Background message "Warning! Spyware detected
Solved/Closed
I let my roomie use my comp while I was away for a few weeks. I returned to find "Warning! Spyware detected on your computer! Install antivirus or spyware remover to clean your computer" as my background message. I tried to place a new background on but this message still appears in the middle. I just bought Norton 360 but it doesn't seem to be detecting it. Also if I leave my computer idle for too long a blue screen pops up with a bunch of computer nomenclature and eg. bogus_driver or something of the sort being the problem. If I hit any button on the keypad it will close that screen and it will no longer pop up until the computer is idle again.
Related:
- What is the risk of turning off messages about virus protection
- What is the risk of turning off messages about spyware and related protection - Best answers
- Risk of turning off messages about virus protection - Best answers
- Message cannot be saved as draft yahoo ✓ - Forum - Yahoo Mail
- Messenger messages disappeared 2022 - Forum - Facebook Messenger
- This message was deleted text copy - Forum - Android
- Sorry friends my facebook account was hacked message ✓ - Forum - Facebook
- Marketplace messages disappeared - Forum - Facebook Messenger
84 replies
Hi I've just had the same problem over the weekend and have had success removing what turned out to be a large number of trojan viruses which found their way in through a fake email ecard I received.
I used the Dr Web Cure it programme which is free www.freedrweb.com/
If your computer won't stay on long enough for you to download it off the internet which is what happened to me, then what I did was to download it from another computer onto a cheap disk I bought from asda. I then started my computer in safe mode, inserted the disk, and the Dr Web download icon popped up after about a 20 second wait. Just click on it (it took me about 10 goes before it wanted to activate) and then follow the download instructions.
I would recommend the 'Complete' scan. I ran the express scan first which allowed me delete about 7 viruses but when I ran the complete scan it found even more. The complete scan takes 2 hours.
Hope this helps, Debbie.
PS I'm no computer nerd, in fact I don't have a clue about the things, but I found this process quite simple and more importantly, successful. Good luck!
I used the Dr Web Cure it programme which is free www.freedrweb.com/
If your computer won't stay on long enough for you to download it off the internet which is what happened to me, then what I did was to download it from another computer onto a cheap disk I bought from asda. I then started my computer in safe mode, inserted the disk, and the Dr Web download icon popped up after about a 20 second wait. Just click on it (it took me about 10 goes before it wanted to activate) and then follow the download instructions.
I would recommend the 'Complete' scan. I ran the express scan first which allowed me delete about 7 viruses but when I ran the complete scan it found even more. The complete scan takes 2 hours.
Hope this helps, Debbie.
PS I'm no computer nerd, in fact I don't have a clue about the things, but I found this process quite simple and more importantly, successful. Good luck!
Here is how to do it. Its already been posted, but this is the definitive answer:
-Search your drives for *.bmp
-Find the one that matches your background
-Note the last 3 characters before the .bmp - mine was called phccekj0e3cn.bmp
-Search your drives for the last 3 characters noted in previous step. in my case I searched on *3cn
-This search resulted in 4 files for me.
-Go to your task manager, look under the processes tab, and find the process that matches the name of one of the files you are trying to delete (the .exe file)
-end the process - mine was called lphccekj0e3cn.exe
-delete all files found in your search
-reboot and you should have your display tab back for background right-click -> properties
-if you do then you are good to go. set your background and don't let other people who have no clue (most people) use your computer
-Search your drives for *.bmp
-Find the one that matches your background
-Note the last 3 characters before the .bmp - mine was called phccekj0e3cn.bmp
-Search your drives for the last 3 characters noted in previous step. in my case I searched on *3cn
-This search resulted in 4 files for me.
-Go to your task manager, look under the processes tab, and find the process that matches the name of one of the files you are trying to delete (the .exe file)
-end the process - mine was called lphccekj0e3cn.exe
-delete all files found in your search
-reboot and you should have your display tab back for background right-click -> properties
-if you do then you are good to go. set your background and don't let other people who have no clue (most people) use your computer
Hi Ebomb,
Thank you so much man...... thanks a million.... thanks a trillion.... thanks a lot. I could fix the problem completely. Now no virus. I got backthe desktop and screensaver options in desktop properties window. Your method really worked..... Thank you buddy... be in touch..... can I get your personal email id.... mine is attitude_dedication@rediffmail.com.
Thanks once again and take care..
Thank you so much man...... thanks a million.... thanks a trillion.... thanks a lot. I could fix the problem completely. Now no virus. I got backthe desktop and screensaver options in desktop properties window. Your method really worked..... Thank you buddy... be in touch..... can I get your personal email id.... mine is attitude_dedication@rediffmail.com.
Thanks once again and take care..
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
40
>
cal
Aug 27, 2008 at 12:06 AM
Aug 27, 2008 at 12:06 AM
try to do it in safe mode
Hello, I've been googling everything, I've done all the instructions given out there, except for downloading anysoftware, because I can't get to the internet, I've done the tskmgr instructions and deleted the files, I've restarted in safe mood and disabled turn off system restore, I've run avg after deleting from registry files and search my entire computer and it found those trojans even after I deleted from registry and taskmgr. So when it showed that AVG asked if I wanted to remove I said remove, so I'm thinking it's gone, I can't find anymore of those files. However I did the policies thing for desktop to be enabled again, I changed my desktop and my screensaver went back to what I had before Antivirus, I restarted my pc and boom that message in the middle of my desktop is still there.
It wont go away, I can't connect to internet or anything.
What am I missing what am I doing wrong????
It wont go away, I can't connect to internet or anything.
What am I missing what am I doing wrong????
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
40
>
Ann
Sep 8, 2008 at 04:25 AM
Sep 8, 2008 at 04:25 AM
ok Ann, pls follow the below given info
The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
Check out your display properties again, they should be back to normal.
Empty your recycle bin to get rid of it for good
Rebooting at this point is probably a good idea.
Melisio Mascarenhas
India
The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
Check out your display properties again, they should be back to normal.
Empty your recycle bin to get rid of it for good
Rebooting at this point is probably a good idea.
