The Holder of this blog uses no cookies and collects no data whatsoever. He is only a guest on the Blogger platform. He has made no agreements concerning third party data collection and is not provided the opportunity to know the data collection policies of any of the standard blogging applications associated with the host platform. For information regarding the data collection policies of Facebook applications used on this blog contact Facebook. For information about the practices regarding data collection on the part of the owner of the Blogger platform contact Google Blogger.
Showing posts with label Adware/Spyware. Show all posts
Showing posts with label Adware/Spyware. Show all posts

Friday, February 16, 2007

Most Recent Mirar Toolbar Article

Virtual Grub Street's most recent Mirar Toolbar article -- Mirar Toolbar's New Uninstall Pages -- has just been posted at its Eye Online blog (RSS):

Mirar Toolbar's New Uninstall Pages (February 16, 2007). "NetNucleus has clearly tried to upgrade the public face of its Mirar Toolbar uninstallation process while retaining the advertising advantages it has built into the process. The extent of legitimate improvement remains to be seen."
Posted by at No comments:
Labels: , ,

Wednesday, February 07, 2007

Sunbelt Tangles with NetNucleus

Sunbelt Software has received a letter from Rinaldo Cartaya, the Mirar Brand Manager at NetNucleus (the maker of the Mirar Toolbar), dated 14 December 2006, which they have posted in a PDF file here. The letter claims that Sunbelt has "misrepresented" the Mirar Toolbar by referring to it as "Adware". According to Mr. Cartaya, toolbar is a "bona fide search tool". Legal action is threatened if immediate action is not taken to remove the said "misrepresentation" from Sunbelt's site and software.

Happily, Sunbelt took the time to craft a detailed response to Cartaya's representation of his product. That response (also a PDF file posted at the Sunbelt blog), forwarded to Cartaya via Sunbelt's corporate counsel, Frederick Cooper, III, provides an excellent overview of how the Mirar Toolbar is generally installed and (only partially) uninstalled. Among the numerous examples of how the BHO can be installed, the following:


For a substantial part of 2006, the Mirar toolbar was distributed with screensavers and other freebie applications from TeamTaylorMade at web sites such as screensavers.com, ezthemes.com, teamtaylormade.com, and large download sites such as winsite.com. These bundleware packages included the Mirar toolbar until some time in late November or early December of 2006.

Still further, TeamTaylorMade's software packages were themselves distributed by MediaMotor through its own web sites such as joysticksavers.com. Additionally, TeamTaylorMade screensavers were offered for download at a variety of other third-party web sites.

Whether installing TeamTaylorMade's freebie software or the larger bundle of adware applications from MediaMotor, users were typically given little or no notice that the Mirar toolbar would be installed on their computers. As a result, TeamTaylorMade and MediaMotor have been the subject of a number of complaints, including a critical report by StopBadware.org1 as well as a complaint by the Federal Trade Commission2, which successfully secured court injunctions against both MediaMotor and TeamTaylorMade that prohibit the defendants from installing adware and spyware on users' PCs or using deceptive installation practices.

Sunbelt's is a particularly informative letter and well worth the read.

The following contact information is gleaned from the above letters:

Mr. Rinaldo Cartaya
Mirar Brand Manager
NetNucleus Corp.
80 Bloor Street
15th Floor
Toronto, Ontario, Canada M5S 2V1
Telephone: (416) 238-5405 Ext. 215
Email: rcartaya@netnucleus.com

Perhaps VGS readers will want to contact Mr. Cartaya with their comments about his product.



Also See:

Posted by at 2 comments:
Labels: ,

Wednesday, November 16, 2005

How to Remove Nail.exe.

The following is a detail page of Virtual Grub Street's Adware & Malware Identifier Index:

The information in the Adware & Malware Identifier Index is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.





ABetterInternet, ABetterInternet.transponder, Aurora, Nail.exe.

  • Associated Worms/Trojans: Trojan.Win32.Stervis.b, Win32.Afrootix, Troj/Dropper.Agent.AG, Trojan horse Dropper.Agent.AG, TROJ_AGENT.QW , Trojan.Aurora, Trojan.Bolger, Dloader.LI, Trojan horse Generic.CZ, Trojan horse Generic.EA, Troj/Generic, Hacktool.Rootkit, Trojan.Win32.Madtol.a, TROJ_MADTOL.A, Troj/Nail, Trojan.Nail
  • Executable Files: adbltzun.exe; aurareco.exe; aurora.exe; aurora-wise1.exe; bho_prob.exe; biprep.exe; buddy.exe; morphrec.exe; nail.exe; newdevin.exe; polall1b.exe; poller.exe; svcproc.exe; thnall~1.exe (thnall1b.exe; thnall1p.exe; thnall2r.exe; thnall2r.exe); uacupg.exe; and many more.
  • Dynamic Link Libraries: aurorahandler.dll; banner.dll; bi.dll; bolger.dll; ceres.dll; drpmon.dll; imgiant.dll; zserv.dll; and many more.
  • Directory/Search Page: http://www.abetterinternet.com/
  • Uninstall Page URL:
  • Related Articles: Important Removal Tool Note. Fighting Malware with Standard Windows Tools (February 25, 2007). You may have more in your bag of tricks than you realize.
  • Notes: Aurora.ABetterInternet and Nail.exe are two separate items that are generally bundled together -- so generally that they are widely addressed as the same infection. BI.dll, ceres.dll, host.dll and newdevin.exe have been identified as transponder files.

