TechSpot

crazy rogue system alert popup

By darkmatter14
Mar 3, 2007
  1. Hey, I'm a computer novice, but I'm pretty sure I've got a nasty infection. It's a popup in the lower right-hand corner that says I have spyware and to download this software, but I'm sure it's some sort of fraud; the problem is that I've tried several programs, and although they have found certain problems, they never wipe the source. I've seen other posts on this topic, and on other sites, also I've used HijackThis like the forums said to, but I have no idea what to delete or keep and I've heard warnings to be careful because programs like that can ruin a PC. I'm using XP Service Pack 2, and I'll attach my HJT log so if somebody could please just help me out
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system has a lop infection as well as other nasties.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Please Download NoLop to your desktop from one of the links below...
    http://www.spywareedge.net/nolop/NoLop.exe
    http://www.thespykiller.co.uk/forum/...pmod;dl=item16

    First close any other programs you have running as this will require a reboot
    Double click NoLop.exe to run it
    Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
    When scanning is finished you will be prompted to reboot only if infected, Click OK
    Now click the "REBOOT" Button.
    A Message should popup from NoLop.
    If not, double click the program again and it will finish.

    --If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.-- http://www.boletrice.com/downloads/mscomctl.ocx

    Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post a fresh HJT log, the C:\Nolop log and an AVG Antispyware log as attachments into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of darkmatter14 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Xtr3m3

    Xtr3m3 TS Rookie Posts: 16

    I just got mine cleaned of the same thing. Just wait for howard_hopkinso; he fixed mine. It took a day, but I was the first that he had seen. He can help you clean it in about an hour or so. Just do exactly what he says and do not follow anything that anyone else did in other threads about their problem. I would suggest looking at the sticky about malware and spyware that is at the top of this forum. Do the 11 steps there exactly and post a new hijack so he can look at it further. This is all that I can do for you, but it's a start. Oh, by the way, it did not affect anything on my computer, and it took a day to get off, so you should be fine.
     
  4. darkmatter14

    darkmatter14 TS Rookie Topic Starter

    well...

    OK, I've done what you said, however my problem persists. I ran NoLop! and it found something so I deleted it; then I proceeded to follow the 11 steps in the virus guide; I ran everything and deleted anything that popped up except for with ccleaner and smitFraudFix because I've heard the former may delete personal files (i.e. photos or music or w/e) and the latter can really mess up your computer; additionally I haven't gone into safe mode, I just release my IP; unfortunately, I'm still infected (that popup is SO annoying)
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please post a fresh HJT log as either a .txt or .log attachment. I won't open a .doc file due to the risk of viruses. Also, you didn't attach the Nolop.log file, please do so.

    Regards Howard :)

     
  6. darkmatter14

    darkmatter14 TS Rookie Topic Starter

    ok here it is

    Sorry about that, misread the instruction in the 11 steps; I can't find a log for the NoLop! just an infected file but I suppose you don't want that
     
  7. darkmatter14

    darkmatter14 TS Rookie Topic Starter

    hey

    I've noticed that someone was having the same problem on the forums, and you told them, malliksharma, to make a log with autoruns, so I figured I would do the same... it seems like a lot of people are having this problem
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    CD Guard Drivers Auto Removal (v2) (psrem02) < Disable the service name and/or the name in brackets.
    CD Guard Drivers Auto Removal (v1) (psrem01) < Disable the service name and/or the name in brackets.

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    psrem02.exe
    psrem01.exe
    objbase.exe
    emMON.exe
    Bookdale.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O4 - HKLM\..\Run: [grim bib title else] C:\Documents and Settings\All Users\Application Data\Eggs site grim bib\Bookdale.exe

    O4 - HKLM\..\Run: [emMON] emMON.exe

    O4 - HKCU\..\Run: [PlayAudio] C:\DOCUME~1\Andy\APPLIC~1\CREATI~1\objbase.exe

    O4 - Global Startup: Adobe Gamma Loader.lnk = ?

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm801YYUS

    O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)

    O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Protection Technology - C:\WINDOWS\system32\psrem01.exe

    O23 - Service: CD Guard Drivers Auto Removal (v2) (psrem02) - Protection Technology - C:\WINDOWS\system32\psrem02.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\system32\psrem02.exe
    C:\WINDOWS\system32\psrem01.exe
    C:\DOCUME~1\Andy\APPLIC~1\CREATI~1 < Delete the entire folder.
    C:\Documents and Settings\All Users\Application Data\Eggs site grim bib < Delete the entire folder.
    C:\windows\emMON.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

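An added example, not part of howard_hopkinso's post and not HijackThis's own code: a short Python triage pass over a subset of the HJT entries quoted above, showing how each line splits into a section code and details and which entries stand out mechanically. The sample log is constructed from lines in the post, and the three heuristics are assumptions chosen for illustration.

```python
import re

# Constructed sample: a subset of the entries quoted in the post above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [grim bib title else] C:\Documents and Settings\All Users\Application Data\Eggs site grim bib\Bookdale.exe
O4 - HKLM\..\Run: [emMON] emMON.exe
O4 - HKCU\..\Run: [PlayAudio] C:\DOCUME~1\Andy\APPLIC~1\CREATI~1\objbase.exe
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Protection Technology - C:\WINDOWS\system32\psrem01.exe
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Triage heuristic chosen for this example (an assumption, not HijackThis logic):
# autostart programs living under Application Data, long or 8.3 short name.
APPDATA_RE = re.compile(r"\\(Application Data|APPLIC~\d)\\", re.IGNORECASE)


def parse_line(line):
    """Split one HJT line into (section code, body); None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        code, body = parsed
        if body.endswith("(no file)"):  # entry points at a file that is gone
            findings.append((code, "orphaned reference", body))
        if code == "O4":  # O4 lines are autostart (Run key / startup) entries
            run = RUN_RE.match(body)
            if run is None:
                continue  # e.g. "Global Startup" shortcuts use another layout
            cmd = run.group("cmd")
            if APPDATA_RE.search(cmd):
                findings.append((code, "autostart from Application Data", cmd))
            elif "\\" not in cmd:
                findings.append((code, "autostart without full path", cmd))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:4} {reason}: {detail}")
```

The O23 service entry is parsed but not flagged by these heuristics, so service entries still need a manual look. In this thread the HJT log was later declared clean while the popup persisted, which is why the next step was an Autoruns log.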
     
  9. darkmatter14

    darkmatter14 TS Rookie Topic Starter

    Well, I did what you said, but the stupid system alert popup is still there

    btw, I don't know if this means anything but the whole time I was in safe mode, the system alert popup continued to flash
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log here.

    Regards Howard :)

     
  11. darkmatter14

    darkmatter14 TS Rookie Topic Starter

    ok here is my autoruns
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "Open Script File".
    Navigate to the file you have just downloaded, click on it and press Open.
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply. Let me know if you're still having problems.

    Regards Howard :)

     
  13. darkmatter14

    darkmatter14 TS Rookie Topic Starter

    Well, before I use that, I would just like to let you know that I stopped the system alert popup. After reading your other posts about the subject to other users, I found that in most cases, you asked them to eliminate a file called geplxss.dll with killbox; so I did that and it stopped, however I will proceed with your last instruction because I'm mostly sure there were other parts, and let's be honest, you know a ton more about computers than I do
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    If you've already killed that file with Killbox, there's no need to try and kill it again with Avenger. That file was the source of your problems.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  15. darkmatter14

    darkmatter14 TS Rookie Topic Starter

    I can finally get back to my normal computer life now! Thank you so much for your help :D I guess I should start deleting all these random programs I downloaded to clean my computer

    I just tried to add/remove program system alert popup, because although it was gone from the taskbar, the thing was still in the add/remove program; all of a sudden, spydawn popped up again and it saw that I've been reinfected! Why can't I kill this wretched virus??!!

    OK, so I've uninstalled spydawn, and avenged system alert popup
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Run the Ccleaner programme as per the instructions in this thread HERE.

    With the Ccleaner programme still open, click on Tools. In the list of installed programmes, highlight the system alert popup and click the delete entry button and click ok when prompted. Close Ccleaner and reboot your system.

    Post a fresh Autoruns log.

    Regards Howard :)

     
  17. darkmatter14

    darkmatter14 TS Rookie Topic Starter

    OK thx, as far as I can tell, it's all gone, but I'm running avg just to check
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I'd still like to see a fresh Autoruns log. That's because the Ccleaner programme only removes the entry in add remove programmes and not the infection itself.

    You should also go HERE and follow the instructions for removing Spydawn.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