Melisio Mascarenhas
India
Ana
>
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
Sep 10, 2008 at 12:48 AM
Sep 10, 2008 at 12:48 AM
I read the instructions you provided to remove the annoying background screen, however I wish I would have read this before I installed an anti virus software the removed the annoying screen and the pop ups forcing consumers to purchase their product. I now have the screen saver problem that appears when computer is idle advising there was an error in the installation of a new software and it names all these files and suggest a reboot. The computer appears to be rebooting but it is not. Its like some sick persons way to annoy you with a screen saver that is an eye soar. So my question is how do I get rid of this and I know you have posted directions several time sorry if I am not getting it. Each time you posted it you ask that we look for the original file or even a file with bogus numbers. When I do the search for the file .bmp it pulls of 1400 files of pics which I totally understand. What I dont get is which file it could be if it is in that section or did I miss my chance when the anti virus software I installed deleted it. I just want to change the background on my computer and take the screen saver off. I dont have these tabs and maybe I was just fast reading but it appears to be a problem that is linked. Also I dont mean to sound like an air head but a little fix it for dummys instructions would be helpful. I also want to point out this is sad I can not fix it my self as I did get an associates degree in IT. Maybe it was not the major for me but I am very fasinated by it.
Ann
>
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
Sep 10, 2008 at 08:35 PM
Sep 10, 2008 at 08:35 PM
Thanks! it worked. I have my bg back now
Gratefull !!! Very
>
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
Sep 13, 2008 at 01:13 PM
Sep 13, 2008 at 01:13 PM
Thanks, I followed Ebomb and your instructions and I got rid of it completelly....after 3 days of downloading all sort of crap.
Thanks again!!!
Thanks again!!!
Grateful
>
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
Sep 18, 2008 at 05:26 PM
Sep 18, 2008 at 05:26 PM
Thank you sooooo much I had this damned thing for a few days before I finally found it, but still had the issue with the background you made it sooo simple, but one last thing. Every time I click anything in an webbrowser I am redirected to other pages that have nothing to do with what im searching for. any clues?
Thanks
Robert S
Thanks
Robert S
Mike
>
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
Sep 30, 2008 at 06:52 PM
Sep 30, 2008 at 06:52 PM
I tried to do the following:
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ÂPolicies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
and now I have no desktop just a blue screen. Can anyone help?
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ÂPolicies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
and now I have no desktop just a blue screen. Can anyone help?
Help
>
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
Oct 10, 2008 at 06:55 PM
Oct 10, 2008 at 06:55 PM
hey I cant find registry what is it
hey I had the same problem and ebomb your directions helped me thx.
but now something strange has happened with my browser
anytime I Google search something
and click on one of the search links it redirects me and takes me to some worthless shady website
the only way I can access websites is by typing in the url
my internet is also running very slow now
i get the feeling some form of spyware is still in my comp and using my net
any help would be greatly apreciated !!!
thank you!!!!!! verymuch
but now something strange has happened with my browser
anytime I Google search something
and click on one of the search links it redirects me and takes me to some worthless shady website
the only way I can access websites is by typing in the url
my internet is also running very slow now
i get the feeling some form of spyware is still in my comp and using my net
any help would be greatly apreciated !!!
thank you!!!!!! verymuch
PLEASE HELP!! im having the same problems as everyone else. I think I may have a virus. my screen savers is now all white. last week it said the same message that the other people were talking about. I AM VERY NEW to computers and have no clue what you are talking about. is there any way you could give a bit more detailed instructions? I have tried searching in drives for .bmp & the only thing that comes up are pictures of different screen savers and other s. savers things ive never seen. I dont see any.bmp after the files. please help
PLEASE HELP!! im having the same problems as everyone else. I think I may have a virus. my screen savers is now all white. last week it said the same message that the other people were talking about. I AM VERY NEW to computers and have no clue what you are talking about. is there any way you could give a bit more detailed instructions? I have tried searching in drives for .bmp & the only thing that comes up are pictures of different screen savers and other s. savers things ive never seen. I dont see any.bmp after the files. please help
Ebomb
Let me tell you what happened to me and maybe you can help me and also give a warning to others.
I consider myself to be pretty careful when downloading anything onto my pc. Well it just so happens that a volcano is about to erupt in Alaska so I wanted to find live web cam coverage. So I was lead by Google to what looked like an authentic web site When I went to down load the viewer that was required to view said video the normal Norton warning you could be downloading a virus ect ect ect. came up.
after installing the viewer well you guessed it every Trojan and worm you can imagine. I was majorly infected after many different virus sweeps the system seams to be clear, however I am left with a blue screen and can not load any background or wallpaper and all I have read here and tried to find bmps and check the reg edit for the suggested codes I find none if you can suggest any thing else I would appreciate it.
Let me tell you what happened to me and maybe you can help me and also give a warning to others.
I consider myself to be pretty careful when downloading anything onto my pc. Well it just so happens that a volcano is about to erupt in Alaska so I wanted to find live web cam coverage. So I was lead by Google to what looked like an authentic web site When I went to down load the viewer that was required to view said video the normal Norton warning you could be downloading a virus ect ect ect. came up.
after installing the viewer well you guessed it every Trojan and worm you can imagine. I was majorly infected after many different virus sweeps the system seams to be clear, however I am left with a blue screen and can not load any background or wallpaper and all I have read here and tried to find bmps and check the reg edit for the suggested codes I find none if you can suggest any thing else I would appreciate it.
hi . so , obviously , I have the virus stated . and I think your method will work .. it's just , I have a couple of problems ..
for one , when you say look for your wallpaper , do youu mean the 'YOUR SYSTEM IS INFECTED' message which is currently on the background , or do you mean the one before that? because I have found the one before that , but seeing as I have created numerous new accounts to try and rid my computer of the virus , the wallpaper was a default . it was just called 'wallpaper'. when searchingg *per , about 400 results came up , some of them just harmless default games like minesweeper .
secondly , whenever I press ctrl alt del , or try andd get to task manager another way , it comes up with a box saying ' your system is infected ' or , if I continue pressing it ' this has been disabled by your administrator ', making me unable to access it . I am the administrator and I did not disable it.
have any ideas of how I can still fix the virus ? also , when you had this virus , did you experience messages coming up when you tried to get on some websites , saying that the security preference or something , prevented you from being on it ? or did some just close completely ? because thats whats happening with mine .
basically , I have a bad feeling its conkedd , and that there's no going back .
for one , when you say look for your wallpaper , do youu mean the 'YOUR SYSTEM IS INFECTED' message which is currently on the background , or do you mean the one before that? because I have found the one before that , but seeing as I have created numerous new accounts to try and rid my computer of the virus , the wallpaper was a default . it was just called 'wallpaper'. when searchingg *per , about 400 results came up , some of them just harmless default games like minesweeper .
secondly , whenever I press ctrl alt del , or try andd get to task manager another way , it comes up with a box saying ' your system is infected ' or , if I continue pressing it ' this has been disabled by your administrator ', making me unable to access it . I am the administrator and I did not disable it.
have any ideas of how I can still fix the virus ? also , when you had this virus , did you experience messages coming up when you tried to get on some websites , saying that the security preference or something , prevented you from being on it ? or did some just close completely ? because thats whats happening with mine .
basically , I have a bad feeling its conkedd , and that there's no going back .