    • Nail.exe can be removed by running the NailFix.exe tool followed by the Ewido Security Suite. This should be followed by running CCleaner or CleanUp! (on prefetch files and recycle bins for all users). All tools should be run with Windows in Safe Mode.
    • The Nail.exe file itself can be removed by NailFix.exe or the Ewido Security Suite. Many or all of the active components of Aurora or ABetterInternet can be removed by the Ewido Security Suite. Again, all tools should be run with Windows in Safe Mode.
    • Trlokom claims that its 15 day trialware product, SpyWall, can remove Aurora. This presumably includes the file Nail.exe.







Also See:

Posted by at 1 comment:
Labels:

Wednesday, June 15, 2005

Recent "How to Remove" Detail Pages.

The following "How to Remove" detail pages have recently been posted at Virtual Grub Street. How to Remove pages are linked from the Adware & Malware Indentifier Index.

How to Remove (Uninstall, Delete, Get Rid of) ConfuSearch;
How to Remove (Uninstall, Delete, Get Rid of) EasySearch, HotOffers;
How to Remove (Uninstall, Delete, Get Rid of) Ibis Toolbar;
How to Remove (Uninstall, Delete, Get Rid of) IELoader;
How to Remove (Uninstall, Delete, Get Rid of) I-LookUp;
How to Remove (Uninstall, Delete, Get Rid of) ISearchTech.SideFind;
How to Remove (Uninstall, Delete, Get Rid of) ISTBar;
How to Remove (Uninstall, Delete, Get Rid of) nCase, Zango;
How to Remove (Uninstall, Delete, Get Rid of) SearchRelevancy;
How to Remove (Uninstall, Delete, Get Rid of) VX2.

The How to Remove SearchForFree detail page has also recently been updated. Further pages will follow.
Posted by at No comments:
Labels: ,

HijackThis vs. SearchForFree.

SearchForFree is a relatively new piece of adware/malware. It is a start page hijacker downloaded by icasserv.exe (a.k.a. AdClicker-CM , TROJ_ICASERV.A, and Trojan-Clicker.Win32.Small.fd). The start page is actually hijacked by htmlsync.exe. The infection also uploads bookmarks into the Internet Explorer browser.

Because Virtual Grub Street seeks to bring computer users together with freeware (or, occasionally, trialware) tools with which to remove malware infections, the "How to Remove SearchForFree" page suggests downloading and running Pocket KillBox on individual key files and cleaning up the bits and pieces that remain.

This does not mean that Pocket KillBox is the only - or even, necessarily, the best - available means of removal. For the present, it is the only freeware fix that would seem to be available. The vast majority of computer infections can be manually removed should the user be sufficiently aware of the specifics of manual removal and the dangers involved. The manual method can, however, be quite time consuming compared to an effective freeware fix.

HijackThis is a very popular tool used to glean detailed information on spyware, adware and trojans that may have invaded a computer. As described on the Tom Coyote HijackThis page, When launched, it creates a log of "certain key areas of the Registry and Hard Drive and lists their contents. These are areas which are used by both legitimate programmers and hijackers. It's up to you to decide what should be removed."

It would not be entirely unfair to describe HijackThis as a program designed to simplify manual removal. Rather than search for files individually - the names of which the user may or may not know - and follow the file path to delete them, HJT provides an orderly log and a "fix" function. It is important to realize that the "fix" function is nothing more than a "delete" function, however, and the dangers inherent in manual removal remain. Care must be taken not to delete legitimate files or registry keys. It is always advisable to make a backup copy of the files in question before proceeding.

While HJT tutorials are available on the web, the log in question is a great confusion to the uninitiated. When their computers become infected, they flock to "expert" forums where they post their raw logs and beg for further instructions. For one thing, there a great many different file names, some vital for proper system operation and others malicious. Even after considerable study it can be difficult to know which are which.

These forum threads are a source of considerable information. They can introduce the reader to a wide range of freeware packages and free online scans available on the web. They also provide keyfile names and paths that can be used to find and manually remove the components of an infection, should the user prefer that option to downloading HijackThis or other programs.

The cleanest HJT fix, as regards SearchForFree, would seem to be the one represented by this thread from DesignTechnica. The expert directs the suppliant to download his preferred anti-adware/malware freeware packages:

Download The Stand Alone Version of CW Shredder, [SpyBot S&D], [Ad-Aware],...


They are probably the three best known throughout the web. But the instructions do not yet call for using the packages. Instead the following:

Reboot To Safe Mode (tap F8 on Startup)
Delete this file
C:\WINDOWS\System32\icasServ.exe


A quick check at VGS's "How to Remove SearchForFree" reminds us that 'The file "icasserv.exe" is the downloader for this infection and is a also known as the "icasserv-a trojan" (a.k.a. AdClicker-CM , TROJ_ICASERV.A, and Trojan-Clicker.Win32.Small.fd) .'

In fact, none of the freeware packages is able to remove SearchForFree. The expert's removal instructions will amount to nothing more than manually removing the keyfiles, while in Safe Mode, for the SearchForFree infection:

C:\WINDOWS\System32\icasServ.exe
C:\WINDOWS\System32\isystem.exe
C:\WINDOWS\System32\ldriver.exe
C:\WINDOWS\htmlsync.exe

After the removal is effected, the suppliant is instructed that he should "Still In Safe Mode Delete all Temporary Internet Files, Cookies, Run CW Shredder, Ad-Aware and SpyBot S&D,delete what they find , Empty recycle bin." It is unclear what, if anything, from the SearchForFree infection is removed in this fashion.

