Do you have pop-ups or your computer infected with trojan or spyware ? Learn how to ask us for help, click here!

How to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)

Antivirus Soft also known as Antispyware Soft is a new rogue antispyware program from the same family of malware as Antivirus Live. The program is distributed with the help of trojans. When the trojan is started, it will download and install Antivirus Soft onto your computer and configure it to run automatically when you logon to Windows.

When Antivirus Soft is started, it will imitate a system scan and detect a lot of various infections that will not be fixed unless you first purchase the program. Important to know, all of these reported infections are fake and don’t actually exist on your computer! So you can safely ignore the scan results that Antivirus Soft gives you.

While Antivirus Soft is running, it will block the ability to run any programs as a method to scare you into thinking that your computer is infected with malware. The following warning will be shown when you try to run the Notepad:

Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.

What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:

Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.

Windows Security alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antvirus software now?

Last but not least, Antivirus Soft will hijack Internet Explorer so that it will randomly show a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. Of course, all of above warnings and alerts nothing more but a scam and like false scan results should be ignored!

As you can see, Antivirus Soft is a scam that designed with one purpose to trick you into purchasing so-called full version of the program. Do not be fooled into buying the software! Instead of doing so, follow the removal guide below in order to remove Antivirus Soft and any associated malware from your computer for free.

Symptoms in a HijackThis Log

O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe

Use the following instructions to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)

Step 1.

Download HijackThis from here, but before saving HijackThis.exe, rename it first to iexplore.exe and click Save button to save it to desktop. If you can`t download the program, the you should repair the proxy settings of Internet Explorer. Run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK. Click Apply. Click OK.

Doubleclick on the iexplore.exe on your desktop for run HijackThis. HijackThis main menu opens.

Click “Do a system scan only” button. Look for lines that looks like:

R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 – HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [vcspymsv] “C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe
O4 – HKCU\..\Run: [udcqinjy] “C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe

Note: list of infected items may be different, but all of them have “sysguard.exe” or “tssd.exe” string in a right side and “O4″ in a left side.

Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.

Step 2.

Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.

Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded you will see window similar to the one below.

malwarebytes-antimalware1
Malwarebytes Anti-Malware Window

Select Perform Quick Scan, then click Scan, it will start scanning your computer for Antivirus Soft infection. This procedure can take some time, so please be patient.

When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar as shown below. Note: list of infected items may be different than what is shown in the image below.


Malwarebytes Anti-malware, list of infected items

Make sure that everything is checked, and click Remove Selected for start Antivirus Soft removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

Note 1: if you can not download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won`t install, run or update – How to fix it.

Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.

Note 3: your current antispyware and antivirus software let the infection through ? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.

Antivirus Soft (Antispyware Soft) creates the following files and folders

%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe

Antivirus Soft (Antispyware Soft) creates the following registry keys and values

HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]

January 30, 2010 on 11:21 am | In Malware removal, Rogue Anti Spyware | 483 Comments |


483 Comments »

RSS feed for comments on this post.

  1. Just wanted to drop a note here… I got infected with this Antivirus Soft trojan and went through a nightmare trying to get rid of it. In the end, the only thing that worked was HijackThis. MBAM didn’t even find it.

    BUT… for future readers, they’ve apparently gotten smarter since you posted this because they changed the filenames from sysguard.exe to some random filename like csxytib.exe. I found four entries in the HijackThis list with random letters in the O4-….[random]….(random).exe.

    Since the letters in the brackets seemed random, and a google search on all four filenames returned no results, I figured it couldn’t be a legitimate entry. If it were, somewhere on *some* page on the entire internet, there would be a reference to it.

    And when it comes right down to it, the trojan had turned my desktop into a boat anchor anyway, so how much worse could I hurt it by removing these?

    I checked those 4 file entries (as well as one entry that looked just like the one you noted above that begins with R1) and the problem went away.

    A clean reboot, and all was well. Thank goodness!!!

    I just wanted to share the fact that the “designers” of this trojan have changed the filename in those O4 entries to random letters, just in case anyone else ends up with this stupid thing too.

    Thanks.

    Comment by Twintrbl — February 1, 2010 #

  2. Thank you very much for your help, I was so lost til I found this page, my computer runs much better and antivirus soft is gone, when I ran Highjack software I checked all the box’s I assumed that was the right thing to do, whether it was or not it did the trick..Thank you again

    Comment by Ryan — February 3, 2010 #

  3. This scamware was a major pain!
    Nowhere was the ????sysguard.exe to be found.
    So I renamed files that were created about the time of the infection in the C:\Documents and Settings\user\Local Settings\Application Data diredtory. Bingo! Errors in the scamware started occuring.
    Now I had the name of the directory and file name the rest was hijackthis and spybotSd!
    But the clencher was that the information I needed to know was in the post by Twintrbl!
    I will read all the posts! I will read all the posts! I will read all the posts!
    Thanks everyone :)

    Comment by R. Frank — February 3, 2010 #

  4. When I got this virus it didn’t have the sysgaurd name on it’s executable file either. I learned that the program took a lot of memory and sorted my processes by memory and then googled the highest one’s until one didn’t have any hits. It started with “hybysf” and once I stopped that file suddenly my real antivirus program could find a virus when I scanned. I hope this helps the next poor soul.

    Comment by Althea — February 3, 2010 #

  5. Just wanted to say this guide was a huge help!! I did a scan for my processes and the culprit in my case was mspfsftav.exe.

    Comment by Matthew — February 4, 2010 #

  6. I can’t run any of the anti spy programs and I can’t access the task manager. I’m at a loss here.

    Comment by Prince — February 4, 2010 #

  7. Prince, read first step above, you need download HijackThis and rename it in Save dialog to iexplore.exe <= most important!

    Comment by Patrik — February 5, 2010 #

  8. Prince you must right click on the download HijackThis from here. Where the here is highlighted, then rename in iexplore.exe, then you will be able to open it.

    Comment by Ant — February 5, 2010 #

  9. Hey guys I need help when I open the iexplore.exe
    I found the first line R1… but I cant find these

    O4 – HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
    O4 – HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
    O4 – HKCU\..\Run: [vcspymsv] “C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe”
    O4 – HKCU\..\Run: [udcqinjy] “C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe“

    Comment by Pearl — February 5, 2010 #

  10. Pearl, you should fix O4 lines that have sysguard.exe or ftav.exe right part or ask for help in our Spyware removal forum.

    Comment by Patrik — February 5, 2010 #

  11. This is a great post. I thank you for all your help.

    Comment by John P — February 5, 2010 #

  12. How do I fix them? and thanks for the reply :]

    Comment by Pearl — February 5, 2010 #

  13. I went to check again and I cant see the 04 lines with sysguard.exe or ftav.exe

    Comment by Pearl — February 5, 2010 #

  14. Okay, I cannot download anything or access anything. It says to follow these instuctions but I am accessing this site from my desktop and my laptop (which is infected) will not allow my to download or access anything. Can anybody help me please?

    Comment by Pat — February 5, 2010 #

  15. OMG…this is way out of my capibilities…I have this stupid thing and I know I couldn’t do the above..I am computer challanged….I’m thinking about taking it into the shop…on husband’s computer now and almost afraid to look up anothing on the virus for fear of infecting his too….

    Comment by Judi — February 5, 2010 #

  16. Pearl, you should select lines that have sysguard.exe or ftav.exe right part and click Fix checked button.

    Comment by Patrik — February 6, 2010 #

  17. Pearl, then open a new topic in our Spyware removal forum. Don`t forget to include your HijackThis log.

    Comment by Patrik — February 6, 2010 #

  18. Pat, you have “fixed” proxy settings as i posted above ?

    Comment by Patrik — February 6, 2010 #

  19. There are not a lot of locations on the internet dealing with this particular attack…at least that I could find. The information here was spot on, and I REALLY appreciate everyone’s input. It worked, and that’s the key.

    Thank you.

    Comment by Evan — February 6, 2010 #

  20. I could only find one ftav.exe file. Is that the only one I check? I could not find any other sysguard or ftav ones in the O4 section.

    I also found a lot of R1 though. Am I supposed to only check R1 – HKCU or all of R1?

    Comment by Eve — February 6, 2010 #

  21. Need a little help here. I’ve downloaded Hijack this, but when I try to open it, the agreement flickers up for a moment and then Antivirus Soft closes it and tells me it’s infected and I am not allowed to open it.

    Getting a little frustrated — please advise.

    Comment by Schuler — February 6, 2010 #

  22. I could only find one ftav.exe file. Is that the only one I check? I could not find any other sysguard or ftav ones in the O4 section.

    Ys, fix only the one line. Its ok.

    I also found a lot of R1 though. Am I supposed to only check R1 – HKCU or all of R1?

    Fix only “R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555″

    Comment by Patrik — February 7, 2010 #

  23. Schuler, you need rename HijackThis.exe before running.

    Comment by Patrik — February 7, 2010 #

  24. I did rename the file, that’s what’s been bothering me.

    I’m also having IE automatically opened and run to multiple pornographic and ED related websites which is weird considering I am not an IE user and was not using IE when this thing downloaded itself.

    Comment by Schuler — February 7, 2010 #

  25. THANK YOU!!!!!!

    My computer is back to normal! Follow this procedure EXACTLY and you will have no trouble understanding/removing \ANTIVIRUS SOFT\!

    (The first comment was also very helpful) If you’re unsure what to place a check mark next to, simply Google it.

    Comment by Scott — February 7, 2010 #

  26. very helpful info! thanks!

    Comment by Scottie Talent — February 7, 2010 #

  27. GREAT POST…I thank you for all your help!!!!

    I found only two entries in the HijackThis list O4-….[random]….(random)ftav.exe.. removed both the entries…restarted…and BINGO…my laptop is back to normal…Can’t thanks you guys enough…God Bless you!!!!!

    Comment by Sanjeev Thakur — February 7, 2010 #

  28. So I think i got all the files that are HKLM and and HKCU but i opened up the Hijack This scan again just to make sure and there’s a bunch of files that are like 02 BHO: (no name) with a string of letters and numbers, than at the end it says (no file) should I delete those too?

    Comment by Max — February 7, 2010 #

  29. at the end it says (no file) should I delete those too

    Yes, you can fix them too.

    Comment by Patrik — February 7, 2010 #

  30. I have a quick question. I did the fix a few days ago and it worked, but then just last night this stupid program found itself back onto my computer. Do I need to keep doing this forever?

    Comment by Gabbs — February 7, 2010 #

  31. Eventually had to remove my hard drive and follow these directions on a completely separate computer.

    Not fun but it did work.

    Comment by Schuler — February 7, 2010 #

  32. I found this an easy one to get rid of, but I cant prevent it from returning. So whats causing it to get back into my /temp folder a few times a week? Cant find any trojans on my system. and it seems to get installed after visiting myspace.
    and yes the .exe is most always a random name.
    hit me up (reaper at pimpmymob.com)

    Comment by Leonard — February 7, 2010 #

  33. I would like to extend my gratitude to this website and all the people involved for their invaluable help in removing Antivirus Soft. I have extremely limited knowledge of anything like this, but with your help, was able to follow the step by step instructions…PHEW!!!!! Many many thanks. Tom

    Comment by Tom Dignam — February 7, 2010 #

  34. I was able to find 2 of the O4 files ending in ftav.exe, but did not have the R1 file like the one stated above. I removed the 2 ftav.exe files but the antivirus soft keeps coming back. Someone help me please! I have to pay bills on my computer and can’t until I can get rid of this.

    Comment by Sarah — February 8, 2010 #

  35. I’m having the same problem as Schuler. I’ve renamed HijackThis and it still shuts it down immediately when I open.

    Comment by Thomas — February 8, 2010 #

  36. This is as good as information gets! HijackThis file along with the registry info helped me repair my laptop. Again, “MBAM didn’t even find it.” THANK YOU!!!

    Comment by Gman — February 8, 2010 #

  37. Gabbs, probably your have infected with a trojan that reinstalled the rogue. Ask for help in our Spyware removal forum.

    Comment by Patrik — February 8, 2010 #

  38. Leonard, open a new topic in our Spyware removal forum.

    Comment by Patrik — February 8, 2010 #

  39. You can run this procedure using “Safe Mode with Network Support.” The only issue was that I couldn’t update the malwarebytes definitions, but was able to run hijackthis and run the scan. Cleaned most of it out. Then, upon rebooting, updated the malwarebytes definitions and running the scan, again. Finding a few straggler objects.

    Thanks for the procedure!

    Comment by Jonathan — February 8, 2010 #

  40. Hey! I got this virus. But problem is I dont know how to take it off. :( I downloaded micro hijack. im looking at the list but dont know wat to check. :( please help this is the thing that shows
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:13:38 PM, on 2/8/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Normal


    End of file – 17091 bytes

    Comment by Jose — February 8, 2010 #

  41. I have read ALL the comments posted in this thread. I can’t get hijackthis to work. even after renaming it. My task manager, the
    un section and anything I download is disabled. Comes back saying it can not be opened because it is infected. then askes if i would like to download the antivirus software.i as well have tried the pskill stuff. it will not let me download the new link that was made to bypass this virus. SOMEONE PLEASE HELP?!?!

    Comment by Bay — February 9, 2010 #

  42. Soo…if the sysguard.exe files don’t show up after the scan, is it possible they have a different name?

    Comment by naomi — February 9, 2010 #

  43. Ok. So I installed hijackthis but I can get passed where you accept the terms of use or whatever. It closes right when I get there.

    Comment by lovely — February 9, 2010 #

  44. Jose, fix also the following line:
    O4 - HKCU\..\Run: [yjgwvhwq] C:\Users\Lino\AppData\Local\hmfkew\mxyqsftav.exe

    Comment by Patrik — February 10, 2010 #

  45. How can I download this stuff when I can not open browser – it just directs me to the AV Soft website.

    Comment by Mike — February 10, 2010 #

  46. Bay, if after renaming HijackThis to iexplore.exe (in Save dialog), HijackThis won`t run, try re-download it, but rename to userinit.exe, or winlogon.exe, or explorer.exe.

    Comment by Patrik — February 10, 2010 #

  47. naomi, yes look also for files that have “ftav.exe” at right.

    Comment by Patrik — February 10, 2010 #

  48. Mike, uncheck “Use a proxy server” box in Internet Explorer proxy settings.

    Comment by Patrik — February 10, 2010 #

  49. I am another one having trouble.

    I am in safemode, and got Trend Micro HijackThis open, with the list up.

    I cannot find any of the sysguard or ftav files…what else should I be looking for?

    Thanks in advance

    Comment by Justin — February 10, 2010 #

  50. Has anyone run into an instance where MalwareBytes will be scanning and the computer shuts down? I haven’t found anything saying that this virus will do that, but the “window” that pops up says Antivirus Soft. I’m fighting and fighting to get rid of this thing, but I can’t help but wonder if I’m not trying to remove the correct thing. I haven’t tried the hijackthis thing, (I was following removal instructions from another website) and am about to do so. But I wanted to ask ahead of time, so that if this doesn’t work, I could hope to look forward to an answer instead of getting frustrated.

    Comment by Anna — February 10, 2010 #

  51. I think that I was able to get rid of the virus following the advice listed here. Time will tell. I would like to add, that if someone pays close attention to the startup tab in msconfig, they can start to disable the virus there. I started my machine in safe mode, and went into the startup tab and noticed 4 entries that didn’t look “right” and I had never seen before. I disabled them on start up and was able to run hijackthis (after renaming it) with no problems. Thanks to everyone for their help.

    Comment by Anna — February 10, 2010 #

  52. What if I did all of these steps, yet when it came to the Malware scanning for threats nothing showed up? No Trojan or any other type of “threat” was found. What should I do then if I still have an Antivirus Soft problem yet malware is not detecting it?

    Comment by Arielle — February 10, 2010 #

  53. Hey! Thank you so much for this! Yeah, they changed a LOT. I clicked all of the random files I saw in Hijack this. I didn’t see any of the ones listed above. This stupid virus is HORRIBLE.

    Comment by Ashley — February 11, 2010 #

  54. Justin and Anna, ask for help in our Spyware removal forum.

    Comment by Patrik — February 11, 2010 #

  55. Thanks for the advice on removing antivirus soft. I got rid of it using highjack and malwarebytes, however, after changing my prxy settings in internet options, I no longer can use options and they dissapeared in my control panel. Can someone tell me how to get them back? Thanks Mike

    Comment by mike — February 11, 2010 #

  56. Mike, Click Start, Run.
    Type regedit and press Enter.
    Registry editor opens.
    Navigate to the following keys by expanding the + at left of each key at left:
    HKEY_CURRENT_USER
    Software
    Policies
    Microsoft
    Internet Explorer
    Control panel

    In right part of window, right click to Proxy and select Delete.
    Close registry editor.
    Run Internet Explorer and try enable/disable proxy.