I got this spyware/trojan also - replaced my picture on screen with same saying. Continually popped up messages saying I was infected, click here for spyware, etc. Changed my privacy settings to accept all cookies. Slammed me with ads. Was a particularly insidious problem. Since I am not techy inclined, I went to Office Max and bought a disk called PC Restoration (save the receipt - you need numbers off it). You plug in the disk, and it takes you to a web site where you get one of their techs. You let him log onto your computer through a process they give you. It took them hours to fix it - but they did. They keep working on it until it is fixed. Cost $99 for the disk. That is the expensive way I guess - but it worked for me.
I got this spyware/trojan also - replaced my picture on screen with same saying. Continually popped up messages saying I was infected, click here for spyware, etc. Changed my privacy settings to accept all cookies. Slammed me with ads. Was a particularly insidious problem. Since I am not techy inclined, I went to Office Max and bought a disk called PC Restoration (save the receipt - you need numbers off it). You plug in the disk, and it takes you to a web site where you get one of their techs. You let him log onto your computer through a process they give you. It took them hours to fix it - but they did. They keep working on it until it is fixed. Cost $99 for the disk. That is the expensive way I guess - but it worked for me.
I located the 3 files but when I went to processes in the task manager, none looked even close. The files were blphcgenj0e95t and phcgenj0e95t. Also NONE of my processes listed have any NUMBERS in them at all! I have had this virus for a week. My young son needs the computer for school work now and I am a novice MOM. Any suggestions would be appreciated.
Hi Sunshine,
If you cannot locate the strange files in your process list (any file with a name that doesnt seem like a word or acronym) you might be in luck and able to remove the background without too much problems.
Go to Start> Run> type "Regedit" and press ok (without the " " )
In this registry editor, press ctrl+F on your keyboard.. this is the Find option.
Look for 'NoDispBackgroundPage' and/or 'NoDispScrSavPage' and delete them.
Also look for ScreenSaveActive and put that to 0 (it disables the screensaver)
Then do another check in your process list and close Explorer (you wont have a start bar etc. but dont panic..)
Wait 30 seconds and then press (in the task manager) File > New Task (run...) > type "explorer"
Check the screensaver and set it to a screensaver with a normal name (or keep it off) and change the background and background colour.
If you're unable to do this, I suggest following all the steps I provided earlier.
Good luck!
If you cannot locate the strange files in your process list (any file with a name that doesnt seem like a word or acronym) you might be in luck and able to remove the background without too much problems.
Go to Start> Run> type "Regedit" and press ok (without the " " )
In this registry editor, press ctrl+F on your keyboard.. this is the Find option.
Look for 'NoDispBackgroundPage' and/or 'NoDispScrSavPage' and delete them.
Also look for ScreenSaveActive and put that to 0 (it disables the screensaver)
Then do another check in your process list and close Explorer (you wont have a start bar etc. but dont panic..)
Wait 30 seconds and then press (in the task manager) File > New Task (run...) > type "explorer"
Check the screensaver and set it to a screensaver with a normal name (or keep it off) and change the background and background colour.
If you're unable to do this, I suggest following all the steps I provided earlier.
Good luck!
Didn't find the answer you are looking for?
Ask a question
This is the clearest, most succinct solution to this problem I've found - and it works like a charm! Thanks SO much for the step-by-step instructions on how to rid oneself of this annoying little virus.
Oh desktop settings - I'm so happy to have you back! Never leave me again!
Oh desktop settings - I'm so happy to have you back! Never leave me again!
this thing wont let me go to task manager and also I cannt delete the gay files what should I do and I cant roll back because my restore point is after I recieved this shit
Start the Windows in safe mode and search for .bmp file which shows the same as background. select last fourletters of that .bmp file and search in the windows for all the files. and search in registry also.
once you done restart the computer. Install the you ethernet drivers if you miss any.
gpedit.misc to change the hidden display property to disable in system settings.
once you done restart the computer. Install the you ethernet drivers if you miss any.
gpedit.misc to change the hidden display property to disable in system settings.
Ugh! I got ahead of myself in the previous post. If you followed those directions you still will be missing the 'Desktop' and/or 'Screen Saver' tabs in your Display Properties. (right click on background and select properties)
Also, just deleting the background image is not enough! This is a nasty sucker running a process, it may not find the background anymore but its still doing harm. i.e. my computer started blue screening and rebooting over and over after like 20 min
So here is the complete definitive answer: (thank you again for previous posts pointing me in the right direction)
REMOVE THE FILES FROM YOUR HARD-DRIVE:
-Right-Click on My Computer and select Search...
-click All files and folders
-search for *.bmp (all or part of file name)
-Find the one that matches your background
-Note the name of the .bmp file - mine was called phccekj0e3cn.bmp (copy and paste into notepad or something as you weill need this later, or write it down as your computer can reboot)
-Search your drives for the last 3 characters noted in previous step. in my case I searched on *3cn
-This search resulted in 4 files for me.
-Go to your task manager, look under the processes tab, and find the process that matches the name of one of the files you are trying to delete (the .exe file)
-end the process - mine was called lphccekj0e3cn.exe
-delete all files found in your search
REMOVE REGISTRY ENTRIES: (not as important since the files are no longer there but still good idea)
-Start -> Run
-regedit
-Edit -> Find
-I searched on *3cn (the last 3 characters) but this returned some valid registry entries. I suggest you either carefully delete all entries that look they are related. I found 5 or 6 valid entries, but they were obvious to me to not be related.
-typically they will have the full name like "lphccekj0e3cn" In fact you could probably search on whatever the .exe name was (minus the .exe extension) and you can surely delete all those entries.
FIX REGISTRY ENTRIES:
-this is what I missed in the previous post. The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
Check out your display properties again, they should be back to normal.
Empty your recycle bin to get rid of it for good
Rebooting at this point is probably a good idea.
Also, just deleting the background image is not enough! This is a nasty sucker running a process, it may not find the background anymore but its still doing harm. i.e. my computer started blue screening and rebooting over and over after like 20 min
So here is the complete definitive answer: (thank you again for previous posts pointing me in the right direction)
REMOVE THE FILES FROM YOUR HARD-DRIVE:
-Right-Click on My Computer and select Search...