It is important to realize that the "O4 - Startup: winupdate12900161[1].exe" entry that the expert deletes, after all of this, as the last step of the fix, is meant to repair a second infection not related to SearchForFree.

Geek Girl's fix, at this thread, from My Tech Support's forums, has one advantage and one disadvantage compared to the thread from Design Technica's expert. On the downside, she requires a greater number of downloads:

Download / Install / Update / and Run: [Ad-Aware] SE check for any updates before running it. Get the plug-in for fixing VX2 variants. You can download it at this SITE[.] To run this tool, install to the hard drive, then open [Ad-Aware]->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection.

Download and install SpyBot S&D . Run SpyBot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit SpyBot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. You will use this later.


Again, all of these are quality pieces of freeware, but none of them can remove the infection.

On the upside, her instructions on how to remove the icasServ.exe file clearly involves using the "process manager" function of HijackThis:

Go into [HijackThis]->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one (You must kill them one at a time).

C:\WINNT\System32\icasServ.exe



The Design Technica thread seems to direct the suppliant to manually delete the file rather than use the process manager.


While there might appear to be two different file paths to icasServ.exe in the two threads there is not. The path "C:\WINDOWS\System32\icasServ.exe " is the system path for a Windows XP machine. The path "C:\WINNT\System32\icasServ.exe" is the system path for a Windows 2000/NT machine. The file "icasServ.exe " always loads up in the "%System%" path.
Posted by at No comments:
Labels: ,

Friday, May 27, 2005

More on Variant ADW_ELITEBAR.D.

A March 2005 forum thread at Midtown Computer Systems Enterprise provides more detail on ADW_ELITEBAR.D . It's a bit garbled, though: intertwined with discussions about how malware gets installed on computers and about the relative merits of Firefox compared to Internet Explorer. But some things are clarified in the course of "bu2's" (the plaintiff's) attempts to remove this resistant variant of SearchMiracle/EliteBar.

First he informs us of the original condition of the machine, which can be quite helpful:


I use WIN XP Home SP2, IE 6.0, my AV is PC-Cillin. I also use Spy Hunter and Beta version of MS Antispyware. Recently I somehowgot ADW_ELITEBAR.D adware that keeps reloading instantly afterI get rid of it with the AV.

It is a standard XP with two top-end commercial anti-virus programs. Moreover, one of the anti-virus programs -- Trend Micro's PC-Cillin -- we already know, from VGS's article "Diabolical New EliteBar Variant Strikes the Web!!!!", has claimed that it is able to remove EliteBar.D (a claim that Gian Carlo, at SimplyTech, disputes).

Next, he lets us follow the decision-making process:


I am still deciding what exactly to do and when. Trend Micro has a"solution" re the culprit at: [url] http://www.trendmicro.com/vinfo/grayware/ graywareDetails.asp?SNAME=ADW%5FELITEBAR%2ED [/url] I could not make it run. I'll have another look, maybe I was hasty and missed something. It just opens a DOS like C: Command Prompt it seems to run but nothing happens.We are talking about their instructions to download TMAPTN.ZIP with the latest grey something files. Why am I paying them and updating religiously several times a day? Anyway the program that uses the above file (tmntsrv.exe) does not run or does not run properly when I do it.

I also was told to look into Simply Tech site [url] http://www.simplytech.it/ETRemover/ [/url] and download the Elite Bar Remover
which I did and I am deciding whether to run it now or after my monthly (data)
backups just in case something goes awry.

Once the system is clean I may well switch to another Internet Browser. I am not happy with MS leaving so many holes in their software. Also their Beta Antispyware, while pretty good, cannot even see the Elite Bar!? The Trend Micro Antivirus Scan can not see it either but the special Scan for Spyware feature does and it even deletes it but the s*it reinstalls itself instantly.

The utility that Trend Micro claimed would remove EliteBar.D is "tmntsrv.exe". Whether due to the nature of the malware, his failure to properly deploy the removal tool or some other problem, the program fails even to run properly. He considers downloading and running the SimplyTech Elite Toolbar Remover.

The Beta version of MicroSoft Antispyware, we learn, was not able even to detect ADW_ELITEBAR.D. At some point bu2 (exactly when is not clear) does use "the special Scan for Spyware feature" provided with his Trend Micro service. It detects and briefly removes the malware which immediately thereafter reinstalls. Whether it actually reinstalled on reboot is not stated but it seems likely.

Next he tries SimplyTech's EliteBar Removal Tool. At this point, both SimplyTech and he are not aware that there is a variant of EliteBar that the removal tool won't remove:



Well, I ran the remedy as explained at [url] http://www.simplytech.it/ETRemover/ [/url] That was in WIN XP Safe Mode and ... I scored a big victory for the
ADW_ELITEBAR.D

It did not budge. As soon as I checked on it, after removing it with the "remover" and restarting the PC - I found it was still there.

Gian Carlo's commentary, soon after, in his own SimplyTech forum, can be found in VGS's article "Diabolical New EliteBar Variant Strikes the Web!!!!". What it all comes down to in the end is that no removal tool presently exists, free or commercial.


