Wednesday, November 16, 2005

EliteBar Removal Tool Updates to V.2.0.0!!!!!

or How to Remove SearchMiracle/EliteBar (Alt. 1, Rev. 3)

Giancarlo Calo, over at, remains aggressive with his freeware Elite Toolbar Remover. Among the infections that version V.2.0.0 claims to remove "every trace" of are the following. The items highlighted in red are linked to Virtual Grub Street's "How to Remove/Detailed Information" pages:

EliteBar; EliteToolbar; EliteSidebar; BargainBuddy; Browser Aid; CashToolbar; FreshBar; GameSpy; MoneyTree; Nail.exe; NaviSearch; navpsrvc.exe (also known as: W32/Forbot-EF, worm); SearchMeUp; SideStep; Spybot - Randex; SupportSoft; SurfSideKick; Win32.RBot; Winmon.exe (also known as: W32/Agobot-KA, trojan); WinMoviePlugIn; and [InternetExplorer Plugin].

The "How to Remove" detail pages for SearchMiracle/EliteBar consist of the articles regularly posted at VGS. The file information for EliteBar is located on the Adware & Malware Identifier Index itself. Further detail pages will be added on a continuing basis.

Simply Tech's description of the reason why SearchMiracle/EliteBar is so difficult to remove verifies the information in the various Virtual Grub Street articles over the past months:

Actually some software like [SpyBot S&D] v.1.3, CWShredder v.2.12, Noadware, [Ad-Aware] v.6, SpyNuker 2004 and SBC Yahoo! Anti-spy have no success in deleting this very frustrating malware. These programs find and delete it, but it keeps coming back since this new variant is very difficult to remove from the operating system.

The main problem is that the malware creates a lot of registry entries and executes at PC startup, winding itself into RAM and deleting its own *.exe from the C:\Windows\System32 directory.

When ordinary tools try to remove it, they only clean the registry calls, the C:\Windows\EliteToolbar directory and the cabinet files where it originated from, but they don't take any action against the malware itself that is currently running in RAM and waiting for the PC OS to be shut down only to repeat the infestation once again!

This is now well known to be a trick that the newer adware and malware products are widely copying. Perhaps this is the reason that the Elitebar Removal Tool has added so many products to the list of infections it removes. It is certainly the reason that most HijackThis and manual removal instructions direct the user to do file deletions while in Safe Mode.
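The behavior described above (a process that stays resident after its own *.exe has been deleted from disk) can be checked for directly. The following is an added example, not part of Giancarlo's tool or the Simply Tech write-up; it is read-only, the function names are hypothetical, and the choice of the two standard Run keys as the "registry entries" to inspect is an assumption, since the page does not name the keys.

```powershell
# Added example: report running processes whose image file is no longer on disk,
# and Run-key values whose target file is missing. Nothing is killed or deleted.

function Get-OrphanedProcess {
    # Win32_Process.ExecutablePath is empty for some system/protected processes,
    # especially without elevation; those are skipped rather than flagged.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.ExecutablePath -and
                       -not (Test-Path -LiteralPath $_.ExecutablePath) } |
        Select-Object ProcessId, Name, ExecutablePath, CreationDate
}

function Get-RunKeyEntry {
    # Assumption: the standard per-machine and per-user Run keys.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            $path = $null
            # Take the quoted path, or else the text up to the first ".exe".
            if ($command -match '^\s*"([^"]+)"' -or
                $command -match '^\s*(.+?\.exe)') {
                $path = [Environment]::ExpandEnvironmentVariables($Matches[1])
            }
            # Bare names such as "rundll32.exe" resolve via the search path,
            # so existence is only tested for fully rooted paths.
            $exists = $null
            if ($path -and [IO.Path]::IsPathRooted($path)) {
                $exists = Test-Path -LiteralPath $path
            }
            [pscustomobject]@{
                Key = $key; Name = $name; Command = $command
                ImagePath = $path; FileExists = $exists
            }
        }
    }
}

# Processes still in RAM with no backing file are what registry-only cleaners miss.
Get-OrphanedProcess | Format-Table -AutoSize
Get-RunKeyEntry | Where-Object { $_.FileExists -eq $false } | Format-Table -AutoSize
```

A hit from the first function while the second shows a startup entry pointing at the same missing path matches the pattern Simply Tech describes, and is the case where cleaning from Safe Mode matters.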

Giancarlo describes the new feature specific to Version 2.0.0 as follows:

An [h]euristic search done with commercial antivirus programs (like Norton AntiVirus and McAfee Virus Scan) gave some FALSE POSITIVE messages when they opened the ETRemover_V130.exe and ETRemover_V131.exe files....

The new version 2.0.1 (and the previous beta V.2.0.0) overcomes this problem by using an external ETRDEF.DAT file which contains the definitions of all the malware, viruses, trojans and the Registry keys scanned by the program to clean the infected PC.

The new version has also added InternetExplorer Plugin to the list of infections it claims to remove. Otherwise, the removal tool would seem to be unchanged.


[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elitum Elite Toolbar Elite Tool Bar ETBrun YupSearch Yup Search.]
