where's the salt?

05/12
2010

Antispyware Soft Malware: Annoyance of the week

In the past weeks, more and more clients are reporting infections with *Antispyware Soft* malware.

Antivirus Soft is yet another fake antispyware, similar to Antivirus Live and/or Spyware Protect 2009.

It imitates a system scan and claims to find multiple infections, no matter which shortcut you try to click on or which program you try to start.

Signs of infection:
Usually it starts with balloon notifications in the system tray:

[Image: Antispyware Soft]

But it quickly gets worse:

[Image: Antispyware Soft Warning]

And screens similar to this will appear over and over:

[Image: Antispyware Soft]

Not only is it highly annoying, but do not make the mistake of giving in to the scare and *buying their program*: if you do, the makers will also have your personal information and your credit card data!

The removal process only takes about 10 minutes:
Disclaimer: Editing the registry can be dangerous. If you are unsure, contact a professional. We take no responsibility for changes you make that leave your computer in a vegetative state.
Back up your system and your registry before making any changes.

Below are 16 simple steps to remove Antispyware Soft from your computer.

1. Restart your computer in *Safe Mode with Networking* (by hitting F8 during the startup process until you are presented with the selection screen). You will need internet access later to download/update the removal tools.
If you have access to another computer, you don’t even need to restart. Simply download the 2 files from steps 5 and 10, copy them to a USB stick and start the removal process on the infected computer right away.

2. Open Internet Explorer, click on the Tools menu and select Internet Options:
[Image: IT Tools]

3. Select the LAN settings:
[Image: IE LAN Settings]

4. Uncheck Use a proxy server for your LAN:
[Image: IE LAN Settings]

5. Download HijackThis, but save it as (or rename it to) iexplore.exe on your Desktop (alternate download link).

6. Double-Click the iexplore.exe icon to run HijackThis.
[Image: iexplore.exe-HijackThis]

7. Click *Do a system scan only* and look for entries like this:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [random] C:\Documents and Settings\user\Local Settings\Application Data\[random]\[random]sysguard.exe
O4 - HKCU\..\Run: [random] C:\Documents and Settings\user\Local Settings\Application Data\[random]\[random]sysguard.exe
O4 - HKCU\..\Run: [random] "C:\Users\Owner\AppData\Local\[random]\badwsftav.exe"
O4 - HKCU\..\Run: [random] "C:\Users\Owner\AppData\Local\[random]\bogjsftav.exe"

The actual file names might differ, but they all start with O4 and seem to end with sysguard.exe or some other random alpha-combination (badwsftav.exe and bogjsftav.exe in the above example).
The first entry should only be there if you haven’t yet reset the Internet Explorer settings outlined in steps 2-4.

8. Check the box next to these entries and click *Fix checked*.

9. Close HijackThis.

10. Download MalwareBytes Anti-malware (MBAM).

11. Double-click mbam-setup-1.46.exe to install MBAM.
(If you get error messages from the malware that the file is infected or cannot be opened, simply rename mbam-setup-1.46.exe to something else – abcd.exe is perfectly acceptable for our purpose)

12. Make sure that both checkboxes next to *Update Malwarebytes’ Anti-Malware* and *Launch Malwarebytes’ Anti-Malware* are checked, and then click *Finish*.

13. Select *Perform Quick Scan* and click *Scan*, and MBAM will start scanning your computer. Depending on your hardware/configuration this can be a lengthy process. Go get a cup of coffee or go to the store, but don’t interrupt the process.

14. MBAM will list all infections as it finds them; when the scan is finished click *OK* and *Show Results*.
[Image: MBAM Findings]

15. Ensure all items are checked and click *Remove Selected*.

16. MBAM will open a log file (in Notepad) and it might require a restart (you should do a reboot anyway since you’re still in Safe Mode).

Done!
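
The check in step 7 can also be run against a saved HijackThis log. The Python sketch below is an added example, not part of the original post or of HijackThis: it flags the two patterns described there, a ProxyServer value pointing at the local machine and O4 Run entries that start an .exe from the per-user application data folder. The function names and the sample log are constructed for illustration.

```python
import re

# Accept both "-" and the typographic dash that blog software substitutes.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+[-\u2013]\s+(?P<body>.+)$")
PROXY = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.I)
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$", re.I)
# The two per-user locations that appear in the step 7 entries.
USER_DATA = re.compile(r"\\(?:Local Settings\\Application Data|AppData\\Local)\\", re.I)

# Constructed sample log; the random folder and value names are made up.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [qwpxtbsk] C:\Documents and Settings\user\Local Settings\Application Data\mvxkqa\hbtesysguard.exe
O4 - HKCU\..\Run: [kdjfhsre] "C:\Users\Owner\AppData\Local\rtyeps\badwsftav.exe"
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\bho.dll
"""

def loopback_proxy(value):
    """True if any 'scheme=host:port' part of a ProxyServer value is local."""
    for part in value.split(";"):
        host = part.split("=", 1)[-1].rsplit(":", 1)[0].strip().lower()
        if host == "localhost" or host.startswith("127."):
            return True
    return False

def triage(log_text):
    """Return (kind, detail) tuples for log lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code in ("R0", "R1"):
            p = PROXY.search(body)
            if p and loopback_proxy(p["value"]):
                findings.append(("loopback-proxy", p["value"]))
        elif code == "O4":
            r = RUN.match(body)
            path = r["cmd"].strip().strip('"') if r else ""
            if USER_DATA.search(path) and path.lower().endswith(".exe"):
                findings.append(("run-from-user-profile", path))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Legitimate software can also auto-start from the per-user folder, so treat each hit as an entry to review before ticking it in HijackThis, not as a verdict.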

Date posted: Wednesday, May 12th, 2010 at 8:20 am
Posted in: business mix, tech mix
About the author:

Nina Khoury is a software engineer, self-described geek and EVP of ninanet site solutions. She founded one of the first online agencies in Austria in 1997, taught at various universities for seven years and now lives in Sin City - Las Vegas, NV.

6 Responses to “Antispyware Soft Malware: Annoyance of the week”

  1.

    […] This post was mentioned on Twitter by ninanet. ninanet said: Antispyware Soft Malware: Annoyance of the week http://bit.ly/aRsFvN #spyware #virus #infection #removal […]

    Tweets that mention Antispyware Soft Malware: Annoyance of the week -- Topsy.com on May 12th, 2010 at 1:34 pm
  2.

    If I find the people responsible for this they are going to wake up six feet under the ground.

    Pissed Off Programmer on May 24th, 2010 at 8:11 pm
  3.

    This should not be legal, and whoever made Antispyware Soft should die. On the other hand, this was a completely helpful article and it saved me!

    Mad on May 27th, 2010 at 6:19 pm
  4.

    This article was a lifesaver. MUCH easier to use than the others and I didn’t have to buy crap to get rid of the fake antivirus. Thanks VERY much!

    Twolf on May 28th, 2010 at 1:50 am
  5.

    After a lengthy process & 3 hours, my husband managed to remove this POS & scan the files last night.

    Unfortunately, I didn’t find your page till today. We had to do everything in Firefox because IE wouldn’t work. Tried everything today & it’s gone, but IE & other programs still not working because LAN settings are all out of whack.. Can I run your solution after what he did last night??

    christine on May 28th, 2010 at 8:50 am
  6.

    Christine,

    sorry to hear you were having such a hard time :(
    But have you checked the IE settings outlined in steps 2-4? They take care of the LAN settings.
    Of course you can run everything in the list at any time:
    if HiJackThis or Anti-Malware find suspicious items – delete those items (unless you have a really good reason to keep them)

    BTW, Firefox is the better choice anyway.

    nina on May 28th, 2010 at 9:04 am