    Comment by Patrik — February 11, 2010 #

  57. I don’t understand how I’m supposed to do any of this when my computer has been totally hijacked. It wont even let me open the control panel! HELP PLEASE!!

    Comment by Bridget — February 11, 2010 #

  58. Thanks Patrick, I got all the way to control panel but there is no proxy. My screen came up REG SZ value not set and Home page REG [0x00000000[0]. Any more help is appreciated. Mike

    Comment by mike — February 11, 2010 #

  59. Bridget, if you can`t download HijackThis, then use another computer to downloading it, then move it to infected pc using a flash or cd disk.

    Comment by Patrik — February 11, 2010 #

  60. Mike, remove “control panel” key from “Internet Explorer” key.

    Comment by Patrik — February 11, 2010 #

  61. Oh waw, this is very neat! thanks a bunch for the big help. I was watching some movies at watchmoviesonline when suddenly a strange AV appeared. So shocked, confused, panic and frustrated at first. thanks for this good instructions!

    Comment by Jacques — February 12, 2010 #

  62. Just received this on my computer, but I’m running with Firefox, not IE. What should I do to remove??

    Comment by jist — February 12, 2010 #

  63. I had antivirus soft infect my computer last thursday. I turned my computer off and didn’t do anything with it for a week. When I turned it back on, all of the antivirus soft symptoms and annoyances seemed to be gone. I have run hijackthis and malware bytes, and neither of them found anything. However, my computer keeps freezing, invariably every 3 to 15 minutes or so after I turn it on, no matter what I am doing. Does anyone know if the freezing could be linked to antivirus soft?

    Comment by Lauren — February 12, 2010 #

  64. I am so distressed at having this on my laptop. I can’t even get to a website on internet explorer on my laptop. I tried to uncheck the Proxy Settings on internet explorer, but it wouldn’t work. The Apply button wouldn’t show up and I still can’t access a website. I tried to download Hijack via Mozilla, but it won’t let me rename it. Someone please help!!

    Comment by Elizabeth — February 13, 2010 #

  65. jist, follow above steps.

    Comment by Patrik — February 13, 2010 #

  66. Lauren, open a new topic in our Spyware removal forum, i will check your PC.

    Comment by Patrik — February 13, 2010 #

  67. Elizabeth, download HijckThis using Mozilla. Once loaded, right click it and select rename, type iexplore and press Enter. Run it.

    Comment by Patrik — February 13, 2010 #

  68. Thanks Patrik! I ended up figuring out a way to bypass the internet explorer problem. In order to get the Apply button to work, I changed settings under the General tab of Internet Options to “trick” it into allowing me to Apply the Proxy changes. However, I had to redo this each time I clicked a link on internet explorer. It worked, but just took a lot of time.

    Just wanted to say thanks so much for all the help! This is coming from someone who has had minimal experience with computers, but I followed the directions precisely and seem to have gotten rid of the virus. Time will tell!

    Comment by Elizabeth — February 13, 2010 #

  69. I just deleted everything with a 04 by it!! And so far so good!! Thanks

    Comment by Diggz — February 13, 2010 #

  70. This was a nightmare. I think I’m fixed but we will see. I couldn’t get malware to run at first but I did get Hijack This to run after renaming it. After that I had two programs to check/delete. After that I could run Malware and my system is coming up clean. I’ll be back if this didn’t work. ;) Thanks

    Comment by jane — February 14, 2010 #

  71. I have this problem on my laptop and I can not log in how do I get this progam on it to remove the problem
    if I coln the drive out side drive and plug it in a computer can I run this progam or norton to get ride of this
    thank

    Comment by lewis — February 14, 2010 #

  72. I just got infected with this virus tonight and even though I followed the instructions, Malwarebytes didn’t find jack.
    (But maybe that’s because it was already installed on my system WEEKS ago… I don’t know.)

    It’s like what Twintrbl (the guy below me) said. They’ve UPDATED this virus but my two entries (in hijackthis) had “ftav.exe“ on the end so be sure to check for those!
    Also be sure to google any .exe file with random letters as the file name. If google turns up nothing, it’s most likely not a real program extension.

    Comment by NoirRaven — February 15, 2010 #

  73. lewis, you can`t login to windows in all modes (Safe mode and Normal mode) ?

    Comment by Patrik — February 15, 2010 #

  74. I got this annoying Antivirus Soft programme on my laptop just now and it’s pretty shocking to me!

    Followed the steps outlined and I’m finally back into business!!! If there are any problems that arise, I may have to look into it. Thanks!

    Comment by Simon — February 15, 2010 #

  75. I followed the directions. I used a jump drive to get the programs to my laptop and ran them while in safe mode. I got rid of the programs this listed to with HijackThis. When I ran malwarebytes, nothing showed up. I restarted my computer, this time in normal mode, and it’s still there.

    Comment by Mint — February 15, 2010 #

  76. I rebooted my laptop again, this time in safe mode, and I ran HijackThis again. There is one 04 file.
    “O4-HKLM\…\RUN: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup”
    I’m sure I got rid of every single one the first time, so what caused this to come back, and how can I fix it?

    Comment by Mint — February 15, 2010 #

  77. This worked great – thanks so much! I’m all right with computers but I’m no whiz and I was at a loss – none of my scans would find it. HijackThis worked great, though.

    Comment by Flute — February 16, 2010 #

  78. —-Everyone try this!!!!!—

    As soon as your computer starts hit ctrl+alt+delete and get into your proccesses! If you do it at the earliest possible moment you should be able to beat startup on antivirus soft. You can then find the virus and turn it off, giving you complete freedom to download, install and run whatever to get rid of it.

    Comment by Collin — February 16, 2010 #

  79. Mint, the line is ok, don`t remove it.

    Comment by Patrik — February 16, 2010 #

  80. Hi, I’m trying to remove the virus and have downloaded HiJack This. I’m just wondering which 04 files I’m supposed to delete? All of them?

    Comment by jana — February 16, 2010 #

  81. Jana, if you unsure, then ask for help in our Spyware removal forum.

    Comment by Patrik — February 16, 2010 #

  82. Followed the instructions and it worked perfect!!! Thanks

    Comment by Michael H — February 16, 2010 #

  83. Thanks for the incredibly helpful advice; I was able to clean my dad’s computer off and all is working well.

    This will show my ignorance, but I was wondering if the virus might have transferred itself to our extended drives (external hard drive connected to desktop that was infected, Ipod, flash drive). Should I scan those as well? I disconnected them once I realized we’d gotten this virus.

    Comment by Jenni — February 16, 2010 #

  84. I got rid of this little bugger as follows:

    1. Found a randomly named folder in the C:\Documents and Settings\user\Local Settings\Application Data directory that was created about the time the infection kicked in.

    2. Opened the folder and renamed the executable file (which ended with -”ftav”).

    3. Restarted my computer.

    4. At this point, because the executable was not initiated, I was able to use HijackThis and Malwarebytes to clean things up.

    5. So far, so good. Thanks for the good advice!

    Comment by Al — February 16, 2010 #

  85. Just removed this from a clients computer a couple days ago. Ive removed this before though, but one thing to know, this form of malware connects you to a private VNC(virtual network connection) so safe-mode with networking isnt a good idea like some articles mention. Samem with malware scans because your connected to someones server and they still have network access to block or compromise your AV’s. So scan in safe mode. Or the best way

    Safe mode-> Regedit-> use the above mentioned Reg key areas, but the programs name will be all different names like ftav, tfav, or randomnumbersandlettersav, but “av” is always there so its not hard to spot.

    After you remove the keys, install, update and scan with malwarebytes, then subsequently asquared to assure there are no leftover executables or reg keys leftover

    Comment by h4x0r — February 16, 2010 #

  86. Step one worked perfectly to get rid of it. I’m doing step two to make sure I’ve got no other issues here that I didn’t know about.
    For HiJack This, I just marked the ones in R1 and O4 that had names I didn’t recognize, and it worked.

    Comment by Natasha — February 16, 2010 #

  87. Here’s what worked for me:

    After Windows boots up, press Ctrl+Alt+Delete. Click on the “processes” tab and then click the “Mem Usage” tab to sort them from highest to lowest. You will likely have a .exe file near the top of your list (mine was called brwjsftav.exe). I searched this file on Google and found no record of it, so I knew something was up. I selected this file and ended the process and then the pop-ups finally stopped. I now knew that I was onto something. I then ran Hijack This and found this file under the O4- listings. I deleted the file and restarted. Problem solved.

    Comment by Ryan — February 17, 2010 #

  88. I ran the Malwarebytes program and it did not detect any files ..

    Though i did run the HiJackthis program and checked off the files that were suspicious and all the pop-ups stopped coming out.

    I restarted my laptop and still, nothing is popping out, no virus threats but i can’t help to think that i still have it on my laptop.

    What should I do ?

    Comment by Jimmy — February 17, 2010 #

  89. Jenni, no, only if the malware was installed with an other trojan. Attach the drive to a computer. Don`t open the disk, run an antivirus and check it.

    Comment by Patrik — February 17, 2010 #

  90. Jimmy, looks like your PC is clean. Also you can scan your computer with an online anti-virus scanner.

    Comment by Patrik — February 17, 2010 #

  91. I had the problem too, but its now sorted out.

    Instructions to remove.

    Press Ctrl+Alt+Delete when your almost in the desktop (If you press too late task manager will not open).

    In task manager look at the processes, google
    them in firefox anything that doesnt show up in google is the one to close.

    I had process kboqsftav.exe running which I googled & no results were shown. I chose to close
    it.

    Then I installed Hijackthis, I ran scan & removed files given in original post(Thanks).

    O4 – HKLM..Run: [RANDOM] %UserProfile%Local SettingsApplication Data[RANDOM][RANDOM]sysguard.exe

    O4 – HKCU..Run: [RANDOM] %UserProfile%Local SettingsApplication Data[RANDOM][RANDOM]sysguard.exe

    O4 – HKLM..Run: [RANDOM] %UserProfile%Local SettingsApplication Data[RANDOM][RANDOM]ftav.exe

    O4 – HKCU..Run: [RANDOM] %UserProfile%Local SettingsApplication Data[RANDOM][RANDOM]ftav.exe

    Mine were named slightly different but
    was easy to figure out!

    Remove them & you should be back to normal.

    Robert Pires

    Comment by Robert Pires — February 17, 2010 #

  92. If you can’t get Hijack this to work, you can try to use a program called Rkill ( I got it from Bleepingcomputer.com). It will automatically stop the processes of this vicious Malware, so you can run Malwarebytes. Here is the link:http://download.bleepingcomputer.com/grinler/rkill.exe.

    Good luck all, this one really sucked to get rid of.

    Comment by Anthony Nelson — February 17, 2010 #

  93. This forum was a lifesaver. When I did the scan the file was called vwhrsftav.exe.

    Best of luck to anyone needing to read this. Don’t give up though – it is entirely possible to beat this virus.

    Comment by wsal — February 17, 2010 #

  94. Thank you so much guys!

    It worked perfectly!

    Comment by Gato — February 17, 2010 #

  95. I have a whole list of stuff an don’t know which to delete. I don’t want to delete something I need

    Comment by Sissy — February 17, 2010 #

  96. Am I gonna mess up my comp too much if I delete something I shouldn’t

    Comment by Sissy — February 18, 2010 #

  97. Hey everyone I really tried to use this guide and it didn’t work. I don’t know what I am doing, really and I don’t really know anyone who knows anything to help me anyway. :(

    This is driving me insane. Doesn’t help I have anxiety problems as it is.

    I tried to delete the files that look odd even by googling what I didn’t know. It didn’t work. And it’s getting worse.

    Comment by Noraye — February 18, 2010 #

  98. BEST SOLUTION LOG OFF YOUR CPU THEN LOG BACK IN IMMEDIATELY PRESS Ctrl+Alt+Delete. Click on the “processes” tab and then click the “Mem Usage” tab to sort them from highest to lowest. You will likely have a .exe file near the top of your list everyone will prob be different. I searched this file on Google and found no record of it, so I knew something was up. I selected this file and ended the process and then the pop-ups finally stopped. I now knew that I was onto something. I then ran Hijack This and found this file under the O4- listings. I deleted the file and restarted. Problem solved.

    MY RESULTS MIXED WITH “RYAN’S”

    Comment by ilkan — February 18, 2010 #

  99. >>> After Windows boots up, press Ctrl+Alt+Delete. Click on the “processes” tab and then click the “Mem Usage” tab to sort them from highest to lowest. You will likely have a .exe file near the top of your list (mine was called brwjsftav.exe)….I selected this file and ended the process and then the pop-ups finally stopped…I then ran Hijack This and found this file under the O4- listings.

    This procedure worked for me. Only difference was that I had to disable the proxy setting in IE to get Net access back. Thanks, Ryan!

    Comment by Joe — February 18, 2010 #

  100. Thanks for your help. Excellent feed back. All is working well. Getting use to this fix, recently had to remove security 2010 last month.

    Comment by David Coupe — February 19, 2010 #

  101. None of the listed files show up during the scan.

    Comment by jbaer — February 19, 2010 #

  102. Sissy, if you unsure, ask for help in our Spyware removal forum.

    Comment by Patrik — February 19, 2010 #

  103. Noraye, please open a new topic in our Spyware removal forum. I will help you.

    Comment by Patrik — February 19, 2010 #

  104. If you can’t dowload go to the task maanger as soon as you boot (before the virus has a chance to activate) and hit ALT+CTRL+DELETE and go to process and look for any process that ends with either FSTAV.exe or Sysguard.exe and end the process. This will allow the computer to work as normal so you can download and run the applications.

    Comment by Adler — February 19, 2010 #

  105. Thanks for all the help, and all the comments were very helpful. Lets hope this one doesn’t come back :)

    Comment by Misery — February 19, 2010 #

  106. I went in to safe mode and did a system restore to the previous day ad thats all it took, no more popups…. but is the malware still hiding on my system??

    Comment by Bob — February 19, 2010 #

  107. 13 days later AntiVirus Soft came right back. I’ve been running on a limited Windows account since I first removed the little bugger which I’d hoped would prevent unauthorized installations.

    Guess I was wrong.

    Any thoughts?

    Comment by Schuler — February 19, 2010 #

  108. Bob, anyway download Malwarebytes Anti-malware and perform a scan.

    Comment by Patrik — February 20, 2010 #

  109. I love you I love you I love you!

    ONLY this page saved me

    Comment by Terry — February 20, 2010 #

  110. thanks man hijack worked! Unfortunately, malwarebytes didn’t find it and I been had it downloaded before I downloaded hijack. I’m just glad my computer works again thanks!

    Comment by Whatzup — February 21, 2010 #

  111. This program had taken over my computer so bad that I couldn’t get to the the hijack this website (i couldn’t get to any web site) so I used a different computer and saved it on a USB Drive in order to run it on my laptop with the malware. I ran the Hijack this and deleted all the files I thought might be it. Luckily I deleted enough of it that I was able to get to the malware bytes website and download it and that was able to find the rest of it. Only two day later windows wouldn’t load at all, all i was getting was a blue screen. I used my reinstall disc and it was able to repair the windows that I had on the computer and it saved everything and it has been working fine for about 2 weeks.

    Comment by TBird — February 23, 2010 #

  112. If your system allows a “System Restore” feature to return your computer to an earlier operating state, then this is an easy fix. This worked for me. Just choose an earlier date than the date you got this annoying virus and follow the instructions and you’re done. You may have to select this feature from safe mode because in regular mode this virus won’t let you get there. But in safe mode you can do a system restore. To get to safe mode keep tapping F8 as your computer is starting up. To whoever came up with this virus, may I say to you — you are scum!

    Comment by Try this — February 24, 2010 #

  113. Thanks for your input everyone! I used Ryan’s advice (Feb 17) and it worked perfectly for me. I highly recommend trying that strategy. I can’t help but wonder how many people have fell for the scam and bought anti-virus soft? Too many I’m guessing. Education is the best defense against the losers who create this mess. A big THANK YOU and CHEERS to the developers of this site and all those who have contributed on this forum.

    Comment by Tyler — February 25, 2010 #

  114. I’ve been able to get rid of this mostly. Malwarebytes doesn’t find anything in a scan, and I don’t receive any pop-ups, but when I run HiJack there are still two entries that show up that end with the ftav.exe. I check them and try and “fix” them, but they still remain.

    Any ideas?

    Comment by Corey — February 25, 2010 #

  115. Corey, probably a trojan reinstalls it every time when you booting your PC. Please open a new topic in our Spyware removal forum. I will check your PC.

    Comment by Patrik — February 26, 2010 #

  116. Thank you much for the help.

    Comment by SB — February 28, 2010 #

  117. Thanks for this website! Helped me out a ton. Great advice by Ryan (Feb. 17th). I only had one file with the O4-string that was affected (besides the R1-string file). My O4-string ended with a y….stag.exe so they are definitely changing up the virus. But again if search for the processes by memory its not too difficult to find. Thanks again to this website!