Source: Midtown Computer Systems Enterprise>message1508783



Also See:

[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]

Posted by at No comments:
Labels: , ,

Sunday, May 22, 2005

Diabolical New EliteBar Variant Strikes the Web!!!!

Giancarlo Calo, of SimplyTech.it, freeware Baron of the Internet, by virtue of his EliteBar Removal Tool, reports that a new malware variant has appeared on the net that Trend Micro has designated ADW_ELITEBAR.D. The first contacts with the new variant are described in an April 1 through 19 May, 2005, thread at Simply Tech's EliteBar forum. In the words of Calo, in the original April 1, 2005, forum posting:
Well, as far as we are working on this pest we can say that it is NOT an EliteToolbar malware! It is acting in a half-way as a virus and half-way as a malware/spyware. It is using some new typologies of attack we have never watched before... We don't know if its a new product of the same guys who released the EliteToolbar malware, but we can say it is not an EliteToolbar malware and we are not yet able to do an automatic remover for it.

According to Calo, Trend Micro seems to have felt, at one point, that its commercial software could remove the infection but Simply Tech still found the malware intact after Trend Micro's process. The Trend Micro ADW_ELITEBAR.D information page presently lists only manual removal instructions. This is not the only item that is unclear. TM desribes one toolbar on the ADW_ELITEBAR.D page while Calo provides a photo of an infection that leaves two toolbars, one top and one bottom. Just how these inconsistencies will be resolved remains to be seen. All of that aside, Calo describes a truly diabolical new approach to malware:
It doesn't install any dll and changes the name of its executable on a randomic basis using real words took in documents of the user. It also traces and log the activity of the user and writes a log file with the attributes used for the system files. It works in low-level with the system and it is impossible to dump it from the system memory because it fools you directing your attention on a process that is not the real responsable of the infestation.
This would appear to mean that the main executable file randomly changes its name while the infection is in the computer such that it is all but impossible to target and delete it. The naming process ("...using real words [taken from] documents [in the user's computer]") makes it difficult to tell legit from infected files or to locate the infected file through file searches. An excellent picture of the double toolbar arrangement is located at the forum posting. Giancarlo Calo, and Simply Tech, offer what little help they can for the time being:
At the moment the only way we can helping you removing this infestation is acting on your pc via a Remote Administration program. If you need for our help write us a mail (simplytech@simplytech.it) about it and feel free to ask for details and times of intervention.

In at least some instances, the help provided will provide SimplyTech with much needed data in return. It is sure to help the effort to head off this variant before it ends up on all of our computers. Also see:

[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]

Posted by at No comments:
Labels: , ,

"How to Remove" Detail Pages.

The following "How to Remove" detail pages have recently been posted at Virtual Grub Street. How to Remove pages are linked from the Adware & Malware Indentifier Index.

The How to Remove Mirar Toolbar detail page has also recently been updated. Further pages will follow.

Posted by at No comments:
Labels: ,

Friday, May 20, 2005

EliteBar Removal Tool Updates to 1.3.0!!!!!

or How to Remove SearchMiracle/EliteBar (Alt. 1, Rev. 2)


Giancarlo Calo, over at SimplyTech.it, is staying aggressive with his freeware EliteBar Removal Tool. Among the infections it claims to remove "every trace" of are the following. The items highlighted in red are linked to Virtual Grub Streets's "How to Remove/Detailed Information" pages:



EliteBar; EliteToolbar; EliteSidebar; BargainBuddy; Browser
Aid; CashToolbar; FreshBar; GameSpy; MoneyTree; Nail.exe; NaviSearch; navpsrvc.exe (also known as: W32/Forbot-EF, worm); SearchMeUp; SideStep; Spybot - Randex; SupportSoft; SurfSideKick; Win32.RBot; Winmon.exe (also known as: W32/Agobot-KA, trojan); and WinMoviePlugIn.



The "How to Remove" detail pages for SearchMiracle/EliteBar consist of the articles regularly posted at VGS. The file information for EliteBar is located on the Adware & Malware Indentifier Index itself. Further detail pages will be added on a continuing basis.

Simply Tech's description of the reason why SearchMiracle/EliteBar is so difficult to remove verifies the information in the various Virtual Grub Street articles over the past several months:


Actually some software like Spybot v.1.3, CWShredder v.2.12, Noadware,Adaware v.6, SpyNuker 2004 and SBC Yahoo! Anti-spy have no success in deleting this very frustrating malware. These programs find and delete it, but it keeps coming back since this new variant is very difficult to remove from the
operating system.

The main problem is that the malware creates a lot of registry entries and executes at PC startup, winding itself into RAM and deletes its own *.exe from the C:\Windows\System32 directory.

When ordinary tools try to remove it, they only clean the registry calls, the C:\Windows\EliteToolbar directory and the cabinets files where it originated from, but they don't take any action against the malware itself that is currently running in RAM and waiting for the PC OS to be shut down only to repeat the infestation once again!
This would seem to be a trick that the newer malware/adware products are widely copying. Perhaps this is the reason that the EliteBar Removal Tool has added so many porducts to the list of infections it removes. It is certainly the reason that most HijackThis and manual removal instructions direct the user to do main and downloader file deletions while in Safe Mode.







Also see:

[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]

Posted by at No comments:
Labels: , , ,

Wednesday, April 27, 2005

Is Google Associated with a SearchMiracle Knock-Off?

