
Friday, May 27, 2005

More on Variant ADW_ELITEBAR.D.

A March 2005 forum thread at Midtown Computer Systems Enterprise provides more detail on ADW_ELITEBAR.D . It's a bit garbled, though: intertwined with discussions about how malware gets installed on computers and about the relative merits of Firefox compared to Internet Explorer. But some things are clarified in the course of "bu2's" (the plaintiff's) attempts to remove this resistant variant of SearchMiracle/EliteBar.

First he informs us of the original condition of the machine, which can be quite helpful:


I use WIN XP Home SP2, IE 6.0, my AV is PC-Cillin. I also use Spy Hunter and Beta version of MS Antispyware. Recently I somehow got ADW_ELITEBAR.D adware that keeps reloading instantly after I get rid of it with the AV.

It is a standard XP installation with a commercial anti-virus program and two anti-spyware tools. Moreover, the anti-virus program -- Trend Micro's PC-Cillin -- has, as we already know from VGS's article "Diabolical New EliteBar Variant Strikes the Web!!!!", claimed to be able to remove EliteBar.D (a claim that Giancarlo Calo, at SimplyTech, disputes).

Next, he lets us follow the decision-making process:


I am still deciding what exactly to do and when. Trend Micro has a "solution" re the culprit at: [url] http://www.trendmicro.com/vinfo/grayware/graywareDetails.asp?SNAME=ADW%5FELITEBAR%2ED [/url] I could not make it run. I'll have another look, maybe I was hasty and missed something. It just opens a DOS like C: Command Prompt it seems to run but nothing happens. We are talking about their instructions to download TMAPTN.ZIP with the latest grey something files. Why am I paying them and updating religiously several times a day? Anyway the program that uses the above file (tmntsrv.exe) does not run or does not run properly when I do it.

I also was told to look into Simply Tech site [url] http://www.simplytech.it/ETRemover/ [/url] and download the Elite Bar Remover which I did and I am deciding whether to run it now or after my monthly (data) backups just in case something goes awry.

Once the system is clean I may well switch to another Internet Browser. I am not happy with MS leaving so many holes in their software. Also their Beta Antispyware, while pretty good, cannot even see the Elite Bar!? The Trend Micro Antivirus Scan can not see it either but the special Scan for Spyware feature does and it even deletes it but the s*it reinstalls itself instantly.

The utility that Trend Micro claimed would remove EliteBar.D is "tmntsrv.exe", driven by the TMAPTN.ZIP pattern file. Whether due to the nature of the malware, to his failure to deploy the removal tool properly, or to some other problem, the program fails even to run properly. He considers downloading and running the SimplyTech Elite Toolbar Remover.

The Beta version of Microsoft Antispyware, we learn, was not able even to detect ADW_ELITEBAR.D. At some point (exactly when is not clear) bu2 does use "the special Scan for Spyware feature" provided with his Trend Micro service. It detects and briefly removes the malware, which reinstalls immediately afterward. Whether it actually reinstalled on reboot is not stated, but it seems likely.

Next he tries SimplyTech's EliteBar Removal Tool. At this point, neither SimplyTech nor he is aware that there is a variant of EliteBar that the removal tool won't remove:



Well, I ran the remedy as explained at [url] http://www.simplytech.it/ETRemover/ [/url] That was in WIN XP Safe Mode and ... I scored a big victory for the ADW_ELITEBAR.D

It did not budge. As soon as I checked on it, after removing it with the "remover" and restarting the PC - I found it was still there.

Giancarlo Calo's commentary, soon after, in his own SimplyTech forum, can be found in VGS's article "Diabolical New EliteBar Variant Strikes the Web!!!!". What it all comes down to in the end is that no removal tool presently exists, free or commercial.


Source: Midtown Computer Systems Enterprise>message1508783



Also See:

[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]

Sunday, May 22, 2005

Diabolical New EliteBar Variant Strikes the Web!!!!

Giancarlo Calo, of SimplyTech.it, freeware Baron of the Internet, by virtue of his EliteBar Removal Tool, reports that a new malware variant has appeared on the net that Trend Micro has designated ADW_ELITEBAR.D. The first contacts with the new variant are described in an April 1 through May 19, 2005, thread at Simply Tech's EliteBar forum. In the words of Calo, in the original April 1, 2005, forum posting:
Well, as far as we are working on this pest we can say that it is NOT an EliteToolbar malware! It is acting in a half-way as a virus and half-way as a malware/spyware. It is using some new typologies of attack we have never watched before... We don't know if it's a new product of the same guys who released the EliteToolbar malware, but we can say it is not an EliteToolbar malware and we are not yet able to do an automatic remover for it.

According to Calo, Trend Micro seems to have felt, at one point, that its commercial software could remove the infection, but Simply Tech still found the malware intact after Trend Micro's process. The Trend Micro ADW_ELITEBAR.D information page presently lists only manual removal instructions. This is not the only item that is unclear. Trend Micro describes one toolbar on the ADW_ELITEBAR.D page while Calo provides a photo of an infection that leaves two toolbars, one top and one bottom. Just how these inconsistencies will be resolved remains to be seen. All of that aside, Calo describes a truly diabolical new approach to malware:
It doesn't install any dll and changes the name of its executable on a random basis using real words taken from documents of the user. It also traces and logs the activity of the user and writes a log file with the attributes used for the system files. It works in low-level with the system and it is impossible to dump it from the system memory because it fools you, directing your attention to a process that is not the real one responsible for the infestation.
This would appear to mean that the main executable file randomly changes its name while the infection is in the computer such that it is all but impossible to target and delete it. The naming process ("...using real words [taken from] documents [in the user's computer]") makes it difficult to tell legit from infected files or to locate the infected file through file searches. An excellent picture of the double toolbar arrangement is located at the forum posting. Giancarlo Calo, and Simply Tech, offer what little help they can for the time being:
At the moment the only way we can help you remove this infestation is by acting on your PC via a Remote Administration program. If you need our help write us a mail (simplytech@simplytech.it) about it and feel free to ask for details and times of intervention.

In at least some instances, the help provided will give SimplyTech much-needed data in return, and that is sure to help the effort to head off this variant before it ends up on all of our computers.


Friday, May 20, 2005

EliteBar Removal Tool Updates to 1.3.0!!!!!

or How to Remove SearchMiracle/EliteBar (Alt. 1, Rev. 2)


Giancarlo Calo, over at SimplyTech.it, is staying aggressive with his freeware EliteBar Removal Tool. Among the infections it claims to remove "every trace" of are the following. Several of the items are linked to Virtual Grub Street's "How to Remove/Detailed Information" pages:



EliteBar; EliteToolbar; EliteSidebar; BargainBuddy; Browser Aid; CashToolbar; FreshBar; GameSpy; MoneyTree; Nail.exe; NaviSearch; navpsrvc.exe (also known as: W32/Forbot-EF, worm); SearchMeUp; SideStep; Spybot - Randex; SupportSoft; SurfSideKick; Win32.RBot; Winmon.exe (also known as: W32/Agobot-KA, trojan); and WinMoviePlugIn.



The "How to Remove" detail pages for SearchMiracle/EliteBar consist of the articles regularly posted at VGS. The file information for EliteBar is located on the Adware & Malware Identifier Index itself. Further detail pages will be added on a continuing basis.

Simply Tech's description of the reason why SearchMiracle/EliteBar is so difficult to remove verifies the information in the various Virtual Grub Street articles over the past several months:


Actually some software like Spybot v.1.3, CWShredder v.2.12, Noadware, Adaware v.6, SpyNuker 2004 and SBC Yahoo! Anti-spy have no success in deleting this very frustrating malware. These programs find and delete it, but it keeps coming back since this new variant is very difficult to remove from the operating system.

The main problem is that the malware creates a lot of registry entries and executes at PC startup, winding itself into RAM and deleting its own *.exe from the C:\Windows\System32 directory.

When ordinary tools try to remove it, they only clean the registry calls, the C:\Windows\EliteToolbar directory and the cabinet files where it originated from, but they don't take any action against the malware itself that is currently running in RAM and waiting for the PC OS to be shut down only to repeat the infestation once again!
This would seem to be a trick that the newer malware/adware products are widely copying. Perhaps this is the reason that the EliteBar Removal Tool has added so many products to the list of infections it removes. It is certainly the reason that most HijackThis and manual removal instructions direct the user to do main and downloader file deletions while in Safe Mode.


Saturday, April 23, 2005

HijackThis vs. the Elitebar Removal Tool

The following HijackThis thread, from Web User Forums, highlights a number of key points about the modus operandi of the SearchMiracle/EliteBar downloader. It also highlights the comparative merits of SimplyTech's EliteBar Removal Tool.

The user's opening comments are typical:

I've just started getting IE pop-up windows appearing every so often. They appear regardless of whether I'm actually using my browser (Maxthon).

I've run [Ad-Aware], [SpyBot S&D], and installed SpywareBlaster and SpywareGuard. Removed a heap of items, but the popups are still appearing. Included below is a [HijackThis] log (created immediately after a reboot).


No standard anti-spy software has managed to fend off the infection entirely. A HijackThis log is posted together with a plea for help.

The expert's instructions are typical of the early strategy attempted by HijackThis experts:

*Open [HijackThis], take another scan and place a checkmark next to these entries.

R3 - URLSearchHook: IncrediFindBHO Class - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll [see VGS's Key File Index for more information on this file]

*Close all open Windows except [HijackThis] and click on "fix Checked".

* Open Windows Explorer, navigate to and delete the following
Files/Folders:

C:\Program Files\Common files\SearchUpgrader\>>>folder
C:\winnt\system32\elitekck32.exe>>>file
C:\WINNT\system32\NavLogon.dll>>>file [see VGS's Key File Index for more information on this file]

Reboot the Computer in normal mode, then click the "Post Reply" button and post a new log in this thread for further review and evaluation.



While this approach may provide some limited and temporary relief, SearchMiracle will soon be back in full force. As HijackThis experts have generally discovered, the downloader stays resident in RAM, detects when its files and registry entries have been removed, and, if necessary, reinstalls itself as Windows is closed. (The related file can have different names for different variations of the infection but always appears, to date, in the form "elite***32.exe".) This explains the next set of comments from the user:

I've done everything as you suggested, noting:

"C:\winnt\system32\elitekck32.exe>>>file": This file wasn't there. Searched entire HD and couldn't find it.
"C:\WINNT\system32\NavLogon.dll": Deleted *after* reboot, as was in use before reboot. [see VGS's Key File Index for more information on this file]

After 1st reboot, the elitekck32.exe entry (O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe) had reappeared, so I fixed it again and rebooted a 2nd time. It's still there, see new HJT log below. The pop-up windows are still appearing.

The file "elitekck32.exe" is no longer on the hard drive: SearchMiracle itself deleted the on-disk copy once it was loaded, leaving only the copy resident in memory. Deleting its own file is probably designed to avoid having to rename it in order to reinstall successfully.

The second round of instructions (in response to the updated HijackThis log) make the matter still clearer:

*Open [HijackThis], take another scan and place a checkmark next to these entries.

O4 - HKLM\..\Run: [load32] C:\WINNT\system32\winldra.exe [see VGS's Key File Index for more information on this file]

O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe
O21 - SSODL: NnjrTTQcGY - {372715F7-9D8D-BF5D-D9F5-F29E65298DCD} - C:\WINNT\system32\xqzq.dll (file missing)

*Close all open Windows except [HijackThis] and click on "fix Checked".
*Open Windows Explorer, navigate to and delete the following Files/Folders if present:

C:\WINNT\system32\winldra.exe >>>file [see VGS's Key File Index for more information on this file]
C:\winnt\system32\elitekck32.exe >>>file
C:\WINNT\system32\xqzq.dll >>> file



Reboot the Computer in normal mode, then click the "Post Reply" button and post a new log in this thread for further review and evaluation.



A number of files have returned: first the downloader exe and then the files it has begun to reinstall. The HijackThis expert, in this particular case, is stumped. He keeps advising the user to reboot in normal mode, which only loads elitekck32.exe back into RAM, from where it will reinstall when Windows is closed. In the newer, successful HijackThis threads the expert knows to reboot in Safe Mode and then delete the file. This prevents elite***32.exe from loading into RAM, and if it never reaches RAM it cannot write itself back onto the hard drive.
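The behaviour described in the Simply Tech quotation above (a resident process that deletes its own executable and rewrites it at shutdown) and in this thread (a Run entry for elitekck32.exe that keeps reappearing while the file itself cannot be found) leaves a recognisable pattern in the O4 lines of a HijackThis log. The following is an added example, not code from this page, from HijackThis or from SimplyTech: a small Python triage of O4 lines that flags autorun targets named like elite***32.exe, targets that are absent from disk, bare filenames such as dllman.exe that are not found in the system directories, and programs registered under more than one autorun key. The sample log lines are taken from the thread above with one ordinary vendor entry added; the disk listing, the C:\WINNT system directories and all function names are constructed for the example.

```python
"""Triage of HijackThis O4 (autorun) lines for the EliteBar re-drop pattern.

Added example, not code from the page, from HijackThis or from SimplyTech.
It reads the O4 lines a user pastes into a forum and flags the signs the
threads above keep running into: a target named elite***32.exe, a target that
is no longer on disk (the memory-resident copy deleted it), a bare filename
that is not in the system directories, and one program under several Run keys.
"""
import re
from typing import Any, Dict, List, Set

# Constructed sample built from the O4 lines quoted in the thread, plus one
# ordinary vendor entry (NvCplDaemon) so a clean line is represented.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
"""

# Constructed stand-in for a listing of the infected disk (lower-cased full
# paths). elitekck32.exe and dllman.exe are deliberately absent: the user
# reports the Run entry reappearing while the file cannot be found anywhere.
PRESENT_FILES: Set[str] = {
    r"c:\program files\common files\searchupgrader\searchupgrader.exe",
    r"c:\winnt\system32\rundll32.exe",
    r"c:\winnt\system32\nvcpl.dll",
}

# Directories Windows searches for a bare program name in a Run value
# (the quoted thread's machine is installed under C:\WINNT; assumed here).
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\winnt")

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ELITE_RE = re.compile(r"^elite[a-z0-9]+32\.exe$", re.I)


def executable_of(cmd: str) -> str:
    """Return the program part of an autorun command line.

    HijackThis prints the registry value verbatim, so unquoted paths with
    spaces are common; everything up to the first '.exe' is the program.
    """
    m = re.search(r"\.exe\b", cmd, re.I)
    exe = cmd[: m.end()] if m else cmd.split()[0]
    return exe.strip('"')


def triage_o4(log_text: str, present_files: Set[str],
              system_dirs=SYSTEM_DIRS) -> List[Dict[str, Any]]:
    """Parse every O4 line and attach the reasons it looks like a re-drop."""
    findings: List[Dict[str, Any]] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(m["cmd"])
        base = exe.rsplit("\\", 1)[-1]
        reasons: List[str] = []
        if ELITE_RE.match(base):
            reasons.append("target named like the elite***32.exe downloader")
        if "\\" not in exe:
            # Bare name: Windows resolves it through the system directories
            # and PATH, so check the usual locations rather than the literal.
            if not any(f"{d}\\{base.lower()}" in present_files for d in system_dirs):
                reasons.append("bare filename not found in system directories")
        elif exe.lower() not in present_files:
            reasons.append("autorun target missing on disk (dangling entry)")
        findings.append({"hive": m["hive"], "name": m["name"], "exe": exe,
                         "reasons": reasons})

    # Second pass: the same program registered under several autorun keys
    # (Run and RunServices here) is another sign of a self-reinstalling pest.
    by_target: Dict[str, List[Dict[str, Any]]] = {}
    for f in findings:
        by_target.setdefault(str(f["exe"]).lower(), []).append(f)
    for group in by_target.values():
        if len({g["hive"] for g in group}) > 1:
            for g in group:
                g["reasons"].append("registered under more than one autorun key")

    for f in findings:
        f["suspicious"] = bool(f["reasons"])
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG, PRESENT_FILES):
        flag = "SUSPECT" if f["suspicious"] else "ok     "
        print(f"{flag} {f['hive']} [{f['name']}] {f['exe']}")
        for r in f["reasons"]:
            print(f"        - {r}")
```

Note what the heuristics do not catch: the SearchUpgrader entry passes because its file is present and its name is unremarkable, even though it is adware. The checks single out the re-drop pattern; they do not replace a signature scan. On a real machine the disk listing should be taken in Safe Mode, since in normal mode the resident copy can put the file back between one scan and the next.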

This thread will end up successful, however, and for an interesting reason. The user takes the matter of getting rid of elite***32.exe into her/his own hands:

Hi, think I've got to the bottom of the elitekck32.exe file.

Another forum (http://forum.iamnotageek.com/history/topic.php/1819049822-1.html) put me onto this [Elite Toolbar Remover]... I've run it and it's removed the Elitekck32.exe malware, as shown in the new HJT log below. I've not posted logs for each account as I suspect that's not the problem.


She/he has downloaded and run the Elitebar Removal Tool and now returns to clean up some loose ends not related to SearchMiracle/EliteBar.

Again, this thread seems to highlight the relative merits of HijackThis and the Elitebar Removal Tool. The removal tool is quickly downloaded and specifically targets the problematic elite***32.exe file. HijackThis is not limited to a single strain of infection. Given some time for the HijackThis expert community to get a grasp of a particular infection, there is an excellent chance that a fix can be developed. Using it can also add to the user's knowledge of infections and of his or her own computer.






Monday, April 18, 2005

EliteBar Removal Tool Alert: Update V.1.2.2.!!!

or How to Remove SearchMiracle/EliteBar (Alt. 1, Rev. 1)


The thousands of people who are still flocking to the O.D. article How to Remove SearchMiracle/ EliteBar (also known as ETBRUN), and the scores of links to the various O.D. articles on SearchMiracle/EliteBar and related adware/spyware, make it clear that Giancarlo Calo's freeware EliteBar Removal Tool is still the clear means of choice for removing this pest. The removal tool, however, is not limited strictly to SearchMiracle. Calo lists the following variant toolbars that can be removed by this software:


EliteBar (adware toolbar); EliteToolbar (adware toolbar); EliteSidebar (adware toolbar); Browser Aid (adware toolbar); CashToolbar (adware toolbar); SearchMeUp (adware toolbar); navpsrvc.exe (also known as: W32/Forbot-EF, worm); FreshBar (also known as: ADW_FRESHBAR.B, adware).

Recently Calo's Elite Toolbar Remover has received its most powerful endorsement to date. The newest updates of SearchMiracle/EliteBar incorporate code designed specifically to attack the remover:


We, at SimplyTech.it, in early January 2005, released a freeware utility that helped you restore your OS functionality by killing this malware. Since this version 1.0 of our EliteToolbar Remover, the silly guys at EliteToolbar have released some new variants of their malware. The variants in circulation from the end of January 2005, in fact, do a cache detect of the words: "EliteToolbarRemoverV10.zip" which was the old name of our previous version 1.0.

If you are trying to download it from a mirror site you will receive the following error:

''Cannot copy file, Cannot read from file source or disk''

This is not a message from your operating system, but a stupid message from the malware that is actually running in your PC.

The new variants of the malware also completely conceal the presence of the EliteToolbarRemoverV10.exe, so that if you are opening the archive you can only see the readme.doc file that is attached to it and you cannot see the *.exe even though it is really there! After all, these are very clever programmers, aren't they?

Anyway, it is sure that these people will also blacklist the new name of the zip we are using now, so if this occurs and some new variants circulate the Internet from today we suggest you download the software to another PC and take it on a diskette or a USB pendrive and run it on the infected PC in Safe Mode, as usual.

So then, it is vitally important to be sure that you are downloading the latest (EliteToolbar Remover V.1.2.2) version of the remover. It is also important to read the informative Elite Toolbar Remover page at Simply Tech.
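Calo's advice to fetch the remover on another PC and carry it over on a diskette or USB stick can be backed by a check that does not depend on the infected machine's Explorer view, which the post above says the malware filters. The following is an added example, not SimplyTech's code: on the clean PC, record the SHA-256 of each member of the archive; on the infected PC, re-read the archive bytes with Python's zipfile module and compare, so a member the shell hides still reports as intact and a swapped, dropped or corrupted one is reported. The archive contents (a readme.doc and an EliteToolbarRemoverV10.exe with placeholder bytes) and the function names are constructed for the example; the real archive's members and bytes are not on the page.

```python
"""Verifying a removal-tool archive from its bytes rather than the shell view.

Added example, not SimplyTech's code. The post above says the malware hides
the remover's .exe from the archive view and fakes a "Cannot read from file"
error; neither changes the bytes on the diskette or USB stick. The clean PC
records a manifest (member name -> SHA-256); the infected PC re-reads the
archive with zipfile and compares against it.
"""
import hashlib
import io
import zipfile
from typing import Dict


def make_sample_archive(members: Dict[str, bytes]) -> bytes:
    """Constructed stand-in for the downloaded tool archive (not the real one)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _member_digests(zip_bytes: bytes) -> Dict[str, str]:
    """SHA-256 of each member's decompressed contents, keyed by member name.

    Raises zipfile.BadZipFile when the bytes are not a ZIP archive at all.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist()}


def build_manifest(zip_bytes: bytes) -> Dict[str, str]:
    """Run on the clean PC right after downloading; carry the result along."""
    return _member_digests(zip_bytes)


def verify_archive(zip_bytes: bytes, manifest: Dict[str, str]) -> Dict[str, str]:
    """Run on the infected PC against the copied archive.

    Returns one status per name: 'ok', 'modified', 'missing', 'unexpected'
    (a member the clean copy did not have) or 'unreadable' for every expected
    member when the bytes are no longer a valid ZIP.
    """
    try:
        present = _member_digests(zip_bytes)
    except zipfile.BadZipFile:
        return {name: "unreadable" for name in manifest}
    report: Dict[str, str] = {}
    for name, digest in manifest.items():
        if name not in present:
            report[name] = "missing"
        elif present[name] != digest:
            report[name] = "modified"
        else:
            report[name] = "ok"
    for name in present:
        if name not in manifest:
            report[name] = "unexpected"
    return report


# Constructed contents; the real remover's members and bytes are not on the page.
CLEAN_MEMBERS = {
    "readme.doc": b"Run EliteToolbarRemoverV10.exe in Safe Mode.\r\n",
    "EliteToolbarRemoverV10.exe": b"MZ" + bytes(range(256)),
}

if __name__ == "__main__":
    clean = make_sample_archive(CLEAN_MEMBERS)
    manifest = build_manifest(clean)
    print(verify_archive(clean, manifest))
```

Run build_manifest on the clean PC and keep its output with the archive (print it and write it down if nothing else); verify_archive on the infected PC then needs only the archive bytes and that manifest. The same comparison catches a download that the fake "Cannot read from file" message has left truncated: every expected member is reported as unreadable.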

The software provided by Simply Tech is entirely freeware. The group offsets its costs as best it can through donations. A PayPal link is provided at the bottom of the Elite Toolbar Remover page. Please help them keep up their fine efforts if you can.




Monday, April 11, 2005

HijackThis vs. SearchMiracle/EliteBar

HijackThis is a very popular tool used to glean detailed information on spyware, adware and trojans that may have invaded a computer. As described on the Tom Coyote HijackThis page, when launched it creates a log of "certain key areas of the Registry and Hard Drive and lists their contents. These are areas which are used by both legitimate programmers and hijackers. It's up to you to decide what should be removed."

The log in question is a great confusion to the uninitiated. When their computers become infected, they flock to "expert" forums where they post their raw logs and beg for further instructions. The process is highly informative and more than a little amusing.

Since the Enternet Media adware program SearchMiracle/EliteBar (also known as ETBRUN, Elitum, Elite Toolbar etc.) has been at large on the net, logs of infected computers have begun to appear in profusion. Early on, the HijackThis faithful showed every confidence that their anti-spy program was up to the task of removing the pest. In the meantime, it has become clear that there are few HijackThis forum threads that end with the adware and its associated StartPage.sj trojan having been successfully removed.

Whether due to frustration with SearchMiracle in particular, or difficult logs in general, the forum experts have begun adding an imposing list of other anti-adware/spyware programs that they require the supplicant to download into her or his computer before they will consent to attempt a fix. The following list, from the Tech Support Forum, is exemplary:

Download CWShredder and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download and install SpyBot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Please download Ad-Aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into [Ad-Aware]->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the HijackThis forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Still, most threads break off with the supplicant crying out that pop-ups remain in control of their computers. StartPage.sj (or the then most recent version of StartPage) appears to load key files in areas of the computer that HijackThis does not log.


Recently, a more promising approach has begun to be used. In a Tech Guide Forum thread, of March 9, 2005, the expert has suggested a new tack, and, while he/she was not overflowing with confidence, the thread ended with a smiley face emoticon. The infection is Adware.HuntBar, a close variant on SearchMiracle that also utilizes the infamous StartPage.sj trojan.

The new approach? Scan first with Panda Online Scan and then address the remaining items on the HijackThis log:
Go to this link >>>Online virus scan at Panda's http://www.pandasoftware.com/activescan/co...n_principal.htm
Don't start it yet

Now, this is VERY IMPORTANT
Close out all unnecessary programs running in the background
Close out all Windows

Bring up the Task Manager(right click the bottom taskbar and select Task Manager) End process on these if you can...

After that is done you will have only the Task Manager and the page from Panda's open
Click the SCAN MY PC button>>>This should bring up a pop up window from Panda's
Close down the IE page that I linked you to Panda's but keep their popup window open...

It involved a bit of a struggle but the final outcome was worth the effort. Those who have read OD's original SearchMiracle/EliteBar piece, Elite Bar Adventures, are already aware that the Online Panda Scan is able and willing to remove the StartPage.sj trojan for free.

There are two points that may not be clear in the thread, however. After the first Panda Online Scan, the StartPage.sj trojan remained in several files. My personal experience was that Panda had to clean twice before StartPage's EliteBar downloader file could be removed. Also, it is not likely that the final step of this thread will work for SearchMiracle/EliteBar.

Geek Girl at Computer Technical Support Forums also started with online scanning, on March 20th, and a set of initial instructions quite similar to those posted at Tech Guide Forum. On this occasion the infection was SearchMiracle itself. Her scanning instructions were slightly enhanced:
Scan your pc with one of these free online scanners:
Panda ActiveScan
RAV AntiVirus
Housecall. Be sure to put a check the box beside AutoClean.

Whether or not RAV or Housecall are able to remove StartPage.sj for free, I can not say. These instructions would seem to argue that they are.



This is not to say that HijackThis simply cannot remove SearchMiracle without the help of an online scan, as evidenced by this thread at Geeks to Go in which the Staff Expert provided a swatch of code to be used in concert with a Safe Mode boot. Those guys must be working overtime over there. Whether or not it removed the most recent version of SearchMiracle, however, is impossible to tell.

Of course, there is also no telling whether, in any of these cases, the infection rose from the ashes and the disgusted supplicant simply never returned to the forum. Even where no resurgence appears to have occurred, OD makes no representations about any of the software, fixes, etc., cited above. As always, the rule is "Supplicant Beware!"




Friday, March 18, 2005

EliteBar By Any Other Name

The following listing, which appears on the Spyware Guide page, seems like a good way to make people aware of the variety of names under which one or another variation of toolbar is offered by Enternet Media, Inc. or its affiliates. A number of these toolbars are offered as freeware with an EULA which is intended to leave the company at liberty to perform a number of vaguely described functions via the user's computer, with legal liability wholly transferred to the user.


Full Name: EliteBar Websearch
Type: Adware
Also Known as: EliteToolBar[,] Elite Bar Search Miracle[,] SearchMiracle EliteBar[,] EM Toolbar[,] Enternet Media Toolbar[,] EliteBar Internet Explorer Toolbar.
Danger Level: 6 [Explain]
Official Description: Adware: Program that creates advertisements on your PC. [Read complete listing.]


My personal experience and the results of a wide range of searches indicate that the EliteBar/SearchMiracle version should be rated "Danger Level: 8" by the Spyware Guide's own rating criteria.




AudioSeek Alert!

The YupSearch front page now appears at a new url: http://www.audioseek.net/. That is to say, now SearchMiracle, YupSearch and AudioSeek are all the names of front-pages for the advertising search engine that is presently the scourge of the Internet.




Yup Search Addendum

The search entries that generally bring people to O.D. would seem to make it clear that many fail to understand that YupSearch connects to the same advertising search engine as SearchMiracle. It is merely SearchMiracle by another name. Both are front pages for the base search engine which, those afflicted will note, does not display a unique url. Only the colors of the front pages differ. Click any link on the "search engine directory page" of YupSearch or SearchMiracle and you go directly to exactly the same page. There is no actual directory. The "directory listings" are merely canned search engine entries.

When the EliteBar adware is downloaded into a computer, SearchMiracle loads up key-word links to the base search engine in texts loaded up in the Internet Explorer browser. YupSearch, on the other hand, detects when "404" pages ("page not found") load up into the browser and redirects the browser to the base search engine in their place.

Now the matter will be even a bit more confusing. The YupSearch front page now appears at a new url: http://www.audioseek.net/. That is to say, now SearchMiracle, YupSearch and AudioSeek are all the names of front-pages for the advertising search engine that is presently the scourge of the Internet.




Sunday, February 27, 2005

How to Remove SearchMiracle/EliteBar

The following is VGS's original "How to Remove SearchMiracle.EliteBar" page. The information and links continue to be valid. It was created before VGS began its ongoing series of "How to Remove... 'detail pages,'" which include detailed file and removal tool information. The regularly updated "How to Remove SearchMiracle.EliteBar" detail page is located >>> Here.


How to Remove (Delete, Uninstall, Get Rid of) SearchMiracle/EliteBar.


Darren_st maintains an informative site on SearchMiracle/EliteBar (also known as ETBRUN) which links to a freeware EliteBar Removal Tool developed by an Italian named Giancarlo Calo. The site provides:

1) background on SearchMiracle ("It was created by a company called Entranet Media who own a web site called www.searchmiracle.com.... the Trojan Downloader will [...] download files from a web site @ install.searchmiracle.com.");
2) a history page giving versions and the dates they were released (a placard informed me that I had the most recent version: "Version 59 (approx 1st January 2005) EliteToolBar");
3) a description of the method of infection it utilizes; and,
4) a walkthrough of the process to remove it.

His description of the adware/virus generally squares with what I experienced but I have no way of knowing whether or not it is updated to the latest version of the Startpage trojan. My experience seems to have been slightly different and this may mean that the version I encountered was an upgrade.

Some who have downloaded the EliteBar Removal Tool have posted positive reviews. As always, each reader will have to use his best judgment. I make no representations whatsoever concerning the site or the software.


Also see:


  • PokaPoka.exe + Nothing = YupSearch (October 19, 2005). What do people mean when they say they have "YupSearch" instead of "EliteBar"?
  • Elite Toolbar Remover Information Page (October 17, 2005).
  • LQfix Information Page (October 15, 2005) There's a new tool in town!
  • How to Remove PokaPoka. (October 12, 2005) Does your EliteBar variant include PokaPoka.exe?
  • EliteBar Removal Tool Updates to 2.0.1. (September 21, 2005) The EliteBar Removal Tool now comes in two flavors and two generations!
  • SearchMiracle.EliteBar Then and Now (September 21, 2005). Hijacks, heroes, updates and links.
  • EliteBar Removal Tool Updates to 2.0.0!!!!! (September 15, 2005). Includes expanded list of infections removed by the removal tool.
  • More on Variant ADW_ELITEBAR.D. (May 27, 2005). "It is a standard XP with two top-end commercial anti-virus programs. Moreover, one of the anti-virus programs -- Trend Micro's PC-Cillin -- we already know..."
  • Diabolical new EliteBar variant Strikes the Web!!!! or the one the EliteBar Removal Tool can't remove (May 22, 2005).
  • EliteBar Removal Tool Updates to 1.3.0!!!!! (May 20, 2005). Includes expanded list of infections removed by the removal tool.
  • Adware & Malware Identifier Index (updated regularly). "The following is an in-progress index of some of the more common malware toolbars/browser helper objects at large on the Internet."
  • EliteBar Removal Tool Alert: Update V.1.2.2.!!! (April 18, 2005). "The new variants of the malware also completely conceal the presence of the EliteToolbarRemoverV10.exe, so that if you are opening the archive you can only see the readme.doc file that is attached to that and you cannot see the *.exe even though it is really there!"
  • HijackThis vs. SearchMiracle/EliteBar (April 11, 2005).



  • [re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]

    Thursday, February 24, 2005

    More "Elite Bar Adventures" Links and Info.

    Popdex has just listed "Elite Bar Adventures" as their third most linked-to posting. I provide the short list:

    Popdex crawls over 14,000 sites daily to determine the most popular links on the Internet.

    1. TypeNow.net Themed Fonts Movie and Music Fonts
    http://www.typenow.net/themed.htm
    2. Matthew Yglesias: Closet Tolerants
    http://yglesias.typepad.com/matthew/2005/02/closet_tolerant.html
    3. via blogs
    http://gilbertwesleypurdy.blogspot.com/2005/02/elite-bar-adventures.html
    4. Blizzard Entertainment - World of Warcraft
    http://www.worldofwarcraft.com/



    The following additional blog postings contain links to "E.B.A.": Blog Herald; La Coctelera (in Spanish); and News Burst. I haven't brought over links used for advertising or from subscription blogs. Of course, pretty much everybody has managed to list the piece without the blog name.

    Remember that there are further comments and clarifications to the article in the most recent Mailbag piece.

    Tuesday, February 22, 2005

    More from the Mailbag re Startpage.sj and SearchMiracle/EliteBar

    Well, my most recent post has certainly attracted attention. I had intended to write a follow-up piece with further (and I hope) helpful information -- and now even more so. For the moment, however, I will present a couple of items by way of a mailbag piece replying to the comments posted to "Elite Bar Adventures".

    First I would like to point out that I have not said, nor should anyone understand, that the Blogspot "Next Blog" button has a virus. The point is only that the random blog approach loads blogs into one's browser that one might otherwise choose not to visit for reasons of system safety. Presumably, we all try to steer clear of sites that are, for one reason or another, questionable. Regardless (for example) of what one might think of sex sites, etc., they tend to purvey much more adware and many more viruses.

    Next, many thanks to Timothy Klein for doing a bit of research of his own that I was not able to do. According to Timothy:

    from looking at the source for the web-page in question, and downloading the Javascripts it downloads with wget and reading them, this is both specific to Windows AND Internet Explorer.

    Unfortunately, Internet Explorer is my only real choice for the time being, regardless of the fact that I understand it as being the target of virtually every virus or bit of adware presently being designed.

    Timothy's comments about the blog "owners" in question are also worth considering:

    the author of the blog in question may not even realize their page is doing this. IOW, they may not be malicious. It appears that the "cover" action is a bit of Javascript to play music. The author of the blog MAY have just cut-and-pasted that bit of code, hoping to snaz up their blog with sound. Or not.

    I had no wish to imply that the blog owner was intentionally malicious. In fact, I would be pleased to learn that they were totally unaware and just a little chastened.


    I'll quote Rob Thomas's comment in full:

    It's really sad you struggled with all those other, weird, programs, when the two best ones, hijackthis and spybot are free, small, and easily downloaded. Also, 'defragging' and 'registry cleanups' do absolutely nothing to remove adware or virus infestations. Don't waste your time next time 8)

    I do not defrag in order to get rid of a virus. Whenever I suspect a virus, or other form of malicious code, is generating new files, perhaps with vital data strings, I alternate anti-virus/virus-removal attempts with defrags -- hoping the latter will maximize computer speed and either 1) alter a data transmission or 2) cause the virus to have to search a bit for where its data has gone. How likely this is, I can not say with certainty, but it seems to help. As for registry clean-up, I'm sorry but I have to disagree there.

    More importantly, about Hijackthis and Spybot: In researching the connection between SearchMiracle/EliteBar and StartPage.sj I have come by enough information to say that they were working in tandem much earlier than February 10, 2005, when Panda Software first detected StartPage. A brief check shows desperate forum members crying out for help, to defend against StartPage symptoms at least as early as September of last year. The following forum-post gives some very helpful information, including, it would seem, the fact that neither SpyBot nor Hijackthis worked, at that time, against StartPage: http://www.techsupportnewsletter.com/showthread.php?t=29990

    My piece was intended, actually, to be a piece alerting everyone to the fact that StartPage.sj (/sk) was the source of the problems people were having getting rid of their SearchMiracle/EliteBar. I have since learned that it showed up in all scans, of all commercial anti-virus software, prior to February 10th, as quasi-harmless "adware.elitebar". It is designed to overcome resident anti-virus software, as its first task, such that scans indicate it is adware. Instead it is a very sophisticated, voracious and destructive virus. After protecting itself and its Search/Miracle component from detection or removal, it apparently harvests site information and transmits it back to a remote data base.

    If Timothy Klein discovered only adware, he is absolutely correct. The initial injection is just that. The adware then pings the data bank and alters the IE browser such that the next software download or information placard that arrives at the subject computer has all of its button-urls replaced with the destination-url of the StartPage trojan. Click! It's all over!

    The following free online virus scan and information links have recently been added to the Gilbert Wesley Purdy Online Bibliography: Bit Defender; Free Country; Freedom; House Call; Panda; and Symantec. As I pointed out in the previous post, the Panda Software online scan can also remove StartPage.sj.

    ********************************************
    ** Have you checked out the Online Bibliography yet? **
    ********************************************

    Friday, February 18, 2005

    Elite Bar Adventures

    The following story is, unfortunately, true. What is even more unfortunate is that there is considerably more to the story. I, too, decided to end a long day of site maintenance (etc.) by browsing the Blogspot "Recently Updated" rolling index which dovetails into the "Next Blog" button. I'll let Mr. Alvin Borromeo, of Blogspot's MT Law Blog, tell his story and will follow it with further vitally important information concerning our shared experiences and the astonishing results of my subsequent investigation:
    CAUTION: Mallory & Tsibouris Co., LPA does not endorse the use of the "Next Blog" icon at the upper right hand corner of this blog. Please see this post for further information.
    Monday, January 24, 2005



    Spyware on Blogspot?
    If you look to the upper right hand corner of this webpage, you will see an icon to go to the "next blog." Clicking on this icon will take you to a randomly selected Blogger blog. Yesterday I was surfing the web on my home computer and hit the "next blog" icon a few times to see what's out there. One of the hits was nana***.blogspot.com (the actual name has numbers in place of the asterisks). Pop-ups immediately appeared on my computer immediately after I visited the nana blog, even though I have a pop-up blocker installed. I started getting messages about system resources, etc. I immediately closed all of my browsers, but it was too late. When I re-opened my browser it went to a different home page. My computer was hijacked! Sure enough, Ad-aware (from lavasoft) indicated that my computer had been infected with the Search Miracle/Elite Bar virus. I sent Blogger an e-mail to investigate. I will post their response. In the meantime, I will not be clicking on the "next blog" icon in the near future.

    The blog I was directed to, at the time my computer was attacked, was called "Cut Me Deep". But far more happened than the simple download of the SearchMiracle/EliteBar adware. Realizing that the destruction of my Yahoo Pop-Up blocker, and a flood of pop-up ads, at the rate of some dozens per minute, the considerable majority advertising Microsoft Anti-spyware/adware, indicated a possibly serious attack, I brought out the full bag of tricks and went to work. Norton is my first line of information/defense but it, too, was disabled after a few preliminary scans.

    I needed information from an uncorrupted source and logged back online and went to the Symantec Free Virus Scan page and spent an hour and more getting the Active-X scan files to download. Another hour was required in order to complete the search. Symantec informed me that I had about ten files infected with EliteBarB adware and nearly 1500 files infected with some generic form of the adware called simply: "adware.elitebar". But one detail of the scan report was shocking: the majority of the infected files were Norton/Symantec program and data files. There were perhaps 10 other infected files, most of them infected with the "B" version of EliteBar adware. Something was clearly out of place.



    After a day of chasing down the parasite files and digging out the Windows registry entries inserted by EliteBarB, my computer worked considerably better with the exception that pop-up ads continued at a much faster rate than normal. This lasted for another couple of hours, as I managed to do a Windows program integrity scan (no errors) and tried to disrupt any lingering remnants of the adware by doing repeated defrags and registry optimizations. Soon the Norton package was again inoperable: clearly attacked by the EliteBar adware! I was furious. This "adware" was a sophisticated and voracious virus. Surely, a criminal act. Why wasn't anyone going after these guys?

    The next day again, I decided that the Norton/Symantec data file corruption was something I had to get around somehow. I decided to try another Free Virus Scan site and to see how the results compared. As luck would have it, I chose Panda Software's Scan (a company nominally headquartered out of Bilbao, Spain). Panda's Active X files downloaded reasonably quickly. The scan was reasonably quick as well. But the results were very different. Like Norton/Symantec, Panda informed me that I had some files infected with EliteBarB, but only 5 rather than 10. Panda also told me that I had some 1500 infected files all told... But the files, it informed me, were not infected with some generic form of EliteBar adware. It identified them as a "startpage.sj" trojan!!!!!! This trojan, it informed me, had been detected for the first time two days before it attacked my computer. No further information, of any substance, was available.

    While Norton/Symantec only gives free scans, Panda also gives free decontamination of all detected worms and viruses (but not of any spyware or adware -- you must buy their software for that). I decided to take the decon. Sure enough, once the trojan was removed the pop-ups were reduced to a normal level and my computer ran normally again. Only the EliteBarB remained and I had manually removed its brain.

    But now I notice that shortly after pages are loaded up in my browser they begin to display dozens of links to a search engine with the address www.searchmiracle.com/. Numerous web searches inform me that this is the sign of SearchMiracle/EliteBar adware. Not only that, but they inform me that startpage.sj (there is also an ".sk" version) appears nowhere on Yahoo and in only a few listings on Google almost all of which are sites of Panda or its subsidiaries. Because Panda clearly operates under a number of subsidiary names in various parts of the world, it is possible that only Panda lists an advisory for startpage.sj and only it has the software to remove it. As for the search engine www.searchmiracle.com/ , it provides no information about its owner and none is available via any major search engine.



    Moreover, when an "HTTP Error 404 - File or directory not found" message would normally be the result of a search for a URL that did not exist, or a link that was broken, my browser sent me to http://www.yupsearch.com/search.php. This is the same advertising search engine as www.searchmiracle.com/. It simply enters via a different front URL.


    The only thing that can be said, with any degree of certainty about startpage.sj, is that it may not be a trojan, per se, but may enter the host computer, install the searchmiracle/elitebar adware tool bar in place of the traditional Microsoft Elite Toolbar, and, then, protect itself and/or SearchMiracle/EliteBar from removal by corrupting the program and data files of at least Norton, and perhaps other major anti-virus competitors, so that they indicate simply, generic EliteBar adware. Somehow, Panda is the only Anti-Virus company that has yet detected it. In a matter of hours after it detected the trojan it had developed a program to remove it.
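    The two symptoms described in this post and in the Yup Search Addendum above (links to the advertising engine's front pages appearing in page text, and 404 results replaced by a jump to yupsearch.com) can be checked for mechanically. The following is an added example written for this page, not code from Panda, Symantec or any of the removal tools named here; the three front-page hostnames come from the posts, while the sample page and URLs are constructed.

```python
"""Detect the two SearchMiracle/EliteBar symptoms described on this page:
links to the advertising engine's front pages injected into page text, and
not-found results that end up on one of those front pages instead.
All sample HTML and URLs below are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Front-page hostnames named on this blog (searchmiracle, yupsearch, audioseek).
FRONT_PAGE_HOSTS = {"searchmiracle.com", "yupsearch.com", "audioseek.net"}


def is_front_page_host(url):
    """True when the URL's host is one of the front pages or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FRONT_PAGE_HOSTS)


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs for every <a> tag in a page."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def injected_links(html):
    """Return the anchors whose target is a front page of the advertising engine."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links if is_front_page_host(href)]


def redirect_hijacked(requested_url, final_url):
    """True when a request for some other site lands on a front page (the 404 symptom)."""
    return not is_front_page_host(requested_url) and is_front_page_host(final_url)


# Constructed sample: an ordinary page with two keyword links pointing at front pages.
SAMPLE_PAGE = """<html><body>
<p>Panda's <a href="http://www.searchmiracle.com/search.php?q=antivirus">antivirus</a>
scan was quick. Read the <a href="http://example.org/faq">FAQ</a> for
<a href="http://www.yupsearch.com/search.php?q=spyware">spyware</a> details.</p>
</body></html>"""
```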

    Also see:

    [re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]