Virus: Teebik (Many Queens)

I was working along in Windows 7, minding my own business, when suddenly I found myself accosted by numerous beautiful cartoon women.


This was a separate window running under Google Chrome, which I had open at the time.  The URL said “”  There was a Chrome message bar under the address bar saying, “This page is in Chinese (Simplified Han).  Would you like to translate it?”

When I clicked on the X at the top right corner of the screen, to close that window, I got this message:

Confirm Navigation

The Hottest MMORPG!!
Play free!!
No Downloads Necessary

Are you sure you want to leave this page?

I was sure.  In fact, I was sure that I did not want this page to come back.  I went to Control Panel > Programs and Features and scanned the list of installed programs, in vain, looking for “teebik” and “lp” and “many queens.”  There did not seem to be a program obviously responsible for this unwanted pop-up.  I wasn’t sure how I had gotten it, but when I clicked on the “Installed On” column, there in Programs and Features, I saw that Freemake Video Downloader was one of the recent installations; and compared to the others (e.g., Acronis True Image; Adobe Acrobat), it was the most likely suspect.  Then again, I had used Freemake previously without this problem, so I could not be certain that it really was the culprit.  Possibly, while installing Freemake or some other program, I had failed to notice one of those pesky checkboxes telling me that I was just about to install some kind of crapware.

Reviewing the message (above), this was my occasion to learn that MMORPG was short for “massively multiplayer online role-playing game.”  I was not sure why that Chrome message bar was telling me that the page was in Han Chinese; the few visible words were in English.  But the Asian style of music playing gently along, and that message, suggested that the program probably had been written by some Chinese person(s); and since I rarely had much need for Chinese programs, it seemed that I might have acquired a virus.

So I ran a scan with Malwarebytes’ Anti-Malware.  Unfortunately, it turned up nothing.  I was using Malwarebytes as a back-up to my regular AVG antivirus; it, too, did not seem to have noticed anything amiss.  A Google search for teebik (above) yielded the impression that Teebik might be a legitimate marketer of various apps.

One site echoed my sense that various downloading and conversion freeware could bring this virus onto one’s machine.  That site recommended using AdwCleaner to remove the Teebik virus.  That was one possible approach; but since I hadn’t heard of AdwCleaner and was not too eager to replace one virus with another, I thought I’d hold off on that approach for the moment.

Another site likewise recommended AdwCleaner, after uninstalling the program responsible for the infection.  That site listed a few other programs that might have been responsible.  None of these seemed to apply to me.  This site also recommended resetting all options on Internet Explorer and Firefox, which did not presently seem to have been infected; all I was seeing was this one Chrome popup.  I didn’t want to spend the time to reconfigure all my browsers, so I decided to hold off on that approach too.  That site also recommended removing unfamiliar extensions from Chrome, so I went into Chrome’s Tools > Extensions and took a look, but I saw no unfamiliar extensions.

While I was there, I hit Ctrl-H to bring up the recent history of my Chrome browsing.  (I think that would bring up Chrome’s history in any case; I was not sure whether functionality here might be affected by my installation of the Recent History extension.)  The list of recently visited webpages included and  I right-clicked on those, hoping for an option to block them, but no such luck.  My list of installed Chrome extensions included Search Engine Blacklist.  In Chrome’s list of installed extensions, I went into that extension’s Options and added those two URLs.  They both defaulted to simply “,” so I deleted the extra one.  That did not seem to have any effect on the popup, which was still tinkling happily along, but possibly it would at least impair further infection or intrusion.

Refreshingly, a different site did not call for the use of AdwCleaner.  Instead, it recommended that I reboot into Safe Mode with Networking (i.e., F8 during bootup).  There, it advised me to use Windows Task Manager (Ctrl-Alt-Del) to kill the process.  I was not too sure of that step:  my use of Task Manager in Normal Mode had indicated merely that this Teebik thing was one of many open Chrome sessions (presumably one for each open tab).  In Task Manager, I had gone to the Applications tab, right-clicked on lp_many_queens_sound, and there I had chosen Go to Process.  The specific Chrome entry highlighted there, in the Processes tab in Task Manager, was taking about 128MB of RAM.  In this regard it stood out from most of the others.  I was curious as to whether that one Task Manager entry was indeed the right one, so I clicked on the End Process button.  I was not sure what to conclude from the results:  the Teebik popup vanished, but so did the rest of Chrome.

I was not sure which of the foregoing measures had made any difference, but it appeared that something had.  Four days later, the Teebik popup had not returned.  I decided to make note of several additional webpages I had opened for advice, in case it became necessary to return to this issue later.  Those sites were,,,, and the site mentioned in the previous paragraph.  For now, at least, this issue appeared to be resolved. A later post offers a workaround that may also be useful in some cases.


4 Responses to Virus: Teebik (Many Queens)

  1. Shrinivas says:


    Similar problem occurred to me in last 3 days. Whenever I visited a site name this lp, many queens appeared from nowhere. So I reduced using that site. Other sites do not give this issue.

  2. dm says:

    Thanks for writing this up, it was useful to me, as I was having the same issue.

  3. Grace amenda says:

    How do I just recognise the virus location
