Background message "Warning! Spyware detected Solved/Closed

Question

I let my roomie use my comp while I was away for a few weeks. I returned to find "Warning! Spyware detected on your computer! Install antivirus or spyware remover to clean your computer" as my background message. I tried to place a new background on but this message still appears in the middle. I just bought Norton 360 but it doesn't seem to be detecting it. Also if I leave my computer idle for too long a blue screen pops up with a bunch of computer nomenclature and eg. bogus_driver or something of the sort being the problem. If I hit any button on the keypad it will close that screen and it will no longer pop up until the computer is idle again.

Ebomb · Accepted Answer

Here is how to do it.  Its already been posted, but this is the definitive answer:

-Search your drives for *.bmp
-Find the one that matches your background
-Note the last 3 characters before the .bmp - mine was called phccekj0e3cn.bmp
-Search your drives for the last 3 characters noted in previous step.  in my case I searched on *3cn
-This search resulted in 4 files for me.
-Go to your task manager, look under the processes tab, and find the process that matches the name of one of the files you are trying to delete (the .exe file)
-end the process - mine was called lphccekj0e3cn.exe
-delete all files found in your search
-reboot and you should have your display tab back for background right-click -> properties
-if you do then you are good to go.  set your background and don't let other people who have no clue (most people) use your computer

murphy · Answer

I got this spyware/trojan also - replaced my picture on screen with same saying.  Continually popped up messages saying I was infected, click here for spyware, etc.    Changed my privacy settings to accept all cookies.  Slammed me with ads.  Was a particularly insidious problem.  Since I am not techy inclined,  I went to Office Max and bought a disk called PC Restoration (save the receipt - you need numbers off it).  You plug in the disk, and it takes you to a web site where you get one of their techs.  You let him log onto your computer through a process they give you.  It took them hours to fix it - but they did.  They keep working on it until it is fixed.  Cost $99 for the disk.  That is the expensive way I guess - but it worked for me.

chevy_77 · Answer

I just received the exact same thing on my PC tonight.  Something popped up and wanted me to install it or block it???  I had NO idea what it was and it didn't seem right, due to nothing like that happens when my PC needs an update.  Usually has that yellow caution type symbol down in the taskbar by the time.....So when this weird one popped up I clicked block it.  I did a virus scan and also a spyware scan.  3 came up but then a 4th one.  I decided to try fixing it myself and deleted all 4.  BUT I still have that same warning up on my main screen/desktop and also it won't allow me to restore it back to a different date.  

Can you please tell me what you did and how????

PLEASE AND THANK YOU!!!!!

(all I was on at the time was Facebook site and that thingy popped up then all went to poop)

Pam

su · Answer

Start the Windows in safe mode and search for .bmp file which shows the same as background. select last fourletters of that .bmp file and search in the windows for all the files. and search in registry also. 

once you done restart the computer. Install the you ethernet drivers if you miss any. 

gpedit.misc to change the hidden display property to disable in system settings.

Debbie · Answer

Hi I've just had the same problem over the weekend and have had success removing what turned out to be a large number of trojan viruses which found their way in through a fake email ecard I received.
I used the Dr Web Cure it  programme which is free www.freedrweb.com/
If your computer won't stay on long enough for you to download it off the internet which is what happened to me, then what I did was to download it from another computer onto a cheap disk I bought from asda. I then started my computer in safe mode, inserted the disk, and the Dr Web download icon popped up after about a 20 second wait. Just click on it (it took me about 10 goes before it wanted to activate) and then follow the download instructions.
I would recommend the 'Complete' scan. I ran the express scan first which allowed me delete about 7 viruses but when I ran the complete scan it found even more. The complete scan takes 2 hours.
Hope this helps, Debbie.
PS I'm no computer nerd, in fact I don't have a clue about the things, but I found this process quite simple and more importantly, successful. Good luck!

madshady · Answer

hey mikethedike

1.it's may be good idea in display settings after that warning there isin't any desktop tab in it that's the problem too 

2.and another problem that in my computer there was a adware so I put it into qurantine and deleted, but it also show that screen ;(

mikethedike · Answer

hi mad shady,
                 I am sorry, but I dint get you. Can you explain in brief so I can help you out of this problem

awaitng

pramod · Answer

Hi mike,
I too got the same screen saying "your computer is been affected and use a spyware to clean your computer". I could remove the program files containing the Antivirus XP 2008 but couldn't remove that blue screen. And today when I was downloading one of the adobe photoshop softwares the screen colour changed to white bearing the same message. Please do help me to remove the virus from the computer. Please do help.. 
Waiting eagerly for the solution.. 
thanks

Ebomb · Answer

Ugh! I got ahead of myself in the previous post.  If you followed those directions you still will be missing the 'Desktop' and/or 'Screen Saver' tabs in your Display Properties. (right click on background and select properties)

