Friday, May 27, 2005

More on Variant ADW_ELITEBAR.D.

A March 2005 forum thread at Midtown Computer Systems Enterprise provides more detail on ADW_ELITEBAR.D . It's a bit garbled, though: intertwined with discussions about how malware gets installed on computers and about the relative merits of Firefox compared to Internet Explorer. But some things are clarified in the course of "bu2's" (the plaintiff's) attempts to remove this resistant variant of SearchMiracle/EliteBar.

First he informs us of the original condition of the machine, which can be quite helpful:


I use WIN XP Home SP2, IE 6.0, my AV is PC-Cillin. I also use Spy Hunter and Beta version of MS Antispyware. Recently I somehow got ADW_ELITEBAR.D adware that keeps reloading instantly after I get rid of it with the AV.

It is a standard XP with two top-end commercial anti-virus programs. Moreover, we already know from VGS's article "Diabolical New EliteBar Variant Strikes the Web!!!!" that one of those programs, Trend Micro's PC-Cillin, has claimed that it is able to remove EliteBar.D (a claim that Gian Carlo, at SimplyTech, disputes).

Next, he lets us follow the decision-making process:


I am still deciding what exactly to do and when. Trend Micro has a "solution" re the culprit at: [url] http://www.trendmicro.com/vinfo/grayware/ graywareDetails.asp?SNAME=ADW%5FELITEBAR%2ED [/url] I could not make it run. I'll have another look, maybe I was hasty and missed something. It just opens a DOS like C: Command Prompt, it seems to run but nothing happens. We are talking about their instructions to download TMAPTN.ZIP with the latest grey something files. Why am I paying them and updating religiously several times a day? Anyway the program that uses the above file (tmntsrv.exe) does not run or does not run properly when I do it.

I also was told to look into Simply Tech site [url] http://www.simplytech.it/ETRemover/ [/url] and download the Elite Bar Remover, which I did and I am deciding whether to run it now or after my monthly (data) backups just in case something goes awry.

Once the system is clean I may well switch to another Internet Browser. I am not happy with MS leaving so many holes in their software. Also their Beta Antispyware, while pretty good, cannot even see the Elite Bar!? The Trend Micro Antivirus Scan can not see it either but the special Scan for Spyware feature does and it even deletes it but the s*it reinstalls itself instantly.

The utility that Trend Micro claimed would remove EliteBar.D is "tmntsrv.exe". Whether due to the nature of the malware, to his failure to deploy the removal tool properly, or to some other problem, the program fails even to run properly. He then considers downloading and running the SimplyTech Elite Toolbar Remover.

The Beta version of Microsoft AntiSpyware, we learn, was not able even to detect ADW_ELITEBAR.D. At some point bu2 (exactly when is not clear) does use "the special Scan for Spyware feature" provided with his Trend Micro service. It detects and briefly removes the malware, which immediately thereafter reinstalls itself. Whether it actually reinstalled on reboot is not stated, but it seems likely.

Next he tries SimplyTech's EliteBar Removal Tool. At this point, neither SimplyTech nor he is aware that there is a variant of EliteBar that the removal tool won't remove:

Well, I ran the remedy as explained at [url] http://www.simplytech.it/ETRemover/ [/url] That was in WIN XP Safe Mode and ... I scored a big victory for the ADW_ELITEBAR.D

It did not budge. As soon as I checked on it, after removing it with the "remover" and restarting the PC - I found it was still there.

Gian Carlo's commentary, posted soon after in his own SimplyTech forum, can be found in VGS's article "Diabolical New EliteBar Variant Strikes the Web!!!!". What it all comes down to in the end is that no removal tool for this variant presently exists, free or commercial.

Source: Midtown Computer Systems Enterprise > message1508783



Also See:

[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]