E2G, Apropos media, QoolAid, iebhos.dll

Guest

I have recently found numerous computers with spyware and adware related to
these known spyware programs. The symptoms I have observed include:

Internet Explorer will open and immediately close
When connected to a LAN adware pop-ups come through constantly
Browser windows open that have strange title bars such as "WMOV"
Terrible performance due to the number of programs running in active memory

I have tried Spyware Doctor, Spybot, Hijack This, Adaware SE, Fix It
Utilities, Norton System Utilities, etc. Using a combination of Spyware
Doctor, Adaware SE, manual file removal, and manual registry key removal, I
can limit the number of infections to 6, which Spyware Doctor can then clean.
The 6 that are left are Apropos Media. The problem is, upon reboot (even
into safe mode) the infections return. I have also removed all programs from
startup that are not system related. IeBHOs.dll always returns. Of course,
once IE is opened, all of the infections return immediately. IeBHOs.dll is
a known browser hijacker and all of the resources on the internet have removal
instructions, but none work.

Any ideas?

The best fix that I have come up with is to transfer the data and reformat
and reload the OS.
 
From: "RedflameTech" <[email protected]>

| I have recently found numerous computers with spyware and adware related to
| these known spyware programs. The symptoms I have observed include:
|
| Internet Explorer will open and immediately close
| When connected to a LAN adware pop-ups come through constantly
| Browser windows open that have strange title bars such as "WMOV"
| Terrible performance due to the number of programs running in active memory
|
| I have tried Spyware Doctor, Spybot, Hijack This, Adaware SE, Fix It
| Utilities, Norton System Utilities, etc. Using a combination of Spyware
| Doctor, Adaware SE, manual file removal, and manual registry key removal, I
| can limit the number of infections to 6, which Spyware Doctor can then clean.
| The 6 that are left are Apropos Media. The problem is, upon reboot (even
| into safe mode) the infections return. I have also removed all programs from
| startup that are not system related. IeBHOs.dll always returns. Of course,
| once IE is opened, all of the infections return immediately. IeBHOs.dll is
| a known browser hijacker and all of the resources on the internet have removal
| instructions, but none work.
|
| Any ideas?
|
| The best fix that I have come up with is to transfer the data and reformat
| and reload the OS.
|

I suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

BHODemon
http://www.definitivesolutions.com/bhodemon.htm

I also suggest using a News Client and posting in; alt.privacy.spyware
 
I have the same problem with E2Give which keeps reappearing after bootup.
I've used Microsoft's antispyware, which says that it has been deleted, but it
returns every time. Has anyone found the root programme that generates the
E2Give?

Hoping

Dave
 
From: "Dave Sharers" <Dave (e-mail address removed)>

| I have the same problem with E2Give which keeps reappearing after bootup.
| I've used Microsoft's antispyware, which says that it has been deleted, but it
| returns every time. Has anyone found the root programme that generates the
| E2Give?
|
| Hoping
|
| Dave



Perform Part 1 then perform Part 2.
Then perform the Alternate Part 1 then perform Alternate Part 2

It is suggested to perform Normal Mode and Safe Mode scans.



Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

Alternate:

Part 1
-----------

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Part 2
-----------

Swandog46's Apropos Adware/RootKit remover
http://swandog46.geekstogo.com/aproposfix.exe


Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *
 
You might try BHODemon like David Lipman suggested. There are registry
entries in HKEY_LOCAL_MACHINE\Software,
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
and\or RunOnce

Deleting these keys would normally fix the problem. There are also some
entries in CLSID which is where ActiveX controls are referenced. By using
the edit->find and searching for and E2G as the search string, you can find
all of the related references and delete them. The reason it reloads on
reboot is the Run or the RunOnce key. The problem is, the registry entries
are recreated on reboot. The question I have is how????? The only thing
that I can come up with is that it hides in system restore, so you might try
going to System Restore (right click My Computer and select the System
Restore tab, and check the "Turn off system restore" box). Then, run a
spyware removal tool like Spyware Doctor or even the Microsoft tool. Then
try rebooting after it is cleaned. Try this and tell me if it has any
effect. I gave up on the system I had that was infected and reinstalled the
OS, but I would still like to know if anything works. Please respond with
your efforts.

Tim Potteiger
(e-mail address removed)
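
A read-only way to see which Run/RunOnce and Browser Helper Object entries come back after a reboot, the question raised in the post above (added example, not part of the original thread). It assumes Windows PowerShell 3.0 or later; the baseline file path is an assumption, and the Browser Helper Objects key is the standard Internet Explorer location, which the thread does not name.

```powershell
# Added example: inventories autostart and BHO registry entries; deletes nothing.
# First run (right after cleaning) saves a baseline; a later run (after reboot)
# prints only the entries that were not in the baseline.
param([string]$Baseline = "$env:TEMP\autostart-baseline.xml")  # assumed path

$runKeys = 'Run', 'RunOnce' | ForEach-Object {
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_"
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_"
}
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-AutostartInventory {
    # Every value under the Run/RunOnce keys is a command started at logon.
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Source = $key; Name = $name; Target = [string]$item.GetValue($name) }
        }
    }
    # Each BHO is a CLSID subkey; the DLL IE loads is the default value of
    # that CLSID's InprocServer32 key.
    if (Test-Path -LiteralPath $bhoRoot) {
        foreach ($sub in Get-ChildItem -LiteralPath $bhoRoot) {
            $clsid  = $sub.PSChildName
            $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path -LiteralPath $inproc) {
                [string](Get-Item -LiteralPath $inproc).GetValue('')
            } else { '' }
            [pscustomobject]@{ Source = 'BHO'; Name = $clsid; Target = $dll }
        }
    }
}

$now = @(Get-AutostartInventory)
if (Test-Path -LiteralPath $Baseline) {
    # Second run: report entries that were absent from the baseline.
    $seen = @{}
    foreach ($e in @(Import-Clixml -LiteralPath $Baseline)) {
        $seen["$($e.Source)|$($e.Name)|$($e.Target)"] = $true
    }
    $now | Where-Object { -not $seen.ContainsKey("$($_.Source)|$($_.Name)|$($_.Target)") }
} else {
    # First run: save the baseline and show the current inventory.
    $now | Export-Clixml -LiteralPath $Baseline
    $now | Format-Table -AutoSize
}
```

An entry that reappears with a Target such as IeBHOs.dll shows which location is being rewritten; it does not identify the process doing the rewriting.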
 