Monday, April 11, 2005

HijackThis vs. SearchMiracle/EliteBar

HijackThis is a very popular tool used to glean detailed information on spyware, adware and trojans that may have invaded a computer. As described on the Tom Coyote HijackThis page, When launched, it creates a log of "certain key areas of the Registry and Hard Drive and lists their contents. These are areas which are used by both legitimate programmers and hijackers. It's up to you to decide what should be removed."

The log in question is a great confusion to the uninitiated. When their computers become infected, they flock to "expert" forums where they post their raw logs and beg for further instructions. The process is highly informative and more than a little amusing.

Since the Enternet Media adware program SearchMiracle/EliteBar (also known as ETBRUN, Elitum, Elite Toolbar etc.) has been at large on the net, logs of infected computers have begun to appear in profusion. Early on, the HijackThis faithful showed every confidence that their anti-spy program was up to the task of removing the pest. In the meantime, it has become clear that there are few HijackThis forum threads that end with the adware and its associated StartPage.sj trojan having been successfully removed.

Whether due to frustration with SearchMiracle in particular, or difficult logs in general, the forum experts have begun adding an imposing list of other anti-adware/spyware programs that they require the supplicant to download into her or his computer before they will consent to attempt a fix. The following list, from the Tech Support Forum, is exemplary:

Download CWShredder and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download and install SpyBot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Please download Ad-Aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into [Ad-Aware]->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the
hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the HijackThis forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Still, most threads break off with the supplicant crying out that pop-ups remain in control of their computers. StartPage.sj (or the then most recent version of StartPage) appears to load key files in areas of the computer that HijackThis does not log.

Recently, a more promising approach has begun to be used. In a Tech Guide Forum thread, of March 9, 2005, the expert has suggested a new tack, and, while he/she was not overflowing with confidence, the thread ended with a smiley face emoticon. The infection is Adware.HuntBar, a close variant on SearchMiracle that also utilizes the infamous StartPage.sj trojan.

The new approach? Scan first with Panda Online Scan and then address the remaining items on the HijackThis log:

Go to this link >>>Online virus scan at Panda's http://www.pandasoftware.com/activescan/co...n_principal.htm
Don't start it yet

Now, this is VERY IMPORTANT
Close out all unnecessary programs running in the background
Close out all Windows

Bring up the Task Manager(right click the bottom taskbar and select Task Manager) End process on these if you can...

After that is done you will have only the Task Manager and the page from Panda's open

Click the SCAN MY PC button>>>This should bring up a pop up window from Panda's

Close down the IE page that I linked you to Panda's but keep their popup window open...


It involved a bit of a struggle but the final outcome was worth the effort. Those who have read OD's original SearchMiracle/EliteBar piece, Elite Bar Adventures, are already aware that the Online Panda Scan is able and willing to remove the StartPage.sj trojan for free.

There are two points that may not be clear in the thread, however. After the first Panda Online Scan, the StartPage.sj trojan remained in several files. My personal experience was that Panda had to clean twice before StartPage's EliteBar downloader file could be removed. Also, it is not likely that the final step of this thread will work for SearchMiracle/EliteBar.

Geek Girl at Computer Technical Support Forums also started with Online scanning, on March 20th, and a set of initial instructions quite similar to those posted at Tech Guide Forum. On this occasion the infection was SearchMiracle itself. Her scanning instruction were slightly enhanced:

Scan your pc with one of these free online scanners:
Panda ActiveScan
RAV AntiVirus
Housecall. Be sure to put a check the box beside AutoClean.

Whether or not RAV or Housecall are able to remove StartPage.sj for free, I can not say. These instructions would seem to argue that they are.

This is not to say that HijackThis simply can not remove SearchMiracle without the help of an online scan, as evidenced by this thread at Geeks to Go in which the Staff Expert provided a swatch of code to be used in concert with a safe mode boot. Those guys must be working overtime over there. Whether or not it removed the most recent version of SearchMiracle, however, is impossible to tell.

Of course, there is also no telling whether the infection rose from the ashes, in any of these cases, and the disgusted supplicant decided not to return to the given forum. However much resurgence of the infection doesn't appear to have occurred, OD makes no representations about any of the software, fixes, etc., cited above. As always, the rule is "Supplicant Beware!"



Also see:



[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]

No comments: