Antivirus Soft, also known as Antispyware Soft, is a new rogue antispyware program from the same family of malware as Antivirus Live. The program is distributed with the help of trojans. When the trojan is started, it will download and install Antivirus Soft onto your computer and configure it to run automatically when you log on to Windows.
When Antivirus Soft is started, it will imitate a system scan and report numerous infections that will not be fixed unless you first purchase the program. It is important to know that all of these reported infections are fake and don’t actually exist on your computer! So you can safely ignore the scan results that Antivirus Soft gives you.
While Antivirus Soft is running, it will block you from running any programs in order to scare you into thinking that your computer is infected with malware. The following warning will be shown when you try to run Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Windows Security alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antvirus software now?
Last but not least, Antivirus Soft will hijack Internet Explorer so that it will randomly show a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. Of course, all of the above warnings and alerts are nothing more than a scam and, like the false scan results, should be ignored!
As you can see, Antivirus Soft is a scam designed with one purpose: to trick you into purchasing the so-called full version of the program. Do not be fooled into buying the software! Instead of doing so, follow the removal guide below in order to remove Antivirus Soft and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
Use the following instructions to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it to iexplore.exe, then click the Save button to save it to the desktop. If you can’t download the program, then you should repair the proxy settings of Internet Explorer. Run Internet Explorer, click Tools -> Internet Options. Select the Connections tab and click the LAN Settings button. Uncheck the “Use a proxy server” box. Click OK. Click Apply. Click OK.
Double-click iexplore.exe on your desktop to run HijackThis. The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKCU\..\Run: [udcqinjy] "C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe"
Note: the list of infected items may be different, but all of them have the “sysguard.exe” or “tssd.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs, then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Antivirus Soft infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivirus Soft removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won’t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Soft (Antispyware Soft) creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Soft (Antispyware Soft) creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
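An added example (not part of the original guide or of HijackThis): a Python triage script for a saved HijackThis log that flags the R1 loopback-proxy line and the O4 Run entries matching the patterns listed above. It goes slightly beyond the guide by also marking any autorun executable in the same per-user folder layout as "review" when its name ends differently; that tier is a heuristic and will also catch legitimate per-user software. The function names and the two made-up sample entries are assumptions.

```python
import re

# Executable-name endings this guide lists for the rogue.
KNOWN_SUFFIXES = ("sysguard.exe", "ftav.exe", "tssd.exe")
# HijackThis autorun line: O4 - HKLM\..\Run: [value name] command
O4_RUN = re.compile(r"^O4\s*-\s*(HKLM|HKCU)\\\.\.\\Run:\s*\[[^\]]*\]\s*(.+)$", re.I)
# An .exe directly inside a one-level subfolder of the per-user local
# application data directory (Windows XP and Vista/7 layouts).
APPDATA_EXE = re.compile(
    r"\\(?:Local Settings\\Application Data|AppData\\Local)\\[^\\]+\\([^\\]+\.exe)$", re.I)
# R1 line that points Internet Explorer at a proxy on the loopback address.
LOOPBACK_PROXY = re.compile(
    r"^R1\s*-\s*.*Internet Settings,ProxyServer\s*=\s*(?:http=)?127\.0\.0\.1:\d+", re.I)

def normalize(line):
    """Undo web typography (en dashes, curly quotes) so pasted logs still parse."""
    for bad, good in (("\u2013", "-"), ("\u201c", '"'), ("\u201d", '"'), ("\u2033", '"')):
        line = line.replace(bad, good)
    return line.strip()

def triage(log_text):
    """Return (verdict, line) pairs: 'proxy', 'match' (listed suffix) or 'review'."""
    findings = []
    for raw in log_text.splitlines():
        line = normalize(raw)
        if LOOPBACK_PROXY.match(line):
            findings.append(("proxy", line))
            continue
        entry = O4_RUN.match(line)
        # Take the program path only, dropping quotes and any arguments.
        path = re.match(r'"?(.+?\.exe)', entry.group(2), re.I) if entry else None
        exe = APPDATA_EXE.search(path.group(1)) if path else None
        if exe:
            listed = exe.group(1).lower().endswith(KNOWN_SUFFIXES)
            findings.append(("match" if listed else "review", line))
    return findings

# Constructed sample: three lines taken from this guide, written with web
# typography (en dashes, curly quotes), plus two made-up entries: an unlisted
# name in the same location and a Program Files autorun.
SAMPLE_LOG = r"""
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 – HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [vcspymsv] “C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe”
O4 - HKCU\..\Run: [qzxample] C:\Users\Owner\AppData\Local\abcdef\zzzzexample.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /startup
"""

if __name__ == "__main__":
    for verdict, line in triage(SAMPLE_LOG):
        print(f"{verdict:6} {line}")
```

Entries marked "review" still need a manual check of the file before anything is removed.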
I had the problem too, but it’s now sorted out.
Instructions to remove.
Press Ctrl+Alt+Delete when you’re almost in the desktop (if you press too late Task Manager will not open).
In Task Manager look at the processes, google them in Firefox; anything that doesn’t show up in Google is the one to close.
I had process kboqsftav.exe running which I googled & no results were shown. I chose to close it.
Then I installed HijackThis, I ran a scan & removed the files given in the original post (thanks).
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
Mine were named slightly different but it was easy to figure out!
Remove them & you should be back to normal.
Robert Pires
If you can’t get HijackThis to work, you can try to use a program called Rkill (I got it from Bleepingcomputer.com). It will automatically stop the processes of this vicious malware, so you can run Malwarebytes. Here is the link: http://download.bleepingcomputer.com/grinler/rkill.exe.
Good luck all, this one really sucked to get rid of.
This forum was a lifesaver. When I did the scan the file was called vwhrsftav.exe.
Best of luck to anyone needing to read this. Don’t give up though – it is entirely possible to beat this virus.
Thank you so much guys!
It worked perfectly!
I have a whole list of stuff and don’t know which to delete. I don’t want to delete something I need.
Am I gonna mess up my comp too much if I delete something I shouldn’t?
Hey everyone I really tried to use this guide and it didn’t work. I don’t know what I am doing, really and I don’t really know anyone who knows anything to help me anyway. 🙁
This is driving me insane. Doesn’t help I have anxiety problems as it is.
I tried to delete the files that look odd even by googling what I didn’t know. It didn’t work. And it’s getting worse.
BEST SOLUTION LOG OFF YOUR CPU THEN LOG BACK IN IMMEDIATELY PRESS Ctrl+Alt+Delete. Click on the “processes” tab and then click the “Mem Usage” tab to sort them from highest to lowest. You will likely have a .exe file near the top of your list everyone will prob be different. I searched this file on Google and found no record of it, so I knew something was up. I selected this file and ended the process and then the pop-ups finally stopped. I now knew that I was onto something. I then ran Hijack This and found this file under the O4- listings. I deleted the file and restarted. Problem solved.
MY RESULTS MIXED WITH “RYAN’S”
>>> After Windows boots up, press Ctrl+Alt+Delete. Click on the “processes” tab and then click the “Mem Usage” tab to sort them from highest to lowest. You will likely have a .exe file near the top of your list (mine was called brwjsftav.exe)….I selected this file and ended the process and then the pop-ups finally stopped…I then ran Hijack This and found this file under the O4- listings.
This procedure worked for me. Only difference was that I had to disable the proxy setting in IE to get Net access back. Thanks, Ryan!
Thanks for your help. Excellent feedback. All is working well. Getting used to this fix, recently had to remove Security 2010 last month.
None of the listed files show up during the scan.
Sissy, if you are unsure, ask for help in our Spyware removal forum.
Noraye, please open a new topic in our Spyware removal forum. I will help you.
If you can’t download, go to the Task Manager as soon as you boot (before the virus has a chance to activate) and hit ALT+CTRL+DELETE and go to Processes and look for any process that ends with either FSTAV.exe or Sysguard.exe and end the process. This will allow the computer to work as normal so you can download and run the applications.
Thanks for all the help, and all the comments were very helpful. Let’s hope this one doesn’t come back 🙂
I went into safe mode and did a system restore to the previous day and that’s all it took, no more popups…. but is the malware still hiding on my system??
13 days later AntiVirus Soft came right back. I’ve been running on a limited Windows account since I first removed the little bugger which I’d hoped would prevent unauthorized installations.
Guess I was wrong.
Any thoughts?
Bob, anyway download Malwarebytes Anti-malware and perform a scan.
I love you I love you I love you!
ONLY this page saved me
thanks man hijack worked! Unfortunately, malwarebytes didn’t find it and I been had it downloaded before I downloaded hijack. I’m just glad my computer works again thanks!
This program had taken over my computer so bad that I couldn’t get to the HijackThis website (I couldn’t get to any web site) so I used a different computer and saved it on a USB drive in order to run it on my laptop with the malware. I ran HijackThis and deleted all the files I thought might be it. Luckily I deleted enough of it that I was able to get to the Malwarebytes website and download it and that was able to find the rest of it. Only two days later Windows wouldn’t load at all, all I was getting was a blue screen. I used my reinstall disc and it was able to repair the Windows that I had on the computer and it saved everything and it has been working fine for about 2 weeks.
If your system allows a “System Restore” feature to return your computer to an earlier operating state, then this is an easy fix. This worked for me. Just choose an earlier date than the date you got this annoying virus and follow the instructions and you’re done. You may have to select this feature from safe mode because in regular mode this virus won’t let you get there. But in safe mode you can do a system restore. To get to safe mode keep tapping F8 as your computer is starting up. To whoever came up with this virus, may I say to you — you are scum!
Thanks for your input everyone! I used Ryan’s advice (Feb 17) and it worked perfectly for me. I highly recommend trying that strategy. I can’t help but wonder how many people have fallen for the scam and bought Antivirus Soft? Too many I’m guessing. Education is the best defense against the losers who create this mess. A big THANK YOU and CHEERS to the developers of this site and all those who have contributed on this forum.
I’ve been able to get rid of this mostly. Malwarebytes doesn’t find anything in a scan, and I don’t receive any pop-ups, but when I run HiJack there are still two entries that show up that end with the ftav.exe. I check them and try and “fix” them, but they still remain.
Any ideas?
Corey, probably a trojan reinstalls it every time you boot your PC. Please open a new topic in our Spyware removal forum. I will check your PC.
Thank you much for the help.
Thanks for this website! Helped me out a ton. Great advice by Ryan (Feb. 17th). I only had one file with the O4-string that was affected (besides the R1-string file). My O4-string ended with a y….stag.exe so they are definitely changing up the virus. But again if you search for the processes by memory it’s not too difficult to find. Thanks again to this website!
I just went through this mess… I used Hijack and Malwarebytes and it’s gone for now… The needles in the haystack were two O4 files that ended in “pllstav.exe”. I found them using the advice above and google. Thanks to all who submitted feedback!
Thank you for the tremendous help in removing this monster of a virus. I was pulling my hair trying everything I know and nothing was working I was ready to give up and then I came across this website. I used Hijack first renaming it to ‘iexplore.exe’ and that worked great then I used Malwarebytes to remove the rest of the malware/virus. Thanks again so much.
Thanks so much for this site and the links. However, the comments were the most helpful due to the update to the malware.
The method that worked for me was a simple system restore from safe mode. I highly recommend trying this method first then scanning your computer with both these anti-malware programs to make sure no traces remain.