-click All files and folders
-search for *.bmp (all or part of file name)
-Find the one that matches your background
-Note the name of the .bmp file - mine was called phccekj0e3cn.bmp (copy and paste into notepad or something as you weill need this later, or write it down as your computer can reboot)
-Search your drives for the last 3 characters noted in previous step. in my case I searched on *3cn
-This search resulted in 4 files for me.
-Go to your task manager, look under the processes tab, and find the process that matches the name of one of the files you are trying to delete (the .exe file)
-end the process - mine was called lphccekj0e3cn.exe
-delete all files found in your search
REMOVE REGISTRY ENTRIES: (not as important since the files are no longer there but still good idea)
-Start -> Run
-regedit
-Edit -> Find
-I searched on *3cn (the last 3 characters) but this returned some valid registry entries. I suggest you either carefully delete all entries that look they are related. I found 5 or 6 valid entries, but they were obvious to me to not be related.
-typically they will have the full name like "lphccekj0e3cn" In fact you could probably search on whatever the .exe name was (minus the .exe extension) and you can surely delete all those entries.
FIX REGISTRY ENTRIES:
-this is what I missed in the previous post. The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
Check out your display properties again, they should be back to normal.
Empty your recycle bin to get rid of it for good
Rebooting at this point is probably a good idea.
I got rid of all the viruses and such/background etc.....BUT, I am also having a problem with my computer.....
It show's my Windows Live OneCare antivirus/spyware is working 100% BUTTTTT, whenever my kids/myself are on the computer, it ALSO shuts down to that blue screen with warnings and such////then reboots itself over and over again....till I hit the enter button then it goes back to whatever we were doing on the computer. Why isn't this one fixed???? I'm lost and confused.....
Please help since the LIVECARE ain't fixing up that problem.....
It show's my Windows Live OneCare antivirus/spyware is working 100% BUTTTTT, whenever my kids/myself are on the computer, it ALSO shuts down to that blue screen with warnings and such////then reboots itself over and over again....till I hit the enter button then it goes back to whatever we were doing on the computer. Why isn't this one fixed???? I'm lost and confused.....
Please help since the LIVECARE ain't fixing up that problem.....
It's not really rebooting -- it's an "evil genius" screen saver. Check your screen saver tab to see if the goofy looking name (as described by Ebomb) is still selected. If so, pick something else (or none), then search for the .scr file with that name and delete it. You could still have the registry entries too, so search for those in regedit and delete them.
If your screen saver tab is still missing, go back to Ebomb's last post above and try again -- you may have missed one of the steps.
If your screen saver tab is still missing, go back to Ebomb's last post above and try again -- you may have missed one of the steps.
Ebomb - you are a lifesaver!!
Thank you so much for your instructions, I have downloaded so many anti spyware and antivirus programs over the past few hours trying to get rid of this thing. Turns out all I needed to do was follow your simple instructions and voila, the problem is gone!!
SO GRATEFUL!
Everybody follow these instructions and it will be fixed, I can guarantee it!
Thank you so much for your instructions, I have downloaded so many anti spyware and antivirus programs over the past few hours trying to get rid of this thing. Turns out all I needed to do was follow your simple instructions and voila, the problem is gone!!
SO GRATEFUL!
Everybody follow these instructions and it will be fixed, I can guarantee it!
Hi!!! THANK YOU SOOOO MUCH for those EASY STEPS to go by. The other replies were kinda confusing, but yours WAS GREAT AND SEOOO EASY!!!!
BUT>>>>>>>>>>I went to where you stated this: FIX REGISTRY ENTRIES:
-this is what I missed in the previous post. The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
I did do that and I was able to have my properties back/able to change my settings for screen saver.......BUT>>>>>that file is STILL THERE AND I DONT KNOW HOW TO DELETE IT FROM MY SCREEN SAVER LIST......
I clicked on it but this box pops up and is very ODD looking...don't wanna click anything on it as I'm scared it may just come back to attack me...lol. The file that came up in my pc that won't delete from my screensavers list is called: blphc11pj0ep57
HOW DO I DELETE THAT??????
Please and THANK YOU SO MUCH!!!!!!!!!!
BUT>>>>>>>>>>I went to where you stated this: FIX REGISTRY ENTRIES:
-this is what I missed in the previous post. The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
I did do that and I was able to have my properties back/able to change my settings for screen saver.......BUT>>>>>that file is STILL THERE AND I DONT KNOW HOW TO DELETE IT FROM MY SCREEN SAVER LIST......
I clicked on it but this box pops up and is very ODD looking...don't wanna click anything on it as I'm scared it may just come back to attack me...lol. The file that came up in my pc that won't delete from my screensavers list is called: blphc11pj0ep57
HOW DO I DELETE THAT??????
Please and THANK YOU SO MUCH!!!!!!!!!!
Ebomb,
I tried everything you did in the first step and restarted my computer and now my screen is just blue and still I cannot change it. So I went back and you created new steps and I thought "great! my answer!" but you asked my to get my last three characters which I had deleted and forgotten, but I know they are not the same as yours were. I emptied my recycling bin so there is no way to find them. what should I do?
I tried everything you did in the first step and restarted my computer and now my screen is just blue and still I cannot change it. So I went back and you created new steps and I thought "great! my answer!" but you asked my to get my last three characters which I had deleted and forgotten, but I know they are not the same as yours were. I emptied my recycling bin so there is no way to find them. what should I do?
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
40
>
Kristy
Aug 26, 2008 at 12:18 AM
Aug 26, 2008 at 12:18 AM
wait
1) which method did you use ??
2) the scan spyware method??
or the other ones (search sepecific files one)
if the spyware method
then the software hasnt been installed properly
try uninstalling and reintall it once more
follow the steps again
then try to fix it
if its the second method then u have to run ur system in safe mode, then delete it
awaiting comments
Melisio Mascarenhas
1) which method did you use ??
2) the scan spyware method??
or the other ones (search sepecific files one)
if the spyware method
then the software hasnt been installed properly
try uninstalling and reintall it once more
follow the steps again
then try to fix it
if its the second method then u have to run ur system in safe mode, then delete it
awaiting comments
Melisio Mascarenhas
Hey Ebomb! You are the BEST! I really apriciate your job! I believe you saved many many people!
Although I have a question to make and I would be thankful if you reply me. Before I read your post I tried Superantispyware which I think removed the bmp files and the exe that you refer to be found in taskbar menu>proccesses. I believe it worked because I didn't find neither the bmp files nor the exe. So the only I had to do was to clean my registry...well hopefully, I made a search but I found nothing. Finally I deleted the 2 files that hide the desktop and screensaver tabs. Right now, everthing seem to be working good. My question is: Do you think I have to do something else? I had the bad idea to restore my system at the point before using superantispyware (which means the point in total chaos), but I didn't do it. Should I do it and follow your help from the start or not?
