A couple weeks ago, our computer began acting up when Internet Explorer was activated... Popups, redirected to websites (some illicit), and attached "cool search bar" to the top of browsing windows. My brother uses IE still... I don't know where he was, but I found some sites in the history that didn't look particularly... Good. But that's beside the point.
I ran adaware, found a lot of things, quarantined them... Went into the add/remove programs folder, removed some of the programs there... Cleared out IE's cookies and temp folders.
Upon opening IE again, it was back.
Whether this is connected or not, I don't know, but, yesterday we got a bill in the mail for $40 from PremierPremium saying we made two phone calls to the United Kingdom for pay-per-view websites. (each call exactly 4 minutes, exactly an hour and a half apart from one another, on the same day)
Today, I've been trying to get rid of it... Found it's located in C:/Windows/System under KALVIOH32.exe. Upon attempting to delete it, it comes up with the message: Cannot be deleted. Access denied. And, I can't disable it in msconfig, although it is there... It un-disables itself after restarting. Right now, I'm downloading a new version of AVG... I don't think that'll help though. Any help would be greatly appreciated.
Update: I was right, AVG didn't detect it. How in the world do you get rid of this thing!?!? Even after doing some research on it, I couldn't find hardly anything...
Anything at all would be appreciated.

You're going to have to locate what section of the registry the file is located in and open the registry and delete it directly out of the registry. This is delicate and tricky, but it has locked itself into the registry's subcommand HKEY and the only way to remove it is manually. Next, I'd never ever use Internet Explorer again after it's clean, and kick the s--- out of your brother for downloading porn. Because he really screwed the pooch when you lock into the subcommand

Run HiJackThis and then plug the resulting log into their free log scanner.
You should be able to get rid of most of the stuff that's in there.
larry

After two frustrating days of using SpyBot, the freeware version of AdAware, and Wash n go, as well as several registry editors, I finally resorted to buying Adaware SE from lavasoftusa.com. It comes with Ad-watch, an active monitoring system that does many things, but most importantly it allowed me to "automatically" block the creation of the registry key "Kalvsys", which was re-creating itself every 2-3 seconds. While it was blocked (deleted) I rebooted and the key was/is still gone! Well worth the $27 US that I spent on it.

I have the damn thing too! Thanks to the kids. Like reply #3 said, it re-writes itself to the registry in two places every 3 seconds. It's in HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\run & run-. I tried deleting it both places and pulling the plug several times but it's too fast. Anyone that pays money to get rid of this s--- is a fool. And do not pay those phone bills either, it just encourages them.

Sorry it took me so long to get back here but I'm exhausted from trying to clean up this machine. The kids really trashed it. The solution: Look at kalvwbi32.exe in Windows\System, note the date, use find to find all files with that date, you can delete all that crap. Everything except kalvwbi32.exe. Restart windows in safe mode. Start Regedit, click find under edit, type in Kalvsys, find all and delete them. There is the website kalvsys in the Explorer section of the registry. Make sure that you get that too or as soon as you go online it will just reinstall itself. And never go to that site looking for these scum; all it does is reinfect you. After you eliminate it in the registry you can then delete kalvwbi32.exe in Windows\System and restart in normal mode. And most important of all, DO NOT pay any phone charges associated with this!!

Thanks...
I still don't know if those phone bills were caused by the virus though - I'm afraid it may have been my brother knowingly doing it. Customer Service from PremierPremium (host for sites / people who billed us) seem fairly confident that their pay-per-view websites can't be accessed unless a human goes through the process...
Here's part of their email they sent back to me:
"You had inquired specifically what web site was accessed. Our records show that
a call had been placed to a premium rate adult website called "Live Web Cams".
Premier Premium Communications does not own this site and simply is a billing
company."
and...
"In order to be billed on a per minute basis the user needs to take several
actions. First action the user would have to take is accepting a certified
download. The second action the user had to take was read through a legally
binding disclaimer which started the cost of the call and also stated they
either had to be the telephone line subscriber or have permission from the
telephone line subscriber. Once that step was taken the billing solution would
disconnect them from their standard Internet service provider and reconnect them
to a premium rate Internet service provider in the United Kingdom. Once the
connection has been established, the premium rate web site is shown.
Finally once our billing software establishes a connection to our remote billing
server in the United Kingdom, the first 2 minutes aren't billed allowing the
user plenty of time to disconnect from the service and not be billed if for some
rare reason they made a mistake despite our previous precautions or are not
interested in the premium rate website content."
There was something that popped up on my computer though - but I don't think it was on the date they billed us on... A dialer for something adult, it may have been a webcam service - When trying to close it, it continued connecting, I eventually got it down, but it was not up for the four minutes they say it was. That only happened once though too, not the two times they say it happened.
Bleh... And they say if I don't pay in time, it'll be forwarded to a licensed collection agency. I don't THINK PremierPremium is bad, they just... Host sites pay-per-view sites... And collect the money.
If any of you KNOW that the Kalvsys, or some other virus / spyware can force your computer on to pay-per-view sites, please tell me, I'd really like to get this resolved... Without paying that $40, and without damaging my parents' credit history...
Thanks again for all the help.

I got kalvsys on my PC too. Didn't go searching for porn...was doing a paper on email privacy and apparently ran into unintended links, but I digress. I took Rick Anstine's advice (thanks, Rick!) and found the file in the registry, but I couldn't find the kalvwbi32.exe that he mentioned. I had to go into safe mode and look around, but I found 4 other unassociated files that began with kalv in the Windows\System32 folder. I deleted those along with the kalvsys in the registry. After rebooting, I haven't seen any popups or a nasty toolbar since.
~db

I too have the kalvsys spyware/virus. I seem to have eliminated most of it. However the registry key HKLU:software/windows/currentversion/run has the key "kalvsys" which refers to the c:\Winnt\system\kalvegx.exe. The file doesn't exist in that location or any other. In fact there are no files beginning with "kalv" anywhere on the system. Delete the key and it reappears in a few seconds. On reboot, the EliteToolbar folder reappears in the System 32 file. I can't find the process that is respawning the key. There should be a special place in Hell reserved for whoever wrote this browser hi-jacker!

Go to www.ripoffreport.com and do a search on premier premium communications and you will see more than 300 complaints against this fraudulent company. Do not pay! The email response you got from them was electronically generated and the same one everyone gets. Email again threatening to report them to fbi, ftc, bbb and you WILL receive a response saying they will credit you. Hope this helps!

I work for a college and take care of 600 lab PCs. One of the labs has the kalvsys spyware on it. The computers don't even have a modem, they are on a T1 line. I booted in safe mode and it found 16 different forms of KALVSYS and removed all traces of it on the c:. I then searched the registry and removed all traces in there. The PC was then rebooted and searched the registry for KALVSYS and it found 2 more traces HKCU\software\Microsoft\Search assistant\ACMNU and removed all subfolders under this key, rebooted the PC once again and ran the search on C: and registry with no traces found. This spyware seems to be associated with the ELITE toolbar.

I really hate this Elite Toolbar. I wish someone would identify the bugger who wrote this toolbar and make him pay for all this extra work I go through just so I can eliminate the toolbar. Don't people understand that sometimes they just want to be left alone?
Anyway, rant aside, I can't reboot my PC into safe mode since I don't have administration rights to this pc (it's my company's work pc). But thanks to all who gave advice here. I will try to work with my IT department to eliminate this.
Cheers,
Yate

Have been infected with this for about a week now, seem to have got rid now by doing the following:-
1. Boot into Safe Mode
2. Did a search for all files that begin with letters kalv
3. Deleted all of the files.
4. Run regedit
5. Search for kalv
6. Delete all registry keys that contain kalv
7. rebooted into normal mode.
I was also infected with ringtone.exe spyware and I managed to get rid of it at the same time by duplicating above.
Remember playing with your registry can totally ruin your installation of windows - I tried it as I was going to do a clean install if it didn't work.
Hope this helps anyone who is infected.
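
Added example (not part of any post in this thread): the replies above describe a `kalvsys` value under the `CurrentVersion\Run` keys pointing at `kalv*.exe` files, and a manual search-and-delete in regedit. The Python below parses a regedit export of the autorun keys and lists the entries to review before anything is deleted; the sample export is constructed from the names posters reported, and `ExampleTray` is a hypothetical benign entry.

```python
import re
from ntpath import basename  # Windows path rules on any OS

# Constructed sample of a regedit export (.reg); names follow the posts above,
# "ExampleTray" is a hypothetical benign entry added for contrast.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe /startup"
"kalvsys"="C:\\WINDOWS\\System\\kalvwbi32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"kalvsys"="C:\\WINDOWS\\System\\kalvwbi32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"="\"C:\\WINNT\\system\\kalvegx.exe\""
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
AUTORUN_RE = re.compile(r'\\CurrentVersion\\Run(Once|-)?$', re.I)

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def executable(command):
    # Program part of an autorun command line, with or without quotes
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.(?:exe|com|bat|scr|dll))\b', command, re.I)
    return m.group(1) if m else command.split(' ', 1)[0]

def autoruns(reg_text):
    """Return (key, value name, program path) for every autorun string value."""
    key, rows = None, []
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and AUTORUN_RE.search(key) and (m := VAL_RE.match(line)):
            rows.append((key, unescape(m.group(1)), executable(unescape(m.group(2)))))
    return rows

def flag(rows, pattern=r'^kalv'):
    """Entries whose value name or program file name matches the pattern."""
    pat = re.compile(pattern, re.I)
    return [r for r in rows if pat.search(r[1]) or pat.search(basename(r[2]))]

if __name__ == "__main__":
    for key, name, path in flag(autoruns(SAMPLE_EXPORT)):
        print(f"{key}: {name} -> {path}")
```

A real "Version 5.00" export is UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to `autoruns`.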
