Background message "Warning! Spyware detected [Solved/Closed]
Griff - - Latest reply: Pota - Feb 27, 2017 at 08:17 PM
Related:
- What is the risk of turning off messages about spyware and related protection
- What is the risk of turning off messages about virus protection - Best answers
- Risk of turning off messages about spyware and related protection - Best answers
- Gmail inbox message ✓ - Forum - Gmail
- Please open my Gmail account ✓ - Forum - Gmail
- Facebook messager - Download - Internet
- How to hide whatsapp messages - How-To - Mobile
- How to send voice message on instagram ✓ - Forum - Instagram
20/84 replies
Best answer
Hi I've just had the same problem over the weekend and have had success removing what turned out to be a large number of trojan viruses which found their way in through a fake email ecard I received.
I used the Dr Web Cure it programme which is free www.freedrweb.com/
If your computer won't stay on long enough for you to download it off the internet which is what happened to me, then what I did was to download it from another computer onto a cheap disk I bought from asda. I then started my computer in safe mode, inserted the disk, and the Dr Web download icon popped up after about a 20 second wait. Just click on it (it took me about 10 goes before it wanted to activate) and then follow the download instructions.
I would recommend the 'Complete' scan. I ran the express scan first which allowed me delete about 7 viruses but when I ran the complete scan it found even more. The complete scan takes 2 hours.
Hope this helps, Debbie.
PS I'm no computer nerd, in fact I don't have a clue about the things, but I found this process quite simple and more importantly, successful. Good luck!
I used the Dr Web Cure it programme which is free www.freedrweb.com/
If your computer won't stay on long enough for you to download it off the internet which is what happened to me, then what I did was to download it from another computer onto a cheap disk I bought from asda. I then started my computer in safe mode, inserted the disk, and the Dr Web download icon popped up after about a 20 second wait. Just click on it (it took me about 10 goes before it wanted to activate) and then follow the download instructions.
I would recommend the 'Complete' scan. I ran the express scan first which allowed me delete about 7 viruses but when I ran the complete scan it found even more. The complete scan takes 2 hours.
Hope this helps, Debbie.
PS I'm no computer nerd, in fact I don't have a clue about the things, but I found this process quite simple and more importantly, successful. Good luck!
A few words of thanks would be greatly appreciated. Add comment
4634 users have said thank you to us this month
Here is how to do it. Its already been posted, but this is the definitive answer:
-Search your drives for *.bmp
-Find the one that matches your background
-Note the last 3 characters before the .bmp - mine was called phccekj0e3cn.bmp
-Search your drives for the last 3 characters noted in previous step. in my case I searched on *3cn
-This search resulted in 4 files for me.
-Go to your task manager, look under the processes tab, and find the process that matches the name of one of the files you are trying to delete (the .exe file)
-end the process - mine was called lphccekj0e3cn.exe
-delete all files found in your search
-reboot and you should have your display tab back for background right-click -> properties
-if you do then you are good to go. set your background and don't let other people who have no clue (most people) use your computer
-Search your drives for *.bmp
-Find the one that matches your background
-Note the last 3 characters before the .bmp - mine was called phccekj0e3cn.bmp
-Search your drives for the last 3 characters noted in previous step. in my case I searched on *3cn
-This search resulted in 4 files for me.
-Go to your task manager, look under the processes tab, and find the process that matches the name of one of the files you are trying to delete (the .exe file)
-end the process - mine was called lphccekj0e3cn.exe
-delete all files found in your search
-reboot and you should have your display tab back for background right-click -> properties
-if you do then you are good to go. set your background and don't let other people who have no clue (most people) use your computer
Ebomb
Let me tell you what happened to me and maybe you can help me and also give a warning to others.