Also, just deleting the background image is not enough!  This is a nasty sucker running a process, it may not find the background anymore but its still doing harm.  i.e. my computer started blue screening and rebooting over and over after like 20 min

So here is the complete definitive answer: (thank you again for previous posts pointing me in the right direction)

REMOVE THE FILES FROM YOUR HARD-DRIVE:
-Right-Click on My Computer and select Search...
-click All files and folders
-search for *.bmp (all or part of file name)
-Find the one that matches your background 
-Note the name of the .bmp file - mine was called phccekj0e3cn.bmp (copy and paste into notepad or something as you weill need this later, or write it down as your computer can reboot)
-Search your drives for the last 3 characters noted in previous step. in my case I searched on *3cn 
-This search resulted in 4 files for me. 
-Go to your task manager, look under the processes tab, and find the process that matches the name of one of the files you are trying to delete (the .exe file) 
-end the process - mine was called lphccekj0e3cn.exe 
-delete all files found in your search 

REMOVE REGISTRY ENTRIES: (not as important since the files are no longer there but still good idea)
-Start -> Run
-regedit
-Edit -> Find
-I searched on *3cn (the last 3 characters) but this returned some valid registry entries.  I suggest you either carefully delete all entries that look they are related.  I found 5 or 6 valid entries, but they were obvious to me to not be related.
-typically they will have the full name like "lphccekj0e3cn"  In fact you could probably search on whatever the .exe name was (minus the .exe extension) and you can surely delete all those entries.  

FIX REGISTRY ENTRIES:
-this is what I missed in the previous post.  The first time this thing runs it changes entries in your registry to hide the 'Desktop' and/or 'Screen Saver' tabs
-In the registry navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage'


Check out your display properties again, they should be back to normal.

Empty your recycle bin to get rid of it for good

Rebooting at this point is probably a good idea.

AppsBabu · Answer

Hi Ebomb,

Thank you very much for your perfect step by step instructions to get rid of the junk.

Thanks
Appsbabu

Caitlin88 · Answer

Hi Ebomb,

Thank you so much!!! I was about to throw my laptop across the room!!!! O man!!! You saved me thousands of dollars!

Paul · Answer

I appear to have been infected with this problem.  I could not find the link to which you refer.  I went to the web site you listed, and did a search for the string of letters and numbers you mention to identify the entry that was supposed to contain the needed fix.  My search for that string did not yield any result.  Can you confirm that you had a correct listing to find the fix, or can you copy the instructions and send them to me by email?  I am desperate, and have worked on this problem for over a week without success.  I simply cannot get the bogus message to disappear.

rediak · Answer

hey ebomb!  thanks so much for the info!  it worked..... However I am still having problems with my internet explorer and firefox.  

For example whenever I search something on google, if I click on any of the links that my search brings up, I will be taken to a different page.   Theses pages are always some stupid advertising for random antivirus or anti-spyware software.   I cant seem to get rid of this problem.   If anyone can help me fix this, I would greatly appreciate it!

isaac · Answer

Ebom is the greatest !!!.
Worked for me too, thanks.
Also delete Rich Video Codec in IE
Thanks again

SicariuS · Answer

Hi people, 
Ive been havin problems with this one just now.. its very vague as per how I got it, my fiance tells me she didnt do anything out of the ordinairy.. 

Anyway, I caught the bugger in a very early stadium, where it hasnt altered my security settings.
I have had this one with various workstations at work and I can tell you that it isnt over by doing the steps Ebomb provided.
Although when you get it in the early stage (be sure that the screensaver didnt enable itself yet) you can remove it with those steps.

When you did them (In safe mode!! with the network cable unplugged!!) do NOT reboot until you have checked the following: 

Before you do anything, Start > Run > regedit [Enter] 
look for ScreenSaveActive and put that to 0 (it disables the screensaver)

Check Msconfig (start > Run > Msconfig [Enter] ) and go to the startup tab, check if theres anything that you dont trust.. or turn off everything for safety

Check your screensaver file

Go to c:\Windows\system32\drivers\etc and edit the hosts file in notepad (open with notepad) 
See if theres anything else but 127.0.0.1 in there.. if there is anything else, delete everything unless you have put it there

Check your entire registry for those 3 letters (for example e2s) plus scr (search for *e2s.scr) and change that into ribbons.scr (default windows screensaver)
and do the same for .bmp

Delete all your cache and cookies, AND your system restore points and turn on security in IE/firefox

If you still have problems, I suggest installing a premium antivirus package or bringing the machine to an expert, if you dont want to pay for it, re-install windows after backing up everything :)

IanK · Answer

how do I search when my desktop is gone thanks to that bmp file. I have no start menu, I have no desktop. I dont know how to search in DOS. PLease help I want to get rid of this blue screen and get my desktop and start button back.