    Comment by SC — March 1, 2010 #

  118. I just went through this mess… I used Hijack and Malwarebytes and it’s gone for now… The needles in the haystack were two O4 files that ended in “pllstav.exe”. I found them using the advice above and google. Thanks to all who submitted feedback!

    Comment by Scott — March 1, 2010 #

  119. Thank you for the tremendous help in removing this monster of a virus. I was pulling my hair trying everything I know and nothing was working I was ready to give up and then I came across this website. I used Hijack first renaming it to ‘iexplore.exe’ and that worked great then I used Malwarebytes to remove the rest of the malware/virus. Thanks again so much.

    Comment by Perla — March 1, 2010 #

  120. Thanks so much for this site and the links. However, the comments were the most helpful due to the update to the malware.

    The method that worked for me was a simple system restore from safe mode. I highly recommend trying this method first then scanning your computer with both these anti-malware programs to make sure no traces remain.

    Comment by HC — March 2, 2010 #

  121. Thanks so much to this website! I followed the directions, and it worked. Yes, the file names have changed slightly, but the “av” ending is always in the file name near the end. NOTE: I only had the R1 file and one of the O4 files found by Hijack. When I then ran Malware (after the Hijack find and removal of 2 files), it found nothing malicious. I rebooted the computer and went to the control panel because I realized the appdata files are hidden in Vista. Once I unhid them, I found one more “av” file hanging around, deleted it and restarted the computer. Everything is fine now!

    Comment by Susanne — March 2, 2010 #

  122. I cann’t figure out how to rename it? i googled it and it didn’t helped me because it pops up and then is bolded but you cannt hit it… can yuo right click it? Oh and I really hate whoever made this right now!! they need to put them in jail this has been infecting my computer for months and today it started with the stupid this site is bad thing.. help!!

    Comment by Sara — March 3, 2010 #

  123. You are a life saver; I got infected last night. I only had 2 O4 entries. They were not exactly named as any of the files mentioned above, but they did end in “tav” which made it a pretty dead give away when compared to the above posts. Hope that helps

    Comment by Cranston — March 3, 2010 #

  124. Sara, please open a new topic in our Spyware removal forum.

    Comment by Patrik — March 4, 2010 #

  125. I got the Antivirus Soft virus and followed the directions on this as posted and it went away. However after running Malwarebytes’ and rebooting the problem popped up again. Right now it is away as I redid everything except running Malwarebytes’.

    I also have another problem in all this is that I can’t run Internet Explorer and can only run Firefox.

    Comment by Cam — March 4, 2010 #

  126. Cam, please ask for help in our Spyware removal forum.

    Comment by Patrik — March 5, 2010 #

  127. An easier way to remove it is to install malware anti-malware bites. then if you normaly double click it wont work so you right click and then select run as. it should open and preform a full scan.
    sinceirly,
    Bob The Builder
    {p.s. I just cant say my real name!}

    Comment by bob the builder — March 7, 2010 #

  128. In order to rename the hijack, don’t double click on it, right click and click on save as and then rename it and save it to your desktop.

    Comment by melissa howerton — March 7, 2010 #

  129. Thanks for the help. I already had hijack this and was able to execute the above fixes from safe mode with networking. Seems to have worked like a charm.

    Comment by rick — March 8, 2010 #

  130. I followed the intstructions (i think) after downloading the hijack this. i looked for the lines that look like R1 HKCU but didnt see any with any ending in ftav.exe or sysguard.exe but did find the one that said RI HKCU\software\microsoft\windows and fixed it. then after an error sign popped up Error code 732 (12027.0).

    Comment by Cynthia — March 11, 2010 #

  131. i tried downloading HijackThis and it’s not showing up on my desktop anywhere and i can’t find it in my computer. When i went to download it, all it said was save as or cancel. couldn’t rename it or anything. Am i just stupid? Help me please. thanks.

    Comment by Katie — March 11, 2010 #

  132. Im sorry the error code was 732 (12029,0).

    Comment by Cynthia — March 11, 2010 #

  133. how do you know which one to delete and check? ahh this is such a pain! they all have different names and ect. which one and how od i know? ty!

    Comment by dylan — March 11, 2010 #

  134. Cynthia, open a new topic in our Spyware removal forum. I will check your PC.

    Comment by Patrik — March 12, 2010 #

  135. THANKYOU SO MUCH for this info !!!

    Comment by Sachin — March 17, 2010 #

  136. thanks a million, Dell wanted to charge me $234 to get my computer fixed. I followed your instructions and so far things are going smoothly. I just had difficulty changing the file name of Hijack This…had to go to their site and download it from there.

    Comment by Sal — March 18, 2010 #

  137. ya i dunno, seems to me this dam program (antivirus soft) got even smarter…won’t let me run any .exe programs none!!!!! I’m soo friggen pissed help?

    Comment by NRM — March 18, 2010 #

  138. but in safe mode the thing isn’t appearing but these programs aren’t detecting it

    Comment by NRM — March 18, 2010 #

  139. found the following item.
    gblisftav.exe

    I was about to throw the computer out the window and find a lawyer for the time it took to get this off the computer. People who write such malware should be flogged in public.
    thank you for the public service.

    Comment by Nathan — March 18, 2010 #

  140. NRM, if the instruction does not help you, then ask for help in our Spyware removal forum.

    Comment by Patrik — March 19, 2010 #

  141. With HiJackThis I removed the following line and I was able to update and run Malwarebytes.

    R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

    Comment by Robert — March 20, 2010 #

  142. Followed Ryan’s comments (Feb 17) to open task manager at start up, googled exe file before deleting process. Downloaded Hijackthis using Google Chrome after unchecking proxy server setting. Then followed Step 1 Hijackthis process to remove the two annoying exe files. Also fixed the proxy setting in the R1 line. Rebooted my computer and all is well so far.
    Thanks everyone.

    Comment by Gana — March 20, 2010 #

  143. I forgot to mention that I followed everyone’s instructions to rename Hijackthis at download time before running it.

    Comment by Gana — March 20, 2010 #

  144. Thank you so much for the help!
    I couldn’t find any R1 section though.
    There were only sections that start with O4 and end with ftav.exe =) And on internet browser, you can’t even change your internet option. They automatically set it as that proxy thing every time I uncheck it. And plus, through internet browser, you can’t even reach to this website because this antivirus soft keeps disrupting. (but firefox works well while there were thousands of purchasing ads popped up.)
    Apparently this means that they become smarter..
    Any way, once again, Thanks for your help.

    Comment by Christine — March 20, 2010 #

  145. Thanks everyone so much for the advice. The two steps worked like a charm and helped me to finally get rid of this abhorrent virus. I really hope that whomever created this spyware would get caught and get sentenced to 40 years in prison.

    The Hijackthis program was especially helpful. Thanks again!

    Comment by Clark — March 21, 2010 #

  146. I followed all directions, and I am now up to the part where on Hijack This I have to place a checkmark next to the items to delete. Before I do this I want to make sure I am deleting the right things and not something I need. I looked at the list above and do not see similar items. I have some things that start with ‘R1′ and ’04′ but I don’t see any files that end with ‘sysguard.exe’. Should I just delete everything that starts with ‘R1′ or ’04′? Thanks in advance…

    Comment by Aimee — March 21, 2010 #

  147. Aimee, if you unsure, please open a new topic in our Spyware removal forum. I will help you.

    Comment by Patrik — March 22, 2010 #

  148. I had this pop up again and I was able to run hijack this and remove the bad programs. After I did that I could run malwarebytes but nothing is showing up to remove/clean, which I think is odd. Normally, I have trojans and other junk to delete.

    Comment by Jane — March 23, 2010 #

  149. Holy cow — what a nightmare! I had trouble getting HijackThis to download, then it wouldn’t run because it was ‘infected’. Finally I had to shut the computer down by unplugging it, since nothing was opening anymore (taskmgr, cmd, regedit, etc), and I couldn’t even shut it down gracefully. I brought it up in SAFE mode and successfully ran HijackThis. Then I rebooted and was able to proceed with MalwareBytes.

    THANK YOU…THANK YOU….THANK YOU

    Comment by Gwen — March 23, 2010 #

  150. Okay, so I finally got rid of Antivirus Soft after reading this page, but I still can’t connect to the internet. My firewall is set to allow access for both Internet Explorer and Firefox, and neither programs are using a proxy server to connect. I can still access the web through another computer on this network, but even in Safe Mode, the system which was infected won’t allow me to access the internet. Any suggestions?

    Comment by Louis — March 24, 2010 #

  151. how do you rename it
    and I didn’t rename it so I saved it as hijackthis, it opens the menu, I clicked on ‘do a system scan only’ but I don’t see the R1 line

    Comment by anabel — March 25, 2010 #

  152. Louis, what shows your browser when you trying open any site ?

    Comment by Patrik — March 25, 2010 #

  153. Patrik – Firefox shows “Server not Found” and Internet Explorer shows “Cannot display the webpage.”

    Comment by Louis — March 25, 2010 #

  154. Louis, read the instructions, use additional steps.

    Comment by Patrik — March 25, 2010 #

  155. so was infected with this few days ago booted safe mode networking ran Super anti spyware and another scan with Malwarebytes both picked it right up removed reboot did full scan..things good for 2 days get on today and pops back up scanners find it again,but both times it comes up as i was using firefox not ie..everytime avg pops up says threat i hit move to vault.then antivirus soft takes over ! Any advice be appreciated !

    Comment by bjv — March 26, 2010 #

  156. bjv, looks like your PC is infected with a hidden trojan that can reinstall the rogue. Open a new topicin our Spyware removal forum. I will check your PC.

    Comment by Patrik — March 26, 2010 #

  157. Hello, I scanned my computer with Malware Bytes but the Antivirus Soft keeps coming back.
    I tried to fix it with ComboFix and it only worked for 2 seconds before the darned thing came back again…. please any help

    Oh, I’ve been infected with Internet Security 2010 before and used Malware Bytes maybe my computer already reconizes it? I don’t know but I’ve had it with the rouge antiviruses!! Thanks in advance! :D

    Comment by Amy — March 26, 2010 #

  158. Amy, please follow the steps.

    Comment by Patrik — March 26, 2010 #

  159. This worked well for me. I spent about 4 hours, but followed the steps with great success. Thanks for publishing this post!

    Comment by Johnny — March 28, 2010 #

  160. thanks so much for this excellent programme
    now im going to london to force the bastards
    to buy somthing they dont want……………… they will buy it…..

    Comment by enrique veogente — March 29, 2010 #

  161. how about i go to london with a bucket of whitewash and swill the bastards and their offices them tell them i’m from a paint removal company (newly formed)……. and bill them for the removal of the paint :)….six months after of course then offer them a deal on not swilling them again if they subscribe to my bona-fide company.

    Comment by enrique veogente — March 29, 2010 #

  162. then twat em

    Comment by enrique veogente — March 29, 2010 #

  163. i was able to shut down two things in hijack this: the IP one and one other with a totally made up bogus name. Whatever version of Antivirus Soft I had did not have sysguard.exe or ftav.exe in the hijackthis.

    And malwarebytes didn’t find ANYTHING but after running hijackthis i was able to open regedit and delete several keys including one with AVSCAN in title and another with AVGUIDE. There was also a entry in the LOCAL_MACHINE area which is listed above.

    Finally I was able to delete the folder it made in my local user profile. Totally made up bogus name and an exe with the same name inside.

    Did all that, restarted and 30 minutes now without any popups or warnings. I think it’s kicked.

    Comment by steve young — April 15, 2010 #

  164. Hi guys. This virus hit my desktop about an hour ago and thanks to this guide and the comments on this site I’ve been able to get rid of it. Thanks a ton, you guys are lifesavers.

    A few comments from my discoveries:

    I wasn’t able to run either Malwarebytes or HijackThis, both were found to be “viruses” by Antivirus Soft and weren’t allowed to open. I was able to download them fine by turning off the proxy thing in Internet Explorer, but when I tried to open the file (even after naming iexplorer.exe) neither one worked.

    I followed a comment above and searched under C:\Documents and Settings\Aaron\Local Settings\Application Data\

    Here there was a folder named btandvlfm with a file inside called nqftdoctssd.exe. I wasn’t able to delete the file but I could rename it to get rid of the .exe.

    Next I restarted my computer, pressing ctrl-alt-delete just as windows was loading. I organized running processes by computer % usage and found some weird exe file with random letters, so I closed that fast. I was then able to run Hijackthis and Malwarebytes. Malwarebytes found 12 processes, which I deleted. I then went back to the directory that I found and deleted the folder and file. I restarted my computer here as Malwarebytes wanted me to, and I think everything is now okay.

    Thanks a lot to everyone who contributed to this page, it’s been a great help.

    Comment by Aaron — April 15, 2010 #

  165. Hi guys. This virus hit my desktop about an hour ago and thanks to this guide and the comments on this site I’ve been able to get rid of it. Thanks a ton, you guys are lifesavers.

    .
    A few comments from my discoveries:

    .
    I wasn’t able to run either Malwarebytes or HijackThis, both were found to be “viruses” by Antivirus Soft and weren’t allowed to open. I was able to download them fine by turning off the proxy thing in Internet Explorer, but when I tried to open the file (even after naming iexplorer.exe) neither one worked.

    .
    I followed a comment above and searched under C:\Documents and Settings\Aaron\Local Settings\Application Data\

    .
    Here there was a folder named btandvlfm with a file inside called nqftdoctssd.exe. I wasn’t able to delete the file but I could rename it to get rid of the .exe.

    .
    Next I restarted my computer, pressing ctrl-alt-delete just as windows was loading. I organized running processes by computer % usage and found some weird exe file with random letters, so I closed that fast. I was then able to run Hijackthis and Malwarebytes. Malwarebytes found 12 processes, which I deleted. I then went back to the directory that I found and deleted the folder and file. I restarted my computer here as Malwarebytes wanted me to, and I think everything is now okay.

    .
    Thanks a lot to everyone who contributed to this page, it’s been a great help.

    Comment by Aaron — April 15, 2010 #

  166. Thank You so much. This worked great!

    Instead of downloading Hijackthis in Internet Explorer I ended up having to download it using Google Chrome to get it to work.

    Comment by Tina — April 15, 2010 #

  167. Thankyou for having this information available, it has fixed my computer….. :)

    You’re legends!!

    Comment by Jen Hanlon — April 15, 2010 #

  168. I just got it fixed and the o4 line was random letters.exe just delete all random ones! then to malwarebytes scan

    Comment by Nathan — April 15, 2010 #

  169. my laptop got infected with this software , i was reading this post in my desktop ready to go through the step , in the same time i was scanning my laptop with Norton software .
    and surprise surprise Norton was able to remove it.
    good luck all

    Comment by joe — April 16, 2010 #

  170. You can make your computer easier to work with by stopping the virus from running on startup.

    Do this by:
    1) Reboot your computer
    2) As soon as you are able, click the start button
    3) Press “run” (windows xp) or just use the default search area in vista/windows7
    4) Type ‘msconfig’ and press enter
    5) Once the window pops up click on the Startup tab
    6) Untick anything that looks unfamiliar to prevent the virus from running on startup
    7) Click apply and reboot your computer

    Comment by Devin — April 16, 2010 #

  171. I got this virus earlier today and the first thing I tried was HijackThis. Like others have been saying there was no sysguard.exe or that other one mentioned above. If you look through all the O4 ones even the technophobic (like myself) can approximately discern what’s legit and what isn’t. If it’s got names of actual programs you have on your computer (Adobe, AVG, etc.) you probably shouldn’t delete those. I did, however, find one entry with random letters.exe. It was only 1 and after I deleted it the icon disappeared and the infection popups stopped. Good luck to you all.

    Comment by Sephora — April 16, 2010 #

  172. Hi, my system is having the same issue. The virus is not allowing me run any exe. it just flashes and then closes that, followed by a pop up to buy the product. Tried to rename the Hijack file but it didnt work. I have vista OS.

    Thanks,
    Nick

    Comment by Nick — April 17, 2010 #

  173. Nick, boot your computer in Safe mode, then run HijackThis.

    Comment by Patrik — April 17, 2010 #

  174. This website is so great, it’s helped me with so many of my problems and there’s no doubt in my mind that I’ll tell my family and friends to use this site if they’ve got a problem.

    Comment by Alex — April 17, 2010 #

  175. Malwarebytes is great! We got infected with the stupid Cleanup antivirus scam and NOTHING would remove it from the computer…McAfee was hosed..task manager completely useless…Spyware dr was blocked from running…so I tried malwarebytes and it found 780 infected items! It removed them all right away and now my computer is working perfectly again! Thanks Malwarebytes! I will recommend you to ANYONE with similar issues!

