Sunday, April 25, 2010

Public Service Announcement:

A rogue antivirus program called Antispyware Soft appears to have (re)erupted in April and can get on your machine* even if you have genuine anti-virus software running (as I do: AVG on XP machine). From
Once installed, Antivirus Soft will be configured to start automatically when Windows starts. Once running it will scan your computer and display numerous infections, but will state it will not remove them until you purchase the program. In reality, the infected files it detects are all fake and do not actually exist on your computer.

This program also uses aggressive techniques to protect itself from being removed by anti-malware programs. When the Antivirus Soft process is running it will close almost any running program while falsely stating that they are infected. Antivirus Soft will also change the Proxy settings in Internet Explorer so that you cannot browse to any web site other than the site for Antivirus Soft so that you can purchase the program. It does this so that you cannot browse the web to find removal guides or download software that will help you remove the infection. Using these two methods, the program essentially ransoms the normal use of your computer until you purchase the program or use the guide below to remove the infection.
(watch video here)

I advise that, as a defensive mechanism, you download Malwarebytes Anti-Malware module now, so that you can run it (in SAFE MODE) if you get infected. Also, you should run MSIE and under Tools/Connections/LAN uncheck the USE PROXY setting, which is part of the take-over.

* when I got infected, it was not from suspect websites (e.g. adult or gaming oriented - which is often a source). I was using the FireFox browser (v 3.0) while reading the usual political/financial blogs that many of us visit: Salon, Calculated Risk, Kevin Drum. Although it's possible (?) the infection came from an MP3 podcast from a legit radio station.


My son got it through MySpace while using my ex-wife's netbook. It's an annoying malware. I was able to clear it out of her netbook following online instructions, and a combination of MalwareBytes, Hijack This!, and Spybot Search and Destroy. I followed up with a registry cleaning. The several anti-virus programs I initially tried did nothing. The key is to keep this bugger from starting up with your services and programs when you boot up. At that point it becomes vulnerable to anti-malware programs.

By Anonymous Anonymous, at 4/26/2010 10:18 AM  

I don't have a lot of faith in Spybot anymore. Malwarebytes seems to outclass it in every way.

rkill is a useful tool to stopping malware processes. More about it here:

I'm a PC tech and we have to deal with crap like this all the time.

By Anonymous e. nonee moose, at 4/27/2010 10:15 AM  

Post a Comment