Virus I can't get rid of

I have no idea how or where I got this from, but I have this question mark and a circle with a line through it, like you would have in a no smoking sign let's say, in my system tray.

I clicked on it and it takes me to a “security center” message saying I have a virus and to BUY their software to clean it. It takes me to www.spyblocker.com

I don’t want to buy, and I can't seem to get rid of this blinking icon in my system tray or the software associated with it. It had an uninstall program in my control panel which I ran, but it's still there even though it's no longer showing in Add/Remove Programs.

I’m also unable to right click the icon to see what directly or where the target is.

I ran avast on boot up; it found some infected files in recovery and deleted them. But this thing it doesn’t seem to notice or get rid of.

HELP!
Thanks in advance,
Snow

Malicious rogue anti-spyware.

A new tool RogueRemover, available here http://www.malwarebytes.org/rogueremover.php, download and try this.

Thanks for your quick reply. Trying it now… Will report back.

Snow

Downloaded and ran it, rebooted but the bugger is still there.
Any other suggestions?

There is probably a run command to activate this. Something you can do quickly is: Windows Start button, Run, type msconfig and click OK. Select the Startup tab and check what is there; report anything you are unsure of or post a screenshot of it.

If that isn’t obvious then it would be best to download this tool, HijackThis, and read the first tutorial on how to set it up and run it in order to produce a log file.

Program & Tutorial - Also useful as a diagnostic tool - Download HiJackThis.zip. HJT has now been sold to Trend Micro Inc., but the 1.99.1 version should still be available here or at one of the download sites. - HJT Information: HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3

Post the contents of a HJT log and we will try to pin down what is starting it.

Ok, here is the log I got from HijackThis.

Thanks so much for your time!
Snow

It would have been easier had you pasted the contents of the log as suggested; that way people don’t have to download and open it to see the contents.

So I will do it here:
Logfile of HijackThis v1.99.1
Scan saved at 6:21:28 PM, on 4/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\The Crows\Application Data\Microsoft\Internet Explorer\Quick Launch\msimn.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\THECRO~1\LOCALS~1\Temp\Rar$EX00.360\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: YELLOWPAGES.com Toolbar - {4E7BD74F-2B8D-469E-85A6-FD7CA39AB631} - C:\PROGRA~1\YELLOW~1\YELLOW~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: YELLOWPAGES.com Toolbar - {4E7BD74F-2B8D-469E-85A6-FD7CA39AB631} - C:\PROGRA~1\YELLOW~1\YELLOW~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [CursorXP] “C:\Program Files\CursorXP\CursorXP.exe” -s
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra ‘Tools’ menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider ‘smnsp.dll’ missing
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

What is your firewall, as it would appear you don’t have an active firewall?

The MyWebSearch is of a dubious nature:
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU

Other than that I don’t see anything obvious.

Do you have an Intel graphics card or chip (motherboard with integrated graphics), as this file is associated with that?
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
Though why it is a Winlogon Notify is beyond me, and I feel you should have this file scanned.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 32 different scanners. Post the results here if anything is detected.

Or Jotti - Multi engine on-line virus scanner; if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest; you will need to move it out.

Did you have CounterSpy installed, as this ‘missing’ file is associated with that? Since the file is missing, the entry should be fixed.
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

These O20 - Winlogon Notify: entries can be used by some malicious programs purporting to be legit entries, often associated with these fake security warnings.
Here are the cleansing instructions for Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html. A log should be produced; post the ‘contents’ here.

Below is an example of a Vundo infection, though there are many different filenames.

O2 - BHO: (no name) - {EFCB1D95-FFF6-47BB-B6C9-61A523F04322} - C:\WINDOWS\system32\vturr.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll

Hi Snow,

Have you tried looking in Start>Control Panel>Add/Remove Programs for Spyblocker or any other scam anti-spyware programs?

I have found Spybot Search & Destroy effective in removing these scam programs:

http://www.safer-networking.org/

AVG Anti-Spyware and Ad-Aware are two more free scanners you should run:

http://free.grisoft.com/doc/avg-anti-spyware-free/lng/us/tpl/v5

http://www.download.com/3000-2144-10045910.html

As David said, there’s nothing obviously malicious in your HijackThis! log, so it might be worth looking for hidden programs (rootkits) with these scanners:

http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5

http://fileforum.betanews.com/detail/Panda_AntiRootkit/1168278229/1

(If you do find and remove any rootkits, run all your previous scans again: avast!, Spybot, AVG etc., because once a rootkit is removed, the malware it was hiding will become visible to these scanners.)

Hi Snow:

I doubt you have a "virus", but something more serious. Spent some time on a "Google Search" and it appears "Spyblocker" (small "b") is a rogue product using the "name" of the legitimate "SpyBlocker" (capital "B") and/or a component of the legitimate "SpySweeper" program !?

The HijackThis program you have appears to be residing in a "Temporary" folder; a no-no. It might be easier to uninstall the HijackThis you have, then download it from www.thespykiller.co.uk/files/HJTsetup.exe .

At the download prompt, choose “Save”.
Navigate to the saved file and double-click the installer, HJTsetup.exe.
HijackThis will be installed on your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.

And nowadays some Malware "hide" from detection of "HijackThis" and many Malware Experts recommend "renaming" "HijackThis" to something like "hijackthat", etc.

Since this seems to be a relatively new piece of malware, perhaps it would be best if you got the assistance of an experienced, trained, volunteer Malware "Expert", like "MrCharlie" on the Spyware Beware Forums at http://forums.maddoktor2.com/index.php?s=175e569a3f1f23976f85d6f0675af6fc&showforum=17 !?

Hiya

Thanks everyone,

I ended up cleaning out just about everything that I absolutely did not need.
Then I reinstalled and ran the program David suggested before I did the hijack thing.
WAHLAH, mysteriously, it seems to be gone. Well…the icon is gone.

My computer is still running slower than the norm.
Since I have 2 drives, one with all my data and one with programs, I’m going to format my programs hard drive and boot from the 2nd (data) one, which also has Windows running on it, then reinstall Windows clean and my necessary programs.

Thank God I have a laptop I can use in the meantime.

I REALLY REALLY appreciate all the time you guys took with me and how quickly you responded. I did not panic because you all made me feel confident that it would be found and taken care of.

I think it was taken care of by David’s first solution AND uninstalling a bunch of crap and running it again. But I think it had already caused some damage, so I’m gonna clean it all up.

Thanks again I really appreciate your help and your time, all of you.

Snow

RogueRemover is updated regularly. I suspect a new definition was added in the time between uninstalling and reinstalling the product.

Ah ok, well that makes sense.

Meanwhile, I had 2 Excel files I’ve been working on for weeks, had them saved on my desktop… they’re gone. Did a search, gone. Zippo. I think when I ran the virus check originally, I left it running over night and put the option to delete any infected files. Gone… aaahhhh.

I’m not gonna panic… I’m still searching…
But I think I’m in… denial mode.