Related Story: How to Remove Mirar Toolbar "It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log."


The Internet is changing the world in more ways than immediately meet the eye. The world has become a vastly more complex place as a result of it. What may seem wonderfully simple -- starting a blog, for example, or adding advertising to one's site -- is freighted with issues that only unfold with the passage of time.

This blog is hosted by Blogspot.com. Originally intended to be an arts and lit blog, an early posting/article about the spyware pest SearchMiracle/EliteBar was so popular, throughout the web, that it became known as an adware/spyware blog. It became so popular, in fact, that it seemed reasonable to include some unobtrusive Google Ads.

In February of 2003, Google bought the company that owned Blogspot blogs and it has since offered its bloggers a quick and easy way to contract for advertising revenues. The revenues are based upon the number of times the Google Ads on a site are clicked. The contract is a much simplified version of similar contracts signed between search engines and the companies that pay to advertise on them.

These decisions were made easier by the fact that I think very highly of Google. Its search engine is by far the best on the web. To "Google it" is common practice now for millions, myself very much included. The company's handling of its Initial Public Offering (IPO), while harrowing, suggested that its owners didn't want to be just another company -- that they wanted to be fairer and more responsible than most.

Of course, adware is, at base, an attempt to make greater profits through pay-per-click (or pay-per-display) advertising contracts. I was not unaware of the potential conflict between Obiter Dicta's role as a source of information and commentary on slash and burn pay-per-click Internet advertising and its relationship with Google Ads. But the risk seemed small. I accept the inevitable role of responsible advertising in developing the net. I draw my boundary lines at: stealth downloading of adware; downloads achieved through misleading or intentionally confusing a user; hijacking of start pages; disabling and altering a user's resident software (thus damaging private property); providing no effective means of uninstalling the software; and harvesting a user's private information (perhaps even to sell as a secondary income stream). I was being consistent.

The reader may imagine my curiosity when I began, while grazing HijackThis logs of computers infested with Enternet Media's SearchMiracle/EliteBar, to notice a new listing: another pseudo search page: http://ny.contentmatch.net/. The listing seems to have begun appearing in numerous SearchMiracle-related logs in March of this year (2005).

The page is yet another front page represeting itself as an information directory while doing nothing more than inserting canned search terms into a search engine. The directory even looks suspiciously like the SearchMiracle and YupSearch directories. It is the target of another Browser Helper Object (BHO), this one referred to as the "Mirar Toolbar". Like SearchMiracle, it has more than one directory page fronting on the same search engine.: http://awbeta.net-nucleus.com/ being another. In the modern world, success breeds... well... knock-offs.

Again, after the fashion in these matters, the home page for Mirar, http://www.getmirar.com/, was notably unhelpful. It contained nothing more than a bright photo spread, a link to a toolbar download and a generic e-mail contact address. Of course, people very rarely download from these home pages so there is no link to a EULA and no descriptive information about Mirar's wonderful product. There is a link to an uninstall page which begins by offering the reader a number of "free gifts," for which the user must register, and refuses to allow him or her to proceed until at least one is chosen. While there may be a means to uninstall, the user who tries this route must traverse a labyrinth in order to get to it.

After considerable searching, I discovered that there was, indeed, a EULA for the Mirar Toolbar. It is located at http://policy.getmirar.com/EULA.html. The link from the Mirar homepage -- or to any page for that matter -- seems to have been forgotten.

The EULA provides information required by the laws of most civilized countries. The reader learns that Mirar is the product of a company called Net Nucleus based out of Toronto, Ontario. Until about a week ago, it included a statement of Net Nucleus's relationship with a company called WhenU:


By downloading the Software, you will also automatically receive a bundled software product called SaveNow and SearchBar, proprietary software products of WhenU.com Inc. (“WhenU”). By clicking on the “I Accept” or “Yes” button, you are also consenting to the terms of the license granted by WhenU, which are provided below.
WhenU is infamous for any number of reasons not the least of which is having briefly been removed from both the Google and Yahoo search engines [story] for engaging in a practice called cloaking. It has been accused, by malware watchdog Ben Edelman, of failing to obey its own privacy policy [details]. While it denied the allegations, it changed its policy to more accurately reflect that fact that it collects users' personal information:


As described in WhenU's Response, WhenU changed its privacy policy subsequent to the posting of this research. In particular, WhenU revised the privacy policy posted on some pages of its public web sites, but failed to revise other pages, and failed to revise the privacy policy and other privacy promises embedded within WhenU software installers.

It is not clear whether a relationship continues between the two companies.

Both WhenU and Mirar Toolbar often bundle their product with third party software. Mirar is widely reputed to utilize stealth downloads. This may also be what is meant by Symantec's vague warning that:


It will also attempt to download and install the Mirar toolbar from a predetermined Web site.

Mirar's recent habit of appearing in HijackThis logs infested with SearchMiracle/EliteBar, known to stealth download via malicious Java Scripts, suggests the possibility that it has expanded its old bundling approach.

In the open, as it were, where it is not camouflaged by being a small part of a big bundled infection, the Mirar Toolbar tends to be described as in the following letter to the InfoPackets Newsletter (May 2004):


Gazette Reader 'SweetImage' writes: " Dennis is there any way to get rid of the Mirar toolbar once and for all? I have searched sites where I have found loads of people having the same problem. I have used at least 8 different Adware-blocking programs to remove the toolbar from my system, but none of them can get rid of this rotten thing! Mirar support has not answered my emails and I am going absolutely crazy trying to remove it from my system. I cannot use the Windows System Restore because it won't allow me to roll back (except for today's date) -- and furthermore, Dell can't help me. Am I stuck with this toolbar? I don't even know where it came from! Thank you very much if you can help! "

Such is the sound of yet another satisfied customer.

