Antivirus Soft, also known as Antispyware Soft, is a new rogue antispyware program from the same family of malware as Antivirus Live. The program is distributed with the help of trojans. When the trojan is started, it will download and install Antivirus Soft onto your computer and configure it to run automatically when you log on to Windows.
When Antivirus Soft is started, it will imitate a system scan and detect a large number of infections that will not be fixed unless you first purchase the program. It is important to know that all of these reported infections are fake and don’t actually exist on your computer! So you can safely ignore the scan results that Antivirus Soft gives you.
While Antivirus Soft is running, it will block you from running any programs, as a way to scare you into thinking that your computer is infected with malware. The following warning will be shown when you try to run Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Windows Security alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antvirus software now?
Last but not least, Antivirus Soft will hijack Internet Explorer so that it will randomly show a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. Of course, all of the above warnings and alerts are nothing more than a scam and, like the false scan results, should be ignored!
As you can see, Antivirus Soft is a scam that is designed with one purpose: to trick you into purchasing the so-called full version of the program. Do not be fooled into buying the software! Instead of doing so, follow the removal guide below in order to remove Antivirus Soft and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 - HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
O4 - HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
Use the following instructions to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it first to iexplore.exe and click the Save button to save it to your desktop. If you can’t download the program, then you should repair the proxy settings of Internet Explorer. Run Internet Explorer, click Tools -> Internet Options. Select the Connections tab and click the LAN Settings button. Uncheck the “Use a proxy server” box. Click OK. Click Apply. Click OK.
Double-click the iexplore.exe on your desktop to run HijackThis. The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKCU\..\Run: [udcqinjy] "C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe"
Note: the list of infected items may be different, but all of them have the “sysguard.exe” or “tssd.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs, then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Antivirus Soft infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivirus Soft removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won’t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Soft (Antispyware Soft) creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Soft (Antispyware Soft) creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
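The manual check from Step 1, combined with the file and registry patterns listed above, can be run over a saved HijackThis log. The Python script below is an added example, not part of the original guide or of HijackThis; the function name scan_hijackthis_log, the sample log and the ExampleAV entry are constructed for illustration.

```python
import re

# Executable name suffixes the article lists for this rogue.
SUFFIXES = ("sysguard.exe", "ftav.exe", "tssd.exe")
# Per-user application-data locations seen in the article's sample entries.
APPDATA = ("\\local settings\\application data\\", "\\appdata\\local\\")

# O4 autorun line: "O4 - HKCU\..\Run: [name] path". The dash may be "-" or a
# typographic en dash when the log was pasted through a web page.
O4_RUN = re.compile(
    r"^O4\s*[-\u2013]\s*(HKLM|HKCU)\\\.\.\\Run:\s*\[([^\]]*)\]\s*(.+)$", re.I)
# R1 line that points the Internet Explorer proxy at a loopback listener.
R1_PROXY = re.compile(
    r"^R1\s*[-\u2013]\s*HKCU\\.*\\Internet Settings,ProxyServer\s*=\s*"
    r"(\S*127\.0\.0\.1:\d+)", re.I)

def scan_hijackthis_log(text):
    """Return (kind, detail) findings for lines matching the article's pattern."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            hive, name, path = m.groups()
            path = path.strip(' "\u201c\u201d').lower()
            # Require both the suffix and a per-user app-data path, so that a
            # legitimate O4 entry (for example an antivirus under Program
            # Files) is not flagged just for being an autorun.
            if path.endswith(SUFFIXES) and any(d in path for d in APPDATA):
                findings.append(("autorun", f"{hive.upper()} [{name}] {path}"))
            continue
        m = R1_PROXY.match(line)
        if m:
            findings.append(("proxy", m.group(1)))
    return findings

# Constructed sample log: the first three lines follow the article's examples,
# the last two are benign autoruns made up for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [vcspymsv] "C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe"
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\avtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for kind, detail in scan_hijackthis_log(SAMPLE_LOG):
        print(kind, detail)
```

Only entries that match both the executable suffix and the per-user application-data path are reported, which leaves ordinary O4 entries such as an installed antivirus untouched.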
I don’t know how I’m supposed to change the name of hijackthis, when I save it it doesn’t offer me the choice of changing the name…so what do I do? Help Please!
OMG, I can’t stop it! Even when I turn the proxy thing off it still comes back on and I can’t access the download. I’m only here because luckily I had Firefox too. Please help
dlawyer, please start a new topic in our Spyware removal forum. I will check your PC.
Matt, have you checked the proxy settings?
Roxy, try booting your computer in Safe mode and try the instructions above once again.
Fox, are you using Firefox?
Brandon, reboot your computer in Safe mode and follow the steps above once again.
I get a lot of rogue anti spyware softwares and it is pissing me off as it’s my mum’s work computer. I have eventually got them off but this one antispyware soft/ antivirus soft is the most annoying one I have ever encountered. Thank Goodness that we got people who know how to get rid of these stupid freeware softwares, so they can’t gain money off people that doesn’t even work.
Kind Regards
Harry Swettenham
I’m looking for some help with this virus because my situation seems to be more complex than the others here. I first encountered antispyware soft about two months ago and nothing would remove it. Nothing. Not even Malwarebytes. I eventually had to wipe my entire drive which seemed to do the trick. However, about two weeks later it was back again. My java started running while using hotmail, and it installed once more. However this time Malwarebytes did the job, and I assume that they updated their database to deal with this rogue even more effectively.
HOWEVER! three weeks later- last night- it was back AGAIN. It tried to install through Adobe and my anti virus partially blocked it, and I removed the rest of it with Malwarebytes again. I am VERY concerned that some kind of trace is being left on my PC, because I cannot think of any other way to explain its continued reappearance. I’ve used Hijack this, and while I do see files that have 04 next to them they do not end with sysguard.exe and they appear to be programs that I use. One 04 is listed as being my anti-virus program, so I assume that I need these and have not deleted them. Should I go ahead and delete them? I’m not sure. I just want this thing gone for good!
I just want to say. Will the stupid f**ks that come up with these things STOP!!. You guys have NO LIFE!! STOP ruining people’s computers for a laugh!
This virus is ticking me off. I restarted in safe mode, went into msconfig, found a program called nvywkttk in my start up programs. I disabled this and I was able to log into Windows normally without any issues. I still could not get on internet so I disabled proxy server and it connected. I downloaded malwarebytes and spybot-search and destroy. Malwarebytes did not find the infection, but spybot did. After I removed them, I still cannot connect to the internet with proxy server enabled, and nvywkttk is still in my start up programs but disabled, and if I enable it, antivirus soft comes back, anyone have any ideas for me?
Gabrielle and Matt, please start a new topic in our Spyware removal forum. I will check your PC.
Here’s what I did:
Immediately after start up, I had a 5-6 second period where I could open Firefox, before the virus took effect. I then downloaded “Microsoft security essentials”
Then I restarted and installed the program
then restarted again to run the program
It caught it all and I was fine from then on out
I would do as requested, but I don’t want to join yet another forum. I keep joining forums and taking software to fix this and it results in nothing. If I can’t get some sort of answer here, where I can post questions and comments without creating yet another account, then I suppose that I am back on my own again. To Matt- try Hijack this which was recommended in this article. It does/did remove the infected key that blocks internet access for me, so I was able to turn my proxy back on and surf just fine. My PC actually seems okay- it just runs a bit crappy- but nothing is loading up in my system tray, there is nothing there that shouldn’t be there. This damn thing just reinstalls after a few weeks and I have no idea why. Some trace must still be on my PC, but if it is I can’t find it….
Malwarebytes won’t open on my comp. :/
Try opening task manager before the malware starts, so the task manager can’t be blocked.
Eric, try the instructions: http://www.myantispyware.com/2009/06/08/malwarebytes-wont-install-run-or-update-how-to-fix-it/
Thanks worked like a charm!
I did the above, renamed iexplorer.exe, it would not run. HOWEVER, REBOOT and do it right as your Windows desktop appears. It takes the anti soft a little longer to load; you can get the iexplorer to load and you are gold.
Yep – I got hit by this malware/trojan and it had me tossed about what it was.
It was behaving exactly as you describe – blocking my main programs from opening etc – pop-ups – the works.
Thankfully, my browser (Firefox) was still active and I searched [Antivirus Soft] and found your instruction site.
Thanks for these instructions and to the scum who create these bugs . . . I have nothing for you.
I have just gotten this stupid thing last night. I’m trying to go through these steps, but I cannot even access the internet now, and when I try to uncheck the proxy box, the apply button doesn’t appear and it goes back to the way it was after hitting ok. I have tried to download hijack this on another computer and put it on a flash drive, but my laptop will not allow me to install it. Please help!!!
John, you need to rename HijackThis to iexplore before running.
Thanks Patrick, but I did. I saved it as iexplore.exe on my home computer, then put it on a flash drive. Then when I tried to install it on my laptop, I get a “problem with shortcut” message. Do I need to do it in safe mode? There is something I must be missing, but I cannot figure it out. I tried to access the internet on the laptop, but it is not letting me. Thank you so much for any help you can provide.
John, it looks like you have made a shortcut. Try copying HijackThis to a flash drive once again. Press the right button on the HijackThis icon and drag and drop it to your flash drive. A popup menu opens. Select Copy.
I’m on step 2 but it won’t allow me to open the MBAM, what should I do??
I changed the LAN setting but it still blocks the Internet.. How am I supposed to download those two programs???
Please respond soon
Wow! That was a pain! That was one of the most vicious malware programs I’ve had to deal with so far! I was freaking out a little there, I thought it would never go away 😛 I’ve been sitting here all night trying to figure it out. I would have been completely lost without your help here! I did all you said and it worked perfect.
Just wanted to say THANK YOU SO MUCH!
I am going to go try and get some sleep now 😛 lol
Pino, does your computer still display the “application cannot be executed” fake alert?
Kevin, you can use another computer or try downloading the suggested apps above in Safe mode with networking.
I used Hijack This and Malware Bytes. Both programs found infection, so I the suspicious looking ones. I still cannot connect to internet. When I go into LAN settings, the box is checked, but it is also greyed out so I am unable to uncheck the box. Can someone give me advice? Thank you!!!
Wait, do you fix the R1 thing or just the 04’s???