Eliminating a nuisance program

[ShadowHM]

Hi

I am about to give up on this and just re-format the hard drive.

One of my sons suffered a brain-dead moment a couple of weeks ago. His ditzy friend Mikey told him about an 'upgrade' to MSN messenger and offered to send the file. Without taking a moment to consider that this is from MIKEY (if Mikey said the sky was blue, my son would check first before agreeing) he hit the 'accept' button. ARGH

The program in question is, I think, called memo face.exe

I have removed it from the start-up menu (via unchecking with msconfig). It has installed itself in the Windows Applications folder, under the heading 'two ford' along with another one called 'bagsfasthideaway'. I have deleted both of those folders, and then cleared the recycled bin. And then run msconfig again to make sure that it is not checked.

I have done this procedure a few times. And the damned things keep coming back. I don't know enough about registry files to muck around in there myself.

Norton does not think it is a virus. AdAware and Spybot do not recognize it as a problem item.

But the damn thing keeps bolluxing up my browser, giving me pop-ups (even though I do have a pop-up blocker) that wants me to go install another program that will 'clean' my computer. I am also getting pop-ups that want to send me to a gambling site. Further, of course, this makes my whole system run slower, and with my little computer, that is not a Good Thing™.

So, before I start the painful process of trying to save data files externally, prior to the re-formatting, does anyone have an idea of what I could do instead?

Shadow, who is (sadly) the only computer maintenance worker in this household

[Kylearan]

Hi,

if the latest definition files for AdAware and Spybot don't detect any problems, you might try PestPatrol. Sometimes, it is able to detect malware AdAware or Spybot don't recognize. Unfortunately, it's not free, but there's a free online scanner for your computer available on their homepage. I *think* you have to use IE and enable ActiveX to be able to use it, though (haven't tried it yet).

If you feel uncomfortable with an unknown program scanning your PC via Internet, or if PestPatrol is unable to solve your problem, you might try HijackThis. It's a tool that scans specific parts of the registry and writes it to a logfile. You then can use the automatic analyzation script on the site, or post the logfile to one of the fora linked to there, to let more experienced users help you remove the malware.

Hope that helps, and good luck!

-Kylearan

[Assur]

What happenend to your son? :)

[Rhydderch Hael]

You *are* going to have to spelunk into the registry for this one, I'd think. Look it over and find anything that pops to your eye, like the names of these folders/files in question.

Messing with the regs is fun. In Win98, it allowed me to change the name of my Recycle Bin and get rid of those little corner arrows on Shortcuts.

[Baajikiil]

Whenever I've had to remove such a problem, I often just search the web(through google) for the name(s) of the programs that are causing the problem. Usually I find that other people have had the same problem, and someone somewhere has posted in a tech forum the exact way to remove the program in question.

I'm the IT guy for several of my friend's familys :(

EDIT: The methods described always lead to registry editing. I did try quickly searching for the names you mentioned without any luck. Manually looking through the registry is your best bet unfortunately.

[kandrathe]

Symantec also has an online web based virus scan that has saved me a couple of times. http://security.symantec.com/sscv6/default...id=ie&venid=sym (must use IE :( but still works well)

There is a nice tiny program I use called WinPatrol from BillPStudios, that allows you to remove malware that is running, and it stays resident and warns you whenever something tries to install itself into the typical malware hooks in the OS or the browser, or even if something tries to mess with your HOSTS. file (to hijack your DNS lookups).

Or, Run Regedit
The registry place to look is;
HKEY_LOCAL_MACHINE -> SOFTWARE -> MICROSOFT -> WINDOWS -> RUN

There can be similiar run hooks in each of the HKEY_USERS as well, but that is more rare.

Also, sometimes things will install themselves as services, so it is worth reviewing that list from the control panel to see if anything unusual is installed there. Often, more sophisticated (frustrating) malware will install itself in multiple ways, and if not totally removed will reinstall the portions you've tried to remove.

Sometimes you cannot remove the offending malware as it is either loaded into memory and has made itself a SYSTEM file, so then you need to identify the culprits, reboot in safe mode, remove the culprits, and then reboot again in normal mode.