I consider myself to be pretty careful when downloading anything onto my pc. Well it just so happens that a volcano is about to erupt in Alaska so I wanted to find live web cam coverage. So I was lead by Google to what looked like an authentic web site When I went to down load the viewer that was required to view said video the normal Norton warning you could be downloading a virus ect ect ect. came up.
after installing the viewer well you guessed it every Trojan and worm you can imagine. I was majorly infected after many different virus sweeps the system seams to be clear, however I am left with a blue screen and can not load any background or wallpaper and all I have read here and tried to find bmps and check the reg edit for the suggested codes I find none if you can suggest any thing else I would appreciate it.
Let me tell you what happened to me and maybe you can help me and also give a warning to others.
I consider myself to be pretty careful when downloading anything onto my pc. Well it just so happens that a volcano is about to erupt in Alaska so I wanted to find live web cam coverage. So I was lead by Google to what looked like an authentic web site When I went to down load the viewer that was required to view said video the normal Norton warning you could be downloading a virus ect ect ect. came up.
after installing the viewer well you guessed it every Trojan and worm you can imagine. I was majorly infected after many different virus sweeps the system seams to be clear, however I am left with a blue screen and can not load any background or wallpaper and all I have read here and tried to find bmps and check the reg edit for the suggested codes I find none if you can suggest any thing else I would appreciate it.
hi . so , obviously , I have the virus stated . and I think your method will work .. it's just , I have a couple of problems ..
for one , when you say look for your wallpaper , do youu mean the 'YOUR SYSTEM IS INFECTED' message which is currently on the background , or do you mean the one before that? because I have found the one before that , but seeing as I have created numerous new accounts to try and rid my computer of the virus , the wallpaper was a default . it was just called 'wallpaper'. when searchingg *per , about 400 results came up , some of them just harmless default games like minesweeper .
secondly , whenever I press ctrl alt del , or try andd get to task manager another way , it comes up with a box saying ' your system is infected ' or , if I continue pressing it ' this has been disabled by your administrator ', making me unable to access it . I am the administrator and I did not disable it.
have any ideas of how I can still fix the virus ? also , when you had this virus , did you experience messages coming up when you tried to get on some websites , saying that the security preference or something , prevented you from being on it ? or did some just close completely ? because thats whats happening with mine .
basically , I have a bad feeling its conkedd , and that there's no going back .
for one , when you say look for your wallpaper , do youu mean the 'YOUR SYSTEM IS INFECTED' message which is currently on the background , or do you mean the one before that? because I have found the one before that , but seeing as I have created numerous new accounts to try and rid my computer of the virus , the wallpaper was a default . it was just called 'wallpaper'. when searchingg *per , about 400 results came up , some of them just harmless default games like minesweeper .
secondly , whenever I press ctrl alt del , or try andd get to task manager another way , it comes up with a box saying ' your system is infected ' or , if I continue pressing it ' this has been disabled by your administrator ', making me unable to access it . I am the administrator and I did not disable it.
have any ideas of how I can still fix the virus ? also , when you had this virus , did you experience messages coming up when you tried to get on some websites , saying that the security preference or something , prevented you from being on it ? or did some just close completely ? because thats whats happening with mine .
basically , I have a bad feeling its conkedd , and that there's no going back .
I got this spyware/trojan also - replaced my picture on screen with same saying. Continually popped up messages saying I was infected, click here for spyware, etc. Changed my privacy settings to accept all cookies. Slammed me with ads. Was a particularly insidious problem. Since I am not techy inclined, I went to Office Max and bought a disk called PC Restoration (save the receipt - you need numbers off it). You plug in the disk, and it takes you to a web site where you get one of their techs. You let him log onto your computer through a process they give you. It took them hours to fix it - but they did. They keep working on it until it is fixed. Cost $99 for the disk. That is the expensive way I guess - but it worked for me.