    Comment by Mya — April 17, 2010 #

  176. Oh man thanks so much, I’ll never take my poor pc for granted again! Was really panicked,but followed all the steps and read the comments for more perspective and so far it’s working like a dream, which is a miracle compared to how banjaxed it was all afternoon. It took patience, lots of tea, but it’s worth it. Once again thanks:)

    Comment by Marc — April 17, 2010 #

  177. I was able to close antivirus soft by, after an hour of opening task manager to stop the damn program, executing the scan in the virusware and quickly opening the manager and closing it that way in applications. It must have been slowed down to give me time to do this. But after that I just got the occasinal opened Internet page. This guide was easy after that to get rid of the remaining infection without being told everything I did was a virus.

    Comment by Garrett — April 17, 2010 #

  178. Thanks everyone, I followed these instructions and got rid of the virus immediately!

    Like Sephora I had no sysguard.exe but I just googled any names I was concerned about!

    Great advice! :)

    Comment by Lynzi — April 17, 2010 #

  179. That same virus is on my other comp and has made it so it wont start up and get passed the dell screen making it so i cant even press F8 to get into safe mode. Any help at all please?

    Comment by help — April 18, 2010 #

  180. help, use the steps above.

    Comment by Patrik — April 18, 2010 #

  181. I got this virus about an hour ago, and I immediately got online and found this site.

    Since I use Firefox (and really folks, it’s best to use something other than IE…Chrome, Opera, Mozilla, anything), I was able to surf. I downloaded Hijack this, renamed it iexplore.exe, did a search. I didn’t find any files that ended in sysguard or ftray or “av”, but I did see one file in the “O4″ files that was just a bunch of random letters, so I checked that, and the “R1″ file that had what looked like an IP address. After fixing those, I rebooted, and quickly did the ctrl+alt+del thing just in case that didn’t work. I figured I would at least have access to the task manager. But I don’t think I needed it since I didn’t see the icon on the task bar anymore, nor was I receiving the pop-ups.

    However, I also downloaded malware bytes and did a scan. It found two trojans, so I quarantined, then deleted those. So I hope that’s all I have to do. Still, I’m going to continue to do a check for any lingering trojans, and download some free anti-virus software and beef up my Firefox security with some add-ons. You never can be safe enough.

    Now I wish I could get my hands on the people responsible for this annoyance!!!

    Comment by jay — April 18, 2010 #

  182. I just wanted to say thank you as this information was tremendously helpful. I used the hijackthis and malwarebytes software to eradicate the virus. There were two files, both gibberish letters, which I blew away in hijackthis. Then when Internet Explorer would not work, I used a restore point to get the whole thing working. It took me about five hours and two computers to get to this point, but it was worth it.
    Thanks and Cheers,
    Ian

    Comment by hiproverbs — April 18, 2010 #

  183. I followed all the the instructions above and ran Malwarebytes in safe mode, but when I go to normal mode, I am still having the same problem. Please help. I am out of patience.

    Comment by Carolyn — April 19, 2010 #

  184. Carolyn, open a new topic in our Spyware removal forum. I will help you.

    Comment by Patrik — April 19, 2010 #

  185. This virus is ridiculous and the company should be shut down and fined for screwing up so many people’s computers! I became infected with it yesterday and tried “Try This”‘s method and it appears to have worked! Thanks and good luck to all of you!

    Comment by Carl — April 19, 2010 #

  186. A quick tip for Vista users at least:
    When you first log in, it takes a bit for the Antivirus Soft (or, in my case, Antispyware Soft) to load up. Hit ctrl-alt-delete as soon as possible, and you can get up a task manager before the software has a say in it. Then you find something that looks like a random string under the processes menu, terminate that process and it will stop terminating your files for the duration of that boot-up. It made working to the directories and manually trashing these files much easier.

    Comment by Ov3rR1d3 — April 19, 2010 #

  187. Oh, thank you guys so much for all your help. My laptop got hit a few hrs ago and I didn’t know what to do. I was almost tempted to purchase the thing. Luckily I found this website. Thanks again all.

    Bee

    Comment by bee — April 19, 2010 #

  188. Ok, few notes.. I will say this, though.. THANKS for the instructions!!

    I ran into this issue about an hour or so ago. Took me a bit to find this site/page, but once I did, I pretty much had almost no problems. The two biggest issues I had was trying to figure out how to rename a file before I save it (I use FireFox). Once I figured that out via trial and error, I was able to run HijackThis fine.

    The second issue I ran into was in Vista, you need to run it as Administrator. I didn’t know this until opening HijackThis. But I couldn’t completely end the HyjackThis process. At all. So I ended up restarting. When the computer fired back up after the restart, I didn’t have any issues whatsoever with the AV Soft. But, I still ran HyjackThis, didn’t find any odd ’04′ registries, so I closed that out and ran Malwarebytes. Only found 5 issues, and only 2 of them had ‘av’ in the filenames.

    I ‘fixed’ those files and am about to restart the computer now.. Thanks again for the awesome info!! I have bookmarked this page!

    Comment by Jeremy — April 19, 2010 #

  189. Thank you!!! Very good instructions.

    Comment by Ana/Nicolas — April 20, 2010 #

  190. Thnx guys!! This helped me got rid of the virus!
    Keep up the good work;)

    Comment by Tim — April 20, 2010 #

  191. Thank you for the instructions, they worked wonderfully. After I had removed the offending files, I ran a scan from Safety.live.com and it found the directory and additional items to be removed.

    Comment by Swaff — April 20, 2010 #

  192. Hi, I’m having a problem renaming hijackthis to iexplorer.exe. I use Firefox and when I click on the link provided above for hijackthis it only allows me to hit save or cancel to open it, no opportunity to change the name. Also when I do hit save, nothing seems to happen. Unfortunately I don’t have Jeremy’s trial and error skills. I’d love some help…this antivirus soft is laaame.
    Thank you!

    Comment by Courtney — April 20, 2010 #

  193. Thanks a lot ,

    You really saved my day…

    Comment by Sagar — April 20, 2010 #

  194. Thanks for the post and everyone’s comments. I followed the instructions and deleted:
    R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

    as well as two files ending in nuosttltssd.exe.

    So far so good, have just downloaded Malwarebytes and am doing a system scan.

    Comment by JJ — April 20, 2010 #

  195. Thanks. You have saved me from trouble and spending money on vendors to have this cleaned.

    Comment by Shardul — April 20, 2010 #

  196. Thank you, this guide worked perfectly along with all the helpful comments

    Comment by Jesse — April 20, 2010 #

  197. How do i rename the Hijackthis it in vista? When i clicked the “here” the only thing i can press is save or cancel. I clicked save then the download window opens. when i right clicked it, it only gave me option to open, open containing folder, copy download link, select all and remove from list. Please help :(

    Comment by Ian — April 20, 2010 #

  198. OK, so from the other posts above i figured out my problem but now i have a new one. I cant get into the internet options in internet explorer. I clicked tools ->Internet Options but nothing happens.

    Comment by Ian — April 20, 2010 #

  199. My computer was infected an hr ago. I just restarted my computer then quickly went into system restore before all the programmes had a chance to download, then simply brought it back a month. It seems fine now.

    I hope this helps.

    Comment by I hope this helps. — April 20, 2010 #

  200. Simple and effective. Fixed my parents’ computer in short order. Bless you, dear writer.

    Comment by JCS — April 21, 2010 #

  201. Thanks guys!! Followed the steps and my norton cleared it out.

    Comment by Hilander — April 21, 2010 #

  202. Courtney, to open a Save dialog in the Firefox you need right click to download link and select “Save Link As” option.

    Comment by Patrik — April 21, 2010 #

  203. After 2 crazy days of fighting this AWFUL, SHIT virus, after using all possible antivirus (malwarebytes, stopzilla, hijack, kill it, etc. etc.), starting in safe mode, etc. I found out that the only thing that works and VERY SIMPLY:
    1.Restart
    2. act quickly and click on start menu, accessories
    3. click on system tools
    4. click on system restore
    5. restore to a date prior to virus infestation. (i used a week earlier to be sure)
    6. restore system
    7. restart

    And all was miraculously working as before.

    Hope it helps.

    Comment by Katherine — April 21, 2010 #

  204. THANK YOU THANK YOU THANK YOU!!! It worked!! I followed the directions and it work perfectly!! But like the guy below me said they have changed it from sysguard.exe to random letters I just had to look closely at all of my files to see which one looked crazy my file ended in tpavskvtssd.exe….I run firefox so I wasnt able to change the name.

    Comment by Flame — April 21, 2010 #

  205. Ian, rename HijackThis after downloading to iexplore.

    Comment by Patrik — April 21, 2010 #

  206. Hi.

    My Dad’s computer recently had this virus. I found it under a different name though which was ‘MCXKFQBTSSD.exe’. Hidden in a few places in sys folers. C:\WINDOWS\Prefetch, Application Data (C:\documents and settings\[USER NAME]\Local Settings\Application Data\ifhjuveey (I dont know wether or not the ‘ifhjuveey’ was selective to this computer or not. Also in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\Run for startup.

    I deleted the files in Safe Mode and then ran a anti-virus check just to make sure all was gone.

    Good luck removing this virus to whoever has it.

    Thanks

    Comment by Unknown — April 21, 2010 #

  207. The uninstall instructions for this crappy “antivirus soft” worked. Thank you. I wish I could meet these punks who have far too much time on their hands. I liked to give them an incurable virus! Thank you for helping us out. Now, the question…how do I keep this crap off my computer. I have Crap Cleaner, Malwarebytes Anti-Malware and MS Security Essentials. I still got the spyware. Should I use Norton or something similar to keep this off my computer…thoughts?

    Comment by Jim — April 21, 2010 #

  208. I could kiss you guys!

    Dear god that virus was a pain. Think I got it now though, running my Malwarebytes scan now.

    If you have trouble with this, follow this guide to the letter, it works.

    Only thing I’d say is my Hijackthis scan didn’t return anything like what is suggested. Mine returned only one O4 that looked suspicious, it was *pathway*/{random}/{random}

    Thanks again!

    Comment by Fraser — April 22, 2010 #

  209. Jim, try instead MS Security Essentials to use Norton AV or Kaspersky AV. Also you can try following free and good antivirus program: AVG, Avast, Avira.

    Comment by Patrik — April 22, 2010 #

  210. I would remind Firefox users that you can save the file as is, then re-name it. Be sure to set your browser to download the file to the Desktop, though.

    Comment by jay — April 22, 2010 #

  211. Worked like a charm! Took care of the problem in all of 5 minutes, thanks a lot!

    Comment by Josh — April 23, 2010 #

  212. the link to hijackthis doesnt work anymore =(

    Comment by eric — April 23, 2010 #

  213. eric, i have updated the link above, Try download HijackThis once again.

    Comment by Patrik — April 23, 2010 #

  214. whew.. still holding my breath but it worked! thank you guys so very much, people that make programs like this should be hunted for sport. anyways thanks again!

    Comment by Cliff — April 23, 2010 #

  215. I found that if I restarted my computer and immediately started the task manager I could stop the virus process as soon as it popped up (it was some random letters like this asfshkdhjs and a few other 4 letter words like asam) then once I stopped those processes I was able to download hijackthis and the other suggested programs. Once I did that I ran them scanned and did as prompted and now I am free of this horrid problem. Good luck to the rest of you!

    Comment by Ellah — April 24, 2010 #

  216. mine was called gnodmwatssd.exe

    Comment by Bamboy — April 24, 2010 #

  217. it now prevents any program from being started. so when i installed malwarebytes i had to rename it to run it. running the scan right now hopefully it will be gone

    Comment by Neel — April 25, 2010 #

  218. Hello, I did not find any suspicious \.exe\ file so I just deleted all file beginning with 4\ and \R1\.
    I was able to install the malware and it helped me delete the malicious antivirus soft.
    I did this in safe mode then restarted my computer and re-ran the malwarebyte in normal mode just to be safe and also ran my antivirus scan in nomal mode to be on the safe side. in case you are wondering, I have XP operating system.

    Thank you very much for all the info. It saved me . Thanks a lot!

    Comment by Amiee — April 25, 2010 #

  219. Hi, can someone please help me?

    So I downloaded the Hijack. and did the scan. But I cant find any sysguard.exe OR ftav.exe
    I read some comments and people said that it is now random letters. I am a bit worried that I might checkoff the wrong thing and it will mess up my computer. So can someone help me check the ones I found suspicious?

    HKCU\..\Run: [gwggdwfw]C: \Users\Owner\AppData\Local\kqnaykhov\dswcsjktssd.exe

    HKLM\..\Run: [Persistence] C: Windows\system32\igfxpers.exe

    HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe

    HKLM\..\Run: [RtHDVCpl]RtHDVCpl.exe

    This was all found in the O4 section.

    thanks!

    Comment by Fionna — April 25, 2010 #

  220. Patrik,

    Thanks…I had Norton and got rid of it for MS Essentials. Nothing but problems since I drop Norton. The reason I dropped Norton is it takes so much ram and slowed down my computer.

    Comment by Jim — April 26, 2010 #

  221. so, thanks to all the helpful comments and the instructions, i beat antispyware soft, but, it was a real pain. I would seriously like to kill the reject who spent their time making this to make other’s lives miserable. Does anyone know where these virus/malware come from?

    Comment by Randy — April 26, 2010 #

  222. ok…while i was running mbam it opened up a random porn site…….im confused

    Comment by confused... — April 26, 2010 #

  223. I got this obiously moving thru adult sites, out of the blue, it just started up. mbam fully updated and running didn’t help, and I am running avast home version as well. I went into safemode and ran spybot search n destroy and it removed most if not all of the antivirus soft app. Malware bytes full scan got the rest. Live and learn.

    Comment by David G — April 26, 2010 #

  224. Thank you so much for the information. I was so shocked when I got this virus but with all of your help, I GOT RID OF IT. I started in safe mode and ran Hijack then ran the Malware bytes software. It all worked. I hope that it does not come back. This antivirus soft is horrible. BTW: To find which R1′s and O’s to delete… I had my laptop (2nd “uninfected” computer) next to me and I googled any .exe files that I could not 100% identify.

    Comment by Todd — April 27, 2010 #

  225. Fionna, fix the line below:
    HKCU\..\Run: [gwggdwfw]C: \Users\Owner\AppData\Local\kqnaykhov\dswcsjktssd.exe

    Comment by Patrik — April 27, 2010 #

  226. thank you! my ended dimjhssudtssd.exe

    Comment by Avi — April 27, 2010 #

  227. thank you so much! you are a genius! this virus was really getting on my nerves.

    last question,should I keep HijackThis and the Malware bytes? Can i use these in the future for other viruses or should i just throw them out?

    thanks :]

    Comment by Fionna — April 27, 2010 #

  228. Fionna, you can leave both programs to remove a malware in the future.

    Comment by Patrik — April 28, 2010 #

  229. Thank you very much ! It was a huge help.

    Comment by Erik — April 28, 2010 #

  230. THANKS!!!!

    Comment by Aubrey — April 28, 2010 #

  231. This is one of the greatest sites ever!! Many thanks for the help. My issue with this was abit different as I changed my configuration some. I don’t have a C:\Document and Settings\user\mike\Local Settings\Application Data directory but the virus still showed up there in Hijackthis.

    Thanks For the help!!

    Comment by Mike — April 29, 2010 #

  232. I looked at quite a few web sites on how to tackle this hard to get rid of virus… I couldn’t find anything that actually helped me make progress.

    I followed the instructions on this page and within 5 minutes I was back in business, I appreciate the help immensely.

    Comment by Techniq — April 29, 2010 #

  233. Excuse me, but I want to open Hijackthis and Antispyware block it… I simply can’t do the revome step…

    Comment by Jonathan — April 30, 2010 #

  234. Oh, another one. I can’t come to the dll with explorer. I dll it with Firefox but I can’t rename Hijackthis untill he’s dll on my pc.

    (SOrry for my english, I talk frensh)

    Comment by Jonathan — April 30, 2010 #

  235. Now I’ve rename iexplorer with right click. But he don’t want to open… I need help T.T

    Comment by Jonathan — April 30, 2010 #

  236. Just for information. (sorry for quadruple post)
    I’ve read all comments. I’ve rename it with all name I see and dosen’t work

    Comment by Jonathan — April 30, 2010 #

  237. I just wanted to thank all of you for the help provided. I couldn’t find anything on the internet as clear as what’s mentioned above, and got rid of this rogue within minutes thanks to your help.
    I really have no idea how I got it. I am a very safe internet user, and I never browse any suspect websites. I scares me a little when I think of it… But now I know how to get rid of it.

    Thanks again !