Thanks

Sean · Answer

hey there

the thing is that I have already removed the spyware virus but now my background is just white no words no nothing. putting a new background doesnt seem to work and I cant seem to find the bmp file at all. was wondering if u could help me out 

THx heaps

Sean

Anubislee · Answer

Ok so I had all the symptoms, followed all of ebombs steps, and the steps that sir posted to do after. And I no longer have problems with my desktops backround. But I still have problems with:

My internet being really really really slow.

Websites don't load fully / correctly, the format is way f'd up.

Can't even access my router settings page anymore, it WAS loading f'd up before, now it just times out after a while.

I can't update any of my anti-virus software, they all just error in some strange way.

I can't install anything, install.exe files just error when I double click them, no matter what they are or where they are from, it just says they are corrupt. I'm assuming this is the virus keeping me from getting rid of it? -_-



I triple checked every step, I've done everything. If anyone knows what might still be wrong or what I MAY have missed, please help me out. I'd be more greatful than I can even put into words.

Blacmale · Answer

I had the same problem.  Wallpaper & Screensavor tab missing and fake virus alert.  I used this software and it got rid or it, Malwarebytes Anti-Malware.

Here is the link:
https://download.cnet.com/Malwarebytes/3000-8022_4-10804572.html

The free version works just fine.  Also if when you reboot you get an "Cannot Display This Video Mode" message. Unplug your monitor then reboot.  When you're sure that the log on prompt is up, replug your monitor.

Here is a copy of my Malwarebytes log, The ones labeled "Trojan.FakeAlert" is this perticular spyware.  Also it restore the noscreensavor and nobackground that was placed in the RegKey


Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

10:34:12 AM 08/27/08
mbam-log-08-27-2008 (10-34-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 139484
Time elapsed: 1 hour(s), 5 minute(s), 2 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\SYSTEM32\lphcpwej0e741.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\blphcpwej0e741.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcpwej0e741 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM\Cache (Adware.2020search) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM\Cache\T10312.tmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysrest32.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\vdo_g.ini (Stolen.Data) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\blphcpwej0e741.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lphcpwej0e741.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\phcpwej0e741.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\amegino\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Des · Answer

Thanks to all that provided the valuable information on this thread...

I have had this problem as well and have sucessfully got rid of it...using your advice
My IT guys was about to wipe my drive and re-install windows when I found this thread...

Again...Thanks...U ALL rock...!!!

SicariuS · Answer

Hi there people,

Seen as to how I cant reply to the mail I got through this site, i'm hoping to do that here..

I received some questions as to how to reach the search option when this virus is active..

I have to warn you though.. this particular bug downloads other viruses that change more stuff on reboot.. thats why it is VERY VERY important to remove the network cable, and not reboot unless its impossible to continue working before a reboot.

If you have done all the steps that Ebomb and I have provided (or cannot do some of the steps since it hijacked your explorer) and still have problems, here are some more tips.

Don't pin me down on this though, I don't know whether this helps.

Do NOT use your computer like normal when the virus is still there, you risk infecting other people and even being shut down by your ISP, and in the worst cases you risk being prosecuted for spreading spam/malware

Never download an "antivirus program" or "malware remover" unless you know it works (or one of the following: NOD32, Kaspersky, Norton/symantec, AVG and some other premium brands)

you MUST boot in safe mode (press f8 a couple of times right after you turn on your computer and get the black screen with the text stuff, that means BEFORE the windows logo with the moving bars) when youre in safe mode, you'll get a message about system restore.. this cannot be used since the virus could have infected a restore point.

When Safe Mode fully loaded, you should not get the warning message and blue/white background, if you do, press ctrl+alt+del, do task manager and look in your process list.

- If you see any weird processes in there, try to end them manually, but dont try too hard cause theyll probably stay.
Write the names of the processes (all that you dont trust) and look them up in google on a comp that is not infected, here you should eb able to find the meaning of most of them.. if not, its probably a virus, or a program you dont need.

- If you dont see a start bar, or icons: Try to manually start Explorer by doing CTRL+ALT+DEL, task manager, File > New task> explorer [enter]
If you cant get task manager to work, you have a problem that surpasses my knowledge, and its time to either use a recovery disk, re-install windows, or bring the computer to a specialist.

- If you cant start Explorer (the start bar and icons), theres another method to get it to work. Which requires some extra labour:

Go on a computer that is not infected and follow this link: 
https://download.cnet.com/Trend-Micro-HijackThis/3001-8022_4-10781312.html?spi=a9bfc7c9b036de3f980fb8a30b2ee5ad (if possible)
Or look for hijackthis.

