Antivirus Soft also known as Antispyware Soft is a new rogue antispyware program from the same family of malware as Antivirus Live. The program is distributed with the help of trojans. When the trojan is started, it will download and install Antivirus Soft onto your computer and configure it to run automatically when you logon to Windows.
When Antivirus Soft is started, it will imitate a system scan and detect a lot of various infections that will not be fixed unless you first purchase the program. Important to know, all of these reported infections are fake and don’t actually exist on your computer! So you can safely ignore the scan results that Antivirus Soft gives you.
While Antivirus Soft is running, it will block the ability to run any programs as a method to scare you into thinking that your computer is infected with malware. The following warning will be shown when you try to run the Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Windows Security alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antvirus software now?
Last but not least, Antivirus Soft will hijack Internet Explorer so that it will randomly show a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. Of course, all of above warnings and alerts nothing more but a scam and like false scan results should be ignored!
As you can see, Antivirus Soft is a scam that designed with one purpose to trick you into purchasing so-called full version of the program. Do not be fooled into buying the software! Instead of doing so, follow the removal guide below in order to remove Antivirus Soft and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
Use the following instructions to remove Antivirus Soft or Antispyware Soft (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it first to iexplore.exe and click Save button to save it to desktop. If you can`t download the program, the you should repair the proxy settings of Internet Explorer. Run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK. Click Apply. Click OK.
Doubleclick on the iexplore.exe on your desktop for run HijackThis. HijackThis main menu opens.
Click “Do a system scan only” button. Look for lines that looks like:
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 – HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [vcspymsv] “C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe”
O4 – HKCU\..\Run: [udcqinjy] “C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe“
Note: list of infected items may be different, but all of them have “sysguard.exe” or “tssd.exe” string in a right side and “O4″ in a left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan, it will start scanning your computer for Antivirus Soft infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar as shown below. Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected for start Antivirus Soft removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note 1: if you can not download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won`t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: your current antispyware and antivirus software let the infection through ? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Soft (Antispyware Soft) creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
Antivirus Soft (Antispyware Soft) creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
Worked like a charm! Took care of the problem in all of 5 minutes, thanks a lot!
the link to hijackthis doesnt work anymore =(
eric, i have updated the link above, Try download HijackThis once again.
whew.. still holding my breath but it worked! thank you guys so very much, people that make programs like this should be hunted for sport. anyways thanks again!
I found that if I restarted my computer and immediately started the task manager I could stop the virus process as soon as it popped up (it was some random letters like this asfshkdhjs and a few other 4 letter words like asam) then once I stopped those processes I was able to download hijackthis and the other suggested programs. Once I did that I ran them scanned and did as prompted and now I am free of this horrid problem. Good luck to the rest of you!
mine was called gnodmwatssd.exe
it now prevents any program from being started. so when i installed malwarebytes i had to rename it to run it. running the scan right now hopefully it will be gone
Hello, I did not find any suspicious \.exe\ file so I just deleted all file beginning with 4\ and \R1\.
I was able to install the malware and it helped me delete the malicious antivirus soft.
I did this in safe mode then restarted my computer and re-ran the malwarebyte in normal mode just to be safe and also ran my antivirus scan in nomal mode to be on the safe side. in case you are wondering, I have XP operating system.
Thank you very much for all the info. It saved me . Thanks a lot!
Hi, can someone please help me?
So I downloaded the Hijack. and did the scan. But I cant find any sysguard.exe OR ftav.exe
I read some comments and people said that it is now random letters. I am a bit worried that I might checkoff the wrong thing and it will mess up my computer. So can someone help me check the ones I found suspicious?
HKCU\..\Run: [gwggdwfw]C: \Users\Owner\AppData\Local\kqnaykhov\dswcsjktssd.exe
HKLM\..\Run: [Persistence] C: Windows\system32\igfxpers.exe
HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
HKLM\..\Run: [RtHDVCpl]RtHDVCpl.exe
This was all found in the O4 section.
thanks!
Patrik,
Thanks…I had Norton and got rid of it for MS Essentials. Nothing but problems since I drop Norton. The reason I dropped Norton is it takes so much ram and slowed down my computer.
so, thanks to all the helpful comments and the instructions, i beat antispyware soft, but, it was a real pain. I would seriously like to kill the reject who spent their time making this to make other’s lives miserable. Does anyone know where these virus/malware come from?
ok…while i was running mbam it opened up a random porn site…….im confused
I got this obiously moving thru adult sites, out of the blue, it just started up. mbam fully updated and running didn’t help, and I am running avast home version as well. I went into safemode and ran spybot search n destroy and it removed most if not all of the antivirus soft app. Malware bytes full scan got the rest. Live and learn.
Thank you so much for the information. I was so shocked when I got this virus but with all of your help, I GOT RID OF IT. I started in safe mode and ran Hijack then ran the Malware bytes software. It all worked. I hope that it does not come back. This antivirus soft is horrible. BTW: To find which R1’s and O’s to delete… I had my laptop (2nd “uninfected” computer) next to me and I googled any .exe files that I could not 100% identify.
Fionna, fix the line below:
HKCU\..\Run: [gwggdwfw]C: \Users\Owner\AppData\Local\kqnaykhov\dswcsjktssd.exe
thank you! my ended dimjhssudtssd.exe
thank you so much! you are a genius! this virus was really getting on my nerves.
last question,should I keep HijackThis and the Malware bytes? Can i use these in the future for other viruses or should i just throw them out?
thanks :]
Fionna, you can leave both programs to remove a malware in the future.
Thank you very much ! It was a huge help.
THANKS!!!!
This is one of the greatest sites ever!! Many thanks for the help. My issue with this was abit different as I changed my configuration some. I don’t have a C:\Document and Settings\user\mike\Local Settings\Application Data directory but the virus still showed up there in Hijackthis.
Thanks For the help!!
I looked at quite a few web sites on how to tackle this hard to get rid of virus… I couldn’t find anything that actually helped me make progress.
I followed the instructions on this page and within 5 minutes I was back in business, I appreciate the help immensely.
Excuse me, but I want to open Hijackthis and Antispyware block it… I simply can’t do the revome step…
Oh, another one. I can’t come to the dll with explorer. I dll it with Firefox but I can’t rename Hijackthis untill he’s dll on my pc.
(SOrry for my english, I talk frensh)
Now I’ve rename iexplorer with right click. But he don’t want to open… I need help T.T
Just for information. (sorry for quadruple post)
I’ve read all comments. I’ve rename it with all name I see and dosen’t work
I just wanted to thank all of you for the help provided. I couldn’t find anything on the internet as clear as what’s mentioned above, and got rid of this rogue within minutes thanks to your help.
I really have no idea how I got it. I am a very safe internet user, and I never browse any suspect websites. I scares me a little when I think of it… But now I know how to get rid of it.
Thanks again !
Heya, i have to say this really looks like it could help me, but unfortunately i have a problem 🙁
I am using Firefox to read this because IE closes automatically whenever i open it.
I tried to download Hijackthis and to rename it but Firefox doesnt give me the oppertunity to, and when i try to open the file location the damn program also closes it.
Is there anyone here who knows what to do? 🙁
I would really appreciate any help, i will just check the site every day to check if someone left me a reply. Thanks.
Hello, i downloaded and renamed Hijackthis like it said and i did the whole scan thing…
but going through the list i cannot find sysguard.exe or ftav.exe at all …. so what do i check and fix? If anyone could help i would really appreciate it! :]
(i dont want to go through all the comments because im getting a headache @_@ )
Nevermind, it magically dissapeared O.o