Antivirus Soft, also known as Antispyware Soft, is a new rogue antispyware program from the same family of malware as Antivirus Live. The program is distributed with the help of trojans. When the trojan is started, it downloads and installs Antivirus Soft onto your computer and configures it to run automatically when you log on to Windows.
When Antivirus Soft is started, it imitates a system scan and reports a large number of infections that it will not fix unless you first purchase the program. All of these reported infections are fake and do not actually exist on your computer, so you can safely ignore the scan results that Antivirus Soft gives you.
While Antivirus Soft is running, it blocks you from running any programs in order to scare you into thinking that your computer is infected with malware. The following warning is shown when you try to run Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Windows Security alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antvirus software now?
Last but not least, Antivirus Soft will hijack Internet Explorer so that it randomly shows a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. Of course, all of the above warnings and alerts are nothing more than a scam and, like the false scan results, should be ignored!
As you can see, Antivirus Soft is a scam designed with one purpose: to trick you into purchasing the so-called full version of the program. Do not be fooled into buying the software! Instead, follow the removal guide below to remove Antivirus Soft and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
Use the following instructions to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it to iexplore.exe and then click the Save button to save it to your desktop. If you can’t download the program, then you should repair the proxy settings of Internet Explorer. Run Internet Explorer and click Tools -> Internet Options. Select the Connections tab and click the LAN Settings button. Uncheck the “Use a proxy server” box. Click OK. Click Apply. Click OK.
Double-click iexplore.exe on your desktop to run HijackThis. The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKCU\..\Run: [udcqinjy] "C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe"
Note: the list of infected items may be different, but all of them have the “sysguard.exe” or “tssd.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs, then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Antivirus Soft infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivirus Soft removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won’t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Soft (Antispyware Soft) creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Soft (Antispyware Soft) creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
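The HijackThis symptoms and the file and registry locations listed above can be checked mechanically against a saved log. The following is an added example, not part of the original guide or of HijackThis itself; the function name scan_hijackthis_log is hypothetical, and the sample log combines three lines from this page with two constructed benign entries.

```python
import re

# Filename endings taken from the page's "Symptoms in a HijackThis Log" list.
SUFFIXES = ("sysguard.exe", "ftav.exe", "tssd.exe")

# O4 Run-key line: hive, value name, command. Accepts "-" or the en dash that
# web pages substitute for it, and optional straight or curly quotes.
O4_RE = re.compile(
    r'^O4\s*[-\u2013]\s*(HKLM|HKCU)\\\.\.\\Run:\s*\[([^\]]*)\]\s*'
    r'["\u201c\u201d]?(.+?)["\u201c\u201d]?$')
# Executable sitting exactly one folder below the per-user local app-data
# directory (XP and Vista/7 spellings), as in the page's examples.
APPDATA_RE = re.compile(
    r'\\(?:Local Settings\\Application Data|AppData\\Local)\\[^\\]+\\[^\\]+$',
    re.IGNORECASE)
# R1 line that points the Internet Explorer proxy at the local machine.
PROXY_RE = re.compile(
    r'^R1\s*[-\u2013].*ProxyServer\s*=\s*(?:http=)?127\.0\.0\.1:\d+',
    re.IGNORECASE)


def scan_hijackthis_log(text):
    """Return findings: ("proxy", line) or ("autorun", hive, name, path)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if PROXY_RE.match(line):
            findings.append(("proxy", line))
            continue
        m = O4_RE.match(line)
        if m and APPDATA_RE.search(m.group(3)) \
                and m.group(3).lower().endswith(SUFFIXES):
            findings.append(("autorun",) + m.groups())
    return findings


# Constructed sample: three lines from the page plus two benign-looking entries.
SAMPLE_LOG = r'''
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [vcspymsv] “C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe”
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'''

if __name__ == "__main__":
    for finding in scan_hijackthis_log(SAMPLE_LOG):
        print(finding)
```

A match is a triage hint for the entries to review in HijackThis, not proof of infection; the suffix and folder-depth checks together keep ordinary Run entries out of the results.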
My son also had this on his computer. After a whole day trying to sort things out I found this forum and did the following
1. Ctl+Alt+delete for task manager
2. Found the process qoopudttssd.exe – deleted this
3. downloaded Hijack this.
4.Found files starting with 04 and ending with qoopudttssd.exe – fixed them.
Everything seems fine now. Thanks folks for posting on this forum, I was about to format the C Drive. My son will be a happy chappy that the virus has gone. Can’t wait to see his face when I give him the bill for my time!!
Hey guys, I had the same exact virus and it would tell me that everything was infected. But I went into safe mode and wasn’t quite sure what to do. So I rebooted normally and it did not start immediately. But I used ad-aware and it took care of it for me
This is great! my file had a weird name it started with r (forgot what it was called) you just have to find the weirdest name in the list and ur done.
I just wish to offer a thanks to whoever put these easy to follow steps together, and for those of you that have commented and added further, updated, information. It would seem that you’ve collectively helped me kick this little f**ker of a virus off my computer. Thanks again to you all.
Just wanted to say that this is one of the worse attempts at writing a virus I have ever seen. Just follow the instructions, and you will be back up and running.
Would like to thank this guide for saving my computer..
I don’t know how I got this virus, is there any webby I should avoid?
and will it reoccur?
thks
Hi, here is what helped me:
1. Restarting my computer
2. Pressing strg/alt/delete as soon as I see my desktop and before the infection can start
3. choose: open task manager
4. looking in processes for any process that doesn’t make sense or if you don’t know which one it is just type all processes in google, often it’s the one that google doesn’t find.
5. stop the process (Now the popups are gone and you can use/download hijack this to logfile your system or use spybot-search and destroy to delete the fuckin virus.)
hijackThis showed me this exe in the O4 section: puyihutssd.exe
spybot showed me immediately:
Fraud.Sysguard (4 entries)
I was infected by the virus 2 days ago. When I was following the steps to uninstall the virus, it wouldn’t let me open internet explorer options so that I can complete the rest of the steps.
Temocder,
Visit Microsoft Update (update.microsoft.com). Make sure that you have all the Critical Updates recommended for your operating system and IE. Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found.
Update all antivirus/antispyware programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Many of the exploits are directed to users of Internet Explorer. Try using a different browser – Firefox or Opera.
Courtney, try using another PC to download the suggested programs, then move them to your PC using a flash or CD disk.
Hi,
I got infected by the virus mentioned in this article and followed the instructions to get rid of it except now when i start my computer up normally after about a minute or so the programs start freezing and then the whole computer just freezes up, cant do anything. When its running in safe mode it doesnt do this.
Any suggestions ?
Thanks guys! I had this virus for like 10 minutes, and it drove me mad, but I found help here and now I am back to normal… thanks.
Keeba, try running your PC in last good configuration.
Removal process worked for me.
Thanks!
What a pain… could have been worse.
Well currently trying what patrik said working great so far but i know the virus got in through java and i know what site can i report it somewhere?
I think I have everything deleted, but when i look under the startup section under the System Configuration Utility, there is still a startup item there called ybabpyvtssd. It’s unchecked, and everything seems to be working fine, but I’m still worried. What do i do?
1 – right away when windows is opening up go to the start menu and click on RUN, type MSCONFIG
2 – when the panel opens go to the ‘startup’ tab and click to open. Uncheck the file ending in SST, click apply and ok. Restart computer (you are now in ‘selective startup mode’)
3 – Download the program ‘Malwarebytes’,update the program with the latest malware definitions and run this. This is a free program which will remove remaining trojan files
4- go to your windows security center and re enable your firewall.
you are done
OMG!!! got the virus this afternoon whilst revising for my GCSE’s and after about 5 minutes of trying to ignore it, EVERY BLOODY THING CLOSED, EVEN explorer.exe. so bcoz i couldnt do anyhing i had 2 remove my battery and am now at a loss.
THANK YOU! I tried bleeping computer’s solution, the virus seemed to go away, then when I rebooted my computer the virus came right back! I had to remove the proxy every time a page loaded, but I finally searched the virus and ended up here. Thanks for the removal process. (I had the virus for three days, couldn’t do ma homework)
Unlike some people here, the problem i’m having is that it’s not letting me run M.b.A.M. am i supposed to re-name mbam also? please answer A.S.A.P
Thanks for the guide, it worked brilliantly. Yea they rename the sysguard thingy. Apart from the R1 file, for the O4 look out for file ending ukwktibtssd.exe
Thx to the team at Myantispyware, I have my computer fixed after 4 hours of being infected.
Good work team, well done.
Cheers.
Nevermind, got it to work. Thank you so much to whoever made this article
Thanks so much, awesome instructions and I’m not the most computer literate. Only needed hijack. Not sure if this has been mentioned in the above comments, but using mozilla firefox is much easier to get hijack to go where you want it than when I first tried to download it using Internet explorer. Very thankful for the instructions 🙂
The hijackthis helped 100% thanks a lot 🙂
PrinceOfFools, yes you can report malicious site to malwaredomainlist.com.
Cris, run msconfig and select the Normal boot option. Reboot your PC, run HijackThis and fix all malicious entries.
Ben, if the guide above does not help, then start a new topic in our Spyware removal forum. I will help you.
Thanks a lot! This guide cleaned up my computer nicely, thanks for the time and effort put into this post, you’re a life saver!
I was trying to find the easiest way to get rid of the virus.
The easiest way I have found is by:
1. Download http://www.malwarebytes.org/ Just the free version will do.
2. Install it.
3. Rename it to iexplore.exe
4. Run it (The fastest scan option should work)
5. It will ask you to reboot your computer. Click ok
DONE!