Antivirus Live is a rogue antispyware program, a clone of the widely spread rogue Antivirus System Pro. It usually spreads with the help of trojans. Once downloaded and installed, Antivirus Live registers itself in the Windows registry so that it runs automatically when Windows loads.
When running, it will start scanning your computer and report numerous infections to make you think that your computer is infected with trojans, spyware and other malware. Antivirus Live will then ask you to pay for a full version of the program to remove these infections. Of course, all of these infections are fake and don’t actually exist on your computer, so you can safely ignore them!
Antivirus Live blocks the ability to run programs. The following warning will be shown when you try to run Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, while Antivirus Live is running, you will be shown a fake Windows Security Center, nag screens, warnings and fake security alerts from your Windows taskbar. The rogue will also change the proxy setting of Internet Explorer to redirect you to the Antivirus Live site.
As you can see, Antivirus Live is a scam. Do not be fooled into buying the program. Instead, follow the removal instructions below to remove Antivirus Live and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 - HKLM\..\Run: [ekwdvdwk] C:\Documents and Settings\username\Local Settings\Application Data\username\gxymsysguard.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Use the following instructions to remove Antivirus Live (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it to iexplore.exe first and click the Save button to save it to the desktop. If you can’t download the program, then you should repair the proxy settings of Internet Explorer. Run Internet Explorer, click Tools -> Internet Options. Select the Connections tab and click the LAN Settings button. Uncheck the “Use a proxy server” box. Click OK. Click Apply. Click OK.
Double-click the renamed iexplore.exe on your desktop to run HijackThis. The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [wpolkxos] C:\Documents and Settings\user\Local Settings\Application Data\ovugbs\rwjrsysguard.exe
Note: the list of infected items may be different, but all of them have the “sysguard.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs, then click once on the “Fix checked” button. Close HijackThis.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan; it will start scanning your computer for the Antivirus Live infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivirus Live removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Antivirus Live creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Live creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
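The symptoms listed in Step 1 (O4 autorun lines ending in sysguard.exe, an R1 line forcing the Internet Explorer proxy to 127.0.0.1) and the file and registry indicators listed just above are all simple string patterns, so a defender can check for them automatically. The following Python script is an added example written for this page, not a tool from the guide's author or from HijackThis; it triages a HijackThis log and a registry snapshot for exactly those indicators. The log lines and the registry snapshot below are constructed sample data modelled on the entries shown on this page, and the snapshot dictionary layout is an assumption of this example.

```python
import re

# Indicators taken from the removal guide: an autorun target of the form
# <Application Data>\<random>\<random>sysguard.exe, the HKCU\Software\AvScan
# key, and an Internet Explorer proxy pointing at the local machine.
SYSGUARD_RE = re.compile(
    r"\\Local Settings\\Application Data\\[^\\]+\\[A-Za-z]*sysguard\.exe\s*$",
    re.IGNORECASE,
)
LOCAL_PROXY_RE = re.compile(r"(?:^|[=\s])127\.0\.0\.1:\d+")
# HijackThis prefixes each line with a section code such as R1 or O4.
HJT_LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+)\s+[-\u2013]\s+(?P<rest>.*)$")


def triage_hijackthis(log_text):
    """Return (line_number, reason) for each HijackThis line matching an indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = HJT_LINE_RE.match(line.strip())
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        if code == "O4" and SYSGUARD_RE.search(rest):
            hits.append((n, "O4 autorun entry launching *sysguard.exe from Application Data"))
        elif code == "R1" and "ProxyServer" in rest and LOCAL_PROXY_RE.search(rest):
            hits.append((n, "R1 proxy setting redirected to 127.0.0.1"))
    return hits


def triage_registry(snapshot):
    """Return (key, value_name, reason) findings from a {key: {value: data}} snapshot."""
    findings = []
    for key, values in snapshot.items():
        low = key.lower()
        if low == r"hkey_current_user\software\avscan":
            findings.append((key, None, "Antivirus Live configuration key present"))
        if low.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if isinstance(data, str) and SYSGUARD_RE.search(data):
                    findings.append((key, name, "autorun value launching *sysguard.exe"))
        if low.endswith(r"\internet settings"):
            proxy = values.get("ProxyServer")
            if isinstance(proxy, str) and LOCAL_PROXY_RE.search(proxy):
                findings.append((key, "ProxyServer", "browser proxy forced to 127.0.0.1"))
    return findings


# Constructed sample log: one benign R0 line, the rogue's proxy line, one
# legitimate autorun (ctfmon.exe) and two rogue autoruns.
SAMPLE_HJT_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe",
    r"O4 - HKCU\..\Run: [wpolkxos] %UserProfile%\Local Settings\Application Data\ovugbs\rwjrsysguard.exe",
])

# Constructed registry snapshot (assumed layout: key path -> {value name: data}).
SAMPLE_REGISTRY = {
    r"HKEY_CURRENT_USER\Software\AvScan": {},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        "wpolkxos": r"C:\Documents and Settings\user\Local Settings\Application Data\ovugbs\rwjrsysguard.exe",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "arlsknkw": r"C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe",
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings": {
        "ProxyEnable": 1,
        "ProxyServer": "http=127.0.0.1:5555",
    },
}

if __name__ == "__main__":
    for n, reason in triage_hijackthis(SAMPLE_HJT_LOG):
        print(f"log line {n}: {reason}")
    for key, name, reason in triage_registry(SAMPLE_REGISTRY):
        print(f"{key} [{name}]: {reason}")
```

On a live Windows host the snapshot dictionary could be filled from the standard-library winreg module (OpenKey and EnumValue over the two Run keys and the Internet Settings key); the matching logic is the same. The pattern deliberately anchors on the Application Data path plus the sysguard.exe suffix rather than on any one random name, since the guide notes that the directory and file prefix change between infections.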
Ray, does your account have administrator privileges? If yes, remove the “new” account.
Hey Patrik.
Thanks for the response. I can’t get in to do anything with my computer. I get to the login page and it flashes up my desktop background for a moment, then logs me out. I’m going to try and re-install XP, as I believe the problem is a deleted registry file caused by the AntiVirus Live Trojan.
I’ll keep you posted.
Ray.
Thanks Patrick, I seem to have gotten rid of it with the help of regedit, hijack this, and Malwarebytes run a second time. As for deleting stuff in the registry, I didn’t see anything that looked unusual in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM], so I didn’t delete anything, but I fear I deleted the contents of the “Run” folder (but not the folder itself) in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
My Print to PDF seems to be acting funny, not sure how to restore what was in there…any help would be appreciated…even if pointing to another website…Thanks.
Nothing is working for me. I can’t get Task Manager or anything up. The malware is asking me to pay, but it won’t let IE come up to allow me to do that. Someone please help me.
Jeff, what does the PC show when you try to print to PDF?
Ran a real simple fix for this…download superantispyware.com on mozilla or safari, your IE7 or 8 is toast. The malware will not allow you to run the install. shut down your unit and when it reboots, as soon as your desktop comes up click on the install for superantispyware and run the program, allowing for it to scan for garbage. If you start the process before antivirus live starts its process, you will win the battle here. Continue to “x” out the windows it brings up while Superantispyware does its thing. This malware cannot block processes running in front of it and you will be able to scrub it off your machine. At the end of the scan your machine reboots and Antivirus live is gone. Be sure to go back and change the proxy settings in IE when you are all done…better yet, don’t ever surf with IE!!!
I downloaded the malware application with Mozilla Firefox. However, after downloading, it would not open to allow me to run the scan, so I had to shut down and restart the computer, press F8 and then go into “Safe Mode with Networking”. Only then was I able to open the application and run the scan. I did a full scan check; 4 trojan files were found. I had those removed and now my computer is running fine. Thanks so much for this information.
That’s a pretty clever trick, renaming a removal tool “iexplore.exe”, the one application the virus doesn’t block. The problem is that the virus hijacks IE, and you can’t use another browser unless it’s already running at the time you’re infected. At least, that’s the case in some versions of the virus, which seems to be adapting itself to prevent more and more removal methods.
If you have another computer on your network running Windows, you can kill it remotely, following the instructions I posted in another forum (scroll down through the comments to the date January 17, 2010 to find my post):
howtogeek.com/howto/8693/how-to-remove-antivirus-live-and-other-roguefake-antivirus-malware/
Jeff – Yes, you are looking for something specific in the Run key. The name of the entry is randomized, but it will be obvious which one it is, because it looks like just a bunch of gibberish. That’s what you want to delete. The Run key contains a list of programs that run when you start the computer (HKLM) or when you log on (HKCU). Deleting it can break some legitimate applications, as you’ve discovered.
To restore it, you can try doing a System Restore to a point in time before you deleted it, but be careful, the virus’s entries could also return if you restore to a point in time after you were infected.
Got Antivirus Live. Tried to go to Safe Mode with Networking; it won’t go anywhere, it keeps coming back to “Windows did not start correctly” over and over. It will not even open Windows now. Help
Wow — got blasted by this crap while trying to finish an assignment. Locked out of everything on my computer. Fortunately, I was able to look up this site’s instructions on my phone and fix things in a few hours at no cost. I got in front of the evil program with an immediate Ctrl-Alt-Del and killed the *sysguard.exe processes in the Task Manager. This gave me time to search & destroy before I got locked up again. Thanks, all & good luck to those who are still struggling or see it in the future…
This worked PERFECTLY on my laptop.
Only difference is I used another computer to download the programs and then USB to laptop.
THANK YOU!
Great instructions also.
Thank you! I was unable to download other tools to remove the virus, even when using another computer to download onto a thumbdrive and attempting to download onto my laptop from USB. I was able to download HijackThis onto my laptop from the thumbdrive, however, and even though AntiVirus Live was trying to run (popping up windows frequently) while Hijack was running, it still successfully completed and I was able to erase the contaminated file. Then Malwarebyte ran without a problem, and I deleted the trojan file. This was my third attempt to remove this virus, so thank you again!!
Thanks a million for your instructions on removing the nasty Antivirus Live plague. It came up on my machine (via an e-mail, I think) out of nowhere and took it over. I hope the creator(s) of this plague rot in hell.
Thanks again!
Managed to get it off my computer after a few goes, thanks to the advice on here (downloaded malwarebytes.com after getting onto my computer through Safe Mode, the ‘repair computer’ way). Thank you, kind people out there.
I don’t understand how this stupid virus keeps coming back even though my SuperAntiSpyware thing and Malwarebytes detected the files and got rid of them! Everything seemed peachy at first when I logged back into my account normally, but once I opened my browser to go on Facebook, it came back. And I really REALLY do not want to wipe my laptop.
Emily, if the instructions above do not help you, then ask for help in our Spyware removal forum.