Manual Removal Guide for AntiSpyCheck



Friday
2008-11-28, 18:04
The following instructions have been created to help you to get rid of "AntiSpyCheck" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
malware

Description:
AntiSpyCheck claims to be an antispyware solution. Once installed, it reports spyware detections even if the computer is a totally clean machine. To fix these supposed problems, the user is told to purchase a license.

Removal Instructions:

Desktop:

Please remove the following files from your desktop.
To check where they are pointing to, right-click them and choose "Properties" from the context menu that appears.

Shortcuts named "AntiSpyCheck v2.4.lnk" and pointing to "<$PROGRAMFILES>\AntiSpyCheck\*.exe".

Start Menu:

Please remove the following items from your start menu.
To check where they are pointing to, right-click them and choose "Properties" from the context menu that appears.

Items named "AntiSpyCheck v2.4 Un-Installer.lnk" and pointing to "<$PROGRAMFILES>\AntiSpyCheck\uninst.exe".
Items named "AntiSpyCheck v2.4 Website.lnk" and pointing to "<$PROGRAMFILES>\AntiSpyCheck\AntiSpyCheck.url".
Items named "AntiSpyCheck v2.4.lnk" and pointing to "<$PROGRAMFILES>\AntiSpyCheck\*.exe".

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "ASpyC" and pointing to "*".
Entries named "aspch" and pointing to "*".
Entries named "asc32" and pointing to "*".
Entries named "AntiSpyCheck 2.1" and pointing to "*".
Entries named "AUTORUN_VAL" and pointing to "*".
Entries named "AntiSpyCheck 2.1.0" and pointing to "*".
Entries named "AntiSpyCheck" and pointing to "*".
Entries named "AntiSpyCheck" and pointing to "<$PROGRAMFILES>\AntiSpyCheck\*.exe*".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products that have a key or property named "ASpyC".
Products that have a key or property named "aspch".
Products that have a key or property named "asc 2.1".
Products that have a key or property named "AntiSpyCheck 2.1".
Products that have a key or property named "IEBrowse Tool".
Products that have a key or property named "IExplorer Bar".
Products that have a key or property named "Warning Center".
Products that have a key or property named "AntiSpyCheck".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$PROGRAMFILES>\ASC 2.1\ASCWarning32.dll".
The file at "<$PROGRAMFILES>\Web Technologies\iebt.dll".
The file at "<$PROGRAMFILES>\Web Technologies\iebr.dll".
The file at "<$COMMONDESKTOP>\Antivirus Scan.url".
The file at "<$COMMONDESKTOP>\Online Spyware Test.url".
The file at "<$COMMONSTARTMENU>\Antivirus Scan.url".
The file at "<$COMMONSTARTMENU>\Online Spyware Test.url".
The file at "<$PROGRAMFILES>\ASpyC\ASpyC.exe".
The file at "<$PROGRAMFILES>\ASpyC\uninst.exe".
The file at "<$QUICKLAUNCH>\AntiSpyCheck 2.1.lnk".
The file at "<$QUICKLAUNCH>\AntiSpyCheck 2.1.0.lnk".
The file at "<$STARTMENU>\AntiSpyCheck 2.1.0.lnk".
The file at "<$DESKTOP>\AntiSpyCheck 2.1.0.lnk".
The file at "<$FAVORITES>\Antivirus Scan.url".
The file at "<$STARTMENU>\Antivirus Scan.url".
The file at "<$DESKTOP>\Antivirus Scan.url".
The file at "<$STARTMENU>\Online Spyware Test.url".
The file at "<$DESKTOP>\Online Spyware Test.url".
The file at "<$WINDIR>\neltabxw.exe".
The file at "<$PROGRAMFILES>\AntiSpyCheck\activex.db".
The file at "<$PROGRAMFILES>\AntiSpyCheck\AntiSpyCheck.url".
The file at "<$PROGRAMFILES>\AntiSpyCheck\blacklist.db".
The file at "<$PROGRAMFILES>\AntiSpyCheck\config.ini".
The file at "<$PROGRAMFILES>\AntiSpyCheck\cookies.db".
The file at "<$PROGRAMFILES>\AntiSpyCheck\filesNames.db".
The file at "<$PROGRAMFILES>\AntiSpyCheck\hosts.db".
The file at "<$PROGRAMFILES>\AntiSpyCheck\knownLocations.db".
The file at "<$PROGRAMFILES>\AntiSpyCheck\md5.db".
The file at "<$PROGRAMFILES>\AntiSpyCheck\registry.db".
The file at "<$PROGRAMFILES>\AntiSpyCheck\sdebug.log".
The file at "<$PROGRAMFILES>\AntiSpyCheck\spywareinfo.db".
The file at "<$PROGRAMFILES>\AntiSpyCheck\tips.txt".
The file at "<$PROGRAMFILES>\AntiSpyCheck\uninst.exe".
The file at "<$PROGRAMFILES>\AntiSpyCheck\Languages\English.ini".
The file at "<$PROGRAMFILES>\AntiSpyCheck\Languages\Spanish.ini".
The file at "<$PROGRAMFILES>\AntiSpyCheck\Plugins\DesktopManager\DesktopManager.dll".
The file at "<$PROGRAMFILES>\AntiSpyCheck\Plugins\DesktopManager\Languages\English.ini".
The file at "<$PROGRAMFILES>\AntiSpyCheck\Plugins\DesktopManager\Languages\Spanish.ini".
The file at "<$PROGRAMFILES>\AntiSpyCheck\Plugins\MessengerControl\MessengerControl.dll".
The file at "<$PROGRAMFILES>\AntiSpyCheck\Plugins\MessengerControl\Languages\english.ini".
The file at "<$PROGRAMFILES>\AntiSpyCheck\Plugins\MessengerControl\Languages\Spanish.ini".
Make sure you set your file manager to display hidden and system files. If AntiSpyCheck uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$PROGRAMFILES>\ASpyC".
The directory at "<$PROGRAMFILES>\aspch".
The directory at "<$PROGRAMFILES>\ASC 2.1".
The directory at "<$PROGRAMS>\AntiSpyCheck 2.1".
The directory at "<$PROGRAMFILES>\AntiSpyCheck 2.1".
The directory at "<$PROGRAMS>\AntiSpyCheck 2.1.0".
The directory at "<$PROGRAMFILES>\AntiSpyCheck".
The directory at "<$WINDIR>\pebgkxwq".
The directory at "<$PROGRAMS>\AntiSpyCheck".
The directory at "<$PROGRAMFILES>\AntiSpyCheck\Languages".
The directory at "<$PROGRAMFILES>\AntiSpyCheck\Logs".
The directory at "<$PROGRAMFILES>\AntiSpyCheck\Plugins\DesktopManager\Languages".
The directory at "<$PROGRAMFILES>\AntiSpyCheck\Plugins\DesktopManager".
The directory at "<$PROGRAMFILES>\AntiSpyCheck\Plugins\MessengerControl\Languages".
The directory at "<$PROGRAMFILES>\AntiSpyCheck\Plugins\MessengerControl".
The directory at "<$PROGRAMFILES>\AntiSpyCheck\Plugins".
The directory at "<$PROGRAMFILES>\AntiSpyCheck\Quarantine".
The directory at "<$PROGRAMFILES>\AntiSpyCheck".
Make sure you set your file manager to display hidden and system files. If AntiSpyCheck uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "{F58FF278-2198-403b-9170-C95022A194C6}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "ASpyC" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
Delete the registry key "{F58FF278-2198-403b-9170-C95022A194C6}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "ASpyC" at "HKEY_LOCAL_MACHINE\Software\".
Delete the registry key "ASpyC" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "{E1FAB6BD-4A34-47ce-82AF-50B16A6BE77E}" at "HKEY_CLASSES_ROOT\CLSID\".
A key in HKEY_CLASSES_ROOT\ named "ThreatWarning.WarningBHO", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "ThreatWarning.WarningBHO.1", plus associated values.
Delete the registry key "aspch" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
Delete the registry key "{E1FAB6BD-4A34-47ce-82AF-50B16A6BE77E}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "aspch" at "HKEY_LOCAL_MACHINE\Software\".
Delete the registry key "aspch" at "HKEY_CURRENT_USER\Software\".
Delete the registry value "<$PROGRAMFILES>\aspch\ASpCh.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
Delete the registry value "<$PROGRAMFILES>\aspch\ASpCh.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
Delete the registry value "<$PROGRAMFILES>\aspch\ASpCh.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
Delete the registry key "{58472BC6-BEA3-42d4-8917-7A8BCB0711B5}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
A key in HKEY_CLASSES_ROOT\ named "ASCWarning32.WarningBHO", plus associated values.
Delete the registry key "{58472BC6-BEA3-42d4-8917-7A8BCB0711B5}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry value "{65742936-8079-408B-9F3C-874B78030A72}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\".
Delete the registry value "{65742936-8079-408B-9F3C-874B78030A72}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\".
Delete the registry value "{65742936-8079-408B-9F3C-874B78030A72}" at "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\".
Delete the registry value "{65742936-8079-408B-9F3C-874B78030A72}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\".
Delete the registry key "{65742936-8079-408B-9F3C-874B78030A72}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "asc" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
Delete the registry key "ASC 2.1" at "HKEY_LOCAL_MACHINE\Software\".
Delete the registry key "ASC 2.1" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "{0BD44AB1-76A7-4E05-92F4-4B065FE72BD6}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{0BD44AB1-76A7-4E05-92F4-4B065FE72BD6}" at "HKEY_CLASSES_ROOT\CLSID\".
A key in HKEY_CLASSES_ROOT\ named "SpyWarning.WarningBHO", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "SpyWarning.WarningBHO.1", plus associated values.
Delete the registry key "AntiSpyCheck 2.1.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
Delete the registry key "AntiSpyCheck 2.1" at "HKEY_LOCAL_MACHINE\Software\".
Delete the registry key "AntiSpyCheck 2.1" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "{56FA7933-DC3E-403b-8D47-BB5E3F345A21}" at "HKEY_CLASSES_ROOT\CLSID\".
A key in HKEY_CLASSES_ROOT\ named "IEWarning.WarningBHO", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "IEWarning.WarningBHO.1", plus associated values.
Delete the registry key "{56FA7933-DC3E-403b-8D47-BB5E3F345A21}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "AntiSpyCheck" at "HKEY_CURRENT_USER\Software\".
Delete the registry value "{F99D0C20-F8E1-43B6-AB24-3F16BFAEA77B}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\".
Delete the registry value "{F99D0C20-F8E1-43B6-AB24-3F16BFAEA77B}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\".
Delete the registry value "{F99D0C20-F8E1-43B6-AB24-3F16BFAEA77B}" at "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\".
Delete the registry value "{F99D0C20-F8E1-43B6-AB24-3F16BFAEA77B}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\".
Delete the registry value "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".
Remove "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}" from registry value "DefaultScope" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".
Delete the registry key "{A49E097A-D6EF-4B2F-8B0F-1230E998587F}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{A49E097A-D6EF-4B2F-8B0F-1230E998587F}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{F99D0C20-F8E1-43B6-AB24-3F16BFAEA77B}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{9989F1F6-70DE-4244-AC9F-6672983681A0}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{9989F1F6-70DE-4244-AC9F-6672983681A0}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
A key in HKEY_CLASSES_ROOT\ named "IEWarning32.WarningBHO", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "IEWarning32.WarningBHO.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "AntiSpyCheck.Server", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "AntiSpyCheck.Server.1", plus associated values.
Delete the registry key "{90E48040-F6F3-434e-A847-21687C04FA38}" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "antispycheck.EXE" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "(aa5e63f4-5df2-4b48-9c53-01f37d0174c3)" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{D2608046-DD09-A225-01BF-70C1EDD8B2E8}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{CF231820-9904-4A37-B5B0-C87EF6F6CC82}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5AA883DB-7CFD-4737-B3C3-C671595ECCE5}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "AntiSpyCheck" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "AntiSpyCheck.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
If AntiSpyCheck uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help, please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance, then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as available.
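
A read-only pre-check for the manual steps in the guide above, added here as an example (it is not part of the original post and not Spybot-S&D's own tooling): it expands a subset of the listed paths and reports which files, folders, autorun values and Browser Helper Object keys actually exist, so each hit can be reviewed before anything is deleted. The mapping of the "<$...>" tokens to Windows folders and the use of the standard Run keys for "autorun entries" are assumptions; the guide defines neither.

```powershell
# Added example: read-only audit of artifacts named in this guide. Deletes nothing.
# ASSUMPTION: the guide's <$...> tokens map to the standard Windows folders below.
$tokens = @{
    '<$WINDIR>'        = $env:windir
    '<$DESKTOP>'       = [Environment]::GetFolderPath('Desktop')
    '<$COMMONDESKTOP>' = [Environment]::GetFolderPath('CommonDesktopDirectory')
}
# 32-bit software installs under "Program Files (x86)" on 64-bit Windows, so try both roots.
$pfRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique

function Expand-GuidePath([string]$Path) {
    foreach ($t in $tokens.Keys) { $Path = $Path.Replace($t, $tokens[$t]) }
    $pfRoots | ForEach-Object { $Path.Replace('<$PROGRAMFILES>', $_) } | Select-Object -Unique
}

# Subset of the file, folder, autorun and BHO indicators listed in the guide.
$paths = '<$PROGRAMFILES>\AntiSpyCheck', '<$PROGRAMFILES>\ASpyC\ASpyC.exe',
         '<$PROGRAMFILES>\ASC 2.1\ASCWarning32.dll', '<$PROGRAMFILES>\Web Technologies\iebt.dll',
         '<$WINDIR>\neltabxw.exe', '<$WINDIR>\pebgkxwq', '<$COMMONDESKTOP>\Antivirus Scan.url'
$runNames = 'ASpyC', 'aspch', 'asc32', 'AntiSpyCheck 2.1', 'AUTORUN_VAL', 'AntiSpyCheck 2.1.0', 'AntiSpyCheck'
$clsids = '{F58FF278-2198-403b-9170-C95022A194C6}', '{E1FAB6BD-4A34-47ce-82AF-50B16A6BE77E}',
          '{58472BC6-BEA3-42d4-8917-7A8BCB0711B5}', '{56FA7933-DC3E-403b-8D47-BB5E3F345A21}'

$findings = @(
    foreach ($p in $paths) {
        foreach ($full in (Expand-GuidePath $p)) {
            if (Test-Path -LiteralPath $full) { [pscustomobject]@{ Type = 'Path'; Location = $full; Detail = '' } }
        }
    }
    # ASSUMPTION: "autorun entries" are looked up in the standard per-machine and per-user Run keys.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($n in $runNames) {
            if ($item.GetValueNames() -contains $n) {   # value names compare case-insensitively
                [pscustomobject]@{ Type = 'Autorun'; Location = "$key\$n"; Detail = $item.GetValue($n) }
            }
        }
    }
    foreach ($c in $clsids) {
        foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                          'Registry::HKEY_CLASSES_ROOT\CLSID') {
            if (Test-Path -LiteralPath "$root\$c") { [pscustomobject]@{ Type = 'RegistryKey'; Location = "$root\$c"; Detail = '' } }
        }
    }
)
$findings | Format-Table -AutoSize -Wrap
```

Generic value names such as "AUTORUN_VAL" can belong to unrelated software, so the Detail column (the command the value points to) should be checked before an autorun hit is treated as AntiSpyCheck.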