I got this spyware/trojan also - replaced my picture on screen with same saying. Continually popped up messages saying I was infected, click here for spyware, etc. Changed my privacy settings to accept all cookies. Slammed me with ads. Was a particularly insidious problem. Since I am not techy inclined, I went to Office Max and bought a disk called PC Restoration (save the receipt - you need numbers off it). You plug in the disk, and it takes you to a web site where you get one of their techs. You let him log onto your computer through a process they give you. It took them hours to fix it - but they did. They keep working on it until it is fixed. Cost $99 for the disk. That is the expensive way I guess - but it worked for me.
I located the 3 files but when I went to processes in the task manager, none looked even close. The files were blphcgenj0e95t and phcgenj0e95t. Also NONE of my processes listed have any NUMBERS in them at all! I have had this virus for a week. My young son needs the computer for school work now and I am a novice MOM. Any suggestions would be appreciated.
Hi Sunshine,
If you cannot locate the strange files in your process list (any file with a name that doesnt seem like a word or acronym) you might be in luck and able to remove the background without too much problems.
Go to Start> Run> type "Regedit" and press ok (without the " " )
In this registry editor, press ctrl+F on your keyboard.. this is the Find option.
Look for 'NoDispBackgroundPage' and/or 'NoDispScrSavPage' and delete them.
Also look for ScreenSaveActive and put that to 0 (it disables the screensaver)
Then do another check in your process list and close Explorer (you wont have a start bar etc. but dont panic..)
Wait 30 seconds and then press (in the task manager) File > New Task (run...) > type "explorer"
Check the screensaver and set it to a screensaver with a normal name (or keep it off) and change the background and background colour.
If you're unable to do this, I suggest following all the steps I provided earlier.
Good luck!
If you cannot locate the strange files in your process list (any file with a name that doesnt seem like a word or acronym) you might be in luck and able to remove the background without too much problems.
Go to Start> Run> type "Regedit" and press ok (without the " " )
In this registry editor, press ctrl+F on your keyboard.. this is the Find option.
Look for 'NoDispBackgroundPage' and/or 'NoDispScrSavPage' and delete them.
Also look for ScreenSaveActive and put that to 0 (it disables the screensaver)
Then do another check in your process list and close Explorer (you wont have a start bar etc. but dont panic..)
Wait 30 seconds and then press (in the task manager) File > New Task (run...) > type "explorer"
Check the screensaver and set it to a screensaver with a normal name (or keep it off) and change the background and background colour.
If you're unable to do this, I suggest following all the steps I provided earlier.
Good luck!
Start the Windows in safe mode and search for .bmp file which shows the same as background. select last fourletters of that .bmp file and search in the windows for all the files. and search in registry also.
once you done restart the computer. Install the you ethernet drivers if you miss any.
gpedit.misc to change the hidden display property to disable in system settings.
once you done restart the computer. Install the you ethernet drivers if you miss any.
gpedit.misc to change the hidden display property to disable in system settings.
Ugh! I got ahead of myself in the previous post. If you followed those directions you still will be missing the 'Desktop' and/or 'Screen Saver' tabs in your Display Properties. (right click on background and select properties)
Also, just deleting the background image is not enough! This is a nasty sucker running a process, it may not find the background anymore but its still doing harm. i.e. my computer started blue screening and rebooting over and over after like 20 min
So here is the complete definitive answer: (thank you again for previous posts pointing me in the right direction)
REMOVE THE FILES FROM YOUR HARD-DRIVE:
-Right-Click on My Computer and select Search...
-click All files and folders
-search for *.bmp (all or part of file name)
-Find the one that matches your background
-Note the name of the .bmp file - mine was called phccekj0e3cn.bmp (copy and paste into notepad or something as you weill need this later, or write it down as your computer can reboot)
-Search your drives for the last 3 characters noted in previous step. in my case I searched on *3cn
-This search resulted in 4 files for me.
