# Antivirus Soft help



## Taasla (May 27, 2010)

Last night my SO got infected by Antivirus Soft, and we found this site to help us.  Unfortunately, Spyware Doctor isn't free.  We'll have to pay them money just to recover our machine.

This isn't the variant that doesn't allow you to boot into safe mode, so we're good on that front.  I just need to know an alternative method to kill this sucker.  I've been told to try Malware bytes, but some people have told me that it sometimes doesn't work against this thing.

I'm not experienced enough to go rooting around and deleting things manually.


----------



## yiffytimesnews (May 27, 2010)

Take my advice: stick with something that most people know about. I use http://www.avast.com/index and have not had a single virus since I installed it.


----------



## ToeClaws (May 27, 2010)

Malwarebytes is definitely a good choice for the low-level stuff that might already be on the system.  It's used quite frequently here at the university as a scrubber for such things.  You may also want to try the Spybot Search and Destroy suite (which is free), which is also a great low-level worm tool.  Both are available for download on Majorgeeks.com.


----------



## Taasla (May 27, 2010)

yiffytimesnews said:


> Take my advice: stick with something that most people know about. I use http://www.avast.com/index and have not had a single virus since I installed it.



Antivirus Soft has killed our Avast.  In fact, it was running when it infected his PC.


----------



## ArielMT (May 27, 2010)

http://www.malwarebytes.org/

Download the free version of Malwarebytes' Anti-Malware (MBAM), install it, and let it update and run.  (The download mirrors I know of are CNet Download.com and Major Geeks.)

If MBAM won't download or run in normal mode, reboot into "Safe Mode with Networking."  Reboot, and just after POST (the first screen) finishes, press the F8 key as if it were the F5 key and FA went down, until it gives a text menu asking how you want Windows to start.  Use the arrow keys to move the highlight bar, and press Enter when "Safe Mode with Networking" is selected.  Then try downloading and running MBAM again.

Once a scan gives a clean bill of health, either fix up or reinstall Avast.


----------



## ArielMT (May 27, 2010)

Also, as TC mentioned, Spybot Search&Destroy: http://www.safer-networking.org/ or http://spybot.info/, both are the same site and offer the same program.


----------



## Issashu (May 27, 2010)

For me, Malwarebytes and Microsoft Security Essentials are doing a great job so far.
A good way of cleaning the PC would be a bootable antivirus CD. Kaspersky had something like that for free download. You burn the image to a CD and boot it; the program will update the AV definitions and scan/clean the PC with no Windows running.

The Majorgeeks website (as stated earlier) is a great place to find solutions too.


----------



## Runefox (May 27, 2010)

I don't recommend Spyware Doctor.

Echoing Malwarebytes' Anti-Malware. Spybot can perform additional cleanup, but more than likely will not be as effective out of the gate. In any event, it's not a good idea to rely on any single program when cleaning this kind of thing, because automated cleanups rarely get the whole thing (even Malwarebytes misses bits and pieces, but usually manages to get enough of it that the rest of the cleanup is a snap).

Which version of Avast are you using? 4.x or 5.x? 4.x has a blue system tray icon, while 5.x has an orange one. 4.x is older, and offers less protection. Also, if you're using a 32-bit version of Windows, you can use Avast's Boot-time Scan feature, which will scan for and remove threats before Windows even loads (unfortunately not available on 64-bit systems yet). This can help get rid of it rather nicely.

If none of that works, then there's a couple of industrial-strength choices you can use. Combofix is a powerful utility that automatically scans for and removes a range of malware, and gets in pretty deep. It has anti-rootkit ability (as does MBAM), so it's likely that it can remove or at least detect whatever's hooked in. Close all programs before running, and don't touch the computer while it's going. When it's done, it'll give you a log of what it found and what it did.

Another one you can try is GMER, which is a dedicated anti-rootkit program. In general, if something shows up in red, first disable it, then reboot, scan again and delete it. Disabling first ensures that it isn't running next time Windows starts - Deleting outright can either fail or be undone if it's still running. There are instructions on the website for removal in any case.


----------



## SNiPerWolF (May 27, 2010)

Virus - Kaspersky or Nod32
Spyware/Malware - Spybot Search and Destroy


----------



## Melo (May 27, 2010)

I've had Antivirus Soft infect my brother's pc as well as a co-workers.

Malwarebytes cleaned it off both times.


----------



## Slyck (May 27, 2010)

1. Download Knoppix (click there) and burn the ISO file to a blank CD. You can use Active@ISO Burner for this. Note that the download for Knoppix might start at 10kb/s or less, but it WILL rev up (to around 200kb/s). The server must be throttled. (I'm using a 4mb/s connection.)

2a. Pop the CD in the drive. Reboot your comp. You might need to force it to boot from the CD. To do this, go into the BIOS and set 'boot from CD-ROM' as the number one boot priority.

2b. Knoppix (it's a Linux distro) will boot off the CD as if the CD is your hard drive. It will make no changes to your computer. On the Knoppix bootup screen, press Enter. You'll know when you get this screen.

3. In Knoppix, open up your hard drive. You should be able to find it. It's the folder with all the same files and folders as your C: drive in Windows. Delete these files:

For Vista and 7:

Replace '%UserProfile%' with 'Users\(Your Username)\'
Replace '(Your Username)' with, well, just guess.
Replace '<random>' with a random string of characters like 'cf8dbkd' or 'fkf3gd' or something.

```
%UserProfile%\AppData\Local\<random>\
%UserProfile%\AppData\Local\<random>\<random>sysguard.exe
%UserProfile%\AppData\Local\<random>\<random>sftav.exe
```

For XP:

Replace '%UserProfile%' with 'Documents and Settings\(Your Username)\'
Replace '(Your Username)' with, well, just guess.
Replace '<random>' with a random string of characters like 'cf8dbkd' or 'fkf3gd' or something.

```
%UserProfile%\Local Settings\Application Data\<random>\
%UserProfile%\Local Settings\Application Data\<random>\<random>sysguard.exe
%UserProfile%\Local Settings\Application Data\<random>\<random>sftav.exe
```

Now boot back into Windows and delete these registry entries:

For any version of Windows:

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""

HKEY_CURRENT_USER\Software\avsoft
```

I got infected with the 'AntiSpyware Soft' variant, and so did two of my clients. (I repair computers for a living.) I just used a slightly modified version of this procedure and it worked all three times.

I guess you could use an automated removal program, but you never know if the job is complete.
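A read-only audit of the indicators listed in the post above, written as an added example for this thread (it is not Slyck's script and not part of any removal tool). It runs in Windows PowerShell on the infected machine, after you are back in Windows, and only reports what it finds so you can review the list before deleting anything by hand or with MBAM. Assumptions: the dropped-file check keys off the `sysguard.exe` / `sftav.exe` suffixes because the `<random>` folder and prefix cannot be known in advance; `$env:LOCALAPPDATA` is used so the same check covers the Vista/7 and XP folder layouts; the `ProxyServer` check flags any loopback (127.0.0.1) proxy rather than only the `:5555` port named in the post, since the port is the part most likely to vary; the list of registry keys and value names is taken from the post as written.

```powershell
# Added example: audit-only check for the Antivirus Soft indicators listed above.
# Nothing is deleted; review the output before cleaning.

$findings = @()

# 1. Dropped executables: <random>\<random>sysguard.exe or <random>sftav.exe
#    under the per-user Local AppData folder. On XP this is
#    "Local Settings\Application Data"; on Vista/7 it is "AppData\Local".
#    $env:LOCALAPPDATA resolves to the right one on either.
$dirs = Get-ChildItem -Path $env:LOCALAPPDATA -Directory -ErrorAction SilentlyContinue
foreach ($dir in $dirs) {
    $files = Get-ChildItem -Path $dir.FullName -File -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        if ($f.Name -match '(sysguard|sftav)\.exe$') {
            $findings += "File: $($f.FullName)"
        }
    }
}

# 2. Registry values from the post. "Bad" is a regex matched against the data;
#    the ProxyServer pattern accepts any loopback proxy, not just port 5555 (assumption).
$regChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';   Name = 'SaveZoneInformation';  Bad = '^1$' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';      Name = 'ProxyServer';          Bad = '127\.0\.0\.1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations';  Name = 'LowRiskFileTypes';     Bad = '\.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                    Name = 'RunInvalidSignatures'; Bad = '^1$' }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $data = $item.($c.Name)
        if ("$data" -match $c.Bad) {
            $findings += "Registry: $($c.Key) '$($c.Name)' = $data"
        }
    }
}

# 3. The HKCU\Software\avsoft key itself (should not exist on a clean machine).
if (Test-Path 'HKCU:\Software\avsoft') {
    $findings += 'Registry key present: HKCU:\Software\avsoft'
}

# 4. Run entries (the "<random>" values) whose command points at one of the dropped files.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($runKey in $runKeys) {
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # PSPath, PSParentPath, etc. are provider metadata, not registry values.
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match '(sysguard|sftav)\.exe') {
            $findings += "Run entry: $runKey '$($p.Name)' = $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Antivirus Soft indicators found.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from a PowerShell prompt started as Administrator so the HKLM Run key is readable; HKCU checks only cover the account you run it as, so repeat it under each user profile on a shared machine. If the proxy value is flagged, note that fixing it is what restores normal web access for downloading MBAM, which is the symptom several posters in this thread ran into.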


----------



## Nollix (May 27, 2010)

/g/ seems to recommend MSE strongly, though I haven't had any experience with it myself.


----------



## Shaui (May 27, 2010)

Linux, the best anti virus software V:

but seriously, use something free like avast.


----------



## SNiPerWolF (May 28, 2010)

NOD32


----------



## Taasla (May 28, 2010)

Shaui said:


> Linux, the best anti virus software V:
> 
> but seriously, use something free like avast.



Avast was running and updated when we were hit.  It was absolutely useless.  (Yes, it was the one with the blue shield, so it looks like I'll have to bug him to update it.)

Thanks guys, using some of the stuff in this thread, I managed to get Antisoft off.  It was a royal pain in the ass, but we're good to go now.  I have no idea how my fiance got it in the first place, but he's not as anal about security as I am.


----------



## yiffytimesnews (May 28, 2010)

Now if you're taking anti-spyware, I would highly recommend http://www.superantispyware.com/; this bit of software even removed trojans that Avast did not detect.


----------



## auzbuzzard (May 28, 2010)

I wonder which free anti-virus for mac is nice and decent.


----------



## Janglur (May 29, 2010)

AVG, Avast, and Kaspersky seem to be the go-to guys.

Only use Norton/Symantec and McAfee if you don't value your data, don't care if it slows your PC to a crawl, and don't intend to ever actually get a virus, because they won't help if you do.


----------



## Nollix (May 30, 2010)

auzbuzzard said:


> I wonder which free anti-virus for mac is nice and decent.



BUT MACS DON'T GET VIRUSES AND THEY JUST WORK *smug grin*
durp


----------



## auzbuzzard (May 30, 2010)

Nollix said:


> BUT MACS DON'T GET VIRUSES AND THEY JUST WORK *smug grin*
> durp



But it's very easy to make a Mac virus. Every Mac user can just compile a .app and make someone else run it. Then poof! You can go to the "genius bar" again.


----------



## Nollix (Jun 1, 2010)

auzbuzzard said:


> But it's very easy to make a Mac virus. Every Mac user can just compile a .app and make someone else run it. Then poof! You can go to the "genius bar" again.



Do they have sarcasm in China?


----------



## ArielMT (Jun 1, 2010)

Nollix said:


> Do they have sarcasm in China?



Beijing banned it when the UK's lease expired.


----------



## auzbuzzard (Jun 1, 2010)

Nollix said:


> Do they have sarcasm in China?



No. I've eaten all of it.



ArielMT said:


> Beijing banned it when the UK's lease expired.



One country, two systems. That's why people here love politics. Especially when June 4 is coming.

Did you see the news? Protests over showing the Goddess statue in Causeway Bay. And people are fighting for 2012 universal suffrage.

Wait, this thread is about antivirus right?


----------

