Help with Pop Ups (EliteOzz32)

CPT

I was having continuing problems with pop ups, even after
I downloaded the beta1 version of MS Spyware, though, the
MS Spyware was easy to use and did handle most of my
problems.

I tracked the problem to an "Elite" toolbar that had been
put on my system...during my brother-in-law's stay, but
that's another story.

To see if you have this same hijack, pop up, virus,
worm...whatever try: Start/Run/MSCONFIG, and go to
the "Start Up" tab. If you see EliteOzz32, then you have
the same problem. You'll notice that if you deselect
this from the Start Up, it will still be there when you
reboot. You'll also notice that while MS Spyware
activates when these pop ups occur, and asks if you want
to remove this, it doesn't work.

To fix the problem:
1. Reboot, and press F5.
2. Select Start up in Safe Mode with C:\ prompt.
3. Change directory (cd) to windows\system32 ( cd
C:\windows\system32 )
4. Browse this directory (dir/p)...you'll have to hit
enter to page down to the "e's". Look for anything
starting with "elite". These are the 10 files I had:

elitedoolsav.dat
elitedza32.exe
eliteerror32.dat
eliteift32.exe
elitejka32.exe
elitejng32.exe
elitekeh32.exe
eliteslj32.exe
elitetfa32.exe
elitevmj32.exe

5. Delete each of these files ( DEL elitedoolsav.dat )
(hit enter). Recheck the directory to make sure they're
all gone.

6. Turn off your computer and boot up in Safe Mode
(F5...just Safe Mode, not C:\ prompt).

7. Go to your accessories (start/programs/accessories)
and look for System Restore. Turn this off for
now...you'll need to turn it back on later.

8. Run MSCONFIG again. Select the Start Up tab again, and
uncheck EliteOzz32.

9. Reboot in normal mode. Check the Start Up tab
again...this time EliteOzz32 should have remained
unchecked.

10. Turn back on System Restore.

I understand this is a fairly specific problem and
solution, hope it helps, though.

Thanks,

CPT
 
Ron Chamberlin

Hi CPT,
Thanks for a great report!

As far as the Bro-in-law problem, strong passwords on all your accounts
before he comes back again.

Ron Chamberlin
MS-MVP
 
TerryD

I was having the exact same problem - only it was on W2K Pro.

First, a HUGE thank you to CPT for pointing me in the right
direction.

Second, I think I'd like to get hold of the very talented
person responsible for this crap, stick
an umbrella where the sun don't shine and open it.

Anyway...here is what I found on W2K and how I got rid of
it.....

Running the Antispyware Beta winds up with 89 infected
items ranging from files to folders to registry key
entries. The most obnoxious is the:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
antiware c:\winnt\system32\eliteynl32.exe

Every time it was deleted by the beta or manually by
myself, it magically reappeared almost immediately. Here
are the steps I took to get rid of it.

1. Reboot into Safe Mode (F8) and select "Safe Mode with
Command Prompt"
2. Log in as Administrator (not an account that has admin
rights).

To make sure you have the same problem:

3. Change to the WINNT folder (cd \winnt) and list all
"elite" references (dir elite*.*)
4. You will find two folders under C:\WINNT
"ELITESIDEBAR" and "ELITETOOLBAR".
The Beta finds these also and deletes them but they appear
to be set up again by the registry entry at reboot. It
looks like they contain all the garbage that this thing
needs to hijack IE.
5. Now change to the system32 folder (cd system32) and
again list all occurrences of "elite" (dir elite*.*). You
should find the following three files:

ELITEHDH32.EXE
ELITEKPO32.EXE
ELITEYNL32.EXE

To remove it, I renamed the program referenced in the
registry, figuring that the beta could successfully remove
everything permanently if the system couldn't find the
program and load it at boot time. Turns out that it worked.

6. Rename the ELITEYNL32.EXE file (REN eliteynl32.exe
elitexxx.txt). I probably went overboard with the new name
but I wanted to make sure I could find it again.
7. Reboot into Safe Mode again (no command prompt this
time) and log in again as administrator.
8. Run Antispyware and remove everything it finds.
9. Once it's done, reboot in Safe Mode to the Command
Prompt to verify everything and remove the renamed file. I
found that the C:\WINNT\ELITESIDEBAR folder was still there
but empty. "rd elitesidebar" gets rid of it. Change to
the system32 folder and delete the file in step 6 above.
10. I rebooted once again and logged in as Administrator
into safe mode and ran Antispyware. Everything was clean.
Just to be sure I rebooted normally, logged on normally
(not administrator) and ran it again with the same results
- clean.

Hope this helps any W2K users.....

TerryD
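
An added example, not part of either post: a small triage script that reads saved `reg query` output for the Run key and a system32 file listing, then reports which autostart value launches an "elite" executable and which matching files have no autostart entry. The name pattern, the sample registry text and the sample listing are constructed assumptions based on the file names quoted above.

```python
import re
from ntpath import basename  # Windows path rules, works on any OS

# Assumption: name shape inferred from the .exe files listed in both posts.
SUSPECT = re.compile(r"^elite[a-z]+32\.exe$", re.IGNORECASE)
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

# Constructed sample of `reg query` output for the Run key (not real output).
SAMPLE_REG = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    antiware    REG_SZ    c:\winnt\system32\eliteynl32.exe
    SampleTray    REG_SZ    "C:\Program Files\Sample\tray.exe" /min
'''
# Constructed system32 listing: TerryD's three files plus two unrelated names.
SAMPLE_DIR = ["ELITEHDH32.EXE", "ELITEKPO32.EXE", "ELITEYNL32.EXE",
              "cmd.exe", "notepad.exe"]

def parse_run_values(reg_query_text):
    """Parse `reg query <key>` text into {value name: data}; key lines are skipped."""
    values = {}
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values

def target_exe(data):
    """Return the lower-cased executable file name from a Run command line."""
    data = data.strip()
    if data.startswith('"'):                      # quoted path, arguments follow
        path = data[1:].split('"', 1)[0]
    else:                                         # unquoted: cut at the first .exe
        m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
        path = m.group(1) if m else data
    return basename(path).lower()

def triage(reg_query_text, system32_names):
    """Return (Run values launching a suspect file, suspect files with no Run value)."""
    on_disk = {n.lower() for n in system32_names if SUSPECT.match(n)}
    launchers = {}
    for name, data in parse_run_values(reg_query_text).items():
        exe = target_exe(data)
        if SUSPECT.match(exe):
            launchers[name] = exe
    return launchers, sorted(on_disk - set(launchers.values()))

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_DIR))
```

The value reported under launchers corresponds to the file TerryD renamed before rescanning; the unreferenced names are the other two files from the same listing.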
 
