I have a flashing icon on my tray. It's a free download to get rid of spyware etc. No matter what I do it will not close nor can it be deleted. I need help with this to get rid of this SPYLOCKED program. I do believe it is spyware that is embedded within my system. Please help. Thanks
Here is how we like to begin our analysis of your pc:
For starters, if you do not have them yet, please DL and run AdAware & Spybot Search & Destroy. AdAware and Spybot Search & Destroy are 2 of the most trusted apps in the security area. They are both free, complement each other nicely, and do not use a lot of resources. They can be found here:
With AdAware and Spybot: DL, follow the install instructions, check for updates, then scan, repair/remove/quarantine anything found. Reboot before the next scan with whichever app is next. The reason for running these apps is to clean up some of the other 'crapware' on your pc, which, in turn, will make deciphering your HJT log easier.
Then we use HiJackThis v1.99.1
Please download HijackThis! SetUp from here. Save the file to your desktop.
Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of: 'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select next, then allow HijackThis! to start.
Then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and notepad will open up with the contents of the scan. Right-click in the saved log, and select 'copy'. Then proceed to your original thread, unless otherwise instructed and click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.
Logfile of HijackThis v1.99.1
Scan saved at 7:09:32 PM, on 4/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
OK, I'm not seeing anything obvious, but let's run the first part of SmithFraud Fix and see what it finds.
Please download SmitfraudFix (by S!Ri). Save it to your desktop.
Double-click the Smithfraud.exe and it will install a new folder to your desktop, called SmithFraudFix. Shortly after that a dos command window will appear. Once it opens, hit any key to continue.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore you may get an alert.
No need for a new HJT log, just the results from the SmithFraud tool.
SmitFraudFix v2.171
Scan done at 9:13:57.63, Wed 04/25/2007
Run from C:\Documents and Settings\Administrator.COMPUTER\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please follow the instructions exactly in the order listed; this is very important!
Please download, install, and update the free version of AVG Anti-Spyware 7.5. Save the file to your desktop.
Double-click the file and select your language.
Follow the prompts to install. The application will add three start ups to your system, be sure and allow them if you have any real time monitoring of your system.
Once install has completed, run the program.
Be sure the two options are enabled:
Resident shield
Automatic updates
From the main AVG 'Status' screen, click the update now link; the update should begin automatically. If not, then hit the [Manual Update] button to begin updating.
After the update finishes, the status bar will display "Update successful"
Click the 'Scanner' tab, and select the 'Settings' tab.
Under 'How to act?' click 'Recommended actions' and select 'Quarantine'
Under 'Reports' be sure to tick the radio button for 'Automatically generate report after each scan' and un-tick the 'Only if threats were found' box.
Exit AVG. DO NOT run a scan yet.
Reboot into Safe Mode this way:
Turn on the computer
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
AFTER SmitfraudFix finishes (and after a reboot if required), please open AVG. (If a reboot is required, please boot BACK into Safe Mode.)
Click on Scanner
Click on Complete System Scan and the scan will begin.
When the scan is finished, click the [Save report] button at the bottom of the screen.
Then hit the [Save report as] button.
Save the report to your desktop.
Click the 'Scanner' tab again and then click the [Apply all actions] button.
Close AVG
Then please restart it into Normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the AVG report and a new HijackThis log. (please edit out all 'cookies', 'Recycler folder' and 'restore\system volume folder' references from the AVG log)
I TRIED TO D/L THIS SOFTWARE AS YOU INSTRUCTED BUT IT WOULD NOT ALLOW IT. THE ERROR MESSAGE SAID IT COULD NOT WRITE TO DISK ERROR. NOW WHAT THANKS
OK, there looks to be something odd there, let's get a startup list with HJT.
Open HJT, click the [None of the above, just start the program] button.
Then click the [Config] button in the lower right hand of the program.
Then select the [Misc Tools] button.
In the upper left hand side of the program, tick the two boxes [List also minor sections (full)] and [List empty sections (complete)], then hit the [Generate StartupList log] button and select 'Yes' when prompted by the dialog box. The resultant scan will produce a Notepad log file; please paste that log file back here for me to review.
StartupList report, 4/26/2007, 9:23:51 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present
- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd
End of report, 29,713 bytes
Report generated in 1.933 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
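As an added example (not part of the original thread or of HijackThis), here is a small Python parser for the Load/Run lines of the StartupList report above. It separates absent and empty autostart values from populated ones, which are the only ones a reviewer needs to read; the final sample line is constructed and its DLL path is hypothetical.

```python
import re
from typing import List, NamedTuple

class AutostartValue(NamedTuple):
    hive: str    # HKLM or HKCU
    key: str     # abbreviated key path, as StartupList prints it
    name: str    # value name, e.g. load, run, AppInit_DLLs
    state: str   # "absent", "empty" or "populated"
    data: str    # value data, '' unless populated

# "<hive>\<key>: <name>=<data>", the shape of the Load/Run lines in the report
LINE_RE = re.compile(r"^(HKLM|HKCU)\\(.+?): (\w+)=(.*)$")
# StartupList's marker for a key or value that does not exist
ABSENT_RE = re.compile(r"^\*(?:Registry|INI) .* not found\*$")

def parse_load_run(report: str) -> List[AutostartValue]:
    """Return one entry per Load/Run registry line; other lines are skipped."""
    entries = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        hive, key, name, data = m.groups()
        data = data.strip()
        if ABSENT_RE.match(data):
            state, data = "absent", ""
        elif not data:
            state = "empty"
        else:
            state = "populated"
        entries.append(AutostartValue(hive, key, name, state, data))
    return entries

def needs_review(entries: List[AutostartValue]) -> List[AutostartValue]:
    """Only populated values can start anything, so only those are returned."""
    return [e for e in entries if e.state == "populated"]

# Lines copied from the report in this thread.
PAGE_LINES = r"""
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
C:\WINNT\System32\Explorer.exe: not present
"""
# Constructed line (not from the thread); the DLL path is hypothetical.
CONSTRUCTED_LINE = (r"HKLM\..\Windows NT\CurrentVersion\Windows: "
                    r"AppInit_DLLs=C:\WINNT\system32\example.dll")

if __name__ == "__main__":
    for e in needs_review(parse_load_run(PAGE_LINES + CONSTRUCTED_LINE)):
        print(f"review {e.hive}\\{e.key} {e.name} -> {e.data}")
```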
Could you please upload the following file to http://www.uploadmalware.com/
C:\WINNT\system32\Proxy.exe <<<-- this file
Add a link to this thread and in the 'Note' section, type in 'for Andy' please.
You can use your forum user name if you like.
Now we can kill that service and delete the file once it is submitted.
Go to: Start > Run > type " services.msc ", then click OK
When the Services window appears, scroll down to the Remote Procedure Call (RPC) Manager service. Be sure to highlight the right one; there are a couple of other Remote Procedure Call services that are legit.
Click it to highlight it, then right-click and select Properties. Set the "Service Status" option to "Stop". Select "Startup type" and set it to "Disabled", click Apply, then OK.
Then try to download the AVG app again. Let me know how that goes.
I TRIED TO D/L AVG AND IT DID BUT WHEN I TRIED TO RUN THE PROGRAM THIS MESSAGE BOX CAME UP---NSIS ERROR--THE INSTALLER YOU ARE TRYING TO USE IS CORRUPT OR INCOMPLETE. THIS COULD BE A RESULT OF DAMAGED DISK A FAILED D/L OR VIRUS. PLEASE HELP. I'M TRYING HERE TO GET RID OF THIS FLASHING ICON ON MY DESKTOP. I APPRECIATE ALL OF THE DIAGNOSIS AND HELP BUT ALL I WANT TO DO IS GET RID OF THIS FLASHING ICON. THANKS. I AWAIT YOUR RESPONSE.
You may need to disable your Norton anti-spyware to download the tool. Try that and then run it, let me know how it goes.
If you need, try and find a friend's or neighbor's computer to download the installer, then stick it on your pc to install it.
I DON'T HAVE NORTON ANTI-SPY... I HAVE TRIED TO D/L THIS PROGRAM AGAIN..IT TELLS ME WHEN I RUN IT THAT IT IS CORRUPTED..IS THERE ANOTHER PROGRAM THAT I CAN USE TO CONTINUE MY ENDEAVOR..TO CORRECT THIS PROBLEM...THANKS
Sorry for that, I didn't realize this was yelling, Geri.....but I am at the end of my rope. I just want to get this out of my system so it won't be so distracting. Can you help me perhaps..or do you have any ideas maybe. Temerc is very smart and very helpful, I just wish to get this taken care of..Again I'm truly sorry. Thanks Sally