Antivirus Soft, also known as Antispyware Soft, is a new rogue antispyware program from the same family of malware as Antivirus Live. The program is distributed with the help of trojans. When the trojan is started, it will download and install Antivirus Soft onto your computer and configure it to run automatically when you log on to Windows.
When Antivirus Soft is started, it will imitate a system scan and report numerous infections that it will not fix unless you first purchase the program. All of these reported infections are fake and don’t actually exist on your computer, so you can safely ignore the scan results that Antivirus Soft gives you.
While Antivirus Soft is running, it will block other programs from running in order to scare you into thinking that your computer is infected with malware. The following warning will be shown when you try to run Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Windows Security alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antvirus software now?
Last but not least, Antivirus Soft will hijack Internet Explorer so that it will randomly show a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. Of course, all of the above warnings and alerts are nothing more than a scam and, like the false scan results, should be ignored!
As you can see, Antivirus Soft is a scam designed with one purpose: to trick you into purchasing the so-called full version of the program. Do not be fooled into buying the software! Instead, follow the removal guide below in order to remove Antivirus Soft and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
Use the following instructions to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it first to iexplore.exe and click the Save button to save it to the desktop. If you can’t download the program, then you should repair the proxy settings of Internet Explorer. Run Internet Explorer, click Tools -> Internet Options. Select the Connections tab and click the LAN Settings button. Uncheck the “Use a proxy server” box. Click OK. Click Apply. Click OK.
Double-click iexplore.exe on your desktop to run HijackThis. The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 – HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [vcspymsv] “C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe”
O4 – HKCU\..\Run: [udcqinjy] “C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe“
Note: the list of infected items may be different, but all of them have the “sysguard.exe” or “tssd.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Antivirus Soft infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivirus Soft removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won’t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Soft (Antispyware Soft) creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Soft (Antispyware Soft) creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
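The Step 1 check can also be run over a saved HijackThis log instead of by eye. The following is an added example, not part of the original guide or of HijackThis: it flags the loopback proxy line and O4 autoruns under the local application data folder, and goes slightly beyond the guide by marking any other executable found there for manual review. The function name, the reason labels and the last two sample lines are constructed for illustration.

```python
import re

# Executable-name endings this guide lists for Antivirus Soft / Antispyware Soft.
KNOWN_SUFFIXES = ("sysguard.exe", "ftav.exe", "tssd.exe")

# O4 autorun line; logs pasted into web pages often carry an en dash instead of "-".
O4_RE = re.compile(r'^O4\s*[-\u2013]\s*(HKLM|HKCU)\\\.\.\\Run:\s*\[([^\]]*)\]\s*(.+)$')
# R1 line that points the Internet Explorer proxy at a loopback address.
PROXY_RE = re.compile(
    r'^R1\s*[-\u2013]\s*HKCU\\.*Internet Settings,ProxyServer\s*=\s*\S*127\.0\.0\.1:\d+', re.I)
# An .exe exactly one folder below the per-user local application data directory
# (XP: Local Settings\Application Data, Vista/7: AppData\Local).
LOCAL_APPDATA_RE = re.compile(
    r'\\(?:Local Settings\\Application Data|AppData\\Local)\\[^\\]+\\([^\\]+\.exe)\b', re.I)

# Constructed sample: the first three lines mirror the guide's examples, the
# fourth is a random-named entry, the fifth a legitimate-looking autorun.
SAMPLE_LOG = r'''
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKCU\..\Run: [qzxwv] C:\Documents and Settings\user\Local Settings\Application Data\kdjfhg\kdjfhg.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
'''


def triage(log_text):
    """Return (reason, line) tuples for HijackThis lines worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROXY_RE.match(line):
            findings.append(("loopback-proxy", line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        path = m.group(3).strip(' "\u201c\u201d')  # drop straight or curly quotes
        exe = LOCAL_APPDATA_RE.search(path)
        if not exe:
            continue  # autorun lives elsewhere, e.g. Program Files
        if exe.group(1).lower().endswith(KNOWN_SUFFIXES):
            findings.append(("known-suffix", line))
        else:
            findings.append(("review-manually", line))
    return findings
```

Entries labelled review-manually are not confirmed infections; compare the file name against software you actually installed before fixing them.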
how do you rename it
and I didn’t rename it so I saved it as hijackthis, it opens the menu, I clicked on ‘do a system scan only’ but I don’t see the R1 line
Louis, what does your browser show when you try to open any site?
Patrik – Firefox shows “Server not Found” and Internet Explorer shows “Cannot display the webpage.”
Louis, read the instructions, use additional steps.
so was infected with this few days ago booted safe mode networking ran Super anti spyware and another scan with Malwarebytes both picked it right up removed reboot did full scan..things good for 2 days get on today and pops back up scanners find it again,but both times it comes up as i was using firefox not ie..everytime avg pops up says threat i hit move to vault.then antivirus soft takes over ! Any advice be appreciated !
bjv, looks like your PC is infected with a hidden trojan that can reinstall the rogue. Open a new topic in our Spyware removal forum. I will check your PC.
Hello, I scanned my computer with Malware Bytes but the Antivirus Soft keeps coming back.
I tried to fix it with ComboFix and it only worked for 2 seconds before the darned thing came back again…. please any help
Oh, I’ve been infected with Internet Security 2010 before and used Malware Bytes, maybe my computer already recognizes it? I don’t know but I’ve had it with the rogue antiviruses!! Thanks in advance! 😀
Amy, please follow the steps.
This worked well for me. I spent about 4 hours, but followed the steps with great success. Thanks for publishing this post!
thanks so much for this excellent programme
now I’m going to london to force the bastards
to buy something they don’t want……………… they will buy it…..
how about i go to london with a bucket of whitewash and swill the bastards and their offices then tell them i’m from a paint removal company (newly formed)……. and bill them for the removal of the paint :)….six months after of course then offer them a deal on not swilling them again if they subscribe to my bona-fide company.
then twat em
i was able to shut down two things in hijack this: the IP one and one other with a totally made up bogus name. Whatever version of Antivirus Soft I had did not have sysguard.exe or ftav.exe in the hijackthis.
And malwarebytes didn’t find ANYTHING but after running hijackthis i was able to open regedit and delete several keys including one with AVSCAN in title and another with AVGUIDE. There was also a entry in the LOCAL_MACHINE area which is listed above.
Finally I was able to delete the folder it made in my local user profile. Totally made up bogus name and an exe with the same name inside.
Did all that, restarted and 30 minutes now without any popups or warnings. I think it’s kicked.
Hi guys. This virus hit my desktop about an hour ago and thanks to this guide and the comments on this site I’ve been able to get rid of it. Thanks a ton, you guys are lifesavers.
A few comments from my discoveries:
I wasn’t able to run either Malwarebytes or HijackThis, both were found to be “viruses” by Antivirus Soft and weren’t allowed to open. I was able to download them fine by turning off the proxy thing in Internet Explorer, but when I tried to open the file (even after naming iexplorer.exe) neither one worked.
I followed a comment above and searched under C:\Documents and Settings\Aaron\Local Settings\Application Data\
Here there was a folder named btandvlfm with a file inside called nqftdoctssd.exe. I wasn’t able to delete the file but I could rename it to get rid of the .exe.
Next I restarted my computer, pressing ctrl-alt-delete just as windows was loading. I organized running processes by computer % usage and found some weird exe file with random letters, so I closed that fast. I was then able to run Hijackthis and Malwarebytes. Malwarebytes found 12 processes, which I deleted. I then went back to the directory that I found and deleted the folder and file. I restarted my computer here as Malwarebytes wanted me to, and I think everything is now okay.
Thanks a lot to everyone who contributed to this page, it’s been a great help.
Thank You so much. This worked great!
Instead of downloading Hijackthis in Internet Explorer I ended up having to download it using Google Chrome to get it to work.
Thankyou for having this information available, it has fixed my computer….. 🙂
You’re legends!!
I just got it fixed and the o4 line was random letters.exe just delete all random ones! then to malwarebytes scan
my laptop got infected with this software , i was reading this post in my desktop ready to go through the step , in the same time i was scanning my laptop with Norton software .
and surprise surprise Norton was able to remove it.
good luck all
You can make your computer easier to work with by stopping the virus from running on startup.
Do this by:
1) Reboot your computer
2) As soon as you are able, click the start button
3) Press “run” (windows xp) or just use the default search area in vista/windows7
4) Type ‘msconfig’ and press enter
5) Once the window pops up click on the Startup tab
6) Untick anything that looks unfamiliar to prevent the virus from running on startup
7) Click apply and reboot your computer
I got this virus earlier today and the first thing I tried was HijackThis. Like others have been saying there was no sysguard.exe or that other one mentioned above. If you look through all the O4 ones even the technophobic (like myself) can approximately discern what’s legit and what isn’t. If it’s got names of actual programs you have on your computer (Adobe, AVG, etc.) you probably shouldn’t delete those. I did, however, find one entry with random letters.exe. It was only 1 and after I deleted it the icon disappeared and the infection popups stopped. Good luck to you all.
Hi, my system is having the same issue. The virus is not allowing me to run any exe. It just flashes and then closes, followed by a pop-up to buy the product. Tried to rename the Hijack file but it didn’t work. I have Vista OS.
Thanks,
Nick
Nick, boot your computer in Safe mode, then run HijackThis.
This website is so great, it’s helped me with so many of my problems and there’s no doubt in my mind that I’ll tell my family and friends to use this site if they’ve got a problem.
Malwarebytes is great! We got infected with the stupid Cleanup antivirus scam and NOTHING would remove it from the computer…McAfee was hosed..task manager completely useless…Spyware dr was blocked from running…so I tried malwarebytes and it found 780 infected items! It removed them all right away and now my computer is working perfectly again! Thanks Malwarebytes! I will recommend you to ANYONE with similar issues!
Oh man thanks so much, I’ll never take my poor pc for granted again! Was really panicked,but followed all the steps and read the comments for more perspective and so far it’s working like a dream, which is a miracle compared to how banjaxed it was all afternoon. It took patience, lots of tea, but it’s worth it. Once again thanks:)
I was able to close antivirus soft by, after an hour of opening task manager to stop the damn program, executing the scan in the virusware and quickly opening the manager and closing it that way in applications. It must have been slowed down to give me time to do this. But after that I just got the occasional opened Internet page. This guide was easy after that to get rid of the remaining infection without being told everything I did was a virus.
Thanks everyone, I followed these instructions and got rid of the virus immediately!
Like Sephora I had no sysguard.exe but I just googled any names I was concerned about!
Great advice! 🙂
That same virus is on my other comp and has made it so it won’t start up and get past the dell screen, making it so i can’t even press F8 to get into safe mode. Any help at all please?
help, use the steps above.