Antivirus Soft also known as Antispyware Soft is a new rogue antispyware program from the same family of malware as Antivirus Live. The program is distributed with the help of trojans. When the trojan is started, it will download and install Antivirus Soft onto your computer and configure it to run automatically when you logon to Windows.
When Antivirus Soft is started, it will imitate a system scan and detect a lot of various infections that will not be fixed unless you first purchase the program. Important to know, all of these reported infections are fake and don’t actually exist on your computer! So you can safely ignore the scan results that Antivirus Soft gives you.
While Antivirus Soft is running, it will block the ability to run any programs as a method to scare you into thinking that your computer is infected with malware. The following warning will be shown when you try to run the Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Windows Security alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antvirus software now?
Last but not least, Antivirus Soft will hijack Internet Explorer so that it will randomly show a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. Of course, all of above warnings and alerts nothing more but a scam and like false scan results should be ignored!
As you can see, Antivirus Soft is a scam that designed with one purpose to trick you into purchasing so-called full version of the program. Do not be fooled into buying the software! Instead of doing so, follow the removal guide below in order to remove Antivirus Soft and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
Use the following instructions to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it first to iexplore.exe and click Save button to save it to desktop. If you can`t download the program, the you should repair the proxy settings of Internet Explorer. Run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK. Click Apply. Click OK.
Doubleclick on the iexplore.exe on your desktop for run HijackThis. HijackThis main menu opens.
Click “Do a system scan only” button. Look for lines that looks like:
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 – HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [vcspymsv] “C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe”
O4 – HKCU\..\Run: [udcqinjy] “C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe“
Note: list of infected items may be different, but all of them have “sysguard.exe” or “tssd.exe” string in a right side and “O4″ in a left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan, it will start scanning your computer for Antivirus Soft infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar as shown below. Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected for start Antivirus Soft removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note 1: if you can not download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won`t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: your current antispyware and antivirus software let the infection through ? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Soft (Antispyware Soft) creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Soft (Antispyware Soft) creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
Eventually had to remove my hard drive and follow these directions on a completely separate computer.
Not fun but it did work.
I found this an easy one to get rid of, but I cant prevent it from returning. So whats causing it to get back into my /temp folder a few times a week? Cant find any trojans on my system. and it seems to get installed after visiting myspace.
and yes the .exe is most always a random name.
hit me up (reaper at pimpmymob.com)
I would like to extend my gratitude to this website and all the people involved for their invaluable help in removing Antivirus Soft. I have extremely limited knowledge of anything like this, but with your help, was able to follow the step by step instructions…PHEW!!!!! Many many thanks. Tom
I was able to find 2 of the O4 files ending in ftav.exe, but did not have the R1 file like the one stated above. I removed the 2 ftav.exe files but the antivirus soft keeps coming back. Someone help me please! I have to pay bills on my computer and can’t until I can get rid of this.
I’m having the same problem as Schuler. I’ve renamed HijackThis and it still shuts it down immediately when I open.
This is as good as information gets! HijackThis file along with the registry info helped me repair my laptop. Again, “MBAM didn’t even find it.” THANK YOU!!!
Gabbs, probably your have infected with a trojan that reinstalled the rogue. Ask for help in our Spyware removal forum.
Leonard, open a new topic in our Spyware removal forum.
You can run this procedure using “Safe Mode with Network Support.” The only issue was that I couldn’t update the malwarebytes definitions, but was able to run hijackthis and run the scan. Cleaned most of it out. Then, upon rebooting, updated the malwarebytes definitions and running the scan, again. Finding a few straggler objects.
Thanks for the procedure!
Hey! I got this virus. But problem is I dont know how to take it off. 🙁 I downloaded micro hijack. im looking at the list but dont know wat to check. 🙁 please help this is the thing that shows
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:13:38 PM, on 2/8/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal
—
End of file – 17091 bytes
I have read ALL the comments posted in this thread. I can’t get hijackthis to work. even after renaming it. My task manager, the
un section and anything I download is disabled. Comes back saying it can not be opened because it is infected. then askes if i would like to download the antivirus software.i as well have tried the pskill stuff. it will not let me download the new link that was made to bypass this virus. SOMEONE PLEASE HELP?!?!
Soo…if the sysguard.exe files don’t show up after the scan, is it possible they have a different name?
Ok. So I installed hijackthis but I can get passed where you accept the terms of use or whatever. It closes right when I get there.
Jose, fix also the following line:
O4 - HKCU\..\Run: [yjgwvhwq] C:\Users\Lino\AppData\Local\hmfkew\mxyqsftav.exeHow can I download this stuff when I can not open browser – it just directs me to the AV Soft website.
Bay, if after renaming HijackThis to iexplore.exe (in Save dialog), HijackThis won`t run, try re-download it, but rename to userinit.exe, or winlogon.exe, or explorer.exe.
naomi, yes look also for files that have “ftav.exe” at right.
Mike, uncheck “Use a proxy server” box in Internet Explorer proxy settings.
I am another one having trouble.
I am in safemode, and got Trend Micro HijackThis open, with the list up.
I cannot find any of the sysguard or ftav files…what else should I be looking for?
Thanks in advance
Has anyone run into an instance where MalwareBytes will be scanning and the computer shuts down? I haven’t found anything saying that this virus will do that, but the “window” that pops up says Antivirus Soft. I’m fighting and fighting to get rid of this thing, but I can’t help but wonder if I’m not trying to remove the correct thing. I haven’t tried the hijackthis thing, (I was following removal instructions from another website) and am about to do so. But I wanted to ask ahead of time, so that if this doesn’t work, I could hope to look forward to an answer instead of getting frustrated.
I think that I was able to get rid of the virus following the advice listed here. Time will tell. I would like to add, that if someone pays close attention to the startup tab in msconfig, they can start to disable the virus there. I started my machine in safe mode, and went into the startup tab and noticed 4 entries that didn’t look “right” and I had never seen before. I disabled them on start up and was able to run hijackthis (after renaming it) with no problems. Thanks to everyone for their help.
What if I did all of these steps, yet when it came to the Malware scanning for threats nothing showed up? No Trojan or any other type of “threat” was found. What should I do then if I still have an Antivirus Soft problem yet malware is not detecting it?
Hey! Thank you so much for this! Yeah, they changed a LOT. I clicked all of the random files I saw in Hijack this. I didn’t see any of the ones listed above. This stupid virus is HORRIBLE.
Justin and Anna, ask for help in our Spyware removal forum.
Thanks for the advice on removing antivirus soft. I got rid of it using highjack and malwarebytes, however, after changing my prxy settings in internet options, I no longer can use options and they dissapeared in my control panel. Can someone tell me how to get them back? Thanks Mike
Mike, Click Start, Run.
Type regedit and press Enter.
Registry editor opens.
Navigate to the following keys by expanding the + at left of each key at left:
HKEY_CURRENT_USERSoftware
Policies
Microsoft
Internet Explorer
Control panel
In right part of window, right click to Proxy and select Delete.
Close registry editor.
Run Internet Explorer and try enable/disable proxy.
I don’t understand how I’m supposed to do any of this when my computer has been totally hijacked. It wont even let me open the control panel! HELP PLEASE!!
Thanks Patrick, I got all the way to control panel but there is no proxy. My screen came up REG SZ value not set and Home page REG [0x00000000[0]. Any more help is appreciated. Mike
Bridget, if you can`t download HijackThis, then use another computer to downloading it, then move it to infected pc using a flash or cd disk.
Mike, remove “control panel” key from “Internet Explorer” key.