Edit: Also, lately I've run into stuff that somehow overwrites or inserts itself deep into the network protocol stack, such that removing it disables access to DNS lookups over the internet. At that point, I punt, save off the data I want and reinstall the OS and applications. Blegh. I hope that is not the case for you.

[LochnarITB]

There might be an easier solution to removing this. If that triumvirate does not recognize it as a problem (with the latest definition files) I would suspect that it has made a startup entry somewhere in the registry that runs a file it has placed in a folder such as windows. You don't need to edit the registry yourself to turn it off. Pick up the program Codestuff Starter. This serves 2 functions. The one I use all the time is to see processes that are running and terminate those that I know don't need to be running. The other is the one you want. Choose the Startups section. This will list all the startups in your registry. There are many places a startup can hide in the registry. You may be surprised at how many things are starting when you start your machine. You can choose to disable items or remove them altogether. If you find a lot of things starting that you don't need, this is a good way to speed up the startup of the machine as well as improve performance by removing the drain of background programs that aren't needed. I hope this helps.

P.S. Kandrathe, thanks for the mention of WinPatrol. If it really is as unobtrusive as it sounds, it looks like it will be a nice addition to my startup list.

[edit]Kandrathe's suggestion, WinPatrol, offers the same function as Starter plus more. I will continue to use both, Starter for my usual startup/process tasks and WinPatrol for its monitoring. You may want to ignore Starter and just use WinPatrol. It also allows you to disable or remove startups as I spoke of above.

[TaiDaishar]

I have encountered such a thing as you describe a few months ago and it drove me nuts, finally I decided to go to Add/Remove programs and see if there is nothing unusual.

I found out that the dang malware was installed as a Windows XP hotfix, I removed it completely and then simply re-updated Windows to make sure I didn't uninstall something that is really from Microsoft.

[Archon_Wing]

Hi

I am about to give up on this and just re-format the hard drive. 

One of my sons suffered a brain-dead moment a couple of weeks ago.  His ditzy friend Mikey told him about an 'upgrade' to MSN messenger and offered to send the file.  Without taking a moment to consider that this is from MIKEY (if Mikey said the sky was blue, my son would check first before agreeing) he hit the 'accept' button.  ARGH

The program in question is, I think, called memo face.exe

I have removed it from the start-up menu (via unchecking with msconfig).  It has installed itself in the Windows Applications folder, under the heading 'two ford' along with another one called 'bagsfasthideaway'.  I have deleted both of those folders, and then cleared the recycled bin.  And then run msconfig again to make sure that it is not checked.

I have done this procedure a few times.  And the damned things keep coming back.  I don't know enough about registry files to muck around in there myself.

Norton does not think it is a virus.  AdAware and Spybot do not recognize it as a problem item. 

But the damn thing keeps bolluxing up my browser, giving me pop-ups (even though I do have a pop-up blocker) that wants me to go install another program that will 'clean' my computer.  I am also getting pop-ups that want to send me to a gambling site.  Further, of course, this makes my whole system run slower, and with my little computer, that is not a Good Thing™.

So, before I start the painful process of trying to save data files externally, prior to the re-formatting, does anyone have an idea of what I could do instead?

Shadow, who is (sadly) the only computer maintenance worker in this household
[right][snapback]64704[/snapback][/right]

If I am correct, the program installed is "Messenger Plus". Head over to the control panel and remove it. Then, if for some reason your son reinstalls the program tell him to not install any additional sponsor programs the install asks for.

The actual program isn't causing the problem, but it includes optional spyware. Yea, don't ask me why. :ph34r: People have used the program without installing any extras and have had no problems.

The actual spyware included with Messenger Plus is called "LOP." It's famous for being a pain in the ass to remove, so I suggest the uninstall

[DeeBye]

Have you tried Microsost's beta anti-spyware tool?

https://www.microsoft.com/athome/security/s...re/default.mspx

I checked it out today, and it looks pretty slick. It even found something that both AdAware and Spybot missed.

I'd also suggest that you set up a separate XP login account for your son, without granting him admistrator status. Deny him the ability to install software without your express permission in the first place.

