
Antispyware Soft Removal and Analysis

by Shanmuga

Antispyware Soft is similar in interface and behavior to Antivirus Soft, Antivirus Live and Antivirus soft scareware. This malicious, rogue security software aggressively displays fraudulent system security alerts about non-existent network infiltration attempts and malware.

When installed, the Antispyware Soft rogue:

  • Installs the Fake Windows Security Center where all the links lead to its payment page.
  • Hijacks Internet Explorer and automatically opens a specific set of porn websites every few minutes.
  • Blocks execution of most programs.
  • Blocks execution of Task Manager, Command Prompt and MS Configuration editor.
  • Blocks Windows firewall, Automatic Updates and Internet Options.
  • Disables Internet Explorer Phishing Filter.

Scareware like Antispyware Soft is commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages, which cyber criminals distribute throughout the Web using blackhat SEO techniques, spam and malicious Flash advertisements.


Antispyware Soft Removal (How to remove Antispyware Soft)

MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

  1. Boot into Windows Safe Mode with Networking.
  2. Download MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe), or download it on a clean computer and copy it to removable media such as a CD, DVD or USB flash drive.
  3. Double-click mbam-setup.exe to start the installation and follow the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
  4. Once the update is completed, launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
  5. Turn System Restore off and on.

If Internet Explorer is still being redirected to the scareware website, remove the proxy settings as follows:

Open Internet Explorer, click the Tools menu and then click Internet Options, or open Internet Options via Control Panel. In the Internet Options window, select the Connections tab. In the Connections tab, click LAN settings.


In the Local Area Network (LAN) Settings window, click Advanced and clear the proxy address and port 5555. Click Yes and OK your way out.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Antispyware Soft. The real-time component of the paid version includes dynamic blocking of malicious websites and servers, and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

Antispyware Soft Analysis

Rogue security software such as Antispyware Soft belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own. They need to be removed immediately from your system.

The trojan downloader was about 271104 bytes in size. It was detected by 32/41 (78.05%) of antivirus engines available at VirusTotal. Detection names reported included:

  • Trojan.Win32.FakeSpypro
  • Trojan/Win32.FraudPack
  • W32/FakeAlert.GQ.gen!Eldorado
  • Win32:Rootkit-gen
  • Win32/XPInternetSecurity.D
  • Trojan.Win32.FraudPack.avgj
  • Win32/Adware.SpywareProtect2009
  • Troj/FakeAV-BGE
  • FraudTool.Win32.AVSoft (v)
  • SpywareGuard2008

Typical Antispyware Soft Scare Messages

Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now.

Infiltration alert. Virus Attack. Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transactions and cancel the card. You may also request them to issue a new card with a different number.

Antispyware Soft Associated Files and Folders

  • C:\Documents and Settings\\Local Settings\Application Data\ylyqcrynp\klbqtgitssd.exe
  • C:\WINDOWS\Prefetch\

Some of the file names may be randomly generated. The term or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Antispyware Soft Associated Registry Values and Keys

  • HKEY_CURRENT_USER\Software\avsoft
  • HKEY_CURRENT_USER\Software\avsuite
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures=no
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures=1
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8=0
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=http=
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes=.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation=1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\njjhiffj=C:\Documents and Settings\\Local Settings\Application Data\ylyqcrynp\klbqtgitssd.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\JITDebug=1

The term or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.
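The security-relevant registry changes listed above can be audited offline from a text dump of the user hive. The following is an added example, not part of the original article: it parses `reg export` text and flags the settings from the list; the sample export, its value types, the `USER` account name and the proxy host placeholder are constructed for illustration.

```python
import re
# Constructed `reg export` text; value types, USER and the proxy host are assumptions.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\avsuite]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"EnabledV8"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=PROXY-HOST-PLACEHOLDER:5555"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"njjhiffj"="C:\\Documents and Settings\\USER\\Local Settings\\Application Data\\ylyqcrynp\\klbqtgitssd.exe"
'''
# (key suffix, value names or () for any, test on decoded data, meaning), from the article's list
RULES = [
    (r"\internet explorer\download", ("CheckExeSignatures",), lambda d: d == "no", "download signature check off"),
    (r"\internet explorer\download", ("RunInvalidSignatures",), lambda d: d == "1", "invalid signatures allowed"),
    (r"\internet explorer\phishingfilter", ("Enabled", "EnabledV8"), lambda d: d == "0", "Phishing Filter disabled"),
    (r"\currentversion\internet settings", ("ProxyServer",), lambda d: d.endswith(":5555"), "proxy on port 5555"),
    (r"\policies\associations", ("LowRiskFileTypes",), lambda d: ".exe" in d.lower(), ".exe marked low risk"),
    (r"\currentversion\run", (), lambda d: "\\local settings\\application data\\" in d.lower(), "autorun from user profile"),
]
ROGUE_KEYS = (r"\software\avsoft", r"\software\avsuite")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def decode(raw):
    """Decode the two .reg value encodings used here: dword and quoted string."""
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escaping
    return raw  # hex(...) and other types are left untouched

def audit(text):
    """Return (key, value name, meaning) for every setting that matches a rule."""
    findings, key = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().endswith(ROGUE_KEYS):
                findings.append((key, "", "rogue configuration key present"))
            continue
        m = VALUE.match(line)
        for suffix, names, bad, meaning in (RULES if m else ()):
            if key.lower().endswith(suffix) and (not names or m.group(1) in names) and bad(decode(m.group(2))):
                findings.append((key, m.group(1), meaning))
    return findings
```

Files written by `reg export` or regedit are UTF-16 encoded, so read them with `open(path, encoding="utf-16")` before passing the text to `audit`.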

Antispyware Soft Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • avtiviruspower .com

Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.


Note: The Antispyware Soft installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.


Site Tech May 15, 2010 at 4:20 AM

All of these infections are essentially the same in nature but the real question is how are these infections actually getting past security suites and such. Even if the user clicks on the page (Which they are) why won’t the AV and AS programs block the execution. If these programs can detect the infection once it is on the computer why can’t they detect the threat before infection?

Site Tech


NCPhysicist9 May 24, 2010 at 4:32 PM

With Windows XP SP3 I appear to have gotten a successful disinfection with Malwarebytes. Since data files are not usually infected, might I suggest a backup of your data files before you just merrily go along? In actual point of fact, one can usually retrieve data-only files like Word, Excel, PDFs etc. while in Safe Mode. “Antispyware Soft” infected our home desktop PC, which is the oldest computer in the house. It truly is a pretty nasty infection to contend with, especially manually. Thank you for the great product. I’m looking into ways of using your product but will have to first get rid of the stubborn remnants of Norton AV, which I do not like!


Tina May 28, 2010 at 12:29 AM

My husband’s CPU was just attacked with Antispyware Soft. It removed Malwarebytes software and disabled AVG. They had both been updated first thing this morning. It also appears to have locked some of the files.

I’m now in the process of reinstalling both AVG & Malwarebytes. Very frustrating.


chevy812 May 28, 2010 at 11:21 AM

I would like to praise you on this software fix. I am so happy to have my laptop back. My hubby used my laptop and when I opened it to use it, it told me that I had a virus and it wanted me to pay money to fix my laptop. I used my desktop and downloaded this fix onto a USB and downloaded it onto my laptop because the virus disabled my SD drive. Downloaded using USB and then used the safe mode and it worked great.



Abubeker Osman May 28, 2010 at 7:42 PM

I was so frustrated that I couldn’t do anything at all because my computer was infected. Downloaded and followed the instruction how to remove it. Now I can use my Internet browser.


Deb May 29, 2010 at 1:05 AM

I managed to pick this virus up last night. Found instructions on how to remove, and still have the virus. Here’s what I’ve done:

Rebooted into Safe Mode with Networking
Ran Malwarebytes and AVG command scan (4 hours!!)
Rebooted & cleared proxies for both browsers

The virus is still popping up “warnings” every two seconds. Bah.


Running Vista and using Firefox for everyday surfing; I only use IE for one work-related site which requires activex for filling in data.

Standard protector is a combo of AVG and Adaware which has, up til now, done me well!

Many thanks.



Anonymous May 29, 2010 at 2:57 AM

Thank you!!!!!!!!!!!!!!!!!!


Kim June 4, 2010 at 1:46 AM

Thank You, Thank You!!!! We have no idea how we got this virus. We are using Windows 7 on a computer that is two months old to us. We also are anti IE.
Other sites say Spyware Doctor removes the Antispyware Soft …uh, no it does not. It goes through the motions but does nothing. I found your site and Yes, it worked….Thanks Again!


Anonymous June 5, 2010 at 4:09 AM

This worked great


dan g July 15, 2010 at 3:03 PM

I was tricked into actually making a purchase from the antispyware soft virus, and later removed everything with a system restore. However, looking back, I can’t recall what all information I had to provide in order to make the purchase. Does anybody know what information is required for the purchase?


Harriskyr September 19, 2010 at 3:00 AM

Thank you. I was surfing into various sites and I got that virus, which I could not remove until I found your site. I was really desperate before as it had almost blocked everything, but after running Malwarebytes my laptop seems to be working fine.

Most grateful!


Sarah September 28, 2010 at 2:27 AM

My husband’s computer got infected with this virus software and your directions have helped cure the problem. Thank you so very much for your help! You’re Awesome!! 🙂

