Antivirus Suite is a new rogue antispyware program from the same family of rogues as Antivirus Soft. As before, it is usually installed through the use of trojans. When the trojan runs, it downloads and installs the core component of Antivirus Suite onto your PC and registers it in the Windows registry so that it runs automatically every time you log on to Windows.
Once running, Antivirus Suite will start a system scan and report a lot of infections that will not be fixed unless you first purchase it. Doing this is not necessary, since the scan results, and the scan itself, are fake. It is only a method created to trick you into believing that your computer is infected. So you can safely ignore the false scan results.
While Antivirus Suite is running, it may block any program from running. You will be shown a variety of nag screens, fake security alerts, popups and notifications from the Windows taskbar. An example:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Last but not least, Antivirus Suite will hijack Internet Explorer so that it will randomly show a warning page with the “Internet Explorer Warning – visiting this web site may harm your computer!” header. However, all of these warnings, alerts and pop-ups are fake and, like the false scan results, should be ignored!
From the above, it is obvious that Antivirus Suite is a dangerous program and an unwanted guest on your computer. At the first symptoms of infection, stop using the computer for any activity, from document editing to shopping on the Internet. You need to remove the rogue antispyware as quickly as possible. To do this, use the instructions below to remove Antivirus Suite and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
O4 – HKLM\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
O4 – HKCU\..\Run: [RANDOM] %UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
Use the following instructions to remove Antivirus Suite (Uninstall instructions)
Step 1.
Download HijackThis from here, but before saving HijackThis.exe, rename it to iexplore.exe and click the Save button to save it to the desktop. If you can't download the program, then you should repair the proxy settings of Internet Explorer. Run Internet Explorer and click Tools -> Internet Options. Select the Connections tab and click the LAN Settings button. Uncheck the “Use a proxy server” box. Click OK. Click Apply. Click OK.
Double-click iexplore.exe on your desktop to run HijackThis. The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 – HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [vcspymsv] “C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe”
O4 – HKCU\..\Run: [udcqinjy] “C:\Users\Owner\AppData\Local\rhjimj\bogjsftav.exe”
O4 – HKLM\..\Run: [kjwerkje] C:\Documents and Settings\user\Local Settings\Application Data\asdasd\qweqwetssd.exe
O4 – HKCU\..\Run: [qlweklqw] C:\Documents and Settings\user\Local Settings\Application Data\qweqwe\adasdastssd.exe
Note: the list of infected items may be different, but all of them have the “sysguard.exe”, “ftav.exe” or “tssd.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Once downloaded, close all programs and windows on your computer.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MalwareBytes Anti-malware onto your computer. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings and, when the program has finished installing, make sure a checkmark is placed next to “Update Malwarebytes’ Anti-Malware” and “Launch Malwarebytes’ Anti-Malware”. Then click Finish.
MalwareBytes Anti-malware will now automatically start and you will see a message stating that you should update the program before performing a scan. If an update is found, it will download and install the latest version.
As MalwareBytes Anti-malware will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main menu. You will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Make sure the “Perform quick scan” option is selected and then click on the Scan button to start scanning your computer for Antivirus Suite infection. This procedure can take some time, so please be patient.
When the scan is finished, a message box will appear saying that it has completed scanning successfully. Click OK. Now click “Show Results”. You will see a list of infected items similar to the one shown below.
Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure all entries have a checkmark at their far left and click the “Remove Selected” button to remove Antivirus Suite. MalwareBytes Anti-malware will now remove all of the associated Antivirus Suite files and registry keys and add them to the program’s quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won't install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Suite creates the following files and folders
%UserProfile%\Local Settings\Application Data\[RANDOM]
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]sysguard.exe
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]ftav.exe
%UserProfile%\Local Settings\Application Data\[RANDOM]\[RANDOM]tssd.exe
Antivirus Suite creates the following registry keys and values
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
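Added example (not part of the original article, and not code from HijackThis or Malwarebytes): a Python sketch that applies the indicators listed above to a saved HijackThis log, flagging `O4` Run entries whose file name ends in `sysguard.exe`, `ftav.exe` or `tssd.exe` under a per-user data folder, and an `R1` ProxyServer value pointing at the local machine. The names `classify`, `scan` and `SAMPLE_LOG` are hypothetical, the sample log is constructed from lines quoted on this page, and treating any loopback proxy (not only port 5555) as suspicious is an assumption.

```python
import re

# Filename endings the article gives for this rogue's executables.
SUFFIXES = ("sysguard.exe", "ftav.exe", "tssd.exe")
# Per-user data folders: the XP path from the article and the Vista/7 path in its samples.
USER_DIRS = ("\\local settings\\application data\\", "\\appdata\\local\\")

# HijackThis writes "O4 - ..."; web pages often turn the hyphen into an en dash.
O4_RE = re.compile(r"^O4\s*[-\u2013]\s*(HKLM|HKCU)\\\.\.\\Run:\s*\[([^\]]*)\]\s*(.+)$", re.I)
R1_RE = re.compile(r"^R1\s*[-\u2013]\s*.*Internet Settings,ProxyServer\s*=\s*(.+)$", re.I)
# Assumption: any loopback proxy is worth a look, not only the port shown in the article.
LOOPBACK_RE = re.compile(r"(?:^|[=;/])(?:127\.0\.0\.1|localhost)(?::\d+)?", re.I)

# Constructed sample log; the flagged lines reuse examples quoted on this page.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [vcspymsv] “C:\Users\Owner\AppData\Local\bbenmt\badwsftav.exe”
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [la0a1g8wscl4m] C:\Windows\system32\la0a1g8wscl4m.exe
"""


def classify(line):
    """Return (kind, detail) if the line matches the article's indicators, else None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        hive, value, path = m.groups()
        path = path.strip(' "\u201c\u201d')  # drop straight and curly quotes
        lower = path.lower()
        if lower.endswith(SUFFIXES) and any(d in lower for d in USER_DIRS):
            return ("run-key", f"{hive} [{value}] {path}")
        return None  # e.g. the system32 entry above: outside these indicators
    m = R1_RE.match(line)
    if m and LOOPBACK_RE.search(m.group(1).strip()):
        return ("loopback-proxy", m.group(1).strip())
    return None


def scan(log_text):
    """Classify every line of a HijackThis log and keep only the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG):
        print(f"{kind:15} {detail}")
```

Entries that fall outside these patterns, such as a randomly named executable in `system32`, are not flagged and still need manual review.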
Hello guys, as everybody is jubilating, mine is a different case entirely. My system is infected with the same Antivirus Suite. I attempted to start my computer in safe mode and it turned out to be something else: it did not allow me to start in safe mode and at the same time did not allow me to start my system normally (can’t start at all). I am so frustrated, can someone help please….
thanks for the help from Italy, if my father had discovered the virus on the computer he would cut my head
Tikko, what is your version of Windows?
I downloaded the HijackThis program from a clean computer, changed the name, and attempted to run it on my infected computer. But it doesn’t appear to do anything. Also when I tried to disable the program, my “apply” button isn’t highlighted so the change never sticks.
I already had Malwarebytes and Kaspersky installed on my infected computer. I restarted in Safe Mode, ran iexplore.exe, ran both antivirus programs, and the virus is still there. I don’t have the latest updates and because of the proxy problem, I don’t have control of my internet access to download them. PLEASE HELP!
Rachelle, read the instructions and manually update Malwarebytes Anti-malware.
Hey, just cleaned up my sister’s infected computer. For some reason I wasn’t able to connect to the internet in safe mode no matter what I tried. So I made a data disk with HijackThis and Malwarebytes and installed them in safe mode. Then I restarted the computer normally and ran Malwarebytes asap. I had a small window of time before the virus started, I was able to remove it while in “normal” mode. Hope this helps!
I have wireless internet and in safe mode it would not give me internet access. So what I did is restart my computer and hover the mouse over the bottom toolbar and right click until the menu comes up and you can click “task manager” and it will open up and stay open. You have to be fast before “Anti virus suite” starts running. Once it starts running you are too late as it will close “task manager” down every time you try to open it. You have to be fast for this to work. You may have to restart your computer a couple of times to get the timing down.
When I got “Task Manager” to stay on I went to the tab “processes”. In there I found a file called FWFJXQJTSSD.EXE.3672DBFO.TF. I highlighted that file and clicked “end process”. That stops “Anti Virus Suite”. I now had control of my computer back.
Then I opened Internet Explorer and on the top bar found “tools”. I clicked on “tools” and at the bottom of the menu clicked “Internet options”. Then click “connections”. Then click “Lan settings”. Then check “Automatically detect settings” and uncheck “Use a proxy for your LAN”. Click OK and OK again and I now had control of my computer back and was able to download programs and open them. However I have yet to find an anti spyware program that will get that junk off my computer permanently, but I can at least use it.
How do you change the name of it when you download it?
Thank you soooooo much! It worked like a charm! I can’t believe it was that easy. Again, thank you sooo much!
yeah, this thing came out of nowhere. crazy. the file names were a bit different from the ones you suggested but it helped guide the process. thanks. currently running the malwarebytes but the little icon on the bottom page is now gone! hopefully for good. I’m sooo grateful for your help. saved me a lot of time.
Silas, you need to rename HijackThis.exe in the Save dialog.
Thank you! This worked for me. I am definitely using your site to find out more about better protection for my PC.
My PC was stuck with that awful spyware. Downloaded the two softwares (hijack this and malware) from a clean computer, changed the name, and ran them on my PC from a USB key and it worked like a charm. Thank you SO MUCH for the wonderful help/information you provided!!!
thank you so so much this really helped
Just finished following your instructions to the T. Downloaded HijackThis, renamed to iexplore.exe, ran it. Found and “checked” files starting with 04 and ending with sysguard, ftav, or tssd.exe. Then ran the malware program. Cleaned this virus off my PC. Found one thing—After running the malware program I had to go back into Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK. Click Apply. Click OK, before I could get a web page to load in Internet Explorer. I then went to Microsoft’s http://safety.live.com to run their Full Service Scan. Thanks for posting the resolution for fixing this nasty virus. Hope my added comments help someone else.
OMG Dude I friggin love you!
I’ve had this evil thing for almost a week now, tried loads of other tricks and they all worked temporarily but didn’t get rid of the virus. I used the same method as this before but using Rkill instead of HiJackThis and I think that’s what the problem was.
Can’t thank you enough, just saved me 90 quid for a repair job 🙂
I am not completely finished, but wanted to share this because I have found what seems a way to DISABLE the “Antivirus Suite Infection” even if the trojan is still identified in the system.
Ok, this is what I did that has allowed me to “disable” the Antivirus Suite Infection.
Granted I don’t think the trojan has been eliminated completely.
1- I started the computer in safe mode.
2- I unchecked the proxy settings as instructed on this website. BTW, once you uncheck it and click ok, it does not let me click apply, but I went back and the change had been permanent.
3- I then downloaded the HijackThis.exe as instructed, saved it to desktop after changing its name to iexplorer.exe. It was saved with the HijackThis icon though, which is good.
4- I ran HijackThis but it gave me a warning that I was not going to be able to make changes, and instructed me (in Vista) to run as administrator. When I did, I was able to run the scan. This apparently applies only to Vista.
I only found the R1 line:
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
I did not find any other line ending with:
sysguard.exe, ftav.exe, or tssd.exe
I did find a line that looks suspicious:
O4 – HKCU\..\Run: [la0a1g8wscl4m] C:\Windows\system32\la0a1g8wscl4m.exe
5- I clicked the proxy server R1 line above and clicked “fix checked” but did not fix the 04 line because I am not sure it belongs to the “Antivirus Suite” virus. Because of the random numbers I’m thinking it probably does.
6- I restarted the computer in regular mode, and it is working fine, all programs, including Internet Explorer are working. Previously I could not go on the net or even work my local programs. Whenever I tried it told me it could not open them because they were infected. That included Quickbooks, notepad, wordpad, ATF-Cleaner, CCleaner, the virus was forcing me to only BUY the program before I could use ANY program.
But now there are no signs of any problems running any of the programs.
It seems that removing the proxy server line with hijackthis disabled the virus.
7- I use AVG Free edition, so I went and downloaded the 9.0 version, installed it, downloaded the new definitions and updated it. It is running now; so far it has found 1 infection:
Trojan horse FakeAV.BBM
Which seems to be the trojan we are dealing with.
So, I will wait for the scan to finish and see if my AVG is able to get rid of the infection. I already know that the infection seems to have been disabled, even if the trojan is still in the system.
If the AVG is not able to remove it, I will download the MalwareBytes Anti-malware.
I don’t know how to fix this problem. I have the task manager up but I’m not sure which exe file I should end process on. I can not apply the changes in Internet Options and it will not let me download the hijack file even when I rename it. Please help! Thanks!
I’m not sure how, but I ended the right process and everything seems to be working! Thanks so much!!!!
I was duped into buying Antivirus Suite for $59.95. Does anyone know their email address or phone number so I can call and cancel and get my money back? When I bought it, it said that I could cancel within 30 days by sending them an email. But, I accidentally removed it first without getting that address.
Thanks,
Mary
misty, try downloading HijackThis to another PC and then move this file to your computer using a flash drive or CD.
Mary, contact your credit card company and tell them what has happened.
hello,
I did another thing
I had got this virus so I tried to remove it
I ran safe mode
then I searched for this file: tueaqhytssd.exe
after that shift + delete
now I am relieved
what a yucky file!!!
why did they make this virus?
do they have a mental problem?
Ok.
This thing is what causes Internet Explorer not to work. Simply fix it with HijackThis, and internet works again. Also you can disable from task manager the tssd.exe or sysguard.exe or ftav.exe. No need to go to the safe mode. Just spam the buttons for task manager the first time, so that you will see which you have and where they are located. Then restart normally and as soon as the screen starts up bring up the task manager and turn them off. But be careful, my tssd.exe came back up 2 times after I turned off the process and each time at a different spot in the manager, so be FAST.
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
I have had to manually remove this virus from my friend’s computer twice now. Be sure to run a complete registry scan for the parts of the file names “tssd.exe”, “sysguard.exe” and “ftav.exe”. I found another string of tssd in the HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Thank you for these instructions! It’s all so scary when it happens but I appreciate the clear, detailed steps so I could fix it. You guys are great!
I was able to remove this remotely without going into safe mode. But to do this you need to know the name and password of a different Admin account on the PC. Luckily I already had LogMeIn installed before the computer was infected. I remotely connected. Found the C:\Windows\System32\TaskMgr.exe, right-clicked on it, clicked “Run As”, put the name of a different Admin account, and it ran! I then promptly killed all the junk processes and I was able to take complete control of the PC. Then ran MalwareBytes, etc.