    Comment by Mélanie — April 30, 2010 #

  238. Heya, i have to say this really looks like it could help me, but unfortunately i have a problem :(
    I am using Firefox to read this because IE closes automatically whenever i open it.
    I tried to download Hijackthis and to rename it but Firefox doesnt give me the oppertunity to, and when i try to open the file location the damn program also closes it.
    Is there anyone here who knows what to do? :(
    I would really appreciate any help, i will just check the site every day to check if someone left me a reply. Thanks.

    Comment by Marco — April 30, 2010 #

  239. Hello, i downloaded and renamed Hijackthis like it said and i did the whole scan thing…
    but going through the list i cannot find sysguard.exe or ftav.exe at all …. so what do i check and fix? If anyone could help i would really appreciate it! :]

    (i dont want to go through all the comments because im getting a headache @_@ )

    Comment by Kait — April 30, 2010 #

  240. Nevermind, it magically dissapeared O.o

    Comment by Marco — April 30, 2010 #

  241. Jonathan, try run HijackThis in the Safe mode.

    Comment by Patrik — April 30, 2010 #

  242. Marco, to open a Save dialog in the Firefox you need click to a link and select “Save link as” option.

    Comment by Patrik — April 30, 2010 #

  243. Kait, look also lines that have “tssd” in right part.

    Comment by Patrik — April 30, 2010 #

  244. Thanks! I will remember it for the future.

    Comment by Marco — May 1, 2010 #

  245. Hey

    i tryed what Kathrine sayed, about restoring computer to a few saus before this issue happend, bit does that mean im totally free of it ??

    I was reading my say down, i was about to do all that seems to help others, but my only problem was i couldnt go to any other web site, so couldnt download hijackthis..im using my iPhone atm to read this forum…

    But now after restoring i can surf the nett again..so would i need to download hijackthis etc now?

    Ps: no idea why i suddenly got small letters on parts of this post :P

    Comment by Vikingskog — May 1, 2010 #

  246. Hehe nvm the small letters i was talking about, Must have been my iPhone ;)

    Comment by Vikingskog — May 1, 2010 #

  247. Thx a lot!!

    Found a “tssd” in the right after a lot of different letters! Crappy thing!!

    Comment by TorErik — May 1, 2010 #

  248. LIke this:

    O4 – HKCU\..\Run: [madrycgk] C:\Users\…\AppData\Local\ihyxfdsxa\duhdakytssd.exe

    Comment by TorErik — May 1, 2010 #

  249. if it weren’t for this site and the helpful recommendations i think i would’ve died. this antispy virus was a nightmare, but after i followed the instructions and downloaded hijackthis i got rid of it. so thank you, thank you, thank you, thank you. you really dont know how much i appreciate what you;ve done just by having this page.
    whoever the sad jackass(es) who sit at their desks and create these viruses are, i’d like to get my hands on them.

    Comment by Dallia — May 1, 2010 #

  250. If you download this file, it will stop the errors, thus allowing you to deinstall it somehow.

    It’s a .com file instead of .exe and it wont be stopped

    http://download.bleepingcomputer.com/grinler/rkill.com

    Comment by I conquered it — May 1, 2010 #

  251. In my case, the name of this malware ujgewjttssd.exe, it still appears in the notification. But it is not bothering now, I did everything but it seems somefiles are still there. hijackthis was the one thar pause this nightmare. Any way, thank you for this post.

    Comment by Luis — May 1, 2010 #

  252. I did what Katherine sayed, and restored my computer to an erlier stage. 2 days before this issue happend, so will that say i dont have it anymore? at all atm?
    And wouldnt have to download HijackThis etc…?

    Cause everything seems to run fine now..

    Comment by Vikingskog — May 1, 2010 #

  253. Hmm sry for 2 posts about this, i coudnt see my post i made from iphone, when i was on my computer now, tought it might not have gone throu or something…

    Comment by Vikingskog — May 1, 2010 #

  254. I FIGURED A REALLY REALLY EASY WAY!!
    all you do is… Right click that pop up antivirus soft page… Copy the url it has..(location is somewhere in your App Data)

    Open up My Computer , Paste it into the url bar BUT DELETE the last part of the url…delete it all the way after the exe part
    example…
    C:\Users\Christopher\AppData\Local\qwooiwtuwi\eriowuep.exe
    delete the exe part so..
    C:\Users\Christopher\AppData\Local\qwooiwtuwi\
    (Something like that, i dont remember i deleted already…)

    Then you will see the .exe File…
    RENAME IT to whatever…preferably soemthing like NOTGOODeriowuep.exe :P (just so you can find it easier later)

    The Antivirus Soft is still in use… Reboot your computer And it should no longer start :)
    GO back to the location of the file and delete it permanently. :)

    Comment by TiffTiff — May 2, 2010 #

  255. I tried to download hijack this but couldnt seem to get it working. Downloaded malewarebytes after following ie reconfig steps. ran malewarebytes and was good to go. Malewarebytes removed 52 infections. I am upset that this antispyware soft got onto my computer in the first place as I was running an updated System Mechanic Professional program that didnt catch it. I am going to ask system mechanic why I should continue to pay for a program that doesnt catch what a free program did. Thank you Malewarebytes and to the operators of this site. System mechanic youve got some splaning to do.

    Comment by John S — May 2, 2010 #

  256. Works

    Comment by vg — May 2, 2010 #

  257. I cannot find systeguard or ftav.ev I have made a printscreen of hijack can you look it for me.

    i39.tinypic.com/29fruad.jpg

    Comment by Vinesh — May 2, 2010 #

  258. Vikingskog, anyway scan your computer with Malwarebytes Anti-malware.

    Comment by Patrik — May 2, 2010 #

  259. Vinesh, open a new topic in our Spyware removal forum and post your HijackThis log. I will help you.

    Comment by Patrik — May 2, 2010 #

  260. Thank you – this was really helpful.

    Comment by Margaret — May 2, 2010 #

  261. Yep i downloaded & installed malwarebyte.
    I first preformed a quick scan, and it didnt find anything.
    Then i did a full scan, but it was late so i whent to bed, when i woke uptoday my computer had restarted, so not sure it found anything then either, but i dont think so.

    So still eveything seems to work as normal ;)
    And yes Thanks alot for this website (and my iPhone so i could access it)

    Comment by vikingskog — May 2, 2010 #

  262. shyt thanks guys…. u guys are life savers…

    Comment by Jeo — May 2, 2010 #

  263. Just wanted to say thank-you to the makers of this site.

    There was a small part of me that thought perhaps THIS SITE was an elaborate scheme to get me to download more viruses, but rest assured it’s legit (other sites offer similar, if not the same solution, just do a search).

    Just run the HijackThis file, you’ll get a TON of data that makes 0 sense at all, but take 5 minutes to look through .exe files that do not look familar, and “fix” them, which deletes them.

    Really simple, just follow the steps.

    Thanks again,

    Comment by Robin — May 2, 2010 #

  264. All I can say is wow. Simple and effective!!!

    Comment by Aaron — May 2, 2010 #

  265. thank you it worked great

    Comment by jason — May 2, 2010 #

  266. Thank you so much. Okay guys, the Hijack system works at first shot. Everyone should have the R1 file. However, the people have changed the endings from sysguard.exe and ftav.exe.. to other random stuff. Mine was “fatssd.exe” something. Just any name that looks weird, delete it. There will be more than ONE of that file. I deleted 4 in total, I’m pretty sure if you delete enough files that are related to Antispyware Soft, that it will be deleted off your pc. I don’t think all of them need to deleted because frankly, we don’t know if we deleted ALL of them. But if you delete at least 4, then you should be good :) Hope this helped! Thanks again ♥

    Comment by Sasha — May 2, 2010 #

  267. If you guys are having any problems, you can contact me at \luv_devka55@hotmail.com\. I dont open random emails so please write \Antispyware Soft Help\ as the message title. I’ll be glad to help you out ♥

    Comment by Sasha — May 2, 2010 #

  268. This is the easiest little virus I have ever seen to get rid of.

    Honestly, just follow the steps above. I noticed I was infected and within 15 mins I was cured of it by READING THE INSTRUCTIONS ABOVE.

    A minimal amount of effort goes a long way…

    Thanks for the advice on the best (and easiest) way of kicking this sucker to the curb. Now the real challenge is figuring out where exactly I got infected from and how.

    Comment by Bubbz421 — May 3, 2010 #

  269. VERY SIMPLE SOLUTION

    this nasty program take a few seconds to load when the windows starts

    In these few seconds you can run the task manager

    it appears in the task manager soon (but can’t close it while open)

    stop the process after knowing the exact file source location

    after stopping its process, go to location and delete it

    then apply the setting described earlier in internet options to access the net again (unchecking the proxy in LAN setting)

    CHEERS

    Comment by smsm — May 3, 2010 #

  270. The file I had to delete using Hijack this ended in tssd not sysguard.

    Comment by Jack — May 3, 2010 #

  271. My son also had this on his computer. After a whole day trying to sort things out I found this forum and done the following
    1. Ctl+Alt+delete for task manager
    2. Found the process qoopudttssd.exe – deleted this
    3. downloaded Hijack this.
    4.Found files starting with 04 and ending with qoopudttssd.exe – fixed them.

    Everything seems fine now. Thanks folks for posting on this forum I was about to format the C Drive. My son will be a happy chappy that virus has gone. Cant wait to see his face when I give him with the bill for my time.!!

    Comment by Weld — May 4, 2010 #

  272. hey guys i had the same exact virus and it would tell that everything was infected. but i went into safe mode and wasnt quite sure what to do. so i rebooted normally and it did not start immediately. but i used ad-aware and it took care of it for me

    Comment by aj — May 4, 2010 #

  273. This is great! my file had a weird name it started with r (forgot what it was called) you just have to find the weirdest name in the list and ur done.

    Comment by polakdawido — May 4, 2010 #

  274. I just wish to offer a thanks to whoever put these easy to follow steps together, and for those of you that have commented and added further, updated, information. It would seem that you’ve collectively helped me kick this little f**ker of a virus off my computer. Thanks again to you all.

    Comment by Ash — May 4, 2010 #

  275. Just wanted to say that this is one of the worse attempts at writing a virus I have ever seen. Just follow the instructions, and you will be back up and running.

    Comment by Brandon — May 5, 2010 #

  276. Would like to thank this guide for saving my computer..

    i dont know how i got this virus ,is there any webby i should avoid?

    and will it reoccur?

    thks

    Comment by Temocder — May 5, 2010 #

  277. Hi, here is what helped me:

    1. Restarting my computer
    2. Pressing strg/alt/delete as soon as I see my desktop and before the infection can start
    3. choose: open task manager
    4. looking in processes for any process
    that doesnt make sense or if you dont know which one it is just type all processes in google, often its the one that google doesnt find.
    5. stop the process (Now the popups are gone and you can use/download hijack this to logfile your system or use spybot-search and destroy to delete the fuckin virus.

    hijackThis showed me this exe in the O4 section: puyihutssd.exe
    spybot showed me immediately:
    Fraud.Sysguard (4 entries)

    Comment by Mario — May 5, 2010 #

  278. I was infected by the virus 2 days ago. When I was following the steps to uninstall the virus, it wouldn’t let me open internet explorer options so that I can complete the rest of the steps.

    Comment by Courtney — May 5, 2010 #

  279. Temocder,
    Visit Microsoft Update (update.microsoft.com). Make sure that you have all the Critical Updates recommended for your operating system and IE. Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found.
    Update all antivirus/antispyware programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

    Many of the exploits are directed to users of Internet Explorer. Try using a different browser – Firefox or Opera.

    Comment by Patrik — May 5, 2010 #

  280. Courtney, try use another PC to download the suggested programs, then move them to your PC using a flash or cd disk.

    Comment by Patrik — May 5, 2010 #

  281. Hi,

    I got infected by the virus mentioned in this article and followed the instructions to get rid of it except now when i start my computer up normally after about a minute or so the programs start freezing and then the whole computer just freezes up, cant do anything. When its running in safe mode it doesnt do this.

    Any suggestions ?

    Comment by Keeba — May 5, 2010 #

  282. Thanks guys! I had this virus for like 10 minutes, and it drove me mad, but I found help here and now I am back to normal… thanks.

    Comment by Micke — May 5, 2010 #

  283. Keeba, try run your PC in last good configuration.

    Comment by Patrik — May 5, 2010 #

  284. Removal process worked for me.

    Thanks!

    What a pain… could have been worse.

    Comment by Kai — May 5, 2010 #

  285. Well currently trying what patrik said working great so far but i know the virus got in through java and i know what site can i report it somewhere?

    Comment by PrinceOfFools — May 6, 2010 #

  286. I think I have everything deleted, but when i look under the startup section under the System Configuration Utility, there is still a startup item there called ybabpyvtssd. It’s unchecked, and everything seems to be working fine, but I’m still worried. What do i do?

    Comment by Cris — May 6, 2010 #

  287. 1- right away when windows is opening up go to the start menu and click on RUN type MSCONFIG

    2 – when the panels opens go to the ‘startup’ tab and click to open. uncheck the file ending in SST
    click apply and ok . Restart computer ( you are now in ‘ selective startup mode ‘

    3 – Download the program ‘Malwarebytes’,update the program with the latest malware definitions and run this. This is a free program which will remove remaining trojan files

    4- go to your windows security center and re enable your firewall.

    you are done

    Comment by scanav — May 6, 2010 #

  288. OMG!!! got the virus this afternoon whilst revising for my GCSE’s and after about 5 minutes of trying to ignore it, EVERY BLOODY THING CLOSED, EVEN explorer.exe. so bcoz i couldnt do anyhing i had 2 remove my battery and am now at a loss.

    Comment by Ben Breame — May 6, 2010 #

  289. THANK YOU! I tried bleeping computer’s solution, the virus seemed to go away, then when I rebooted my computer the virus came right back! I had to remove the proxy every time a page loaded, but I finally searched the virus and ended up here. Thanks for the removal process. (I had th evirus for three days, couldn’t do ma homeework)

    Comment by Colin — May 6, 2010 #

  290. Unlike some people here, the problem i’m having is that it’s not letting me run M.b.A.M. am i supposed to re-name mbam also? please answer A.S.A.P

    Comment by Jim — May 6, 2010 #

  291. Thanks for the guide, it worked brilliantly. Yea they rename the sysguard thingy. Apart from the R1 file, for the O4 look out for file ending ukwktibtssd.exe

    Comment by Henry — May 6, 2010 #

  292. Thx to the team at Myantispyware, I have my computer fix after 4 hours of infected.
    Good work team, well done.
    Cheers.

    Comment by hoang — May 6, 2010 #

  293. Nevermind, got it to work. Thank you so much to whoever made this article

    Comment by Jim — May 6, 2010 #

  294. Thanks so much, awesome instructions and I’m not the most computer literate. Only needed hijack. Not sure if this has been mentioned in the above comments, but using mozilla firefox is much easier to get hijack to go where you want it than when I first tried to download it using Internet explorer. Very thankful for the instructions :)

    Comment by Bronwyn — May 7, 2010 #

  295. The hijackthis helped 100% thanks a lot :)

    Comment by Aj — May 7, 2010 #

  296. PrinceOfFools, yes you can report malicious site to malwaredomainlist.com.

    Comment by Patrik — May 8, 2010 #

  297. Cris, run mscondig and select Normal boot option. Reboot your PC, run HijackThis and fix all malicious entries.

    Comment by Patrik — May 8, 2010 #

  298. Ben, if the guide above does not help, then start a new topic in our Spyware removal forum. I will help you.

    Comment by Patrik — May 8, 2010 #

  299. Thanks alot! this guide cleaned up my computer nicely, thanks for the time and effort put into this post, youre a life saver!

    Comment by Kelvin — May 8, 2010 #

  300. I was trying to find the easiest way to get rid of the virus.
    The easiest way I have found is by:
    1. Download http://www.malwarebytes.org/ Just the free version will do.
    2. Install it.
    3. Rename it to iexplore.exe
    4. Run it (The fastest scan option should work)
    5. It will ask you to reboot your computer. Click ok
    DONE!

    Comment by fallingsaints — May 8, 2010 #

  301. THANK YOU SOOOO SOOOO MUCH!! I’m sure that the many of us that used your solution successfully, are eternally grateful to you!

    With the HiJackThis Log, I couldn’t find the files which you specified in it, so I just checked the 04 files which looked suspicious.

    Comment by christine — May 8, 2010 #

  302. Hi need some help!

    When I do a system scan with HijackThis, I can only find 2 ‘infected lines’ which are not labelled sysguard:

    I found ‘piesydntssd.exe’
    Only 1 under ‘HKLM’
    Only 1 under ‘HKCU’

    Should there be more? Or is it good that there is only 1 infected file under ‘HKCU’ for me whereas your guide shows 3 infected lines?

