Elite Bar Adventures

The following story is, unfortunately, true. What is even more unfortunate is that there is considerably more to the story. I, too, decided to end a long day of site maintenance (etc.) by browsing the Blogspot "Recently Updated" rolling index which dovetails into the "Next Blog" button. I'll let Mr. Alvin Borromeo , of Blogspots MT Law Blog, tell his story and will follow it with further vitally important information concerning our shared experiences and the astonishing results of my subsequent investigation:

CAUTION: Mallory & Tsibouris Co., LPA does not endorse the use of the "Next Blog" icon at the upper right hand corner of this blog. Please see this post for further information. Monday, January 24, 2005

Spyware on Blogspot?
If you look to the upper right hand corner of this webpage, you will see an icon to go to the "next blog." Clicking on this icon will take you to a randomly selected Blogger blog. Yesterday I was surfing the web on my home computer and hit the "next blog" icon a few times to see what's out there. One of the hits was nana***.blogspot.com (the actual name has numbers in place of the astisks). Pop-ups immediately appeared on my computer immediately after I visited the nana blog, even though I have a pop-up blocker installed. I started getting messages about system resources, etc. I immediately closed all of my browsers, but it was too late. When I re-opened my browser it went to a different home page. My computer was hijacked! Sure enough, Ad-aware (from lavasoft) indicated that my computer had been infected with the Search Miracle/Elite Bar virus.I sent Blogger an e-mail to investigate. I will post their response. In the meantime, I will not be clicking on the "next blog" icon in the near future.

The blog I was directed to, at the time my computer was attacked, was called "Cut Me Deep". But far more happened than the simple download of the SearchMiracle/EliteBar adware. Realizing that the destruction of my Yahoo Pop-Up blocker, and a flood of pop-up ads, at the rate of some dozens per minute, the considerable majority advertising Microsoft Anti-spyware/adware, indicated a possibly serious attack, I brought out the full bag of tricks and went to work. Norton is my first line of information/defense but it, too, was disabled after a few preliminary scans.

I needed information from an uncorrupted source and logged back online and went to the Symantec Free Virus Scan page and spent an hour and more getting the Active-X scan files to download. Another hour was required in order to complete the search. Symantec informed me that I had about ten files infected with EliteBarB adware and nearly 1500 files infected with some generic form of the adware called simply: "adware.elitebar". But one detail of the scan report was shocking: the majority of the infected files were Norton/Symantec program and data files. There were perhaps 10 other infected files, most of them infected with the "B" version of EliteBar adware. Something was clearly out of place.

After a day of chasing down the the parasite files and digging out the Windows registry entries inserted by EliteBarB, my computer worked considerably better with the exception that pop-up ads continued at a much faster rate than normal. This lasted for another couple of hours, as I managed to do a Windows program integrity scan (no errors) and tried to disrupt any lingering remnants of the adware by doing repeated defrags and registry optimizations. Soon the Norton package was again inoperable: clearly attacked by the EliteBar adware! I was furious. This "adware" was a sophisticated and voracious virus. Surely, a criminal act. Why wasn't anyone going after these guys?

The next day again, I decided that the Norton/Symantec data file corruption was something I had to get around somehow. I decided to try another Free Virus Scan site and to see how the results compared. As luck would have it, I choose Panda Software's Scan (a company nominally headquartered out of Bilboa, Spain). Panda's Active X files downloaded reasonably quickly. The scan was reasonably quick as well. But the results were very different. Like Norton/Symantec, Panda informed me that I had some files infected with EliteBarB, but only 5 rather than 10. Panda also told me that I had some 1500 infected files all tolled... But the files, it informed me, were not infected with some generic form of EliteBar adware. It identified them as a "startpage.sj" trojan!!!!!! This trojan, it informed me, had been detected for the first time two days before it attacked my computer. No further information, of any substance, was available.

While Norton/Symantec only gives free scans, Panda also gives free decontamination of all detected worms and viruses (but not of any spyware or adware -- you must buy their software for that). I decided to take the decon. Sure enough, once the trojan was removed the pop-ups were reduced to a normal level and my computer ran normally again. Only the EliteBarB remained and I had manually removed its brain.

But now I notice that shortly after pages are loaded up in my browser they begin to display dozens of links to a search engine with the address www.searchmiracle.com/. Numerous web searches inform me that this is the sign of SearchMiracle/EliteBar adware. Not only that, but they inform me that startpage.sj (there is also an ".sk" version) appears nowhere on Yahoo and in only a few listings on Google almost all of which are sites of Panda or its subsidiaries. Because Panda clearly operates under a number of subsidiary names in various parts of the world, it is possible that only Panda lists an advisory for startpage.sj and only it has the software to remove it. As for the search engine www.searchmiracle.com/ , it provides no information about its owner and none is available via any major search engine.

Moreover, when a "HTTP Error 404 - File or directory not found" message would normally be the result of a search for a URL that did not exist, or link that was broken, my browser sent me to http://www.yupsearch.com/search.php. This is the same advertising search engine as www.searchmiracle.com/. It simply enters via a different front URL.

The only thing that can be said, with any degree of certainty about startpage.sj, is that it may not be a trojan, per se, but may enter the host computer, install the searchmiracle/elitebar adware tool bar in place of the traditional Microsoft Elite Toolbar, and, then, protect itself and/or SearchMiracle/EliteBar from removal by corrupting the program and data files of at least Norton, and perhaps other major anti-virus competitors, so that they indicate simply, generic EliteBar adware. Somehow, Panda is the only Anti-Virus company that has yet detected it. In a matter of hours after it detected the trojan it had developed a program to remove it.

Also see:

• PokaPoka.exe + Nothing = YupSearch (October 19, 2005). What do people mean when they say they have "YupSearch" instead of "EliteBar"?
• Elite Toolbar Remover Information Page (October 17, 2005).
• LQfix Information Page (October 15, 2005) There's a new tool in town!
• How to Remove PokaPoka. (October 12, 2005) Does your EliteBar variant include PokaPoka.exe?
• EliteBar Removal Tool Updates to 2.0.1. (September 21, 2005) The EliteBar Removal Tool now comes in two flavors and two generations!
• SearchMiracle.EliteBar Then and Now (September 21, 2005). Hijacks, heroes, updates and links.
• EliteBar Removal Tool Updates to 2.0.0!!!!! (September 15, 2005). Includes expanded list of infections removed by the removal tool.
• More on Variant ADW_ELITEBAR.D. (May 27, 2005). "It is a standard XP with two top-end commercial anti-virus programs. Moreover, one of the anti-virus programs -- Trend Micro's PC-Cillin -- we already know..."
• Diabolical new EliteBar variant Strikes the Web!!!!or the one the EliteBar Removal Tool can't remove (May 22, 2005).
• EliteBar Removal Tool Updates to 1.3.0!!!!! (May 20, 2005). Includes expanded list of infections removed by the removal tool.
• Adware & Malware Indentifier Index (updated regularly). "The following is an in-progress index of some of the more common malware toolbars/browser helper objects at large on the Internet."
• EliteBar Removal Tool Alert: Update V.1.2.2.!!! (April 18, 2005). "The new variants of the malware also completely conceal the presence of the EliteToolbarRemoverV10.exe, so that if you are opening the archive you can only see the readme.doc file that is attached to that and you cannot see the *.exe even if though it is really there!"
• HijackThis vs. SearchMiracle/EliteBar (April 11, 2005).
• How to Remove SearchMiracle/ EliteBar (February 27, 2005)

[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]