Some few of readers may recall the article YupSearch Addendum posted in VGS's pages this past March 18th. Of course, seven months ago is ancient history on the Internet (and especially ancient in matters of adware and malware). I had since noticed, in passing, that there seemed to have been some changes in how that search engine front-page was being employed. I promised myself to set aside some time, eventually, in order to check out the new version and have discovered a few items to pass along.
To recap, very briefly, a key point from the Addendum:
YupSearch... detects when "404" pages ("page not found") load up into the browser and redirects the browser to the base search engine in their place.
The original YupSearch was a redirect target only. It had no toolbar of its own.
That ended with the EliteSideBar version of the EliteBar infection (a.k.a. adw_elitebar.b). The EliteSideBar opens on left side of screen with numerous entries from the YupSearch front-page rather than from Searchmiracle. Or at least at first, for the EliteSideBar is programmed to download the full-bore Elite ToolBar after the SideBar is installed. If the download is successful, an Elite***32.exe or Kalv***32.exe file is installed and the file InprocServer32 and the YupSearch hijack target are deleted. Thus:
EliteSideBar 08dll + InprocServer32 = the adw_elitebar.b version of YupSearch
or perhaps better put:
EliteSideBar 08dll + Nothing = YupSearch (EliteBar.b version).
EliteSideBar 08dll + elite***32.exe (or kalv***32.exe) = EliteSideBar with a YupSearch redirect
and the user (or technician) will find a HijackThis (or other) entry for the SearchMiracle front-page as hijacker target.
The EliteSideBar, however, with its EliteSideBar 08dll and InprocServer32, seems not to have been a very effective variant of EliteBar. It has been all but abandoned for another trojan downloader the name of which has since become infamous: PokaPoka**.exe. The scheme is the same:
PokaPoka + Nothing = YupSearch
PokaPoka.exe + Elite***32.exe = EliteBar with a YupSearch redirect..
Once Elite***.exe is downloaded, the YupSearch hijacker target is deleted and the SearchMiracle hijacker installed. The YupSearch front-page target now only appears, if it appears at all, on special redirects, the most common being redirects away from 404 ("page not found") pages.
The reason I refer to SearchMiracle and YupSearch "front-pages" rather than "search engines" is explained in YupSearch Addendum.
- Elite Toolbar Remover Information Page (October 17, 2005).
- LQfix Information Page (October 15, 2005) There's a new tool in town!
- How to Remove PokaPoka. (October 12, 2005) Does your EliteBar variant include PokaPoka.exe?
- EliteBar Removal Tool Updates to 2.0.1. (September 21, 2005) The EliteBar Removal Tool now comes in two flavors and two generations!
- SearchMiracle.EliteBar Then and Now (September 21, 2005). Hijacks, heroes, updates and links.
- EliteBar Removal Tool Updates to 2.0.0!!!!! (September 15, 2005). Includes expanded list of infections removed by the removal tool.
- More on Variant ADW_ELITEBAR.D. (May 27, 2005). "It is a standard XP with two top-end commercial anti-virus programs. Moreover, one of the anti-virus programs -- Trend Micro's PC-Cillin -- we already know..."
- Diabolical new EliteBar variant Strikes the Web!!!! or the one the EliteBar Removal Tool can't remove (May 22, 2005).
- EliteBar Removal Tool Updates to 1.3.0!!!!! (May 20, 2005). Includes expanded list of infections removed by the removal tool.
- Adware & Malware Identifier Index (updated regularly). "The following is an in-progress index of some of the more common malware toolbars/browser helper objects at large on the Internet."
- Is Google Associated with a SearchMiracle Knock-Off? (April 27, 2005) "A question begs the asking: How does NetNucleus generate revenue from its Mirar Toolbar search directory if it enters search terms in the Google Search Engine?"
- EliteBar Removal Tool Alert: Update V.1.2.2.!!! (April 18, 2005). "The new variants of the malware also completely conceal the presence of the EliteToolbarRemoverV10.exe, so that if you are opening the archive you can only see the readme.doc file that is attached to that and you cannot see the *.exe even if though it is really there!"
- HijackThis vs. SearchMiracle/EliteBar (April 11, 2005).
- YupSearch Addendum (March 18, 2005).
- Audio Seek Alert (March 18, 2005).
- How to Remove SearchMiracle/ EliteBar (February 27, 2005).
- Online Bibliography (Regularly updated). A bibliography of Gilbert Wesley Purdy's work on the Web and elsewhere including computer topics.
[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]