    Comment by Rob — May 8, 2010 #

  303. I was able to launch Hijack but I could only find 1 out 5 you told and the remaining 4 was the 04

    Comment by Mike — May 8, 2010 #

  304. Control alt delete and deleting ‘ieuser.exe’ seemed to work for us – alongside deleting the one that had random letters next to it both in the title and the program name in the task manager program. This then allowed us to use avg scanner which has now picked up a number of trojan viruses and adware toolbars.

    Good luck to all and thanks to everyone else for advice – you really saved us!

    Comment by Vicky — May 8, 2010 #

  305. plzzzzz help me. iv already got malwarebytes-anti malware, and every time i try to open it so i can do the scan the fucked up antispyware soft keeps stopping me!!!!!! plz help!!!!!!

    Comment by lolol — May 8, 2010 #

  306. Thank you so much for creating this blog. I bought my Mom a netbook for Xmas, and she got the Antispyware Soft virus. Instead of taking it Geek Squad (a service I’ve already pre paid 3 years for) she nags me to do it. I don’t know anything about computers!! But your page helped me so much, and now it’s spyware free and running with a trusted antivirus/antispyware system.

    Comment by Ruby — May 8, 2010 #

  307. I just want to extend my gratitude to this website. Without the help you provided, quite frankly, I’d have been absolutley stuffed! Thank you very much indeed.

    All the best,

    Matt.

    Comment by Matt Shearman — May 9, 2010 #

  308. Guys is SO EASY!!

    Simply:

    1. Go to Internet Explorer Internet Options
    2. Go to LAN Settings
    3. Uncheck Proxy

    You can now RUN ALL PROGRAMS

    4. Use Malware Bytes and job done ;)

    Comment by Josh — May 9, 2010 #

  309. Rob, its normal.

    Comment by Patrik — May 9, 2010 #

  310. lolol, you need use HijackThis before Malwarebytes. Follow the first step above.

    Comment by Patrik — May 9, 2010 #

  311. Thank you for this wonderful site. I noticed that when did a msconnfig there is a checked box for that antispyware. My question – Does that mean the trojan is still on my laptop?

    Using HijackThis, I found only One (01). Do I need to redo another search? My computer is still running slow. Help! Please. Thank you.

    Comment by Adeliade — May 9, 2010 #

  312. the hijack program worked best for stuck with this virus for 3 hours but really looked hard at hijack and found 2 suckers after that pain sailing but it fought hard thanks so much x

    Comment by Thomas Comery — May 9, 2010 #

  313. OMG!! Please help! Have tried everything suggested on this site – HiJack this and Malwarebytes, but could only do this in Safe Mode. As soon as I start up my computer normally the virus is still there and I can’t open anything – no HiJack This, no Malwarebytes, no internet access, nothing. In fact, HiJack this doesn’t even show up on the desktop in normal mode. Then, when I go back into Safe Mode, and re-run HiJack This, more 04 codes show up, even though I removed them all the last time I ran it. No infections show up with Malwarebytes now, but I still can’t start my computer normally without the virus. Been working at this for hours – please help!!

    Comment by Kel — May 9, 2010 #

  314. Adeliade, start a new topic in our Spyware removal forum. I will check your PC.

    Comment by Patrik — May 9, 2010 #

  315. Kel, try rename hijackThis.exe to iexplorer.exe and run it in the Normal mode. Fix all infected entries, run Malwarebytes, update it and perform a scan.

    Comment by Patrik — May 9, 2010 #

  316. my hijackthis scan found no files that had the endings sysguard or ftav. 4 suspicious files apeared looking something like this

    04-HKLM\..\Run:[lyjknz]lyjknz.exe

    got rid of them & doing malwarebytes scan now.
    thanks for your help patrik, you’re a champion :)

    Comment by matt — May 10, 2010 #

  317. I cannot thank you enough, i was going insane trying to fight that f****** “antivirus soft”. I followed your instructions using “Hijack This” and it did exactly what said on the can. IT’S GONE !!!!
    Once again thanks cus thats one fine piece of software.

    Mick

    Comment by Mick — May 10, 2010 #

  318. Just got it half an hour ago and came straight to this website. Followed the instruction to turn the computer off, then when the desktop is loading press ctrl-alt-del and start task manager. looked for the dodgyest looking program wgttshte or something similar, and ended it. Sure enough the popups and the green shield dissapeard. To be extra careful I restored my computer to a few days ago, hopefully its completly gone. Does anyone know how you get it? Unfortunatly I was downloading a song AND watching a movie online =)

    Comment by Dom — May 10, 2010 #

  319. Patrik, have renamed hijackThis but it doesnt appear on my computer when i start my computer in normal mode. It only appears in safe mode??? Malwarebytes appears in normal mode but hijackThis doesn’t.
    Kel

    Comment by Kel — May 10, 2010 #

  320. This is perhaps the absolute best anti-virus/ Mal-ware (what ever you want to call it) program i have ever used! I’d love to purchase the full version of it but i can’t because i got no cash. =(
    By the way, THANKS!!! I seriously thought i would need to reformat my computer along with everything else in my computer. This program would be recommended to my friends for sure!

    Comment by Fuzzy888 — May 10, 2010 #

  321. How do these guys even get by with selling this thing? I mean, you would think the FBI would be knocking on the door of whoever is receiving the money from the poor schmucks who bought it.

    Comment by Thomas — May 11, 2010 #

  322. thanks a lot guys!
    everything worked well, they just changing the file names.

    Comment by andriy — May 11, 2010 #

  323. wanted to express my many thanks, simple process for a scary project…thanks!!!!! John.

    Comment by John R. — May 11, 2010 #

  324. This is definitely a pain in the butt virus. I tried everything listed here to remove this thing. Tried open in Safe Mode- did not work. Change Proxy server- did not work. Tried downloading the Hijackthis- could not downlaod because it was Dos. The only thig that worked for me after reading all these posts was hitting CNTR-ALT-DEL as soon as windows was loading. It enabled me to open my processes and arrange them by memory usage. I googled the files listed and found one that was not found and closed it. That then closed the virus program and I was able to run MBAM! It is now removed successfully. Thank you for the help on this site. I just purchased the upgraded version of MBAM to run with my Norton as well.

    Comment by Kirk — May 11, 2010 #

  325. This is my third time trying to get rid of this horrid thing and every time, MBAM doesn’t catch anything… so i tried to use other programs like spyware doctor and it seemed like it worked, but after i shut down and restart, antivirus soft just pops up again… any suggestions? this has got to be the most annoying malware i’ve had to deal with. alkdsf;jsaf

    Comment by Sally — May 12, 2010 #

  326. @Kirk: ooh i just tried your method of manually removing it from processes and i think it worked! i’m not that great with computer codes and whatnot, but i was able to catch something called csrss.exe. i’m still in the process of cleaning out my drive, but i’m really hoping this works! :D

    to the author of this post, thanks for all the help! you really save the sanity of people like me whose whole life is basically on their computer o_o

    Comment by Sally — May 12, 2010 #

  327. Sally, if the instructions above does not help you, then ask for help in our Spyware removal forum.

    Comment by Patrik — May 13, 2010 #

  328. this is just another comment like the ones above. THANK YOU SO SO SO MUCH! this site was a life saver! my dad got infected with antispyware soft and actually bought it for 69.95 and he tried to install it into my comp!!! THANK GOD i found out it was a fake virus. THANK YOU!!!

    Comment by felicity — May 13, 2010 #

  329. HELP ME!!!
    I can’t run the Registry, I can’t run Task Manager, I can’t run Anti Virus/Malware, etc…

    AND I CANT RUN HIJACK!!!!

    HELP ME!!!!

    Comment by Cameron — May 13, 2010 #

  330. Have this virus on our computer, cannot connect to the internet. Saw the recommended solution beginning with pressing ctrl+alt+del as soon as the desktop appears, found a suspicious process, and ended it. The green shield in the bottom right corner and the popups have disappeared. However, we still can’t connect to the internet to proceed through the steps above re: Hijack This, etc. Our browser is Internet Explorer, and it says that it can’t display the webpage. Not very computer savvy. Can anyone send step-by-step directions to fix our problem? Would appreciate very much. Thx.

    Comment by John — May 14, 2010 #

  331. Hello, I found this little bugger on my computer this morning, it closed my real antivirus program, closed Add/Removed programs and task mangager.

    I installed HiJackthis and searched for the stuff listed above, found none of them so i looked for other ones. The best way is to browse the 04 section for .exe with suspicious names. Google the .exe and see what it does. If its important, dont touch it. If google says its virus, you know what to do. In my case google had no search results for “kmwoqqitssd.exe” so I removed it from my computer. Then I was able to actually run applications properly

    I found the folder hidding in “C:\Documents and Settings\[censored]\Local Settings\Application Data\[insert virus folder name] with the help of my antivirus, scanned it removed it, deleted it.

    Anyway I’m gonna try remove the rest of it. Goodluck to you all

    Comment by Satisfied Person :) — May 14, 2010 #

  332. I saved Hijack this as iexplore.exe, and saved onto the infected desktop. After the scan, I found over 100 listed and I don’t know which ones to put the check mark. Plesae help

    Comment by Pemberley — May 14, 2010 #

  333. Cameron, you need remove HijackThis before running.

    Comment by Patrik — May 15, 2010 #

  334. I got this pain in the butt thing last week and your instructions worked great. Now a week later and I got it again. Is there any way to block it all together? What’s odd is I haven’t run my malwarebytes program since I removed the antispyware soft last week and just now I ran it and I got the antispyware soft again. So why did I get it again after running malwarebytes?

    Comment by Patricia — May 15, 2010 #

  335. John, you have unchecked ““Use a proxy server” option in Lan Settings of Internet Explorer ?

    Comment by Patrik — May 15, 2010 #

  336. Pemberley, if you unsure, please start a new topic in our Spyware removal forum (include your HijackThis log). I will help you.

    Comment by Patrik — May 15, 2010 #

  337. Patricia, to keep your computer clean and secure:
    1. Update your programs (most important: Java, Adobe Flash Player, Adobe Acrobat reader).

    2. Visit Microsoft Update (update.microsoft.com). Make sure that you have all the Critical Updates recommended for your operating system and IE. Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found.
    Update all antivirus/antispyware programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

    3. A well protected computer should have at least an antivirus and firewall, an antispyware is also great addition to your computers security.

    4. Many of the exploits are directed to users of Internet Explorer.
    Use only an alternate browser – Firefox or Opera…

    5. Be careful when opening attachments and downloading files.

    Comment by Patrik — May 15, 2010 #

  338. I went thru the steps again and I found the R1 file but none of the 04 files listed. So after I removed that R1 I downloaded the malwarebytes and it let’s me get to a couple install steps then I get the dreaded error and I can’t go any further.
    I do have virus protection with AVG and I have spyware terminator running and try my best to keep everythingupdated. Also I use firefox not IE, it runs alot faster.
    So now I’m stuck and I can’t get any further. Any suggestions?

    Comment by Patricia — May 15, 2010 #

  339. THANK YOU. SO MUCH. I APPRECIATE THIS SO MUCH. THANK YOU THANK YOU THANK YOU A MILLION TIMES!

    Comment by Dalena — May 15, 2010 #

  340. Thanks for all of the help, was able to remove this trojan and i am back in business.

    Comment by Fred — May 15, 2010 #

  341. I’m so grateful for your help. I followed the instructions and it worked perfectly.

    Thank you!

    Comment by Grateful — May 15, 2010 #

  342. I’m sure someone has probably asked this already, but I ran Malware, and it didn’t seem able to find anything at all. However I ran HijackThis and was able to successfully delete all the “O4′s”. Is it safe to continue using my computer having only used HijackThis and not Malware afterwards? (I aborted Malware’s scan because nothing was coming up). It seems as if the virus is gone, though.
    Thank you for the help!

    Comment by K — May 15, 2010 #

  343. Nevermind, I decided to play it safe and ran Malware. Thank goodness, because it found 4! They were removed and when I ran the program again, it came up clean.

    Thank you again for posting the initial instructions for getting rid of this virus!

    Comment by K — May 15, 2010 #

  344. Patricia, start a new topic in our Spyware removal forum. I will help you.

    Comment by Patrik — May 16, 2010 #

  345. I kept trying to run malware and it would freeze up after a few hours. I ended up doing a system restore that that worked.

    Comment by Chris — May 16, 2010 #

  346. thanks worked a treat

    Comment by ed — May 16, 2010 #

  347. Thank you, thank you thank you.
    For the first time, an online walk through actually worked, and wasn’t completely confusing. You guys are amazing and my mom is under intense supervision when touching my computer. Lol.

    This walk through worked like a charm. :D

    Comment by Julie — May 16, 2010 #

  348. Hi,I tried to do the following as suggested above and found the file, only i renamed the filename not the extension by mistake and now my desktop will not load, is there anyway around this?

    I got rid of this little bugger as follows:

    1. Found a randomly named folder in the C:\Documents and Settings\user\Local Settings\Application Data directory that was created about the time the infection kicked in.

    2. Opened the folder and renamed the executable file (which ended with -”ftav”).

    3. Restarted my computer.

    4. At this point, because the executable was not initiated, I was able to use HijackThis and Malwarebytes to clean things up.

    5. So far, so good. Thanks for the good advice!

    Comment by Hawk — May 17, 2010 #

  349. you guys have helped me before, im hoping this works. It seems i received this scamware virus and another similar i think it was called defender xp and was easier to destroy. off the once safe website mp3boo.com i warn everybody don’t go there!
    and god bless the people who made this page
    thanks man

    Comment by chris — May 18, 2010 #

  350. I was unable to download the software on the infected computer. Downloaded to a flash drive on another computer and then loaded to the infected computer successfully. Ran both programs as recommended and the rogue antispyware has been eliminated.

    Thank you!!!!

    Comment by Joe A — May 18, 2010 #

  351. Worked a charm, thank you!
    this is such a horrible programme… why is no one able to destroy it or block it :( ?

    Comment by varven — May 18, 2010 #

  352. Okay so i got this while going to my usual website that I go to every week (narutocentral.com)

    I’ve gotten it twice now! At first I thought I must have clicked something went back the next day and all was well, then I got it again tonight.

    Now because it rendered me useless the first time I eventually got it fixed by doing a sneaky.

    I rebooted my computer and before it was able to fully load, I did ctrl+alt+delete and opened tasked manager before it blocked it, found the file name which was like fnfvfqheh.exe or something, and ended it, thus stopping it. I then did a search on my PC for it, and found it and deleted it, and voila it was gone.

    I’ve done a full scan of my pc using all my spyware/Avast!/crapcleaner but havent found anything new.

    Anyone know exactly how this thing just randomly pops on your pc?

    Comment by Wewties — May 18, 2010 #

  353. While in Safe mode, I did the steps listed at the beginning of this page to run HijackThis, without changing the name of the file to iexplore.exe though, not sure why someone would need to change the name. I deleted the files that looked suspicious, then downloaded and ran the MalwareBytes Anti-malware program, it found 17 infected files! I deleted them and everything seems to work fine now. I ran this anti-malware program on my other computer that wasn’t having any issues and it found 4 files, Thanks A Lot!!!

    Comment by Leigh — May 18, 2010 #

  354. thank you, thank you, THANK YOU. The stupid software installed itself while I was searching for a good video site- and two hours later it was fixed by these instructions.

    I think I’ll just wait until the DVD’s come out from now on.

    Anyone reading this- follow the instructions. Little girl from Australia did and now she can get on with playing Pokemon instead of doing her homework!

    Comment by Lucy — May 19, 2010 #

  355. Got this sob a few days ago and I am losing my mind trying to get rid of it! When I go to download Hijack this, it will not let me rename it…tried right click, left click, no click, great chick…nothing works. How do I save and rename hijack this? HELP!

    Comment by Rocky — May 19, 2010 #

  356. please help!
    I did all the steps everything went perfectly and malwarebytes had found lots of things and deleted them. It told me to restart and when i did, now it just gets suck at the windows loading sign forever.
    It won’t start up but i can get in in safe mode.
    I need help badly!

    Comment by Liz — May 19, 2010 #

  357. OK, same problem here. But it looks like I have another problem. Yes I have the green shield with all the annoying messages and changing backgrounds. But like Cameron, I can’t do anything – regedit, taskmrg, even notepad everything is cancelled immediately.

    So no turning off a suspicious proces while booting.

    Off course I red most off above messages in this topic. Like Cameron:
    ‘Cameron, you need remove HijackThis before running.’

    Doesn’t work. I put it on my pc (while running) with a USB stick. (Same go’s for malebyte.) Both programs are immediately stopt and don’t run.

    I was able, because I installed a dozen anti virus and syware tools, to remove some files… Still the green shield, etc.