[Walkiry]

I'm the IT guy for several of my friend's familys :(
[right][snapback]64717[/snapback][/right]

Start charging them :)

[Baajikiil]

Start charging them :)
[right][snapback]65099[/snapback][/right]

Despite my :(, the warm feeling of satisfaction on helping someone in need is all the thanks I require.

Well, that and the fact that none of my friends' parents forget to get me birthday and christmas gifts :)

[Nomad25055]

I'm kind of in the same boat myself. I have ran the following programs: SpyBlaster, Spy Sweeper, Spybot, AdAware, and run adwatch 24/7. On top of this I have made use of Norton Systemworks and the free house call at trendmicro.com. I have modified my registry to no end but I cannot get rid of any one of these programs. I have deleted programs and folders yet they still show up in my registry and I still get IE pop ups. This strikes me as odd, as I never ever use IE. But above all there is one program that I cannot get rid of because I cannot even find it!! It is called kalvdze.exe and is supposed to be in my system32 folder, I cannot find it at all!! I see it in my registry however as kalvsys, and as I have mentioned no amount of regedit will get rid of this or any other files listed in the registry. I have one last hope before resorting to that god of all commands though! I will post my hijack this log and see if there is any hope for my current install of XP Pro.

[Archon_Wing]

Hi,

would you copy and paste the hijack this log out in the post? It's kind of a pain to look at them via screeenshot.

Also, the file could be hidden. Try making Windows display hidden files.

Edit: One of the problems is "Coolwebsearch." Try to run Cwshredder first:
http://www.intermute.com/spysubtract/cwshr...r_download.html

[Baajikiil]

I'm kind of in the same boat myself. I have ran the following programs: SpyBlaster, Spy Sweeper, Spybot, AdAware, and run adwatch 24/7. On top of this I have made use of Norton Systemworks and the free house call at trendmicro.com. I have modified my registry to no end but I cannot get rid of any one of these programs. I have deleted programs and folders yet they still show up in my registry and I still get IE pop ups. This strikes me as odd, as I never ever use IE. But above all there is one program that I cannot get rid of because I cannot even find it!! It is called kalvdze.exe and is supposed to be in my system32 folder, I cannot find it at all!! I see it in my registry however as kalvsys, and as I have mentioned no amount of regedit will get rid of this or any other files listed in the registry. I have one last hope before resorting to that god of all commands though! I will post my hijack this log and see if there is any hope for my current install of XP Pro.

google hits for "kalvsys"

Looks like this is not that uncommon. Kalvsys appears to rewrite itself every 3 seconds or so into the registry. One of those links should detail removing it.

[kandrathe]

I'm kind of in the same boat myself. I have ran the following programs: SpyBlaster, Spy Sweeper, Spybot, AdAware, and run adwatch 24/7. On top of this I have made use of Norton Systemworks and the free house call at trendmicro.com. I have modified my registry to no end but I cannot get rid of any one of these programs. I have deleted programs and folders yet they still show up in my registry and I still get IE pop ups. This strikes me as odd, as I never ever use IE. But above all there is one program that I cannot get rid of because I cannot even find it!! It is called kalvdze.exe and is supposed to be in my system32 folder, I cannot find it at all!! I see it in my registry however as kalvsys, and as I have mentioned no amount of regedit will get rid of this or any other files listed in the registry. I have one last hope before resorting to that god of all commands though! I will post my hijack this log and see if there is any hope for my current install of XP Pro.

url={omitted}
url={omitted}

This is what I would do.

Have been infected with this for about a week now, seem to have got rid now by doing the following:-

1. Boot into Safe Mode
2. Did a search for all files that begin with letters kalv
3. Deleted all of the files.
4. Run regedit
5. Search for kalv
6. Delete all registry keys that contain kalv
7. rebooted into normal mode.

I was also infected with ringtone.exe spyware and I managed to get rid of it at the same time by duplicating above.

Remember playing with your registry can totally ruin your installation of windows - I tried it as I was going to do a clean install if it didn't work.

Hope this helps anyone who is infected.