Unremoveable spyware/virus

I am trying everything I can to remove this virus/spyware.  Here is where we are right now (all done in safemode):

Hijack This
*********
Logfile of HijackThis v1.99.1
Scan saved at 11:09:16 AM, on 4/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\HowardFamily\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\oelsn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yaswxem.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Its the C:\WINDOWS\system32\oelsn.exe and yaswxem.exe in the hijack this that I can't get rid of

Autoruns
********
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      C:\WINDOWS\system32\xuuony.exe reg_run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      C:\WINDOWS\system32\xuuony.exe reg_run
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
      pcgpt.exe

Any time it try to delete oelsn.exe, yaswxem.exe, or xuuony.exe reg_run from the registry it cames right back (even in safemode).  I have tried using msconfig, smitRem, and Hijack this.  I have tried manual removal.  I have tried Norton AV (installed on the system) and TrendMicro House call.  I have tried looking in Add/Remove programs and Services looking for anything that doesn't belong.  None of it has helped.  Even doing searched for the 4 exes doesn't get me anywhere so they must be randomly generated.
TalenhawkAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

r-kCommented:
Try this:

(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)

(1) Right click on the file (e.g. xuuony.exe) in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Repeat steps (1) to (4) for the other files you want to disable.

(6) Close all windows.

(7) Reboot.

After reboot the file(s) will be unable to run (because no one can access them any more). The symptoms should be gone.

At this point you can clean up with a standard anti-spyware program. I suggest Ewido, but you can try others that you already have.
TalenhawkAuthor Commented:
I did this, but there is still obviously something evil running because as soon as I remove any of these they are right back in there.  Also did I mention the two below are hidden.  IE I can't see them in regedit or regedt32.  The only why I can see them are autoruns and msconfig.  How do I unhide them in the registry?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      C:\WINDOWS\system32\xuuony.exe reg_run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      C:\WINDOWS\system32\xuuony.exe reg_run
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
      pcgpt.exe
r-kCommented:
Try ewido (http://www.ewido.net/en/) download the free/demo version and scan your system.
I've had luck with that in similar cases.

Also, just to be sure, did you disable these files like I suggested, or did you delete them? Deleting them is not going be as effective as disabling them. Also, you have to disable all that you can identify, then reboot.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Rich RumbleSecurity SamuraiCommented:
If XP pro, disable system restore, then scan with the tools above as well as Ad-Aware. If you suspect you have a root-kit download and run RootKit revealer from Sysinternals.com
http://www.sysinternals.com/Files/RootkitRevealer.zip Make sure you don't run any apps or access anything while it runs as this will lead to false positives in the scan.
There are certain files and folders that typically say "hidden from MFT but visible in windows API"
Typically the files (not usually the registry keys) that say "Hidden from Windows API" that are likely a rootkit or hiding themselves from scans.
Should you see such files, it's easiest to mount that hardrive in another PC as a secondary drive (slave most likely) and remove them, or if your unsure just zip them up and leave them there so you can restore if you need to. While the HD is mounted as a secondary drive you might as well use that PC to scan it with AV and anti-spyware utilities.

http://www.xinn.org/annoyance_spy-ware.html#Sys-Restore
-rich
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.