Antivirus Soft, also known as Antispyware Soft, is a new rogue antispyware program from the same family of malware as Antivirus Live. The program is distributed with the help of trojans. When the trojan is started, it will download and install Antivirus Soft onto your computer and configure it to run automatically when you log on to Windows.
When Antivirus Soft is started, it will imitate a system scan and report a lot of various infections that will not be fixed unless you first purchase the program. All of these reported infections are fake and don’t actually exist on your computer, so you can safely ignore the scan results that Antivirus Soft gives you.
While Antivirus Soft is running, it will block the ability to run any programs as a method to scare you into thinking that your computer is infected with malware. The following warning will be shown when you try to run Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Windows Security alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antvirus software now?
Last but not least, Antivirus Soft will hijack Internet Explorer so that it randomly shows a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. Of course, all of the above warnings and alerts are nothing more than a scam and, like the false scan results, should be ignored!
As you can see, Antivirus Soft is a scam designed with one purpose: to trick you into purchasing the so-called full version of the program. Do not be fooled into buying the software! Instead, follow the removal guide below to remove Antivirus Soft and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
Use the following instructions to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it to iexplore.exe and click the Save button to save it to the desktop. If you can’t download the program, then you should repair the proxy settings of Internet Explorer. Run Internet Explorer and click Tools -> Internet Options. Select the Connections tab and click the LAN Settings button. Uncheck the “Use a proxy server” box. Click OK. Click Apply. Click OK.
Double-click iexplore.exe on your desktop to run HijackThis. The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 – HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [vcspymsv] “C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe”
O4 – HKCU\..\Run: [udcqinjy] “C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe“
Note: the list of infected items may be different, but all of them have the “sysguard.exe” or “tssd.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
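The check described in Step 1 and in the “Symptoms in a HijackThis Log” list can also be run over a saved HijackThis log. The following is an added example in Python, not part of the original guide or of HijackThis; the function names, the suspect-proxy/suspect-run labels and the sample log are constructed for illustration, and matching is limited to the three file-name endings and the loopback proxy value shown on this page.

```python
import re

# Executable-name endings listed in the article's "Symptoms" section.
SUFFIXES = ("sysguard.exe", "ftav.exe", "tssd.exe")
# Per-user data folders used in the article's sample entries (XP and Vista/7 layouts).
USER_DIRS = ("\\local settings\\application data\\", "\\appdata\\local\\")
# Web copies of logs often carry an en dash and curly quotes; map them back to ASCII.
TYPOGRAPHY = {0x2013: "-", 0x201C: '"', 0x201D: '"'}

O4_RUN = re.compile(r"^O4\s*-\s*(HKLM|HKCU)\\\.\.\\Run:\s*\[([^\]]*)\]\s*(.+)$", re.I)
R1_PROXY = re.compile(r"^R1\s*-\s*.*\\Internet Settings,ProxyServer\s*=\s*(.+)$", re.I)

def classify(line):
    """Return (verdict, detail) for one HijackThis line, or None if it is not flagged."""
    line = line.translate(TYPOGRAPHY).strip()
    m = R1_PROXY.match(line)
    if m:
        proxy = m.group(1).strip()
        # The article's sample shows the proxy pointed at the loopback address.
        return ("suspect-proxy", proxy) if "127.0.0.1" in proxy else None
    m = O4_RUN.match(line)
    if not m:
        return None
    hive, value_name, command = m.groups()
    path = command.strip().strip('"').lower()
    # Flag only when both hold: a per-user data folder AND a listed file-name ending.
    if any(d in path for d in USER_DIRS) and path.endswith(SUFFIXES):
        return ("suspect-run", hive.upper() + " [" + value_name + "] " + path)
    return None

def scan(log_text):
    """Return the flagged entries of a saved log, in the order they appear."""
    results = (classify(line) for line in log_text.splitlines())
    return [r for r in results if r]

# Constructed sample: three lines taken from the article plus one benign driver entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

if __name__ == "__main__":
    for verdict, detail in scan(SAMPLE_LOG):
        print(verdict, detail)
```

A hit only narrows down which entries to review before fixing them in HijackThis; a variant that uses a different file-name ending will not match this list.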
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings and, when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Antivirus Soft infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivirus Soft removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won’t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Soft (Antispyware Soft) creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Soft (Antispyware Soft) creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
Oh wow, this is very neat! Thanks a bunch for the big help. I was watching some movies at watchmoviesonline when suddenly a strange AV appeared. So shocked, confused, panicked and frustrated at first. Thanks for these good instructions!
Just received this on my computer, but I’m running with Firefox, not IE. What should I do to remove??
I had antivirus soft infect my computer last Thursday. I turned my computer off and didn’t do anything with it for a week. When I turned it back on, all of the antivirus soft symptoms and annoyances seemed to be gone. I have run hijackthis and malware bytes, and neither of them found anything. However, my computer keeps freezing, invariably every 3 to 15 minutes or so after I turn it on, no matter what I am doing. Does anyone know if the freezing could be linked to antivirus soft?
I am so distressed at having this on my laptop. I can’t even get to a website on internet explorer on my laptop. I tried to uncheck the Proxy Settings on internet explorer, but it wouldn’t work. The Apply button wouldn’t show up and I still can’t access a website. I tried to download Hijack via Mozilla, but it won’t let me rename it. Someone please help!!
jist, follow above steps.
Lauren, open a new topic in our Spyware removal forum, I will check your PC.
Elizabeth, download HijackThis using Mozilla. Once loaded, right click it and select rename, type iexplore and press Enter. Run it.
Thanks Patrik! I ended up figuring out a way to bypass the internet explorer problem. In order to get the Apply button to work, I changed settings under the General tab of Internet Options to “trick” it into allowing me to Apply the Proxy changes. However, I had to redo this each time I clicked a link on internet explorer. It worked, but just took a lot of time.
Just wanted to say thanks so much for all the help! This is coming from someone who has had minimal experience with computers, but I followed the directions precisely and seem to have gotten rid of the virus. Time will tell!
I just deleted everything with a 04 by it!! And so far so good!! Thanks
This was a nightmare. I think I’m fixed but we will see. I couldn’t get malware to run at first but I did get Hijack This to run after renaming it. After that I had two programs to check/delete. After that I could run Malware and my system is coming up clean. I’ll be back if this didn’t work. 😉 Thanks
I have this problem on my laptop and I cannot log in. How do I get this program on it to remove the problem?
If I clone the drive to an outside drive and plug it in a computer, can I run this program or Norton to get rid of this?
Thanks
I just got infected with this virus tonight and even though I followed the instructions, Malwarebytes didn’t find jack.
(But maybe that’s because it was already installed on my system WEEKS ago… I don’t know.)
It’s like what Twintrbl (the guy below me) said. They’ve UPDATED this virus but my two entries (in hijackthis) had “ftav.exe“ on the end so be sure to check for those!
Also be sure to google any .exe file with random letters as the file name. If google turns up nothing, it’s most likely not a real program extension.
lewis, you can’t log in to Windows in all modes (Safe mode and Normal mode)?
I got this annoying Antivirus Soft programme on my laptop just now and it’s pretty shocking to me!
Followed the steps outlined and I’m finally back into business!!! If there are any problems that arise, I may have to look into it. Thanks!
I followed the directions. I used a jump drive to get the programs to my laptop and ran them while in safe mode. I got rid of the programs this listed to with HijackThis. When I ran malwarebytes, nothing showed up. I restarted my computer, this time in normal mode, and it’s still there.
I rebooted my laptop again, this time in safe mode, and I ran HijackThis again. There is one 04 file.
“O4-HKLM\…\RUN: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup”
I’m sure I got rid of every single one the first time, so what caused this to come back, and how can I fix it?
This worked great – thanks so much! I’m all right with computers but I’m no whiz and I was at a loss – none of my scans would find it. HijackThis worked great, though.
—-Everyone try this!!!!!—
As soon as your computer starts, hit ctrl+alt+delete and get into your processes! If you do it at the earliest possible moment you should be able to beat startup on antivirus soft. You can then find the virus and turn it off, giving you complete freedom to download, install and run whatever to get rid of it.
Mint, the line is ok, don’t remove it.
Hi, I’m trying to remove the virus and have downloaded HiJack This. I’m just wondering which 04 files I’m supposed to delete? All of them?
Jana, if you are unsure, then ask for help in our Spyware removal forum.
Followed the instructions and it worked perfect!!! Thanks
Thanks for the incredibly helpful advice; I was able to clean my dad’s computer off and all is working well.
This will show my ignorance, but I was wondering if the virus might have transferred itself to our extended drives (external hard drive connected to desktop that was infected, Ipod, flash drive). Should I scan those as well? I disconnected them once I realized we’d gotten this virus.
I got rid of this little bugger as follows:
1. Found a randomly named folder in the C:\Documents and Settings\user\Local Settings\Application Data directory that was created about the time the infection kicked in.
2. Opened the folder and renamed the executable file (which ended with -“ftav”).
3. Restarted my computer.
4. At this point, because the executable was not initiated, I was able to use HijackThis and Malwarebytes to clean things up.
5. So far, so good. Thanks for the good advice!
Just removed this from a client’s computer a couple days ago. I’ve removed this before though, but one thing to know, this form of malware connects you to a private VNC (virtual network connection) so safe mode with networking isn’t a good idea like some articles mention. Same with malware scans because you’re connected to someone’s server and they still have network access to block or compromise your AV’s. So scan in safe mode. Or the best way
Safe mode -> Regedit -> use the above mentioned Reg key areas, but the program’s name will be all different names like ftav, tfav, or randomnumbersandlettersav, but “av” is always there so it’s not hard to spot.
After you remove the keys, install, update and scan with malwarebytes, then subsequently asquared to assure there are no leftover executables or reg keys leftover.
Step one worked perfectly to get rid of it. I’m doing step two to make sure I’ve got no other issues here that I didn’t know about.
For HiJack This, I just marked the ones in R1 and O4 that had names I didn’t recognize, and it worked.
Here’s what worked for me:
After Windows boots up, press Ctrl+Alt+Delete. Click on the “processes” tab and then click the “Mem Usage” tab to sort them from highest to lowest. You will likely have a .exe file near the top of your list (mine was called brwjsftav.exe). I searched this file on Google and found no record of it, so I knew something was up. I selected this file and ended the process and then the pop-ups finally stopped. I now knew that I was onto something. I then ran Hijack This and found this file under the O4- listings. I deleted the file and restarted. Problem solved.
I ran the Malwarebytes program and it did not detect any files.
Though I did run the HiJackthis program and checked off the files that were suspicious and all the pop-ups stopped coming out.
I restarted my laptop and still, nothing is popping out, no virus threats, but I can’t help but think that I still have it on my laptop.
What should I do?
Jenni, no, only if the malware was installed with another trojan. Attach the drive to a computer. Don’t open the disk, run an antivirus and check it.
Jimmy, looks like your PC is clean. Also you can scan your computer with an online anti-virus scanner.