
Red circle with white cross in taskbar tray - saying 'Your computer is infected'

 


Question:

My computer was infected a while ago with Spysheriff and I got rid of it. But I discovered a red circle with a white cross in my taskbar. When I move my mouse over it, it says 'Your computer is infected':


Answer:

This one is easy to get rid of.
  1. Open the task manager (press Control+Alt+Del)
  2. Select Processes and look for a process named 13242.exe or similar (a pattern of numbers) and kill this process.
    Look for a process named Archive.exe and kill it as well.
    Note that the name of this other program may be different in your case - a known other name is tool2.exe .

  3. Search your hard disk for the file name 13242.exe (or whatever number it may have been in your case). In my case this was in:
    \Documents and Settings\user1\Lokale Einstellungen\Temp
    Other users reported finding these files in c:\Windows.

    As you can see in the screenshot, I found a LOT of executable files there, most of them of length 0. I could not delete those files until I had killed the process 'Archive.exe'.

    The file archive.exe was entered as an auto-start in the registry here:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    I deleted the file Archive.exe from C:\Program Files\Archive:

     Directory of C:\Program Files\Archive
    
    11/24/2004  04:21p      <DIR>          .
    11/24/2004  04:21p      <DIR>          ..
    11/24/2004  04:21p             106,496 archive.exe
                   1 File(s)        106,496 bytes
                   2 Dir(s)   3,235,689,984 bytes free
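
The three manual checks from the answer (digit-named processes, stray executables in Temp or C:\Windows, and the Run key) as a read-only PowerShell listing. This is an added example, not part of the original FAQ; it assumes PowerShell 3.0 or later, and the variable names and the "Review" column are illustrative.

```powershell
# Read-only triage of the places the answer checks. Nothing is killed or deleted.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # key named in the answer
$digits = '^\d+$'                 # 13242.exe style: the name consists of digits only
$named  = 'archive', 'tool2'      # other process names reported in the answer

# 1. Running processes with a digit-only or reported name (ProcessName has no ".exe").
$procs = @(Get-Process |
    Where-Object { $_.ProcessName -match $digits -or $named -contains $_.ProcessName } |
    Select-Object Id, ProcessName, Path)

# 2. Executables directly in the current user's Temp directory and in the Windows
#    directory that are zero-length or have a digit-only name.
$files = @(foreach ($dir in $env:TEMP, $env:windir) {
    Get-ChildItem -Path $dir -Filter *.exe -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq 0 -or $_.BaseName -match $digits } |
        Select-Object FullName, Length, LastWriteTime
})

# File names to look for inside the auto-start command lines.
$needles = @($procs | ForEach-Object { $_.ProcessName + '.exe' }) +
           @($files | ForEach-Object { Split-Path $_.FullName -Leaf }) +
           @($named | ForEach-Object { $_ + '.exe' })

# 3. Every value under the Run key; Review is True when the command line
#    mentions one of the file names collected above.
$key = Get-Item -Path $runKey
$autostart = foreach ($name in $key.GetValueNames()) {
    $cmd  = [string]$key.GetValue($name)
    $hits = @($needles | Where-Object {
        $cmd.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
    [pscustomobject]@{ Name = $name; Command = $cmd; Review = ($hits.Count -gt 0) }
}

$procs     | Format-Table -AutoSize
$files     | Format-Table -AutoSize
$autostart | Format-Table -AutoSize -Wrap
```

A process that reappears after being ended, as several commenters describe, shows up here as a Run entry with Review set to True or as a second flagged process, which is the thing to stop first.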
    



Comments:

2006-01-05, 22:30:03
anonymous from United States  
Can you help me please? I have the same problem and it keeps re-installing antispyware!!! It's soooooooo fucking annoying!!! I have Windows XP
2006-01-05, 23:40:27
anonymous from United States  
just reboot your computer dude
2006-01-06, 10:00:39
anonymous from Canada  
I do not have any of those in my processes... other ways to identify?
2006-01-08, 11:20:12
anonymous from Indonesia  
I also have the same problem just today, and I cannot find any of the files mentioned above. But then again I'm not sure what kind of ad/spyware is infecting my PC, but it does leave the same sign. Can anyone tell me what to do??
2006-01-09, 17:08:33
dennis26miles@msn.com from United States  
I have something new with our friendly spysheriff. It has made a large sale sheet my homepage. I got rid of everything so that it is gone from my regedit, and add/remove -- but it has:

1. a balloon in my lower left hand corner says: 'Intrusion etc. blah, blah and click' -- of course a click infects

2. In the ctrl-alt-del there is a process labeled atlyd32.exe -- when I end it, it ends -- and guess what -- it recreates itself and goes back in the processes automatically

3. when I find atlyd32 in the registry I cannot delete it as it is running -- and I cannot stop it from running.

How do we get rid of atlyd32?

Better, can we send the address of spysheriff to the Patriot Act committee to be put permanently in Gitmo

help!!!!!!!!
2006-01-09, 17:30:22
anonymous from United States  
Dennis:

There must be another process running that restarts atlyd32.exe.

It is also possible that the trojan (ATLYD32.EXE) gets invoked each time you start up ANY program. Read this document to get rid of this hook:

http://www.delphifa..013.shtml

It has a downloadable script that will remove those hooks in the registry, or you can do it manually. Afterwards you should delete that file - atlyd32.exe will be either in

C:\WINDOWS\atlyd32.exe or in
C:\WINDOWS\SYSTEM32\atlyd32.exe
2006-01-10, 03:08:59
NPK from Nepal  
Please tell me, are the files x.exe, tool2.exe, tool3.exe, tool4.exe, tool5.exe also the reasons for the message? Are these files created by secure32 or spysheriff???
2006-01-11, 02:16:11
vi from Australia  
I have the exact same problem but I can't find 13242.exe or archive.exe in my processes. I've got tool2.exe and I've deleted it over and over again, but it keeps happening.
2006-01-18, 08:34:09
[hidden] from United Kingdom  
I could not find the files you mentioned
2006-01-18, 10:07:52
anonymous from United Kingdom  
Great help, kept going and finally got rid of all except small red circle with white cross, as cannot find the files mentioned to remove it
2006-01-24, 10:14:39
anonymous from United Kingdom  
Thanks a bunch. Worked first time. That was so annoying.
2006-01-26, 08:35:59
Finally... from Turkey  
I have cleaned up that crazy thing finally. First I did the things above. But this was useless. I ran a program called Faber Toys, which is an advanced Windows Task Manager. I found tool2.exe in the items that run automatically at start-up. I killed that one! Now I am glad. Thanks for everything
2006-01-27, 13:28:30
anonymous from United States  
answer: stop looking at porn all day long - that is where these programs come from
2006-02-03, 20:35:36
anonymous from Australia  
Does anyone know how I can delete these fuckers? I have scanned through them and although the properties info suggests where they are being sourced from, they are obviously hidden or will not let me delete them, as I get pop-ups saying the program is still running.
2006-02-03, 22:37:21
anonymous from United States  
Hello - Microsoft has a free beta2 spyware program that deletes spysheriff and its variants (pest trap, etc.). It works and cleans out the program. Then search the web for 'spysheriff wallpaper remove' to find the right settings to restore your wallpaper and other items. Depending on your variant, the instructions are slightly different, but not difficult. Good luck.