You can then put it on a usb stick or CD/DVD and open it in the infected computer by inserting it and browsing to the drive through CTRL+ALT+DEL, task manager, File > New task>[drive letter]:\hijackthis
This program helps you opening an alternative task manager and file explorer/basic scanner

With this program you can analyze the startup sequence and save a logfile to show other people, do this, and post the logfile on this forum (or multiple to get quicker help)

You can also use this program to open your task manager list in case you can't, or dont trust the windows one (some viruses have been known to alter it)


This "manual" has become quite a mess now, but if you go over it a couple times, I hope you get what I mean...

So here's what I expect you to do:
- Follow all the instructions (Ebomb and mine, and read the other people's too ofcourse) 
- If these dont work, get Hijackthis
- FIRST follow your own intuition, find all processes on google, try to manually remove stuff with hijackthis after researching them
- Try premium antivirus trial packages
- Post your Hijackthis log on this forum and tell us your symptoms in one message, if we can help, we will!
- If all else fails (and I mean everything) Think about re-installing windows over this infected one. 
Then back up everything on a dvd or usb stick (documents, pictures, saved games, every important possession) 

IMPORTANT: Take your time for backing up, the windows that is installed now will not have the virus installed but your harddrive will be a mess (imagine post-apocalyptic new york on rush hour) and it still does contain the virus file on it.
When youre absolutely positive that you backed up every valuable file, it is time to do a system format. 
You can do this by letting the windows installation make a new file system (theres plenty of tutorials about this and im not going in-depth on this) 
Do know that upon doing a format, you will delete everything on the computer, and you will not be able to recover anything after the format.

SicariuS · Answer

Ok, so I thought I had everything gone, but it seems like my browsers are being hijacked by this virus, look out for the results you find on google..

If anyone can help find out where this comes from, I very much appreciate it

So: Whenever I do a search on Google, on both IE and FireFox, google wants to redirect me to some page called "youreverydayhealth.com" and something with blogs.

I checked all my harddrives (2 TB) with all known anti spyware/adware/cvs programs, hijackthis, I dont have files in my process list that could do harm, I deleted all BHO's, I let my router determine the DNS, not my computer, I have no other virus symptoms, no bad cookies, an empty cache, https://www.google.nl/?gws_rd=ssl is my basic search provider and starting page and my hosts file is alright (empty).

I scanned my registry to anything with blogs or health, and all I could find was the high secured area of iexplorer (all the websites with security = 4 -means blocked- rating)

Also every tracert shows up legit addresses.

Any suggestions would be appreciated.

mikethedike · Answer

unplug ur system from the net connection

delete the history, cookies, and temp files from ur iinternet explorer 

check in any new software has been intalled in 
startmenu/programs/"check in any new software has been intalled itself here " unintall it if it doent allo to delete it

emplty ur recyler bin

awaiting comments

also check out 

Melisio Mascarenhas
India

stevie · Answer

mine went away after I renewed a $39.95 one year norton plan. however, I had to download new updates  to norton to get the message "spyware detected on your computer" to go away.  so, just be patient and download the updates. hope this helps.

sunshine · Answer

I located the 3 files but when I went to  processes in the task manager, none looked even close.  The files were blphcgenj0e95t and phcgenj0e95t.  Also NONE of my processes listed have any NUMBERS in them at all!  I have had this virus for a week.  My young son needs the computer for school work now and I am a novice MOM.  Any suggestions would be appreciated.

Tommet · Answer

I was having this same problem and had to reformat 2x.  All was fine until this past Friday, and this same virus started taking over again.  Now, I got past all the screesaver issues, I was able to delete some files before it got to the "screensaver" changing part.  But now here are my issues. 1) Task Manager will not come up because the admin rights have been taken over by this virus. 2) When I go to "Start" Ctrl Panel, My Computer, none of those items are available 3) I get into "My Computer" by backdooring it, and my C:/ and D:/ drives are not available.  I have to manually type them in to view them.  The virus has gotten into my external hard drives as well, which the free version of avast is picking up, but the virus will not let me delete these files after being found through avast.  When I go into the drive, I do not see these files.  I am running programs that were mentioned earlier in this post, trying to get rid of this thing. Also, where the "Time" is, in the bottom right had corner, it has "VIRUS ALERT!" displaying all the time.  Any help would be appreciated.  Thanks!

Flordeli · Answer

Ebomb, I was able to followed your detail instructions and resolve this problem.  Thanks you very much for sharing your knowledge with us................regards!

jeepster40 · Answer

I used malwarebytes. It's free and worked like a charm. I am a network admin so I get to fix this stuff all the time. I use a mac so as of now I don't have to put up with this stuff. Plus it is just way cooler :-)

jeeva · Answer

yes i'm also facing same problem......how to remove spyware from my computer

Jojo · Answer

Thanks Ebomb!!!!

Instructions were clear and concise, fixed my problem with the darn worm.  Any idea if it diasbles your firewall and system restore aswell?  

