Antivirus Soft, also known as Antispyware Soft, is a new rogue antispyware program from the same family of malware as Antivirus Live. The program is distributed with the help of trojans. When the trojan is started, it downloads and installs Antivirus Soft onto your computer and configures it to run automatically when you log on to Windows.
When Antivirus Soft is started, it imitates a system scan and reports numerous infections that it will not fix unless you first purchase the program. All of these reported infections are fake and don’t actually exist on your computer, so you can safely ignore the scan results that Antivirus Soft gives you.
While Antivirus Soft is running, it blocks you from running any programs, as a way to scare you into thinking that your computer is infected with malware. The following warning is shown when you try to run Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Windows Security alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antvirus software now?
Last but not least, Antivirus Soft will hijack Internet Explorer so that it randomly shows a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. Of course, all of the above warnings and alerts are nothing more than a scam and, like the false scan results, should be ignored!
As you can see, Antivirus Soft is a scam designed with one purpose: to trick you into purchasing the so-called full version of the program. Do not be fooled into buying the software! Instead, follow the removal guide below to remove Antivirus Soft and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
Use the following instructions to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it to iexplore.exe and click the Save button to save it to your desktop. If you can’t download the program, then you should repair the proxy settings of Internet Explorer. Run Internet Explorer and click Tools -> Internet Options. Select the Connections tab and click the LAN Settings button. Uncheck the “Use a proxy server” box. Click OK. Click Apply. Click OK.
Double-click iexplore.exe on your desktop to run HijackThis. The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 – HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [vcspymsv] “C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe”
O4 – HKCU\..\Run: [udcqinjy] “C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe”
Note: the list of infected items may be different, but all of them have the “sysguard.exe” or “tssd.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
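The Step 1 check can also be run over a saved HijackThis log. The Python sketch below is an added example, not part of the original guide: it flags the loopback-proxy R1 line and any O4 Run entry whose executable sits in a random subfolder of the per-user application data directory and ends in one of the names listed on this page. The sample log is constructed from the lines shown above plus two benign entries, and names such as `flag_entries` are this example's own.

```python
import re

# Executable-name endings listed on this page; other variants may differ.
SUFFIXES = ("sysguard.exe", "ftav.exe", "tssd.exe")

# O4 autorun line: "O4 - HKLM\..\Run: [name] path". The separator may be a
# hyphen or an en dash, and the path may be wrapped in straight or curly quotes.
O4_RE = re.compile(
    r'^O4\s*[-\u2013]\s*(HKLM|HKCU)\\\.\.\\Run:\s*\[[^\]]*\]\s*(?P<path>.+)$',
    re.IGNORECASE)
R1_PROXY_RE = re.compile(
    r'^R1\s*[-\u2013]\s*HKCU\\.*Internet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)',
    re.IGNORECASE)
# Per-user application data directory plus one subfolder (XP or Vista layout).
APPDATA_RE = re.compile(
    r'\\(Local Settings\\Application Data|AppData\\Local)\\[^\\]+\\[^\\]+$',
    re.IGNORECASE)

# Constructed sample: lines 1, 3 and 4 follow this page; 2 and 5 are benign.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [vcspymsv] “C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe”
O4 - HKLM\..\Run: [Guard] C:\Program Files\Vendor\sysguard.exe
""".strip()

def flag_entries(log_text):
    """Return (line_number, reason, line) for every suspicious log line."""
    hits = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = R1_PROXY_RE.match(line)
        if m and "127.0.0.1" in m.group("proxy"):
            hits.append((no, "loopback proxy", line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        path = m.group("path").strip(' "\u201c\u201d')
        # Require both the name ending and the application-data location.
        if path.lower().endswith(SUFFIXES) and APPDATA_RE.search(path):
            hits.append((no, "autorun from application data", line))
    return hits

if __name__ == "__main__":
    for no, reason, line in flag_entries(SAMPLE_LOG):
        print(f"line {no}: {reason}: {line}")
```

The last sample line is not flagged because it matches a listed name but lives under Program Files, so matching on the name alone would misreport it.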
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Antivirus Soft infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivirus Soft removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won’t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Soft (Antispyware Soft) creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Soft (Antispyware Soft) creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
Thanks so much to this website! I followed the directions, and it worked. Yes, the file names have changed slightly, but the “av” ending is always in the file name near the end. NOTE: I only had the R1 file and one of the O4 files found by Hijack. When I then ran Malware (after the Hijack find and removal of 2 files), it found nothing malicious. I rebooted the computer and went to the control panel because I realized the appdata files are hidden in Vista. Once I unhid them, I found one more “av” file hanging around, deleted it and restarted the computer. Everything is fine now!
I can’t figure out how to rename it? I googled it and it didn’t help me because it pops up and then is bolded but you can’t hit it… can you right click it? Oh and I really hate whoever made this right now!! They need to put them in jail, this has been infecting my computer for months and today it started with the stupid this site is bad thing.. help!!
You are a life saver; I got infected last night. I only had 2 O4 entries. They were not exactly named as any of the files mentioned above, but they did end in “tav” which made it a pretty dead give away when compared to the above posts. Hope that helps
Sara, please open a new topic in our Spyware removal forum.
I got the Antivirus Soft virus and followed the directions on this as posted and it went away. However after running Malwarebytes’ and rebooting the problem popped up again. Right now it is away as I redid everything except running Malwarebytes’.
I also have another problem in all this is that I can’t run Internet Explorer and can only run Firefox.
Cam, please ask for help in our Spyware removal forum.
An easier way to remove it is to install malware anti-malware bites. Then if you normally double click it won’t work so you right click and then select run as. It should open and perform a full scan.
Sincerely,
Bob The Builder
{p.s. I just can’t say my real name!}
In order to rename the hijack, don’t double click on it, right click and click on save as and then rename it and save it to your desktop.
Thanks for the help. I already had hijack this and was able to execute the above fixes from safe mode with networking. Seems to have worked like a charm.
I followed the instructions (I think) after downloading the hijack this. I looked for the lines that look like R1 HKCU but didn’t see any with any ending in ftav.exe or sysguard.exe but did find the one that said RI HKCU\software\microsoft\windows and fixed it. Then after an error sign popped up Error code 732 (12027.0).
I tried downloading HijackThis and it’s not showing up on my desktop anywhere and I can’t find it in my computer. When I went to download it, all it said was save as or cancel. Couldn’t rename it or anything. Am I just stupid? Help me please. Thanks.
I’m sorry, the error code was 732 (12029,0).
How do you know which one to delete and check? Ahh this is such a pain! They all have different names and etc. Which one and how do I know? Ty!
Cynthia, open a new topic in our Spyware removal forum. I will check your PC.
THANK YOU SO MUCH for this info !!!
thanks a million, Dell wanted to charge me $234 to get my computer fixed. I followed your instructions and so far things are going smoothly. I just had difficulty changing the file name of Hijack This…had to go to their site and download it from there.
Ya I dunno, seems to me this damn program (antivirus soft) got even smarter…won’t let me run any .exe programs none!!!!! I’m soo friggen pissed help?
but in safe mode the thing isn’t appearing but these programs aren’t detecting it
found the following item.
gblisftav.exe
I was about to throw the computer out the window and find a lawyer for the time it took to get this off the computer. People who write such malware should be flogged in public.
thank you for the public service.
NRM, if the instruction does not help you, then ask for help in our Spyware removal forum.
With HiJackThis I removed the following line and I was able to update and run Malwarebytes.
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
Followed Ryan’s comments (Feb 17) to open task manager at start up, googled exe file before deleting process. Downloaded Hijackthis using Google Chrome after unchecking proxy server setting. Then followed Step 1 Hijackthis process to remove the two annoying exe files. Also fixed the proxy setting in the R1 line. Rebooted my computer and all is well so far.
Thanks everyone.
I forgot to mention that I followed everyone’s instructions to rename Hijackthis at download time before running it.
Thank you so much for the help!
I couldn’t find any R1 section though.
There were only sections that start with O4 and end with ftav.exe =) And on internet browser, you can’t even change your internet option. They automatically set it as that proxy thing every time I uncheck it. And plus, through internet browser, you can’t even reach to this website because this antivirus soft keeps disrupting. (but firefox works well while there were thousands of purchasing ads popped up.)
Apparently this means that they become smarter..
Any way, once again, Thanks for your help.
Thanks everyone so much for the advice. The two steps worked like a charm and helped me to finally get rid of this abhorrent virus. I really hope that whoever created this spyware would get caught and get sentenced to 40 years in prison.
The Hijackthis program was especially helpful. Thanks again!
I followed all directions, and I am now up to the part where on Hijack This I have to place a checkmark next to the items to delete. Before I do this I want to make sure I am deleting the right things and not something I need. I looked at the list above and do not see similar items. I have some things that start with ‘R1’ and ‘04’ but I don’t see any files that end with ‘sysguard.exe’. Should I just delete everything that starts with ‘R1’ or ‘04’? Thanks in advance…
Aimee, if you are unsure, please open a new topic in our Spyware removal forum. I will help you.
I had this pop up again and I was able to run hijack this and remove the bad programs. After I did that I could run malwarebytes but nothing is showing up to remove/clean, which I think is odd. Normally, I have trojans and other junk to delete.
Holy cow — what a nightmare! I had trouble getting HijackThis to download, then it wouldn’t run because it was ‘infected’. Finally I had to shut the computer down by unplugging it, since nothing was opening anymore (taskmgr, cmd, regedit, etc), and I couldn’t even shut it down gracefully. I brought it up in SAFE mode and successfully ran HijackThis. Then I rebooted and was able to proceed with MalwareBytes.
THANK YOU…THANK YOU….THANK YOU
Okay, so I finally got rid of Antivirus Soft after reading this page, but I still can’t connect to the internet. My firewall is set to allow access for both Internet Explorer and Firefox, and neither program is using a proxy server to connect. I can still access the web through another computer on this network, but even in Safe Mode, the system which was infected won’t allow me to access the internet. Any suggestions?