-Go to your task manager, look under the processes tab, and find the process that matches the name of one of the files you are trying to delete (the .exe file)
-end the process - mine was called lphccekj0e3cn.exe
-delete all files found in your search
REMOVE REGISTRY ENTRIES: (not as important since the files are no longer there but still good idea)
-Start -> Run
-regedit
-Edit -> Find
-I searched on *3cn (the last 3 characters) but this returned some valid registry entries. I suggest you either carefully delete all entries that look they are related. I found 5 or 6 valid entries, but they were obvious to me to not be related.
-typically they will have the full name like "lphccekj0e3cn" In fact you could probably search on whatever the .exe name was (minus the .exe extension) and you can surely delete all those entries.
FIX REGISTRY ENTRIES:
-this is what I missed in the previous post. The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
Check out your display properties again, they should be back to normal.
Empty your recycle bin to get rid of it for good
Rebooting at this point is probably a good idea.
Also, just deleting the background image is not enough! This is a nasty sucker running a process, it may not find the background anymore but its still doing harm. i.e. my computer started blue screening and rebooting over and over after like 20 min
So here is the complete definitive answer: (thank you again for previous posts pointing me in the right direction)
REMOVE THE FILES FROM YOUR HARD-DRIVE:
-Right-Click on My Computer and select Search...
-click All files and folders
-search for *.bmp (all or part of file name)
-Find the one that matches your background
-Note the name of the .bmp file - mine was called phccekj0e3cn.bmp (copy and paste into notepad or something as you weill need this later, or write it down as your computer can reboot)
-Search your drives for the last 3 characters noted in previous step. in my case I searched on *3cn
-This search resulted in 4 files for me.
-Go to your task manager, look under the processes tab, and find the process that matches the name of one of the files you are trying to delete (the .exe file)
-end the process - mine was called lphccekj0e3cn.exe
-delete all files found in your search
REMOVE REGISTRY ENTRIES: (not as important since the files are no longer there but still good idea)
-Start -> Run
-regedit
-Edit -> Find
-I searched on *3cn (the last 3 characters) but this returned some valid registry entries. I suggest you either carefully delete all entries that look they are related. I found 5 or 6 valid entries, but they were obvious to me to not be related.
-typically they will have the full name like "lphccekj0e3cn" In fact you could probably search on whatever the .exe name was (minus the .exe extension) and you can surely delete all those entries.
FIX REGISTRY ENTRIES:
-this is what I missed in the previous post. The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
Check out your display properties again, they should be back to normal.
Empty your recycle bin to get rid of it for good
Rebooting at this point is probably a good idea.
i already have posted the solution of this problem
but here it one more time
The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
Check out your display properties again, they should be back to normal.
Empty your recycle bin to get rid of it for good
Rebooting at this point is probably a good idea.
awaiting comments
Regards
Melisio Mascarenhas
India
but here it one more time
The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
Check out your display properties again, they should be back to normal.
Empty your recycle bin to get rid of it for good
Rebooting at this point is probably a good idea.
awaiting comments
Regards
Melisio Mascarenhas
India
- Posts
- 165
- Registration date
- Saturday August 16, 2008
- Last seen
- September 22, 2012
(Solved) (Solved)(Solved)(Solved)(Solved)(Solved)(Solved)(Solved)(Solved)(Solved)(Solved)(Solved)(Solved)(Solved)
Just a reply to this approach, I have done this. unfortunately the hijack reinstalled itself once I had rebooted the computer.
i would like to add my 2cents worth thanks. you may need to, remove all accurances of text, strings etc from registry. (regedit) .there is a search engine there which you can use to find the entries, also use F3 to find next etc.
the text strings are as follows [ blphc98pj0elc5 , Lphc98pj0elc5, phc98pj0elc5 ]
there may also be [.exe files] for these in C:windows/system32 folder which you will need to delete once you have deleted register entries.
you will need to shutdown the computer then restart to delete these last 2 [.exe files] as they will be in use by windows system.
thankyou all.
alayche
Just a reply to this approach, I have done this. unfortunately the hijack reinstalled itself once I had rebooted the computer.