Thanks

hamid · Answer

hi 
pleas help me ! this  virus is in my compiuter & mey background . 
my anti virus&spywar nod32 but can't find it . 
i dont know what I doing now .
pleas help me .

unanon · Answer

This is the clearest, most succinct solution to this problem I've found - and it works like a charm!  Thanks SO much for the step-by-step instructions on how to rid oneself of this annoying little virus.

Oh desktop settings - I'm so happy to have you back!  Never leave me again!

TARA · Answer

SOMEBODY PLEASE HELP! 
i had also had that warning of spyware come up on my desktop. however I foolishly thought the problem would go away if I simply used one of my own images as a background. 
so now I have my own background image but am still missing the screensaver/background image tab. 
i tried the bmp method....but I dont get wat im supposed to be looking for as my background image is my own pic which I chose. is that the image im supposed to be looking for as a bmp format??? please help!! :(

matt022 · Answer

hey I had the same problem and ebomb your directions helped me thx.
but now something strange has happened with my browser
anytime I Google search something
and click on one of the search links it redirects me and takes me to some worthless shady website
the only way I can access websites is by typing in the url
my internet is also running very slow now
i get the feeling some form of spyware is still in my comp and using my net
any help would be greatly apreciated !!!
thank you!!!!

raulkatz · Answer

I had all of the above symptoms.  I found and deleted the files, edited the registry, but PC still would not boot.  As a last ditch attempt I downloaded this antivirus program Malwarebytes to a flashdrive from another PC and installed and ran in protected mode.  There were 12 infections (none bad).  Then rebooted and ran a full scan which took about 70 minutes.  The program found another 25 infections.  

Here is the link again that was provided earlier:
https://download.cnet.com/Malwarebytes/3000-8022_4-10804572.html 

PC is now working great.  I set a new restore point and am happy with all of the assistance, time and effort everyone has put into solving this stupid needless problem!

Thanks!

taniaaaaa · Answer

THANKSSS EBOMBB!!!!!!!!!!! you're AMAZINGGG!!!

gantsa · Answer

thanx a lot 

i delet the registry key


all fine now

keyes1989 · Answer

hey guys, I followed all the steps and the background and virus message went away, however everytime I log into my profile its fine for about 30 seconds and then it just restarts.... any ideas?

keyes1989 · Answer

can anyone help! I need that comp for tonight:|

hello · Answer

Finally this worked.

Go To 
c:\windows\system32\

Sort all files using date modified. 
You will notice below files that created on the day when the virus is came. Just delete and reboot

avgrsstx.dll
blphcarvjoel39.scr
fntcache.dat
lphcarvj0el39.exe
karina.dat

keyes1989 · Answer

it still hasn't worked and I dled ad aware 2008 and installed it using a flash drive but the virus somehow changed all the language to everything on my comp to spanish:| luckily I have the english version on my laptop so I know what to push. this is so fucking annoying

melana · Answer

hi needhelp,
                 before attempting all this have u try to scan ur pc first dear and check whether it detect it and therefore can solve the problem dear,,,,,,,if not then I advise u thus to format ur system dear good luck ;-)

nstephens2k3 · Answer

Hey everyone.

I have the same problem on my computer. I've followed ebombs steps yet I still cannot get rid of it.

My virus .EXE on my processes tab is called lphc5mfj0er59 so I searched in My Computer for r59.bmp. From searching for this one bmp file was located, and it was my background image. I deleted it and then from my Recycle Bin, and then proceeded on to make the registry changes as specified by Ebomb. I then restarted my computer and it has had no effect! I have tried these steps in safe mode and in normal mode.

As well as phc5mfj0er59.exe loading on processes tab there are some other dodgey looking processes too, such as -

ezi_hnm2.exe
ZCfgSvc.exe
McVSEscn.exe
AOLDial.exe
AOLacsd.exe
AOLSP Scheduler.exe

I can access the Internet through Ethernet cable however the virus has damaged my wireless as it says its unable to detect a supported wireless adapter. please install a supported adapter.

Any advice or help would be very much appreciated! Any ideas?

Thanks in advance.

Jayesch · Answer

Hi Ebomb,

Recently I ran into same problem. Google search yielded your page. Thanks a bunch for your help.

Thanks
Jayesh

elimorgan · Answer

I hope that someone can help.  I have the same problem that everyone here is discussing and have printed the instructions for the removal, however... I am not able to access anything on the computer or stay logged in long enough to do any of those actions.  When I boot the computer, the Windows logo comes on, the log in screen appears and I log in as usual, then it goes to a solid blue screen... nothing on it at all, no start key or shortuts.  After about 3 seconds of blue screen, it automatically logs out and goes back to the log in screen.  This is the same if I start the computer in Safe Mode... blank blue screen and then logged out promptly!  What can I do?!!?!?  I am concerned about the new pictures on my hard-drive of my newborn that I haven't backed up yet (only 1 month old) and don't want to lose my data if at all possible!!!  Appreciate any help that's offered!

Thanks in advance!

