popup ads RE: eliteowg32.exe

Guest

C:\windows\system32\eliteowg.32.exe entry continues to
reappear in the "windows\run" registry entry (even after
deletion). Found eliteowg32.exe & elitebjo32.exe in
c:\windows\system32\ folder (Elite Toolbar, malware). Ad-
Aware and MS Anti-Spyware would sometimes find, but not
fully eliminate the problem on normal-mode "active" or
manual deep scans (very big bummer!). After full Ad-aware
and MS Anti-Spyware scans were run in Windows safe-mode
(both scanners found things the other did not... :( ),
and the eliteowg32.exe & elitebjo32.exe files
were "manually" deleted, the popup ads stopped... I hope
MS can add this threat to their scanner software for easier
removal for others..?
 
Andre Da Costa

Send a suspected spyware report from the tools menu in Microsoft
AntiSpyware.
This is not really a virus but rather the Elite Tool Bar which is a BHO -
browser helper object.

Here is a page that talks about it:
http://uk.geocities.com/darren_st/etb/

You can use their instructions for removal or follow the steps found below:

--
If you are under attack and MSAS does not seem to help:

*Submit suspected spyware report in the tools menu of MSAS*

1. Download:
lspfix.exe www.cexx.org/lspfix.htm
ccleaner.exe www.ccleaner.com
killbox.exe www.bleepingcomputer.com/files/killbox.php

2. Reboot into safe mode - http://tinyurl.com/pfca

3. Clean out all temp file locations - ccleaner.exe
(be sure to configure to delete all temp files
and not just those 48 hours old or older)

4. Run MSAS at least twice in full/deep mode

5. Run a robust, updated antivirus software scan

6. Reboot into normal mode, see if problem has been corrected

7. Install and use killbox to delete stubborn files

Battle Notes:
- If you have trojans (files that won't go away),
you may have to disable System Restore on XP:
http://tinyurl.com/movy

- If your Internet connectivity quits:
http://support.microsoft.com/kb/892350
LSPFix - http://www.cexx.org/lspfix.htm

- This program will not detect or remove viruses
http://www.microsoft.com/athome/security/viruses/default.mspx

** For a detailed attack plan **
http://spywarewarrior.com/sww-help.htm

*** For assistance in battling infestations***
- Get HijackThis.exe from:
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
- Save it to C:\hjt (new folder)
- Open it and select "Scan and Save Log"
- Note where you saved the log
- Send it to Ron Kinner as an attachment
- Ron's email address is (e-mail address removed)
- Put Hijack in the subject so he knows it's not spam
- He will tell you what to do next


Application Notes:
Registering a VB6 dll seems to fix missing agents:
1) Open up a command prompt (start -> run -> cmd)
2) Type in the following "regsvr32 msvbvm60.dll" (without the quotes).
3) Close and re-open Windows AntiSpyware

- Several issues are addressed by Microsoft -
Cookies, supported OS, and cost.
http://www.microsoft.com/athome/security/spyware/software/faq.mspx

- This program will not work with Windows 98 or ME.
If you need a tool for 9X/ME, go here:
http://www.majorgeeks.com/downloads31.html

- If your taskbar is on the side of your screen, the alerts
scroll off the screen. Move the taskbar back to the
bottom or top to stop the scroll, then revert back.

- Mark Ferguson maintains an FAQ:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt
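
As an added example (not part of the original posts and not HijackThis's own code), the Python below triages a saved HijackThis log for the autorun (O4) and BHO (O2) entries this thread describes. The O2/O4 line layout, the `elite???32.exe` naming pattern, the EliteToolbar directory rule and the sample log are assumptions of the example.

```python
import re
from ntpath import basename

# File names reported in this thread; the naming pattern and the
# EliteToolbar directory rule are assumptions generalised from them.
NAMED = {"eliteowg32.exe", "elitebjo32.exe"}
PATTERN = re.compile(r"^elite[a-z]{3}32\.exe$")
# Assumed HijackThis 1.99 layouts for autorun (O4) and BHO (O2) lines.
O4 = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
O2 = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")

def target_path(cmd):
    """Return the file an entry points at, without quotes or arguments."""
    cmd = cmd.replace("(file missing)", "").strip()  # marker, if present
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|com|bat|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd

def reason(path):
    """Say why a path matches the Elite Toolbar indicators, else None."""
    name = basename(path).lower()
    if name in NAMED:
        return "file named in thread"
    if PATTERN.match(name):
        return "same naming pattern"
    return "EliteToolbar directory" if "\\elitetoolbar\\" in path.lower() else None

def triage(log_text):
    """Return (where, label, path, reason) for each flagged O2/O4 line."""
    hits = []
    for line in map(str.strip, log_text.splitlines()):
        m4, m2 = O4.match(line), O2.match(line)
        if not (m4 or m2):
            continue
        where, label, cmd = (f"{m4[1]} {m4[2]}", m4[3], m4[4]) if m4 else ("BHO", m2[2], m2[3])
        path = target_path(cmd)
        if reason(path):
            hits.append((where, label, path, reason(path)))
    return hits

# Constructed sample log; the CLSID and the DLL name are placeholders.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\EliteToolbar\example.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eliteowg32] C:\WINDOWS\system32\eliteowg32.exe
O4 - HKCU\..\Run: [elitexyz32] C:\WINDOWS\system32\elitexyz32.exe
"""
```

Calling `triage()` on the text of a saved log returns only the entries worth a second look; every other line is skipped.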
 
AndyManchesta

Hi, have you tried the Elite Bar remover? You can get it
from here:

http://www.simplytech.it/ETRemover/ETRemover_V123.zip


Developer: SimplyTech

License: Freeware

Price: FREE

OS: Windows All

Size: 356 KB

Last Updated: April 28th, 2005 13:14



Here's the write-up:

This freeware utility helps people to delete the new
infestations caused by the EliteToolbar variants that are
circulating on the Net nowadays...

The main problem is that the malware creates a lot of
registry entries and it goes into execution at the start of
the PC, hiding itself in RAM and deleting its own *.exe
from the C:\Windows\System32 directory.

When the ordinary tools try to remove it, they only clean
the registry calls, the C:\Windows\EliteToolbar directory
and the cabinet files from which it originated the
first time, but they don't take any action against the
malware itself that is currently running in RAM
and is waiting for the PC's O.S. to be shut down to repeat
the infestation from the back!

This tool should be run from safe mode. It will not be
able to delete files in use by Windows, so running it
from a regular windows session is useless.

Good Luck

Andy
 
