crazy rogue system alert popup


darkmatter14

Hey, I'm a computer novice, but I'm pretty sure I've got a nasty infection. It's a popup in the lower right-hand corner that says I have spyware and to download this software, but I'm sure it's some sort of fraud; the problem is that I've tried several programs, and although they have found certain problems, they never wipe the source. I've seen other posts on this topic, and on other sites; I've also used HijackThis like the forums said to, but I have no idea what to delete or keep, and I've heard warnings to be careful because programs like that can ruin a PC. I'm using XP Service Pack 2, and I'll attach my HJT log, so if somebody could please just help me out.
 
Hello and welcome to Techspot.

Your system has a lop infection as well as other nasties.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Please Download NoLop to your desktop from one of the links below...
http://www.spywareedge.net/nolop/NoLop.exe
http://www.thespykiller.co.uk/forum/...pmod;dl=item16

First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop.
If not, double click the program again and it will finish.

--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.-- http://www.boletrice.com/downloads/mscomctl.ocx

Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post a fresh HJT log, the C:\Nolop log and an AVG Antispyware log as attachments into this thread, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of darkmatter14 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I just got mine cleaned of the same thing. Just wait for howard_hopkinso; he fixed mine. It took a day, but I was the first that he had seen. He can help you clean it in about an hour or so. Just do exactly what he says and do not follow anything that anyone else did in other threads about their problem. I would suggest looking at the sticky about the malware and spyware that is at the top of this forum. Do the 11 steps there exactly and post a new hijack so he can look at it further. This is all that I can do for you, but it's a start. Oh, by the way, it did not affect anything on my computer, and it took a day to get off, so you should be fine.
 
well...

OK, I've done what you said, however my problem persists. I ran NoLop! and it found something, so I deleted it; then I proceeded to follow the 11 steps in the virus guide; I ran everything and deleted anything that popped up, except with ccleaner and smitFraudFix, because I've heard the former may delete personal files (i.e. photos or music or w/e) and the latter can really mess up your computer; additionally, I haven't gone into safe mode, I just release my IP; unfortunately, I'm still infected (that popup is SO annoying).
 
Please post a fresh HJT log as either a .txt or .log attachment. I won't open a .doc file due to the risk of viruses. Also, you didn't attach the Nolop.log file, please do so.

Regards Howard :)

 
OK, here it is

Sorry about that, misread the instruction in the 11 steps; I can't find a log for the NoLop!, just an infected file, but I suppose you don't want that.
 
Hey

I've noticed that someone was having the same problem on the forums, and you told them, malliksharma, to make a log with Autoruns, so I figured I would do the same... it seems like a lot of people are having this problem.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

CD Guard Drivers Auto Removal (v2) (psrem02)<Disable the service name and/or the name in brackets.
CD Guard Drivers Auto Removal (v1) (psrem01)<Disable the service name and/or the name in brackets.

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

psrem02.exe
psrem01.exe
objbase.exe
emMON.exe
Bookdale.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [grim bib title else] C:\Documents and Settings\All Users\Application Data\Eggs site grim bib\Bookdale.exe

O4 - HKLM\..\Run: [emMON] emMON.exe

O4 - HKCU\..\Run: [PlayAudio] C:\DOCUME~1\Andy\APPLIC~1\CREATI~1\objbase.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm801YYUS

O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)

O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Protection Technology - C:\WINDOWS\system32\psrem01.exe

O23 - Service: CD Guard Drivers Auto Removal (v2) (psrem02) - Protection Technology - C:\WINDOWS\system32\psrem02.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\psrem02.exe
C:\WINDOWS\system32\psrem01.exe
C:\DOCUME~1\Andy\APPLIC~1\CREATI~1<Delete the entire folder.
C:\Documents and Settings\All Users\Application Data\Eggs site grim bib<Delete the entire folder.
C:\windows\emMON.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)
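A triage sketch for the kind of HijackThis entries listed in the post above, added here as an example (it is not code from this thread or from HijackThis). The sample lines are copied from the fix list; the three heuristics and their labels are assumptions chosen for illustration, and they are a reading aid rather than a verdict, as the last sample line shows.

```python
import re

# Sample lines copied from the fix list in the post above.
HJT_LINES = [
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r"O4 - HKLM\..\Run: [grim bib title else] C:\Documents and Settings\All Users\Application Data\Eggs site grim bib\Bookdale.exe",
    r"O4 - HKLM\..\Run: [emMON] emMON.exe",
    r"O4 - HKCU\..\Run: [PlayAudio] C:\DOCUME~1\Andy\APPLIC~1\CREATI~1\objbase.exe",
    r"O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)",
    r"O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Protection Technology - C:\WINDOWS\system32\psrem01.exe",
]

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
RUN_VALUE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumed list of per-user / shared data folders (long and 8.3 short names).
USER_WRITABLE = re.compile(r"\\(application data|applic~1|temp|locals~1)\\", re.I)

def parse(line):
    """Split one log line into section code, kind, value name and target."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    entry = {"code": m["code"], "kind": m["kind"], "name": None, "target": m["rest"]}
    if m["code"] == "O4":  # Run-key entries look like "[value name] command"
        rv = RUN_VALUE.match(m["rest"])
        if rv:
            entry["name"], entry["target"] = rv["name"], rv["cmd"]
    return entry

def triage(entry):
    """Return heuristic labels (illustrative names) that make an entry worth a look."""
    reasons = []
    if entry["target"].endswith("(no file)"):
        reasons.append("no-file")             # registration left behind, file is gone
    if entry["code"] == "O4" and entry["name"] is not None:
        if "\\" not in entry["target"]:
            reasons.append("bare-name")       # autorun without a full path
        if USER_WRITABLE.search(entry["target"]):
            reasons.append("user-writable-path")
    return reasons

def review(lines):
    """Map each flagged line to its labels; unflagged lines are omitted."""
    flagged = {}
    for line in lines:
        entry = parse(line)
        reasons = triage(entry) if entry else []
        if reasons:
            flagged[line] = reasons
    return flagged

if __name__ == "__main__":
    for line, reasons in review(HJT_LINES).items():
        print(", ".join(reasons), "->", line)
```

The O23 service entry passes all three checks because it sits in system32, so an unflagged line still needs a human decision.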

 
Well, I did what you said, but the stupid system alert popup is still there.

BTW, I don't know if this means anything, but the whole time I was in safe mode, the system alert popup continued to flash.
 
Your HJT log is now clean.

Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

Attach the Autoruns log here.

Regards Howard :)

 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply. Let me know if you're still having problems.

Regards Howard :)

 
Well, before I use that, I would just like to let you know that I stopped the system alert popup. After reading your other posts about the subject to other users, I found that in most cases you asked them to eliminate a file called geplxss.dll with Killbox; so I did that and it stopped. However, I will proceed with your last instruction because I'm mostly sure there were other parts, and let's be honest, you know a ton more about computers than I do.
 
If you've already killed that file with Killbox, there's no need to try and kill it again with Avenger. That file was the source of your problems.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
I can finally get back to my normal computer life now! Thank you so much for your help :D I guess I should start deleting all these random programs I downloaded to clean my computer.

I just tried to add/remove program system alert popup, because although it was gone from the taskbar, the thing was still in the add/remove programs; all of a sudden, Spydawn popped up again and it saw that I've been reinfected! Why can't I kill this wretched virus??!!

OK, so I've uninstalled Spydawn, and avenged system alert popup.
 
Run the Ccleaner programme as per the instructions in this thread HERE.

With the Ccleaner programme still open, click on Tools. In the list of installed programmes, highlight the system alert popup and click the delete entry button and click ok when prompted. Close Ccleaner and reboot your system.

Post a fresh Autoruns log.

Regards Howard :)

 
I'd still like to see a fresh Autoruns log. That's because the Ccleaner programme only removes the entry in add remove programmes and not the infection itself.

You should also go HERE and follow the instructions for removing Spydawn.

Regards Howard :)

 