SOLUTION · Answer

Hi guys,

I got the same virus/spyware but I think I got rid of it.

I went on avg.com and got their software (free for a period of 30 days), I took the smaller version of the two.  I had to install it and run it several times.  The computer kept crashing, etc...  I even had to boot in Safe Mode and run AVG from safe mode one last time.  It kept finding all kinds of trojan viruses and spyware every scan.  After redoing the scan a few times, it became easier and easier.  Now my scans are clean all the time and I no longer have the problem.  The blue screen and warnings about spyware are still there buty these are just the background and a screen saver.  The only thing I don't have yet is the ability to change the background and the screen saver (the virus got rid of these tabs but I'm sure I'm one setting away from being done with the whole nightmare).  I'm buying AVG (they have another free version which is an undefinite trial but they say this product is inferior so I'm going for the real thing).

JF

nstephens2k3 · Answer

I've downloaded AVG and it found loads of trojans which I have got rid of. I tried AVG before trying ebombs advice and following his instructions.

Update: I have got rid of the spyware it seems as my desktop is no longer that damn antivirus message, it is now just a blue background. It seems I have now got rid of the virus as it no longer auto loads on the processes tab which is great and the blue screen no longer appears either. However, I still cannot change my desktop wallpaper as the tab is still not there, nor can I still connect to my wireless.

Any ideas?

Kyle · Answer

Hello, I had this problem and now I found it the file is called "phcg71j0e52c"

Without the "

If you do not find it just type in your search

".bmp"


Without the "


Welcome!

Keef · Answer

this thing wont let me go to task manager and also I cannt delete the gay files what should I do and I cant roll back because my restore point is after I recieved this shit

liyakath · Answer

Pls Give Me Sollution on my Problem

liyakath · Answer

Thank you very much

alex · Answer

hi, I had this same virus, but it seems like I got rid of it as far as I can tell, no reg entries that look like it, or executables,  but for some reason my internet is bugging out.  though it is msn dial up, so that could be the problem itself =(.  any ideas on how I could get my net back up??  right now im just gonna wait an hour then try to dial up again, might just be phone line.

no-nikname · Answer

This is the Vundo virus and trying to remove it with antivirus software after it has infected your pc will not work. All the solutions I have heard on this site will only remove some of the virus. It will evenually take over windows logon and prevent you from making any changes to your pc as the administrator. There are various name for the virus. It will be hard for an ordinary pc user to remove this virus completely and letting it stay on your computer could be dangerous. In the end I reformatted my hard drive and reloaded Windows XP. :-(

jenn · Answer

what would you suggest I do?

420 · Answer

i had the same virus I did the process an it worked thanks much every one my tabs are back an every thing !!!!!!!!

anon · Answer

I got this virus, I have no idea how, and I tried many virus removal programs, and I also ran through the *.bmp walkthrough but nothing worked till I ran Malwarebyte's Anti-malware program in safe mode.

that did the trick

good luck to you all!

https://download.cnet.com/Malwarebytes/3000-8022_4-10804572.html

Roxie · Answer

DON'T BUY ANYTHING that WARNING sign in the middle of your screen presents, it's a case of spyware (Trojan). Download SUPERAntiSpyware for free and scan your computer...keep it installed and do occasional scans and it will protect your computer from these frustrating Trojans!

Same thing happened to my computer so I took it to the Informational Technology computer experts at my school and they showed me this process...it totally worked and now my computer is healthy!

As far as anti-virus software, avast! is really good, plus it's free :)

Hope this helps!

LOL SO EASY · Answer

Just download and install superantispyware and malwarebytes install in regular mode then go to safe mode with no networking then scan... if you cannot go on the internet get a flash drive and put it on their ... I got this on my computer and got it removed a hour later :P

antalvar · Answer

I got a similar problem to everybody else's.
I got the same warning message on my desktop, but suddenly the computer started shutting down, and went off.
The system crashed.
I have Avast ativirus Pro, I dont know if that affected in any way.
Now when I try to start the computer I doesn't load Windows. The windows logo appears in the screen and then goes blank, the only activity I get on the screen is the mouse icon.

I only have to opptions from the booting menu, via CD / DVD or By Disk Boot (this one does the things descrived above) and I dont have a Boot CD.

Please help me! What can I do?

Regards!.

kps7777 · Answer

Hello All:
I got the same virus last night. I was smart enough to not click on any of the pop-up windows, but since my "task manager" was 'greyed out / blocked' I couldn't get to far in troubleshooting this virus myself. Tried several things unsuccessfully and then found this website. I am at work now and not on my infected home computer, but it sounds like Ebomb has found a way to eliminate the pop-ups, the blue screen desktop, and the screen saver problems; however, I am very concerned with several reports that the internet browser does not work. This indicates a much more serious problem and hopefully someone can report how to correct this issue. Before I shut down my PC last night, I tried to research this virus on my browser and sure enough everything I searched on directed me to some bogus site. This sounds like a deeper rooted problem then just deleting a group of files. Since it sounds like the first part of this problem is already resolved, I would really appreciate comments from the people who now have messed up web browsers. Perhaps some of the people who even think they have solved their problems because they no longer have a blue screen desktop have not determined that they have a more serious problem.

