Antivirus Live is a rogue antispyware program. It is a clone of the widely spread rogue called Antivirus System Pro. The software usually spreads with the help of trojans. Once downloaded and installed, Antivirus Live will register itself in the Windows registry so that it runs automatically when Windows loads.
When running, it will start scanning your computer and report numerous infections to make you think that your computer is infected with trojans, spyware and other malware. Then Antivirus Live will ask you to pay for a full version of the program to remove these infections. Of course, all of these infections are fake and don’t actually exist on your computer. So you can safely ignore them!
Antivirus Live blocks the ability to run any programs. The following warning will be shown when you try to run Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, while Antivirus Live is running, you will be shown a fake Windows Security Center, nag screens, warnings and fake security alerts from your Windows taskbar. The rogue will also change the proxy settings of Internet Explorer to redirect you to the Antivirus Live site.
As you can see, Antivirus Live is a scam. Do not be fooled into buying the program. Instead, follow the removal instructions below to remove Antivirus Live and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 – HKLM\..\Run: [ekwdvdwk] C:\Documents and Settings\username\Local Settings\Application Data\username\gxymsysguard.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Use the following instructions to remove Antivirus Live (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it first to iexplore.exe and click the Save button to save it to the desktop. If you can't download the program, then you should repair the proxy settings of Internet Explorer. Run Internet Explorer, click Tools -> Internet Options. Select the Connections tab and click the LAN Settings button. Uncheck the “Use a proxy server” box. Click OK. Click Apply. Click OK.
Double-click the renamed iexplore.exe on your desktop to run HijackThis. The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 – HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [wpolkxos] C:\Documents and Settings\user\Local Settings\Application Data\ovugbs\rwjrsysguard.exe
Note: the list of infected items may be different, but the startup entries all have the “sysguard.exe” string on the right side and “O4” on the left side; the R1 line is the Internet Explorer proxy setting the rogue changed.
Place a checkmark against each of them. Once you have selected all entries, close all running programs, then click once on the “Fix checked” button. Close HijackThis.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan; it will start scanning your computer for the Antivirus Live infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivirus Live removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Antivirus Live creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Live creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
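The Step 1 note (“O4” on the left, “sysguard.exe” on the right, plus the R1 proxy line) and the file and registry lists just above describe the same set of indicators. The following Python script is an added example, not part of the original post and not code from HijackThis or Malwarebytes: it applies those rules to a few constructed HijackThis-style log lines, flags only Run entries whose *sysguard.exe lives under Local Settings\Application Data, flags a ProxyServer value that points back at 127.0.0.1, and turns each hit into a reg.exe command that deletes just that one value rather than the whole Run key. The sample log lines, the random folder and value names, and the Finding and removal_plan helper names are all constructed for this example; reg delete /v and reg add /t REG_DWORD are standard reg.exe syntax.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample HijackThis-style log lines modelled on the entries shown in the post.
# The random folder and value names are made up. The ctfmon line and the vendor
# "sysguard.exe" outside Local Settings\Application Data are there to show what is NOT flagged.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\\..\\Run: [arlsknkw] C:\\Documents and Settings\\user\\Local Settings\\Application Data\\lqtwnu\\wqcmsysguard.exe
O4 - HKCU\\..\\Run: [arlsknkw] C:\\Documents and Settings\\user\\Local Settings\\Application Data\\lqtwnu\\wqcmsysguard.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [MySysGuard] C:\\Program Files\\Vendor\\sysguard.exe
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_SUBKEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"
IE_SETTINGS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# "O4 - HKLM\..\Run: [valuename] path". Accept the plain hyphen HijackThis writes or the
# en dash that web pages often substitute for it when a log is pasted into a post.
O4_RE = re.compile(r"^O4 [-\u2013] (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
R1_RE = re.compile(r"^R1 [-\u2013] HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,"
                   r"ProxyServer = (?P<value>.+)$")


@dataclass
class Finding:
    kind: str        # "run_entry" or "proxy"
    key: str         # registry key that holds the value
    value_name: str  # the single value to delete; the Run key itself stays
    detail: str      # executable path or proxy string, for the report


def is_sysguard_run_entry(path: str) -> bool:
    """The post's pattern: a *sysguard.exe under Local Settings\\Application Data."""
    p = path.strip().strip('"').lower()
    return p.endswith("sysguard.exe") and "\\local settings\\application data\\" in p


def is_loopback_proxy(value: str) -> bool:
    """A proxy pointing back at the machine itself is how the rogue hijacks IE."""
    v = value.lower()
    return "127.0.0.1" in v or "localhost" in v


def find_indicators(log_text: str) -> list[Finding]:
    """Scan HijackThis-style lines and return the O4 and R1 entries that match the rogue."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            if is_sysguard_run_entry(m["path"]):
                findings.append(Finding("run_entry", HIVES[m["hive"]] + RUN_SUBKEY, m["name"], m["path"]))
            continue
        m = R1_RE.match(line)
        if m and is_loopback_proxy(m["value"]):
            findings.append(Finding("proxy", IE_SETTINGS_KEY, "ProxyServer", m["value"]))
    return findings


def removal_plan(findings: list[Finding]) -> list[str]:
    """Turn findings into reg.exe commands that delete only the offending values.

    Nothing is executed here; the commands are returned for the operator to review,
    and they only make sense after the sysguard process has been ended (Task Manager
    or rkill, as the comments below recommend), otherwise it re-creates the values.
    """
    cmds = []
    for f in findings:
        cmds.append(f'reg delete "{f.key}" /v "{f.value_name}" /f')
        if f.kind == "proxy":
            # Equivalent of unticking "Use a proxy server" in IE's LAN settings.
            cmds.append(f'reg add "{f.key}" /v ProxyEnable /t REG_DWORD /d 0 /f')
    return cmds


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:9} {f.key}\\{f.value_name}  ->  {f.detail}")
    print("\nSuggested cleanup (review before running):")
    for c in removal_plan(found):
        print("  " + c)
```

Run against the constructed log, the script reports the proxy hijack and the two arlsknkw Run values (one per hive, matching the note that entries appear under both HKLM and HKCU) and ignores the ctfmon entry, the vendor sysguard.exe that is not under Local Settings\Application Data, and the unrelated R0 line. The generated commands target individual values, which is the answer to the “do I delete the whole Run folder?” question further down: no, only the [RANDOM] value the rogue added.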
I have tried this method but I am stuck at the first hurdle. I opened up this website on my laptop in order to remove Antivirus Live from my mum’s home PC. However, when I uncheck the ‘allow proxy’ box from Lan Setting, I am unable to apply this change in settings and it does not take effect. Is there any way of solving this?
Hi Guys,
Thank you SO MUCH for this website….
You guys just woke me up from my malware nightmare:-) Keep up the great work, cheers
Timothy, you need to stop the malware processes. Use exeHelper or rkill.
I actually had to pay for the program, but intend to have the payment cancelled when the bill comes due.
Is there anything I can do to avoid it in the first place?
Jim
Precisely HOW DOES ONE get this???!!!!
The first time I appear to have gotten this, I was on YouTube playing music videos (Trans Siberian Orchestra). Actually infected twice under different sets of random prefix names.
The second time, a week later, I was on match.com!!
Both times a couple of strange things occurred. IE hung while a page was coming up. Acrobat reader started to open, and then Norton firewall notified me that [random]sysguard.exe was trying to go to the internet.
Prior to the second time I was infected, I had checked everything running on the PC, and all was legit.
Is it possible that msmsgs.exe is a vehicle for this virus? Time will tell. Since I removed it from my startup (not sure whether or not it always was there) I have not gotten it again.
BTW, a few extra tips for manual removal. I did not have to use anything extra.
1) Try to bring up the task manager while booting. After the first [random]sysguard.exe comes up, kill it but KEEP watching; it will often come up again (see item 3).
2) The directory \Documents and Settings\username\Local Settings\Application Data will become hidden. After you delete the programs and directories, run a REGISTRY scan (Norton). It should report the registry entries associated with the virus’s exe’s (but not AvScan).
3) In the Registry look at both CURRENT_USER and LOCAL_MACHINE. Entries will be in both places.
I had tried all of those steps but the Malwarebytes and Microsoft online scanner still detect the infected file.
The infected file is “xqacvz.sys”
Can somebody help me?
I have had the same problem. If you can’t get rkill or exehelper to work, do the following.
Re-start your computer and as soon as the Windows desktop appears, right click the taskbar at the bottom as quickly as you can.
In the white drop-down box, click on “Task Manager” and wait for this to open. This allows the task manager box to remain open. If you wait and try Ctrl-Alt-Del, Antivirus Live will already be loaded and it won’t open!
In the Task Manager click on the “Processes” tab at the top.
In the bottom left side corner check the box labeled “Show Processes From All Users.”
Look for the files ending with “sysguard.exe”. They will have other letters before that, and there may be more than one process running.
Click the filename, then click the “End Process” button. Make sure you have all instances of this type closed.
Now follow the steps above about turning off proxy in IE, installing and running anti-malware.
Remember, DON’T RESTART your computer until after the anti-malware has been run, or AntiVirusLive will reload at startup!
cool
Please help, I’m going crazy! After 3 days, literally, with SpyDoctor, the best they could get me to was being able to boot up in safe mode. In regular boot-up I have no icons on my desktop. I was about to reformat in the new year when I came across your site. I have downloaded the HijackThis and Malwarebytes exe to my laptop and transferred them to my infected desktop. HijackThis found a nokksguard file which I deleted, then I ran Malwarebytes and it found several problems, including the nokksguard file, which SpyDoctor had found earlier and had me rename to Viruss000. Can I post the log, if it will help? With renewed anticipation I was hoping this would be the fix, but alas I am still only able to boot up in safe mode, so no internet access and no icons on my desktop in normal mode. Can anyone help before I reformat? Many thanks.
Bob
Hey all,
I found Antivirus Live on my computer; I mean I saw a whole performance of it. I restarted the computer in safe mode and did a system recovery to one week ago. I restarted Windows and logged in, quickly started the task manager but never saw any *sysguard.exe coming up. I think I tried to open some program and my computer froze while beeping, so I figured it should still be infected. I went back to safe mode and installed Malwarebytes Anti-Malware, ran a full scan and found something identified as Rootkit.mbr!! I went ahead and erased it along with all the files that had been saved since I last logged into the computer (5 days before).
My computer is still slow and it freezes if I try to run malwarebytes. Any advice?? Thanks.
Also, how possibly did my computer get infected if I didn’t visit any suspicious website? I have AVG free 8.5 installed on that computer.
Pond, probably xqacvz.sys is a malicious driver. Try to remove it using Avenger; download it from here.
Unzip and run it.
Paste the following text in Input script Box:
Drivers to delete:
xqacvz
Then click on ‘Execute’.
Also you can ask us for help in our Spyware removal forum.
Bob, please make a new topic in our Spyware removal forum (include HijackThis log).
Brownie, please follow these steps.
I will do it now, thanks Patrik.
Bob
Hi Patrik, I posted to the other forum, there is a red star against the post, have I missed something?
Many thanks,
Bob
Wow, this was a bad one… paralysed my computer.
I couldn’t download any of the files on the website above, BUT the best thing that worked for me was to have a 2nd laptop to download the files with and a USB key.
Restart your computer in command prompt and run the files from your USB there… this will prevent any of the virus’ applications from preventing a successful removal or stopping the removal tool from loading if you loaded Windows fully.
If you do this, the app works great and within 20 minutes I was back up.
thank you!
Bob, sorry for the delay. Today I will answer you.
Couldn’t run MBAM or any other programs, so booted my laptop up in safe mode. Opened task manager….. no sign of sysguard.exe; performed a search for sysguard.exe….. no sign of it; ran MBAM and it didn’t find any infections!!! Yet when I run my laptop in normal mode the virus is there!
Hey Folks,
I really can’t thank you enough. You’re all Legends.
I was about to head down the format hard drive road when I came across your site.
I had to download the RKill program to get anywhere first, then the instructions above worked a treat.
I’m back in control……for a while anyway 🙂
Thanks Heaps
Thanks for this – I never realized how easy this problem was to fix!!
I have this evil virus too…If you actually buy the product will they stop annoying you?
rkill worked really well and i was able to open task manager again..
Internet Explorer is completely infected; however, Firefox works well. I’m using Malwarebytes to try and remove it.
thanks,
Kat
Kev, probably your PC is infected with a new version of the rogue. Ask for help in our Spyware removal forum.
Insane job Patrik! If I wasn’t a broke student I would donate.
Found the file, renamed it, rebooted; the renamed file didn’t load, then I restored to yesterday.
I did what Jake posted on Dec 28th and it finally worked (ran REGEDIT), thanks. Still downloaded the 2 programs above for good measure. What a PITA!
Thank you! Thank you! Thank you! It worked beautifully!
Thank you so much for these comments here! They saved my computer. I did exactly what Tony Dee did on Dec 25th. I downloaded malwarebytes to a usb flash drive on an uninfected computer. Then I started the infected computer in Safe Mode, installed the Malwarebytes and ran a scan. I ran the full scan which took about 1 1/2 hr. But WELL worth it, after the scan, the virus was GONE!
Malwarebytes is the BEST !!
Holy cow, this malware is tough to clean. I’ve tried these instructions (fixing IE, HijackThis, Malwarebytes) and it still comes back. Trying a second time. My question is if I’m going to run Regedit and delete keys, what part of the last two ones do I delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
Do I delete the whole “Run” folder and its contents? Or am I looking for something specific in the Run folders?
If I delete the Run folders and then do something like a CCleaner registry repair, will that restore anything that shouldn’t have been deleted, or will it bring the malware back for some reason?
Thanks!
Jeff, best way for you – open a new topic in our Spyware removal forum. I will help you.
And don’t remove the whole “Run” folder!
Hi all …
I got rid of AntiVirus Live using the steps described, but now my comp has created an “administrator” user account, when I had no accounts before, and it logs me out immediately after I try to log in. Is there another thread I can see to get answers on this problem please?
Thanks in advance.