All of this said, this would be just another sad but all too familiar story if it weren't for one fact. The surprise of this story comes when a visitor to http://ny.contentmatch.net/ or http://awbeta.net-nucleus.com/ clicks on one of the canned search engine terms only to find that the Mirar directory, to which it forcibly redirects a user's browser, is a portal to the Google Search Engine.

Of course, these directories are uniformly created as a source of advertising revenue. A question begs the asking: How does NetNucleus generate revenue from its Mirar search directory if it enters search terms in the Google Search Engine? Put more directly: Does Google have a business relationship with NetNucleus -- a company widely reputed to use stealth downloads and that recently shows up with alarming frequency in HijackThis logs together with software utilizing startpage trojans to install spyware -- to enhance advertising revenues from its search engine?

I, for one, will be pleased to learn that there is no such relationship, that there is another explanation and that Mirar will be required to cease its practice of downloading (stealthily or otherwise) portals to the Google Search Engine. Also that my tiny part in the Google empire will not be considered to be the actual bad business arrangement. It seems that starting a blog is not so wonderfully simple as it would appear. It is only natural to experience some amount of anxiety over the vast interconnectedness that threatens to leave us all subject to situations that seem beyond our ability to foresee. In light of the many issues this article touches upon, the question can only be asked: For all of the potential of it, just how real is this electronic democracy? How real can it remain?



Also See:
  • Sunbelt Tangles with NetNucleus (February 7, 2007). NetNucleus, purveyor of the Mirar Toolbar, threatens to sue Sunbelt Software for labeling it's product "Adware". Sunbelt replies with a devastating overview of Mirar's stealth installation methods (and more).
  • How to Remove Mirar Toolbar "It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log."
  • Adware & Malware Identifier Index (May 9, 2005). "The following is an in-progress index of some of the more common malware toolbars/browser helper objects at large on the Internet."
  • Online Bibliography (Regularly updated). A bibliography of Gilbert Wesley Purdy's work on the Web and elsewhere including computer topics.
Posted by at No comments:
Labels: ,

Saturday, April 23, 2005

HijackThis vs. the Elitebar Removal Tool

The following HijackThis thread, from Web User Forums, highlights a number of key points about the modus operandi of the SearchMiracle/EliteBar downloader. It also highlights the comparative merits of SimplyTech's EliteBar Removal Tool.

The user's opening comments are typical:

I've just started getting IE pop-up windows appearing every so often. They appear regardless of whether I'm actually using my browser (Maxthon).

I've run [Ad-Aware], [SpyBot S&D], and installed SpywareBlaster and SpywareGuard. Removed a heap of items, but the popups are still appearing. Included below is a [HijackThis] log (created immediately after a reboot).


No standard anti-spy software has managed to fend off the infection entirely. A HijackThis log is posted together with a plea for help.

The expert's instructions are typical of the early strategy attempted by HijackThis experts:

*Open [HijackThis], take another scan and place a checkmark next to these entries.

R3 - URLSearchHook: IncrediFindBHO Class - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exeO4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll [see VGS's Key File Index for more information on this file]

*Close all open Windows except [HijackThis] and click on "fix Checked".

* Open Windows Explorer, navigate to and delete the following
Files/Folders:

C:\Program Files\Common files\SearchUpgrader\>>>folder
C:\winnt\system32\elitekck32.exe>>>file
C:\WINNT\system32\NavLogon.dll>>>file [see VGS's Key File Index for more information on this file]

Reboot the Computer in normal mode, then click the "Post Reply" button and post a new log in this thread for further review and evaluation.



While this approach may provide some limited, and temporary, relief, SearchMiracle will soon be back in full force. As HijackThis experts have generally discovered, the downloader for the infection detects, and, if necessary, reinstalls itself from RAM as Windows is closed. (The related file can have different names for different variations of the infection but always appears, to date, in the form "elite***32.exe".) This explains the next set of comments from the user:

I've done everything as you suggested, noting:

"C:\winnt\system32\elitekck32.exe>>>file": This file wasn't there. Searched entire HD and couldn't find it.
"C:\WINNT\system32\NavLogon.dll": Deleted *after* reboot, as was in use before reboot. [see VGS's Key File Index for more information on this file]

After 1st reboot, the elitekck32.exe entry (O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe) had reappeared, so I fixed it again and rebooted a 2nd time. It's still there, see new HJT log below. The pop-up windows are still appearing.

The file for "elitekck32.exe" is no longer on the hard drive. The resident file was deleted by SearchMiracle itself when "eleitekck32.exe" was removed. The file is probably designed to be deleted in order to avoid the problem of having to rename it in order to successfully re-install.

The second round of instructions (in response to the updated HijackThis log) make the matter still clearer:

*Open [HijackThis], take another scan and place a checkmark next to these entries.

