
Wednesday, January 10, 2007

CleanUp! Information Page

The information in Virtual Grub Street's computer postings is the result of thousands of web searches. It cannot, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other freeware removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is advisable to follow up a removal with one or more adware scans and/or an inspection of a HijackThis log. The information on this page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.
*
Intro. CleanUp! was created by Stephen R. Gould. It is a popular utility that clears your browser's history, bookmarks, favorites, cookies and the temporary files created while surfing the web, empties the Recycle Bin, deletes files from your temporary folders, and more. In its "Wipe Clean" mode it overwrites the deleted files so that standard commercial recovery tools cannot retrieve their contents. CleanUp! can clean more than 4.2GB in a single operational cycle.

Versions. 4.5.2, 4.0, 3.1.2, 3.0. Latest version covered: 4.5.2

File Size. 332 KB. File Type. exe. Most recent update: November 2006

Compatible Operating Systems. The same version of CleanUp! runs on Windows 95, Windows 98, Windows ME, Windows NT 4.0 Workstation, Windows NT 4.0 Server, Windows 2000 Professional, Windows 2000 Server, Windows 2000 Advanced Server, Windows XP Home, and Windows XP Professional.

Compatible Browsers. Internet Explorer (versions 1.x-6.x), Netscape Navigator/Communicator (versions 1.x-7.x), Mozilla (1.x), Firefox (1.x) and Opera (versions 2.x-7.x)

Notes:

  • Warning! CleanUp! does not create backup files before it deletes the originals. Once a file is "cleaned up" it is permanently lost.
  • Warning! CleanUp! should not be used on 64-bit systems.
  • Warning! CleanUp!'s "Scan local drives for temporary files" option may result in the inadvertent deletion of required system and/or Microsoft Office 2003 files. The Major Geeks download page suggests disabling this option. CleanUp! 4.5.2 has removed the "Scan local drives for temporary files" option from Standard CleanUp!; it is now only activated with "Thorough CleanUp!" or "Custom CleanUp!".
  • CleanUp! 4.5.2 includes a "Demo" mode "to help new users evaluate the utility without actually deleting anything from their computer." It is also possible to run the log file option while in Demo mode in order to review fully the files that CleanUp! will delete under the given configuration.
  • CleanUp! can remove many user-defined filenames from user-defined directories and delete many custom registry entries with the "Custom Files/Directories" and "Custom Registry Entries" features listed under the "General Options" tab.
  • In the "Wipe Clean" mode, CleanUp! overwrites a file three times with different data, then renames it 27 times before deleting it.
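As an added illustration (this is not CleanUp!'s own code, nor anything from the original page), the following Python script implements a wipe of the kind the "Wipe Clean" and "Demo" notes describe: several overwrite passes with different data, a run of renames, then deletion, plus a demo mode that only logs what would happen. The pass and rename counts default to the figures given above (three overwrites, 27 renames); the zero/one/random pattern sequence, the function names and the use of os.fsync are the example's own choices.

```python
"""CleanUp!-style "Wipe Clean" delete with a Demo (dry-run) mode.

Added example for this page; not CleanUp!'s code.  Defaults follow the
notes above (3 overwrite passes, 27 renames); everything else is an
assumption made for illustration.
"""
import os
import secrets
import tempfile


def wipe_file(path, passes=3, renames=27, demo=False, log=None):
    """Overwrite, rename and unlink `path`; return the action log.

    With demo=True nothing is modified; the actions that *would* run are
    appended to `log`, which is the same idea as CleanUp!'s Demo mode
    combined with its log file option.
    """
    if log is None:
        log = []
    size = os.path.getsize(path)
    directory = os.path.dirname(os.path.abspath(path))

    # 1. Overwrite the contents in place, once per pass, with different
    #    data (zeros, ones, then random bytes).  fsync pushes each pass to
    #    the device instead of leaving it in the page cache.
    patterns = [b"\x00", b"\xff", None]          # None = random bytes
    for n in range(passes):
        pat = patterns[n % len(patterns)]
        log.append(f"overwrite pass {n + 1}/{passes}: {path} ({size} bytes)")
        if demo:
            continue
        with open(path, "r+b") as fh:
            fh.seek(0)
            fh.write(secrets.token_bytes(size) if pat is None else pat * size)
            fh.flush()
            os.fsync(fh.fileno())

    # 2. Rename repeatedly so the original name no longer survives in the
    #    directory entry, then unlink the final name.
    current = path
    for n in range(renames):
        new = os.path.join(directory, secrets.token_hex(8))
        log.append(f"rename {n + 1}/{renames}: "
                   f"{os.path.basename(current)} -> {os.path.basename(new)}")
        if not demo:
            os.replace(current, new)
            current = new
    log.append(f"delete: {os.path.basename(current)}")
    if not demo:
        os.remove(current)
    return log


def demo_and_wipe(content=b"browser history (constructed sample)"):
    """Create a scratch file, plan its wipe in demo mode, then really wipe it.

    Returns (demo_plan, exists_after_demo, exists_after_wipe).
    """
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    plan = wipe_file(path, demo=True)
    exists_after_demo = os.path.exists(path)
    wipe_file(path)
    return plan, exists_after_demo, os.path.exists(path)


if __name__ == "__main__":
    plan, after_demo, after_wipe = demo_and_wipe()
    print("\n".join(plan))
    print("exists after demo:", after_demo, "| exists after wipe:", after_wipe)
```

Because no backup is taken (see the first warning above), run the demo pass and read the log before committing to a real wipe. In-place overwriting also only reaches the file's current blocks: copies held in a filesystem journal, a shadow copy or a backup, or relocated by SSD wear-levelling, are untouched by this or any similar tool.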

Latest Version. CleanUp! can be downloaded from the following locations:

Previous Versions. Previous versions of the CleanUp! can be downloaded from the following locations:

A CleanUp 3.1.2 tutorial is available at Geeks to Go!

Other VGS Freeware/Trialware Information Pages:

Monday, October 17, 2005

Elite Toolbar Remover Information Page



*

Intro: The Elite Toolbar Remover was created by an Italian developer, Gian Carlo Calo, who is very careful to keep his personal information off the web. Calo would seem to be one of several Italians who have formed the company Simply Tech. The company offers the freeware Elite Toolbar Remover as well as freeware encryption programs. PayPal donations are requested at a discreet location at the bottom of the page.

Latest Version. SimplyTech has just announced another update to the Elite Toolbar Remover (Version 2.1.2) that removes SearchMiracle.EliteBar [a.k.a. YupSearch (see YupSearch Addendum), Elite Toolbar, Elitum, ETBrun, LQ, etc.] without requiring the computer to be started in Safe Mode.

vs. PokaPoka. The site JayLoden.com, however, reports (Oct 14, 2005 01:20AM) that the tool was unable to remove the most recent PokaPoka variant available at the time, pokapoka76:

"There is a new version of the ETRemover from SimplyTech out, so if you're experiencing problems with EliteBar and/or PokaPoka I suggest you try that. I gave it a go on the most current pokapoka variant I could get (pokapoka76) and it didn't remove it at the time of writing. However, I will be sending the author of ETRemover a dump file of pokapoka76.exe and hopefully he will be able to update ETRemover."

vs. EliteBar.d. As VGS reported on May 22, the Elite Toolbar Remover cannot remove adw_elitebar.d. This variant uses entirely random file names. The variant is not common.

Removes other malware. Calo claims that the tool can remove the following other infections, as well: EliteBar; EliteToolbar; EliteSidebar; BargainBuddy; Browser Aid; CashToolbar; FreshBar; GameSpy; MoneyTree; Nail.exe; NaviSearch; navpsrvc.exe (also known as: W32/Forbot-EF, worm); SearchMeUp; SideStep; Spybot - Randex; SupportSoft; SurfSideKick; Win32.RBot; Winmon.exe (also known as: W32/Agobot-KA, trojan); WinMoviePlugIn; and InternetExplorer Plugin. Limited searching on these claims indicates that the tool does in fact remove these adware/malware items.

EliteBar fights back. The creators of SearchMiracle.EliteBar have specifically developed new variants to target the Elite Toolbar Remover (a fine recommendation of Calo's skills). Newer versions of the Remover have added features and instructions to overcome these countermeasures:


The variants in circulation [since] the end of January 2005... do a cache detect of the words: "EliteToolbarRemoverV10.zip" which was the old name of our previous version 1.0.

If you are trying to download it from a mirror site you will receive the following error:

''Cannot copy file, Cannot read from file source or disk''

This is not a message from your operating system, but a stupid message from the malware that is actually running in your PC.

The new variants of the malware also completely conceal the presence of the EliteToolbarRemoverV10.exe, so that if you are opening the archive you can only see the readme.doc file that is attached to that and you cannot see the *.exe even though it is [actually] there! After all, these are very clever programmers, aren't they?

Anyway, it is [certain] that these people will also blacklist the new name of the zip we are using now, so if this occurs... we suggest you download the software to another PC and [put] it on a diskette or a USB pendrive and run it on the infected PC in Safe Mode, as usual.

It is not clear whether or not these instructions continue to apply to the newer versions of the tool. Running the tool in Safe Mode is not supposed to be necessary as of Version 2.1.2.

Special Offer. For those who find that the 2.x.x series does not work for them, SimplyTech also continues to offer a 1.3.2 version for download from here:


In the words of Giancarlo Calo: "[W]e have decided to take the old v.1.3.x and fill it with the latest malware definitions, so we can now offer the v.1.3.2 that is more stable but is and remains a discontinued Beta product. It will no longer be supported, however, nor does SimplyTech have any specific plans to update its definitions in the future."

VGS on the Remover. The successive updates of the ETR can be followed by reading the following articles previously posted in the pages of Virtual Grub Street:


Downloads:

Latest Version. Version 2.1.2 of the Elite ToolBar Remover can be downloaded from the following locations:



Previous Versions. Previous versions of the Elite Toolbar Remover can be downloaded from the following locations:

Special Case Software. When downloading the Elite Toolbar Remover, the user may get a message indicating that he or she needs to install the following files: Msinet.ocx or Comctl32.ocx. Should this be the case, it will be necessary to download one of the following auxiliary files:

Calo recommends using the "Setup Kit" over the "DLL.zip" option.




Other VGS Freeware/Trialware Information Pages:




Also see:



[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]

Wednesday, June 15, 2005

HijackThis vs. SearchForFree.

SearchForFree is a relatively new piece of adware/malware. It is a start page hijacker downloaded by icasserv.exe (a.k.a. AdClicker-CM, TROJ_ICASERV.A, and Trojan-Clicker.Win32.Small.fd). The start page is actually hijacked by htmlsync.exe. The infection also adds bookmarks to the Internet Explorer browser.

Because Virtual Grub Street seeks to bring computer users together with freeware (or, occasionally, trialware) tools with which to remove malware infections, the "How to Remove SearchForFree" page suggests downloading and running Pocket KillBox on individual key files and cleaning up the bits and pieces that remain.

This does not mean that Pocket KillBox is the only - or even, necessarily, the best - available means of removal. For the present, it is the only freeware fix that would seem to be available. The vast majority of computer infections can be manually removed should the user be sufficiently aware of the specifics of manual removal and the dangers involved. The manual method can, however, be quite time consuming compared to an effective freeware fix.

HijackThis is a very popular tool used to glean detailed information on spyware, adware and trojans that may have invaded a computer. As described on the Tom Coyote HijackThis page, when launched it creates a log of "certain key areas of the Registry and Hard Drive and lists their contents. These are areas which are used by both legitimate programmers and hijackers. It's up to you to decide what should be removed."

It would not be entirely unfair to describe HijackThis as a program designed to simplify manual removal. Rather than search for files individually - the names of which the user may or may not know - and follow the file path to delete them, HJT provides an orderly log and a "fix" function. It is important to realize that the "fix" function is nothing more than a "delete" function, however, and the dangers inherent in manual removal remain. Care must be taken not to delete legitimate files or registry keys. It is always advisable to make a backup copy of the files in question before proceeding.

While HJT tutorials are available on the web, the log in question is a great confusion to the uninitiated. When their computers become infected, they flock to "expert" forums where they post their raw logs and beg for further instructions. For one thing, there are a great many different file names, some vital for proper system operation and others malicious. Even after considerable study it can be difficult to know which are which.

These forum threads are a source of considerable information. They can introduce the reader to a wide range of freeware packages and free online scans available on the web. They also provide keyfile names and paths that can be used to find and manually remove the components of an infection, should the user prefer that option to downloading HijackThis or other programs.

The cleanest HJT fix, as regards SearchForFree, would seem to be the one represented by this thread from DesignTechnica. The expert directs the suppliant to download his preferred anti-adware/malware freeware packages:

Download The Stand Alone Version of CW Shredder, [SpyBot S&D], [Ad-Aware],...


They are probably the three best known throughout the web. But the instructions do not yet call for using the packages. Instead the following:

Reboot To Safe Mode (tap F8 on Startup)
Delete this file
C:\WINDOWS\System32\icasServ.exe


A quick check at VGS's "How to Remove SearchForFree" reminds us that 'The file "icasserv.exe" is the downloader for this infection and is also known as the "icasserv-a trojan" (a.k.a. AdClicker-CM, TROJ_ICASERV.A, and Trojan-Clicker.Win32.Small.fd).'

In fact, none of the freeware packages is able to remove SearchForFree. The expert's removal instructions will amount to nothing more than manually removing the keyfiles, while in Safe Mode, for the SearchForFree infection:

C:\WINDOWS\System32\icasServ.exe
C:\WINDOWS\System32\isystem.exe
C:\WINDOWS\System32\ldriver.exe
C:\WINDOWS\htmlsync.exe

After the removal is effected, the suppliant is instructed that he should "Still In Safe Mode Delete all Temporary Internet Files, Cookies, Run CW Shredder, Ad-Aware and SpyBot S&D, delete what they find, Empty recycle bin." It is unclear what, if anything, from the SearchForFree infection is removed in this fashion.

It is important to realize that the "O4 - Startup: winupdate12900161[1].exe" entry that the expert deletes, after all of this, as the last step of the fix, is meant to repair a second infection not related to SearchForFree.

Geek Girl's fix, at this thread, from My Tech Support's forums, has one advantage and one disadvantage compared to the thread from Design Technica's expert. On the downside, she requires a greater number of downloads:

Download / Install / Update / and Run: [Ad-Aware] SE check for any updates before running it. Get the plug-in for fixing VX2 variants. You can download it at this SITE[.] To run this tool, install to the hard drive, then open [Ad-Aware]->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection.

Download and install SpyBot S&D . Run SpyBot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit SpyBot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. You will use this later.


Again, all of these are quality pieces of freeware, but none of them can remove the infection.

On the upside, her instructions on how to remove the icasServ.exe file clearly involve using the "process manager" function of HijackThis:

Go into [HijackThis]->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one (You must kill them one at a time).

C:\WINNT\System32\icasServ.exe



The Design Technica thread seems to direct the suppliant to manually delete the file rather than use the process manager.


While there might appear to be two different file paths to icasServ.exe in the two threads, there are not. The path "C:\WINDOWS\System32\icasServ.exe" is the system path on a Windows XP machine. The path "C:\WINNT\System32\icasServ.exe" is the system path on a Windows 2000/NT machine. The file "icasServ.exe" always loads from the "%System%" path.

Friday, May 20, 2005

EliteBar Removal Tool Updates to 1.3.0!!!!!

or How to Remove SearchMiracle/EliteBar (Alt. 1, Rev. 2)


Giancarlo Calo, over at SimplyTech.it, is staying aggressive with his freeware EliteBar Removal Tool. Among the infections it claims to remove "every trace" of are the following. The items highlighted in red are linked to Virtual Grub Street's "How to Remove/Detailed Information" pages:



EliteBar; EliteToolbar; EliteSidebar; BargainBuddy; Browser Aid; CashToolbar; FreshBar; GameSpy; MoneyTree; Nail.exe; NaviSearch; navpsrvc.exe (also known as: W32/Forbot-EF, worm); SearchMeUp; SideStep; Spybot - Randex; SupportSoft; SurfSideKick; Win32.RBot; Winmon.exe (also known as: W32/Agobot-KA, trojan); and WinMoviePlugIn.



The "How to Remove" detail pages for SearchMiracle/EliteBar consist of the articles regularly posted at VGS. The file information for EliteBar is located on the Adware & Malware Identifier Index itself. Further detail pages will be added on a continuing basis.

Simply Tech's description of the reason why SearchMiracle/EliteBar is so difficult to remove verifies the information in the various Virtual Grub Street articles over the past several months:


Actually some software like Spybot v.1.3, CWShredder v.2.12, Noadware, Adaware v.6, SpyNuker 2004 and SBC Yahoo! Anti-spy have no success in deleting this very frustrating malware. These programs find and delete it, but it keeps coming back since this new variant is very difficult to remove from the operating system.

The main problem is that the malware creates a lot of registry entries and executes at PC startup, winding itself into RAM and deletes its own *.exe from the C:\Windows\System32 directory.

When ordinary tools try to remove it, they only clean the registry calls, the C:\Windows\EliteToolbar directory and the cabinets files where it originated from, but they don't take any action against the malware itself that is currently running in RAM and waiting for the PC OS to be shut down only to repeat the infestation once again!
This would seem to be a trick that the newer malware/adware products are widely copying. Perhaps this is the reason that the EliteBar Removal Tool has added so many products to the list of infections it removes. It is certainly the reason that most HijackThis and manual removal instructions direct the user to delete the main and downloader files while in Safe Mode.







Also see:

[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]

Saturday, April 23, 2005

HijackThis vs. the Elitebar Removal Tool

The following HijackThis thread, from Web User Forums, highlights a number of key points about the modus operandi of the SearchMiracle/EliteBar downloader. It also highlights the comparative merits of SimplyTech's EliteBar Removal Tool.

The user's opening comments are typical:

I've just started getting IE pop-up windows appearing every so often. They appear regardless of whether I'm actually using my browser (Maxthon).

I've run [Ad-Aware], [SpyBot S&D], and installed SpywareBlaster and SpywareGuard. Removed a heap of items, but the popups are still appearing. Included below is a [HijackThis] log (created immediately after a reboot).


No standard anti-spy software has managed to fend off the infection entirely. A HijackThis log is posted together with a plea for help.

The expert's instructions are typical of the early strategy attempted by HijackThis experts:

*Open [HijackThis], take another scan and place a checkmark next to these entries.

R3 - URLSearchHook: IncrediFindBHO Class - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll [see VGS's Key File Index for more information on this file]

*Close all open Windows except [HijackThis] and click on "fix Checked".

* Open Windows Explorer, navigate to and delete the following
Files/Folders:

C:\Program Files\Common files\SearchUpgrader\>>>folder
C:\winnt\system32\elitekck32.exe>>>file
C:\WINNT\system32\NavLogon.dll>>>file [see VGS's Key File Index for more information on this file]

Reboot the Computer in normal mode, then click the "Post Reply" button and post a new log in this thread for further review and evaluation.



While this approach may provide some limited and temporary relief, SearchMiracle will soon be back in full force. As HijackThis experts have generally discovered, the downloader for the infection detects its removal and, if necessary, reinstalls itself from RAM as Windows is shut down. (The related file can have different names for different variants of the infection but has always, to date, appeared in the form "elite***32.exe".) This explains the next set of comments from the user:

I've done everything as you suggested, noting:

"C:\winnt\system32\elitekck32.exe>>>file": This file wasn't there. Searched entire HD and couldn't find it.
"C:\WINNT\system32\NavLogon.dll": Deleted *after* reboot, as was in use before reboot. [see VGS's Key File Index for more information on this file]

After 1st reboot, the elitekck32.exe entry (O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe) had reappeared, so I fixed it again and rebooted a 2nd time. It's still there, see new HJT log below. The pop-up windows are still appearing.

The file "elitekck32.exe" is no longer on the hard drive. The resident file was deleted by SearchMiracle itself when the "elitekck32.exe" entry was removed. The file is probably designed to be deleted in order to avoid having to rename it in order to re-install successfully.

The second round of instructions (in response to the updated HijackThis log) make the matter still clearer:

*Open [HijackThis], take another scan and place a checkmark next to these entries.

O4 - HKLM\..\Run: [load32] C:\WINNT\system32\winldra.exe [see VGS's Key File Index for more information on this file]

O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe
O21 - SSODL: NnjrTTQcGY - {372715F7-9D8D-BF5D-D9F5-F29E65298DCD} - C:\WINNT\system32\xqzq.dll (file missing)

*Close all open Windows except [HijackThis] and click on "fix Checked".
*Open Windows Explorer, navigate to and delete the following Files/Folders if present:

C:\WINNT\system32\winldra.exe >>>file [see VGS's Key File Index for more information on this file]
C:\winnt\system32\elitekck32.exe >>>file
C:\WINNT\system32\xqzq.dll >>> file



Reboot the Computer in normal mode, then click the "Post Reply" button and post a new log in this thread for further review and evaluation.



A number of files have returned: first the downloader exe and then the files it has begun to reinstall. The HijackThis expert, in this particular case, is stumped. He keeps advising the user to reboot in normal mode, which will only reload elitekck32.exe into RAM, from where it will reinstall when Windows is closed. In the newer, successful HijackThis threads the expert knows to reboot in Safe Mode and then delete the file. This prevents elite***32.exe from loading into RAM. If it cannot get into RAM it cannot write itself back onto the hard drive.
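An added example, written for this page and not part of the original post, of HijackThis or of VGS: a small Python parser that reads HijackThis lines of the kind quoted in this thread, normalizes the Windows 2000 (C:\WINNT\System32) and XP (C:\WINDOWS\System32) system directories to %System% as the June 15, 2005 post on SearchForFree above describes, and flags the indicators this page identifies: an elite***32.exe file in %System%, the [etbrun] Run key, and the SearchForFree components icasServ.exe, isystem.exe, ldriver.exe and htmlsync.exe. The regular expressions, function names and record layout are the example's own; the sample log is assembled from the two HJT excerpts quoted above, with one constructed O4 line added to show a SearchForFree hit on an XP path.

```python
"""Parse HijackThis (HJT) log lines and flag indicators named on this page.

Added example; not HijackThis, SimplyTech or VGS code.  Regexes, names and
the record layout are assumptions made for illustration.
"""
import re

# XP uses C:\WINDOWS\System32, 2000/NT uses C:\WINNT\System32; both are
# the %System% directory, so collapse them before matching indicators.
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\(?:WINDOWS|WINNT)\\SYSTEM32\\", re.I)
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.+)$")
# A drive-letter path ending in a binary extension (spaces allowed inside).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"<>|*?]*?\.(?:exe|dll|ocx|sys|com))', re.I)
# Fallback for O4 entries that name a bare file, e.g. "[foo] dllman.exe".
BARE_RE = re.compile(r"(\S+\.(?:exe|dll|ocx))\s*$", re.I)

INDICATORS = [
    ("SearchMiracle/EliteBar downloader (elite***32.exe)",
     re.compile(r"%System%\\elite\w+32\.exe\b", re.I)),
    ("SearchMiracle/EliteBar run key [etbrun]", re.compile(r"\[etbrun\]", re.I)),
    ("SearchForFree component",
     re.compile(r"\\(icasserv|isystem|ldriver|htmlsync)\.exe\b", re.I)),
]


def normalize(path):
    """Rewrite the OS-specific system directory prefix to %System%\\."""
    return SYSTEM_DIR.sub(lambda _: "%System%\\", path)


def parse_line(line):
    """Return {code, path, flags, labels} for one HJT entry, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    flags = [f for f in ("(file missing)", "(no file)") if f in body]
    pm = PATH_RE.search(body)
    raw = pm.group(1) if pm else None
    if raw is None:
        bm = BARE_RE.search(body)
        raw = bm.group(1) if bm else None
    path = normalize(raw) if raw else None
    # Match indicators against the body with the normalised path swapped
    # in, so one rule written for %System% covers both XP and 2000 logs.
    text = body.replace(raw, path) if raw else body
    labels = [name for name, rx in INDICATORS if rx.search(text)]
    return {"code": code, "path": path, "flags": flags, "labels": labels}


def scan_log(text):
    """Return (code, normalised path, labels) for every flagged entry."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and entry["labels"]:
            hits.append((entry["code"], entry["path"], entry["labels"]))
    return hits


# Sample log assembled from the two HJT excerpts quoted in this thread; the
# last O4 line is constructed to show a SearchForFree hit on an XP path.
SAMPLE_LOG = r"""
R3 - URLSearchHook: IncrediFindBHO Class - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O4 - HKLM\..\Run: [load32] C:\WINNT\system32\winldra.exe
O21 - SSODL: NnjrTTQcGY - {372715F7-9D8D-BF5D-D9F5-F29E65298DCD} - C:\WINNT\system32\xqzq.dll (file missing)
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\System32\icasServ.exe
"""

if __name__ == "__main__":
    for code, path, labels in scan_log(SAMPLE_LOG):
        print(code, path, "->", "; ".join(labels))
```

Only the two lines tied to indicators named on this page are reported; entries such as winldra.exe and NavLogon.dll, which the threads delete but which the page does not characterize, pass through unflagged, which is the point the posts make about HJT: the log lists everything, and deciding what is malicious is still the reader's job.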

This thread will end up successful, however, and for an interesting reason. The user takes the matter of getting rid of elite***32.exe into her/his own hands:

Hi, think I've got to the bottom of the elitekck32.exe file.

Another forum (http://forum.iamnotageek.com/history/topic.php/1819049822-1.html) put me onto this [Elite Toolbar Remover]... I've run it and it's removed the Elitekck32.exe malware, as shown in the new HJT log below. I've not posted logs for each account as I suspect that's not the problem.


She/he has downloaded and run the Elitebar Removal Tool and now returns to clean up some loose ends not related to SearchMiracle/EliteBar.

Again, this thread seems to highlight the relative merits of HijackThis and the Elitebar Removal Tool. The removal tool is quickly downloaded and specifically targets the problematic elite***32.exe file. HijackThis is not limited to a single strain of infection(s). Given some time for the HijackThis expert community to get a grasp of a particular infection, there is an excellent chance that a fix can be developed. Using it can also add to the user's knowledge of infections and of his/her computer.



Also see:


[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]




Monday, April 18, 2005

EliteBar Removal Tool Alert: Update V.1.2.2.!!!

or How to Remove SearchMiracle/EliteBar (Alt. 1, Rev. 1)


The thousands of people who are still flocking to the O.D. article How to Remove SearchMiracle/EliteBar (also known as ETBRUN), and the scores of links to the various O.D. articles on SearchMiracle/EliteBar and related adware/spyware, make it clear that Giancarlo Calo's freeware EliteBar Removal Tool is still the clear means of choice for removing this pest. The removal tool, however, is not limited strictly to SearchMiracle. Calo lists the following variant toolbars that can be removed by this software:


EliteBar (adware toolbar); EliteToolbar (adware toolbar); EliteSidebar (adware toolbar); Browser Aid (adware toolbar); CashToolbar (adware toolbar); SearchMeUp (adware toolbar); navpsrvc.exe (also known as: W32/Forbot-EF, worm); FreshBar (also known as: ADW_FRESHBAR.B, adware).

Recently Calo's Elite Toolbar Remover has received its most powerful endorsement to date. The newest updates of SearchMiracle/EliteBar incorporate code designed specifically to attack the remover:


We, at SimplyTech.it, in early January 2005, released a freeware utility that helped you restore your OS functionality by killing this malware. Since this version 1.0 of our EliteToolbar Remover, the silly guys at EliteToolbar have released some new variants of their malware. The variants in circulation from the end of January 2005, in fact, do a cache detect of the words: "EliteToolbarRemoverV10.zip" which was the old name of our previous version 1.0.

If you are trying to download it from a mirror site you will receive the following error:

''Cannot copy file, Cannot read from file source or disk''

This is not a message from your operating system, but a stupid message from the malware that is actually running in your PC.

The new variants of the malware also completely conceal the presence of the EliteToolbarRemoverV10.exe, so that if you are opening the archive you can only see the readme.doc file that is attached to that and you cannot see the *.exe even though it is really there! After all, these are very clever programmers, aren't they?

Anyway, it is certain that these people will also blacklist the new name of the zip we are using now, so if this occurs and new variants circulate on the Internet from today, we suggest you download the software to another PC, put it on a diskette or a USB pendrive and run it on the infected PC in Safe Mode, as usual.

So then, it is vitally important to be sure that you are downloading the latest (EliteToolbar Remover V.1.2.2) version of the remover. It is also important to read the informative Elite Toolbar Remover page at Simply Tech.

The software provided by Simply Tech is entirely freeware. The group offsets its costs as best it can through donations. A PayPal link is provided at the bottom of the Elite Toolbar Remover page. Please help them keep up their fine efforts if you can.



Also see:



[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]

Monday, April 11, 2005

HijackThis vs. SearchMiracle/EliteBar

HijackThis is a very popular tool used to glean detailed information on spyware, adware and trojans that may have invaded a computer. As described on the Tom Coyote HijackThis page, when launched it creates a log of "certain key areas of the Registry and Hard Drive and lists their contents. These are areas which are used by both legitimate programmers and hijackers. It's up to you to decide what should be removed."

The log in question is a great confusion to the uninitiated. When their computers become infected, they flock to "expert" forums where they post their raw logs and beg for further instructions. The process is highly informative and more than a little amusing.

Since the Enternet Media adware program SearchMiracle/EliteBar (also known as ETBRUN, Elitum, Elite Toolbar, etc.) has been at large on the net, logs of infected computers have begun to appear in profusion. Early on, the HijackThis faithful showed every confidence that their anti-spy program was up to the task of removing the pest. In the meantime, it has become clear that few HijackThis forum threads end with the adware and its associated StartPage.sj trojan having been successfully removed.

Whether due to frustration with SearchMiracle in particular, or difficult logs in general, the forum experts have begun adding an imposing list of other anti-adware/spyware programs that they require the supplicant to download into her or his computer before they will consent to attempt a fix. The following list, from the Tech Support Forum, is exemplary:

Download CWShredder and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download and install SpyBot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Please download Ad-Aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into [Ad-Aware]->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the HijackThis forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Still, most threads break off with the supplicant crying out that pop-ups remain in control of the computer. StartPage.sj (or whichever version of StartPage was then most recent) appears to load its key files in areas of the computer that HijackThis does not log.


Recently, a more promising approach has begun to be used. In a Tech Guide Forum thread of March 9, 2005, the expert suggested a new tack and, while he or she was not overflowing with confidence, the thread ended with a smiley face emoticon. The infection in that case was Adware.HuntBar, a close variant of SearchMiracle that also uses the infamous StartPage.sj trojan.

The new approach? Scan first with Panda Online Scan and then address the remaining items on the HijackThis log:
Go to this link >>>Online virus scan at Panda's http://www.pandasoftware.com/activescan/co...n_principal.htm
Don't start it yet

Now, this is VERY IMPORTANT
Close out all unnecessary programs running in the background
Close out all windows

Bring up the Task Manager (right click the bottom taskbar and select Task Manager). End process on these if you can...

After that is done you will have only the Task Manager and the page from Panda's open
Click the SCAN MY PC button>>>This should bring up a pop up window from Panda's
Close down the IE page that I linked you to Panda's but keep their popup window open...

It involved a bit of a struggle, but the final outcome was worth the effort. Those who have read OD's original SearchMiracle/EliteBar piece, Elite Bar Adventures, already know that Panda's online scan is able and willing to remove the StartPage.sj trojan for free.

There are two points that may not be clear in the thread, however. After the first Panda Online Scan, the StartPage.sj trojan remained in several files. My personal experience was that Panda had to clean twice before StartPage's EliteBar downloader file could be removed. Also, it is not likely that the final step of this thread will work for SearchMiracle/EliteBar.

Geek Girl at Computer Technical Support Forums also started with online scanning, on March 20th, with a set of initial instructions quite similar to those posted at Tech Guide Forum. On this occasion the infection was SearchMiracle itself. Her scanning instructions were slightly enhanced:
Scan your pc with one of these free online scanners:
Panda ActiveScan
RAV AntiVirus
Housecall. Be sure to check the box beside AutoClean.

Whether or not RAV or Housecall is able to remove StartPage.sj for free, I cannot say. These instructions would seem to argue that they are.

This is not to say that HijackThis simply cannot remove SearchMiracle without the help of an online scan, as evidenced by this thread at Geeks to Go in which the Staff Expert provided a snippet of code to be used in concert with a safe mode boot. Those guys must be working overtime over there. Whether or not it removed the most recent version of SearchMiracle, however, is impossible to tell.

Of course, there is also no telling whether, in any of these cases, the infection rose from the ashes and the disgusted supplicant decided not to return to the given forum. Even where the infection does not appear to have returned, OD makes no representations about any of the software, fixes, etc., cited above. As always, the rule is "Supplicant Beware!"


