Okay it got me. (The Anti-spy Safeguard) virus.
I have Malwarebytes' anti-malware but it doesn't see or remove it.
Any suggestions on a removal program?
I prefer it to be free if possible.
Thank you............Bob
Just another POO flinging day in the jungle.
CCleaner always works for me to remove stubborn apps.
As I was, so I remain until he returns.
You will just have to scan with some other malware cleaning utilities and hope that one has a detection for it. Try SuperAntiSpyware and Spybot Search and Destroy. Update any of these to the latest versions and latest detection databases before using. (Try updating Malwarebytes again? Maybe they've added it since you tried)
Other than that, you will have to try to find it manually. Some of those are pretty simple. Delete the startup entries (look at the path to see where it is) and delete the program directory.
In Spybot Search and Destroy, go to Advanced Mode, then under Tools, there's a good startup entry managing facility.
It seems this one is a bit more complicated than just a startup entry. I found some instructions on a site, but I'm not going to post a link to it because the site is plastered with "download free Antispy Safeguard Removal" buttons and shit and I don't trust it.
But the directions look sound. Obviously if the stuff isn't there where they say it is, you know it's not correct so there's no harm in posting the information.
These are their removal instructions:
AntiSpy Safeguard is a fake anti-spyware program that displays false scan results as a tactic to scare you into thinking that your computer is infected with viruses. This fake program is advertised through websites that pretend to be online malware scanners that find infections on your computer, usually some Trojans, worms and other malicious software. Of course, the rogue program may come bundled with other malware onto your computer without your knowledge and pop up on your computer screen like from nowhere. Also, malware authors distribute their bogus products using social engineering. Once installed, AntiSpy Safeguard will supposedly run a quick system scan and find a variety of files that it states are malware. These files, though, cannot be removed unless you first purchase the software. However, don't purchase it. The scan results are false, so you may safely ignore them. Besides, AntiSpy Safeguard won't remove any infections anyway because they simply don't exist on your computer.
AntiSpy Safeguard is a clone of Red Cross Antivirust, Pest Detector 4.1, Peak Protection 2010 and Major Defense Kit. While running, it will also display many fake security alerts and notifications from the Windows task bar. Those notifications will claim that your computer is under attack from a remote computer and that a remote login attempt was blocked by AntiSpy Safeguard. Sounds great, but unfortunately that's not true. Furthermore, this scareware will block task manager, system restore and even safe mode. It will probably block all other programs on your computer too, claiming that those programs are infected. That's also a lie. As you can see, AntiSpy Safeguard is nothing more than a scam. If you find that your computer is infected with this virus, please follow the AntiSpy Safeguard removal instructions below to remove it either manually for free or with an automatic removal tool.
When they say terminate, they mean use task manager. You might also just boot to Safe Mode where the startup processes won't run in the first place.
Code:
AntiSpy Safeguard manual removal:

Kill processes:
    antispy.exe
    defender.exe
    tmp.exe

Delete registry values:
    HKEY_CURRENT_USER\Software\PAV
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = "0"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnPostRedirect" = "0"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "tmp"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "SelfdelNT"
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\antispy.exe"

Delete files:
    %UserProfile%\Application Data\antispy.exe
    %UserProfile%\Application Data\defender.exe
    %UserProfile%\Application Data\tmp.exe
    %UserProfile%\Local Settings\Temp\kjkkklklj.bat

Delete directories:
    %UserProfile%\Application Data\PAV\
%UserProfile% means your user profile. (e.g. for XP that would be c:\documents and settings\yourname or for Vista/Windows7 c:\users\yourname)
Thank you, going to set aside this evening to tackle the problem and let you know how I got rid of it. (If I do).
Bob
Got rid of it, it took time but it's gone. The virus locked me out of the programs that are used to search for viruses and malware, safe mode, and the internet (I use Firefox).
I decided to download Malwarebytes on another computer and put it on a flash drive. Fortunately I was able to install it via the USB port and run it (perhaps another way to get at this virus). Malwarebytes worked, it found the virus code processes in the Task Manager. Once these were gone I was able to re-boot and re-gain control. I then ran Malwarebytes and Avira and found some more problems. I checked all locations that were mentioned by Grogan for manual removal and none of these lines of code were there.
Thank you.................Bob
I've got a Vista laptop here right now with this same pest.
It sets itself up as the user's shell, overriding explorer. (I booted to Safe Mode with Command Prompt where cmd.exe is the shell, to get around this so I could run regedit). The program was c:\users\jake\appdata\roaming\hotfix.exe
It's changed... the names and locations of files are not the same as in that article. It did jack the redirect warnings in Internet Explorer's registry settings though, as above.
All I did for now was fix the shell entry (delete it, because it was hkey_current_user... the real shell= value is system wide) and delete the startup values so I can boot to normal mode without this loading, and use Malwarebytes and friends. I have to scan anyways, so I'll just let it do the work.
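Because the file names differ between the variants in this thread, a check keyed on the persistence locations is more durable than one keyed on names. The following is an added example, not part of the original thread: it audits the text of a `.reg` export of HKEY_CURRENT_USER for the three behaviours described above (a per-user Winlogon Shell value, Run/RunOnce values launching from the user profile, and the Internet Settings warnings set to 0). The sample export, its paths and the `placeholder.exe` name are constructed for illustration.

```python
import re

# Indicators described in the thread; matched by location, not by file name.
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
RUN_KEYS = (r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows\currentversion\runonce")
INET = r"software\microsoft\windows\currentversion\internet settings"
WARN_VALUES = ("warnonbadcertrecving", "warnonpostredirect")
PROFILE_HINTS = ("\\application data\\", "\\appdata\\", "\\local settings\\temp\\")

# Constructed sample of .reg export text (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\example\\AppData\\Roaming\\placeholder.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"tmp"="C:\\Users\\example\\AppData\\Roaming\\placeholder.exe"
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPostRedirect"=dword:00000000
'''

def parse_reg(text):
    """Yield (key, name, data) for string and dword values in .reg export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(?:"(.*)"|dword:([0-9a-fA-F]{1,8}))$', line)
        if key and m:
            name, s, d = m.groups()
            # .reg strings escape backslashes and quotes; dwords are hex.
            yield key, name, int(d, 16) if d is not None else re.sub(r"\\(.)", r"\1", s)

def audit(text):
    """Return (finding, value name, data) tuples for HKCU persistence indicators."""
    findings = []
    for key, name, data in parse_reg(text):
        root, _, sub = key.partition("\\")
        sub, name_l = sub.lower(), name.lower()
        if root.upper() != "HKEY_CURRENT_USER":
            continue
        if sub == WINLOGON and name_l == "shell":   # real shell is set system wide
            findings.append(("per-user shell override", name, data))
        elif sub in RUN_KEYS and any(h in str(data).lower() for h in PROFILE_HINTS):
            findings.append(("autorun from user profile", name, data))
        elif sub == INET and name_l in WARN_VALUES and data in (0, "0"):
            findings.append(("IE warning disabled", name, data))
    return findings

for finding in audit(SAMPLE):
    print(finding)
```

An export can be produced from a command prompt with `reg export HKCU\Software hkcu.reg`; version 5.00 exports are UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit`.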