i would like to add my 2cents worth thanks. you may need to, remove all accurances of text, strings etc from registry. (regedit) .there is a search engine there which you can use to find the entries, also use F3 to find next etc.
the text strings are as follows [ blphc98pj0elc5 , Lphc98pj0elc5, phc98pj0elc5 ]
there may also be [.exe files] for these in C:windows/system32 folder which you will need to delete once you have deleted register entries.
you will need to shutdown the computer then restart to delete these last 2 [.exe files] as they will be in use by windows system.
thankyou all.
alayche
Ok so I had all the symptoms, followed all of ebombs steps, and the steps that sir posted to do after. And I no longer have problems with my desktops backround. But I still have problems with:
My internet being really really really slow.
Websites don't load fully / correctly, the format is way f'd up.
Can't even access my router settings page anymore, it WAS loading f'd up before, now it just times out after a while.
I can't update any of my anti-virus software, they all just error in some strange way.
I can't install anything, install.exe files just error when I double click them, no matter what they are or where they are from, it just says they are corrupt. I'm assuming this is the virus keeping me from getting rid of it? -_-
I triple checked every step, I've done everything. If anyone knows what might still be wrong or what I MAY have missed, please help me out. I'd be more greatful than I can even put into words.
My internet being really really really slow.
Websites don't load fully / correctly, the format is way f'd up.
Can't even access my router settings page anymore, it WAS loading f'd up before, now it just times out after a while.
I can't update any of my anti-virus software, they all just error in some strange way.
I can't install anything, install.exe files just error when I double click them, no matter what they are or where they are from, it just says they are corrupt. I'm assuming this is the virus keeping me from getting rid of it? -_-
I triple checked every step, I've done everything. If anyone knows what might still be wrong or what I MAY have missed, please help me out. I'd be more greatful than I can even put into words.
I had the same problem. Wallpaper & Screensavor tab missing and fake virus alert. I used this software and it got rid or it, Malwarebytes Anti-Malware.
Here is the link:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
The free version works just fine. Also if when you reboot you get an "Cannot Display This Video Mode" message. Unplug your monitor then reboot. When you're sure that the log on prompt is up, replug your monitor.
Here is a copy of my Malwarebytes log, The ones labeled "Trojan.FakeAlert" is this perticular spyware. Also it restore the noscreensavor and nobackground that was placed in the RegKey
Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2
10:34:12 AM 08/27/08
mbam-log-08-27-2008 (10-34-12).txt
Scan type: Full Scan (C:\|)
Objects scanned: 139484
Time elapsed: 1 hour(s), 5 minute(s), 2 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 10
Memory Processes Infected:
C:\WINDOWS\SYSTEM32\lphcpwej0e741.exe (Trojan.FakeAlert) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\blphcpwej0e741.scr (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcpwej0e741 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM\Cache (Adware.2020search) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM\Cache\T10312.tmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysrest32.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\vdo_g.ini (Stolen.Data) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\blphcpwej0e741.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lphcpwej0e741.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\phcpwej0e741.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\amegino\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
Here is the link:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
The free version works just fine. Also if when you reboot you get an "Cannot Display This Video Mode" message. Unplug your monitor then reboot. When you're sure that the log on prompt is up, replug your monitor.
Here is a copy of my Malwarebytes log, The ones labeled "Trojan.FakeAlert" is this perticular spyware. Also it restore the noscreensavor and nobackground that was placed in the RegKey
Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2
10:34:12 AM 08/27/08
mbam-log-08-27-2008 (10-34-12).txt
Scan type: Full Scan (C:\|)
Objects scanned: 139484
Time elapsed: 1 hour(s), 5 minute(s), 2 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 10
Memory Processes Infected:
C:\WINDOWS\SYSTEM32\lphcpwej0e741.exe (Trojan.FakeAlert) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\blphcpwej0e741.scr (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcpwej0e741 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM\Cache (Adware.2020search) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM\Cache\T10312.tmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysrest32.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\vdo_g.ini (Stolen.Data) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\blphcpwej0e741.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lphcpwej0e741.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\phcpwej0e741.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\amegino\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
Hi there people,
Seen as to how I cant reply to the mail I got through this site, i'm hoping to do that here..