O4 - HKLM\..\Run: [load32] C:\WINNT\system32\winldra.exe [see VGS's Key File Index for more information on this file]

O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe
O21 - SSODL: NnjrTTQcGY - {372715F7-9D8D-BF5D-D9F5-F29E65298DCD} - C:\WINNT\system32\xqzq.dll (file missing)

*Close all open Windows except [HijackThis] and click on "fix Checked".
*Open Windows Explorer, navigate to and delete the following Files/Folders if present:

C:\WINNT\system32\winldra.exe >>>file [see VGS's Key File Index for more information on this file]
C:\winnt\system32\elitekck32.exe >>>file
C:\WINNT\system32\xqzq.dll >>> file

*
*
*


Reboot the Computer in normal mode, then click the "Post Reply" button and post a new log in this thread for further review and evaluation.



A number of files have returned: first the downloader exe and then the files it has begun to reinstall. The HijackThis expert, in this particular case, is stumped. He keeps advising that the user reboot in normal mode which will only reload elitekck.32.exe back up into RAM from where it will reinstall when Windows is closed. In the new, successful Hijackthis threads the expert knows to reboot in Safe Mode and then delete the file. This prevents elite***.32.exe from loading up into RAM. If it can't get to RAM it can't download back onto the hard drive.

This thread will end up successful, however, and for an intersting reason. The user takes the matter of getting rid of elite***32.exe into her/his own hands:

Hi, think I've got to the bottom of the elitekck32.exe file.

Another forum (http://forum.iamnotageek.com/history/topic.php/1819049822-1.html) put me onto this [Elite Toolbar Remover]... I've run it and it's removed the Elitekck32.exe malware, as shown in the new HJT log below. I've not posted logs for each account as I suspect that's not the problem.


She/he has downloaded and run the Elitebar Removal Tool and now returns to clean up some loose ends not related to SearchMiracle/EliteBar.

Again, this thread seems to highlight the relative merits of HijackThis and the Elitebar Removal Tool. The removal tool is quickly downloaded and specifically targets the problematical elite***32.exe file. HijackThis is not limited to a single strain of infection(s). Given some time for the HijackThis expert community to get a grasp of a particular infection there is an excellent chance that a fix can be developed.Using it can also add to the user's knowledge level about infections and his/her computer.



Also see:


[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]


Also from the Library of Babel:

  • Pierce Butler, Fanny Kemble, et al.  July 22, 2020.  ‘“An attempt of the Pennsylvania Supreme Court to make a way around the original Fugitive Slave Law, of 1793, by finding a private agent guilty of kidnapping for having remanded a slave from Pennsylvania to Maryland was forcefully overturned by the U. S. Supreme Court in Prigg v. United States (1842).”’

  • The Best Translation of Dante’s Divina Commedia.  July, 14, 2019.  “For the next month, then, I put aside a few hours each night.  Not only with Singleton and Merwin.  In the glorious Age of the Internet, the first step could only be a search for what books relating to the subject were available on Google Book Search and the Internet Archive.”

  • A Memoriam for W. S. Merwin.  April 17, 2019.  “It took about three days, as I recall, for me to surrender to the fact that W. S. Merwin was the finest English language poet of his time.  I wished I’d been prepared to read him years ago.”

  • Be sure to check out the Browser's Guide to the Library of Babel.

Also from Virtual Grub Street:

  • The Fascinating Itinerary of the Gelosi Troupe, 1576.  June 10, 2019.  “The Spanish soldiers had not been paid and unpaid soldiers tend to rob and loot.  The citizens were prepared to give them a fight.  Violent flare ups were occurring everywhere.”

  • A Thousand Years of English Terms.  June 2, 2019.  ‘One person did not say to another, “Meet you at three o’clock”.    There was no clock to be o’.  But the church bell rang the hour of Nones and you arranged to meet “upon the Nones bell”.’


Posted by at 3 comments:
Labels: , ,

Monday, April 18, 2005

EliteBar Removal Tool Alert: Update V.1.2.2.!!!

or How to Remove SearchMiracle/EliteBar (Alt. 1, Rev. 1)


The thousands of people who are still flocking to the O.D. article How to Remove SearchMiracle/ EliteBar (also known as ETBRUN), and the scores of links to the various O.D. articles on SearchMiracle/EliteBar and related adware/spyware, make it clear that Giancarlo Calo's freeware EliteBar Removal Tool is still the clear means of choice for removing this pest. The removal tool, however, is not limited strictly to SearchMiracle. Calo lists the following variant toolbars that can be removed by this software:


EliteBar (adware toolbar); EliteToolbar (adware toolbar); EliteSidebar (adware toolbar); Browser Aid (adware toolbar); CashToolbar (adware toolbar); SearchMeUp (adware toolbar); navpsrvc.exe (also known as: W32/Forbot-EF, worm); FreshBar (also known as: ADW_FRESHBAR.B, adware).

Recently Calo's Elite Toolbar Remover has received its most powerful endorsement to date. The newest updates of SearchMiracle/EliteBar incorporate code designed specifically to attack the remover:


We, at SimplyTech.it, in early January 2005, released a freeware utility that helped you restore your OS functionality by killing this malware. Since this version 1.0 of our EliteToolbar Remover, the silly guys at EliteToolbar have released some new variants of their malware. The variants in circulation from the end of January 2005, in fact, do a cache detect of the words: "EliteToolbarRemoverV10.zip" which was the old name of our previous version 1.0.

If you are trying to download it from a mirror site you will receive the following error:

''Cannot copy file, Cannot read from file source or disk''

This is not a message from your operating system, but a stupid message from the malware that is actually running in your PC.

