine, and opens its own 'enhanced results' sidebar containing paid links. This is styled to look a bit like the search engine you are using at the time.

Variants

SubSearch/HighTraffic was the original version from December 2002. Its controlling server is www.hightrafficads.com. There are two subvariants, /A (from 11th December) and /B (17th December), which seem to vary only in their class ID.

SubSearch/v2 is a version rewritten as a single DLL, from January 2003. Its controlling server is www.popunder.info (with www.cpcads.com apparently acting as a backup). It opens a characteristic 'Enhanced Search' with sponsored links when you use any other search engine.

SubSearch/v21 and SubSearch/v22 are updates to v2. v22 adds an explorer-bar-search hijacker pointed at www.dothesearch.com.

Also known as

Qual Net, after the company name used in the original download file.

Distribution

Installed by ActiveX drive-by download in pop-up adverts sourced from Adscholar.

Later versions are installed by earlier variants through an update feature.

Advertising

Yes. Apart from the fake search results, v2 and later can also show pop-up adverts when IE is first opened, if directed to do so by their controlling server.

Privacy violation

No. Currently there is no unique ID or cookie being used to track search usage.

Security issues

Yes. SubSearch has a silent auto-update feature. The HighTraffic variant can be directed by any web site to download and execute code from its controlling server.

The v2-v22 variants connect periodically to their controlling server, which can direct them to download and execute code from it.

The v2 variant suffers from a critical security hole: it can be directed by any web page to download any file and write it anywhere to the filesystem, including over other program files which may then get run.

Stability problems

None known.

Removal

There is no uninstall feature. Most anti-spyware software can remove SubSearch.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands (HighTraffic variant):

cd "%WinDir%\System"
regsvr32 /u BHO2.dll
regsvr32 /u MSNIE.dll

Or for the v2 variant:

cd "%WinDir%\System"
regsvr32 /u sbsrch_v2.dll

Or for the v21 variant:

cd "%WinDir%\System"
regsvr32 /u SbSrch_V21.dll

Or for the v22 variant:

cd "%WinDir%\System"
regsvr32 /u msvcn.dll
regsvr32 /u SbSrch_V22.dll

Restart Windows and you should be able to delete the SubSearch program files from the System folder. (The System folder can be found in the Windows folder; it is called 'System32' on Windows NT/2000/XP, and just 'System' on Windows 95/98/Me.) These files are named BHO2.dll and MSNIE.dll (HighTraffic variant), sbsrch_v2.dll (v2), SbSrch_V21.dll (v21) or SbSrch_V22.dll (v22).

With the v2-v22 variants you can also delete winfgnet_1.dat or winfgnet_2.dat, and rmvold.exe (which may be there if you previously had v2 and it upgraded itself to v21).

The v22 variant also has msvcn.dll, restore.exe and backup.reg files to delete. Then you can use Internet Options -> Programs -> Restore Web Settings to get the default search explorer bar back.

You can also delete the registry key HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IeMsnSbSrch_1 (v2 and v21 variants) or HKEY_CURRENT_USER\Software\VB and VBA Program Settings\MsnIeUpdate to clean up if you like.
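To check which of the files named in the steps above are actually present before or after cleanup (for example on a mounted disk image), the following added example, which is not part of the original page, scans a Windows folder and returns the DLLs that still need regsvr32 /u and the files to delete per variant. The function names removal_plan and demo and the sample folder contents are assumptions made for illustration; file names are matched case-insensitively.

```python
import os
import tempfile

REGISTERED_DLLS = {  # these need "regsvr32 /u" before deletion
    "HighTraffic": ["BHO2.dll", "MSNIE.dll"],
    "v2": ["sbsrch_v2.dll"],
    "v21": ["SbSrch_V21.dll"],
    "v22": ["msvcn.dll", "SbSrch_V22.dll"],
}
SHARED_LEFTOVERS = ["winfgnet_1.dat", "winfgnet_2.dat", "rmvold.exe"]  # v2-v22
V22_LEFTOVERS = ["restore.exe", "backup.reg"]


def removal_plan(windows_dir):
    """Added example: map each variant found on disk to files to unregister/delete."""
    plan = {}
    for sub in ("System32", "System"):  # NT/2000/XP first, then 95/98/Me
        folder = os.path.join(windows_dir, sub)
        if not os.path.isdir(folder):
            continue
        present = {name.lower(): name for name in os.listdir(folder)}

        def hits(names):
            return [present[n.lower()] for n in names if n.lower() in present]

        for variant, dlls in REGISTERED_DLLS.items():
            found = hits(dlls)
            if not found or variant in plan:
                continue
            extra = hits(SHARED_LEFTOVERS) if variant != "HighTraffic" else []
            if variant == "v22":
                # Generic names: attributed to SubSearch only beside a v22 DLL.
                extra += hits(V22_LEFTOVERS)
            plan[variant] = {"folder": folder, "unregister": found,
                             "delete": found + extra}
    return plan


def demo():
    """Constructed sample: a System32 folder after v2 upgraded itself to v21."""
    with tempfile.TemporaryDirectory() as win:
        sysdir = os.path.join(win, "System32")
        os.mkdir(sysdir)
        for name in ("SBSRCH_V21.DLL", "winfgnet_1.dat", "rmvold.exe",
                     "restore.exe", "kernel32.dll"):
            open(os.path.join(sysdir, name), "w").close()
        return removal_plan(win)


if __name__ == "__main__":
    print(demo())
```

In the constructed sample, restore.exe is left out of the plan because no v22 DLL is present, so a file with that common name is not attributed to SubSearch on its own.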

 

© 2003 Spy-Bot.net     All Rights Reserved     info@Spy-Bot.net