ANY HELP WOULD BE GREATLY APPRECIATED AS I FEAR THE WORK FOR MY HOME PC ! ! !

kps777 · Answer

Hello Again,

I'm happy to report that I downloaded the Malwarebytes-Anti-Malware software reported by another post and it completely removed this trojan virus, restored my desktop to normal,  reactivated my task manager, corrected my web browser issues, and eliminated all adware pop-ups. This was all with their free software. I was so relieved to get my computer back to normal that I bought their continuing protection for $25 so now their software is always running in the background and it automatically updates its virus definitions at 10pm each evening. Here is the link I used (and as reported earlier by others).


http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_Â­4-10804572.html

Dan · Answer

Download MalwareBytes Anti-Malware

www.malwarebytes.org

And Quick Scan And Remove Viruses

P.S (Completely Free!)

sasa · Answer

i have the same problem

chris · Answer

exactly the smame happened to me. It tok over the whole computer and we had to wipe it clean, which almost didn't work. I almost lost my computer so I reccommend to anyone else, close off internet connections and bring in an expert if you are stil having trouble. I might have been lucky but you might not be :(

taby2cat@yahoo.com · Answer

hey I had the same problem befor but I got it off by going to youtube and searching betaFlux and he has a video called manually delete that subborn virus it works trust me :) and if it doesnt e mail me  and ill give you more info on how to get it off. PS goodLuck:)

De Dee · Answer

Ok to fix this problem,go to https://www.superantispyware.com/ and download this program to remove the virus. don't use malare bytes because the screen wall paper problem will still stay. I used SuperAnti to remove the same problem off my computer.

Shak · Answer

Okay I found the easiest way to remove this once and for all!
1.goto start run...
2.type in regedit
3.go into these files:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
4.delete entries 'NoDispBackgroundPage' and/or 'NoDispScrSavPage' 

Now right click on your desktop, go to properties and everythings back, you can now change your background

Miguel C · Answer

I am aslo having the SAME PROBLEM!! I log onto my destop and a BLUE and yellow Background says WARNING SPYWARE deteced!! and then 2 minutes later an Internet Explorer page opnes up and covers my Whole screen!! and I get go any where from there!!......but when I open my desktop I quickly opne my TASK manger and End the PROCESS to get rid of the PAGE then once that is closed down...MY BackGROUND BECOME black and Says 

  SORRY, your license has Expired
  You need to increase your licenseto continue work
  Click the buttonw below to fix Problem

then underneath there a buttonw that says FIX PROBLEM but if I click it it TAKES ME TO A INTERNET EXPLORER PAGE THAT WANTS ME TO BUY I BELIEVE THE NORTON ANT-VIRUS!!! AND I CANT GET OUT OF THAT PAGE!!

PLEASE PLEASE HELP ME WHAT SHOULD I DO TO FIX MY PROBLEM ITS MAKING MY COMPUTER RUN REALLY SLOW!!

comgeek · Answer

dudes that is a common problem, it is due to the spyware infection, I recommend each of you (who has this message) to install a spyware killer program like Threat Fire or Super anti spyware, I am really sorry but most of the answers above are not helpful, anyhow instead of doing so long manual removal and going to task manager and deleteing files etce tc, is uggest you people to install an antis pyware software that will detect and remove spywares found in ur pc.Good Luck, you may google for free spyware removal program
https://www.google.com/search?q=spyware+removal+adware+killer&client=pub-8124638089754170&forid=1&channel=8107557384&ie=ISO-8859-1&oe=ISO-8859-1&safe=active&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A1&hl=en

Tamer_Totti · Answer

My Advice is to buy Webroot software from Bestbuy or costco $39.00 or so and install it on your PC, it will detect and clean this problem right away.  Good Luck.

schell · Answer

will malwarebytes' anti-malware program work? Ebomb, will you please explain it again step by step? and also explain how to search the drives, I need help this will not go away! please! and thank you so much!

ryanasd · Answer

samething happened to me any of you guys can help us well I removed my viruses but the back round is still there to.

Pnut · Answer

I just got this today, I have spybot and Lavasoft Ad-aware but everytime I tried to load them up it wont open and I get like 10 windows saying application error. So I installed the SUPERAntiSpyware and I had no problem installing it and scanning my computer, it found about 15 infected items I deleted them and rebooted my puter but I still have that virus, I cannot change my background.

reevo22 · Answer

I need help!
i have also got this virus with the black background with the flashing warning sign which I need to get rid of......i have tried many ways of getting rid of it and it just doesnt seem to go! I have tried it in safe mode and tried running anti-virus software.....the only problem is that as soon as I start up my laptop and log on and error sign comes up and then it turns to the infamous blue screen of death and starts to do a memory dump! can anyone give me any directions to get rid of this annoyance! thanks.