I'm looking forward for your reply! Thank you again!
Although I have a question to make and I would be thankful if you reply me. Before I read your post I tried Superantispyware which I think removed the bmp files and the exe that you refer to be found in taskbar menu>proccesses. I believe it worked because I didn't find neither the bmp files nor the exe. So the only I had to do was to clean my registry...well hopefully, I made a search but I found nothing. Finally I deleted the 2 files that hide the desktop and screensaver tabs. Right now, everthing seem to be working good. My question is: Do you think I have to do something else? I had the bad idea to restore my system at the point before using superantispyware (which means the point in total chaos), but I didn't do it. Should I do it and follow your help from the start or not?
I'm looking forward for your reply! Thank you again!
Hi ebomb,
It is great that you provided a step by step instructions, of which I will confirm work.
I would also recommend people to install a virus scanner to go with this. I am running Avast 4.8 home addition, it is free and it found this for me. and fixed it on a machine I was working on. The only thing it didn't do is delete the back ground and bring back the tabs on the display setting.
Nice post,
Regards
-LS
It is great that you provided a step by step instructions, of which I will confirm work.
I would also recommend people to install a virus scanner to go with this. I am running Avast 4.8 home addition, it is free and it found this for me. and fixed it on a machine I was working on. The only thing it didn't do is delete the back ground and bring back the tabs on the display setting.
Nice post,
Regards
-LS
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
40
>
johnnyb
Sep 7, 2008 at 08:46 AM
Sep 7, 2008 at 08:46 AM
I have already have posted the solution of this problem in my earlier posting
but here it one more time
REMOVE THE FILES FROM YOUR HARD-DRIVE:
-Right-Click on My Computer and select Search...
-click All files and folders
-search for *.bmp (all or part of file name)
-Find the one that matches your background
-Note the name of the .bmp file - mine was called phccekj0e3cn.bmp (copy and paste into notepad or something as you weill need this later, or write it down as your computer can reboot)
-Search your drives for the last 3 characters noted in previous step. in my case I searched on *3cn
-This search resulted in 4 files for me.
-Go to your task manager, look under the processes tab, and find the process that matches the name of one of the files you are trying to delete (the .exe file)
-end the process - mine was called lphccekj0e3cn.exe
-delete all files found in your search
REMOVE REGISTRY ENTRIES: (not as important since the files are no longer there but still good idea)
-Start -> Run
-regedit
-Edit -> Find
-I searched on *3cn (the last 3 characters) but this returned some valid registry entries. I suggest you either carefully delete all entries that look they are related. I found 5 or 6 valid entries, but they were obvious to me to not be related.
-typically they will have the full name like "lphccekj0e3cn" In fact you could probably search on whatever the .exe name was (minus the .exe extension) and you can surely delete all those entries.
FIX REGISTRY ENTRIES:
-this is what I missed in the previous post. The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
Check out your display properties again, they should be back to normal.
Empty your recycle bin to get rid of it for good
Rebooting at this point is probably a good idea.
p.s. if u have prob finding the bmp files try to find it as file named as "pch or else try 3cn"
awaiting comments
Regards
Melisio Mascarenhas
India
but here it one more time
REMOVE THE FILES FROM YOUR HARD-DRIVE:
-Right-Click on My Computer and select Search...
-click All files and folders
-search for *.bmp (all or part of file name)
-Find the one that matches your background
-Note the name of the .bmp file - mine was called phccekj0e3cn.bmp (copy and paste into notepad or something as you weill need this later, or write it down as your computer can reboot)
-Search your drives for the last 3 characters noted in previous step. in my case I searched on *3cn
-This search resulted in 4 files for me.
-Go to your task manager, look under the processes tab, and find the process that matches the name of one of the files you are trying to delete (the .exe file)
-end the process - mine was called lphccekj0e3cn.exe
-delete all files found in your search
REMOVE REGISTRY ENTRIES: (not as important since the files are no longer there but still good idea)
-Start -> Run
-regedit
-Edit -> Find
-I searched on *3cn (the last 3 characters) but this returned some valid registry entries. I suggest you either carefully delete all entries that look they are related. I found 5 or 6 valid entries, but they were obvious to me to not be related.
-typically they will have the full name like "lphccekj0e3cn" In fact you could probably search on whatever the .exe name was (minus the .exe extension) and you can surely delete all those entries.
FIX REGISTRY ENTRIES:
-this is what I missed in the previous post. The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
Check out your display properties again, they should be back to normal.
Empty your recycle bin to get rid of it for good
Rebooting at this point is probably a good idea.
p.s. if u have prob finding the bmp files try to find it as file named as "pch or else try 3cn"
awaiting comments
Regards
Melisio Mascarenhas
India
europe
>
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
Nov 16, 2008 at 01:09 PM
Nov 16, 2008 at 01:09 PM
I was so thrilled with your instructions & I did everything. It took the spyware message off. I rebooted,
and then it said, malicious spyware was taken off computer. I was so thrilled, I thought I fixed it.
But, when I try to click on the internet, it
tries to & flips back off. What else can I do?
You've been very helpful. Thank you & I hope maybe you can help with this.
Thanks
and then it said, malicious spyware was taken off computer. I was so thrilled, I thought I fixed it.
But, when I try to click on the internet, it
tries to & flips back off. What else can I do?
You've been very helpful. Thank you & I hope maybe you can help with this.
Thanks
nicki
>
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
Jul 10, 2009 at 08:51 PM
Jul 10, 2009 at 08:51 PM
i know this is an old thread, but the problem of spyware changing wallpaper is still around. however, it now is using a .html file, rather than a .bmp file, and it is named 'critical warning.html' and is in the system32 folder, so do you happen to have another solution to restore the wallpaper? I do have the desktop tab showing, I just cannot click on any of the wallpapers, so I am sure it is just a setting somewhere that I have yet to find....thanks buddy
Hi,
I followed all of your directions, and it seemed to work. But now internet explorer redirects me to weird sites that are obviously still part of this virus anytime I try to search using any search engine. I have been trying to download spybot hoping that would take care of it, but I can't even get to the sites because it redirects me everytime or says internet explorer cannot display blah, blah, blah, you know. Also, my computer has started freezing up to the point I can't do ANYTHING! Please help me.
