Antivirus Soft, also known as Antispyware Soft, is a new rogue antispyware program from the same family of malware as Antivirus Live. The program is distributed with the help of trojans. When the trojan is started, it downloads and installs Antivirus Soft onto your computer and configures it to run automatically when you log on to Windows.
When Antivirus Soft is started, it imitates a system scan and reports numerous infections that it will not fix unless you first purchase the program. All of these reported infections are fake and don’t actually exist on your computer, so you can safely ignore the scan results that Antivirus Soft gives you.
While Antivirus Soft is running, it blocks you from running any programs in order to scare you into thinking that your computer is infected with malware. The following warning is shown when you try to run Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Windows Security alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antvirus software now?
Last but not least, Antivirus Soft will hijack Internet Explorer so that it randomly shows a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. Of course, all of the above warnings and alerts are nothing more than a scam and, like the false scan results, should be ignored!
As you can see, Antivirus Soft is a scam designed with one purpose: to trick you into purchasing the so-called full version of the program. Do not be fooled into buying the software! Instead, follow the removal guide below to remove Antivirus Soft and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
Use the following instructions to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it to iexplore.exe, then click the Save button to save it to the desktop. If you can’t download the program, then you should repair the proxy settings of Internet Explorer. Run Internet Explorer and click Tools -> Internet Options. Select the Connections tab and click the LAN Settings button. Uncheck the “Use a proxy server” box. Click OK. Click Apply. Click OK.
Double-click iexplore.exe on your desktop to run HijackThis. The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKCU\..\Run: [udcqinjy] "C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe"
Note: the list of infected items may be different, but all of them have the “sysguard.exe” or “tssd.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs, then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Antivirus Soft infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivirus Soft removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won’t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Soft (Antispyware Soft) creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Soft (Antispyware Soft) creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
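The following Python sketch is an added example, not part of the original guide or of HijackThis: it scans the text of a saved HijackThis log for the indicators listed above (the R1 proxy value from Step 1 and O4 Run entries whose executable name ends in sysguard.exe, ftav.exe or tssd.exe inside a per-user application-data subfolder). The function name flag_lines and the sample log, including its two benign entries, are constructed for illustration.

```python
import re

# Executable-name endings from "Symptoms in a HijackThis Log" in this guide.
SUFFIXES = ("sysguard.exe", "ftav.exe", "tssd.exe")
# O4 autorun entry; accepts an ASCII hyphen or a typographic dash after "O4".
O4_RE = re.compile(r"^O4\s*[-–]\s*(?:HKLM|HKCU)\\\.\.\s*\\Run:\s*\[[^\]]*\]\s*(.+)$", re.I)
# Proxy value shown in Step 1 of this guide.
R1_RE = re.compile(r"^R1\s*[-–].*Internet Settings,ProxyServer\s*=\s*http=127\.0\.0\.1:5555\s*$", re.I)
# Per-user application data (XP or Vista/7 layout) + one folder + the file.
DIR_RE = re.compile(r"\\(?:local settings\\application data|appdata\\local)\\[^\\]+\\[^\\]+$", re.I)

# Constructed sample log: lines 1-3 follow the guide, lines 4-5 are benign decoys.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKCU\..\Run: [Updater] "C:\Users\Owner\AppData\Local\Vendor\updater.exe"
O4 - HKLM\..\Run: [Backup] C:\Program Files\Tools\tssd.exe
"""

def flag_lines(log_text):
    """Return (reason, line) pairs for lines matching the guide's indicators."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            # Drop surrounding quotes (straight or typographic) before matching.
            path = m.group(1).strip().strip('"“”').lower()
            # Require both the file-name ending and the folder layout, so a
            # same-named file elsewhere (last sample line) is not flagged.
            if path.endswith(SUFFIXES) and DIR_RE.search(path):
                hits.append(("run-entry", line))
        elif R1_RE.match(line):
            hits.append(("proxy", line))
    return hits

if __name__ == "__main__":
    for reason, line in flag_lines(SAMPLE_LOG):
        print(f"{reason:10} {line}")
```

A line that is not flagged is not thereby shown to be clean; the check only covers the file names and folder layout this guide lists.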
Liz, boot your computer in Safe mode with networking and try scan with Malwarebytes once again.
Bram, if you need help, please open a new topic in our Spyware removal forum.
Conor, download HijackThis to another PC and rename it. Move this file to the infected computer on a flash drive or CD.
It says I have no viruses. I’ve tried a system restore and that hasn’t worked. I did do an automatic update while I was deleting the virus. I think that may have caused this. Any clues as to what settings I need to change to get it to start up?
I did a scan and then did a system restore but now when I restart my comp it starts loading windows but all it shows is my wallpaper with no explorer help
I’ve discovered that it does not affect other admin accounts on your computer…well not yet of course. Many web browsers aren’t working, and I believe that I am having the same problem that paige recently had.
Hey guys, it would seem if your laptop or computer is able to “repair” itself on the start menu you can take the restore system back a day or two before the fake program put itself on your computer and it seems to work. No signs of the fake program, HijackThis isn’t picking it up anymore.
Sorry, by start menu I mean when your laptop starts up and gives you an option to select Safe mode, safe mode networking or start normally.
Another way to stop the virus, like I did (I found this out by trial and error), was if you are infected, reboot to Windows Safe Mode, open up the control panel, click on Administrative Tools, then System Configuration, go to the Startup Tab, and you’ll see a process which is basically random letters (for example, mine was efsthlrm), which is in users/NAME/appdata. Stop this process from happening by unticking the box. Then, using your Windows Explorer, type in the address that the process comes from, it’s described in the System Configuration Tab. Delete the folder. Securely Delete your Recycle Bin. Reboot. Still download HijackThis and MBAM to ensure its complete removal from the registry.
However, if you don’t know how to reboot to safe mode or are unsure of the control panel options, using the method of renaming HijackThis should work too.
THANK YOU SO Much!!!!! That stupid garbage is gone thanks to you. I am grateful for this web page. I was ready to beat my computer into scrap with a baseball bat. You saved me money I cannot afford to spend. Thanks.
THANK YOU! Hi-Jack this worked like a pro!
Ok so I started to use these instructions and I have gotten to hijack this but I can only find the R1 one. I can’t find any of the O4 ones… I saw in an earlier comment that the names are different but with random letters and I have these
HKCU\..\Run: [ggpujabr]C:\Users\Home\AppData\Local\tuwrbrmkj\cfcnaxmtssd.exe
HKCU\.. \Run: [asam] C:\Users\Home\AppData\Local\asam.exe
Should I delete these too or am I missing something?
I had tried everything on this page and a few others, but whenever I tried to change the LAN settings Antivirus immediately checked the box. I then looked at the comments and the first one I saw was Twintrbl’s comment, and it was PERFECT. Thank you Twintrbl, I found 3 extremely weird looking .exes and looked them up on Google and came up with nothing. I fixed them and then everything worked again. Truly amazing.
I managed to get to the accessories and restored my pc to a week earlier as suggested by a poster, well it worked! Obviously the Trojan is still there but do I have to remove it and will it pop back up at some point?
I could not load Hijack This even when renamed to iexplore.exe. I was able to log in as Administrator which was not infected, load Hijackthis under the Administrator account and remove this antispyware. Maybe try to create another account if possible and you may be able to get Hijackthis loaded.
Thanks for all of the above postings which were helpful!
So my problem is I can’t even get to this website on my computer…I’m on a friend’s instead. So how do I get HijackThis on my computer if I can’t even get to this website because soft keeps effing it up first?
Got this on the 15th, had exams so waited a while before trying to fix it, downloaded the HijackThis.exe and renamed it and that deleted the files that I thought were wrong, then got Malwarebytes and removed all infected files, afterwards it said not able to remove all files?!
Anyway I restarted the computer and no sign of the rogue antivirus as of yet, but I am currently scanning the computer again but I just wanted to say bless you for this guide and thanks a bunch.
Really helped me out here
The software developers of this trojan make me sick!
Any thanks for the assistance it is greatly appreciated.
The Spyware has done a crazy thing to my internet, I have gotten rid of the spyware and done everything above yet I cannot use safari or my itunes store will not open… anyone have the same problem?
Ok the scan was finished and I still have 4 infected files. I believe these were the ones that Malwarebytes couldn’t remove. How do I get rid of them? There are 3 trojan downloaders and 1 trojan.agent. Two are Registry values and two are under the file section.
Trojan downloader 1 : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run\hsfg9 and then a load of random characters.
Trojan agent: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run\mcexe and another load of characters, just gave the beginning of them
and
Trojan downloader 2: is C:\Users\Josh\AppData\Local\Temp\login.exe
And Trojan downloader 3 is C:\Users\Josh\AppData\Local\Temp\jisfije9fjoiee.tmp
Any help or guidance would be greatly appreciated. By the way I’m only 13 so I may not understand some references and that.
I’ve managed to get this wretched virus today and now it’s not letting me reboot Windows in any mode, be it normal, safe or safe with networking. Help!
Samantha, press CTRL + ALT + DEL. Task Manager opens. Click File, New task. Type explorer and press Enter. It should bring back your icons and Start button. Run Malwarebytes and perform a scan.
Robb,
yes, fix these lines.
Rico, have you tried unchecking the “Use a proxy server” box in Internet Explorer network settings before downloading HijackThis?
Lloyd and Josh, start a new topic in our Spyware removal forum. I will check your PC.
stu, have you tried Last good configuration mode?
After going through everything from running HijackThis and Malwarebytes, I still couldn’t get the wee beastie to leave my computer. Every time I restarted my computer it would start up again.
I went in search of programs then. I found the problem in: user\appdata\local\wdrwiirvy. In that file is: uyceiiptssd.exe. Delete it and it won’t load anymore.
I am having trouble removing this, is it safe to browse the internet, and continue working online while ANTISPYWARE SOFT is on my computer? I am very tired of trying to resolve this on my own :*(
Hey, so I’m using iexplore and I can’t find any of the O4 files that end in the sysguard.exe or sftav.exe. Even when I do the task manager i can’t find it. Any help? I’m running in safe mode.
It was bothering me at first but now it just disappears, does it mean it’s gone? (I never used malware, but I tried to.)
This worked like a charm. My wife’s computer got this yesterday morning and I sat down today to clean it off. Looks like it is good, but I didn’t download malwarebytes. I have prevx, spybot, adaware, and norton. Would have been nice if she updated at least one of them in the last 9 months or so…