E2Give

Does anybody know how to remove this &%$%(&^&^ piece of (&^&^)#%@# from a Windows XP Pro machine? Things tried already:

  1. Ad-Aware
  2. MS Anti-Spyware
  3. Manually delete all registry keys containing iebhos.dll
  4. Unregister it using REGSVR32 in a command window

This damned thing apparently has the ability to mutate its process name to some random collection of characters on startup. And when it is removed thru either Ad-Aware or the MS Anti-Spyware utility, it somehow hides its source and re-installs itself within moments - despite telling MS Anti-Spyware to block the installation.

I’ve spent about 4 hours today trying to kill this &^%^%(^$$%(%(()

Try the following:

That site also has an automated repair tool but I cannot vouch for it.

And I just got this piece of e-mail from the E2Give “support” guys.

Anybody got any guesses on how well this might work? I gotta tell ya, I’m way reluctant to attempt an install of something else that these fuckers recommend. Particularly when I’ve already tried allowing one install that MS Anti-Spyware strongly recommended I block.

I’m downloading Hi-Jack and Spybot right now - which by the way I’m getting at a whopping 4.5KB/sec. Fucking hell. Hafta see how those go, I guess.

Yep. Got that same list from www.spyany.com/program/article_spy_rm_E2Give.html

No joy, but thank you.

Whoops. That’s not the right URL. This is where I found that list:

www.spywareremove.com/removeE2Give.html

I should note that I highly recommend paying for a spyware remover. I know there are a bunch for free such as Ad-Aware and Spybot but unsurprisingly spyware makers realize the popularity of these and program around them (even had one that specifically disabled AdAware).

I know it sucks to think of dropping $30 or more to stop these pests but in my experience it is money well spent given the reality and ubiquitousness of spyware. Personally I use two paid for spyware blockers (Spyware Doctor and Spysweeper). I also have MS-Antispyware. I have noticed my two paid for programs catching different things but between them they have pretty much caught most everything. MS-Antispyware has so far only nabbed one thing the others seemed to have missed. Unlike antivirus software, which you should only have one instance of, running two anti-spyware programs can live in harmony and I recommend two of some anti-spyware running.

Whatever you get be sure to research any paid for anti-spyware. Some anti-spyware is really spyware itself so buyer beware.

I agree. I think that’s the route I’m heading - buying Spyware Doctor. Thanks for the recommendation. I’m just not too keen on buying it to install on my machine here at work - particularly since I’m pretty sure I got this infection when someone else was logged on to it. I’ve used the Internet regularly for about 10 years now, and this is the first time I’ve ever been invaded like this.

So much for that - and my thirty bucks. It detects and removes the thing okay - the current installation anyway. Fucking thing just reinstalls itself. Even tho’ Spyware Doctor says it’s catching the reinstall and “unregistering” that evil “iebhos.dll” file. Wherever this thing is trying to reinstall itself from is damned well hidden.

I am not in front of my PC with my Spyware Doctor installed but I think it is Spyware Doctor that can do a scan at boot to remove the baddies that keep coming back. Essentially it runs a scan, removes the spyware, then reboots the machine and before almost anything else happens it runs another scan. In theory this should nab the bad guy before it can do its thing and remove it for good.

Of course I may be remembering it wrong and it is Spysweeper that does this but I think I remembered correctly. Worth looking into.

I’ll take a look in the Spyware Doc help. Thanks much, Whack-a-mole. You’ve been very helpful.

You might also try starting Windows in Safe Mode and then running a Spyware Doctor scan. Safe Mode should prevent the nasty spyware from loading and trying to dodge around your system. The Spyware Doctor scan at startup should achieve much the same thing but this is another route you might try.

Persistent recurrence of the same malware means there is some hidden process reinstating it; it will sometimes be the case that in fact two processes are running, each looking out for, and reinstating the other - since you can’t easily kill the two processes simultaneously, this can be infuriatingly difficult to deal with.

I would recommend:
-download HijackThis from http://www.spywareinfo.com/~merijn/downloads.html
-Boot to Safe Mode
-Run HijackThis and save a log file
-Boot normally and Visit http://www.hijackthis.de/ - paste the log file into the web form and click Analyze
-It’s pretty good at identifying malware - make a note of the bad stuff
-Boot to Safe Mode again
-Run HijackThis and use it to remove the offending entries you identified and wrote down earlier.

This should kill them all in one fell swoop.

:smack:

Fixed Hijackthis link

Okay. That helps. I’ve identified the other file that’s reinstalling e2give’s iebhos.dll. It’s iniwin32.dll. But I can’t seem to get rid of that fucker now. It’s always reported as “being in use” when I try to delete it.

Do I need to “unregister” it? I’ve tried removing all of the registry keys it seems to be associated with.

Booting into Safe mode to do your fixes will probably result in that dll not being loaded, rendering it available for removal. Try the HijackThis thing though - it’s actually a quite easy way to do all these manual changes to registry, startup folder and ini files, all at once, through a GUI.

I’ve run both MS Anti-Spyware and HijackThis in safe mode. They both get rid of the actual installation (C:\Program Files\E2G\iebhos32.ddd) in fine fashion, but neither of them will allow me to get rid of the source (C:\Windows\System32\iniwin32.dll). I had high hopes for the Hijack This, but it gives me an “unknown error” trying to remove iniwin32.dll.

In the meantime, y’all might find this amusing. It’s the e-mails I’ve exchanged with the E2Give “support” team today.

If you can’t remove that DLL after a reboot, sounds like something might still be using it; would you like to run HijackThis again and post your log here?

Alternatively, it might just be that you can’t remove it because it is registered; you could try typing:
**Regsvr32 /u ininwin32.dll**
in a command window

It might work even better if you type the filename correctly:
**regsvr32 /u iniwin32.dll**

For programs that stubbornly refuse to be stopped try Killbox (aka Pocket Killbox). Very nice utility that forces crap you do not want running to stop no matter what it thinks about it.

Here’s the Straight Dope:

E2give is a variant of vundo (also called winfixer or vurtumundo). It cannot be removed manually. Don’t believe their tech support: if they’re putting vundo onto your machine, they aren’t interested in helping you (or they are up to a million on the clueless meter).

Luckily, there is a repair tool. Even better: it now works in many cases without an expert to interpret your hijackthis log.

The tool was developed at http://www.atribune.org. I’ve put up a link and instructions at http://www.siena.edu/antivirus/Spyware/vundo.asp.

Give that a try. It seems to work pretty well. However, if it doesn’t, you’ll need to post a hijackthis log somewhere where an expert can analyze it (like the forums at http://www.spywareinfo.com).

And be careful about buying antispyware software. Most is spyware itself. This site lists which programs are legit: http://www.spywarewarrior.com/rogue_anti-spyware.htm Note that there are only five antispyware programs listed as “trustworthy” (though there are some clones of these).
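
As an added illustration of the HijackThis log step this thread relies on (not code from any poster or from the tools named), this Python sketch pulls the DLL-loading entries out of a log and lists every autostart section that references each DLL, so that all of them can be fixed in the same Safe Mode pass. The sample log is constructed: the CLSIDs, the iebhos.dll path and the placement of iniwin32.dll under both O2 and O20 are placeholders, not details from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis's log line format. The CLSIDs, the
# iebhos.dll path and the O2/O20 placement are placeholders, not thread data.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\E2G\iebhos.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\System32\iniwin32.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O20 - Winlogon Notify: iniwin32 - C:\WINDOWS\System32\iniwin32.dll
"""

# "O<n> - <label>: <rest>" covers the autostart sections of the log.
ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# A full path ending in .dll at the end of the entry.
DLL_PATH = re.compile(r'([A-Za-z]:\\[^"<>|*?]*?\.dll)\s*$', re.IGNORECASE)

def dll_autostarts(log_text):
    """Map lowercased DLL path -> list of (section, label) entries loading it."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        section, label, rest = entry.groups()
        dll = DLL_PATH.search(rest)
        if dll:
            found[dll.group(1).lower()].append((section, label.strip()))
    return dict(found)

def review_list(found, watch_names=("iebhos.dll", "iniwin32.dll")):
    """DLLs on the watch list, or hooked from more than one section."""
    out = []
    for path, loaders in sorted(found.items()):
        name = path.rsplit("\\", 1)[-1]
        sections = sorted({section for section, _ in loaders})
        if name in watch_names or len(sections) > 1:
            out.append((name, sections))
    return out

if __name__ == "__main__":
    for name, sections in review_list(dll_autostarts(SAMPLE_LOG)):
        print(f"{name}: referenced by {', '.join(sections)}")
```

A DLL that shows up under more than one section has more than one load point, and each entry needs to be fixed before the next normal boot.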