I received some questions as to how to reach the search option when this virus is active..
I have to warn you though.. this particular bug downloads other viruses that change more stuff on reboot.. thats why it is VERY VERY important to remove the network cable, and not reboot unless its impossible to continue working before a reboot.
If you have done all the steps that Ebomb and I have provided (or cannot do some of the steps since it hijacked your explorer) and still have problems, here are some more tips.
Don't pin me down on this though, I don't know whether this helps.
Do NOT use your computer like normal when the virus is still there, you risk infecting other people and even being shut down by your ISP, and in the worst cases you risk being prosecuted for spreading spam/malware
Never download an "antivirus program" or "malware remover" unless you know it works (or one of the following: NOD32, Kaspersky, Norton/symantec, AVG and some other premium brands)
you MUST boot in safe mode (press f8 a couple of times right after you turn on your computer and get the black screen with the text stuff, that means BEFORE the windows logo with the moving bars) when youre in safe mode, you'll get a message about system restore.. this cannot be used since the virus could have infected a restore point.
When Safe Mode fully loaded, you should not get the warning message and blue/white background, if you do, press ctrl+alt+del, do task manager and look in your process list.
- If you see any weird processes in there, try to end them manually, but dont try too hard cause theyll probably stay.
Write the names of the processes (all that you dont trust) and look them up in google on a comp that is not infected, here you should eb able to find the meaning of most of them.. if not, its probably a virus, or a program you dont need.
- If you dont see a start bar, or icons: Try to manually start Explorer by doing CTRL+ALT+DEL, task manager, File > New task> explorer [enter]
If you cant get task manager to work, you have a problem that surpasses my knowledge, and its time to either use a recovery disk, re-install windows, or bring the computer to a specialist.
- If you cant start Explorer (the start bar and icons), theres another method to get it to work. Which requires some extra labour:
Go on a computer that is not infected and follow this link:
http://www.download.com/... (if possible)
Or look for hijackthis.
You can then put it on a usb stick or CD/DVD and open it in the infected computer by inserting it and browsing to the drive through CTRL+ALT+DEL, task manager, File > New task>[drive letter]:\hijackthis
This program helps you opening an alternative task manager and file explorer/basic scanner
With this program you can analyze the startup sequence and save a logfile to show other people, do this, and post the logfile on this forum (or multiple to get quicker help)
You can also use this program to open your task manager list in case you can't, or dont trust the windows one (some viruses have been known to alter it)
This "manual" has become quite a mess now, but if you go over it a couple times, I hope you get what I mean...
So here's what I expect you to do:
- Follow all the instructions (Ebomb and mine, and read the other people's too ofcourse)
- If these dont work, get Hijackthis
- FIRST follow your own intuition, find all processes on google, try to manually remove stuff with hijackthis after researching them
- Try premium antivirus trial packages
- Post your Hijackthis log on this forum and tell us your symptoms in one message, if we can help, we will!
- If all else fails (and I mean everything) Think about re-installing windows over this infected one.
Then back up everything on a dvd or usb stick (documents, pictures, saved games, every important possession)
IMPORTANT: Take your time for backing up, the windows that is installed now will not have the virus installed but your harddrive will be a mess (imagine post-apocalyptic new york on rush hour) and it still does contain the virus file on it.
When youre absolutely positive that you backed up every valuable file, it is time to do a system format.
You can do this by letting the windows installation make a new file system (theres plenty of tutorials about this and im not going in-depth on this)
Do know that upon doing a format, you will delete everything on the computer, and you will not be able to recover anything after the format.
