# Well, this virus is FUN.



## San-Ryuuk (May 17, 2010)

I just got attacked out of the blue by the "antispyware soft" virus. Apparently it attacks you through trojans, and then makes your security center block next to anything that can help. I looked up online that Spyware Doctor helps for this, and I got it to download, but there's no free trial for it. Does anyone know something that's free or at least pirate-able that I can get to remove this ****ing annoying virus from my laptop?


----------



## Lucy Bones (May 17, 2010)

My first reaction is to try a system restore.


----------



## gdzeek (May 17, 2010)

I tried that and it worked temporarily. Supposedly spyware dr or antimalewarpro will remove it, but it costs like $30. I just reformatted my laptop to fix it, especially since the antivirus cronies are responsible for making the fake antispyware in the first place.


----------



## SnowFox (May 17, 2010)

Malwarebytes?

I prefer the satisfaction of defeating it manually.


----------



## Ferretmon (May 17, 2010)

try "hijack this"


----------



## gdzeek (May 17, 2010)

SnowFox said:


> Malwarebytes?
> 
> I prefer the satisfaction of defeating it manually.



yeah that was the one


----------



## Issashu (May 17, 2010)

What is the name of the so-called "soft"? Hijack this is a good start, if you want to get your hands dirty


----------



## Wyldfyre (May 17, 2010)

Delete System32.
It's the only way.


----------



## gdzeek (May 17, 2010)

and don't update to version 9 whatever you do!


----------



## San-Ryuuk (May 17, 2010)

Alright. I got a scan to say it removed 'em. Hopefully it worked. Thanks for the help, all.


----------



## Slyck (May 17, 2010)

EDIT: I see what you did thar. Hope it works.

1: I just got this yesterday. Try booting off a live CD / lunix partition and deleting anything that ends in tssd.exe.

1: Manually remove it. HijackThis can work, but it seemed to fuck up my PC. It could have been something else, but now Windows just hangs on boot. Not worth the risk for a little automation in my view.

2: Did you give your taint a nice caviar rubdown? Did it have gusto? If you don't know what the hell I'm saying, you didn't visit the site I'm starting to suspect. To be safe, get your 'content' somewheres else.


----------



## Runefox (May 17, 2010)

Second on MalwareBytes. Boot up into Safe Mode With Networking (F8 before you see the Windows startup logo) and do an update+full scan with it.

Also, you might get some success with Avast anti-virus, since it offers a boot-up scanner that runs before Windows boots.

On that note, I wonder if I shouldn't just write up a pretty "universal" checklist of things to do if you get infected with something.


----------



## ArielMT (May 17, 2010)

Ferretmon said:


> try "hijack this"



HijackThis is a fairly advanced tool.  The only things it finds are changes from a pristine Windows installation, many of which are either harmless or essential for your computer.



Issashu said:


> What is the name of the so-called "soft"? Hijack this is a good start, if you want to get your hands dirty



English is apparently not the malware author's native language.  "Antispyware Soft" is its name.



Wyldfyre said:


> Delete System32.
> It's the only way.



>:C



Runefox said:


> On that note, I wonder if I shouldn't just write up a pretty "universal" checklist of things to do if you get infected with something.



Please, and I'll make it a sticky.  We could use some basic guides here, and that's one of them.


----------



## Scotty1700 (May 17, 2010)

Avast antivirus

http://www.avast.com/free-antivirus-download


----------



## Runefox (May 17, 2010)

Hmm, I guess I'll try drawing up something over the next few days.


----------



## Flatline (May 18, 2010)

I'm using Avast, Comodo, KeyScrambler, Spyware Terminator, A-Squared, and NoScript. Those are pretty great.

I got my worst virus about three months ago (The Cri-Cri virus). Its only purpose is to freeze the computer on the 4th of June and display a message. Unfortunately, it has a bug which can render .EXE and .COM files unusable.
So it fucked up almost pretty much every executable on both of my HDDs.


----------



## Irreverent (May 18, 2010)

Sometimes these shell-latching malware can be disabled just by bringing up the task manager, and then running msconfig to edit the startup config.

Since this virus latches onto the shell and interrupts the run, command, cmd and Ctrl-Alt-Del functions, you'll have to start the task manager by issuing a Ctrl-Shift-Esc command.

Application tab, New Task, msconfig, Enter

In msconfig, examine the Startup tab and disable anything that looks suspicious.  Now, you can get into some grief doing this, but the machine is already compromised.  Reboot, update your virus definitions, rescan and you should be good to go.


----------



## Joeyyy (May 18, 2010)

Hahaha it sucks don't it?  :3


----------



## Ibuuyk (May 18, 2010)

Scotty1700 said:


> Avast antivirus
> 
> http://www.avast.com/free-antivirus-download



Avast sucks badly

Get Avira AntiVir.


----------



## Ricky (May 18, 2010)

Runefox said:


> Second on MalwareBytes. Boot up into Safe Mode With Networking (F8 before you see the Windows startup logo) and do an update+full scan with it.



I don't know why they are so fucking good...

I think they have insider knowledge. They probably put half the shit out there and profit from it :roll:


----------



## Runefox (May 18, 2010)

Irreverent said:


> Sometimes these shell-latching malware can be disabled just by bringing up the task manager, and then running msconfig to edit the startup config.



A lot of the time, this stuff comes with rootkits nowadays to not only prevent being removed so easily, but to prevent certain applications from starting at all no matter what you do (except renaming from .exe to .com - I've yet to actually see one intercept .com, but Windows Vista and later are unable to allow you to rename, for example, regedt32.exe to regedt32.com. In fact, most apps within the Windows folder are untouchable in this way, though one workaround is to copy it to somewhere and rename the copy - It may work, but not for regedt32). It's one of the reasons why GMER's download randomly names the executable and why anti-rootkit software tends to launch randomly-named subprocesses when scanning for rootkits.


----------



## Scotty1700 (May 18, 2010)

Ibuuyk said:


> Avast sucks badly
> 
> Get Avira AntiVir.



Everyone in my immediate family is using Avast and we're all virus free. You're the only person I've ever seen that says Avast isn't good.


----------



## ArielMT (May 18, 2010)

Ricky said:


> I don't know why they are so fucking good...
> 
> I think they have insider knowledge.



In the age of full disclosure and readily accessible forensics tools, insider knowledge isn't as necessary as it once was.



Ricky said:


> They probably put half the shit out there and profit from it :roll:



That would be easy enough to find if true, and also if true it would've made headlines throughout the computer industry on par with the way Milli Vanilli made headlines throughout the music industry: total and instant destruction of any value the name has.

The same accusations were made of Norton and McAfee's products most of a decade before the Internet was opened to public access.

Edit: I tried Avast 5, and although it did a decent job of staying out of my way (much better than 4), the free download still expired and annoyed me to no end with dire warnings of how my system was OMGUNPROTECTED REGISTER NAO when it did.  I don't care that it was willing to keep working if I didn't forfeit any money; it still wanted personal information as payment to keep working at all.  Dealbreaker.

I'm now testing MSE on my Windows test system.


----------



## Nollix (May 18, 2010)

Next time don't be an idiot.


----------

