Antivirus Soft, also known as Antispyware Soft, is a new rogue antispyware program from the same family of malware as Antivirus Live. The program is distributed with the help of trojans. When the trojan is started, it will download and install Antivirus Soft onto your computer and configure it to run automatically when you log on to Windows.
When Antivirus Soft is started, it will imitate a system scan and report numerous infections that will not be fixed unless you first purchase the program. It is important to know that all of these reported infections are fake and don’t actually exist on your computer! So you can safely ignore the scan results that Antivirus Soft gives you.
While Antivirus Soft is running, it will block the ability to run any programs as a method to scare you into thinking that your computer is infected with malware. The following warning will be shown when you try to run Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Windows Security alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antvirus software now?
Last but not least, Antivirus Soft will hijack Internet Explorer so that it randomly shows a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. Of course, all of the above warnings and alerts are nothing more than a scam and, like the false scan results, should be ignored!
As you can see, Antivirus Soft is a scam designed with one purpose: to trick you into purchasing the so-called full version of the program. Do not be fooled into buying the software! Instead, follow the removal guide below to remove Antivirus Soft and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
Use the following instructions to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it to iexplore.exe, then click the Save button to save it to the desktop. If you can’t download the program, then you should repair the proxy settings of Internet Explorer: run Internet Explorer and click Tools -> Internet Options. Select the Connections tab and click the LAN Settings button. Uncheck the “Use a proxy server” box. Click OK. Click Apply. Click OK.
Double-click iexplore.exe on your desktop to run HijackThis. The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKCU\..\Run: [udcqinjy] "C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe"
Note: the list of infected items may be different, but all of them have the “sysguard.exe” or “tssd.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Antivirus Soft infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivirus Soft removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won’t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Soft (Antispyware Soft) creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Soft (Antispyware Soft) creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
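The HijackThis check from Step 1 can be written as a small Python triage script; this is an added example, not part of the original guide or of HijackThis. The sample log is constructed from the lines shown on this page plus two made-up benign entries, and the function names are illustrative.

```python
import re

# Indicators taken from this page: filename suffixes and the loopback proxy value.
ROGUE_SUFFIXES = ("sysguard.exe", "ftav.exe", "tssd.exe")
# <profile>\Local Settings\Application Data\<dir>\<file> (XP) or AppData\Local (Vista and later)
PROFILE_DIR = re.compile(
    r"\\(?:Local Settings\\Application Data|AppData\\Local)\\[^\\]+\\[^\\]+$", re.I)
# HijackThis writes "O4 - ..."; web pages often turn "-" into an en dash, so accept both.
O4_RUN = re.compile(r"^O4\s*[-–]\s*(HKLM|HKCU)\\\.\.\\Run:\s*\[(.*?)\]\s*(.+)$")
R1_PROXY = re.compile(r"^R1\s*[-–]\s*HKCU\\.*Internet Settings,ProxyServer\s*=\s*(\S+)")

# Constructed sample: lines shown on this page plus two made-up benign entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [updater] "C:\Users\Owner\AppData\Local\Vendor\updater.exe"
O4 – HKCU\..\Run: [vcspymsv] “C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe”
"""

def classify(line):
    """Return (kind, detail) for a line matching the page's indicators, else None."""
    line = line.strip()
    m = R1_PROXY.match(line)
    if m:
        # A proxy pointing at the local machine is the setting Step 1 tells you to undo.
        return ("proxy-hijack", m.group(1)) if "127.0.0.1" in m.group(1) else None
    m = O4_RUN.match(line)
    if not m:
        return None
    hive, name, path = m.groups()
    path = path.strip(' "“”')  # drop straight or typographic quotes around the path
    # Both conditions must hold: a known suffix AND a one-level folder under the
    # per-user application data directory, so system32\igfxtray.exe is not flagged.
    if path.lower().endswith(ROGUE_SUFFIXES) and PROFILE_DIR.search(path):
        return ("rogue-autorun", f"{hive}\\Run [{name}] {path}")
    return None

def scan(log_text):
    """Classify every line of a HijackThis log and keep only the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG):
        print(f"{kind:14} {detail}")
```

Entries it reports are candidates for the “fix checked” step; anything it does not report still needs to be reviewed by eye, since the random part of the names changes between infections.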
Hello, I found this little bugger on my computer this morning, it closed my real antivirus program, closed Add/Remove Programs and Task Manager.
I installed HiJackthis and searched for the stuff listed above, found none of them so I looked for other ones. The best way is to browse the 04 section for .exe with suspicious names. Google the .exe and see what it does. If it’s important, don’t touch it. If Google says it’s a virus, you know what to do. In my case Google had no search results for “kmwoqqitssd.exe” so I removed it from my computer. Then I was able to actually run applications properly.
I found the folder hiding in “C:\Documents and Settings\[censored]\Local Settings\Application Data\[insert virus folder name]” with the help of my antivirus, scanned it, removed it, deleted it.
Anyway I’m gonna try to remove the rest of it. Good luck to you all
I saved Hijack this as iexplore.exe, and saved onto the infected desktop. After the scan, I found over 100 listed and I don’t know which ones to put the check mark. Please help
Cameron, you need to remove HijackThis before running.
I got this pain in the butt thing last week and your instructions worked great. Now a week later and I got it again. Is there any way to block it altogether? What’s odd is I haven’t run my malwarebytes program since I removed the antispyware soft last week and just now I ran it and I got the antispyware soft again. So why did I get it again after running malwarebytes?
John, have you unchecked the “Use a proxy server” option in LAN Settings of Internet Explorer?
Pemberley, if you are unsure, please start a new topic in our Spyware removal forum (include your HijackThis log). I will help you.
Patricia, to keep your computer clean and secure:
1. Update your programs (most important: Java, Adobe Flash Player, Adobe Acrobat reader).
2. Visit Microsoft Update (update.microsoft.com). Make sure that you have all the Critical Updates recommended for your operating system and IE. Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found.
Update all antivirus/antispyware programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
3. A well protected computer should have at least an antivirus and firewall, an antispyware is also a great addition to your computer’s security.
4. Many of the exploits are directed to users of Internet Explorer.
Use only an alternate browser – Firefox or Opera…
5. Be careful when opening attachments and downloading files.
I went through the steps again and I found the R1 file but none of the 04 files listed. So after I removed that R1 I downloaded the malwarebytes and it lets me get to a couple install steps then I get the dreaded error and I can’t go any further.
I do have virus protection with AVG and I have spyware terminator running and try my best to keep everything updated. Also I use firefox not IE, it runs a lot faster.
So now I’m stuck and I can’t get any further. Any suggestions?
THANK YOU. SO MUCH. I APPRECIATE THIS SO MUCH. THANK YOU THANK YOU THANK YOU A MILLION TIMES!
Thanks for all of the help, was able to remove this trojan and I am back in business.
I’m so grateful for your help. I followed the instructions and it worked perfectly.
Thank you!
I’m sure someone has probably asked this already, but I ran Malware, and it didn’t seem able to find anything at all. However I ran HijackThis and was able to successfully delete all the “O4’s”. Is it safe to continue using my computer having only used HijackThis and not Malware afterwards? (I aborted Malware’s scan because nothing was coming up). It seems as if the virus is gone, though.
Thank you for the help!
Nevermind, I decided to play it safe and ran Malware. Thank goodness, because it found 4! They were removed and when I ran the program again, it came up clean.
Thank you again for posting the initial instructions for getting rid of this virus!
Patricia, start a new topic in our Spyware removal forum. I will help you.
I kept trying to run malware and it would freeze up after a few hours. I ended up doing a system restore that worked.
thanks worked a treat
Thank you, thank you thank you.
For the first time, an online walk through actually worked, and wasn’t completely confusing. You guys are amazing and my mom is under intense supervision when touching my computer. Lol.
This walk through worked like a charm. 😀
Hi, I tried to do the following as suggested above and found the file, only I renamed the filename not the extension by mistake and now my desktop will not load, is there any way around this?
I got rid of this little bugger as follows:
1. Found a randomly named folder in the C:\Documents and Settings\user\Local Settings\Application Data directory that was created about the time the infection kicked in.
2. Opened the folder and renamed the executable file (which ended with -“ftav”).
3. Restarted my computer.
4. At this point, because the executable was not initiated, I was able to use HijackThis and Malwarebytes to clean things up.
5. So far, so good. Thanks for the good advice!
You guys have helped me before, I’m hoping this works. It seems I received this scamware virus and another similar one, I think it was called defender xp and was easier to destroy, off the once safe website mp3boo.com. I warn everybody: don’t go there!
and god bless the people who made this page
thanks man
I was unable to download the software on the infected computer. Downloaded to a flash drive on another computer and then loaded to the infected computer successfully. Ran both programs as recommended and the rogue antispyware has been eliminated.
Thank you!!!!
Worked a charm, thank you!
this is such a horrible programme… why is no one able to destroy it or block it 🙁 ?
Okay so I got this while going to my usual website that I go to every week (narutocentral.com)
I’ve gotten it twice now! At first I thought I must have clicked something went back the next day and all was well, then I got it again tonight.
Now because it rendered me useless the first time I eventually got it fixed by doing a sneaky.
I rebooted my computer and before it was able to fully load, I did ctrl+alt+delete and opened Task Manager before it blocked it, found the file name which was like fnfvfqheh.exe or something, and ended it, thus stopping it. I then did a search on my PC for it, and found it and deleted it, and voila it was gone.
I’ve done a full scan of my PC using all my spyware/Avast!/crapcleaner but haven’t found anything new.
Anyone know exactly how this thing just randomly pops on your pc?
While in Safe mode, I did the steps listed at the beginning of this page to run HijackThis, without changing the name of the file to iexplore.exe though, not sure why someone would need to change the name. I deleted the files that looked suspicious, then downloaded and ran the MalwareBytes Anti-malware program, it found 17 infected files! I deleted them and everything seems to work fine now. I ran this anti-malware program on my other computer that wasn’t having any issues and it found 4 files, Thanks A Lot!!!
thank you, thank you, THANK YOU. The stupid software installed itself while I was searching for a good video site- and two hours later it was fixed by these instructions.
I think I’ll just wait until the DVDs come out from now on.
Anyone reading this- follow the instructions. Little girl from Australia did and now she can get on with playing Pokemon instead of doing her homework!
Got this sob a few days ago and I am losing my mind trying to get rid of it! When I go to download Hijack this, it will not let me rename it…tried right click, left click, no click, great chick…nothing works. How do I save and rename hijack this? HELP!
please help!
I did all the steps, everything went perfectly and malwarebytes had found lots of things and deleted them. It told me to restart and when I did, now it just gets stuck at the windows loading sign forever.
It won’t start up but I can get in in safe mode.
I need help badly!
OK, same problem here. But it looks like I have another problem. Yes I have the green shield with all the annoying messages and changing backgrounds. But like Cameron, I can’t do anything – regedit, taskmgr, even notepad everything is cancelled immediately.
So no turning off a suspicious process while booting.
Of course I read most of the above messages in this topic. Like Cameron:
‘Cameron, you need to remove HijackThis before running.’
Doesn’t work. I put it on my pc (while running) with a USB stick. (Same goes for Malwarebytes.) Both programs are immediately stopped and don’t run.
I was able, because I installed a dozen anti virus and spyware tools, to remove some files… Still the green shield, etc.
I searched for strange files in the my documents and settings/user /etc/applications data.
Yes I found something strange, it was an .exe so I changed the name in the hope the program would not boot and I could run HijackThis or Malwarebytes… But it didn’t work. Even tried to give it another extension. Didn’t work, so wrong file. But I couldn’t find another suspicious file in any of the users applications data (2 users and 1 extra account).
When I now boot, I can see a cmd command prompt with: c:windowssystem32!.exe and the ‘_’ sign is running randomly (yes it has a pattern but hard to explain in my bad English, sorry) over the command screen. And I do not disappear.
I googled it, but it refers to ‘remove internet security 2010’ and starts with enabling processes, which I can’t because my taskmanager is enabled…
I tried real hard, did many things… Nothing works.
Oh and I can’t boot in (any) safe mode. My pc freezes… So no enabling the proxy server or HijackThis, etc. doesn’t work.
Strangely internet does work on the infected pc…
Please help :).
THANKS!
Bram
Thank you so much for this help. I literally came home for my 30 min. lunch break to take this malware off and thanks to you I did it at home after work lol…. Thank you, now I’m just enjoying my PC again… thanks
Using another computer to view this webpage. On the infected computer the virus will not let me run any programmes so I can’t download HijackThis.exe. So what should I do to be able to run Internet Explorer?
Rocky, reboot your computer in Safe mode and try to run HijackThis once again.