Antivirus Soft, also known as Antispyware Soft, is a new rogue antispyware program from the same family of malware as Antivirus Live. The program is distributed with the help of trojans. When the trojan is started, it downloads and installs Antivirus Soft onto your computer and configures it to run automatically when you log on to Windows.
When Antivirus Soft is started, it imitates a system scan and reports numerous infections that it will not fix unless you first purchase the program. All of these reported infections are fake and don’t actually exist on your computer, so you can safely ignore the scan results that Antivirus Soft gives you.
While Antivirus Soft is running, it blocks you from running any programs, as a way to scare you into thinking that your computer is infected with malware. The following warning is shown when you try to run Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Windows Security alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antvirus software now?
Last but not least, Antivirus Soft will hijack Internet Explorer so that it randomly shows a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. Of course, all of the above warnings and alerts are nothing more than a scam and, like the false scan results, should be ignored!
As you can see, Antivirus Soft is a scam designed with one purpose: to trick you into purchasing the so-called full version of the program. Do not be fooled into buying the software! Instead, follow the removal guide below to remove Antivirus Soft and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
Use the following instructions to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, first rename it to iexplore.exe, then click the Save button to save it to the desktop. If you can’t download the program, then you should repair the proxy settings of Internet Explorer: run Internet Explorer and click Tools -> Internet Options. Select the Connections tab and click the LAN Settings button. Uncheck the “Use a proxy server” box. Click OK. Click Apply. Click OK.
Double-click iexplore.exe on your desktop to run HijackThis. The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKCU\..\Run: [udcqinjy] "C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe"
Note: the list of infected items may be different, but all of them have the “sysguard.exe” or “tssd.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Antivirus Soft infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivirus Soft removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps in: Malwarebytes won’t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Soft (Antispyware Soft) creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Soft (Antispyware Soft) creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
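The HijackThis patterns from the symptoms section and Step 1, applied to a saved log (an added example, not part of the original guide or of HijackThis). It goes beyond the listed file names: an O4 Run entry in the same per-user folder layout with an unlisted name is returned as "review", a heuristic assumed here for the fully random names that readers report below. The function names and the last three sample lines are constructed for illustration.

```python
import re

# Executable-name endings the guide lists for this family.
KNOWN_SUFFIXES = ("sysguard.exe", "ftav.exe", "tssd.exe")

# O4 autorun entry: "O4 - HKLM\..\Run: [value name] path" (a typographic en dash is accepted too).
O4_RE = re.compile(r'^O4\s*[-\u2013]\s*(HKLM|HKCU)\\\.\.\\Run:\s*\[([^\]]*)\]\s*(.+)$')
# R1 entry pointing the Internet Explorer proxy at a loopback port, as in Step 1.
R1_RE = re.compile(r'^R1\s*[-\u2013]\s*HKCU\\.*Internet Settings,ProxyServer\s*=\s*http=127\.0\.0\.1:\d+')
# Executable placed directly in a single subfolder of the per-user local application data folder.
DROP_DIR_RE = re.compile(
    r'\\(?:Local Settings\\Application Data|AppData\\Local)\\[^\\]+\\[^\\]+\.exe$', re.I)

def classify(line):
    """Return 'proxy', 'known', 'review' or None for one HijackThis log line."""
    line = line.strip()
    if R1_RE.match(line):
        return "proxy"
    m = O4_RE.match(line)
    if not m:
        return None
    path = m.group(3).strip().strip('"\u201c\u201d')  # drop straight or curly quotes
    if not DROP_DIR_RE.search(path):
        return None
    if path.lower().endswith(KNOWN_SUFFIXES):
        return "known"   # file name ends with a suffix the guide lists
    return "review"      # same location, unlisted name: check by hand (assumption)

def triage(log_text):
    """Return (verdict, line) pairs for every flagged line, in log order."""
    flagged = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            flagged.append((verdict, line.strip()))
    return flagged

# Constructed sample: the first three lines come from Step 1, the last three are invented.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKCU\..\Run: [qzxw] C:\Users\Owner\AppData\Local\kdjfh\plmokn.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKCU\..\Run: [ExampleUpdater] C:\Users\Owner\AppData\Local\Example\Update\updater.exe
"""

if __name__ == "__main__":
    for verdict, line in triage(SAMPLE_LOG):
        print(f"{verdict:6}  {line}")
```

A "review" verdict only narrows the list: legitimate software can also start from a single subfolder of the local application data directory, so confirm the file before fixing the entry.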
Just wanted to drop a note here… I got infected with this Antivirus Soft trojan and went through a nightmare trying to get rid of it. In the end, the only thing that worked was HijackThis. MBAM didn’t even find it.
BUT… for future readers, they’ve apparently gotten smarter since you posted this because they changed the filenames from sysguard.exe to some random filename like csxytib.exe. I found four entries in the HijackThis list with random letters in the O4-….[random]….(random).exe.
Since the letters in the brackets seemed random, and a google search on all four filenames returned no results, I figured it couldn’t be a legitimate entry. If it were, somewhere on *some* page on the entire internet, there would be a reference to it.
And when it comes right down to it, the trojan had turned my desktop into a boat anchor anyway, so how much worse could I hurt it by removing these?
I checked those 4 file entries (as well as one entry that looked just like the one you noted above that begins with R1) and the problem went away.
A clean reboot, and all was well. Thank goodness!!!
I just wanted to share the fact that the “designers” of this trojan have changed the filename in those O4 entries to random letters, just in case anyone else ends up with this stupid thing too.
Thanks.
Thank you very much for your help. I was so lost till I found this page; my computer runs much better and Antivirus Soft is gone. When I ran the HijackThis software I checked all the boxes. I assumed that was the right thing to do; whether it was or not, it did the trick. Thank you again.
This scamware was a major pain!
Nowhere was the ????sysguard.exe to be found.
So I renamed files that were created about the time of the infection in the C:\Documents and Settings\user\Local Settings\Application Data directory. Bingo! Errors in the scamware started occurring.
Now I had the name of the directory and the file name; the rest was HijackThis and SpybotSD!
But the clincher was that the information I needed to know was in the post by Twintrbl!
I will read all the posts! I will read all the posts! I will read all the posts!
Thanks everyone 🙂
When I got this virus it didn’t have the sysguard name on its executable file either. I learned that the program took a lot of memory and sorted my processes by memory and then googled the highest ones until one didn’t have any hits. It started with “hybysf” and once I stopped that file suddenly my real antivirus program could find a virus when I scanned. I hope this helps the next poor soul.
Just wanted to say this guide was a huge help!! I did a scan for my processes and the culprit in my case was mspfsftav.exe.
I can’t run any of the anti spy programs and I can’t access the task manager. I’m at a loss here.
Prince, read the first step above: you need to download HijackThis and rename it in the Save dialog to iexplore.exe <= most important!
Prince, you must right-click on “Download HijackThis from here”, where the “here” is highlighted, then rename it to iexplore.exe; then you will be able to open it.
Hey guys, I need help when I open the iexplore.exe.
I found the first line R1… but I can’t find these:
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKCU\..\Run: [udcqinjy] "C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe"
Pearl, you should fix the O4 lines that have sysguard.exe or ftav.exe in the right part, or ask for help in our Spyware removal forum.
This is a great post. I thank you for all your help.
How do I fix them? And thanks for the reply :]
I went to check again and I can’t see the 04 lines with sysguard.exe or ftav.exe
Okay, I cannot download anything or access anything. It says to follow these instructions but I am accessing this site from my desktop and my laptop (which is infected) will not allow me to download or access anything. Can anybody help me please?
OMG…this is way out of my capabilities…I have this stupid thing and I know I couldn’t do the above..I am computer challenged….I’m thinking about taking it into the shop…on husband’s computer now and almost afraid to look up anything on the virus for fear of infecting his too….
Pearl, you should select the lines that have sysguard.exe or ftav.exe in the right part and click the Fix checked button.
Pearl, then open a new topic in our Spyware removal forum. Don’t forget to include your HijackThis log.
Pat, have you “fixed” the proxy settings as I posted above?
There are not a lot of locations on the internet dealing with this particular attack…at least that I could find. The information here was spot on, and I REALLY appreciate everyone’s input. It worked, and that’s the key.
Thank you.
I could only find one ftav.exe file. Is that the only one I check? I could not find any other sysguard or ftav ones in the O4 section.
I also found a lot of R1 though. Am I supposed to only check R1 – HKCU or all of R1?
Need a little help here. I’ve downloaded Hijack this, but when I try to open it, the agreement flickers up for a moment and then Antivirus Soft closes it and tells me it’s infected and I am not allowed to open it.
Getting a little frustrated — please advise.
Yes, fix only the one line. It’s OK.
Fix only “R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555”
Schuler, you need to rename HijackThis.exe before running it.
I did rename the file, that’s what’s been bothering me.
I’m also having IE automatically opened and run to multiple pornographic and ED related websites which is weird considering I am not an IE user and was not using IE when this thing downloaded itself.
THANK YOU!!!!!!
My computer is back to normal! Follow this procedure EXACTLY and you will have no trouble understanding/removing “ANTIVIRUS SOFT”!
(The first comment was also very helpful) If you’re unsure what to place a check mark next to, simply Google it.
very helpful info! thanks!
GREAT POST…I thank you for all your help!!!!
I found only two entries in the HijackThis list O4-….[random]….(random)ftav.exe.. removed both the entries…restarted…and BINGO…my laptop is back to normal…Can’t thank you guys enough…God Bless you!!!!!
So I think I got all the files that are HKLM and HKCU, but I opened up the HijackThis scan again just to make sure and there’s a bunch of files that are like 02 BHO: (no name) with a string of letters and numbers, then at the end it says (no file). Should I delete those too?
Yes, you can fix them too.
I have a quick question. I did the fix a few days ago and it worked, but then just last night this stupid program found itself back onto my computer. Do I need to keep doing this forever?