Please help, I am running spybot 1.4, ad-awareSE, hijackthis. Both find the spyware and claim to remove it but do not. I have even gone though the registry manualy and tried to remove the instances but cannot, They almost re-appear as soon as I remove them. Here are my logs, Thank you.
-Things i have noticed
-I have C:\Program Files\E2G\IeBHOs.dll cannot delete with kilbot.exe (tried unregistering it also)
-C:\Documents and Settings\pma_up\Local Settings\Temporary Internet Files Folder is full of crazy .js files that i cannot delete

I have searched forums all over some with similar problems but can't fix this. It always comes right back
Thank you guys so much, you guy work magic
Matthew


Logfile of HijackThis v1.99.1
Scan saved at 3:39:36 PM, on 4/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\pma_up\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://slashdot.org/
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - AppInit_DLLs: iniwin32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

hi pmaup,

ok we will use hjt, then boot into safe mode:

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

O20 - AppInit_DLLs: iniwin32.dll
-----------------------
next boot computer into SAFE MODE. you reach safe mode by tapping the f8 key during a computer reboot. chose the first option safe mode.might want to copy/paste the rest of this to notepad and save it so you can find and read it in safe mode:
-----------------------
once in safe mode:

look here C:\Program Files and delete the E2G folder
next do this:
start>settings>Control Panel> click the Internet options icon

Next:

Click on Delete Cookies.

Click on Delete Files, Make sure Delete all offline content is checked and then click on OK


Then click on Settings, then click on View Files if there is any thing in there, delete what you can
(edit>select all--- then file>delete)

Then at the top in the address bar, at the end where it says:

\Temporary Internet Files

change it to \Temp then hit enter and delete what you can.


prefetch:

Go to:

Start> Run

And type this in:

C:\windows\prefetch

Once this is open Delete everything in the folder

also while in safe mode run spybot and avast and ms anti spyware.

after they finish, reboot computer normally, rescan and post anew hjt log.
looks like you have some entries disabled with MSCONFIG utility. you know what they all are?

shelf life

hi pmaup,

you still with us?

Sorry, the pc was my fathers and he just reformated :-( Before i could try that. This is why spyware is such a problem it forces us to drastic measures. I work at a computer store and i cannot tell you how many people buy new computers because of spyware. Maybe the the spyware companies are dell-HP-Gateway?????
Thank you though so much Shelf i am sure i will return soon, but hopefully not, Thank you again
thank you all!!!
Matthew

hi pmaup,

ok, no problem. heres some info for the new start:

Be careful of what you download, and where you download it from. Many programs come bundled with extra software.You may be installing more than you think. Make sure you understand what it is you will be downloading and installing to your computer. Visit the makers website, learn more about the program, Does the program you want come bundled with other "3rd party" programs? What do the 3rd party programs do? Will they deliver ads? Track your surfing habits?. Read the EULA agreement, you know, that paragraph of stuff you "agree to" before the software installs? If you search hard enough you can always find a "clean" alternative to any software. Stay away from warez and crack sites. Becarful what you download from file sharing networks. If you are not sure, scan it with your Antivirus app. A small file (in KB) is probably not what you think it is. DO YOU TRUST THE SOURCE?

Make sure you keep your Windows OS current by visiting Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp)
occasionaly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

Adjust your browser settings: Change your(active x) settings in IE. With IE open go to tools, internet options, security tab. Click on the internet globe, then custom level. Set the first option "download signed active x controls" to prompt, the next two to disable. Read more:
Internet Explorer Privacy & Security Settings (https://netfiles.uiuc.edu/ehowes/www/btw/ie/ie-opts.htm)
Working with Internet Explorer 6 Security (http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx)
Many exploits are directed at Internet Explorer, you dont have to use it. Try a different browser. You can have and use more than one browser on your computer.
Like Firefox (http://www.mozilla.org/products/firefox/),


Install a Firewall:A firewall will control what comes in from the internet and what leaves your computer to the internet. A firewall will also alert you when a application trys to connect to the internet from your computer, this is a good way to catch crapware or trojans, trying to connect out bound from your computer- whats that and why does it need a internet connection? You can deny it access it until more investigation is done. Zone Alarm is a free and easy to use firewall, that will provide in and outbound protection. Microsoft XP firewall only provides inbound protection. SP2 adds in and out bound protection which is better than nothing, but is not as robust as third party firewalls, Be sure to run only >one< firewall.If you use another, be sure to disable XP's built in firewall. If you use Zone Alarm learn what needs/uses your internet connection. If something unusal or out of the ordinary "asks" deny it access until more investigation is done.
Zone Alarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=dbtopnav_zass)
OutPost Lite (http://www.agnitum.com/products/outpostfree/download.php)

Outlook Express with the default settings is not secure. It will run scripts, download images etc, just like a browser. You dont have to use it.
look here (http://www.codecutters.org/outlook/)
and here (http://www.tames.net/security/oesettings.htm)
Or try Pegasus Mail, safer by default,no tweaking needed. (http://www.pmail.com/)

Make sure you have and keep updated Antivirus software
Free for home users:
avast! 4 Home Edition Download (http://www.avast.com/eng/free_virus_protectio.html)
AVG free version 7.0 (http://free.grisoft.com/freeweb.php/doc/2/)
AntiVir Personal Edition (http://www.free-av.com/)

Download one or two of these, install and update before using:(if these are constantly finding malware, then you need to make changes to your browser and or your habits)
CounterSpy (http://www.sunbelt-software.com/)Free trial version
Spybot Search and destroy (http://www.safer-networking.org/en/index.html)
Ad-Aware SE Personal edition (http://www.lavasoft.de/)
Microsoft Windows Defender (http://www.microsoft.com/athome/security/spyware/software/default.mspx)
Becarful with spyware "removers and scanners"-- there are many "rogue/suspect" (http://www.spywarewarrior.com/rogue_anti-spyware.htm) programs that "claim to remove" spyware.Check here first.
Dont be tempted to click on popup ads offering free scans or free downloads for malware removers. Read the above line again.

AntiTrojan software to fill in the gap:
a2 free (http://www.emsisoft.com/en/software/free/)
Ewido Anti-Malware (http://www.ewido.net/en/)
Trojan Hunter (30 day trial version) (http://www.misec.net/)
Tauscan trial version (http://www.agnitum.com/products/tauscan/)

Other programs to consider:
Process Guard (http://www.diamondcs.com.au/processguard/) stop events/processes with user intervention
SpywareBlaster (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49) add security to IE
IE-SPYAD (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD) adds adware peddlers sites/domains to IE restricted zone
CleanUp (http://www.stevengould.org/software/CleanUp/index.html) cleans out temp files,history, autoforms etc
ATF cleaner (W2K,XP only) (http://www.atribune.org/content/view/25/2/) cleans out temp files, history etc

Learn More:
Browser Checkup (http://www.jasons-toolbox.com/BrowserSecurity/)
Parasite Free (http://www.doxdesk.com/parasite/prevention.html)
Safe Hex (http://www.claymania.com/safe-hex.html)
Shelf Lifes page (http://security-central.us/SafeHex/index.htm)
Home Computer Security (http://www.cert.org/homeusers/HomeComputerSecurity/)