Crazy spyware problem.

ZGangsta (n00b; joined Dec 11, 2004; 16 messages)
Ok, here’s the situation. I was trying to install some free guitar tab software, and the site I got it from looked good, the EULA was clean, so I went ahead. BAM, the biggest torrent of spyware I’ve ever seen is tossed onto my system. I swear it was like Vietnam on my system as I scrambled to fix stuff. Millions of popups, installers just randomly running that I couldn’t abort, hell.
So I managed to quiet everything down, killed the 12 (yes 12) IE toolbars, uninstalled all the software, and ran all the spyware killers. Everything is back to normal except for 1 thing. There is still one popup (Search results for poker online) that keeps appearing in an IE window (even though Opera is my default browser) every minute or so. I went for dinner and came back with like a million windows to close. I’ve run spybot, ad-aware, Giant, and Hijack-this, and it remains.
I’ve traced the problem to the key “kalvsys” in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
It shows up every time I run Spybot as: Elitum.EliteBar
It shows up every time I run Ad-Aware as: Ebates Moneymaker
Giant shows nothing
Hijack This shows: O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvins32.exe
Every time I delete this (in any program) it reappears the next time it’s run. If I delete the key in the registry it reappears after about 5 seconds. If I rename it, a new key appears. If I change its value data (C:\winnt\system32\kalvins32.exe) it resets itself. Oh I can’t find C:\winnt\system32\kalvins32.exe either.

This is driving me crazy, especially since I just got HL2 last night but can’t play it because this damn popup keeps taking the focus back to IE.
Any help would be appreciated.
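The behaviour described in this post (a Run value whose binary is not visible on disk, and which comes back under a new name seconds after being deleted) is the classic sign of a guardian process re-writing the key. The following added example, which is not code from this thread or from any of the tools named in it, parses HijackThis O4 lines, flags entries whose executable cannot be found, and compares two snapshots of a Run key to show which deleted entries were recreated. The file listing and the snapshots are constructed here so the script runs offline; on a live machine you would build them from the filesystem and the registry.

```python
import re
from typing import Dict, List, Optional

# HijackThis O4 entries look like the one quoted in the thread:
#   O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvins32.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*):\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$"
)
# First drive-letter path ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split one O4 line into hive, key, value name and command; None if not an O4 line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def exe_path(cmd: str) -> Optional[str]:
    """Pull the executable path out of a Run value, dropping quotes and arguments."""
    m = EXE_RE.search(cmd)
    return m.group("path").lower() if m else None


def triage(lines: List[str], files_on_disk: set) -> List[Dict[str, object]]:
    """Return each O4 entry with the reasons it deserves a closer look.

    files_on_disk is a lowercased set of full paths standing in for a directory
    listing (constructed for this example); a Run value whose binary is not in
    it is either hidden or dropped on demand by another process."""
    out = []
    for line in lines:
        entry = parse_o4(line)
        if not entry:
            continue
        path = exe_path(entry["cmd"])
        reasons = []
        if path is None:
            reasons.append("no absolute .exe path; bare names resolve through PATH")
        elif path not in files_on_disk:
            reasons.append("referenced binary not visible on disk")
        out.append({"name": entry["name"], "path": path, "reasons": reasons})
    return out


def reappeared(deleted: Dict[str, str], after: Dict[str, str]) -> Dict[str, str]:
    """Entries whose command line is back in the next snapshot of the Run key,
    whether under the old value name or a fresh one (matching the 'rename it and
    a new key appears' symptom). Match on the command, not the name."""
    wanted = {cmd.lower() for cmd in deleted.values()}
    return {name: cmd for name, cmd in after.items() if cmd.lower() in wanted}
```

If `reappeared` returns anything, the key is being guarded: identify and stop the writer (a process viewer such as Process Explorer will show which process holds the binary or DLL) before touching the registry again.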
 
Check out the creation date on that file, and search for other files that have the same creation date. Also search by company (if it has a company association, which adware like that usually does). List all the files you come up with on paper. Boot into safe mode, kill those files. Then, run regedit, and search for each filename separately, and kill any key that references it, or any directory that's obviously associated with it (i.e. full of keys that reference it and named the company name). Hope this helps.
 
bluey424 said:
Hope this helps.

Do all of the above - and search online for references to the files.

http://www.pestpatrol.com/pestinfo/e/ebates_moneymaker.asp

Kill these running processes with Task Manager:
c:\my documents\55nn2.exe
c:\program\couponsandoffers\couponsandoffers1.exe
care2gtu.exe
profilepath+\local settings\temp\ebatesmoemoneymaker.exe
programfilesdir+\blue haven media\kazoom\ebatesmoemoneymaker_ver14.exe
programfilesdir+\blue haven media\kazoom\ebatesmoemoneymaker14.exe
programfilesdir+\care2gtu\popup.exe
programfilesdir+\ebates_moemoneymaker\ebatesmoemoneymaker0.exe
programfilesdir+\ebatesmoemoneymaker\ebatesmoemoneymaker.exe
programfilesdir+\ebatesmoemoneymaker\popup.exe
programfilesdir+\limeshop\popup.exe
programfilesdir+\webrebates\webrebates.exe
programfilesdir+\websearch\websearch.exe
programfilesdir+\websearch\websearch1.exe
saveinstwmcm.exe
systemroot+\dkry.exe
webrebates0.exe
webrebates1.exe
 
Go to Run and type msconfig. Edit your startup file and kill any bad processes. Then run your spyware scans again. It is preempting them if it loads first.
 
Yeah I did that, and the only bad process that appears is kalvins32. When I uncheck the box, it gets rechecked on its own as soon as the screen refreshes.

None of those files appear in task manager, or exist on my machine. I've searched online for solutions and haven't found anything relevant.


As for the safe mode thing, I can't get in. Hitting F8 when I'm prompted does nothing. I don't know if there's something up with my wireless keyboard (I can get to BIOS fine), or something else. Is there another way to reboot to safe mode? I'm using Win2000.

Thanks for all the help.
 
I've run into wireless keyboards not working during the F8 screen before. Just hook up a normal one. Also it's probably a DLL somewhere that is recreating the .exe files.

Use a process viewer other than the default one. I suggest this one http://sysinternals.com/ntw2k/freeware/procexp.shtml

It will tell you what files are being used by that process or .exe file running, and then go into safe mode and kill that file anywhere you can find it.

I've noticed some new spyware programs will hide DLLs in your application data folder. Any real program will have a folder under there, but if you see any stray files just sitting outside of a folder I suggest deleting them or renaming them and see if that helps.
 
Is the USB port you have your wireless receiver on on-board or on an expansion card? If it's not on board (and sometimes on older mobos, even if it is), Windows won't take input from your mouse/keyboard until Windows is up. I had this issue on an old Asus board.

The not-so-technical way of getting into safe mode without having to hit F8 at the right time is to pull your power cable out midway through your computer loading Windows (the splash screen is a good choice). Then plug it back in and with that next bootup, Windows by default will go to the previous-boot-failed screen and allow you to choose safe mode. If you can't select an option on that screen, go beg/borrow/steal a PS/2 keyboard away from someone long enough to get this issue taken care of.
 
What you can also try is removing the security permissions on the file so that no one can run it. Then delete the registry keys, and then you can re-enable the permissions and delete the file, or leave it with no permissions so it can't be reinstalled or run.
 