All times are UTC - 5 hours [ DST ]


HelloMyKneeGrows
 Post subject: Antispysoft Removal Tool
PostPosted: Wed Jun 02, 2010 8:26 am 
Garbage Man

Joined: Tue Jan 26, 2010 2:41 pm
Posts: 929
Location: Greece, NY
Antispysoft Removal Tool:

Has anyone fixed or know how to fix a fake antivirus program with this title? A friend of mine got it and has asked me to fix it for her. It will not allow any spyware or AV software to run and will not allow internet access at all. I'm assuming somewhere it has modified some registry key that will not allow access to these programs and was just wondering if anyone knows of a safe place to download a removal tool for this virus? Thanks

_________________
"I can't really hear what Jeremy says, because I got my two Stanley Cup Rings plugging my ears...." -Patrick Roy in reference to Jeremy Roenick's trash talking


NYIntensity
PostPosted: Wed Jun 02, 2010 8:33 am
Superstar Goalie

Joined: Sun Sep 13, 2009 2:11 pm
Posts: 4463
Best bet is to put a few tools on a usb drive and boot into safe mode. If there's no usb drive available, you can *try* safe mode with networking.

As far as antivirus scanners, use Malwarebytes and I'm preferential to AVG's boot-time scanner when removing viruses (I think Avast offers better active protection, but I like that AVG scans the machine pre-boot). You might be hard pressed to find downloadable update definitions, though.

_________________
ksquier89 wrote:
Holy fucking fuck...Boyes couldn't suck a dick if it landed in his mouth.


Squanto
PostPosted: Wed Jun 02, 2010 9:08 am
Carlos Spicy-Wiener

Joined: Wed Sep 09, 2009 10:31 am
Posts: 9240
Location: FAP TURBO
Malwarebytes is the only program that I've used that has consistently been able to get rid of those fake AV variants.


HelloMyKneeGrows
PostPosted: Wed Jun 02, 2010 9:09 am
Garbage Man

Joined: Tue Jan 26, 2010 2:41 pm
Posts: 929
Location: Greece, NY
Well, I've read in some places to try and open msconfig before anything can boot, remove all startup processes and go from there....

I was hoping for someone on here to work in IT and be able to give me a little bit more in depth instructions or help on how to get this bugger gone, because it very well could help my ability to "get in" if you know what I'm getting at....

NYIntensity
PostPosted: Wed Jun 02, 2010 9:13 am
Superstar Goalie

Joined: Sun Sep 13, 2009 2:11 pm
Posts: 4463
msconfig ain't gonna help you - safe mode is.

NYIntensity
PostPosted: Wed Jun 02, 2010 9:14 am
Superstar Goalie

Joined: Sun Sep 13, 2009 2:11 pm
Posts: 4463
hehe. "Safe mode" is your way to "get in".

HelloMyKneeGrows
PostPosted: Wed Jun 02, 2010 9:18 am
Garbage Man

Joined: Tue Jan 26, 2010 2:41 pm
Posts: 929
Location: Greece, NY
I was just hoping Microsoft, or a reputable AV company (I work for Trend Micro) SOMEBODY has a removal tool for this I can run from a USB and just make it go away....

NYIntensity
PostPosted: Wed Jun 02, 2010 9:25 am
Superstar Goalie

Joined: Sun Sep 13, 2009 2:11 pm
Posts: 4463
HelloMyKneeGrows wrote:
I was just hoping Microsoft, or a reputable AV company (I work for Trend Micro) SOMEBODY has a removal tool for this I can run from a USB and just make it go away....

Um, working for Trend Micro, shouldn't you just be like "uh..psst! Guys? Sorta got a problem here, and we could probably benefit from creating AN ANTIVIRUS SOLUTION FOR IT THAT WORKS!"

That being said,

1. Boot into safe mode.
2. As soon as Windows loads, be fast and click ‘Start’ in the left-hand bottom part of your desktop;
3. Click ‘Run’ and type in ‘msconfig’ (without quotes);
4. In the popup window that opens up, hit ‘Startup’ tab and locate the process that ends in ‘tssd’. Untick this process immediately;
5. Click ‘Apply’ and ‘Ok’;
6. Reboot your computer.
Now that you have restarted your PC, Antivirus Soft will not load. BUT it’s not gone yet. It’s still on your computer so you need to remove all of its files. So please visit our website and follow our instructions listed below.
In case you can’t surf the Internet, open Internet Explorer, go to ‘Tools’, choose ‘Internet options’ and hit ‘Connections’ tab. Click ‘LAN settings’ and untick the following option ‘Use a proxy server for your LAN’. Save all these changes.

The files to be deleted are listed below:

%Documents and Settings%\[UserName]\Local Settings\Application Data\[random string]\[random string]tssd.exe
%Documents and Settings%\[UserName]\Local Settings\Application Data\[random string]\[random string]sftav.exe
%Documents and Settings%\[UserName]\Local Settings\Application Data\[random string]\[random string]sysguard.exe

The registry entries that need to be removed are as follows:

HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random string]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random string]"

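An added example, not part of the thread and not any vendor's tool: a read-only Python check that scans a `reg export` text dump for the registry entries listed in the post above, so you can see what is present before deleting anything. It assumes the dump has already been decoded to text; the function names and the sample contents (including the "qwxyz" random string) are constructed for illustration, and the empty ProxyOverride value is not matched on its own.

```python
import re

# Key paths, value names and file-name endings are the ones listed in the post above.
HKCU, HKLM = "hkey_current_user", "hkey_local_machine"
RUN = {h + r"\software\microsoft\windows\currentversion\run" for h in (HKCU, HKLM)}
INET = HKCU + r"\software\microsoft\windows\currentversion\internet settings"
DOWNLOAD = HKCU + r"\software\microsoft\internet explorer\download"
AVSCAN = HKCU + r"\software\avscan"
DROPPED = re.compile(r"\\Application Data\\[^\\]+\\[^\\]*(tssd|sftav|sysguard)\.exe", re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def find_indicators(reg_text):
    """Return (key, value_name, data) for every entry that is on the post's list."""
    hits, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower() == AVSCAN:
                hits.append((key, None, None))
            continue
        m = VALUE.match(line)
        if not m:
            continue
        name, raw = unescape(m.group(1)), m.group(2)
        data = unescape(raw[1:-1]) if raw.startswith('"') else raw
        k, n = key.lower(), name.lower()
        if ((k in RUN and DROPPED.search(data))
                or (k == INET and n == "proxyserver" and data == "http=127.0.0.1:5555")
                or (k == DOWNLOAD and n == "runinvalidsignatures" and data in ("1", "dword:00000001"))):
            hits.append((key, name, data))
    return hits

# Constructed sample in `reg export` text form; real exports are UTF-16, decode them first.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\AvScan]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:5555"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"qwxyz"="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\qwxyz\\qwxyztssd.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
print(*find_indicators(SAMPLE), sep="\n")
```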
 
HelloMyKneeGrows
PostPosted: Wed Jun 02, 2010 9:30 am 
Garbage Man

Joined: Tue Jan 26, 2010 2:41 pm
Posts: 929
Location: Greece, NY
THANKS! I hope to god this works and if it does, you can rest happily knowing you probably got me laid.

In response to telling someone about this. Yeah, makes sense but I'm in sales, not development. Nobody listens to us, especially in the development area. They just want us to talk about how great they are even though they despise us, lol.

NYIntensity
PostPosted: Wed Jun 02, 2010 9:32 am
Superstar Goalie

Joined: Sun Sep 13, 2009 2:11 pm
Posts: 4463
I despise Trend Micro, for what it's worth.

And also, you may want to do all the deletions and registry edits in safe mode as well. Backing up a copy of her registry before making changes will definitely NOT hurt; at least back up the hives you're working in.

NYIntensity
PostPosted: Wed Jun 02, 2010 9:34 am
Superstar Goalie

Joined: Sun Sep 13, 2009 2:11 pm
Posts: 4463
Oh, and as far as that getting you laid, it's never worked that way for me. Usually I get laid, and THEN have to work on their computer. Bitches are sneaky.

Squanto
PostPosted: Wed Jun 02, 2010 9:44 am
Carlos Spicy-Wiener

Joined: Wed Sep 09, 2009 10:31 am
Posts: 9240
Location: FAP TURBO
NYIntensity wrote:
Oh, and as far as that getting you laid, it's never worked that way for me. Usually I get laid, and THEN have to work on their computer. Bitches are sneaky.


No kidding. It's harder to say no to fixing something after you've already been 'paid'.


NYIntensity
PostPosted: Wed Jun 02, 2010 9:53 am
Superstar Goalie

Joined: Sun Sep 13, 2009 2:11 pm
Posts: 4463
Squanto wrote:
NYIntensity wrote:
Oh, and as far as that getting you laid, it's never worked that way for me. Usually I get laid, and THEN have to work on their computer. Bitches are sneaky.


No kidding. It's harder to say no to fixing something after you've already been 'paid'.


Depends on where the deposit went, usually. :dance:

Sabres2Sabres
PostPosted: Wed Jun 02, 2010 10:26 am
Face-Off Specialist

Joined: Wed Sep 09, 2009 1:26 pm
Posts: 690
Location: Southeast of disorder
I got one of those awhile back...Norton wouldn't get rid of it normally, but in safe mode, I ran a Norton scan and it worked.


CriminallyVu1gar
PostPosted: Wed Jun 02, 2010 12:25 pm
Captain Dynasty

Joined: Wed Sep 09, 2009 4:56 pm
Posts: 16859
Spyware Doctor has worked well for me

_________________
Proud LGBTQQ Individual


Crosscheck
PostPosted: Wed Jun 02, 2010 12:55 pm
Sober enough to run a server

Joined: Wed Sep 09, 2009 3:10 am
Posts: 7477
Location: 2,568 miles from the F'n arena
This is why I'm a unix admin.....plausible deniability.

_________________
Hold my beer and watch this...


NYIntensity
PostPosted: Wed Jun 02, 2010 1:48 pm
Superstar Goalie

Joined: Sun Sep 13, 2009 2:11 pm
Posts: 4463
Yeah, but when something goes wrong for you....

Squanto
PostPosted: Wed Jun 02, 2010 2:04 pm
Carlos Spicy-Wiener

Joined: Wed Sep 09, 2009 10:31 am
Posts: 9240
Location: FAP TURBO
NYIntensity wrote:
Yeah, but when something goes wrong for you....


You do what our old systems admin did.

Blame it on the networking department (mine) and fix it before I come back and tell you that nothing's wrong.


NYIntensity
PostPosted: Wed Jun 02, 2010 2:17 pm
Superstar Goalie

Joined: Sun Sep 13, 2009 2:11 pm
Posts: 4463
Or, as I'm known to do, have really good backup schemas :P

It's just about mandatory if you run Windows boxes.
