This one is suspect #1. CTRL+ALT+DEL, right click it and end the task. Do a search on the C drive for ‘BARGAINS.EXE’ (or other drives, most likely the C drive though), and delete it, as well as its root folder (ex: C:\Program Files\Bargain_crap\BARGAINS.EXE), the root folder being ‘Bargain_crap’ in this example. If this doesn’t work, do the same thing in Safe Mode.
When you say you’ve run Spybot and Adaware…
Have you downloaded and run the current versions, as well as updated them before you ran them? Adaware SE, Spybot - Search & Destroy 1.3
You could try downloading Hijack This! and posting the list here for someone more knowledgeable than I to look at. Remember, though, if you use that program and delete everything you’re screwed, so be careful.
If you’re going to do it manually, this alone is not enough to stop it. You’ll need to search your registry and delete all of those references as well at the least (start > run > regedit > ctrl+f). I’ve successfully helped a lot of dopers get rid of nasty bugs here; in the sticky I specifically recommend NOT immediately ending a suspect program listed in your task manager.
A much better solution is to (and this is only if the spyware/adware/antivirus utilities aren’t cleaning it) download the sysinternals process explorer and file monitor.
Run the process explorer; it gives you complete control over all aspects of any running process, including immediate annihilation, or, what we are concerned with, suspending the process. That means it is forbidden to use any resources and can only sit there, effectively paralyzed. This is much more useful to us than closing it.
If you right click on the process and choose properties you can learn some very interesting things about it, such as its path, its command line start switches, its current working directory, its threads (e.g. what’s it been doing lately?), legible strings of text contained within the process, which can help identify it, and a lot more.
So you do that, and you jot that stuff down. After that, while it’s still suspended, you open up file monitor. Basically this is a real time file monitor; it shows you what sort of hard drive activity each program is engaged in as it happens. So you open this up, “resume” your spyware/adware/virus, and watch it for a second to find out just what exactly it’s doing and where it’s doing it. After you’re done spying on the little bastard go ahead and nuke him. Finally, proceed with your cleanup, using all this information you’ve gathered to be more effective.
This only explains removing the registry keys from the ‘run’ folder in the registry. But nothing about removing it from your hard drive. Still very informative. I would suggest doing this, and then deleting the actual files from the hard drive.
I’m pretty sure that it would though. The worst case scenario is that the ‘run’ portion of the registry would have caused a ‘BARGAINS.EXE not found’ error on startup, because the file was already deleted. My fault for not mentioning the registry edit though. Just remove the keys, from Ponsters’ link.
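
Added example, not part of any post in this thread: a read-only PowerShell audit of the ‘run’ registry entries discussed above, listing each autostart command and flagging entries whose target file is already gone (the "not found on startup" case) or whose command matches a name you are hunting. The `$Pattern` value is a constructed sample taken from the thread's BARGAINS.EXE example, and `Get-CommandTarget` is a hypothetical helper; nothing is deleted.

```powershell
# Read-only audit of the Run/RunOnce autostart keys (added example).
$Pattern = 'BARGAINS'   # constructed sample: name fragment to look for

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the executable path out of an autostart command line.
function Get-CommandTarget {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    # Quoted path: "C:\Some Folder\app.exe" /switch
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces: stop at the first executable extension
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|dll))(\s|,|$)') { return $Matches[1] }
    # Fallback: first whitespace-delimited token
    return ($cmd -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item $key
    foreach ($name in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($data)) { continue }
        $target = Get-CommandTarget $data
        # A bare name such as rundll32.exe is resolved through PATH instead of as a file path.
        $exists = (Test-Path -LiteralPath $target -ErrorAction SilentlyContinue) -or
                  [bool](Get-Command $target -CommandType Application -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Key            = $key
            Name           = $name
            Command        = $data
            Target         = $target
            TargetExists   = $exists
            MatchesPattern = ($data -match [regex]::Escape($Pattern))
        }
    }
}

# Show only the entries worth a closer look: dead targets or pattern matches.
$results | Where-Object { -not $_.TargetExists -or $_.MatchesPattern } | Format-List
```

Drop the final `Where-Object` filter to see every autostart entry, and compare the output against the path and command line noted from the process properties before removing anything in regedit.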