    I search for stranges files in the my documents and settings/user /etc/applications data.
    Yes I found something strange, it was an .exe so I change the name in the hope the program would not boot and I could run HijackThis or mailebyte… But it didn’t work. Even tried to give it another extension. Didn’t work, so wrong file. But I couldn’t find another suspicious file in any of the users applications data (2 users and 1 extra account).

    When I now boot, I can see a cmd command prompt with: c:windowssystem32!.exe and the ‘_’ sign is running randomly (yes it has a pattern but hard to explain in my bad English, sorry) over the command screen. And I do not disappear.

    I googled it, but it refers to ‘remove internet security 2010′ and starts with enabeling processes, with I can’t because my taskmanager is enabled…

    I tried real hard, did many things… Noting works.

    Ow and I can’t boot in (any) savemode. My pc freezes… So no enabling the poxyserver or HijackThis, etc. doesn’t work.

    Strangely internet does work on the infected pc…

    Please help :).
    THANKS!
    Bram

    Comment by Bram — May 20, 2010 #

  358. Thank You so much for this help I literally came home for my 30 min. lunch break to take this malware off and thanks to you i did it at home after work lol….thank you know im just enjoying my pc again…thanks

    Comment by Luis J. — May 20, 2010 #

  359. Using other computer to view this webpage. On the infected computer the virus will not let me run any programmes so i cant download HijackThis.exe. So what should i do to be able to run internet explorer?

    Comment by Conor — May 20, 2010 #

  360. Rocky, reboot your computer in Safe mode and try run HijackThis once again.

    Comment by Patrik — May 20, 2010 #

  361. Liz, boot your computer in Safe mode with networking and try scan with Malwarebytes once again.

    Comment by Patrik — May 20, 2010 #

  362. Bram, if you need a help, please open a new topic in our Spyware removal forum.

    Comment by Patrik — May 20, 2010 #

  363. Conor, download HijackThis to another PC, rename it. Move this file to infected computer through flash or cd disk.

    Comment by Patrik — May 20, 2010 #

  364. It says i have no virus’s. I’ve tried a system restore and that hasn’t worked. I didi do an automatic update while i was deleting the virus. I think that may have caused this. any clues as to what settings i need to change to get it to start up?

    Comment by Liz — May 20, 2010 #

  365. I did a scan and then did a system restore but now when I restart my comp it starts loading windows but all it shows is my wallpaper with no explorer help

    Comment by Samantha — May 21, 2010 #

  366. I’ve discovered that it does not affect other admin accounts on your computer…well not yet of course. Many web browsers aren’t working, and i believe that i am have the same problem that paige recently had.

    Comment by Danny — May 21, 2010 #

  367. Hey guys, it would seem if your laptop or computer is able to “repair” itself on the start menu you can take the restore system back a day or two before the fake program put itself on your computer and it seems to work. No signs of the fake program, hijakk isn’t picking it up anymore.

    Comment by Marco — May 21, 2010 #

  368. sorry by start menu i mean when your laptop starts up and gives you an option to select Safe mode, safe mode networking or start normally.

    Comment by Marco — May 21, 2010 #

  369. Another way to stop the virus, like I did (I found this out trial and error), was if you are infected, reboot to Windows Safe Mode, open up the control panel, click on Administrative Tools, then System Configuration, go to the Startup Tab, and you’ll see a process which is basically random letters (for example, mine was efsthlrm), which is in users/NAME/appdata. Stop this process from happening by unticking the box. Then, using your Windows Explorer, type in the address that the process comes from, it’s described in the System Configuration Tab. Delete the folder. Securely Delete your Recycle Bin. Reboot. Still download HijackThis and MBAM to ensure it’s complete removal from the registy.

    However, if you don’t know how to reboot to safe mode or are unsure of the control panel options, using the method of renaming HijackThis should work too.

    Comment by Tim — May 21, 2010 #

  370. THANK YOU SO Much!!!!! That stupid garbage is gone thanks to you. I am grateful for this web page. I was ready to beat my computer into scrap with a baseball bat. You saved me money I cannot afford to spend. Thanks.

    Comment by Scott — May 21, 2010 #

  371. THANK YOU! Hi-Jack this worked like a pro!

    Comment by SB — May 21, 2010 #

  372. Ok so i started to use these instructions and i have gotten to hijack this but i can only find the R1 one. I can’t find any of the O4 ones… i saw in an earlier comment that the names are different but with random letters and i have these
    HKCU\..\Run: [ggpujabr]C:\Users\Home\AppData\Local\tuwrbrmkj\cfcnaxmtssd.exe
    HKCU\.. \Run: [asam] C:\Users\Home\AppData\Local\asam.exe

    should i delete these too or am i missing something?

    Comment by Robb — May 21, 2010 #

  373. I had tried everything on this page and a few others, but whenever I tried to change the LAN settings Antivirus immediately checked the box. I then looked at the comments and the first one I saw was Twintrbl’s comment, and it was PERFECT. Thank you Twintrbl, I found 3 extremely weird looking .exes and looked them up google and came up with nothing. I fixed them and then everything worked again. Truly amazing.

    Comment by Rachel — May 21, 2010 #

  374. I managed to get to the accessories and restored my pc to a week earlier as suggested by a poster, well it worked! Obviously the Trojan is still there but do I have to remove it and will it pop back up at some point.

    Comment by Dougie — May 21, 2010 #

  375. I could not load Hijack This even when renamed to iexplore.exe. I was able to log in as Administrator which was not infected, load Hijackthis under the Administrator account and remove this antispyware. Maybe try to create another account if possible and you may be able to get Hijackthis loaded.
    Thanks for all of the above postings which were helpful!

    Comment by Rich — May 21, 2010 #

  376. so my problem is i cant even get to this website on my computer…im on a friends instead. so how do i get hijackthis on my computer if i cant even get to this website because soft keeps effing it up first?

    Comment by Rico — May 22, 2010 #

  377. Got this on the 15th had exams so waited a while before trying to fix it,downloaded the HijackThis.exe and renamed it and that deleted the files that i thought were wrong, then got Malware bytes and removed all infected files, aftewards it said not able to remove all files?!

    Anyway i restared the computer and no sign of the rouge anti virus as of yet, but i am currently scanning the computer again but i just wanted to say bless you for this guide and thanks a bunch.
    Really helped me out here
    the software devolpers of this trojan make me sick!
    Any thanks for the assistance it is greatly appricieated.

    Comment by Josh — May 22, 2010 #

  378. The Spyware has done a crazy thing to my internet, I have gotten rid of the spyware and done everything above yet I cannot use safari or my itunes store will not open… anyone have the same problem?

    Comment by Lloyd — May 22, 2010 #

  379. Ok the scan was finished and i still have 4 infected files i believe these were the ones that Malware bytes couldn’t remove how do i get rid of them? There are 3 trojan downloaders and 1 trojan.agent. Two are Registry values and two are under the file section.

    Trojan downloader 1 : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run\hsfg9 and then a load of random characters.
    Trojan agent: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run\mcexe and another load of characters just gave the beginnning of them
    and
    Trojan downloader 2: is C:\Users\Josh\AppData\Local\Temp\login.exe

    And Trojan downloader 3 is C:\Users\Josh\AppData\Local\Temp\jisfije9fjoiee.tmp

    Any help or guidance would be greatly appriceiated. By the way i’m only 13 so i may not understand some references and that.

    Comment by Josh — May 22, 2010 #

  380. ive managed to get this wretched virus today and now its not letting me reboot windows in any mode be it normal safe or safe with networking. help!

    Comment by stu — May 22, 2010 #

  381. Samantha, press CTRL + ALT + DEL. Task Manager opens. Click File, New task. Type explorer and press Enter. It should back your icons and Start button. Run Malwarebytes and perform a scan.

    Comment by Patrik — May 22, 2010 #

  382. Robb,
    yes, fix these lines.

    Comment by Patrik — May 22, 2010 #

  383. Rico, you have tried uncheck “Use a proxy server” box in Internet Explorer network settings before downloading HijacThis ?

    Comment by Patrik — May 22, 2010 #

  384. Lloyd and Josh, start a new topic in our Spyware removal forum. I will check your PC.

    Comment by Patrik — May 22, 2010 #

  385. stu, you have tried Last good configuration mode ?

    Comment by Patrik — May 22, 2010 #

  386. After going through everything from running HijackThis and Malwarebyte, I still couldn’t get the wee beastie to leave my computer. Everytime I restarted my computer it would start up again.

    I wint in search of programs then. I found the problem in: user\appdata\local\wdrwiirvy. In that file is: uyceiiptssd.exe. Delete it and it won’t load anymore.

    Comment by scryer41 — May 22, 2010 #

  387. I am having trouble removing this, is it safe to browse the internet, and continue working online while ANTISPYWARE SOFT is on my computer. I am very tired of trying to resolve this on my own :*(

    Comment by Christian — May 22, 2010 #

  388. Hey, so I’m using iexplore and I can’t find any of the O4 files that end in the sysguard.exe or sftav.exe. Even when I do the task manager i can’t find it. Any help? I’m running in safe mode.

    Comment by Dustin — May 22, 2010 #

  389. It was bothering me at frst but now it just disappears does it mean its gone (i never used malware, but i tried to.)

    Comment by Raymond — May 23, 2010 #

  390. This worked like a charm. My wife’s computer got this yesterday morning and I sat down today to clean it off. Looks like it is good, but I didn’t download malwarebytes. I have prevx, spybot, adaware, and norton. Would have been nice is she updated at least one of them in the last 9 months or so…

    Comment by Jason — May 23, 2010 #

  391. i hate whoever created spyware soft

    Comment by mark — May 23, 2010 #

  392. I just got hit by this and the file name it was using was vjdmhlutssd.exe, I restarted my computer in safe mode with networking, and deleted that file and the .pf file that it also created it my windows directory. Computer is running fine now!

    Comment by Mike — May 24, 2010 #

  393. How, please tell me, do I “rename” HyjackThis before saving it? When I click on the word “here” (in Mozilla; the malware will not let me open Explorer), the only options I have are to “save”, or “cancel”. No option to rename or save as… HELP!!

    Comment by dlawyer — May 24, 2010 #

  394. I have great sympathy for those who are indeed computer challenged like myself lol !! Malwarebytes is scanning at the moment, and I couldn’t find any of those files listed, so took someones advice who commented earlier and did a google search for a lot of the random .exe files and numbers, and clicked ‘fix checked’ so fingers crossed it works, I’m having to do all of this in safe mode with networking too as I couldn’t even use the computer normally, as soon as it started up I got those fake security alerts and everytime I opened a program it closed straight away… it totally had me fooled into thinking my whole system was ruined. but turns out it was just that silly virus scaring me lol !! x x

    Comment by Nic — May 24, 2010 #

  395. Why has no one recommended a system restore? I had the “anti-spyware soft” trojan BAD and only had access to things the first 15-20 seconds my vista logged on. So I logged out/in, and IMMEDIATELY restored the system back 5 days, and now everything is working just fine. Is the trojan 2 in Appdata still there or have i successfully deleted it when I clicked delete on the trojan 2 in AVG’s virus vault? Help (experts) please and comment.

    Comment by charles — May 24, 2010 #

  396. I just infected just now. I followed the steps above and it took care of it thank goodness. And I didn’t have to restart in safe mode either. I’d like to get my hands on the guy/guys who made this virus!!

    Comment by Jeff — May 24, 2010 #

  397. Hi. Thank you for all the great info. It was very informative and helped me get rid of that nasty virus. But, i didnt download anything to get it off. I started my comp in safe mode. Clicked start, control panel, folder, view, “show hidden files”. then went to info stated above and it showed me the dirty virus folder right where it said it would be. I proceeded to scan the folder without opening it and FINALLY Norton showed that it was the virus. After scanning Norton took it away. Afterwards I hit up the regedit and looked in the places where the info told me to look and I deleted from there. simple and easy. took less than 15 min. i’m up and running again with no issues. And, more importantly no excess downloads of programs to remove it. Thank you greatly.

    Comment by Dave — May 24, 2010 #

  398. Wow, thankyou so much. i did all this, and after a few problems i fixed easily, a smooth fix was done. my laptop seems to be back to normal, time will only tell i spose.

    THANKYOU THANKYOU THANKYOU!

    Comment by Natalee — May 25, 2010 #

  399. hey, thank god i found the new name, it was under local settings or files, that was my keym it was called something like mcflotssd under another randomly named file similiar, there were 2, thanks to sum guy who found a different name which prompted me to look for a new name.

    Comment by Really Anoyed — May 25, 2010 #

  400. scryer41, if your computer won`t boot, try boot it in Last good configuration.

    Comment by Patrik — May 25, 2010 #

  401. Dustin, if you unsure, please start a new topic in our Spyware removal forum. I will help you.

    Comment by Patrik — May 25, 2010 #

  402. dlawyer, if you using Firefox, then you need right click to a link and select Save link as. It will open a Save dialog.

    Comment by Patrik — May 25, 2010 #

  403. charles, system restore is right way, but in most cases the rogue can disable system restore.

    Comment by Patrik — May 25, 2010 #

  404. My Computer Wont Let Me Go On The Website So Im having Problems It wont let me on this 1 ethier
    plz help :( send help at randypham12 at yahoo dot com
    Thany You.

    Comment by Brian — May 25, 2010 #

  405. Did Everyone Got Infected On May 25, 2010?

    Comment by Brian — May 25, 2010 #

  406. I Mean May 24,2010

    Comment by Brian — May 25, 2010 #

  407. Just want to say the input by others is great! However, I deleted the Antivirus Soft executable from my processes in Task Manager, and now when I use HijackThis it can’t find it.

    P.S. I already found it in the Prefetch using Mycomputer/search so can I just delete it from there? After that I guess I’ll have to download Malwarebytes?

    Comment by Sam — May 25, 2010 #

  408. This thing has updated again and doesn’t go by the same process names as listed above, on the \version\ I just took off my neighbors pc anyway. Furthermore, on this latest release removing the localhost proxy from IE doesn’t stop the redirections either, and it also affects firefox – I didn’t try with any other browsers. It disables task manager and msconfig as well so unless you can get into safemode from your boot config you’re pretty much at a loss. Really one hell of a payload this thing will dump on you. This particular infection was caused by an un-updated adobe flash plugin. Update your flash, acrobat, etc, and you should be fine.

    The real solution to all of this though is to simply not run Windows. Why pay hundreds of dollars for a virus magnet that constantly has some kind of security problem because it’s more profitable to allow \security\ vendors to ship their resource hogging software along with copies of Windows than it is to actually fix the holes in the system?

    Comment by Lou — May 25, 2010 #

  409. I stopped the process in task manager. Mine was fvxvlbctssd.exe I renamed and downloaded hijack this. I did scan of computer and I get a bunch of results, but none ot them say “sysguard” at the end. I see one with that fake .exe application. Should I uncheck that one and continue? The rest seem normal. Please help. Thanks for everything.

    Comment by Greg — May 25, 2010 #

  410. Brian, if you can`t download the suggested programs above, then download them to another computer. Move files to your PC using a flash or CD disk.

    Comment by Patrik — May 25, 2010 #

  411. Sam, yes you can remove it from Prefetch folder. Anyway, you need scan your computer with a good antispyware tool (Superantispyware, Malwarebytes, SpyBot, AdAware…).

    Comment by Patrik — May 25, 2010 #

  412. The real solution to all of this though is to simply not run Windows

    The right solution :) I`m use Linux :)

    Comment by Patrik — May 25, 2010 #

  413. Greg, infected entries have “tssd.exe” at right. Fix them.

    Comment by Patrik — May 25, 2010 #

  414. Patrik,

    Thanks for the tip. Right clicking the link worked, and I got Hijack This loaded. But I only found one file that had one of the left and hand and right hand extensions on it. I hit “fix checked” and that file disappeared. But I’m still getting scam “alerts” every few seconds. There must be other files needing to get “fixed”, but how on earth do I determine which???

    Comment by dlawyer — May 26, 2010 #

  415. Thanks Patrik! I’m on my way to purging my pc (malwarebytes is awesome) and I just wanted to say thanks for helping everyone and myself, regardless of redundancy or whatever.

    Hopefully I’ll only come back if I figure out a way to help.
    P.S. It seems there was a major outbreak of this virus in the past 4 days, and some pc’s (including mine) have an altered version which redirects web browsers to porn sites.
    P.S.S As soon as you start up your computer go to task manager, find the program, and right-click “end task”. This will at least allow you control over you programs by putting the virus in a temporary “cage” until you restart or power up your computer

    Comment by Sam — May 26, 2010 #

  416. Thank you! Thank you! Thank you! This saved my life…thought I was going to have to completely over haul my computer. You are my hero, thanks for taking the time to teach others what you know!

    Comment by Erica — May 26, 2010 #

  417. thankyou so much i thought id have to pay to have my computer fixed!!