Big Problem · Answer

I got that freakin virus now and I cant get it off my computer. I deleted them files and cleaned it up but everytime I restart my computer the background is back again and those freakin messages sayin' spyware detected, blabla ' .  What can I do ?

Arc · Answer

Easy, heres what you got to, do poth PROPERLY, ok?

Click the Start menu
Click Run
Type regedit and click Ok
Find your way to HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ ActiveDesktop
Delete all of the entries in that section.
Find your way to HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ ActiveDesktop
Delete all of the entries in that section.
Close regedit

BE VERY CAREFUL EDITING THE REGISTRY. You can make the machine completely unusable if you accidentally delete the wrong section.

TheVinMan · Answer

Let me tell you what happened to me and maybe you can help me and also give a warning to others.
I consider myself to be pretty careful when downloading anything onto my pc. Well it just so happens that a volcano is about to erupt in Alaska so I wanted to find live web cam coverage. So I was lead by Google to what looked like an authentic web site When I went to down load the viewer that was required to view said video the normal Norton warning you could be downloading a virus ect ect ect. came up.
after installing the viewer well you guessed it every Trojan and worm you can imagine. I was majorly infected after many different virus sweeps the system seams to be clear, however I am left with a blue screen and can not load any background or wallpaper and all I have read here and tried to find bmps and check the reg edit for the suggested codes I find none if you can suggest any thing else I would appreciate it.

Len · Answer

Melisio
Thank you so much. This was the first time I tried to fix a virus without hiring someone that it worked. BTW I will never complain about Indian tech support again. You're the best!

TURTLEZ · Answer

Guys, if you can, DO NOT SHUTDOWN YOUR PC , it will be more serious. 
You will have a problem with logging in, it is UNFIXABLE unless you have the installer disks, remote connections and stuff. 

And do NOT run AVG or McAfee, They will be manipulated to allow hidden installs of the virus. BE CAREFUL.
Auto recover anything doesn't work in boot up, and it will do the Auto log off to ANY account

This happened to my Netbook, and I have had no luck getting into the files, and I have no disk drive,

JOKirk · Answer

If you're getting logged out as soon as you log in, you probably told antivirus or antispyware to clean something that shouldn't have been removed. In my case, a user had told it to clean userinit.exe, and it deleted it. Userinit.exe relates to windows login -- without it, windows logs you right back out, thanks for stopping by, please try again. When I copied over a userinit.exe from another similar machine, it started logging on.

Unfortunately, the version of this thing has advanced, and previous suggestions are insufficient to resolve the infection. I'm still working on getting things cleaned up. Getting a little frustrated, but I'll post again if I get it done and let you know how.

You'll notice it modifies the hosts file like a lot of malware, and for me, it is blocking malwarebytes loading -- not sure how. LavaSoft AdAware is my next step to try. As I said, I'll keep you guys informed.

Carlos 06/14/09 · Answer

The solution to this virus is acivating the Windows Defender in your computer.I followed the steps that I found in this site.
1-Click on the start button/orb. 2-In the start search box type in “defender”. 3-In the results up top highlight “Windows Defender”. DO NOT CLICK ON DEFENDER NORMALLY it will not open, instead right click and choose “RUN AS ADMINISTRATOR”. 4-When the UAC (User Account Control) dialogue box appears, choose “ALLOW”. This will open Windows Defender. Defender will then run and find the virus and delete it. Now this worked for me and I hope by passing it on, it will work for you without having to buy any additional software to get rid of it.
I did click on defender and  then I clicked FULL SCAN.  It took  1 1/2 hours for the Full Scan to be complete. At the end it got the virus and I only had to click REMOVE ALL.
Thanks for your help.

JAY · Answer

Ok. so I guess my moms coworker borrowed a laptop from her work and then gave it to my mom to do some work, and I turned it on and the spyware background went on and all this pop ups came up. so my dad told me to turn the computer off, so I did. I then turned it back on, logged into the usser and non off the icons appear. No start menu,time/clock, nothing. I tried going on the internet through the task manager, but it wont connect to the internet! I tried in safe mode, nothing. Some one help pleaseee!!! my mom has to return it to her work monday!

walter · Answer

dwayne still eaten cookies in bubbles.

Lp · Answer

Get MalawareBytes Anti Malaware, my laptops used to be crappy. Well no wonder, I had 215 infections. Also that blue screen, That might mean one of the two. 1.Graphics card fail. 2. Overheating.

Background message "Warning! Spyware detected

84 responses

Similar discussions

Subscribe To Our Newsletter!