Problem with icon in sytem tray

TonyR

I share a desktop computer running Windows XP Home Edition with my stepson.

He has just gone off on a 4 week holiday and I find an unwanted icon in the
system tray which flashes alternately a red shield with a cross and a blue
circle with a question mark.

Periodically it issues a message balloon with a message saying 'System
Alert - system has detected spyware on this computer. Click this message to go
to a site where you can download antispyware software'

(This is not the exact wording but it is something to this effect).

If I click the balloon, my NOD32 antivirus system prevents
Internet Explorer going to the site with a message that this site is known
to be dangerous. I have carried out a spyware scan using Spybot and it found
zlob.downloader.vdt (4 entries all in registry) and win.32.bho (2 entries
both in registry). Spybot says that it has cleaned these out. I have also run
a virus scan with NOD32 and it reports nothing found.

Clicking the 'customize notifications' from taskbar properties, shows an
entry for this icon but no title.

Can anyone tell me what this nuisance is and where it comes from and, more
importantly, how can I get rid of it?

Many Thanks
TonyR
 
Malke

TonyR said:
I share a desktop computer running Windows XP Home Edition with my
stepson.

He has just gone off on a 4 week holiday and I find an unwanted icon in
the system tray which flashes alternately a red shield with a cross and a
blue circle with a question mark.

Periodically it issues a message balloon with a message saying 'System
Alert - system has detected spyware on this computer. Click this message to
go to a site where you can download antispyware software'

(This is not the exact wording but it is something to this effect).

If I click the balloon, my NOD32 antivirus system prevents
Internet Explorer going to the site with a message that this site is known
to be dangerous. I have carried out a spyware scan using Spybot and it
found zlob.downloader.vdt (4 entries all in registry) and win.32.bho (2
entries both in registry). Spybot says that it has cleaned these out. I
have also run a virus scan with NOD32 and it reports nothing found.

Your system is infected with a rogue antivirus program. It is called "rogue"
because it pretends to be A Good Guy but is really Evil. Do not pay them!
Since you didn't mention the name of the program that is trying to get you
to buy it, I can't point you to specific removal steps. Look for those
removal steps here:

Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html

These may work for you and all may be well. However, in many cases the
computer will also be infected with Zlob and/or Vundo trojans and protected
by a rootkit. These machines are extremely difficult to clean.

If your machine is one of these cases, either get guided help at one of the
specialty forums below OR back up your data and do a clean install of
Windows. It is your choice. If you are unsure how to back up your data or
how to do a clean install, you can take your machine to a local computer
professional. I don't recommend using BigComputerStore/GeekSquad types of
places.

PLEASE DO NOT POST LOGS IN THE MS NEWSGROUPS.

http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/

Malke
 
Malke

TonyR said:
The url of the site concerned (the site which the message balloon tries to
go) is xxx.antispycheck.xxx/?aid1012

Please do not post unmunged malicious URLs! If you must post malicious URLs
(and there was no reason to do so in your case since you could have just
posted the *name* of the rogue software), then "x" out the www. and
the .com.

So do as I suggested and go to the BleepingComputer tutorials and look for
the rogue software's name. Etc.

Malke
 