    Comment by kris — May 26, 2010 #

  418. hey i followed all the steps above and malwarebytes detected soemthing that i deleted and now i cant get onto the interent both – IE or Safari. any clues on how to fix this?

    Comment by matt — May 27, 2010 #

  419. I can’t do anything, I can’t go to a website, I can do task manager, I can’t restore, how can I get this shit off my computer? Please help!!!

    Comment by Roxy — May 27, 2010 #

  420. Luckily my iPad was charged because my comp was a brick before finding this site…

    Comment by Rashad — May 27, 2010 #

  421. I don’t know how I’m supposed to change the name of hijackthis, when I save it it doesn’t offer me the chose of changing the name…so what do I do? Help Please!

    Comment by Fox — May 27, 2010 #

  422. Omg I cant stop it! Even when i turn the proxy thing off it still comes back on and i cant access the download im only here cause luckley i had firefox to. Please help

    Comment by Brandon — May 27, 2010 #

  423. dlawyer, please start a new topic in our Spyware removal forum. I will check your PC.

    Comment by Patrik — May 28, 2010 #

  424. matt, you have checked proxy settings ?

    Comment by Patrik — May 28, 2010 #

  425. Roxy, try boot your computer in Safe mode and try the instructions above once again.

    Comment by Patrik — May 28, 2010 #

  426. Fox, you using Firefox ?

    Comment by Patrik — May 28, 2010 #

  427. Brandon, reboot your computer in Safe mode and follow the steps above once again.

    Comment by Patrik — May 28, 2010 #

  428. I get a lot of rogue anti spyware softwares and it is pissing me off as its my mums work computer. I have eventually got them off but this one antispyware soft/ antivirus soft is the most annoying one I have ever encounted. Thank Goodness that we got people who know how to get rid of these stupid freeware softwares, so they can’t gain money of people that doesn’t even work.
    Kind Regards
    Harry Swettenham

    Comment by Harry Swettenham — May 28, 2010 #

  429. I’m looking for some help with this virus because my situation seems to be more complex than the others here. I first encountered antispyware soft about two months ago and nothing would remove it. Nothing. Not even Malwarebytes. I eventually had to wipe my entire drive which seemed to do the trick. However, about two weeks later it was back again. My java started running while using hotmail, and it installed once more. However this time Malwarebytes did the job, and I assume that they updated their database to deal with this rogue even more effectively.

    HOWEVER! three weeks later- last night- it was back AGAIN. It tried to install through Adobe and my anti virus partially blocked it, and I removed the rest of it with Malwarebytes again. I am VERY concerned that some kind trace is being left on my PC, because I cannot think of any other way to explain it’s continued reappearance. I’ve used Hijack this, and while I do see files that have 04 next to them they do not end with sysguard.exe and they appear to be programs that I use. One 04 is listed as being my anti-virus program, so I assume that I need these and have not deleted them. Should I go ahead and delete them? I’m not sure. I just want this thing gone for good!

    Comment by Gabrielle — May 28, 2010 #

  430. I just want to say. Will the stupid f**ks that come up with these things STOP!!. You guys have NO LIFE!! STOP ruining peoples computers for a laugh!

    Comment by Evy — May 28, 2010 #

  431. this virus is ticking me off. I restarted in safe mode, went into msconfig, found a program called nvywkttk in my start up programs. I disabled this and I was able to log into windows normally without any issues. I still could not get on internet so I disabled proxy server and it connected. I downloaded malwarebytes and spybot-search and destroy. Malwarebytes did not find the infection, but spybot did. After I removed them, I still cannot conect to the internet with proxy server enabled, and nvywkttk is still in my start up programs but disabled, and if I enable it, sntivirus soft comes back, anyone have any ideas for me?

    Comment by Matt — May 29, 2010 #

  432. Gabrielle and Matt, please start a new topic in our Spyware removal forum. I will check your PC.

    Comment by Patrik — May 29, 2010 #

  433. Here’s what I did:
    Immediately after start up, I had a 5-6 second period where I could open Firefox,before the virus took effect, I then downloaded “Microsoft security essentials”

    Then i restarted and installed the program
    then restarted again to run the program
    It caught it all and I was fine from then on out

    Comment by Chris S — May 29, 2010 #

  434. I would do as requested, but I don’t want to join yet another forum. I keep joining forums and taking software to fix this and it results in nothing. If I can’t get some sort of answer here, where I can post questions and comments without creating yet another account, then I suppose that I am back on my own again. To Matt- try Hijack this which was recommended in this article. It does/did remove the infected key that blocks internet access for me, so I was able to turn my proxy back on and surf just fine. My PC actually seems okay- it just runs a bit crappy- but nothing is loading up in my system tray, there is nothing there that shouldn’t be there. This damn thing just reinstalls after a few weeks and I have no idea why. Some trace must still be on my PC, but if it is I can’t find it….

    Comment by Gabrielle — May 29, 2010 #

  435. malware bytes wont open on my comp. :/

    Comment by Eric — May 29, 2010 #

  436. Try opening task manager before the malware starts, so the task managar cant be blocked.

    Comment by Patrick — May 30, 2010 #

  437. Eric, try the instructions: http://www.myantispyware.com/2009/06/08/malwarebytes-wont-install-run-or-update-how-to-fix-it/

    Comment by Patrik — May 31, 2010 #

  438. Thanks worked like a charm!

    I did the above renamed iexplorer.exe it would not run HOWEVER REBOOT and do it right as your windows desktop appears it takes the anti soft a little longer to load you can get the ieporer to load and you are gold

    Comment by JC — May 31, 2010 #

  439. Yep – I got hit by this malware/trojan and it had me tossed about what it was.
    It was behaving exactly as you descibe – blocking my main programs from opening etc – pop-ups – the works.
    Thankfully, my browser (Firefox) was still active and I searched [Antivirus Soft] and found your instruction site.
    Thanks for these instructions and to the scum who create these bugs . . . I have nothing for you.

    Comment by Michael Searles — June 1, 2010 #

  440. I have just gotten this stupid thing last night. I’m trying to go through these steps, but I cannot even access the internet now, and when I try to uncheck the proxy box, the apply button doesn’t appear and it goes back to the way it was after hitting ok. I have tried to download hijack this on another computer and put it on a flash drive, but my laptop will not allow me to install it. Please help!!!

    Comment by John — June 1, 2010 #

  441. John, you need rename HijackThis to iexplore before running.

    Comment by Patrik — June 1, 2010 #

  442. Thanks patrick, but I did. I saved it as iexplore.exe on my home computer, then put it on a flash drive. then when I tried to install it on my laptop, I get a “problem with shortcut” message. Do I need to do it in safe mode? There is something I must be missing, but I cannot figure it out. I tried to access the internet on the laptop, but it is not letting me. Thank you so much for any help you can provide

    Comment by John — June 1, 2010 #

  443. John, looks like you have make a shortcut. Try copy HijackThis to a flash drive once again. Click right button to HijackThis icon and drug and drop to your flash drive. Popup menu opens. Select copy.

    Comment by Patrik — June 1, 2010 #

  444. im on step 2 but it wont allow me to open the MBAM, wot should i do??

    Comment by pino — June 1, 2010 #

  445. I changes the LAN setting but it still blocks the Internet.. How am I supposed to download those two programs???

    Please respond soon

    Comment by Kevin — June 1, 2010 #

  446. Wow! That was a pain! That was one of the most vicious malware programs I’ve had to deal with so far! I was freaking out alittle there, I thought it would never go away :P I’ve been sitting here all night trying to figure it out. I would have been completely lost without your help here! I did all you said and it worked perfect.

    Just wanted to say THANK YOU SO MUCH!

    I am going to go try and get some sleep now :P lol

    Comment by Ever — June 2, 2010 #

  447. pino, computer still displays “application cannot be executed” fake alert ?

    Comment by Patrik — June 2, 2010 #

  448. Kevin, you can use another computer or try download the the suggested apps above in Safe mode with networking.

    Comment by Patrik — June 2, 2010 #

  449. I used Hijack This and Malware Bytes. Both programs found infection, so I the suspicious looking ones. I still cannot connect to internet. When I go into LAN settings, the box is checked, but it is also greyed out so I am unable to uncheck the box. Can someone give me advice? Thank you!!!

    Comment by Cheri — June 2, 2010 #

  450. Wait, do u fix the R1 thing or just the 04′s???

    Comment by Kevin — June 2, 2010 #

  451. I’m telling you guys, you are taking the hardest route possible. Its easy, just reboot and during the short time between the start up and the activation of the virus (its a program like anything else and takes time to auto load) and go download “Microsoft security essentials” its free and it got all of it, I tried this three days ago! it works! And its simple!

    Comment by Chris S — June 2, 2010 #

  452. Thankyou,Thankyou,Thankyou very helpful and straight forward. The only thing though now when i reboot i get an error message saying: GetDriveLayOut: CreateFile fail ! The system cannot find the file specified. I think it has something to do with my VIA Raid utility, as when i click ok it flashes up quickly but everything seems fine other than that.

    Comment by Glenn — June 3, 2010 #

  453. Patrik, Thank you so much for your help. My computer is now working thanks to you. Malware bytes works great! Thank you, again, for your help!

    Comment by Cheri — June 3, 2010 #

  454. Cheri, run HijackThis and fix a line like below:
    R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

    Comment by Patrik — June 4, 2010 #

  455. Kevin, you need fix the R1 and O4 entries only that i have posted above. Please be very careful, do NOT fix any other entries!

    Comment by Patrik — June 4, 2010 #

  456. I only found one random-name file, but as soon as I used the hijackthis software to deletre it, I stopepd getting all the alerts…although, the icon in the taskbar shows that it is still running…I’m scanning with antimalware right now…

    Comment by James — June 4, 2010 #

  457. Please someone help me , I change my cable company before a chance to install security, a porno web enter my computer I want them out I don’t know how, I’m a Senior femele help me please. sincerly thank you all of you.

    The porno web side is mr800kingATaol.com

    Comment by Susan Hopkins — June 6, 2010 #

  458. Susan, if you need a help, then please start a new topic in our Spyware removal forum.

    Comment by Patrik — June 9, 2010 #

  459. I just used System Restore option on windows vista (quickly clicked it before the virus ran at the startup) and that solved the problem.

    Comment by Don — July 26, 2010 #

  460. I used System Restore in Safe Mode and that seems to have solved the problem.

    Comment by Ellen — August 17, 2010 #

  461. My safe mode didn’t work. My system restore did not work. Nothing on the computer would work. I hit control+alt+ delete to bring up task manager prior to the virus program booting up. (it takes time for antivirus soft to boot). In task manager I ended as many processes as i could, and luckily one of them halted antivirus soft from booting. I then ran Malwarebytes Anti Malware and it got rid of the virus. It may take a few times booting and fishing in the task manger but if you can run Malwarebytes it will get rid of it.

    Comment by tim — August 23, 2010 #

  462. You guys and gals rock! Thanks so much. I tried exhaustive research and downloads. But the only thing that would work was a system roll back.

    Warmest Regards,

    Lee

    Comment by Lee Traupel — September 11, 2010 #

  463. I installed a programme to clean up my pc and afterwords microsoft advise me that I have no anti-vruse protection. Am I able to retrieve the anti-virus programme and re-instal?Get printon

    Comment by George Harrison — September 14, 2010 #

  464. I have got a similar problem with Antivirus IS.

    However, I cannot view any website or open an anpplication due to the virus. Is there any way round this problem so I can use your method to uninstall it?

    Comment by Colin Letford — September 16, 2010 #

  465. Ignore my last post, I have read the other posts. Almost done it, just need to work out how to get internet access back after deleting the file from Task Manager

    Comment by Colin Letford — September 16, 2010 #

  466. Ok, so many websites are telling me that this Antispy Safeguard (or at least what I’m infected with), and they are all like DOWNLOAD THIS and DOWNLOAD THAT!!!!!!!! People… don’t download anything because I have tried at least 3 different kinds and nothing still has happened. I’ve looked at other posts to find out you can remove it without downloading anything. Only problem is, some of the ways require you to access the start file thingy in the bottom left corner of the screen, and right now, my screen is currently black, and I can’t access anything whatsoever :(… can anybody tell me how to access the start menu without having to click on it?

    Comment by Jeremy Fischer — September 22, 2010 #

  467. Crap, in fact, I can’t even use the shortcut button on my keyboard to access the start menu :(
    Not only that, but there is like no program that can clean this stuff up except for Ccleaner because they are awesome like that and don’t give me freaking viruses. However, Ccleaner can’t fix the problem either. I’m about to roll into a ball and cry. Someone please help me……

    Comment by Jeremy Fischer — September 22, 2010 #

  468. Jeremy, try the instructions below:
    http://www.myantispyware.com/2010/08/26/how-to-remove-fake-microsoft-security-essentials-alert/

    Comment by Patrik — September 25, 2010 #

  469. Ok, now my computer seems to be fixed again (without buying that bogus stuff). Thanks Patrik!!!!!!!!!!!! :)

    Comment by Jeremy Fischer — September 25, 2010 #

  470. Hi Patrick,

    I am unable to open any application in my laptop . Then How will I get into your website to download the hijackthis ? I tried doing the proxy settings as you suggested. Even then I get the same warning .any immediate help is greatly appreciated . Thanks

    Rev

    Comment by Rev — November 2, 2010 #

  471. Rev, reboot your PC in Safe mode with networking. Run Internet Explorer, Click Tools, then select Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and OK again. Download Malwarebytes and perform a scan. Remove what it found.

    Comment by Patrik — November 3, 2010 #

  472. Thanks alot…I nearly fell for their trick but came across ur website…My computer is fixed 4 free!pls people just follow the instructions step by step…printing the steps out helps…

    Comment by mya — November 5, 2010 #

  473. Hello,
    I have this vexation of a virus and I’m at the point where I hardly can access anything on my computer without it being blocked by that psuedo Security Alert pop-up

    after trying a couple things myself to get rid of Anti-virus Soft (which I’m guessing gave the virus time to spread more) I googled about this nuisance on another computer. So I have have followed the general directions of using Safe mode and networking to overide the internet proxy and download a virus remover. However the problem is whenever I got into Safe Mode and networking after five or six minutes my computer just shuts down inproperly before or while I download the scan.. = (
    So is there any other way to get rid of the virus or am I probably at the point where I need to have a proffesional look at it. Please help?

    Comment by GraceNeedsHelp — November 7, 2010 #

  474. GraceNeedsHelp, follow the steps below:
    Run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Click Advanced button to open Proxy settings. Copy and paste the following text into “Do not use proxy server for addresses beginning with:”
    go.trendmicro.com;www.myantispyware.com;www.malwarebytes.org;
    Click OK to save Proxy settings, then Click OK to close Lan Settings and Click OK to close Internet Explorer settings.
    Then go to step 1 above.

    Comment by Patrik — November 7, 2010 #

  475. Oh my God… you saved my day. Because of this website I was able to remove that Antivirus software

    Comment by Maria — November 7, 2010 #

  476. Excellent Instructions……….

    I was about to format hard drive.

    Thanks for your help.

    Comment by Richard — November 9, 2010 #

  477. OMG…thank God, i was gonna cry, it happened today and took like 4 hours approx for me to fix it. i had DLed RKILL and MBAM first but it was STILL there after scans…and i used hijackthis and i looked but u know what? there weren’t really any sysguard.exe ends…they were RANDOM letters with exe at the end. I just deleted what i thought was wrong and it WORKS at last!! THANK YOU EVERYONE!! ALL THE HELPFUL PPL, UR MY SAVIORS!

    Comment by Imani — December 5, 2010 #

  478. Great info downloaded the hijackin safe mode. checked everything and deleted it. computer now runs better than before.

    Thanks

    Comment by Nottsstudent — December 27, 2010 #

  479. Blody brilliant, great guide man.
    Note: the file name’s may vary. But they’er allways in the same place (approx ofc, with some random’s inbetween)

    Comment by Robert — January 5, 2011 #

  480. Brilliant – this really works and very easy to follow. Thanks !!

    Comment by Martin — January 19, 2011 #

  481. I can’t access the Internet how do I delete this spyware I’m on my iPod so I can’t download it off here

    Comment by Jazmin — January 22, 2011 #

  482. Jazmin, you need to reset proxy settings. Run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK. Click Apply. Click OK.
    Now, try to open any site.

    Comment by Patrik (Myantispyware admin) — January 25, 2011 #

  483. i am working on a seperate computer at the moment but i had Malwarebytes before hand and alot of full scans show nothing,
    also now i have hijackthis but i dont know which ones to delete.
    shold i just delete the ones with
    ‘random letters’.exe?
    because none of the ones mentioned above are present in the list.
    the only ones that seem suspicious are ones with random letters,
    but i also read above that the virus takes up alot of space? does it really, and if so, how do i check if it is?

    Comment by leo — February 17, 2011 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>


My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.