Tuesday, February 22, 2005

More from the Mailbag re Startpage.sj and SearchMiracle/EliteBar

Well, my most recent post has certainly attracted attention. I had intended to write a follow-up piece with further (and, I hope, helpful) information -- and now even more so. For the moment, however, I will present a couple of items by way of a mailbag piece replying to the comments posted to "Elite Bar Adventures".

First, I would like to point out that I have not said, nor should anyone understand, that the Blogspot "Next Blog" button has a virus. The point is only that the random blog approach loads blogs into one's browser that one might otherwise choose not to visit for reasons of system safety. Presumably, we all try to steer clear of sites that are, for one reason or another, questionable. Regardless (for example) of what one might think of sex sites, etc., they tend to purvey much more adware and many more viruses.

Next, many thanks to Timothy Klein for doing a bit of research of his own that I was not able to do. According to Timothy:

from looking at the source for the web-page in question, and downloading the Javascripts it downloads with wget and reading them, this is both specific to Windows AND Internet Explorer.

Unfortunately, Internet Explorer is my only real choice for the time being, regardless of the fact that I understand it as being the target of virtually every virus or bit of adware presently being designed.

Timothy's comments about the blog "owners" in question are also worth considering:

the author of the blog in question may not even realize their page is doing this. IOW, they may not be malicious. It appears that the "cover" action is a bit of Javascript to play music. The author of the blog MAY have just cut-and-pasted that bit of code, hoping to snazz up their blog with sound. Or not.

I had no wish to imply that the blog owner was intentionally malicious. In fact, I would be pleased to learn that they were totally unaware and just a little chastened.

I'll quote Rob Thomas's comment in full:

It's really sad you struggled with all those other, weird, programs, when the two best ones, hijackthis and spybot are free, small, and easily downloaded. Also, 'defragging' and 'registry cleanups' do absolutely nothing to remove adware or virus infestations. Don't waste your time next time 8)

I do not defrag in order to get rid of a virus. Whenever I suspect a virus, or other form of malicious code, is generating new files, perhaps with vital data strings, I alternate anti-virus/virus-removal attempts with defrags -- hoping the latter will maximize computer speed and either 1) alter a data transmission or 2) cause the virus to have to search a bit for where its data has gone. How likely this is, I cannot say with certainty, but it seems to help. As for registry clean-up, I'm sorry but I have to disagree there.

More importantly, about Hijackthis and Spybot: In researching the connection between SearchMiracle/EliteBar and StartPage.sj I have come by enough information to say that they were working in tandem much earlier than February 10, 2005, when Panda Software first detected StartPage. A brief check shows desperate forum members crying out for help to defend against StartPage symptoms at least as early as September of last year. The following forum post gives some very helpful information, including, it would seem, the fact that neither SpyBot nor Hijackthis worked, at that time, against StartPage: http://www.techsupportnewsletter.com/showthread.php?t=29990

My piece was intended, actually, to be a piece alerting everyone to the fact that StartPage.sj (/sk) was the source of the problems people were having getting rid of their SearchMiracle/EliteBar. I have since learned that it showed up in all scans, of all commercial anti-virus software, prior to February 10th, as quasi-harmless "adware.elitebar". It is designed to overcome resident anti-virus software, as its first task, such that scans indicate it is adware. Instead it is a very sophisticated, voracious and destructive virus. After protecting itself and its SearchMiracle component from detection or removal, it apparently harvests site information and transmits it back to a remote database.

If Timothy Klein discovered only adware, he is absolutely correct. The initial injection is just that. The adware then pings the data bank and alters the IE browser such that the next software download or information placard that arrives at the subject computer has all of its button URLs replaced with the destination URL of the StartPage trojan. Click! It's all over!

The following free online virus scan and information links have recently been added to the Gilbert Wesley Purdy Online Bibliography: Bit Defender; Free Country; Freedom; House Call; Panda; and Symantec. As I pointed out in the previous post, the Panda Software online scan can also remove StartPage.sj.

Have you checked out the Online Bibliography yet?


Dr. Pedant said...

1) Sweet bleeding Jesus you really are completely clueless, aren't you (see my comment re. your previous post on this subject)? I absolutely love this sentence:

"Somehow, Panda is the only Anti-Virus company that has yet detected it. In a matter of hours after it detected the trojan it had developed a program to remove it."

Think about it for awhile. Try. Really.

2) You refer to pop-ups reduced to a normal level. Hmmm. My normal level is none, zero. Could it be you have more than one infection? A few that might have been around for awhile--long enough to infect 1500 files? Nah. Couldn't happen to a computer genius like you, no way.

3) It's all told, not all tolled. What kind of poet are you?

4) "Only the EliteBarB remained and I had manually removed its brain."

You might have thought about keeping it. Might come in handy, yuck yuck yuck.

Just so I'm not picking on you anonymously, it's ashinbrot at yahoo.com.

Anonymous said...

Flaming is alive and well! Now was that really constructive?