Removing fake BSOD virus


I have laptop with 1 possibly 2 'viruses'

1. Fake BSOD. which you can see attached
2. Balloon pop-up which shows the same phone number as BSOD, saying the PC is going to be rebooted to prevent loss of financial data. You can see at the bottom of the picture a 'log off cancelled' balloon, this is a scheduled task which I have created to run 'shutdown -a' every 5 minutes to stop the reboots.

I have run several AV programs, Malwarebytes, Adwcleaner. although these have cleared other viruses on the PC it has not cleared these two.

Any ideas warmly welcomed,
Gareth McKeeCEO/OwnerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
Try one of the major online scanners (be SURE to use their site). Symantec, Kaspersky, McAfee, Bit Defender.

Also get TDS Killer (Kaspersky) to check for root kit viruses.
Gareth McKeeCEO/OwnerAuthor Commented:
Hi John,

I have tried Kasp, F-Secure and Sophos, along with Sophos stand alone virus removal tool

I will give TDS a go and get back to you soonest,

thanks for the ideas
JohnBusiness Consultant (Owner)Commented:
Is it popping up?

Download, install and run Process Explorer from Microsoft (legitimate tool). Look on the left side for Explorer. Are there any strange (alphanumeric) processes running?  If so, kill the process, exit and do NOT restart. Run Malwarebytes again and allow it to remove the malware.

Also, start in Safe Mode and run Malwarebytes in Safe Mode.
SolarWinds® Network Configuration Manager (NCM)

SolarWinds® Network Configuration Manager brings structure and peace of mind to configuration management. Bulk config deployment, automatic backups, change detection, vulnerability assessments, and config change templates reduce the time needed for repetitive tasks.

Gareth McKeeCEO/OwnerAuthor Commented:
hi John

for completeness I have also uploaded a pic of the balloon message.

I have already completed the Safe Mode run throughs.

Nothing from the TDS killer from Kaspersky, that is nothing found.

I will give Process Explorer a go.
again, thanks for the input.
Gareth McKeeCEO/OwnerAuthor Commented:

'Is it popping up"

the BSOD appears after about 5 minutes of being booted up and then remains, it is always over the top of everything except Task Manager. It is possible to move it.

the balloon message pops up at random time intervals, the shutdown -a sched task is keeping this from actually rebooting the pc at the moment.

JohnBusiness Consultant (Owner)Commented:
So it is a task (process) that is running (which is why I suggested Process Explorer. Also look in Task Scheduler (although not likely there). Look through Process Explorer for suspect processes.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Gareth McKeeCEO/OwnerAuthor Commented:
Process explorer, a kill of DV.exe made it disappear, I am currently rebooting to get a better look.
Gareth McKeeCEO/OwnerAuthor Commented:
JohnBusiness Consultant (Owner)Commented:
As noted above, kill the task, quit, do NOT restart and run Malwarebytes again. This allows Malwarebytes to get rid of it when not running.
Gareth McKeeCEO/OwnerAuthor Commented:
DOH - I will do that this time
web_trackerComputer Service TechnicianCommented:
Try the JRT (junk removal tool), Rkill, and Rogue killer, these tools I use often as part of my virus removal tools. They are portable apps that do not install but run from the exe file.
1. Log in safe mode and run malwarebytes.
2. Open msconfig (start>Run >type msconfig ) remove all suspicious start up items and services (check hide microsoft services).
3. Remove suspicious software from add/remove programs (check date installed to match with the incident )
4. Restart
JohnBusiness Consultant (Owner)Commented:
@gareth629 - You identified the problem with Process Explorer. Were you able to remove it?
Gareth McKeeCEO/OwnerAuthor Commented:
Thanks John, you were very helpful.

From Process Explorer I was able to find the program and the reg key which starts it, I have deleted both manually and now all is good.

Thank you
JohnBusiness Consultant (Owner)Commented:
@gareth629 - Thanks for the update and I was happy to help.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.