Antispyware Soft
Antispyware Soft is a rogue security program that is ordinarily dropped on computers by a Trojan. Because the Trojan can conceal its existence from installed anti-virus programs, it is well suited to the task. Taking advantage of software and security vulnerabilities, Antispyware Soft takes control of the infected system. The fake antispyware application modifies system files, embedding its own code. It also alters the Windows registry so that it runs automatically whenever Windows is started. The infected computer will display a flood of pop-ups and alert messages that lead to a payment website, where the user is urged to acquire an Antispyware Soft registration key. In addition, the fake program runs a virus scan that deliberately reports imaginary threats that are not actually present on the computer. It reinforces its attempt to persuade victims with false warning messages like:
Windows Security Alert
Application cannot be executed. The file cmd.exe is infected. Do you want to active your antivirus software now?
The longer it stays on the PC, the more opportunity it has to continue its destructive process. It not only disables security applications but also causes other programs to stop responding. Antispyware Soft blocks programs and claims that the software is unable to run because of a virus infection. Within another couple of hours, the malware constantly contacts a remote server to fetch more threats, eventually leaving the PC unusable.
Removing Antispyware Soft through Windows Add/Remove Programs is expected to fail, since no entry was created during installation. Manual removal is also close to impossible for novice computer users because most Antispyware Soft files are deliberately hidden in system folders. We advise using a legitimate anti-spyware application for easy and hassle-free removal of Antispyware Soft.
Update: August 12, 2010
A more recent variant was released. It uses the same methods of propagation, either a Trojan or a fake antivirus web site. The new version is called Security Suite.
Alias: AntiSpywareSoft, Anti-Spyware Soft
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Antispyware Soft Removal Procedures
Removal Tool for Antispyware Soft:
1. Click here to download removal tool. Save it on your Desktop.
2. After downloading, double-click on the file to install the application.
3. Follow the prompts and install as “default” only.
4. If it prompts to update the database after installation, please proceed.
5. Click “Finish.” The program will run automatically and you will be prompted to update it before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click on “Show Results”.
8. Make sure that all detected threats are marked, then click on “Remove Selected”.
9. Restart the computer.
Online Virus Scanner:
A free way to scan the computer and remove the threat without installing an additional anti-virus application is to perform a thorough scan with a free Online Virus Scanner. These are provided by legitimate anti-virus and security providers like Symantec, TrendMicro and Kaspersky, among others.
Technical Details and Additional Information:
This rogue program is designed to keep itself on the victim's computer. Antispyware Soft modifies system settings and blocks various programs from running, particularly any installed anti-virus application. It uses this situation to its advantage, showing fake alerts to convince users to obtain the registered version.
Antivirus software alert
Infiltration Alert
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan – dropper or similar.
Details
Attack from: IP Address, port 39096
Attacked Port: 30516
Malicious Files Added by Antispyware Soft
%UserProfile%\Local Settings\Application Data\[random characters]
%UserProfile%\Local Settings\Application Data\[random characters]\[random characters]tssd.exe
File Location for Windows Versions:
- %UserProfile% is C:\Users\<Current User> on Windows Vista/7; on Windows XP/2000 it is C:\Documents and Settings\<Current User>.
Antispyware Soft Registry Entries:
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[random characters]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random characters]
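A defender-side check for the indicators above, as an added example that is not part of the original page: it parses the text of a registry export and reports the keys, autorun entries and settings this page lists, including the proxy and policy values quoted in the reader comments below. The sample export is constructed, and treating a Run value whose data matches the [random characters]tssd.exe path as the rogue autorun entry is an assumption.

```python
import re

# Keys this page lists as created by Antispyware Soft (lower-cased for matching).
ROGUE_KEYS = {
    r"hkey_current_user\software\avscan",
    r"hkey_current_user\software\avsoft",
    r"hkey_current_user\software\avsuite",
    r"hkey_local_machine\software\avsoft",
    r"hkey_local_machine\software\avsuite",
}
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
HKCU_MS = r"hkey_current_user\software\microsoft"

# Dropped file layout from the page:
#   %UserProfile%\Local Settings\Application Data\<random>\<random>tssd.exe
# (AppData\Local on Vista/7, as several comments report).
DROPPED = re.compile(
    r"\\(?:local settings\\application data|appdata\\local)"
    r"\\[a-z]+\\[a-z]+tssd\.exe", re.IGNORECASE)


def _is_one(data):
    # 1 stored either as a string or as a REG_DWORD in the export.
    return data in ("1", "dword:00000001")


# (key, value name, predicate) for the settings quoted in the comments.
SETTING_CHECKS = [
    (HKCU_MS + r"\windows\currentversion\internet settings",
     "proxyserver", lambda d: "127.0.0.1:5555" in d),
    (HKCU_MS + r"\internet explorer\download",
     "runinvalidsignatures", _is_one),
    (HKCU_MS + r"\windows\currentversion\policies\associations",
     "lowriskfiletypes", lambda d: ".exe" in d.lower()),
    (HKCU_MS + r"\windows\currentversion\policies\attachments",
     "savezoneinformation", _is_one),
]

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(token):
    # Strip .reg string quoting and escapes; non-string data is returned as is.
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token


def parse_reg(text):
    """Parse registry export text into {key path: {value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            match = VALUE_LINE.match(line)
            if match:  # blank lines and hex continuation lines are skipped
                current[_unquote(match.group(1))] = _unquote(match.group(2))
    return keys


def find_indicators(text):
    """Return (kind, key, detail) tuples for every indicator found."""
    findings = []
    for key, values in parse_reg(text).items():
        low_key = key.lower()
        low_values = {name.lower(): data for name, data in values.items()}
        if low_key in ROGUE_KEYS:
            findings.append(("rogue key", key, ""))
        if low_key.endswith(RUN_SUFFIX):
            for name, data in values.items():
                if DROPPED.search(data):
                    findings.append(("autorun", key, f"{name} -> {data}"))
        for check_key, name, is_bad in SETTING_CHECKS:
            data = low_values.get(name)
            if low_key == check_key and data is not None and is_bad(data):
                findings.append(("setting", key, f"{name} = {data}"))
    return findings


# Constructed sample export. The folder and file name are the ones a reader
# reports below; the value name "qwxzkvbn" and the user name are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AvScan]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"qwxzkvbn"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\jbwacgqww\\hrddocxtssd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"
"""

if __name__ == "__main__":
    for kind, key, detail in find_indicators(SAMPLE_REG):
        print(f"{kind:10} {key} {detail}")
```

On a live system the export file written by `reg export` is normally UTF-16, so decode it before passing the text to `find_indicators`.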
Sam Ellis
May 04, 2010 @ 22:29:50
I just managed to manually remove this virus without use of any anti-virus software. It was very difficult, but I managed to get windows task manager open within a few seconds of my computer warming up [hence bypassing the virus's ability of preventing me from opening any programmes] and worked out through trial and error on the processes tab [ending processes until the virus disappeared] which process was the virus and from here gained the file location. I then ended the process and next deleted the containing folder [that order is required]. However, once the virus is on a system the internet cannot be accessed unless it is to connect to the sales site of antispyware soft – this problem persisted even after I managed to remove the virus. I realised eventually that the virus had changed the proxy settings on my internet explorer, and I changed this back to automatic [the standard windows configuration]. I think the moderators of this site should realise that once someone has this virus they cannot access the internet to find help so perhaps it would be a good idea to send out an email to people informing them of how to remove the virus should they encounter it, as once it has infected their computer they will not be able to get any help from the internet or this site until they have completely disposed of the virus and the changes it makes to the IEs’ proxy settings.
Will
May 06, 2010 @ 18:44:06
I am currently running a scan with malwarebytes, and am still on this site whilst the virus is present. I did a similar thing to Sam by opening cmd within a few seconds of start up. I used tasklist and taskkill commands to find the source of the pop-ups and managed to keep the effects at bay. However the phony shield logo is still on the task bar.
HeLLnuT
May 07, 2010 @ 20:41:25
I managed to do the same thing, only in a different way. I held alt-ctrl-del for so long the virus could not keep up with me to close them all, had a scroll through the list and noticed an oddly named command, “EKAFGGCTSSD.exe”. I ended it and sure enough the virus disappeared after mousing over its icon. I found its main file using search but haven’t deleted it just yet, not until I do a few scans.
Dam
May 08, 2010 @ 13:31:33
Hi, I have this virus on my pc so I’m using my iPod to browse through forums. This virus is worse than the one I had before, which was called vista defender pro. I managed to get rid of it with malwarebytes anti malware, however I don’t have it any more. I only have avast and it hasn’t found anything. Any suggestions? If you have, can you tell me step by step please?
mike
May 08, 2010 @ 17:28:06
did the same thing as others…hit the ctl.alt.del as system was booting up…looked through the task manager until I found a …..ssd.EXE file and stopped that task. the pop-ups stopped, then using the search feature and used ssd as my criteria. Found two files created on the date my virus started and deleted them to the recycle bin so they could be recovered if needed…and the green icon vanished…thankfully I have both IE and firefox…couldn’t use IE to get help but firefox was unaffected thus finding this search…kept popping up ‘P0RN0 . 0RG’ as the website it wanted me to link to…had to shut off my wireless device to avoid linking into the page…they were listed as PF files on my folder.
Bill
May 08, 2010 @ 21:00:27
I used f8 and SYSTEM RESTORE to go back to an earlier time when the virus was not present.
Sean
May 09, 2010 @ 03:28:44
ok. this is the easiest way i know how to do this. please bear with me. i just figured it out after 2 days of playing with my c drive. this worked for windows vista on my laptop. you should be able to open ‘my computer’. from there, navigate to ‘control panel’. then, ‘system and maintenance’. then, ‘performance information and tools’. on this next page, on the sidebar there is a tab to ‘manage startup programs’ using windows defender. choose that option. from there, windows defender will show you all programs that run on startup. from what ive read, this virus has different names. find the one under the ‘Publisher not available’ category that has all its information ‘not available’ when you click it. end that program. then, choose the ‘currently running programs’ option instead of startup programs. here, find the same program and end the process. finally, go to the file location (for me it was in C:\Users\Milles30\AppData\Local\ in a folder called ‘didfyrqwk’). delete the folder, and it should be gone. good luck, and happy hunting :)
student
May 10, 2010 @ 02:06:51
I have been unfortunate enough to get 3 versions of this freaking virus/trojan. Today’s was antispyware soft. This one was the worst cause it wouldn’t let anything open. I’m on my boyfriend’s laptop to look up solutions. I was able to ctrl alt del at startup before the virus engaged. I already have the registry fix and malwarebites (running scan now) but couldn’t access it even when changing file names and copying from jump drive. jeez. thanks everyone for your ideas and trial and error solutions. I tried a few before finding one that worked. eff this virus!!
Caitlin
May 10, 2010 @ 16:32:25
I am on an Acer Vista laptop so I don’t know if it works differently. I also ran task manager as soon as I logged in, but that seemed to inhibit the virus, although I did not end any processes. This meant that I was able to run my AVG and scan my computer for viruses, and therefore find the virus. I was then able to go into the corresponding file and delete the folder containing the virus. I then ran my AVG again to check that the virus was gone and that everything was in working order. Thank you to everyone on this site for starting me off in the right direction! ;)
Krunchpow
May 11, 2010 @ 06:58:58
Manual removal is fairly simple if you follow the right steps. I got hit with it so I turned off my pc, booted in safe mode, ran Process Explorer to kill the process (it appeared as a random series of letters on my machine), ran HiJack This to find the directory it was hiding in (in my case, AppData\Local\jibberish) and used eraser to wipe it (I scanned it with Avira first – strangely, it is not recognized as a virus) and used HiJack This to remove it from the registry. Hope my story helps somebody.
Tess
May 12, 2010 @ 02:40:18
Got this nasty virus today. It basically hijacked my system and every file I tried to open said it was infected. AVG did detect the virus but didn’t stop it from doing its thing. I powered down then restarted in safe mode using my other computer to troubleshoot. First thing I did was used EVEREST Ultimate to stop the startup program from running. It was named jumbled letters. Then I searched my user directory under AppData\Local and sure enough the nonsense directory as well as a few files were there so deleted that with CCleaner. Next I opened internet explorer and reset my LAN settings to configure automatically instead of use a proxy. Then I went to REGEDIT and deleted all the bogus registry entries in HKEY current user. You can find the registry entries on another site using a google search. Now I am running a full Malwarebytes scan and we’ll see how that goes but system SEEMS to be back to normal.
Alicia
May 12, 2010 @ 16:53:26
Same as above. Deleting the folder is the key and scanning the reg for the name of the folder and file. The name I found was “hrddocxtssd.exe” under the local settings\App Data folder named jbwacgqww. It was difficult to pinpoint since you normally look for a file named similar to the program.
Symantec 11.0.3 picked it up when the virus was running. Another strange thing about this virus is that it runs under the user’s profile only.
I tried the rkill.com and it worked along with killing the processes and looking for the program in msconfig.
Leanne
May 13, 2010 @ 22:43:31
I had the exact same problem with the virus. I tried the many different ways and luckily found this forum or wouldn’t have been able to fix it. My virus scanners didn’t find the virus and I couldn’t locate it in start task manager. I went into control panel and did it that way then searched for appdata as it seems that’s where everybody found the virus and deleted it! Now it seems to be gone but my google chrome won’t work! :(
Stefan
May 15, 2010 @ 07:04:17
It takes about 15 seconds to pop up when system starts up…Ran “msconfig” quickly, clicked “Startup” tab, found the Appdata\local\fhkhgdskjghdfkghdg.tssd and disabled it from starting up….did the trick…THEN i ran crapcleaner which i have always had, ran the registry tool and it took out the now invalid entries :-) E-mail me if you have questions.
Ken
May 15, 2010 @ 13:35:20
Got infected as well with this “Antispyware soft” and was able to get taskmanager open on reboot, then stopped the process. Ran Malwarebytes and it got rid of the spyware. However, now internet explorer won’t work….ideas?
lawson
May 15, 2010 @ 14:11:23
sean your suggestion worked for me 1st try. was able to kill the virus 1st try without going into safe mode. ctrl alt delete on startup is key and for me the process to kill was bougcvgtssd
definitely recommend following up and looking in your user folder for the file to rid yourself of it completely.
Dan
May 15, 2010 @ 20:12:35
I found a program called “Process Explorer” that gives a more detailed view of your processes than Task Manager. I was able to download it then get it installed at start up before the virus took over. It showed a program that started with scrambled letters then tssd.exe. Was able to find it on my disk and delete it.
But there are also a bunch of registry keys that get created and need to be removed. I think this is a good list.
Finally I found another file,
RHJBKDYTSSD.EXE-0D394A48.PF
in c:\windows\prefetch.
I found that until all of this got fixed I still had some problems.
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random characters]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random characters]"
HKEY_CURRENT_USER\Software\avsoft
HKEY_CURRENT_USER\Software\avsuite
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
john
May 20, 2010 @ 02:24:38
Found the **** file!!! named tjncrywtssd in my local folder in a folder named wlfrjlhdu However unable to delete folder or file. Any suggestions ??????
Karthik
May 22, 2010 @ 04:54:31
You should know the exact location of the file before doing this process.
1. Restart the system, press F8 continuously
2. Select safe mode with command prompt
3. Remove the entire directory with rmdir command
4. Once the exe is clean, now you have to start cleaning up the other mess
Delete the following items from reg edit
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random characters]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random characters]"
HKEY_CURRENT_USER\Software\avsoft
HKEY_CURRENT_USER\Software\avsuite
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
sky_above
May 23, 2010 @ 04:15:44
thanks for all the advice, I was able to find the tssb.exe file and clean the system with ccleaner
Vista_user
May 23, 2010 @ 19:12:37
I went to system restore and it seemed to solve the problem. I did not look for a gibberish folder nor an *ssd.exe file but now that I did the restore, I certainly do not have those present. Sounds like either way works. I would think the restore method is a safer way and there is not much downside, just pick a restore point that preceded the infection date.
nate
May 24, 2010 @ 04:16:33
I can’t even get to system restore
Mike
May 24, 2010 @ 13:34:29
I have been able to get the thing removed using Malwarebytes in startup mode, however my internet explorer will only go to my home page, and google chrome will not work at all. I have removed google chrome and reinstalled it but still the same thing. It opens but will not find any pages, like it doesn’t see the internet. Any suggestions?
Help
Brett
May 25, 2010 @ 07:27:03
*READ* YOU CAN GET RID OF THIS!
Everyone’s system will be different, therefore, the actual virus may go by a different name than what has been posted by all of the others above. One may read “ehwognh.exe” or “dhjhewk.exe” (these are simply EXAMPLES) but I believe this virus does NOT go by the same “file path” or name…..BUT..
If you read SEAN’S from MAY 9TH, this may very well be the best way to get rid of the virus: it’s what worked for me AFTER I tried some of the other suggestions.
NOT ALL OF YOU will have the same “malware programs” or “anti-virus” programs that others have stated that THEY USED, but ALL OF YOU will have the access to what SEAN has stated.
1 – make sure your windows defender is ON
*if you can’t find it, go to your windows icon on the bottom left of your computer screen and simply search “windows defender”
*if the virus is not letting you into windows defender to turn it on, then restart your computer and AS SOON AS IT RESTARTS, HURRY UP AND GET INTO THE WINDOWS DEFENDER AND TURN IT ON BEFORE THE VIRUS TAKES CONTROL AGAIN
2 – Follow SEAN’S instructions (I have included them below)
*YOUR VIRUS FILE may NOT go by the same name as his, but find the “publisher not available” file, more than likely it’s going to be ” ____.exe” (the line is simply a blank for whatever your virus may be named)
*After you have stopped the processes, removed the file, etc , go back and forth between “startup programs” and “currently running …” to make sure that it has been stopped / removed)
–at this point, your pop ups should stop.
****I did not find the actual file location so I could delete it directly after this point, but what I DID DO was do a SYSTEM RESTORE. (if you can’t find it, again, go to the windows icon and search “windows restore”)
-restore the system.
NOW —- Read sean’s post and do what he did. If you still have trouble, read what I typed above, if you still have trouble after that, read everyone else’s post, if you still have trouble after that, you’re doomed.
—-SEAN’S POST—–
ok. this is the easiest way i know how to do this. please bear with me. i just figured it out after 2 days of playing with my c drive. this worked for windows vista on my laptop. you should be able to open ‘my computer’. from there, navigate to ‘control panel’. then, ’system and maintenance’. then, ‘performance information and tools’. on this next page, on the sidebar there is a tab to ‘manage startup programs’ using windows defender. choose that option. from there, windows defender will show you all programs that run on startup. from what ive read, this virus has different names. find the one under the ‘Publisher not available’ category that has all its information ‘not available’ when you click it. end that program. then, choose the ‘currently running programs’ option instead of startup programs. here, find the same program and end the process. finally, go to the file location (for me it was in C:\Users\Milles30\AppData\Local\ in a folder called ‘didfyrqwk’). delete the folder, and it should be gone. good luck, and happy hunting :)
aussie
May 25, 2010 @ 13:32:39
I managed to stop the program from starting, by going to safemode,
control panel->administrative tools->system configuration->startup
untick the file “yunmblrr” then press ok and restart
now the program will not run at the startup and you could now follow the instruction from the above post and remove the spyware program~
Lisa
May 25, 2010 @ 21:18:34
Thanks for all the info. I’ve just managed to get rid of the damn thing! Good job I’d got internet on my phone or I’d have been in real trouble!
Dixie Pixie
May 25, 2010 @ 21:28:19
I was cruising the American Thinker website when a Java Application started running. As the Application looked like an automatic Java update I let it run. Apparently the Java Application was the malware loader program for the “Antispyware Soft” program.
The Java loader dropped the malware exe file into directory location ::::
C:\ users \ (User_Name) \ appdata \ local \ XXXXXXXXX \ XXXXXXtssd.exe
{ Where X is a randomly generated lower case letter.}
As I am old school IT I went after the malware by using the right-click to file properties trick. That gave me the file path and the name of the malware exe file. Deleting and/or trying to rename the file XXXXXXTSSD.EXE did not work but changing the file path did. That killed the malware by moving the exe file to an “out of the directory path condition” for program execution.
The malware is started by a line entry in :::: [ Vista Home System ]
\%sysroot%\system32\autoexec.nt
\%sysroot%\system32\config.nt
So both files must be edited to remove the possibility of unexpected program restart due to Windows repairing the directory path.
The Internet still needed to be fixed by eliminating the proxy server. You can see how to do that in the above instructions.
Good luck and when these bandit programmers are found remember
{ Hanging Is Too Good For The Bastards.}
BURN THEM AT THE STAKE.
the doc
May 26, 2010 @ 03:28:23
Get an application called “rkill.exe” at bleepingcomputer.com. This code kills malware processes. After downloading rkill, restart your computer and run rkill immediately (before the malware runs). rkill will stop the processes and tell you what the name of the processes are. You can then do a search on the file names to locate the malware files and delete them. After this you can run antispyware to delete other folders/files associated with the malware. Try something like “malwarebytes”, which you can get free.
josh
May 27, 2010 @ 10:45:13
I gotta say I’m a total noob for computers, but Sean´s post saved me, I read most of the steps and advices but sean´s seemed easier for me :)
I have a problem though. I understand that the virus changes the configuration of the Internet Explorer so that when it’s active, it sends you only to the site where you have to pay… and after erasing the virus the changes made are still affecting the IE, only that this time you can’t go to the page because the virus is gone, but you can’t either access internet… so, again I’m a total noob, how do I change the proxy settings? I can’t find it :(… and for everyone who is still struggling, I recommend sean´s post!!
—-SEAN’S POST—–
ok. this is the easiest way i know how to do this. please bear with me. i just figured it out after 2 days of playing with my c drive. this worked for windows vista on my laptop. you should be able to open ‘my computer’. from there, navigate to ‘control panel’. then, ’system and maintenance’. then, ‘performance information and tools’. on this next page, on the sidebar there is a tab to ‘manage startup programs’ using windows defender. choose that option. from there, windows defender will show you all programs that run on startup. from what ive read, this virus has different names. find the one under the ‘Publisher not available’ category that has all its information ‘not available’ when you click it. end that program. then, choose the ‘currently running programs’ option instead of startup programs. here, find the same program and end the process. finally, go to the file location (for me it was in C:\Users\Milles30\AppData\Local\ in a folder called ‘didfyrqwk’). delete the folder, and it should be gone. good luck, and happy hunting :)
Dennis
May 28, 2010 @ 03:20:53
Like everyone else I got the virus as well. But I think I may have gotten a combination virus. Before anything loads even my screen you start hearing those d**** alerts. I said eff it and started it back to factory after I had tried everyone’s techniques. Does anyone know of a really good antispyware?
SBC
May 28, 2010 @ 05:38:54
Bless you Sean (May 9th, 2010 at 3:28 am)
Your method was quick and easy —and most important, effective!
Warsai
May 28, 2010 @ 06:33:57
The quickest way for me was to reboot my computer in safe mode ( hit F8 right after u hear the beep when it restarts)..from there i selected the option to restore my computer to an earlier date before the virus hit.. took 5 minutes and my computer is back to normal.
I am now performing a full system scan with Malwarebyte’s Anti-Malware program.
So far so good!
Minna
May 28, 2010 @ 06:46:15
“Sean” (May 9th, 2010 at 3:28 am)
THANKS SO MUCH!!! EASY AND QUICK!!!
Tyler W
May 28, 2010 @ 06:53:16
This virus is extremely frustrating but you can get rid of it. I found Sam Ellis’ post from May 4 (the first) to work perfectly.
A few other tips to add. If you have Vista (likely the same with XP), this will affect only the user profile that was in use when you acquired it. You can access the internet with other profiles. If you use a different profile, you can easily find the name the virus is using on your system, and the location of the virus, by searching for files added on the date the virus was added. You won’t be able to delete them immediately once you find them, however, because you have to disable it first.
Resetting IE after getting rid of the virus is simply a matter of de-selecting the use of a proxy in your internet options and resetting it for automatic (unless of course you use a proxy, in which case you will have to redirect IE to that proxy).
Thanks much to all for their posts. Obviously this thing is gaining steam.
Brian
May 28, 2010 @ 08:00:48
Hey guys,
managed to delete the virus but still having issues getting IE or firefox to work again. tried deselecting proxy and setting it to automatic but that didn’t seem to help. any suggestions?
Tim
May 28, 2010 @ 10:32:10
Got “antispyware soft” tonight and with your posts removed it in under 15 minutes.
-Restarted into safe mode (w/networking).
-Disabled proxy settings in IE.
-Ran MSConfig to find the offending file.
-Deleted folder containing the file.
-Searched registry for all references to the file and deleted the entries.
-Emptied the recycle bin and restarted normally.
Darned thing seemed to piggyback on a banner ad. I was surfing a site I visit regularly, something on the page started the JRE, AVG threw something in the vault, then the annoying “OMG YOU’RE INFECTED BUY NOW” started.
Rick
May 28, 2010 @ 17:15:05
I got conned into buying the software thinking it was part of my recently downloaded Malwarebytes. I saw the pop-ups and thought that this was the virus portion of Malware and needed to get it. I purchased the Platinum version, which restored some of my functions (sort of). Then I had a hunch that Antispyware may be the problem. I quickly searched on another PC and found this site. Now I am worried that buying the full version may have opened me up to all kinds of other issues. Any comments on this?
Matt
May 28, 2010 @ 19:28:13
Hi, this may be helpful. Once the virus is running it will allow any executable named “iexplore.exe” to run. So, to run any program all you have to do is rename it to “iexplore.exe”.
Mila
May 28, 2010 @ 20:25:49
Thank you SEAN and BRETT
THANK YOU SOOOOO MUCH!!!
Dude
May 29, 2010 @ 04:52:42
The easiest way to deal with this is to do System Restore. Just reboot, press F8, then select System Restore. Your PC will think about it for a bit, but you’ll finally see the Restore wizard. Just follow the steps and select a time prior to the infection.
As a slight consolation, remind yourself of how pathetic and empty the lives of these virus creators are. :-)
kacemo
May 29, 2010 @ 17:53:59
I also tried the System Restore on reboot, but it didn’t display anything after a few minutes and there didn’t seem to be any hard disk activity on the computer, so I gave up on it. Now, I’m wondering if maybe I should have waited a little longer.
In any case, I did the System Restore logged in as another user and, so far, so good: it seems like I have overcome it.
kacemo
May 29, 2010 @ 17:57:30
To Rick, who commented 5/28/10 5:15, I would recommend you try the System Restore as well if you can still find Restore Points available that preceded the problem. There’s no telling what they have done to you now, but it can’t be good.
Liz
May 30, 2010 @ 16:09:00
Thanks so much SEAN and BRETT! Your technique worked.
Hunter
May 31, 2010 @ 00:56:02
Sean you’re the right man. That helped me out so much without doing that F8 thing. Thanks man. Really appreciate that.
Eric
May 31, 2010 @ 03:45:52
My son’s computer was infected two days ago. I ran Malware Bytes, removed the bad registry entries and cleared the bad proxy. Now the system mostly works but windows update is blocked somehow. Internet Explorer says that it can’t display the page windowsupdate.microsoft.com but it will display www.microsoft.com. When I try to go to windowsupdate.microsoft.com with Firefox, it says that the connection was reset. It seems that either the URLs or the network accesses are being tampered with at a low level. My hosts file is OK and I reset and cleared all the internet zones (which wouldn’t affect Firefox anyway.) I can’t find anything obvious in the registry that would be doing something like this. Where should I look next?
Tammy
May 31, 2010 @ 04:21:42
I wish I read these earlier. I had to nuke my computer and start from scratch. I’m on my second computer and waiting for my infected computer to install the basics. I couldn’t get into control panel so I panicked lol
margaret
May 31, 2010 @ 05:02:03
You are all great! Thanks for the help-got rid of the virus/trojan.
Matt
May 31, 2010 @ 08:43:37
Thanks Sean, worked like a charm!
tom
May 31, 2010 @ 08:59:22
Thanks so much for the help!
This was a pretty annoying virus, i had to go onto another administrator account to delete my own though.
I cannot explain just how much I would like to meet one of these vermin in real life. Any one of us would be able to take these f***ers in real life, when they don’t have their little keyboards to hide behind. These ‘people’ need to face the real world, it isn’t as pretty as their WoW accounts may show it to be.
Peter, San Francisco
May 31, 2010 @ 17:48:33
My DAW computer was infected yesterday – what a frightening ordeal. Many thanks Sean, your advice worked like a charm.
In my situation the culprit programs (found in AppData\Local) were called:
vfbfnqrns/Tdxohetss.exe
asam.exe
syssvc.exe
Euge
May 31, 2010 @ 19:02:02
Hello all, I just got this virus today and decided to attack it with all your inputs here. My problem is I went to boot in safe mode, pressing F8 on start up, and when it gets to the screen I cannot up or down arrow to select Safe Mode. I tried up and down arrow, even tab, but nothing. Any help as to why?? Also I am running XP and not too computer savvy. Thanks in advance.
Euge
Your Friendly Kij
May 31, 2010 @ 19:14:55
Manual removal is not difficult, just read carefully the above instructions from some helpful people. If it looks too scary look below.
Restarted in safemode (tap f8 as computer starts up)
Continue in order.
I CHANGED the settings back in IE first. Go to tools > internet options > connections tab > lan settings > uncheck bottom two check boxes in proxy area > check top box that says auto detect settings (hope you’re not using an odd internet service)
Download CCleaner at hxxp://www.piriform.com/ccleaner/download
Download And install Spybot S&D and detection list update at hxxp://www.safer-networking.org/en/spybotsd/index.html
USE spybotS&D (free spyware removal) will remove folder/files and some associated registry entries.
RESTART
INSTALL and USE CCleaner to remove leftover registry crap.
RESTARTED. Ran all (spybotS&D, CCleaner, and antivirus) again and it all came up clean.
Great programs to keep on your system at all times because 3 years ago I got something that took 5 min to remove. This took me 15 min, mostly waiting for the S&D scan.
Euge
May 31, 2010 @ 19:15:09
Well, I tried the Control Panel route to turn on the Windows Defender Virus Protection button in Security Center and it wouldn’t show up till the virus started, now what??
Euge
May 31, 2010 @ 19:47:06
No, I tried system restore and I could not go back a few days or a week even, only to about the time I think the virus started at 1130 a yesterday. How come I can’t go back any farther to a different date? Sorry for noob ?’s
Victoria
Jun 01, 2010 @ 01:17:13
So, I got this thing 3 days ago, used system restore and it worked for an hour or two then the stupid pop-ups started again. I found that folder that it was in, and I THINK (I’m in safemode so the Antispyware Soft isn’t running) I got rid of it. But I’d like to point out, look at the random little programs at the bottom of AppsData/Local. There was one program in the folder, and there were two that were outside of it, and I’m sure they are a part of it because they were made at the same time as the folder… So check the programs in Local as well, don’t leave little bits of it behind, it’ll come back.
Thanks Sean!!!
Johnny
Jun 01, 2010 @ 05:29:19
Let me tell you i thought i was doomed, but Sean and Brett came to the rescue and was able to fix the problem in minutes. Thanks to all of you that posted the remedy..
Patrick Zhen
Jun 01, 2010 @ 13:32:43
I did the same thing as most people. I held alt-ctrl-del and found the …ssd.exe file and tried to find all the folders and deleted those. When I restarted my computer it was still there, so I held alt-ctrl-del and deleted the ..ssd.exe file, then system restored it, and finally it worked.
Abe Assad
Jun 01, 2010 @ 15:44:33
Quick task manager + end process + McAfee worked for me. If you have Mozilla on your pc you can access the interweb using that.
Matt
Jun 02, 2010 @ 01:34:26
Just restart in safe mode and do a system restore.
Shtin
Jun 02, 2010 @ 05:51:21
I opened up task manager right away and stopped the -tssd.exe process. Then I followed Sean’s instructions and I got no more pop-ups. However, my internet explorer or google chrome don’t work. Any suggestions?
Thanks a ton Sean!!!
Shtin
Jun 02, 2010 @ 06:06:29
Never mind, found the answer to my own problem.
Essentially, I reset internet explorer AFTER what I did earlier.
Found the instructions at support.microsoft.com/kb/318378
and did the following
Start Internet Explorer.
On the Tools menu, click Internet Options.
On the Advanced tab, click Reset.
In the Reset Internet Explorer Settings dialog box, click Reset to confirm.
No reinstalling necessary and everything is in working order!
tsunamela
Jun 02, 2010 @ 07:09:18
thank you sean and brett!!! :]
Alexander Jones
Jun 02, 2010 @ 20:10:04
On the twentieth, I was infected by this. (God! This feels like an AA Meeting.) I managed to remove the virus by opening Malwarebytes Anti-Malware and Symantec Endpoint Protection. But now I’m having problems. When it first struck, I received two error reports: “Run DLL as an app has encountered an error and must now close” and “Dr. Watson Post Mortum Debugger has encountered an error yada yada yada.” During the reign of the virus I couldn’t open Windows Media Player 11. After: I now still can’t open Media Player 11, I get the Run DLL and Dr. Watson errors AT LEAST once every session, my windows and start bar at the bottom of the screen change appearance to Windows’ Classic and I don’t get any other options to change appearance, every once in a while after startup I can’t access any wireless signal and the speakers won’t work: I get a loud beep when something goes wrong or some simple window pops up, even when headphones are plugged in. Chkdsk (suggested by a friend) won’t fix the problem, and System Restore’s earliest restore point is the exact moment that Antispyware Soft hit. I have Windows XP. Can someone help please?!
jinnei
Jun 03, 2010 @ 00:54:24
peeps give me a feedback here!!!
1. restarted windows in safemode.
2. run msconfig.exe and under startup i disabled an item that looked like random letters with unknown manufacturer (note the command and location)
3. reboot
4. go to the path as noted on the command and delete the whole folder!
5. run regedit.exe and follow the location. there, make sure you delete everything that is similar of what dan wrote (be careful on what you delete!!!)
6. run all of your antivirus and reg cleaners!
well…it worked for me (i think). i’ll let it run for a while and see what happens. but, in my startup it left that startup command i just dont know how to remove it.
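A read-only way to do the inspection several commenters describe (startup items with an unknown manufacturer, executables under AppData\Local, a planted proxy setting), as an added example that is not part of any commenter's post. It assumes PowerShell 3.0 or later and the standard Windows Run/RunOnce keys and Internet Settings proxy values; it only lists candidates for review and removes nothing.

```powershell
# Added example: read-only triage of autostart entries and the WinINET (IE) proxy.
# Nothing is changed or deleted; review the output before acting on it.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Per-user profile folders, where commenters found the rogue executables.
$userDirs = @($env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ }

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        # Extract the executable path from a quoted or bare command line.
        $path = if ($command -match '^\s*"?([^"]+?\.exe)') { $Matches[1] } else { $command.Trim() }
        if (-not $path) { continue }
        $company = $null
        $signature = 'FileMissing'
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # -Force is needed because the dropped files are often marked hidden.
            $company = (Get-Item -LiteralPath $path -Force).VersionInfo.CompanyName
            $signature = [string](Get-AuthenticodeSignature -LiteralPath $path).Status
        }
        [pscustomobject]@{
            Name      = $name
            Path      = $path
            InProfile = [bool]($userDirs | Where-Object {
                $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            Company   = $company
            Signature = $signature
        }
    }
}

# Entries worth a manual look: run from the user profile, not validly signed, or no publisher.
$entries | Where-Object { $_.InProfile -or $_.Signature -ne 'Valid' -or -not $_.Company } |
    Format-Table Name, Path, InProfile, Company, Signature -AutoSize

# Proxy values the commenters had to clear under LAN settings.
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List
```

A flagged entry is only a candidate: legitimate software also starts from the user profile, so check the path and publisher before disabling or deleting anything.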
thanervous1
Jun 03, 2010 @ 18:06:18
I just rebooted into safe mode and ran Spybot. It found the file and the registry keys and removed them. Rebooted as normal and it was gone, then reran Spybot 2b sure. Problem solved.
thanervous1
Jun 03, 2010 @ 18:09:41
Oh, and I had 2 reset my Explorer 8: go to tools/internet options/connections/lan settings, uncheck use a proxy server
brooks
Jun 04, 2010 @ 08:10:54
YAAAAA Sean ur post is the best, I used ur post. But the one thing was that I couldn’t find it, sooo I stopped an explorer.exe program in the task manager n it popped up, it was crazy. I then found the location n bam zapped it. Still having problem with internet to work but for now I’ll use the guest profile hahahahhahahahahah. U saved my life, my mom had a report due by 4:30 hahhahaahahaha it started around 3:30 soooo u get my drift hahahaaha.
thanks a lot sean!!!!!
Russ
Jun 04, 2010 @ 13:07:53
Does anyone know…Will any virus programs prevent it from action?
Larry
Jun 04, 2010 @ 23:17:18
Sean,
Thank you so much. I followed exactly what you said, and it worked perfectly. The only other thing I had to do was remove the proxy server settings and click automatically detect settings in the LAN part of the connection options in IE because I couldn’t get back online. Now it works perfect. Thanks again Sean!!!
Qasim
Jun 05, 2010 @ 18:57:41
I finally managed to get rid of it …Thanks to MIKE ..Thanks alot…Keep holding down ctrl-alt-del and remove weird files …Hope it helps you too!
Lisa
Jun 05, 2010 @ 23:07:47
Sean – thanks for the tip. It was pretty easy with your instructions and yes that was a very frustrating virus.
Mike
Jun 06, 2010 @ 22:16:16
Here are part of the instructions for removal of the Trojan.Zlob.P virus…
Click Start > Run.
Type services.msc, and then click OK.
Locate and select the service that was detected.
Click Action > Properties.
Click Stop.
Change Startup Type to Manual.
Click OK and close the Services window.
Restart the computer.
We are at a loss as to what “Locate and select the service that was detected.” means. Any clarification would be appreciated!
Adam
Jun 07, 2010 @ 13:04:04
Well, a very big thanks to Sean. This worked perfectly (from what I can tell, so far), so thanks.
To everyone that has been saying they use Chrome or IE… get a real browser like Firefox!
Cyberologist
Jun 20, 2010 @ 06:50:02
I just got it a few hours ago…I got rid of it using Windows System Restore. I restored it to a point a few days ago and it worked, it got rid of it…someone gave me this afterwards…It’s a horrid nasty little sucker…I had to go into Safe Mode just in order to get to the system restore.
It locked down my entire computer, couldn’t access the desktop or get to the internet..just a black screen…
Cyberologist
Jun 20, 2010 @ 06:53:08
Russ Re:
Does anyone know…Will any virus programs prevent it from action?
A: I reported this to my antivirus people in an email
they are aware of it and working on a script…I always report these things if I know it to be malicious like this one ….
Kristen
Jun 24, 2010 @ 15:17:51
Hi. I’ve briefly read through the above comments regarding this virus. I have an Acer aspire one, just got the virus this morning, and it’s a doozy. I can’t get out to internet at all, and can’t do a system restore….it won’t let me do ANYTHING and keeps bumping me out everywhere I go. HELP!!!
Kristen
Jun 24, 2010 @ 18:14:57
Got my fix. My brother, who is a tech for a cable/internet co., found the info that got rid of my mess. While rebooting I pressed alt and f10 which gave me a total system restore. The only negative was that I lost all current info on my pc….small price to pay I guess…
dan g
Jul 15, 2010 @ 09:25:59
I was tricked into actually making a purchase from the antispyware soft virus, and later removed everything with a system restore. However, looking back, I can’t recall what all information I had to provide in order to make the purchase. Does anybody know what information is required for the purchase?
edgar rivas
Aug 14, 2010 @ 15:11:34
ANTIVIR SOLUTION PRO!!!!! So I had a variant of antispyware. The interface was identical and took over my system without me ever doing anything that might allow a virus to infect a pc. I noticed my system was lagging more than usual right after logging in, but I figured it was just the internet. A few seconds after I finished downloading MS updates I decided to run AVG and bam! It popped up saying my system is infected and looked like it was scanning, then a window popped up saying AVG was infected. Right away I disabled wireless and tried stopping the process and it would not be stopped no matter how often I did it. I forced a shutdown, did safe mode and ran AVG, Avast, and Ad-Aware but they found nothing! Malwarebytes would not open, not even in safe mode. So I shut down and cried a while, then when I felt brave enough I turned it back on, my MS updates installed and I Ctrl Alt Delete before anything could load, stopped the process and used Malwarebytes… it found 3 major trojans, the one I remember was named viking. I found my security had been disabled and port 80 was open. I fixed everything, installed updates via CD to avoid connecting to the net. Anyway, the point is now my version of XP is running in limited user mode and I can’t get any networking or security services to run and my theme is classic Windows, all drivers will not load, and system restore files and saved points are gone. I also had to activate Windows again through MS, they were kind and helpful…. That’s it people. Good luck everyone
Sal
Aug 22, 2010 @ 12:05:56
Just wanted to say thanks to everyone who provided advice on this page. Sorted laptop out, just restarted in safe mode with networking, quick as possible upon loading laptop have pressed ctrl+alt+delete to bring up task manager. Went to processes, ended the process of the file I thought was the corrupt one (be aware as per above that if you end the incorrect file it may crash your computer).
After doing the above have simply restored to a few days back and BANG, system sorted. No spyware, have got my poor excuse for virus checker McAfee doing a full clean up of my laptop now.
Hope whoever made this virus gets pins stuck in his balls and acid flushed up his ass!!!
jolin
Dec 29, 2010 @ 05:23:31
Actually, recently I’ve found another way to speed up my poor PC, the software “tuneup360”. It’s very easy to handle and of course very powerful, my friends and I all use it now, maybe you can have a try.