I followed all of your directions, and it seemed to work. But now internet explorer redirects me to weird sites that are obviously still part of this virus anytime I try to search using any search engine. I have been trying to download spybot hoping that would take care of it, but I can't even get to the sites because it redirects me everytime or says internet explorer cannot display blah, blah, blah, you know. Also, my computer has started freezing up to the point I can't do ANYTHING! Please help me.
how do I search when my desktop is gone thanks to that bmp file. I have no start menu, I have no desktop. I dont know how to search in DOS. PLease help I want to get rid of this blue screen and get my desktop and start button back.
Thanks
Thanks
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
40
Aug 30, 2008 at 07:04 AM
Aug 30, 2008 at 07:04 AM
i already have posted the solution of this problem
but here it one more time
The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
Check out your display properties again, they should be back to normal.
Empty your recycle bin to get rid of it for good
Rebooting at this point is probably a good idea.
awaiting comments
Regards
Melisio Mascarenhas
India
but here it one more time
The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'
Check out your display properties again, they should be back to normal.
Empty your recycle bin to get rid of it for good
Rebooting at this point is probably a good idea.
awaiting comments
Regards
Melisio Mascarenhas
India
alayche
>
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
Oct 19, 2008 at 11:01 PM
Oct 19, 2008 at 11:01 PM
(Solved) (Solved)(Solved)(Solved)(Solved)(Solved)(Solved)(Solved)(Solved)(Solved)(Solved)(Solved)(Solved)(Solved)
Just a reply to this approach, I have done this. unfortunately the hijack reinstalled itself once I had rebooted the computer.
i would like to add my 2cents worth thanks. you may need to, remove all accurances of text, strings etc from registry. (regedit) .there is a search engine there which you can use to find the entries, also use F3 to find next etc.
the text strings are as follows [ blphc98pj0elc5 , Lphc98pj0elc5, phc98pj0elc5 ]
there may also be [.exe files] for these in C:windows/system32 folder which you will need to delete once you have deleted register entries.
you will need to shutdown the computer then restart to delete these last 2 [.exe files] as they will be in use by windows system.
thankyou all.
alayche
Just a reply to this approach, I have done this. unfortunately the hijack reinstalled itself once I had rebooted the computer.
i would like to add my 2cents worth thanks. you may need to, remove all accurances of text, strings etc from registry. (regedit) .there is a search engine there which you can use to find the entries, also use F3 to find next etc.
the text strings are as follows [ blphc98pj0elc5 , Lphc98pj0elc5, phc98pj0elc5 ]
there may also be [.exe files] for these in C:windows/system32 folder which you will need to delete once you have deleted register entries.
you will need to shutdown the computer then restart to delete these last 2 [.exe files] as they will be in use by windows system.
thankyou all.
alayche
hey there
the thing is that I have already removed the spyware virus but now my background is just white no words no nothing. putting a new background doesnt seem to work and I cant seem to find the bmp file at all. was wondering if u could help me out
THx heaps
Sean
the thing is that I have already removed the spyware virus but now my background is just white no words no nothing. putting a new background doesnt seem to work and I cant seem to find the bmp file at all. was wondering if u could help me out
THx heaps
Sean
Ok so I had all the symptoms, followed all of ebombs steps, and the steps that sir posted to do after. And I no longer have problems with my desktops backround. But I still have problems with:
My internet being really really really slow.
Websites don't load fully / correctly, the format is way f'd up.
Can't even access my router settings page anymore, it WAS loading f'd up before, now it just times out after a while.
I can't update any of my anti-virus software, they all just error in some strange way.
I can't install anything, install.exe files just error when I double click them, no matter what they are or where they are from, it just says they are corrupt. I'm assuming this is the virus keeping me from getting rid of it? -_-
I triple checked every step, I've done everything. If anyone knows what might still be wrong or what I MAY have missed, please help me out. I'd be more greatful than I can even put into words.
My internet being really really really slow.
Websites don't load fully / correctly, the format is way f'd up.
Can't even access my router settings page anymore, it WAS loading f'd up before, now it just times out after a while.
I can't update any of my anti-virus software, they all just error in some strange way.
I can't install anything, install.exe files just error when I double click them, no matter what they are or where they are from, it just says they are corrupt. I'm assuming this is the virus keeping me from getting rid of it? -_-
I triple checked every step, I've done everything. If anyone knows what might still be wrong or what I MAY have missed, please help me out. I'd be more greatful than I can even put into words.
I had the same problem. Wallpaper & Screensavor tab missing and fake virus alert. I used this software and it got rid or it, Malwarebytes Anti-Malware.
Here is the link:
https://download.cnet.com/Malwarebytes/3000-8022_4-10804572.html
The free version works just fine. Also if when you reboot you get an "Cannot Display This Video Mode" message. Unplug your monitor then reboot. When you're sure that the log on prompt is up, replug your monitor.
Here is a copy of my Malwarebytes log, The ones labeled "Trojan.FakeAlert" is this perticular spyware. Also it restore the noscreensavor and nobackground that was placed in the RegKey
Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2
10:34:12 AM 08/27/08
mbam-log-08-27-2008 (10-34-12).txt
Scan type: Full Scan (C:\|)
Objects scanned: 139484
Time elapsed: 1 hour(s), 5 minute(s), 2 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 10
Memory Processes Infected:
C:\WINDOWS\SYSTEM32\lphcpwej0e741.exe (Trojan.FakeAlert) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\blphcpwej0e741.scr (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcpwej0e741 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM\Cache (Adware.2020search) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM\Cache\T10312.tmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysrest32.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\vdo_g.ini (Stolen.Data) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\blphcpwej0e741.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lphcpwej0e741.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\phcpwej0e741.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\amegino\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
Here is the link:
https://download.cnet.com/Malwarebytes/3000-8022_4-10804572.html
The free version works just fine. Also if when you reboot you get an "Cannot Display This Video Mode" message. Unplug your monitor then reboot. When you're sure that the log on prompt is up, replug your monitor.
Here is a copy of my Malwarebytes log, The ones labeled "Trojan.FakeAlert" is this perticular spyware. Also it restore the noscreensavor and nobackground that was placed in the RegKey
Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2
10:34:12 AM 08/27/08
mbam-log-08-27-2008 (10-34-12).txt
Scan type: Full Scan (C:\|)
Objects scanned: 139484
Time elapsed: 1 hour(s), 5 minute(s), 2 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 10
Memory Processes Infected:
C:\WINDOWS\SYSTEM32\lphcpwej0e741.exe (Trojan.FakeAlert) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\blphcpwej0e741.scr (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcpwej0e741 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM\Cache (Adware.2020search) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM\Cache\T10312.tmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysrest32.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\vdo_g.ini (Stolen.Data) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\blphcpwej0e741.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lphcpwej0e741.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\phcpwej0e741.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\amegino\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
Thanks to all that provided the valuable information on this thread...