The new variants of the malware also completely conceal the presence of the EliteToolbarRemoverV10.exe, so that if you are opening the archive you can only see the readme.doc file that is attached to that and you cannot see the *.exe even if though it is really there! After all, these are very clever programmers, aren't they?

Anyway, it is sure that these people will also blacklist the new name of the zip we are using now, so if this occurs and some new variants will circulate the Internet from today we suggest you to download the software to another PC and take it on a diskette or a USB pendrive and run it on the infected PC in Safe Mode, as usual.

So then, it is vitally important to be sure that you are downloading the latest (EliteToolbar Remover V.1.2.2) version of the remover. It is also important to read the informative Elite Toolbar Remover page at Simply Tech.

The software provided by Simply Tech is entirely freeware. The group offsets it cost as best it can by donations. A PayPal link is provided at the bottom of the Elite Toolbar Remover page. Please help them keep up their fine efforts if you can.



Also see:



[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]

Posted by at No comments:
Labels: , , ,

Monday, April 11, 2005

HijackThis vs. SearchMiracle/EliteBar

HijackThis is a very popular tool used to glean detailed information on spyware, adware and trojans that may have invaded a computer. As described on the Tom Coyote HijackThis page, When launched, it creates a log of "certain key areas of the Registry and Hard Drive and lists their contents. These are areas which are used by both legitimate programmers and hijackers. It's up to you to decide what should be removed."

The log in question is a great confusion to the uninitiated. When their computers become infected, they flock to "expert" forums where they post their raw logs and beg for further instructions. The process is highly informative and more than a little amusing.

Since the Enternet Media adware program SearchMiracle/EliteBar (also known as ETBRUN, Elitum, Elite Toolbar etc.) has been at large on the net, logs of infected computers have begun to appear in profusion. Early on, the HijackThis faithful showed every confidence that their anti-spy program was up to the task of removing the pest. In the meantime, it has become clear that there are few HijackThis forum threads that end with the adware and its associated StartPage.sj trojan having been successfully removed.

Whether due to frustration with SearchMiracle in particular, or difficult logs in general, the forum experts have begun adding an imposing list of other anti-adware/spyware programs that they require the supplicant to download into her or his computer before they will consent to attempt a fix. The following list, from the Tech Support Forum, is exemplary:

Download CWShredder and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download and install SpyBot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Please download Ad-Aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into [Ad-Aware]->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the
hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the HijackThis forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Still, most threads break off with the supplicant crying out that pop-ups remain in control of their computers. StartPage.sj (or the then most recent version of StartPage) appears to load key files in areas of the computer that HijackThis does not log.


Recently, a more promising approach has begun to be used. In a Tech Guide Forum thread, of March 9, 2005, the expert has suggested a new tack, and, while he/she was not overflowing with confidence, the thread ended with a smiley face emoticon. The infection is Adware.HuntBar, a close variant on SearchMiracle that also utilizes the infamous StartPage.sj trojan.

The new approach? Scan first with Panda Online Scan and then address the remaining items on the HijackThis log:
Go to this link >>>Online virus scan at Panda's http://www.pandasoftware.com/activescan/co...n_principal.htm
Don't start it yet

Now, this is VERY IMPORTANT
Close out all unnecessary programs running in the background
Close out all Windows

Bring up the Task Manager(right click the bottom taskbar and select Task Manager) End process on these if you can...

After that is done you will have only the Task Manager and the page from Panda's open
Click the SCAN MY PC button>>>This should bring up a pop up window from Panda's
Close down the IE page that I linked you to Panda's but keep their popup window open...

It involved a bit of a struggle but the final outcome was worth the effort. Those who have read OD's original SearchMiracle/EliteBar piece, Elite Bar Adventures, are already aware that the Online Panda Scan is able and willing to remove the StartPage.sj trojan for free.

There are two points that may not be clear in the thread, however. After the first Panda Online Scan, the StartPage.sj trojan remained in several files. My personal experience was that Panda had to clean twice before StartPage's EliteBar downloader file could be removed. Also, it is not likely that the final step of this thread will work for SearchMiracle/EliteBar.

Geek Girl at Computer Technical Support Forums also started with Online scanning, on March 20th, and a set of initial instructions quite similar to those posted at Tech Guide Forum. On this occasion the infection was SearchMiracle itself. Her scanning instruction were slightly enhanced:
Scan your pc with one of these free online scanners:
Panda ActiveScan
RAV AntiVirus
Housecall. Be sure to put a check the box beside AutoClean.

Whether or not RAV or Housecall are able to remove StartPage.sj for free, I can not say. These instructions would seem to argue that they are.



This is not to say that HijackThis simply can not remove SearchMiracle without the help of an online scan, as evidenced by this thread at Geeks to Go in which the Staff Expert provided a swatch of code to be used in concert with a safe mode boot. Those guys must be working overtime over there. Whether or not it removed the most recent version of SearchMiracle, however, is impossible to tell.

Of course, there is also no telling whether the infection rose from the ashes, in any of these cases, and the disgusted supplicant decided not to return to the given forum. However much resurgence of the infection doesn't appear to have occurred, OD makes no representations about any of the software, fixes, etc., cited above. As always, the rule is "Supplicant Beware!"



Also see:
[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]
Posted by at No comments:
Labels: , ,
Subscribe to: Posts (Atom)