Seen as to how I cant reply to the mail I got through this site, i'm hoping to do that here..
I received some questions as to how to reach the search option when this virus is active..
I have to warn you though.. this particular bug downloads other viruses that change more stuff on reboot.. thats why it is VERY VERY important to remove the network cable, and not reboot unless its impossible to continue working before a reboot.
If you have done all the steps that Ebomb and I have provided (or cannot do some of the steps since it hijacked your explorer) and still have problems, here are some more tips.
Don't pin me down on this though, I don't know whether this helps.
Do NOT use your computer like normal when the virus is still there, you risk infecting other people and even being shut down by your ISP, and in the worst cases you risk being prosecuted for spreading spam/malware
Never download an "antivirus program" or "malware remover" unless you know it works (or one of the following: NOD32, Kaspersky, Norton/symantec, AVG and some other premium brands)
you MUST boot in safe mode (press f8 a couple of times right after you turn on your computer and get the black screen with the text stuff, that means BEFORE the windows logo with the moving bars) when youre in safe mode, you'll get a message about system restore.. this cannot be used since the virus could have infected a restore point.
When Safe Mode fully loaded, you should not get the warning message and blue/white background, if you do, press ctrl+alt+del, do task manager and look in your process list.
- If you see any weird processes in there, try to end them manually, but dont try too hard cause theyll probably stay.
Write the names of the processes (all that you dont trust) and look them up in google on a comp that is not infected, here you should eb able to find the meaning of most of them.. if not, its probably a virus, or a program you dont need.
- If you dont see a start bar, or icons: Try to manually start Explorer by doing CTRL+ALT+DEL, task manager, File > New task> explorer [enter]
If you cant get task manager to work, you have a problem that surpasses my knowledge, and its time to either use a recovery disk, re-install windows, or bring the computer to a specialist.
- If you cant start Explorer (the start bar and icons), theres another method to get it to work. Which requires some extra labour:
Go on a computer that is not infected and follow this link:
http://www.download.com/... (if possible)
Or look for hijackthis.
You can then put it on a usb stick or CD/DVD and open it in the infected computer by inserting it and browsing to the drive through CTRL+ALT+DEL, task manager, File > New task>[drive letter]:\hijackthis
This program helps you opening an alternative task manager and file explorer/basic scanner
With this program you can analyze the startup sequence and save a logfile to show other people, do this, and post the logfile on this forum (or multiple to get quicker help)
You can also use this program to open your task manager list in case you can't, or dont trust the windows one (some viruses have been known to alter it)
This "manual" has become quite a mess now, but if you go over it a couple times, I hope you get what I mean...
So here's what I expect you to do:
- Follow all the instructions (Ebomb and mine, and read the other people's too ofcourse)
- If these dont work, get Hijackthis
- FIRST follow your own intuition, find all processes on google, try to manually remove stuff with hijackthis after researching them
- Try premium antivirus trial packages
- Post your Hijackthis log on this forum and tell us your symptoms in one message, if we can help, we will!
- If all else fails (and I mean everything) Think about re-installing windows over this infected one.
Then back up everything on a dvd or usb stick (documents, pictures, saved games, every important possession)
IMPORTANT: Take your time for backing up, the windows that is installed now will not have the virus installed but your harddrive will be a mess (imagine post-apocalyptic new york on rush hour) and it still does contain the virus file on it.
When youre absolutely positive that you backed up every valuable file, it is time to do a system format.
You can do this by letting the windows installation make a new file system (theres plenty of tutorials about this and im not going in-depth on this)
Do know that upon doing a format, you will delete everything on the computer, and you will not be able to recover anything after the format.
