Antivirus Soft, also known as Antispyware Soft, is a new rogue antispyware program from the same family of malware as Antivirus Live. The program is distributed with the help of trojans. When the trojan is started, it will download and install Antivirus Soft onto your computer and configure it to run automatically when you log on to Windows.
When Antivirus Soft is started, it will imitate a system scan and report numerous infections that it will not fix unless you first purchase the program. It is important to know that all of these reported infections are fake and don’t actually exist on your computer! So you can safely ignore the scan results that Antivirus Soft gives you.
While Antivirus Soft is running, it will block the ability to run any programs as a method to scare you into thinking that your computer is infected with malware. The following warning will be shown when you try to run Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Windows Security alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antvirus software now?
Last but not least, Antivirus Soft will hijack Internet Explorer so that it will randomly show a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. Of course, all of the above warnings and alerts are nothing more than a scam and, like the false scan results, should be ignored!
As you can see, Antivirus Soft is a scam designed with one purpose: to trick you into purchasing the so-called full version of the program. Do not be fooled into buying the software! Instead of doing so, follow the removal guide below in order to remove Antivirus Soft and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
Use the following instructions to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it to iexplore.exe, then click the Save button to save it to your desktop. If you can't download the program, then you should repair the proxy settings of Internet Explorer: run Internet Explorer and click Tools -> Internet Options. Select the Connections tab and click the LAN Settings button. Uncheck the “Use a proxy server” box. Click OK. Click Apply. Click OK.
Double-click iexplore.exe on your desktop to run HijackThis. The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 – HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [vcspymsv] “C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe”
O4 – HKCU\..\Run: [udcqinjy] “C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe”
Note: the list of infected items may be different, but all of them have the “sysguard.exe” or “tssd.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Antivirus Soft infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivirus Soft removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps in: Malwarebytes won't install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Soft (Antispyware Soft) creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Soft (Antispyware Soft) creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
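The checks from "Symptoms in a HijackThis Log" and Step 1, applied to a saved HijackThis log, as an added example that is not part of the original guide or of HijackThis itself. The function and pattern names are hypothetical, and it matches only the file name endings and the loopback proxy entry shown on this page, so a variant using other names will not be flagged.

```python
import re

# Filename endings listed in the guide's "Symptoms in a HijackThis Log" section.
SUFFIXES = ("sysguard.exe", "ftav.exe", "tssd.exe")
# Per-user app-data folder (XP and Vista/7 layouts) + one random folder + one file.
APPDATA = re.compile(
    r"\\(local settings\\application data|appdata\\local)\\[^\\]+\\[^\\]+$", re.I)
# Section code, a dash (an en dash when the log was pasted through a web page), body.
LINE = re.compile(r"^\s*(?P<code>[A-Z]\d+)\s+[-\u2013]\s+(?P<body>.+?)\s*$")
RUN = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\]\s*(?P<path>.+)$")
PROXY = re.compile(r"ProxyServer\s*=\s*(?:http=)?(127\.0\.0\.1|localhost):\d+", re.I)


def suspicious_entries(log_text):
    """Return (code, reason, line) for every line matching the guide's symptoms."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "R1" and PROXY.search(body):
            hits.append((code, "browser proxy points at loopback", raw.strip()))
        elif code == "O4":
            run = RUN.match(body)
            if not run:
                continue
            # Drop straight or typographic quotes around the path before matching.
            path = run.group("path").strip(' "\u201c\u201d').lower()
            if path.endswith(SUFFIXES) and APPDATA.search(path):
                hits.append((code, "autorun from per-user app data", raw.strip()))
    return hits


# Lines 1, 3 and 4 are adapted from the guide; the others are constructed benign entries.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.example.internal:8080
O4 – HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
O4 - HKCU\..\Run: [Chat] C:\Users\Owner\AppData\Local\Chat\chat.exe
"""

if __name__ == "__main__":
    for code, reason, line in suspicious_entries(SAMPLE):
        print(f"{code}: {reason}: {line}")
```

Requiring both the file name ending and the per-user application data location keeps ordinary autoruns, such as the two constructed benign entries, out of the results.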
i hate whoever created spyware soft
I just got hit by this and the file name it was using was vjdmhlutssd.exe. I restarted my computer in safe mode with networking, and deleted that file and the .pf file that it also created in my windows directory. Computer is running fine now!
How, please tell me, do I “rename” HijackThis before saving it? When I click on the word “here” (in Mozilla; the malware will not let me open Explorer), the only options I have are to “save”, or “cancel”. No option to rename or save as… HELP!!
I have great sympathy for those who are indeed computer challenged like myself lol !! Malwarebytes is scanning at the moment, and I couldn’t find any of those files listed, so took someone's advice who commented earlier and did a google search for a lot of the random .exe files and numbers, and clicked ‘fix checked’ so fingers crossed it works. I’m having to do all of this in safe mode with networking too as I couldn’t even use the computer normally; as soon as it started up I got those fake security alerts and every time I opened a program it closed straight away… it totally had me fooled into thinking my whole system was ruined. But turns out it was just that silly virus scaring me lol !! x x
Why has no one recommended a system restore? I had the “anti-spyware soft” trojan BAD and only had access to things the first 15-20 seconds my vista logged on. So I logged out/in, and IMMEDIATELY restored the system back 5 days, and now everything is working just fine. Is the trojan 2 in Appdata still there or have i successfully deleted it when I clicked delete on the trojan 2 in AVG’s virus vault? Help (experts) please and comment.
I just got infected just now. I followed the steps above and it took care of it thank goodness. And I didn’t have to restart in safe mode either. I’d like to get my hands on the guy/guys who made this virus!!
Hi. Thank you for all the great info. It was very informative and helped me get rid of that nasty virus. But, I didn't download anything to get it off. I started my comp in safe mode. Clicked start, control panel, folder, view, “show hidden files”. Then went to info stated above and it showed me the dirty virus folder right where it said it would be. I proceeded to scan the folder without opening it and FINALLY Norton showed that it was the virus. After scanning Norton took it away. Afterwards I hit up the regedit and looked in the places where the info told me to look and I deleted from there. Simple and easy. Took less than 15 min. I’m up and running again with no issues. And, more importantly no excess downloads of programs to remove it. Thank you greatly.
Wow, thankyou so much. i did all this, and after a few problems i fixed easily, a smooth fix was done. my laptop seems to be back to normal, time will only tell i spose.
THANKYOU THANKYOU THANKYOU!
hey, thank god i found the new name, it was under local settings or files, that was my key, it was called something like mcflotssd under another randomly named file similar, there were 2, thanks to some guy who found a different name which prompted me to look for a new name.
scryer41, if your computer won't boot, try to boot it in Last good configuration.
Dustin, if you are unsure, please start a new topic in our Spyware removal forum. I will help you.
dlawyer, if you are using Firefox, then you need to right click on a link and select Save link as. It will open a Save dialog.
charles, system restore is the right way, but in most cases the rogue can disable system restore.
My Computer Won't Let Me Go On The Website So I'm Having Problems It won't let me on this 1 either
plz help 🙁 send help at randypham12 at yahoo dot com
Thank You.
Did Everyone Get Infected On May 25, 2010?
I Mean May 24, 2010
Just want to say the input by others is great! However, I deleted the Antivirus Soft executable from my processes in Task Manager, and now when I use HijackThis it can’t find it.
P.S. I already found it in the Prefetch using Mycomputer/search so can I just delete it from there? After that I guess I’ll have to download Malwarebytes?
This thing has updated again and doesn’t go by the same process names as listed above, on the “version” I just took off my neighbor's PC anyway. Furthermore, on this latest release removing the localhost proxy from IE doesn’t stop the redirections either, and it also affects Firefox – I didn’t try with any other browsers. It disables task manager and msconfig as well so unless you can get into safe mode from your boot config you’re pretty much at a loss. Really one hell of a payload this thing will dump on you. This particular infection was caused by an un-updated Adobe Flash plugin. Update your Flash, Acrobat, etc, and you should be fine.
The real solution to all of this though is to simply not run Windows. Why pay hundreds of dollars for a virus magnet that constantly has some kind of security problem because it’s more profitable to allow “security” vendors to ship their resource hogging software along with copies of Windows than it is to actually fix the holes in the system?
I stopped the process in task manager. Mine was fvxvlbctssd.exe. I renamed and downloaded HijackThis. I did a scan of the computer and I get a bunch of results, but none of them say “sysguard” at the end. I see one with that fake .exe application. Should I uncheck that one and continue? The rest seem normal. Please help. Thanks for everything.
Brian, if you can't download the suggested programs above, then download them to another computer. Move the files to your PC using a flash drive or CD.
Sam, yes you can remove it from the Prefetch folder. Anyway, you need to scan your computer with a good antispyware tool (Superantispyware, Malwarebytes, SpyBot, AdAware…).
The right solution 🙂 I use Linux 🙂
Greg, infected entries have “tssd.exe” at the right. Fix them.
Patrik,
Thanks for the tip. Right clicking the link worked, and I got Hijack This loaded. But I only found one file that had one of the left and hand and right hand extensions on it. I hit “fix checked” and that file disappeared. But I’m still getting scam “alerts” every few seconds. There must be other files needing to get “fixed”, but how on earth do I determine which???
Thanks Patrik! I’m on my way to purging my pc (malwarebytes is awesome) and I just wanted to say thanks for helping everyone and myself, regardless of redundancy or whatever.
Hopefully I’ll only come back if I figure out a way to help.
P.S. It seems there was a major outbreak of this virus in the past 4 days, and some pc’s (including mine) have an altered version which redirects web browsers to porn sites.
P.S.S As soon as you start up your computer go to task manager, find the program, and right-click “end task”. This will at least allow you control over your programs by putting the virus in a temporary “cage” until you restart or power up your computer
Thank you! Thank you! Thank you! This saved my life…thought I was going to have to completely over haul my computer. You are my hero, thanks for taking the time to teach others what you know!
thank you so much i thought i'd have to pay to have my computer fixed!!
hey i followed all the steps above and malwarebytes detected something that i deleted and now i can't get onto the internet in either IE or Safari. any clues on how to fix this?
I can’t do anything, I can’t go to a website, I can do task manager, I can’t restore, how can I get this shit off my computer? Please help!!!
Luckily my iPad was charged because my comp was a brick before finding this site…