How to Remove the "Warning: Spyware threat has been detected on your PC" Virus
Written by: zero1 • Edited by: Rebecca Scudder • Updated: 10/21/2010
If your desktop background has changed to something that contains a "Warning: Spyware threat has been detected on your PC." message, then your computer is infected by a virus. Read on to learn how to remove this virus and the system changes it made.
The virus that displays the message "Warning: Spyware threat has been detected on your PC." is known as Renos, FakeAV, or FakeAlert to some antivirus vendors. This virus is similar to SmitFraud in that it infects computers via adware or a fake codec without the user's consent and changes the desktop background. Unlike SmitFraud, it does not infect DLL files, which makes this virus somewhat easier to remove.
Signs of Infection
Signs of infection include a modified desktop background showing the complete message:
Warning: Spyware threat has been detected on your PC.
Your computer has several fatal errors due to spyware activity.
It is strongly recommended to install an antispyware software to close all security vulnerabilities.
Antispyware software helps protect your PC against spyware and other security threats.
CLICK HERE TO SCAN YOUR PC FOR SPYWARE
And here's the screenshot:
The "CLICK HERE TO SCAN YOUR PC FOR SPYWARE" text is a hyperlink that points to a URL that downloads a rogue antispyware program.
Some security forum members reported that some variants of this virus take you to:
An application window named "Windows Security Center system" that shows a warning.
A fake Windows Security Center message suggesting that you visit the malware's website.
It also creates dummy folders in the Program Files directory with the following names:
It drops a non-executable file in those folders using an executable EXE extension. It creates these dummy files to make it look like it is actually detecting malware, when in fact the files it reports are generated by the same fake antivirus.
It drops a copy of itself in the Windows System32 directory. One of the many names it uses is mgmrwmrv.exe.
Additional behavior: Internet Explorer keeps opening and accessing its malicious URL, and Task Manager is disabled.
Step 1: Finding the Malware's Executable
We need to know what executable name the malware is using. The virus adds its autostart routine to Userinit so that it starts automatically every time the current user account logs in. With this first clue, open regedit by clicking Start > Run and typing regedit in the input box.
At this stage, the virus executable has already been stopped from running on the computer.
Some of the virus' dummy folders are located in the Program Files directory and should be deleted:
The virus also dropped dummy EXE and DLL files with generated filenames in the Windows and System32 folders. Some of the dummy files that were generated are the following:
The dummy files pose no harm to the system, and I suggest not deleting any files based on suspicion alone.
So that's it! We've removed the virus that modified your desktop wallpaper with a fake warning sign. We were able to restore Task Manager via the registry and are now able to personalize our wallpaper. We've also learned how this virus modified the registry to allow itself to run at every startup and how we fixed that.
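The two registry changes described in this article can be checked with a short read-only PowerShell audit. This is an added example, not part of the original article: the function name `Get-UserinitExtras` is hypothetical, the sample value is constructed from the file name quoted above, and `DisableTaskMgr` is the standard Windows policy value for disabling Task Manager (the article does not say which value this malware set).

```powershell
# Added example (not from the original article): read-only audit, changes nothing.
# Assumption: the default Userinit value is "<SystemRoot>\system32\userinit.exe,".

function Get-UserinitExtras {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Userinit is a comma-separated list; Winlogon starts every entry at logon,
    # so anything besides userinit.exe is an autostart that needs explaining.
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
    $Value.Split(',') |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
        Where-Object { $_ -and ($_ -ne $expected) }   # -ne ignores case
}

# Constructed sample: default entry plus the dropped file name quoted in the article.
$sample = "$env:SystemRoot\system32\userinit.exe,$env:SystemRoot\system32\mgmrwmrv.exe"
Write-Output "Sample value flags: $(Get-UserinitExtras -Value $sample)"

# Live check of the Winlogon Userinit value on this machine.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
Write-Output "Userinit = $userinit"

$extras = @(Get-UserinitExtras -Value $userinit)
if ($extras.Count -eq 0) {
    Write-Output 'Userinit contains only the default userinit.exe entry.'
} else {
    foreach ($path in $extras) {
        $exists = Test-Path -LiteralPath $path
        Write-Warning "Review Userinit entry: $path (file exists: $exists)"
    }
}

# Task Manager is blocked when DisableTaskMgr = 1 in either policy key.
$policyKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($key in $policyKeys) {
    $policy = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($policy -and $policy.DisableTaskMgr -eq 1) {
        Write-Warning "Task Manager is disabled: DisableTaskMgr = 1 under $key"
    }
}
```

A flagged Userinit entry is a prompt for review, not proof of infection; some legitimate software also appends itself to this value.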