Really appreciate all the suggestions. I'm by no means a computer expert but managed to follow the process and eliminated the warning message. However, after re-booting, my desktop loaded up with a bunch of "notepad" tabs (iaanotif, OSA9, OLG, yahoo messenger, issch, cxyrgzqh, and many others) further, each desktop application icon I clicked on (EX: Firefox) opened a notepad of misc symbols, not the actual application. additionally, when I tried to reset my desktop image through the start>control panel>appearance and themes, another notepad full of symbols opened. Obviously, I've screwed something up. How do I fix it?
Ok, so I thought I had everything gone, but it seems like my browsers are being hijacked by this virus, look out for the results you find on google..
If anyone can help find out where this comes from, I very much appreciate it
So: Whenever I do a search on Google, on both IE and FireFox, google wants to redirect me to some page called "youreverydayhealth.com" and something with blogs.
I checked all my harddrives (2 TB) with all known anti spyware/adware/cvs programs, hijackthis, I dont have files in my process list that could do harm, I deleted all BHO's, I let my router determine the DNS, not my computer, I have no other virus symptoms, no bad cookies, an empty cache, http://www.google.nl is my basic search provider and starting page and my hosts file is alright (empty).
I scanned my registry to anything with blogs or health, and all I could find was the high secured area of iexplorer (all the websites with security = 4 -means blocked- rating)
Also every tracert shows up legit addresses.
Any suggestions would be appreciated.
If anyone can help find out where this comes from, I very much appreciate it
So: Whenever I do a search on Google, on both IE and FireFox, google wants to redirect me to some page called "youreverydayhealth.com" and something with blogs.
I checked all my harddrives (2 TB) with all known anti spyware/adware/cvs programs, hijackthis, I dont have files in my process list that could do harm, I deleted all BHO's, I let my router determine the DNS, not my computer, I have no other virus symptoms, no bad cookies, an empty cache, http://www.google.nl is my basic search provider and starting page and my hosts file is alright (empty).
I scanned my registry to anything with blogs or health, and all I could find was the high secured area of iexplorer (all the websites with security = 4 -means blocked- rating)
Also every tracert shows up legit addresses.
Any suggestions would be appreciated.
unplug ur system from the net connection
delete the history, cookies, and temp files from ur iinternet explorer
check in any new software has been intalled in
startmenu/programs/"check in any new software has been intalled itself here " unintall it if it doent allo to delete it
emplty ur recyler bin
awaiting comments
also check out
Melisio Mascarenhas
India
delete the history, cookies, and temp files from ur iinternet explorer
check in any new software has been intalled in
startmenu/programs/"check in any new software has been intalled itself here " unintall it if it doent allo to delete it
emplty ur recyler bin
awaiting comments
also check out
Melisio Mascarenhas
India
I actually deleted my entire cookies directories and temp dir to prevent any hidden/encrypted files to be missed.. and I believe I already stated that in my previous post.
The problem is that I could not detect anything on my computer.. even a virusscanner couldnt.
I re-installed windows and got it over with.
The problem is that I could not detect anything on my computer.. even a virusscanner couldnt.
I re-installed windows and got it over with.
I was having this same problem and had to reformat 2x. All was fine until this past Friday, and this same virus started taking over again. Now, I got past all the screesaver issues, I was able to delete some files before it got to the "screensaver" changing part. But now here are my issues. 1) Task Manager will not come up because the admin rights have been taken over by this virus. 2) When I go to "Start" Ctrl Panel, My Computer, none of those items are available 3) I get into "My Computer" by backdooring it, and my C:/ and D:/ drives are not available. I have to manually type them in to view them. The virus has gotten into my external hard drives as well, which the free version of avast is picking up, but the virus will not let me delete these files after being found through avast. When I go into the drive, I do not see these files. I am running programs that were mentioned earlier in this post, trying to get rid of this thing. Also, where the "Time" is, in the bottom right had corner, it has "VIRUS ALERT!" displaying all the time. Any help would be appreciated. Thanks!
Been working on this problem for weeks. Thankyou... my daughter can finally stop nicking my laptop!
I used a pen drive thing instead of a disk.
Top marks.. cheers!