ADW_RULEDOR.C
Overview



In the wild: No

Reported detections:

Low

 
Description:

Alias: Backdoor.Ruledor.C

This memory-resident adware program downloads and installs several applications into the system without first notifying the user. The installed applications mostly have adware functionalities as well.

Solution: 


TREND MICRO SOLUTION

  • Minimum scan engine version needed: 7.100
      TMAPTN version needed: 192.08

MANUAL REMOVAL INSTRUCTIONS

Identifying the Spyware Program

Download the latest spyware pattern file and scan your system. Note all files detected as ADW_RULEDOR.C.

Terminating the Adware Program

This procedure terminates the running adware process from memory. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    On Windows 95/98/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs, locate the adware file or files detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected adware files in the list of running processes.
  5. To check if the adware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the adware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries whose value name is any of the following (the data of each entry is the path of the program it starts, for example %Program Files%\ClearSearch\Loader.exe for ClrSchLoader):
    • ClrSchLoader
    • {2CF0B992-5EEB-4143-99C0-5297EF71F444}
    • UpdateStats
    • couponsandoffers
    • IEDriver
    • WhenUSave
    • RunWindowsUpdate
    • POP
    • AutoUpdater
NOTE: If you were not able to terminate the adware process from memory as described in the previous procedure, restart your system.

Uninstalling Applications

This procedure uninstalls the different applications installed by the adware.

  1. Open Windows Task Manager.
    On Windows 95/98/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs, locate the following processes:
    • Popsrv205.exe
    • sysmond.exe
    • hxdl.exe
    • autoupdate.exe
    • iedriver.exe
    • uptodate.exe
    • couponsandoffers.exe
    • save.exe
    • updatestats.exe
    • sync.exe
  3. Select each process then press either the End Task or the End Process button, depending on the version of Windows on your system.
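The process-termination steps above (both the Task Manager procedure for the detected files and this list of installed applications), as an added example that is not part of the Trend Micro write-up: on Windows XP Professional the same lookup can be done from the command line with `tasklist /FO CSV`, and the script below parses that output, matches image names case-insensitively (Windows file names are case-insensitive, and the list itself mixes "Popsrv205.exe" and "popsrv205.exe") and emits one `taskkill` per hit. The tasklist text is constructed for the example; the PIDs in it are made up.

```python
"""Find the adware processes listed above in `tasklist /FO CSV` output and
produce the taskkill commands that end them.  Added example, not Trend Micro code."""
import csv
import io

# Image names from the write-up, lower-cased for case-insensitive comparison.
ADWARE_IMAGES = {n.lower() for n in (
    "Popsrv205.exe", "sysmond.exe", "hxdl.exe", "autoupdate.exe", "iedriver.exe",
    "uptodate.exe", "couponsandoffers.exe", "save.exe", "updatestats.exe", "sync.exe")}

# Constructed sample in the format `tasklist /FO CSV` prints on Windows XP.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"explorer.exe","1264","Console","0","14,212 K"
"Popsrv205.exe","1588","Console","0","3,904 K"
"save.exe","1612","Console","0","5,120 K"
"iexplore.exe","1700","Console","0","22,016 K"
"IEDRIVER.EXE","1744","Console","0","2,560 K"
'''


def parse_tasklist(text):
    """Return {pid: image name} from CSV tasklist output (header row included)."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def adware_processes(text):
    """PIDs of running processes whose image name is on the adware list."""
    return {pid: name for pid, name in parse_tasklist(text).items()
            if name.lower() in ADWARE_IMAGES}


def taskkill_commands(text):
    """One `taskkill` per hit, by PID so each command names exactly the process
    seen in the listing; /F forces termination, /T also ends its child processes."""
    return [f"taskkill /F /T /PID {pid}" for pid in sorted(adware_processes(text))]


if __name__ == "__main__":
    for pid, name in adware_processes(SAMPLE_TASKLIST).items():
        print(f"{pid:>6}  {name}")
    print("\n".join(taskkill_commands(SAMPLE_TASKLIST)))
```

Two caveats a practitioner would add. `tasklist` does not show the executable's path, so confirm a hit is really the adware before killing it (`wmic process get ProcessId,ExecutablePath` shows the path), since short names such as sync.exe or save.exe could belong to something else. And the browser helper object DLLs in the file list (stlbdist.DLL, mseoxcl40.dll) never appear as processes: they are loaded inside Internet Explorer, so every IE window must be closed before those files can be deleted.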

Removing Other Adware Entries from the Registry

  1. Still in the Registry Editor, look for the following registry keys and delete them:
    • HKEY_LOCAL_MACHINE>SOFTWARE>ClrSch
    • HKEY_LOCAL_MACHINE>SOFTWARE>Lycos>Sidesearch
    • HKEY_LOCAL_MACHINE>SOFTWARE>StatBlaster
    • HKEY_LOCAL_MACHINE>SOFTWARE>{2CF0B992-5EEB-4143-99C0-5297EF71F444}
    • HKEY_LOCAL_MACHINE>SOFTWARE>WhenUSave
    • HKEY_LOCAL_MACHINE>SOFTWARE>TurboDownload
    • HKEY_LOCAL_MACHINE>SOFTWARE>POP
    • HKEY_LOCAL_MACHINE>SOFTWARE>Envolo
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
      CurrentVersion>Uninstall>Lycos Sidesearch
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
      CurrentVersion>Uninstall>StatBlaster
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
      CurrentVersion>Uninstall>{F20239CB-33DC-4ec6-959E-73EDEA0FE4D7}
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
      Uninstall>{BC3BBF86-E4EC-4412-9676-8355468B3B05}
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion
      >Uninstall>{14D108C8-DD97-4b78-8B50-C981500ABB8F}
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
      Uninstall>{1A00C40B-DA85-4aa3-A67F-582D9347EECD}
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
      Uninstall>ClockSync
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
      Uninstall>POP
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
      Uninstall>AMServer
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
      Uninstall>AutoUpdate
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
      Uninstall>couponsandoffers1.xml
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
      explorer>Browser Helper Objects
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Internet Explorer>Toolbar
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Internet Explorer>Extensions
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Internet Explorer>
      Explorer Bars

Deleting Adware Files and Folder

  1. Locate and delete the following files:
    • %Root%\setup_td.exe
    • %Root%\icinstaller.exe
    • %Root%\SaveInstCm.exe
    • %Root%\ezsb.exe
    • %Root%\couponsandoffers1.exe
    • %Root%\HXDLAZWM.exe
    • %Root%\uptodate.EXE
    • %Root%\stlbdist.XML
    • %System%\stlbdist.DLL
    • %System%\mseoxcl40.dll
    • %System%\sx.htm
    • %System%\TD.exe
    • %System%\sb.htm
    • %System%\auto_update_uninstall.exe
    • %System%\auto_update_uninstall.log
    • %Start Menu%\Lycos Sidesearch.lnk
    • %Start Menu%\ClockSync
    • %desktop%\Lycos Sidesearch.lnk
  2. In the Program Files folder, locate and delete the following folders and file:
    • AutoUpdate
    • POP
    • ClockSync
    • Save
    • couponsandoffers
    • Alset
    • Media\Media
    • Lycos\Sidesearch
    • ClearSearch
    • CLRSCHP038.EXE
  3. In the My Documents folder, locate and delete the following folder:
    data
  4. In the Windows Temp directory, locate and delete the following folders:
    • ckz4b783
    • AutoUpdate0
    • ClrSch

Resetting Internet Explorer Homepage and Search Page

This procedure restores the Internet Explorer homepage and search page to the default settings.

  1. Close all Internet Explorer windows.
  2. Open Control Panel. Click Start>Settings>Control Panel.
  3. Double-click the Internet Options icon.
  4. In the Internet Properties window, click the Programs tab.
  5. Click the “Reset Web Settings…” button.
  6. Select “Also reset my home page.” Click Yes.
  7. Click OK.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Download the latest spyware pattern file and scan your system. Then, delete all files detected as ADW_RULEDOR.C.

Details: 

Installation

This memory-resident adware program is usually installed manually in the system.

When run, it creates a folder named ClearSearch under the Program Files directory where it drops a copy of itself as LOADER.EXE. It then adds the following registry entries to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
ClrSchLoader="%Program Files%\ClearSearch\Loader.exe"

Upon system startup, it removes other Browser Helper Objects (BHOs). A BHO is a component, usually commercial software such as a toolbar or search assistant, that Internet Explorer (IE) loads into its own process whenever it starts.

Although a BHO should be harmless in itself, it runs with the browser's full access to every page viewed, and a BHO can:

  • Create windows to display additional information on a viewed page
  • Search Web pages viewed in IE and replace banner advertisements with other ads
  • Monitor and report browsing habits
  • Change home/search page

(Note: BHOs are usually not filtered by firewall software, because they run inside the browser process and their network traffic is indistinguishable from the browser's own.)
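The Run-key autostart entry described here (and the list of Run value names in the removal instructions above), together with the BHO mechanism just described, as an added example that is not part of the Trend Micro write-up: a Python script that parses the text Regedit or `reg export` produces (a .reg file), reports Run values whose name is one the write-up lists, and resolves every registered BHO through its CLSID to the DLL that IE would load, flagging the DLLs from the write-up's file list. The registry text below is constructed for the example and the BHO CLSID in it is made up; the real CLSID of the adware's BHO is not given on this page.

```python
"""Offline check of a Windows registry export (.reg text) for the autostart
entries and Browser Helper Objects described above.  Added example, not
Trend Micro code."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# Value names the write-up lists under the Run key, lower-cased because the
# registry compares names case-insensitively.
AUTOSTART_NAMES = {n.lower() for n in (
    "ClrSchLoader", "{2CF0B992-5EEB-4143-99C0-5297EF71F444}", "UpdateStats",
    "couponsandoffers", "IEDriver", "WhenUSave", "RunWindowsUpdate", "POP",
    "AutoUpdater")}
# DLLs from the write-up's file list; a BHO is a DLL that IE loads in-process.
ADWARE_DLLS = {"stlbdist.dll", "mseoxcl40.dll"}

# Constructed sample in Regedit export format; the BHO CLSID is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClrSchLoader"="C:\\Program Files\\ClearSearch\\Loader.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"couponsandoffers"="C:\\Program Files\\couponsandoffers\\couponsandoffers.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\WINDOWS\\System32\\stlbdist.DLL"
"ThreadingModel"="Apartment"
"""

# "name"=data or @=data; the name and string data are double-quoted and
# escape backslash and double quote with a backslash.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(?:"((?:[^"\\]|\\.)*)"|(.*))$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key path: {value name: data}}; the default value has name ''.
    Non-string data (dword:, hex:) is kept as its raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            data = _unescape(m.group(3)) if m.group(3) is not None else m.group(4)
            keys[current][name] = data
    return keys


def _lookup(keys, path):
    """Case-insensitive key lookup, since registry paths are case-insensitive."""
    want = path.lower()
    for k, v in keys.items():
        if k.lower() == want:
            return v
    return {}


def autostart_hits(keys):
    """Run values whose *name* is one the write-up lists, with the command they start."""
    return {n: d for n, d in _lookup(keys, RUN_KEY).items() if n.lower() in AUTOSTART_NAMES}


def bho_dlls(keys):
    """Map every registered BHO CLSID to the DLL IE would load for it
    (the default value of HKCR\\CLSID\\{clsid}\\InProcServer32)."""
    prefix = BHO_KEY.lower() + "\\"
    out = {}
    for k in keys:
        if k.lower().startswith(prefix):
            clsid = k[len(prefix):].split("\\")[0]
            server = _lookup(keys, f"{CLSID_KEY}\\{clsid}\\InProcServer32")
            out[clsid] = server.get("")
    return out


def suspicious_bhos(keys):
    """BHOs whose DLL file name is one of the adware's DLLs."""
    return {c: d for c, d in bho_dlls(keys).items()
            if d and d.rsplit("\\", 1)[-1].lower() in ADWARE_DLLS}


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for name, cmd in autostart_hits(reg).items():
        print(f"Run value {name!r} -> {cmd}")
    for clsid, dll in suspicious_bhos(reg).items():
        print(f"BHO {clsid} -> {dll}")
```

Resolving CLSIDs to DLL paths is the useful part: the BHO key itself lists only GUIDs, so a BHO that an analyst does not recognise by GUID still shows up by the file it loads, and `bho_dlls` lists every BHO, not just the flagged ones, which is what you want before deleting the whole Browser Helper Objects key as the removal steps above do (that key also holds any legitimate BHOs installed on the machine).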

Installing Different Applications

This adware program automatically downloads and installs the following applications and their components into the compromised machine without the user's permission:

  • CLRSCHP038.EXE
    This is a copy of the adware.
  • EZSB.EXE (65,536 bytes)
    This is a utility for electronic distribution of employee pay statements.
  • IEDRIVER.EXE (155,648 bytes)
    This software is a pop-up killer that automatically updates itself.
  • HXDL.EXE (70,552 bytes)
    This utility provides unsolicited system information to the user.
  • AutoUpdate.exe (241,664 bytes)
    This program downloads and installs additional files on the compromised machine.
  • Sync.exe (115,200 bytes)
    This application automatically resets the computer clock.
  • save.exe (248,320 bytes)
    This particular application monitors and tracks Internet usage and relays all gathered information to its clients.
  • couponsandoffers.exe (45,056 bytes)
    This software generates popup messages.
  • popsrv205.exe (348,160 bytes)
    This application resets Internet browser settings and redirects set pages to other Web sites.
  • Lycos SideSearch
    This utility is a Web search and comparison tool.
  • StatBlaster
    This utility tracks baseball game statistics.

Most of these applications have adware properties as well, and most have their own uninstall features. Note, however, that running those uninstallers alone does not completely remove them; the registry keys and files listed in the removal instructions above must still be deleted.




Analysis by: Marvin Cruz

Description created: Nov 10, 2003