I have had this problem as well and have sucessfully got rid of it...using your advice
My IT guys was about to wipe my drive and re-install windows when I found this thread...
Again...Thanks...U ALL rock...!!!
I have had this problem as well and have sucessfully got rid of it...using your advice
My IT guys was about to wipe my drive and re-install windows when I found this thread...
Again...Thanks...U ALL rock...!!!
Hi there people,
Seen as to how I cant reply to the mail I got through this site, i'm hoping to do that here..
I received some questions as to how to reach the search option when this virus is active..
I have to warn you though.. this particular bug downloads other viruses that change more stuff on reboot.. thats why it is VERY VERY important to remove the network cable, and not reboot unless its impossible to continue working before a reboot.
If you have done all the steps that Ebomb and I have provided (or cannot do some of the steps since it hijacked your explorer) and still have problems, here are some more tips.
Don't pin me down on this though, I don't know whether this helps.
Do NOT use your computer like normal when the virus is still there, you risk infecting other people and even being shut down by your ISP, and in the worst cases you risk being prosecuted for spreading spam/malware
Never download an "antivirus program" or "malware remover" unless you know it works (or one of the following: NOD32, Kaspersky, Norton/symantec, AVG and some other premium brands)
you MUST boot in safe mode (press f8 a couple of times right after you turn on your computer and get the black screen with the text stuff, that means BEFORE the windows logo with the moving bars) when youre in safe mode, you'll get a message about system restore.. this cannot be used since the virus could have infected a restore point.
When Safe Mode fully loaded, you should not get the warning message and blue/white background, if you do, press ctrl+alt+del, do task manager and look in your process list.
- If you see any weird processes in there, try to end them manually, but dont try too hard cause theyll probably stay.
Write the names of the processes (all that you dont trust) and look them up in google on a comp that is not infected, here you should eb able to find the meaning of most of them.. if not, its probably a virus, or a program you dont need.
- If you dont see a start bar, or icons: Try to manually start Explorer by doing CTRL+ALT+DEL, task manager, File > New task> explorer [enter]
If you cant get task manager to work, you have a problem that surpasses my knowledge, and its time to either use a recovery disk, re-install windows, or bring the computer to a specialist.
- If you cant start Explorer (the start bar and icons), theres another method to get it to work. Which requires some extra labour:
Go on a computer that is not infected and follow this link:
https://download.cnet.com/Trend-Micro-HijackThis/3001-8022_4-10781312.html?spi=a9bfc7c9b036de3f980fb8a30b2ee5ad (if possible)
Or look for hijackthis.
You can then put it on a usb stick or CD/DVD and open it in the infected computer by inserting it and browsing to the drive through CTRL+ALT+DEL, task manager, File > New task>[drive letter]:\hijackthis
This program helps you opening an alternative task manager and file explorer/basic scanner
With this program you can analyze the startup sequence and save a logfile to show other people, do this, and post the logfile on this forum (or multiple to get quicker help)
You can also use this program to open your task manager list in case you can't, or dont trust the windows one (some viruses have been known to alter it)
This "manual" has become quite a mess now, but if you go over it a couple times, I hope you get what I mean...
So here's what I expect you to do:
- Follow all the instructions (Ebomb and mine, and read the other people's too ofcourse)
- If these dont work, get Hijackthis
- FIRST follow your own intuition, find all processes on google, try to manually remove stuff with hijackthis after researching them
- Try premium antivirus trial packages
- Post your Hijackthis log on this forum and tell us your symptoms in one message, if we can help, we will!
- If all else fails (and I mean everything) Think about re-installing windows over this infected one.
Then back up everything on a dvd or usb stick (documents, pictures, saved games, every important possession)
IMPORTANT: Take your time for backing up, the windows that is installed now will not have the virus installed but your harddrive will be a mess (imagine post-apocalyptic new york on rush hour) and it still does contain the virus file on it.
When youre absolutely positive that you backed up every valuable file, it is time to do a system format.
You can do this by letting the windows installation make a new file system (theres plenty of tutorials about this and im not going in-depth on this)
Do know that upon doing a format, you will delete everything on the computer, and you will not be able to recover anything after the format.
Seen as to how I cant reply to the mail I got through this site, i'm hoping to do that here..
I received some questions as to how to reach the search option when this virus is active..
I have to warn you though.. this particular bug downloads other viruses that change more stuff on reboot.. thats why it is VERY VERY important to remove the network cable, and not reboot unless its impossible to continue working before a reboot.
If you have done all the steps that Ebomb and I have provided (or cannot do some of the steps since it hijacked your explorer) and still have problems, here are some more tips.
Don't pin me down on this though, I don't know whether this helps.
Do NOT use your computer like normal when the virus is still there, you risk infecting other people and even being shut down by your ISP, and in the worst cases you risk being prosecuted for spreading spam/malware
Never download an "antivirus program" or "malware remover" unless you know it works (or one of the following: NOD32, Kaspersky, Norton/symantec, AVG and some other premium brands)
you MUST boot in safe mode (press f8 a couple of times right after you turn on your computer and get the black screen with the text stuff, that means BEFORE the windows logo with the moving bars) when youre in safe mode, you'll get a message about system restore.. this cannot be used since the virus could have infected a restore point.
When Safe Mode fully loaded, you should not get the warning message and blue/white background, if you do, press ctrl+alt+del, do task manager and look in your process list.
- If you see any weird processes in there, try to end them manually, but dont try too hard cause theyll probably stay.
Write the names of the processes (all that you dont trust) and look them up in google on a comp that is not infected, here you should eb able to find the meaning of most of them.. if not, its probably a virus, or a program you dont need.
- If you dont see a start bar, or icons: Try to manually start Explorer by doing CTRL+ALT+DEL, task manager, File > New task> explorer [enter]
If you cant get task manager to work, you have a problem that surpasses my knowledge, and its time to either use a recovery disk, re-install windows, or bring the computer to a specialist.
- If you cant start Explorer (the start bar and icons), theres another method to get it to work. Which requires some extra labour:
Go on a computer that is not infected and follow this link:
https://download.cnet.com/Trend-Micro-HijackThis/3001-8022_4-10781312.html?spi=a9bfc7c9b036de3f980fb8a30b2ee5ad (if possible)
Or look for hijackthis.
