Neighbor has tons of spyware

  • JrzyCrim
  • Mastermind
  • Joined: Mar 17, 2004
  • Posts: 2062
  • Status: Offline

Post August 26th, 2004, 3:31 pm

No problem. This benefits me as well. This is a tricky one for sure. Good luck with it and please feel free to ask for more help.
  • beings
  • Expert
  • Joined: May 23, 2004
  • Posts: 539
  • Loc: Canada
  • Status: Offline

Post August 26th, 2004, 3:36 pm

Oh, one other thing: should I continue to leave atlbt32.exe alone?

After all this is done I should really get them Firefox because her kids are into everything.
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA
  • Status: Offline

Post August 26th, 2004, 3:38 pm

I didn't notice where it was mentioned that you disabled system restore? If you don't it could explain why some things keep coming right back at you.

For Jim, the only clue I could find about ieoe.exe was this pdf:
http://www.cit.gu.edu.au/~noran/Docs/HEA-Page89.pdf

Looks like some type of runtime environment. Might be something with SP2. (My first thought was Internet ExplorerOutlookExpress)
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
  • JrzyCrim
  • Mastermind
  • Joined: Mar 17, 2004
  • Posts: 2062
  • Status: Offline

Post August 26th, 2004, 3:39 pm

For now. I'd hate to get rid of it not knowing what it is. Put it back in the system32 directory and maybe we'll be able to find something out about it later.
  • beings
  • Expert
  • Joined: May 23, 2004
  • Posts: 539
  • Loc: Canada
  • Status: Offline

Post August 26th, 2004, 3:40 pm

OK. Yeah, system restore has been off on this computer for months.

After this I gotta sort out her performance issues too. Dang, this is gonna take a while.
  • JrzyCrim
  • Mastermind
  • Joined: Mar 17, 2004
  • Posts: 2062
  • Status: Offline

Post August 26th, 2004, 3:41 pm

JrzyCrim wrote:
Turn off system restore before fixing anything. ....


It's in there :) doesn't hurt to mention it though. Things were getting a bit disjointed in this thread; my fault- I compiled all the repair procedures in a later post including the bit about system restore. Not surprised you missed it.

ATNO/TW wrote:
For Jim, the only clue I could find about ieoe.exe was this pdf:
http://www.cit.gu.edu.au/~noran/Docs/HEA-Page89.pdf

Looks like some type of runtime environment. Might be something with SP2. (My first thought was Internet ExplorerOutlookExpress)


Thanks for that. That's what I thought but I also considered that it might be something masquerading under the guise of something familiar.
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA
  • Status: Offline

Post August 26th, 2004, 3:53 pm

Check this log and fix:

http://www.d-a-l.com/help/archive/index.php/t-1023.html

This guy had ieoe.exe and was instructed to remove it with no apparent adverse results. Besides, it's a runonce item and after it's run, it's not needed any longer.

He did solve it (next to last post). I've never heard of about:buster, but apparently another hijack fix program that might be worth looking into.
  • beings
  • Expert
  • Joined: May 23, 2004
  • Posts: 539
  • Loc: Canada
  • Status: Offline

Post August 26th, 2004, 4:01 pm

Hmmm, Norton didn't pick up anything (what a waste of 50+ minutes). Oh well, I'm gonna reboot now and try and rid this demon spawn. Wish me luck. Before I do, what do you advise I do about ieoe.exe?
  • JrzyCrim
  • Mastermind
  • Joined: Mar 17, 2004
  • Posts: 2062
  • Status: Offline

Post August 26th, 2004, 4:04 pm

Remove it. I've found a couple of other threads where the user was told to remove ieoe.exe.

I did a search on my system for that file and it's not present so I'm guessing it's safe to remove.
  • beings
  • Expert
  • Joined: May 23, 2004
  • Posts: 539
  • Loc: Canada
  • Status: Offline

Post August 26th, 2004, 4:25 pm

I don't know why, but for some strange reason the computer will not let me boot in safe mode or enter the BIOS for some reason. I've tried about 10 times. Safe mode worked before when I press F8 during startup but now it is not working. Any idea why? Do I 100% need to enter safe mode to remove the spyware?
  • JrzyCrim
  • Mastermind
  • Joined: Mar 17, 2004
  • Posts: 2062
  • Status: Offline

Post August 26th, 2004, 4:34 pm

Hmm, I don't know what to think about this new problem. It won't hurt to try it in normal mode. I'll see if I can turn up anything about your safe mode problem. You might try a cold boot. Is the keyboard USB?
  • beings
  • Expert
  • Joined: May 23, 2004
  • Posts: 539
  • Loc: Canada
  • Status: Offline

Post August 26th, 2004, 5:01 pm

I booted it in diagnostic mode ... it's pretty much the same as safe mode but without the low res and hardware stuff.

Right now I'm back home eating; I cleaned it all out with HijackThis. It's scanning with Ad-Aware at the moment and then I'm gonna scan with Spybot. Then I'll clean the internet cache and throw it back into normal mode and hopefully the spyware will be gone... I'll post the log when it's all done ... thanks for the help so far.
  • beings
  • Expert
  • Joined: May 23, 2004
  • Posts: 539
  • Loc: Canada
  • Status: Offline

Post August 26th, 2004, 5:23 pm

OK, I cleaned out everything that I needed to, but I found 2 files with Ad-Aware and I went to look at HijackThis again and I found this suspicious file. I am still in diagnostic mode at her house. This is the HijackThis file I took while in diagnostic mode.... I'm hoping to get all the nasties in one go this time. Thanks for the help.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O19 - User stylesheet: (file missing)




This file looks suspicious to me, what do you think? \/ \/
O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll
  • JrzyCrim
  • Mastermind
  • Joined: Mar 17, 2004
  • Posts: 2062
  • Status: Offline

Post August 26th, 2004, 5:59 pm

Fix these two.

O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll
O19 - User stylesheet: (file missing)

It sure does look much cleaner now.

I'd recommend installing SpywareBlaster.
http://www.javacoolsoftware.com/spywareblaster.html
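
An added example, not part of any post in this thread: a small Python triage pass over HijackThis-style log lines that surfaces the two kinds of entries asked to be fixed above (a BHO with no registered name, and an entry whose file is missing). The function names and the two flagging rules are assumptions made for illustration; a flagged line is a candidate for manual review, not a verdict.

```python
import re

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O19 - User stylesheet: (file missing)
"""

# "<section code> - <rest>", e.g. "O2 - BHO: ..." or "R1 - HKCU\..."
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O2 body: "BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(
    r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)


def parse(log):
    """Return (section_code, body) for every line that looks like a log entry."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def triage(log):
    """Flag entries for manual review (illustrative rules, assumed here)."""
    flagged = []
    for code, body in parse(log):
        reasons, clsid, path = [], None, None
        if "(file missing)" in body:
            reasons.append("references a missing file")
        if code == "O2":
            bho = BHO_RE.match(body)
            if bho is None:
                reasons.append("BHO line does not match the expected layout")
            else:
                clsid, path = bho["clsid"], bho["path"]
                if bho["name"] == "(no name)":
                    reasons.append("BHO has no registered name")
        if reasons:
            flagged.append({"code": code, "clsid": clsid,
                            "path": path, "reasons": reasons})
    return flagged
```

The CLSID and path returned for a flagged BHO are the values to look up before deciding whether to fix the entry.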
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA
  • Status: Offline

Post August 26th, 2004, 6:01 pm

I checked the status of this with spywaredata.com:
spywaredata.com

It looks like this is still pending. Make a backup of it to floppy and "fix" it and see what happens. The backup will let you restore it if it's necessary, but I seriously doubt it.

(That link is Google's cached version of the page, btw -- it's the only way I could see it without going through all the links.)