In the Windows XP notification area (also known as the system tray, next to the Windows clock) a balloon message appears looking like a system alert. The message claims that I have spyware installed on the computer, and instructs me to click the balloon to remove the spyware. This opens an Internet Explorer window which is trying to sell me spyware removal products. Obviously this is some sort of unsolicited advertising. In an attempt to remove this adware I have run Norton Antivirus 2006 together with Ad-Aware SE and Spybot Search & Destroy. This detected and removed the adware (VirusProtectPro 3.6) but the icon is still visible in the notification area. Subsequent rescans do not detect the adware, so presumably the core components have been removed from the computer, although the icon remains. How can I remove the icon from the system all together?

As you mentioned within your question, the message which appears informing that you have spyware installed on your computer, and subsequently attempts to sell you spyware removal products, is malware in itself. More specifically, it seems that some adware has found its way onto your computer. This demonstrates how some unscrupulous people are attempting to sell products over the internet, by tricking the unsuspecting user into thinking there is something wrong with the computer to sell a product which will “fix” the problem. Fortunately, you have realised that the message is not legitimate and taken the appropriate steps to remove this from your computer.

Looking at the description for the VirusProtectPro 3.6 adware on the computer, this certainly does seem to match the symptoms which are being demonstrated on your computer (i.e. a message balloon offering to sell you spyware removal products). While the antivirus, adware and spyware removal utilities on your computer have not redetected the adware, the icon suggests the adware may not have been removed from the computer. The icon is a continuing annoyance in its own right despite the anti-adware programs being run and claiming to have removed the adware, the icon part remains! In this case, we may need to take more drastic measures to remove the icon from your system.

Before proceeding any further, there is another anti-adware and anti-spyware program you can try to remove this adware from your computer. Windows Defender is a free program offered by Microsoft to help protect Windows based computers against malware threats. This can be downloaded for free at: www.microsoft.com/downloads . Once this has downloaded and installed on your computer, update Windows Defender with the latest definition files. Then, complete a full scan of your computer for any spyware or malware. Hopefully this should detect the adware, and complete a more thorough removal of the adware to include the removal of the icon from the Windows notification area.

Should the problem still continue after running Windows Defender, a more manual removal process may be necessary. It is likely that the icon is launching as a startup item on the system, and we therefore need to check the startup items to see whether this can be disabled. Go to the “Start” menu > “Run” and type “msconfig” (without the quotes) then click OK. In the window that appears, click the “Startup” tab. This will list all the programs and processes which load on Windows startup. Look through this list for any processes which seem related to VirusProtectPro or look suspicious. If you find a process which you suspect is related to VirusProtectPro untick the entry for that process, click OK, and then restart the computer. Once the computer has restarted, check whether the icon is still present in the Windows system tray. Should the icon not appear, this indicates that the previously disabled process was causing the issue. In this case, simply leave that process disabled. Additionally, you could also delete the executable file associated with the startup entry. To locate the executable file, open the System Configuration Utility and click the “Startup” tab. Alongside the name of the process you should also see the path where the process executable is located. Note down the path of this executable and then use Windows Explorer or My Computer to navigate to this path. Once this is complete, you should see the process. If you are not confident in deleting this process all together, a first step could be to rename the file. Assuming that nothing untoward happens after renaming this file, you could then delete the file from your computer.

In the event that the problem still remains after disabling that process you should return to the System Configuration Utility and re-enable the previously disabled process, and try disabling another process. Continue this for all the suspect processes until you find the process causing the problem. That said, there is an outside chance you may not locate the process causing the problem, and disabling any of the processes will not resolve the problem. In this situation it seems that the adware has been deeply embedded within your Windows system, and it could be quite difficult (if not impossible) to remove without causing major system disruption. In this situation, please contact me for further advice.