You can then put it on a usb stick or CD/DVD and open it in the infected computer by inserting it and browsing to the drive through CTRL+ALT+DEL, task manager, File > New task>[drive letter]:\hijackthis
This program helps you opening an alternative task manager and file explorer/basic scanner
With this program you can analyze the startup sequence and save a logfile to show other people, do this, and post the logfile on this forum (or multiple to get quicker help)
You can also use this program to open your task manager list in case you can't, or dont trust the windows one (some viruses have been known to alter it)
This "manual" has become quite a mess now, but if you go over it a couple times, I hope you get what I mean...
So here's what I expect you to do:
- Follow all the instructions (Ebomb and mine, and read the other people's too ofcourse)
- If these dont work, get Hijackthis
- FIRST follow your own intuition, find all processes on google, try to manually remove stuff with hijackthis after researching them
- Try premium antivirus trial packages
- Post your Hijackthis log on this forum and tell us your symptoms in one message, if we can help, we will!
- If all else fails (and I mean everything) Think about re-installing windows over this infected one.
Then back up everything on a dvd or usb stick (documents, pictures, saved games, every important possession)
IMPORTANT: Take your time for backing up, the windows that is installed now will not have the virus installed but your harddrive will be a mess (imagine post-apocalyptic new york on rush hour) and it still does contain the virus file on it.
When youre absolutely positive that you backed up every valuable file, it is time to do a system format.
You can do this by letting the windows installation make a new file system (theres plenty of tutorials about this and im not going in-depth on this)
Do know that upon doing a format, you will delete everything on the computer, and you will not be able to recover anything after the format.
nngg4
Posts
1
Registration date
Sunday September 14, 2008
Status
Member
Last seen
September 14, 2008
Sep 14, 2008 at 07:31 PM
Sep 14, 2008 at 07:31 PM
Really appreciate all the suggestions. I'm by no means a computer expert but managed to follow the process and eliminated the warning message. However, after re-booting, my desktop loaded up with a bunch of "notepad" tabs (iaanotif, OSA9, OLG, yahoo messenger, issch, cxyrgzqh, and many others) further, each desktop application icon I clicked on (EX: Firefox) opened a notepad of misc symbols, not the actual application. additionally, when I tried to reset my desktop image through the start>control panel>appearance and themes, another notepad full of symbols opened. Obviously, I've screwed something up. How do I fix it?
Ok, so I thought I had everything gone, but it seems like my browsers are being hijacked by this virus, look out for the results you find on google..
If anyone can help find out where this comes from, I very much appreciate it
So: Whenever I do a search on Google, on both IE and FireFox, google wants to redirect me to some page called "youreverydayhealth.com" and something with blogs.
I checked all my harddrives (2 TB) with all known anti spyware/adware/cvs programs, hijackthis, I dont have files in my process list that could do harm, I deleted all BHO's, I let my router determine the DNS, not my computer, I have no other virus symptoms, no bad cookies, an empty cache, https://www.google.nl/?gws_rd=ssl is my basic search provider and starting page and my hosts file is alright (empty).
I scanned my registry to anything with blogs or health, and all I could find was the high secured area of iexplorer (all the websites with security = 4 -means blocked- rating)
Also every tracert shows up legit addresses.
Any suggestions would be appreciated.
If anyone can help find out where this comes from, I very much appreciate it
So: Whenever I do a search on Google, on both IE and FireFox, google wants to redirect me to some page called "youreverydayhealth.com" and something with blogs.
I checked all my harddrives (2 TB) with all known anti spyware/adware/cvs programs, hijackthis, I dont have files in my process list that could do harm, I deleted all BHO's, I let my router determine the DNS, not my computer, I have no other virus symptoms, no bad cookies, an empty cache, https://www.google.nl/?gws_rd=ssl is my basic search provider and starting page and my hosts file is alright (empty).
I scanned my registry to anything with blogs or health, and all I could find was the high secured area of iexplorer (all the websites with security = 4 -means blocked- rating)
Also every tracert shows up legit addresses.
Any suggestions would be appreciated.
mikethedike
Posts
158
Registration date
Saturday August 16, 2008
Status
Member
Last seen
September 22, 2012
40
Aug 28, 2008 at 11:34 PM
Aug 28, 2008 at 11:34 PM
unplug ur system from the net connection
delete the history, cookies, and temp files from ur iinternet explorer
check in any new software has been intalled in
startmenu/programs/"check in any new software has been intalled itself here " unintall it if it doent allo to delete it
emplty ur recyler bin
awaiting comments
also check out
Melisio Mascarenhas
India
delete the history, cookies, and temp files from ur iinternet explorer
check in any new software has been intalled in
startmenu/programs/"check in any new software has been intalled itself here " unintall it if it doent allo to delete it
emplty ur recyler bin
awaiting comments
also check out
Melisio Mascarenhas
India
I actually deleted my entire cookies directories and temp dir to prevent any hidden/encrypted files to be missed.. and I believe I already stated that in my previous post.
The problem is that I could not detect anything on my computer.. even a virusscanner couldnt.
I re-installed windows and got it over with.
The problem is that I could not detect anything on my computer.. even a virusscanner couldnt.
I re-installed windows and got it over with.
mine went away after I renewed a $39.95 one year norton plan. however, I had to download new updates to norton to get the message "spyware detected on your computer" to go away. so, just be patient and download the updates. hope this helps.
I was having this same problem and had to reformat 2x. All was fine until this past Friday, and this same virus started taking over again. Now, I got past all the screesaver issues, I was able to delete some files before it got to the "screensaver" changing part. But now here are my issues. 1) Task Manager will not come up because the admin rights have been taken over by this virus. 2) When I go to "Start" Ctrl Panel, My Computer, none of those items are available 3) I get into "My Computer" by backdooring it, and my C:/ and D:/ drives are not available. I have to manually type them in to view them. The virus has gotten into my external hard drives as well, which the free version of avast is picking up, but the virus will not let me delete these files after being found through avast. When I go into the drive, I do not see these files. I am running programs that were mentioned earlier in this post, trying to get rid of this thing. Also, where the "Time" is, in the bottom right had corner, it has "VIRUS ALERT!" displaying all the time. Any help would be appreciated. Thanks!
Oct 6, 2008 at 07:52 AM
Mar 24, 2009 at 01:11 PM
Been working on this problem for weeks. Thankyou... my daughter can finally stop nicking my laptop!
I used a pen drive thing instead of a disk.
Top marks.. cheers!
Jun 9, 2009 at 02:55 PM