Antivirus Soft, also known as Antispyware Soft, is a new rogue antispyware program from the same family of malware as Antivirus Live. The program is distributed with the help of trojans. When the trojan is started, it downloads and installs Antivirus Soft onto your computer and configures it to run automatically when you log on to Windows.
When Antivirus Soft is started, it imitates a system scan and reports numerous infections that it will not fix unless you first purchase the program. All of these reported infections are fake and don’t actually exist on your computer, so you can safely ignore the scan results that Antivirus Soft gives you.
While Antivirus Soft is running, it blocks you from running any programs, as a way to scare you into thinking that your computer is infected with malware. The following warning is shown when you try to run Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Windows Security alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antvirus software now?
Last but not least, Antivirus Soft will hijack Internet Explorer so that it randomly shows a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. Of course, all of the above warnings and alerts are nothing more than a scam and, like the false scan results, should be ignored!
As you can see, Antivirus Soft is a scam designed with one purpose: to trick you into purchasing the so-called full version of the program. Do not be fooled into buying the software! Instead, follow the removal guide below to remove Antivirus Soft and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
Use the following instructions to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it to iexplore.exe, then click the Save button to save it to the desktop. If you can’t download the program, then you should repair the proxy settings of Internet Explorer. Run Internet Explorer and click Tools -> Internet Options. Select the Connections tab and click the LAN Settings button. Uncheck the “Use a proxy server” box. Click OK. Click Apply. Click OK.
Double-click iexplore.exe on your desktop to run HijackThis. The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKCU\..\Run: [udcqinjy] "C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe"
Note: the list of infected items may be different, but all of them have the “sysguard.exe” or “tssd.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
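The Step 1 check can also be run over a saved HijackThis log. The following is an added example, not part of the original guide: it flags the loopback proxy line and O4 Run entries whose executable sits one folder below the per-user local application data directory. It goes slightly beyond the note above by also marking such entries for manual review when the file name does not end in one of the names listed on this page. The function name, verdict labels and sample lines 2 and 5 are assumptions made for illustration.

```python
import re

# Executable name endings this page lists for the rogue.
KNOWN_SUFFIXES = ("sysguard.exe", "ftav.exe", "tssd.exe")

# "O4 - HKLM\..\Run: [value name] path"; also accept an en dash from web copies.
O4_RUN = re.compile(r"^O4\s*[-\u2013]\s*(HKLM|HKCU)\\\.\.\\Run:\s*\[([^\]]*)\]\s*(.+)$", re.I)
R1_PROXY = re.compile(r"^R1\s*[-\u2013]\s*.*Internet Settings,ProxyServer\s*=\s*(.+)$", re.I)
# An .exe sitting one folder below the per-user local application data directory.
APPDATA_EXE = re.compile(
    r"\\(?:Local Settings\\Application Data|AppData\\Local)\\[^\\]+\\[^\\]+\.exe$", re.I)


def triage(log_text):
    """Return (line_number, verdict, detail) for each line worth checking."""
    findings = []
    for number, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        proxy = R1_PROXY.match(line)
        if proxy and re.search(r"127\.0\.0\.1|localhost", proxy.group(1), re.I):
            findings.append((number, "loopback-proxy", proxy.group(1).strip()))
            continue
        run = O4_RUN.match(line)
        if not run:
            continue
        path = run.group(3).strip(' "\u201c\u201d')
        if not APPDATA_EXE.search(path):
            continue
        if path.lower().endswith(KNOWN_SUFFIXES):
            findings.append((number, "known-suffix", path))
        else:
            # Assumption: random-named autoruns here deserve a manual look only.
            findings.append((number, "review", path))
    return findings


# Constructed sample: lines 1, 3 and 4 follow the page, lines 2 and 5 are made up.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKCU\..\Run: [ExampleUpdater] C:\Users\Owner\AppData\Local\ExampleApp\update.exe
"""

if __name__ == "__main__":
    for number, verdict, detail in triage(SAMPLE_LOG):
        print(f"line {number}: {verdict}: {detail}")
```

A "review" verdict is not proof of infection, because legitimate per-user programs also start from this directory; compare the value name and folder against software you installed before fixing the entry.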
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Antivirus Soft infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivirus Soft removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps in: Malwarebytes won’t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Soft (Antispyware Soft) creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Soft (Antispyware Soft) creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
I got this virus about an hour ago, and I immediately got online and found this site.
Since I use Firefox (and really folks, it’s best to use something other than IE…Chrome, Opera, Mozilla, anything), I was able to surf. I downloaded Hijack this, renamed it iexplore.exe, did a search. I didn’t find any files that ended in sysguard or ftray or “av”, but I did see one file in the “O4” files that was just a bunch of random letters, so I checked that, and the “R1” file that had what looked like an IP address. After fixing those, I rebooted, and quickly did the ctrl+alt+del thing just in case that didn’t work. I figured I would at least have access to the task manager. But I don’t think I needed it since I didn’t see the icon on the task bar anymore, nor was I receiving the pop-ups.
However, I also downloaded malware bytes and did a scan. It found two trojans, so I quarantined, then deleted those. So I hope that’s all I have to do. Still, I’m going to continue to do a check for any lingering trojans, and download some free anti-virus software and beef up my Firefox security with some add-ons. You never can be safe enough.
Now I wish I could get my hands on the people responsible for this annoyance!!!
I just wanted to say thank you as this information was tremendously helpful. I used the hijackthis and malwarebytes software to eradicate the virus. There were two files, both gibberish letters, which I blew away in hijackthis. Then when Internet Explorer would not work, I used a restore point to get the whole thing working. It took me about five hours and two computers to get to this point, but it was worth it.
Thanks and Cheers,
Ian
I followed all the instructions above and ran Malwarebytes in safe mode, but when I go to normal mode, I am still having the same problem. Please help. I am out of patience.
Carolyn, open a new topic in our Spyware removal forum. I will help you.
This virus is ridiculous and the company should be shut down and fined for screwing up so many people’s computers! I became infected with it yesterday and tried “Try This”‘s method and it appears to have worked! Thanks and good luck to all of you!
A quick tip for Vista users at least:
When you first log in, it takes a bit for the Antivirus Soft (or, in my case, Antispyware Soft) to load up. Hit ctrl-alt-delete as soon as possible, and you can get up a task manager before the software has a say in it. Then you find something that looks like a random string under the processes menu, terminate that process and it will stop terminating your files for the duration of that boot-up. It made working to the directories and manually trashing these files much easier.
Oh, thank you guys so much for all your help. My laptop got hit a few hrs ago and I didn’t know what to do. I was almost tempted to purchase the thing. Luckily I found this website. Thanks again all.
Bee
Ok, few notes.. I will say this, though.. THANKS for the instructions!!
I ran into this issue about an hour or so ago. Took me a bit to find this site/page, but once I did, I pretty much had almost no problems. The two biggest issues I had was trying to figure out how to rename a file before I save it (I use FireFox). Once I figured that out via trial and error, I was able to run HijackThis fine.
The second issue I ran into was in Vista, you need to run it as Administrator. I didn’t know this until opening HijackThis. But I couldn’t completely end the HijackThis process. At all. So I ended up restarting. When the computer fired back up after the restart, I didn’t have any issues whatsoever with the AV Soft. But, I still ran HijackThis, didn’t find any odd ’04’ registries, so I closed that out and ran Malwarebytes. Only found 5 issues, and only 2 of them had ‘av’ in the filenames.
I ‘fixed’ those files and am about to restart the computer now.. Thanks again for the awesome info!! I have bookmarked this page!
Thank you!!! Very good instructions.
Thnx guys!! This helped me get rid of the virus!
Keep up the good work;)
Thank you for the instructions, they worked wonderfully. After I had removed the offending files, I ran a scan from Safety.live.com and it found the directory and additional items to be removed.
Hi, I’m having a problem renaming hijackthis to iexplorer.exe. I use Firefox and when I click on the link provided above for hijackthis it only allows me to hit save or cancel to open it, no opportunity to change the name. Also when I do hit save, nothing seems to happen. Unfortunately I don’t have Jeremy’s trial and error skills. I’d love some help…this antivirus soft is laaame.
Thank you!
Thanks a lot,
You really saved my day…
Thanks for the post and everyone’s comments. I followed the instructions and deleted:
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
as well as two files ending in nuosttltssd.exe.
So far so good, have just downloaded Malwarebytes and am doing a system scan.
Thanks. You have saved me from trouble and spending money on vendors to have this cleaned.
Thank you, this guide worked perfectly along with all the helpful comments
How do I rename HijackThis in Vista? When I clicked the “here” link, the only thing I can press is save or cancel. I clicked save, then the download window opens. When I right-clicked it, it only gave me the options to open, open containing folder, copy download link, select all and remove from list. Please help 🙁
OK, so from the other posts above I figured out my problem, but now I have a new one. I can’t get into the Internet Options in Internet Explorer. I clicked Tools -> Internet Options but nothing happens.
My computer was infected an hr ago. I just restarted my computer then quickly went into system restore before all the programmes had a chance to download, then simply brought it back a month. It seems fine now.
I hope this helps.
Simple and effective. Fixed my parents’ computer in short order. Bless you, dear writer.
Thanks guys!! Followed the steps and my norton cleared it out.
Courtney, to open a Save dialog in Firefox you need to right-click the download link and select the “Save Link As” option.
After 2 crazy days of fighting this AWFUL, SHIT virus, after using all possible antivirus (malwarebytes, stopzilla, hijack, kill it, etc. etc.), starting in safe mode, etc. I found out that the only thing that works and VERY SIMPLY:
1. Restart
2. act quickly and click on start menu, accessories
3. click on system tools
4. click on system restore
5. restore to a date prior to virus infestation. (i used a week earlier to be sure)
6. restore system
7. restart
And all was miraculously working as before.
Hope it helps.
THANK YOU THANK YOU THANK YOU!!! It worked!! I followed the directions and it worked perfectly!! But like the guy below me said, they have changed it from sysguard.exe to random letters. I just had to look closely at all of my files to see which one looked crazy. My file ended in tpavskvtssd.exe…. I run Firefox so I wasn’t able to change the name.
Ian, rename HijackThis after downloading to iexplore.
Hi.
My Dad’s computer recently had this virus. I found it under a different name though, which was ‘MCXKFQBTSSD.exe’. Hidden in a few places in sys folders: C:\WINDOWS\Prefetch, Application Data (C:\documents and settings\[USER NAME]\Local Settings\Application Data\ifhjuveey) (I don’t know whether or not the ‘ifhjuveey’ was selective to this computer). Also in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\Run for startup.
I deleted the files in Safe Mode and then ran an anti-virus check just to make sure all was gone.
Good luck removing this virus to whoever has it.
Thanks
The uninstall instructions for this crappy “antivirus soft” worked. Thank you. I wish I could meet these punks who have far too much time on their hands. I’d like to give them an incurable virus! Thank you for helping us out. Now, the question…how do I keep this crap off my computer? I have Crap Cleaner, Malwarebytes Anti-Malware and MS Security Essentials. I still got the spyware. Should I use Norton or something similar to keep this off my computer…thoughts?
I could kiss you guys!
Dear god that virus was a pain. Think I got it now though, running my Malwarebytes scan now.
If you have trouble with this, follow this guide to the letter, it works.
Only thing I’d say is my Hijackthis scan didn’t return anything like what is suggested. Mine returned only one O4 that looked suspicious, it was *pathway*/{random}/{random}
Thanks again!
Jim, instead of MS Security Essentials, try using Norton AV or Kaspersky AV. You can also try the following good free antivirus programs: AVG, Avast, Avira.
I would remind Firefox users that you can save the file as is, then re-name it. Be sure to set your browser to download the file to the Desktop, though.