where's the salt?

05/12
2010

Antispyware Soft Malware: Annoyance of the week (2,888 views)

In the past weeks, more and more clients are reporting infections with *Antispyware Soft* malware.

Antivirus Soft is yet another fake antispyware, similar to Antivirus Live and/or Spyware Protect 2009.

It imitates a system scan and claims to find multiple infections, no matter which shortcut you try to click on or which program you try to start.

Signs of infection:
Usually it starts with balloon notifications in the system tray:

Antispyware Soft

Antispyware Soft

But it quickly gets worse:

Antispyware Soft Warning"

Antispyware Soft Warning

And screens similar to this will appear over and over:

Antispyware Soft

Not only is it highly annoying, but do not make the mistake and give in to the scare by *buying their program*: If you do, the makers will also have your personal information and your credit card data!

The removal process only takes about 10 minutes:
Disclaimer: Editing the registry can be dangerous. If you are unsure, contact a professional. We take no responsibility for changes you make that leave your computer in a vegetative state.
Back up your system and your registry before making any changes.

Below are 16 simple steps to remove Antispyware Soft from your computer.

1. Restart your computer in *Safe Mode with Networking* mode (by hitting F8 during the startup process until you are presented with the selection screen). You will internet access later to download/update the removal tools.
If you have access to another computer, you don’t even need to restart. Simply download and copy the 2 files from step 5 and 10 to a USB stick and get the removal process on the infected computer started right away.

2. Open Internet Explorer, click on the Tools menu and select Internet Options:
IT Tools

3. Select the LAN settings:
IE LAN Settings

4. Uncheck Use a proxy server for your LAN:
IE LAN Settings

5. Download Hijack This, but save it as/rename it to iexplore.exe and then save it to your Desktop (alternate download link).

6. Double-Click the iexplore.exe icon to run HijackThis.
iexplore.exe-HijackThis

7. Click *Do a system scan only* and look for entries like this:

R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 – HKLM\..\Run: [random] C:\Documents and Settings\user\Local Settings\Application Data\[random]\[random]sysguard.exe
O4 – HKCU\..\Run: [random] C:\Documents and Settings\user\Local Settings\Application Data\[random]\[random]sysguard.exe
O4 – HKCU\..\Run: [random] "C:\Users\Owner\AppData\Local\[random]\badwsftav.exe"
O4 – HKCU\..\Run: [random] "C:\Users\Owner\AppData\Local\[random]\bogjsftav.exe"

The actual file names might differ, but they all start with O4 and seem to end with sysguard.exe or some other random alpha-combination (badwsftav.exe and bogjsftav.exe in the above example).
The first entry should only be there if you haven’t yet reset the Internet Explorer settings outlined in steps 2-4.

8. Check the box next to these entries and click *Fix checked*.

9. Close HijackThis.

10. Download MalwareBytes Anti-malware (MBAM).

11. Double-click mbam-setup-1.46.exe to install MBAM.
(If you get error messages from the malware that the file is infected or cannot e opened, simply rename mbam-setup-1.46.exe to something else – abcd.exe is perfectly acceptable for our purpose)

12. Make sure that both checkboxes next to *Update Malwarebytes’ Anti-Malware* and *Launch Malwarebytes’ Anti-Malware* are checked, and then click *Finish*.

13. Select *Perform Quick Scan* and click *Scan*, and MBAM will start scanning your computer. Depending on your hardware/configuration this can be a lengthy process. Go get a cup of coffee or go to the store, but don’t interrupt the process.

14. MBAM will list all infections as it finds them; when the scan is finished click *OK* and *Show Results*.
MBAM Findings

15. Ensure all items are checked and click *Remove Selected*.

16. MBAM will open a log file (in Notepad) and it might require a restart (you should do a reboot anyway since you’re still in Safe Mode).

Done!

Tags:

Date posted: Wednesday, May 12th, 2010 at 8:20 am (9 years, 2 months ago.)
Posted in: business mix, tech mix
Comments RSS Feed Comments RSS Feed
Reply
Ttrackback
Print This Post Print This Post

6 Responses to “Antispyware Soft Malware: Annoyance of the week”

  1. 1

    […] This post was mentioned on Twitter by ninanet. ninanet said: Antispyware Soft Malware: Annoyance of the week http://bit.ly/aRsFvN #spyware #virus #infection #removal […]

    Tweets that mention Antispyware Soft Malware: Annoyance of the week -- Topsy.com on May 12th, 2010 at 1:34 pm
  2. 2

    If I find the people responsible for this they are going to wake up six feet under the ground.

    Pissed Off Programmer on May 24th, 2010 at 8:11 pm
  3. 3

    This should not be legal, and whoever made Antispyware Soft should die. On the other hand, this was a completely helpful article and it saved me!

    Mad on May 27th, 2010 at 6:19 pm
  4. 4

    This article was a lifesaver. MUCH easier to use than the others and I didn’t have to buy crap to get rid of the fake antivirus. Thanks VERY much!

    Twolf on May 28th, 2010 at 1:50 am
  5. 5

    After a lengthy process & 3 hours, my husband managed to remove this POS & scan the files last night.

    Unfortunately, I didn’t find your page till today. We had to do everything in Firefox because IE wouldn’t work. Tried everything today & it’s gone, but IE & other programs still not working because LAN settings are all out of whack.. Can I run your solution after what he did last night??

    christine on May 28th, 2010 at 8:50 am
  6. 6

    Christine,

    sorry to hear you were having such a hard time 🙁
    But have you checked the IE settings outlined in steps 2-4? They take care of the LAN settings.
    Of course you can run everything in the list at any time:
    if HiJackThis or Anti-Malware find suspicious items – delete those items (unless you have a really good reason to keep them)

    BTW, Firefox is the better choice anyway.

    nina on May 28th, 2010 at 9:04 am

Leave a Reply


search

Categories